[Snort-users] barnyard2: Unable to open directory '/var/log/snort' and Unable to find the next spool file!

Stephen Gantz stephen.gantz at ...16854...
Tue Nov 11 13:43:01 EST 2014


I'll start with the obvious questions - have you created /var/log/snort and have you configured Snort for unified2 output and to write to that directory? 

Dr. Stephen D. Gantz
CISSP-ISSAP, CEH, CGEIT, CRISC, CIPP/G, C|CISO
Professor of Information Assurance
The Graduate School
University of Maryland University College
stephen.gantz at ...16854...

> On Nov 11, 2014, at 12:48 PM, Joyabrata Ghosh <joy.career at ...11827...> wrote:
> 
> Dear Barnyard2 users,
> 
> Would you please help me solve this barnyard2 (src: https://github.com/firnsy/barnyard2) configuration problem? The corresponding Snort is working well, as required.
> 
> 
> # barnyard2 -v -c /etc/barnyard2.conf -d /var/log/snort 
> 
> Running in Continuous mode
> 
>         --== Initializing Barnyard2 ==--
> Initializing Input Plugins!
> Initializing Output Plugins!
> DEBUG => [Alert_FWsam](AlertFWsamSetup) Output plugin is plugged in...
> Parsing config file "/etc/barnyard2.conf"
> 
> 
> +[ Signature Suppress list ]+
> ----------------------------
> +[No entry in Signature Suppress List]+
> ----------------------------
> +[ Signature Suppress list ]+
> 
> Barnyard2 spooler: Event cache size set to [2048] 
> Log directory = /var/log/barnyard2
> Chroot directory = /var/spool/barnyard2
> -------------------------------------------------
>  Keyword     |          Input @ 
> -------------------------------------------------
> unified2     : init() = 0x441942
> unified2     :   - readRecordHeader() = 0x4419b5
> unified2     :   - readRecord()       = 0x441b74
> -------------------------------------------------
> 
> -------------------------------------------------
>  Keyword     |          Output @ 
> -------------------------------------------------
> alert_cef    :       0x428779
> alert_syslog :       0x42ee25
> log_tcpdump  :       0x431a39
> database     :       0x4389c9
> alert_fast   :       0x42a673
> alert_full   :       0x42b290
> alert_fwsam  :       0x42ba51
> alert_unixsock:       0x4303cb
> alert_csv    :       0x42925d
> log_null     :       0x431913
> log_ascii    :       0x430ca3
> alert_test   :       0x42fc3b
> sguil        :       0x4327cd
> alert_syslog_full:       0x4339df
> log_syslog_full:       0x4339bf
> -------------------------------------------------
> 
> 
>         --== Initialization Complete ==--
> 
>   ______   -*> Barnyard2 <*-
>  / ,,_  \  Version 2.1.13 (Build 327) DEBUG
>  |o"  )~|  By Ian Firns (SecurixLive): http://www.securixlive.com/
>  + '''' +  (C) Copyright 2008-2013 Ian Firns <firnsy at ...14568...>
> 
> ERROR: Unable to open directory '/var/log/snort' (No such file or directory)
> ERROR: Unable to find the next spool file!
> ===============================================================================
> Record Totals:
>    Records:           0
>    Events:           0 (0.000%)
>    Packets:           0 (0.000%)
>    Unknown:           0 (0.000%)
>    Suppressed:           0 (0.000%)
> ===============================================================================
> Packet breakdown by protocol (includes rebuilt packets):
>       ETH: 0          (0.000%)
>   ETHdisc: 0          (0.000%)
>      VLAN: 0          (0.000%)
>      IPV6: 0          (0.000%)
>   IP6 EXT: 0          (0.000%)
>   IP6opts: 0          (0.000%)
>   IP6disc: 0          (0.000%)
>       IP4: 0          (0.000%)
>   IP4disc: 0          (0.000%)
>     TCP 6: 0          (0.000%)
>     UDP 6: 0          (0.000%)
>     ICMP6: 0          (0.000%)
>   ICMP-IP: 0          (0.000%)
>       TCP: 0          (0.000%)
>       UDP: 0          (0.000%)
>      ICMP: 0          (0.000%)
>   TCPdisc: 0          (0.000%)
>   UDPdisc: 0          (0.000%)
>   ICMPdis: 0          (0.000%)
>      FRAG: 0          (0.000%)
>    FRAG 6: 0          (0.000%)
>       ARP: 0          (0.000%)
>     EAPOL: 0          (0.000%)
>   ETHLOOP: 0          (0.000%)
>       IPX: 0          (0.000%)
>     OTHER: 0          (0.000%)
>   DISCARD: 0          (0.000%)
> InvChkSum: 0          (0.000%)
>    S5 G 1: 0          (0.000%)
>    S5 G 2: 0          (0.000%)
>     Total: 0         
> 
> 
> 
> ===============================================================================
> ===============================================================================
> ===============================================================================
> 
> 
> 
> [root-vmjoyabratag04-08:36:40-~] # cat /etc/barnyard2.conf
> #
> #  Barnyard2 example configuration file
> #
> 
> #
> # This file contains a sample barnyard2 configuration.
> # You can take the following steps to create your own custom configuration:
> #
> #   1) Configure the variable declarations
> #   2) Setup the input plugins
> #   3) Setup the output plugins
> #
> 
> #
> # Step 1: configure the variable declarations
> #
> 
> # in order to keep from having a commandline that uses every letter in the
> # alphabet most configuration options are set here.
> 
> # use UTC for timestamps
> #
> #config utc
> 
> # set the appropriate paths to the file(s) your Snort process is using.
> #
> config reference_file:      /etc/snort/reference.config
> config classification_file: /etc/snort/classification.config
> config gen_file:            /etc/snort/gen-msg.map
> config sid_file:            /etc/snort/sid-msg.map
> 
> 
> # Configure signature suppression at the spooler level see doc/README.sig_suppress
> #
> #
> #config sig_suppress: 1:10
> 
> 
> # Set the event cache size to defined max value before recycling of event occur.
> #
> #
> #config event_cache_size: 4096
> 
> # define dedicated references similar to that of snort.
> #
> #config reference: mybugs http://www.mybugs.com/?s=
> 
> # define explicit classifications similar to that of snort.
> #
> #config classification: shortname, short description, priority
> 
> # set the directory for any output logging
> #
> #config logdir: /tmp
> 
> # to ensure that any plugins requiring some level of uniqueness in their output
> # the alert_with_interface_name, interface and hostname directives are provided.
> # An example of usage would be to configure them to the values of the associated
> # snort process whose unified files you are reading.
> #
> # Example:
> #   For a snort process as follows:
> #     snort -i eth0 -c /etc/snort.conf
> #
> #   Typical options would be:
> #     config hostname:  thor
> #     config interface: eth0
> #     config alert_with_interface_name
> #
> #config hostname:   thor
> #config interface:  eth0
> 
> # enable printing of the interface name when alerting.
> #
> config alert_with_interface_name
> 
> # at times snort will alert on a packet within a stream and dump that stream to
> # the unified output. barnyard2 can generate output on each packet of that
> # stream or the first packet only.
> #
> #config alert_on_each_packet_in_stream
> 
> # enable daemon mode
> #
> #config daemon
> 
> # make barnyard2 process chroot to directory after initialisation.
> #
> config chroot: /var/spool/barnyard2
> 
> # specifiy the group or GID for barnyard2 to run as after initialisation.
> #
> #config set_gid: 999
> 
> # specifiy the user or UID for barnyard2 to run as after initialisation.
> #
> #config set_uid: 999
> 
> # specify the directory for the barnyard2 PID file.
> #
> #config pidpath: /var/run/by2.pid
> 
> # enable decoding of the data link (or second level headers).
> #
> #config decode_data_link
> 
> # dump the application data
> #
> #config dump_payload
> 
> # dump the application data as chars only
> #
> #config dump_chars_only
> 
> # enable verbose dumping of payload information in log style output plugins.
> #
> #config dump_payload_verbose
> 
> # enable obfuscation of logged IP addresses.
> #
> #config obfuscate
> 
> # enable the year being shown in timestamps
> #
> #config show_year
> 
> # set the umask for all files created by the barnyard2 process (eg. log files).
> #
> #config umask: 066
> 
> # enable verbose logging
> #
> #config verbose
> 
> # quiet down some of the output
> #
> #config quiet
> 
> # define the full waldo filepath.
> #
> #config waldo_file: /tmp/waldo
> 
> # specificy the maximum length of the MPLS label chain
> #
> #config max_mpls_labelchain_len: 64
> 
> # specify the protocol (ie ipv4, ipv6, ethernet) that is encapsulated by MPLS.
> #
> #config mpls_payload_type: ipv4
> 
> # set the reference network or homenet which is predominantly used by the
> # log_ascii plugin.
> #
> #config reference_net: 192.168.0.0/24
> 
> #
> # CONTINOUS MODE
> #
> 
> # set the archive directory for use with continous mode
> #
> #config archivedir: /tmp
> 
> # when in operating in continous mode, only process new records and ignore any
> # existing unified files
> #
> #config process_new_records_only
> 
> 
> #
> # Step 2: setup the input plugins
> #
> 
> # this is not hard, only unified2 is supported ;)
> input unified2
> 
> 
> #
> # Step 3: setup the output plugins
> #
> 
> # alert_cef
> # ----------------------------------------------------------------------------
> #
> # Purpose:
> #  This output module provides the abilty to output alert information to a
> # remote network host as well as the local host using the open standard
> # Common Event Format (CEF).
> #
> # Arguments: host=hostname[:port], severity facility
> #            arguments should be comma delimited.
> #   host        - specify a remote hostname or IP with optional port number
> #                 this is only specific to WIN32 (and is not yet fully supported)
> #   severity    - as defined in RFC 3164 (eg. LOG_WARN, LOG_INFO)
> #   facility    - as defined in RFC 3164 (eg. LOG_AUTH, LOG_LOCAL0)
> #
> # Examples:
> #   output alert_cef
> #   output alert_cef: host=192.168.10.1
> #   output alert_cef: host=sysserver.com:1001
> #   output alert_cef: LOG_AUTH LOG_INFO
> #
> 
> # alert_bro
> # ----------------------------------------------------------------------------
> #
> # Purpose: Send alerts to a Bro-IDS instance.
> #
> # Arguments: hostname:port
> #
> # Examples:
> #   output alert_bro: 127.0.0.1:47757
> 
> # alert_fast
> # ----------------------------------------------------------------------------
> # Purpose: Converts data to an approximation of Snort's "fast alert" mode.
> #
> # Arguments: file <file>, stdout
> #            arguments should be comma delimited.
> #   file - specifiy alert file
> #   stdout - no alert file, just print to screen
> #
> # Examples:
> #   output alert_fast
> #   output alert_fast: stdout
> #
> output alert_fast: stdout
> 
> 
> # prelude: log to the Prelude Hybrid IDS system
> # ----------------------------------------------------------------------------
> #
> # Purpose:
> #  This output module provides logging to the Prelude Hybrid IDS system
> #
> # Arguments: profile=snort-profile
> #   snort-profile   - name of the Prelude profile to use (default is snort).
> #
> # Snort priority to IDMEF severity mappings:
> # high < medium < low < info
> #
> # These are the default mapped from classification.config:
> # info   = 4
> # low    = 3
> # medium = 2
> # high   = anything below medium
> #
> # Examples:
> #   output alert_prelude
> #   output alert_prelude: profile=snort-profile-name
> #
> 
> 
> # alert_syslog
> # ----------------------------------------------------------------------------
> #
> # Purpose:
> #  This output module provides the abilty to output alert information to local syslog
> #
> #   severity    - as defined in RFC 3164 (eg. LOG_WARN, LOG_INFO)
> #   facility    - as defined in RFC 3164 (eg. LOG_AUTH, LOG_LOCAL0)
> #
> # Examples:
> #   output alert_syslog
> #   output alert_syslog: LOG_AUTH LOG_INFO
> #
> 
> # syslog_full
> #-------------------------------
> # Available as both a log and alert output plugin.  Used to output data via TCP/UDP or LOCAL ie(syslog())
> # Arguments:
> #      sensor_name $sensor_name         - unique sensor name
> #      server $server                   - server the device will report to
> #      local                            - if defined, ignore all remote information and use syslog() to send message.
> #      protocol $protocol               - protocol device will report over (tcp/udp)
> #      port $port                       - destination port device will report to (default: 514)
> #      delimiters $delimiters           - define a character that will delimit message sections ex:  "|", will use | as mess)
> #      separators $separators           - define field separator included in each message ex: " " ,  will use space as field)
> #      operation_mode $operaion_mode    - default | complete : default mode is compatible with default snort syslog message,)
> #      log_priority   $log_priority     - used by local option for syslog priority call. (man syslog(3) for supported option)
> #      log_facility  $log_facility      - used by local option for syslog facility call. (man syslog(3) for supported option)
> #      payload_encoding                 - (default: hex)  support hex/ascii/base64 for log_syslog_full using operation_mode .
> 
> # Usage Examples:
> # output alert_syslog_full: sensor_name snortIds1-eth2, server xxx.xxx.xxx.xxx, protocol udp, port 514, operation_mode defaut
> # output alert_syslog_full: sensor_name snortIds1-eth2, server xxx.xxx.xxx.xxx, protocol udp, port 514, operation_mode comple
> # output log_syslog_full: sensor_name snortIds1-eth2, server xxx.xxx.xxx.xxx, protocol udp, port 514, operation_mode default
> # output log_syslog_full: sensor_name snortIds1-eth2, server xxx.xxx.xxx.xxx, protocol udp, port 514, operation_mode complete
> # output alert_syslog_full: sensor_name snortIds1-eth2, server xxx.xxx.xxx.xxx, protocol udp, port 514
> # output log_syslog_full: sensor_name snortIds1-eth2, server xxx.xxx.xxx.xxx, protocol udp, port 514
> # output alert_syslog_full: sensor_name snortIds1-eth2, local
> # output log_syslog_full: sensor_name snortIds1-eth2, local, log_priority LOG_CRIT,log_facility LOG_CRON
> 
> # log_ascii
> # ----------------------------------------------------------------------------
> #
> # Purpose: This output module provides the default packet logging funtionality
> #
> # Arguments: None.
> #
> # Examples:
> #   output log_ascii
> #
> 
> 
> # log_tcpdump
> # ----------------------------------------------------------------------------
> #
> # Purpose
> #  This output module logs packets in binary tcpdump format
> #
> # Arguments:
> #   The only argument is the output file name.
> #
> # Examples:
> #   output log_tcpdump: tcpdump.log
> #
> 
> 
> # sguil
> # ----------------------------------------------------------------------------
> #
> # Purpose: This output module provides logging ability for the sguil interface
> # See doc/README.sguil
> #
> # Arguments: agent_port <port>, sensor_name <name>
> #            arguments should be comma delimited.
> #   agent_port  - explicitly set the sguil agent listening port
> #                 (default: 7736)
> #   sensor_name - explicitly set the sensor name
> #                 (default: machine hostname)
> #
> # Examples:
> #   output sguil
> #   output sguil: agent_port=7000
> #   output sguil: sensor_name=argyle
> #   output sguil: agent_port=7000, sensor_name=argyle
> #
> 
> 
> # database: log to a variety of databases
> # ----------------------------------------------------------------------------
> #
> # Purpose: This output module provides logging ability to a variety of databases
> # See doc/README.database for additional information.
> #
> # Examples:
> #   output database: log, mysql, user=root password=test dbname=db host=localhost
> #   output database: alert, postgresql, user=snort dbname=snort
> #   output database: log, odbc, user=snort dbname=snort
> #   output database: log, mssql, dbname=snort user=snort password=test
> #   output database: log, oracle, dbname=snort user=snort password=test
> #
> 
> 
> # alert_fwsam: allow blocking of IP's through remote services
> # ----------------------------------------------------------------------------
> # output alert_fwsam: <SnortSam Station>:<port>/<key>
> #
> #  <FW Mgmt Station>:  IP address or host name of the host running SnortSam.
> #  <port>:         Port the remote SnortSam service listens on (default 898).
> #  <key>:              Key used for authentication (encryption really)
> #              of the communication to the remote service.
> #
> # Examples:
> #
> # output alert_fwsam: snortsambox/idspassword
> # output alert_fwsam: fw1.domain.tld:898/mykey
> # output alert_fwsam: 192.168.0.1/borderfw  192.168.1.254/wanfw
> #
> 
> [root-vmjoyabratag04-08:37:10-~]
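The reply above boils down to two checks before running barnyard2 against /var/log/snort: does the spool directory exist, and does snort.conf actually write unified2 into it? The script below is an added diagnostic for exactly those two points; it is not code from the thread or from the barnyard2/Snort projects. It assumes (as the Snort default) that a relative unified2 filename lands in Snort's log directory, /var/log/snort unless -l says otherwise, and that barnyard2's -d must name that same directory with -f giving the file base name.

```shell
#!/bin/sh
# Added diagnostic for the two questions in the reply; not code from the
# thread or from barnyard2/Snort. Assumptions: Snort writes a relative
# unified2 filename into its log directory (default /var/log/snort), and
# barnyard2 -d must point at that directory, with -f naming the file base.

# check_unified2_spool SPOOL_DIR SNORT_CONF [SNORT_LOGDIR]
#   SPOOL_DIR    the directory handed to barnyard2 -d
#   SNORT_CONF   the snort.conf the sensor runs with
#   SNORT_LOGDIR Snort's -l directory (defaults to SPOOL_DIR)
# Prints findings; returns 0 only when the directory exists and snort.conf
# writes unified2 records into it.
check_unified2_spool() {
    spool="${1%/}"; conf="$2"; logdir="${3:-$spool}"; logdir="${logdir%/}"
    rc=0
    if [ ! -d "$spool" ]; then
        echo "MISSING: '$spool' does not exist; create it and let snort write there"
        rc=1
    elif [ ! -r "$spool" ]; then
        echo "UNREADABLE: '$spool' exists but $(id -un) cannot read it"
        rc=1
    else
        echo "OK: spool directory '$spool' exists"
    fi
    if [ ! -r "$conf" ]; then
        echo "MISSING: cannot read snort config '$conf'"
        return 1
    fi
    # Drop comments, then find the unified2 output line (barnyard2 reads
    # nothing else; alert_fast/log_tcpdump output is useless to it).
    line=$(sed 's/#.*//' "$conf" | grep -E '^[[:space:]]*output[[:space:]]+unified2[[:space:]]*:' | head -n 1)
    if [ -z "$line" ]; then
        echo "MISSING: no 'output unified2:' line in '$conf'"
        return 1
    fi
    # Pull the "filename <base>" argument out of that line.
    fname=$(printf '%s\n' "$line" | sed -n 's/.*filename[[:space:]]*\([^,[:space:]]*\).*/\1/p')
    if [ -z "$fname" ]; then
        echo "BAD: unified2 line has no filename argument: $line"
        return 1
    fi
    case "$fname" in
        /*) dir=$(dirname "$fname") ;;   # absolute path: directory is explicit
        *)  dir="$logdir" ;;             # relative: lands in snort's log dir
    esac
    if [ "$dir" != "$spool" ]; then
        echo "MISMATCH: snort writes unified2 to '$dir' but barnyard2 reads '$spool'"
        rc=1
    else
        echo "OK: snort writes unified2 to '$spool'; start barnyard2 with -f $(basename "$fname")"
    fi
    return $rc
}
```

Run it as `check_unified2_spool /var/log/snort /etc/snort/snort.conf` as the user barnyard2 will run as, so the readability check reflects the real permissions.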