[Snort-users] barnyard2: Unable to open directory '/var/log/snort' and Unable to find the next spool file!

Joyabrata Ghosh joy.career at ...11827...
Tue Nov 11 12:48:03 EST 2014


Dear Barnyard2 users,

Would you please help me out to solve this barnyard2(src:
https://github.com/firnsy/barnyard2) configuration problem, corresponding
snort is working good as required.


*# barnyard2 -v -c /etc/barnyard2.conf -d /var/log/snort *

Running in Continuous mode

        --== Initializing Barnyard2 ==--
Initializing Input Plugins!
Initializing Output Plugins!
DEBUG => [Alert_FWsam](AlertFWsamSetup) Output plugin is plugged in...
Parsing config file "/etc/barnyard2.conf"


+[ Signature Suppress list ]+
----------------------------
+[No entry in Signature Suppress List]+
----------------------------
+[ Signature Suppress list ]+

Barnyard2 spooler: Event cache size set to [2048]
Log directory = /var/log/barnyard2
Chroot directory = /var/spool/barnyard2
-------------------------------------------------
 Keyword     |          Input @
-------------------------------------------------
unified2     : init() = 0x441942
unified2     :   - readRecordHeader() = 0x4419b5
unified2     :   - readRecord()       = 0x441b74
-------------------------------------------------

-------------------------------------------------
 Keyword     |          Output @
-------------------------------------------------
alert_cef    :       0x428779
alert_syslog :       0x42ee25
log_tcpdump  :       0x431a39
database     :       0x4389c9
alert_fast   :       0x42a673
alert_full   :       0x42b290
alert_fwsam  :       0x42ba51
alert_unixsock:       0x4303cb
alert_csv    :       0x42925d
log_null     :       0x431913
log_ascii    :       0x430ca3
alert_test   :       0x42fc3b
sguil        :       0x4327cd
alert_syslog_full:       0x4339df
log_syslog_full:       0x4339bf
-------------------------------------------------


        --== Initialization Complete ==--

  ______   -*> Barnyard2 <*-
 / ,,_  \  Version 2.1.13 (Build 327) DEBUG
 |o"  )~|  By Ian Firns (SecurixLive): http://www.securixlive.com/
 + '''' +  (C) Copyright 2008-2013 Ian Firns <firnsy at ...14568...>

*ERROR: Unable to open directory '/var/log/snort' (No such file or
directory)*
*ERROR: Unable to find the next spool file!*
===============================================================================
Record Totals:
   Records:           0
   Events:           0 (0.000%)
   Packets:           0 (0.000%)
   Unknown:           0 (0.000%)
   Suppressed:           0 (0.000%)
===============================================================================
Packet breakdown by protocol (includes rebuilt packets):
      ETH: 0          (0.000%)
  ETHdisc: 0          (0.000%)
     VLAN: 0          (0.000%)
     IPV6: 0          (0.000%)
  IP6 EXT: 0          (0.000%)
  IP6opts: 0          (0.000%)
  IP6disc: 0          (0.000%)
      IP4: 0          (0.000%)
  IP4disc: 0          (0.000%)
    TCP 6: 0          (0.000%)
    UDP 6: 0          (0.000%)
    ICMP6: 0          (0.000%)
  ICMP-IP: 0          (0.000%)
      TCP: 0          (0.000%)
      UDP: 0          (0.000%)
     ICMP: 0          (0.000%)
  TCPdisc: 0          (0.000%)
  UDPdisc: 0          (0.000%)
  ICMPdis: 0          (0.000%)
     FRAG: 0          (0.000%)
   FRAG 6: 0          (0.000%)
      ARP: 0          (0.000%)
    EAPOL: 0          (0.000%)
  ETHLOOP: 0          (0.000%)
      IPX: 0          (0.000%)
    OTHER: 0          (0.000%)
  DISCARD: 0          (0.000%)
InvChkSum: 0          (0.000%)
   S5 G 1: 0          (0.000%)
   S5 G 2: 0          (0.000%)
    Total: 0



===============================================================================
===============================================================================
===============================================================================



*[root-vmjoyabratag04-08:36:40-~] **# cat /etc/barnyard2.conf*
#
#  Barnyard2 example configuration file
#

#
# This file contains a sample barnyard2 configuration.
# You can take the following steps to create your own custom configuration:
#
#   1) Configure the variable declarations
#   2) Setup the input plugins
#   3) Setup the output plugins
#

#
# Step 1: configure the variable declarations
#

# in order to keep from having a commandline that uses every letter in the
# alphabet most configuration options are set here.

# use UTC for timestamps
#
#config utc

# set the appropriate paths to the file(s) your Snort process is using.
#
config reference_file:      /etc/snort/reference.config
config classification_file: /etc/snort/classification.config
config gen_file:            /etc/snort/gen-msg.map
config sid_file:            /etc/snort/sid-msg.map


# Configure signature suppression at the spooler level see
doc/README.sig_suppress
#
#
#config sig_suppress: 1:10


# Set the event cache size to defined max value before recycling of event
occur.
#
#
#config event_cache_size: 4096

# define dedicated references similar to that of snort.
#
#config reference: mybugs http://www.mybugs.com/?s=

# define explicit classifications similar to that of snort.
#
#config classification: shortname, short description, priority

# set the directory for any output logging
#
#config logdir: /tmp

# to ensure that any plugins requiring some level of uniqueness in their
output
# the alert_with_interface_name, interface and hostname directives are
provided.
# An example of usage would be to configure them to the values of the
associated
# snort process whose unified files you are reading.
#
# Example:
#   For a snort process as follows:
#     snort -i eth0 -c /etc/snort.conf
#
#   Typical options would be:
#     config hostname:  thor
#     config interface: eth0
#     config alert_with_interface_name
#
#config hostname:   thor
#config interface:  eth0

# enable printing of the interface name when alerting.
#
config alert_with_interface_name

# at times snort will alert on a packet within a stream and dump that
stream to
# the unified output. barnyard2 can generate output on each packet of that
# stream or the first packet only.
#
#config alert_on_each_packet_in_stream

# enable daemon mode
#
#config daemon

# make barnyard2 process chroot to directory after initialisation.
#
config chroot: /var/spool/barnyard2

# specifiy the group or GID for barnyard2 to run as after initialisation.
#
#config set_gid: 999

# specifiy the user or UID for barnyard2 to run as after initialisation.
#
#config set_uid: 999

# specify the directory for the barnyard2 PID file.
#
#config pidpath: /var/run/by2.pid

# enable decoding of the data link (or second level headers).
#
#config decode_data_link

# dump the application data
#
#config dump_payload

# dump the application data as chars only
#
#config dump_chars_only

# enable verbose dumping of payload information in log style output plugins.
#
#config dump_payload_verbose

# enable obfuscation of logged IP addresses.
#
#config obfuscate

# enable the year being shown in timestamps
#
#config show_year

# set the umask for all files created by the barnyard2 process (eg. log
files).
#
#config umask: 066

# enable verbose logging
#
#config verbose

# quiet down some of the output
#
#config quiet

# define the full waldo filepath.
#
#config waldo_file: /tmp/waldo

# specificy the maximum length of the MPLS label chain
#
#config max_mpls_labelchain_len: 64

# specify the protocol (ie ipv4, ipv6, ethernet) that is encapsulated by
MPLS.
#
#config mpls_payload_type: ipv4

# set the reference network or homenet which is predominantly used by the
# log_ascii plugin.
#
#config reference_net: 192.168.0.0/24

#
# CONTINOUS MODE
#

# set the archive directory for use with continous mode
#
#config archivedir: /tmp

# when in operating in continous mode, only process new records and ignore
any
# existing unified files
#
#config process_new_records_only


#
# Step 2: setup the input plugins
#

# this is not hard, only unified2 is supported ;)
input unified2


#
# Step 3: setup the output plugins
#

# alert_cef
#
----------------------------------------------------------------------------
#
# Purpose:
#  This output module provides the abilty to output alert information to a
# remote network host as well as the local host using the open standard
# Common Event Format (CEF).
#
# Arguments: host=hostname[:port], severity facility
#            arguments should be comma delimited.
#   host        - specify a remote hostname or IP with optional port number
#                 this is only specific to WIN32 (and is not yet fully
supported)
#   severity    - as defined in RFC 3164 (eg. LOG_WARN, LOG_INFO)
#   facility    - as defined in RFC 3164 (eg. LOG_AUTH, LOG_LOCAL0)
#
# Examples:
#   output alert_cef
#   output alert_cef: host=192.168.10.1
#   output alert_cef: host=sysserver.com:1001
#   output alert_cef: LOG_AUTH LOG_INFO
#

# alert_bro
#
----------------------------------------------------------------------------
#
# Purpose: Send alerts to a Bro-IDS instance.
#
# Arguments: hostname:port
#
# Examples:
#   output alert_bro: 127.0.0.1:47757

# alert_fast
#
----------------------------------------------------------------------------
# Purpose: Converts data to an approximation of Snort's "fast alert" mode.
#
# Arguments: file <file>, stdout
#            arguments should be comma delimited.
#   file - specifiy alert file
#   stdout - no alert file, just print to screen
#
# Examples:
#   output alert_fast
#   output alert_fast: stdout
#
output alert_fast: stdout


# prelude: log to the Prelude Hybrid IDS system
#
----------------------------------------------------------------------------
#
# Purpose:
#  This output module provides logging to the Prelude Hybrid IDS system
#
# Arguments: profile=snort-profile
#   snort-profile   - name of the Prelude profile to use (default is snort).
#
# Snort priority to IDMEF severity mappings:
# high < medium < low < info
#
# These are the default mapped from classification.config:
# info   = 4
# low    = 3
# medium = 2
# high   = anything below medium
#
# Examples:
#   output alert_prelude
#   output alert_prelude: profile=snort-profile-name
#


# alert_syslog
#
----------------------------------------------------------------------------
#
# Purpose:
#  This output module provides the abilty to output alert information to
local syslog
#
#   severity    - as defined in RFC 3164 (eg. LOG_WARN, LOG_INFO)
#   facility    - as defined in RFC 3164 (eg. LOG_AUTH, LOG_LOCAL0)
#
# Examples:
#   output alert_syslog
#   output alert_syslog: LOG_AUTH LOG_INFO
#

# syslog_full
#-------------------------------
# Available as both a log and alert output plugin.  Used to output data via
TCP/UDP or LOCAL ie(syslog())
# Arguments:
#      sensor_name $sensor_name         - unique sensor name
#      server $server                   - server the device will report to
#      local                            - if defined, ignore all remote
information and use syslog() to send message.
#      protocol $protocol               - protocol device will report over
(tcp/udp)
#      port $port                       - destination port device will
report to (default: 514)
#      delimiters $delimiters           - define a character that will
delimit message sections ex:  "|", will use | as mess)
#      separators $separators           - define field separator included
in each message ex: " " ,  will use space as field)
#      operation_mode $operaion_mode    - default | complete : default mode
is compatible with default snort syslog message,)
#      log_priority   $log_priority     - used by local option for syslog
priority call. (man syslog(3) for supported option)
#      log_facility  $log_facility      - used by local option for syslog
facility call. (man syslog(3) for supported option)
#      payload_encoding                 - (default: hex)  support
hex/ascii/base64 for log_syslog_full using operation_mode .

# Usage Examples:
# output alert_syslog_full: sensor_name snortIds1-eth2, server
xxx.xxx.xxx.xxx, protocol udp, port 514, operation_mode defaut
# output alert_syslog_full: sensor_name snortIds1-eth2, server
xxx.xxx.xxx.xxx, protocol udp, port 514, operation_mode comple
# output log_syslog_full: sensor_name snortIds1-eth2, server
xxx.xxx.xxx.xxx, protocol udp, port 514, operation_mode default
# output log_syslog_full: sensor_name snortIds1-eth2, server
xxx.xxx.xxx.xxx, protocol udp, port 514, operation_mode complete
# output alert_syslog_full: sensor_name snortIds1-eth2, server
xxx.xxx.xxx.xxx, protocol udp, port 514
# output log_syslog_full: sensor_name snortIds1-eth2, server
xxx.xxx.xxx.xxx, protocol udp, port 514
# output alert_syslog_full: sensor_name snortIds1-eth2, local
# output log_syslog_full: sensor_name snortIds1-eth2, local, log_priority
LOG_CRIT,log_facility LOG_CRON

# log_ascii
#
----------------------------------------------------------------------------
#
# Purpose: This output module provides the default packet logging
funtionality
#
# Arguments: None.
#
# Examples:
#   output log_ascii
#


# log_tcpdump
#
----------------------------------------------------------------------------
#
# Purpose
#  This output module logs packets in binary tcpdump format
#
# Arguments:
#   The only argument is the output file name.
#
# Examples:
#   output log_tcpdump: tcpdump.log
#


# sguil
#
----------------------------------------------------------------------------
#
# Purpose: This output module provides logging ability for the sguil
interface
# See doc/README.sguil
#
# Arguments: agent_port <port>, sensor_name <name>
#            arguments should be comma delimited.
#   agent_port  - explicitly set the sguil agent listening port
#                 (default: 7736)
#   sensor_name - explicitly set the sensor name
#                 (default: machine hostname)
#
# Examples:
#   output sguil
#   output sguil: agent_port=7000
#   output sguil: sensor_name=argyle
#   output sguil: agent_port=7000, sensor_name=argyle
#


# database: log to a variety of databases
#
----------------------------------------------------------------------------
#
# Purpose: This output module provides logging ability to a variety of
databases
# See doc/README.database for additional information.
#
# Examples:
#   output database: log, mysql, user=root password=test dbname=db
host=localhost
#   output database: alert, postgresql, user=snort dbname=snort
#   output database: log, odbc, user=snort dbname=snort
#   output database: log, mssql, dbname=snort user=snort password=test
#   output database: log, oracle, dbname=snort user=snort password=test
#


# alert_fwsam: allow blocking of IP's through remote services
#
----------------------------------------------------------------------------
# output alert_fwsam: <SnortSam Station>:<port>/<key>
#
#  <FW Mgmt Station>:  IP address or host name of the host running SnortSam.
#  <port>:         Port the remote SnortSam service listens on (default
898).
#  <key>:              Key used for authentication (encryption really)
#              of the communication to the remote service.
#
# Examples:
#
# output alert_fwsam: snortsambox/idspassword
# output alert_fwsam: fw1.domain.tld:898/mykey
# output alert_fwsam: 192.168.0.1/borderfw  192.168.1.254/wanfw
#

[root-vmjoyabratag04-08:37:10-~]
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20141111/84ebdb4c/attachment.html>


More information about the Snort-users mailing list