[Snort-users] Barnyard reading unified files from snort.

Gierczak, Stan SGierczak at ...16714...
Tue Jun 17 12:50:32 EDT 2014


Still having issues getting Barnyard2 to read from Snort. Attached are the barnyard and snort conf.

Below is the output from syslog. I believe that the highlight shows that it is looking in the correct directory, but it doesn't seem correct that it reads one record, nor that the Waldo is not correct. The Waldo file is empty:

-rwxrwxr-x 1 snort snort         0 May  6 12:07 barnyard2.waldo

Jun 16 12:41:45 rlicsnortids1 barnyard2[1455]: Running in Continuous mode
Jun 16 12:41:45 rlicsnortids1 barnyard2[1455]:
Jun 16 12:41:45 rlicsnortids1 barnyard2[1455]:         --== Initializing Barnyard2 ==--
Jun 16 12:41:45 rlicsnortids1 barnyard2[1455]: Initializing Input Plugins!
Jun 16 12:41:45 rlicsnortids1 barnyard2[1455]: Initializing Output Plugins!
Jun 16 12:41:45 rlicsnortids1 barnyard2[1455]: Parsing config file "/etc/snort/barnyard.conf"
Jun 16 12:41:46 rlicsnortids1 barnyard2[1455]: Log directory = /var/log/snort/eth0
Jun 16 12:41:46 rlicsnortids1 barnyard2[1455]: Initializing daemon mode
Jun 16 12:41:46 rlicsnortids1 barnyard2[1455]: Daemon parent exiting
Jun 16 12:41:46 rlicsnortids1 barnyard2[1456]: Daemon initialized, signaled parent pid: 1455
Jun 16 12:41:46 rlicsnortids1 barnyard2[1456]: PID path stat checked out ok, PID path set to /var/run/
Jun 16 12:41:46 rlicsnortids1 barnyard2[1456]: Writing PID "1456" to file "/var/run//barnyard2_eth0.pid"
Jun 16 12:41:46 rlicsnortids1 barnyard2[1456]: database: compiled support for (mysql)
Jun 16 12:41:46 rlicsnortids1 barnyard2[1456]: database: configured to use mysql
Jun 16 12:41:46 rlicsnortids1 barnyard2[1456]: database: schema version = 107
Jun 16 12:41:46 rlicsnortids1 barnyard2[1456]: database:           host = localhost
Jun 16 12:41:46 rlicsnortids1 barnyard2[1456]: database:           user = snort_user
Jun 16 12:41:46 rlicsnortids1 barnyard2[1456]: database:  database name = snortdb
Jun 16 12:41:46 rlicsnortids1 barnyard2[1456]: database:    sensor name = rlicsnortids1:eth0
Jun 16 12:41:46 rlicsnortids1 barnyard2[1456]: database:      sensor id = 2
Jun 16 12:41:46 rlicsnortids1 barnyard2[1456]: database:     sensor cid = 1
Jun 16 12:41:46 rlicsnortids1 barnyard2[1456]: database:  data encoding = hex
Jun 16 12:41:46 rlicsnortids1 barnyard2[1456]: database:   detail level = full
Jun 16 12:41:46 rlicsnortids1 barnyard2[1456]: database:     ignore_bpf = no
Jun 16 12:41:46 rlicsnortids1 barnyard2[1456]: database: using the "log" facility
Jun 16 12:41:46 rlicsnortids1 barnyard2[1456]:
Jun 16 12:41:46 rlicsnortids1 barnyard2[1456]:         --== Initialization Complete ==--
Jun 16 12:41:46 rlicsnortids1 barnyard2[1456]: Barnyard2 initialization completed successfully (pid=1456)
Jun 16 12:41:46 rlicsnortids1 barnyard2[1456]: WARNING: Ignoring corrupt/truncated waldofile '/var/log/snort/eth0/barnyard2.waldo'
Jun 16 12:41:46 rlicsnortids1 barnyard2[1456]: Opened spool file '/var/log/snort/eth0/snort.log.1402938235'
Jun 16 12:41:47 rlicsnortids1 barnyard2[1456]: Closing spool file '/var/log/snort/eth0/snort.log.1402938235'. Read 1 records
Jun 16 12:41:47 rlicsnortids1 barnyard2[1456]: Opened spool file '/var/log/snort/eth0/snort.log.1402940498'
Jun 16 12:41:47 rlicsnortids1 barnyard2[1456]: Waiting for new data

This, I believe, is how snort gets initiated:
#!/bin/sh
#
# Init file for Barnyard2
#
# chkconfig: 2345 40 60
# description:  Barnyard2 is an output processor for snort.
#
# processname: barnyard2
# config: /etc/sysconfig/barnyard2
# config: /etc/snort/barnyard.conf
# pidfile: /var/lock/subsys/barnyard2.pid

[ -x /usr/sbin/snort ] || exit 1
[ -r /etc/snort/snort.conf ] || exit 1

# status() used below comes from the distribution's init helpers, not from this script
[ -r /etc/init.d/functions ] && . /etc/init.d/functions

### Default variables
SYSCONFIG="/etc/default/barnyard2"

### Read configuration (expects INTERFACES, SNORTDIR, CONF, LOG_FILE, EXTRA_ARGS)
[ -r "$SYSCONFIG" ] && . "$SYSCONFIG"

RETVAL=0
prog="barnyard2"
desc="Snort Output Processor"

# Command line for one interface: -d spool dir, -w waldo (bookmark) file,
# -l log dir, -a archive dir, -f unified2 file prefix, -X pid file, -D daemonize
barnyard_opts() {
    PIDFILE="/var/lock/barnyard2-$1.pid"
    ARCHIVEDIR="$SNORTDIR/$1/archive"
    WALDO_FILE="$SNORTDIR/$1/barnyard2.waldo"
    echo "-D -c $CONF -d $SNORTDIR/$1 -w $WALDO_FILE -l $SNORTDIR/$1 -a $ARCHIVEDIR -f $LOG_FILE -X $PIDFILE $EXTRA_ARGS"
}

start() {
    echo -n $"Starting $desc ($prog): "
    for INT in $INTERFACES; do
        # a failure on any interface is reported, not only the last one
        $prog $(barnyard_opts "$INT") || RETVAL=1
    done
    echo
    [ $RETVAL -eq 0 ] && touch /var/lock/$prog
    return $RETVAL
}

stop() {
    echo -n $"Shutting down $desc ($prog): "
    killall $prog
    RETVAL=$?
    echo
    [ $RETVAL -eq 0 ] && rm -f /var/lock/$prog
    return $RETVAL
}

restart() {
    stop
    start
}

reload() {
    echo -n $"Reloading $desc ($prog): "
    killall -HUP $prog
    RETVAL=$?
    echo
    return $RETVAL
}

# Print the command line start would run for each interface (the original
# script referenced dump without defining it)
dump() {
    for INT in $INTERFACES; do
        echo "$prog $(barnyard_opts "$INT")"
    done
}

case "$1" in
    start)
        start
        ;;
    stop)
        stop
        ;;
    restart)
        restart
        ;;
    reload)
        reload
        ;;
    condrestart)
        [ -e /var/lock/$prog ] && restart
        RETVAL=$?
        ;;
    status)
        status $prog
        RETVAL=$?
        ;;
    dump)
        dump
        ;;
    *)
        echo $"Usage: $0 {start|stop|restart|reload|condrestart|status|dump}"
        RETVAL=1
esac
exit $RETVAL

-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: barnyard2.conf.txt
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20140617/4962dfa2/attachment.txt>
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: snort.conf.txt
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20140617/4962dfa2/attachment-0001.txt>
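The start-up messages quoted in the post are what an operator has to read to tell whether the waldo bookmark was honoured and whether any unified2 records were actually pulled from the spool. As an added example (not code from the list post or from the barnyard2 project), this Python parser folds barnyard2 syslog lines into a status and flags the conditions seen here: a rejected waldo, spool files that yielded no records, and a run that never reached the idle state. The sample lines are copied from the syslog excerpt above.

```python
import re
from dataclasses import dataclass, field
# "Jun 16 12:41:46 host barnyard2[1456]: <message>"; group 1 is the message
SYSLOG_RE = re.compile(r"^\w{3}\s+\d+ \d\d:\d\d:\d\d \S+ barnyard2\[\d+\]:\s*(.*)$")
WALDO_RE = re.compile(r"Ignoring corrupt/truncated waldofile '([^']+)'")
LOGDIR_RE = re.compile(r"Log directory = (\S+)")
CLOSED_RE = re.compile(r"Closing spool file '([^']+)'\. Read (\d+) records")

@dataclass
class BarnyardStatus:
    log_dir: str = ""
    bad_waldo: str = ""  # waldo path barnyard2 refused to use, if any
    records: dict = field(default_factory=dict)  # closed spool file -> records read
    idle: bool = False   # saw "Waiting for new data", i.e. start-up finished

    def problems(self):
        out = []
        if self.bad_waldo:
            out.append(f"waldo rejected ({self.bad_waldo}): empty or truncated, so "
                       "barnyard2 replays from the oldest spool file instead of resuming")
        if self.records and sum(self.records.values()) == 0:
            out.append("every spool file closed with 0 records read")
        if not self.idle:
            out.append("never reached 'Waiting for new data'")
        return out

def parse_barnyard_syslog(lines):
    # Fold barnyard2 syslog lines into a BarnyardStatus; other lines are skipped
    st = BarnyardStatus()
    for line in lines:
        m = SYSLOG_RE.match(line)
        if not m:
            continue
        msg = m.group(1)
        if w := WALDO_RE.search(msg):
            st.bad_waldo = w.group(1)
        elif d := LOGDIR_RE.search(msg):
            st.log_dir = d.group(1)
        elif c := CLOSED_RE.search(msg):
            st.records[c.group(1)] = int(c.group(2))
        elif msg == "Waiting for new data":
            st.idle = True
    return st
# Constructed sample: the relevant lines of the syslog excerpt quoted in the post.
SAMPLE = """\
Jun 16 12:41:46 rlicsnortids1 barnyard2[1456]: Log directory = /var/log/snort/eth0
Jun 16 12:41:46 rlicsnortids1 barnyard2[1456]: WARNING: Ignoring corrupt/truncated waldofile '/var/log/snort/eth0/barnyard2.waldo'
Jun 16 12:41:47 rlicsnortids1 barnyard2[1456]: Closing spool file '/var/log/snort/eth0/snort.log.1402938235'. Read 1 records
Jun 16 12:41:47 rlicsnortids1 barnyard2[1456]: Waiting for new data
""".splitlines()
```

Feed it `journalctl -u barnyard2` or the syslog file the poster quoted; a zero-byte waldo shows up as the first problem, and a spool directory barnyard2 is tailing but never closing shows up as a missing record count.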
