<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<style>
<!--
@font-face
        {font-family:Cambria}
@font-face
        {font-family:Calibri}
@font-face
        {font-family:Tahoma}
@font-face
        {font-family:Verdana}
@font-face
        {font-family:Consolas}
@font-face
        {font-family:"Times New Roman \, serif"}
p.MsoNormal, li.MsoNormal, div.MsoNormal
        {margin:0cm;
        margin-bottom:.0001pt;
        font-size:12.0pt;
        font-family:"Verdana","sans-serif";
        color:#434343}
h1
        {margin-top:24.0pt;
        margin-right:0cm;
        margin-bottom:0cm;
        margin-left:0cm;
        margin-bottom:.0001pt;
        page-break-after:avoid;
        font-size:16.0pt;
        font-family:"Verdana","sans-serif";
        color:#434343;
        font-weight:bold}
h2
        {margin-top:10.0pt;
        margin-right:0cm;
        margin-bottom:0cm;
        margin-left:0cm;
        margin-bottom:.0001pt;
        page-break-after:avoid;
        font-size:14.0pt;
        font-family:"Verdana","sans-serif";
        color:#434343;
        font-weight:normal}
h3
        {margin-top:10.0pt;
        margin-right:0cm;
        margin-bottom:0cm;
        margin-left:0cm;
        margin-bottom:.0001pt;
        page-break-after:avoid;
        font-size:13.0pt;
        font-family:"Verdana","sans-serif";
        color:#434343;
        font-weight:normal}
h4
        {margin-top:10.0pt;
        margin-right:0cm;
        margin-bottom:0cm;
        margin-left:0cm;
        margin-bottom:.0001pt;
        page-break-after:avoid;
        font-size:14.0pt;
        font-family:"Verdana","sans-serif";
        color:#434343;
        font-weight:normal}
h5
        {margin-top:10.0pt;
        margin-right:0cm;
        margin-bottom:0cm;
        margin-left:0cm;
        margin-bottom:.0001pt;
        page-break-after:avoid;
        font-size:13.0pt;
        font-family:"Verdana","sans-serif";
        color:#434343;
        font-weight:normal}
h6
        {margin-top:10.0pt;
        margin-right:0cm;
        margin-bottom:0cm;
        margin-left:0cm;
        margin-bottom:.0001pt;
        page-break-after:avoid;
        font-size:11.0pt;
        font-family:"Verdana","sans-serif";
        color:#434343;
        font-weight:normal}
a:link, span.MsoHyperlink
        {color:#148120;
        text-decoration:underline}
a:visited, span.MsoHyperlinkFollowed
        {color:#1E3C22;
        text-decoration:underline}
p
        {margin-right:0cm;
        margin-left:0cm;
        font-size:12.0pt;
        font-family:"Times New Roman","serif";
        color:black}
pre
        {margin:0cm;
        margin-bottom:.0001pt;
        font-size:10.0pt;
        font-family:"Courier New","serif";
        color:black}
tt
        {font-family:"Courier New","serif"}
p.MsoAcetate, li.MsoAcetate, div.MsoAcetate
        {margin:0cm;
        margin-bottom:.0001pt;
        font-size:8.0pt;
        font-family:"Tahoma","sans-serif";
        color:#434343}
span.Heading1Char
        {font-family:"Cambria","serif";
        color:#365F91;
        font-weight:bold}
span.Heading2Char
        {font-family:"Cambria","serif";
        color:#4F81BD;
        font-weight:bold}
span.Heading3Char
        {font-family:"Cambria","serif";
        color:#4F81BD;
        font-weight:bold}
span.Heading4Char
        {font-family:"Cambria","serif";
        color:#4F81BD;
        font-weight:bold;
        font-style:italic}
span.Heading5Char
        {font-family:"Cambria","serif";
        color:#243F60}
span.Heading6Char
        {font-family:"Cambria","serif";
        color:#243F60;
        font-style:italic}
span.BalloonTextChar
        {font-family:"Tahoma","sans-serif";
        color:#434343}
p.msochpdefault, li.msochpdefault, div.msochpdefault
        {margin-right:0cm;
        margin-left:0cm;
        font-size:12.0pt;
        font-family:"Calibri","sans-serif";
        color:black}
span.emailstyle17
        {color:#434343}
span.heading1char0
        {font-family:"Verdana","sans-serif";
        color:#434343;
        font-weight:bold}
span.heading2char0
        {font-family:"Verdana","sans-serif";
        color:#434343}
span.heading3char0
        {font-family:"Verdana","sans-serif";
        color:#434343}
span.heading4char0
        {font-family:"Verdana","sans-serif";
        color:#434343}
span.heading5char0
        {font-family:"Verdana","sans-serif";
        color:#434343}
span.heading6char0
        {font-family:"Verdana","sans-serif";
        color:#434343}
span.balloontextchar0
        {font-family:"Tahoma","sans-serif";
        color:#434343}
span.HTMLPreformattedChar
        {font-family:Consolas;
        color:#434343}
span.EmailStyle38
        {font-family:"Times New Roman","serif";
        color:black}
.MsoChpDefault
        {font-size:10.0pt}
@page WordSection1
        {margin:72.0pt 72.0pt 72.0pt 72.0pt}
div.WordSection1
        {}
-->
</style>
</head>
<body bgcolor="white" lang="EN-AU" link="#148120" vlink="#1E3C22">
<div class="WordSection1">
<p class="MsoNormal"><span style="font-family:"Times New Roman","serif"; color:black">Jan</span></p>
<p class="MsoNormal"><span style="font-family:"Times New Roman","serif"; color:black"> </span></p>
<p class="MsoNormal"><span style="font-family:"Times New Roman","serif"; color:black">Yes, I have alerts. I can see that because /var/log/snort/alert has alerts listed and /var/log/snort/p1p1/snort.log.1338857440 is growing.</span></p>
<p class="MsoNormal"><span style="font-family:"Times New Roman","serif"; color:black"> </span></p>
<p class="MsoNormal"><span style="font-family:"Times New Roman","serif"; color:black">Regards,</span></p>
<p class="MsoNormal"><span style="font-family:"Times New Roman","serif"; color:black"> </span></p>
<p class="MsoNormal"><span style="font-family:"Times New Roman","serif"; color:black">Michael</span></p>
<p class="MsoNormal"><span style="font-family:"Times New Roman","serif"; color:black"> </span></p>
<div>
<div style="border:none; border-top:solid #B5C4DF 1.0pt; padding:3.0pt 0cm 0cm 0cm">
<p class="MsoNormal"><b><span lang="EN-US" style="font-size:10.0pt; font-family:"Tahoma","sans-serif"; color:windowtext">From:</span></b><span lang="EN-US" style="font-size:10.0pt; font-family:"Tahoma","sans-serif"; color:windowtext"> Jan Seidl [mailto:lists@...15522...]
<br>
<b>Sent:</b> Tuesday, 5 June 2012 3:22 PM<br>
<b>To:</b> Michael Green<br>
<b>Subject:</b> Re: [Snort-users] Barnyard2 not writing to Mysql snorby DB</span></p>
</div>
</div>
<p class="MsoNormal"> </p>
<p class="MsoNormal"><tt><span style="font-size:10.0pt">Michael,</span></tt><span style="font-size:10.0pt; font-family:"Courier New","serif""><br>
<br>
<tt>Have you got any rules enabled?</tt><br>
<br>
<tt>Did you take any action that could trigger an event?</tt><br>
<br>
<tt>Under normal (safe) traffic, it is normal to have no events.</tt><br>
</span><br>
On 06/05/2012 01:17 AM, Michael Green wrote: </p>
<div>
<p class="MsoNormal">Hi</p>
<p class="MsoNormal"> </p>
<p class="MsoNormal">I’ve just configured snort Version 2.9.2.3 in a test environment in preparation for upgrading my production server.</p>
<p class="MsoNormal"> </p>
<p class="MsoNormal">I have it configured for unified2 output and have barnyard2 configured to output to mysql:</p>
<p class="MsoNormal"> </p>
<p class="MsoNormal" style="margin-left:36.0pt"><span style="font-size:10.0pt; font-family:"Courier New","serif"">##  /etc/snort/p1p1/barnyard2.conf</span></p>
<p class="MsoNormal" style="margin-left:36.0pt"><span style="font-size:10.0pt; font-family:"Courier New","serif"">output database: log, mysql, user=<b><i>xxx</i></b> password=<b><i>password</i></b> dbname=snorby host=127.0.0.1 port=3306</span></p>
<p class="MsoNormal" style="margin-bottom:.75pt"> </p>
<p class="MsoNormal" style="margin-bottom:.75pt">My snort start command:</p>
<p class="MsoNormal" style="margin-right:0cm; margin-bottom:.75pt; margin-left:36.0pt">
<span style="font-size:10.0pt; font-family:"Courier New","serif"">/usr/local/bin/snort -u snort -g snort -i p1p1 -c /etc/snort/p1p1/snort.conf -D</span></p>
<p class="MsoNormal" style="margin-bottom:.75pt"> </p>
<p class="MsoNormal" style="margin-bottom:.75pt">My barnyard2 start command:</p>
<p class="MsoNormal" style="margin-right:0cm; margin-bottom:.75pt; margin-left:36.0pt">
<span style="font-size:10.0pt; font-family:"Courier New","serif"">/usr/local/bin/barnyard2 -c /etc/snort/p1p1/barnyard2.conf -u snort -g snort -d /var/log/snort/p1p1 -f snort.log -w /var/log/snort/p1p1/waldo -D</span></p>
<p class="MsoNormal" style="margin-bottom:.75pt"> </p>
<p class="MsoNormal" style="margin-bottom:.75pt">Snort is alerting:</p>
<p class="MsoNormal" style="margin-right:0cm; margin-bottom:.75pt; margin-left:36.0pt">
<span style="font-size:10.0pt; font-family:"Courier New","serif"">New-ids 13:37:02 /var/log/snort/p1p1</span></p>
<p class="MsoNormal" style="margin-right:0cm; margin-bottom:.75pt; margin-left:36.0pt">
<span style="font-size:10.0pt; font-family:"Courier New","serif"">root # ls -la /var/log/snort/p1p1</span></p>
<p class="MsoNormal" style="margin-right:0cm; margin-bottom:.75pt; margin-left:36.0pt">
<span style="font-size:10.0pt; font-family:"Courier New","serif"">total 24</span></p>
<p class="MsoNormal" style="margin-right:0cm; margin-bottom:.75pt; margin-left:36.0pt">
<span style="font-size:10.0pt; font-family:"Courier New","serif"">drwxr-xr-x. 2 snort snort 4096 Jun  5 11:05 .</span></p>
<p class="MsoNormal" style="margin-right:0cm; margin-bottom:.75pt; margin-left:36.0pt">
<span style="font-size:10.0pt; font-family:"Courier New","serif"">drwxr-xr-x. 3 snort snort 4096 Jun  1 14:34 ..</span></p>
<p class="MsoNormal" style="margin-right:0cm; margin-bottom:.75pt; margin-left:36.0pt">
<span style="font-size:10.0pt; font-family:"Courier New","serif"">-rw-------. 1 snort snort   96 Jun  5 10:18 snort.log.1338854746</span></p>
<p class="MsoNormal" style="margin-right:0cm; margin-bottom:.75pt; margin-left:36.0pt">
<span style="font-size:10.0pt; font-family:"Courier New","serif"">-rw-------. 1 snort snort 8011 Jun  5 12:43 snort.log.1338857440</span></p>
<p class="MsoNormal" style="margin-right:0cm; margin-bottom:.75pt; margin-left:36.0pt">
<span style="font-size:10.0pt; font-family:"Courier New","serif"">-rw-r--r--. 1 snort snort 2056 Jun  5 12:43 waldo</span></p>
<p class="MsoNormal" style="margin-bottom:.75pt"> </p>
<p class="MsoNormal" style="margin-bottom:.75pt">And Barnyard2 is seeing the alerts. Relevant section from /var/log/messages follows:</p>
<p class="MsoNormal" style="margin-right:0cm; margin-bottom:.75pt; margin-left:36.0pt">
<span style="font-size:10.0pt; font-family:"Courier New","serif"">Jun  5 11:14:30 New-ids barnyard2[1995]: database: using the "log" facility</span></p>
<p class="MsoNormal" style="margin-right:0cm; margin-bottom:.75pt; margin-left:36.0pt">
<span style="font-size:10.0pt; font-family:"Courier New","serif"">Jun  5 11:14:30 New-ids barnyard2[1995]:</span></p>
<p class="MsoNormal" style="margin-right:0cm; margin-bottom:.75pt; margin-left:36.0pt">
<span style="font-size:10.0pt; font-family:"Courier New","serif"">Jun  5 11:14:30 New-ids barnyard2[1995]:         --== Initialization Complete ==--</span></p>
<p class="MsoNormal" style="margin-right:0cm; margin-bottom:.75pt; margin-left:36.0pt">
<span style="font-size:10.0pt; font-family:"Courier New","serif"">Jun  5 11:14:30 New-ids barnyard2[1995]: Barnyard2 initialization completed successfully (pid=1995)</span></p>
<p class="MsoNormal" style="margin-right:0cm; margin-bottom:.75pt; margin-left:36.0pt">
<span style="font-size:10.0pt; font-family:"Courier New","serif"">Jun  5 11:14:30 New-ids barnyard2[1995]: Using waldo file '/var/log/snort/p1p1/waldo':#012   
</span></p>
<p class="MsoNormal" style="margin-right:0cm; margin-bottom:.75pt; margin-left:36.0pt">
<span style="font-size:10.0pt; font-family:"Courier New","serif"">      spool directory = /var/log/snort/p1p1#012   
</span></p>
<p class="MsoNormal" style="margin-right:0cm; margin-bottom:.75pt; margin-left:36.0pt">
<span style="font-size:10.0pt; font-family:"Courier New","serif"">      spool filebase  = snort.log#012   
</span></p>
<p class="MsoNormal" style="margin-right:0cm; margin-bottom:.75pt; margin-left:36.0pt">
<span style="font-size:10.0pt; font-family:"Courier New","serif"">      time_stamp      = 1338857440#012   
</span></p>
<p class="MsoNormal" style="margin-right:0cm; margin-bottom:.75pt; margin-left:36.0pt">
<span style="font-size:10.0pt; font-family:"Courier New","serif"">      record_idx      = 0</span></p>
<p class="MsoNormal" style="margin-right:0cm; margin-bottom:.75pt; margin-left:36.0pt">
<span style="font-size:10.0pt; font-family:"Courier New","serif"">Jun  5 11:14:30 New-ids barnyard2[1995]: Opened spool file '/var/log/snort/p1p1/snort.log.1338857440'</span></p>
<p class="MsoNormal" style="margin-right:0cm; margin-bottom:.75pt; margin-left:36.0pt">
<span style="font-size:10.0pt; font-family:"Courier New","serif"">Jun  5 11:14:30 New-ids barnyard2[1995]: Waiting for new data</span></p>
<p class="MsoNormal" style="margin-bottom:.75pt"> </p>
<p class="MsoNormal" style="margin-bottom:.75pt">But nothing is being written to my mysql snorby DB?</p>
<p class="MsoNormal" style="margin-bottom:.75pt"> </p>
<p class="MsoNormal" style="margin-bottom:.75pt">I can log into mysql using the required credentials</p>
<p class="MsoNormal" style="margin-right:0cm; margin-bottom:.75pt; margin-left:36.0pt">
<span style="font-size:10.0pt; font-family:"Courier New","serif"">mysql -u xxx -p snorby</span></p>
<p class="MsoNormal" style="margin-bottom:.75pt"><span style="font-family:"Times New Roman , serif","serif""> </span></p>
<p class="MsoNormal" style="margin-bottom:.75pt">but nothing is written.</p>
<p class="MsoNormal" style="margin-right:0cm; margin-bottom:.75pt; margin-left:36.0pt">
<span style="font-size:10.0pt; font-family:"Courier New","serif"">mysql> select * from event;</span></p>
<p class="MsoNormal" style="margin-right:0cm; margin-bottom:.75pt; margin-left:36.0pt">
<span style="font-size:10.0pt; font-family:"Courier New","serif"">Empty set (0.00 sec)</span></p>
<p class="MsoNormal" style="margin-bottom:.75pt"> </p>
<p class="MsoNormal" style="margin-bottom:.75pt">I’m now lost, and would appreciate some guidance. What should I do next?</p>
<p class="MsoNormal" style="margin-bottom:.75pt"> </p>
<p class="MsoNormal" style="margin-bottom:.75pt">Regards,</p>
<p class="MsoNormal" style="margin-bottom:.75pt"> </p>
<p class="MsoNormal" style="margin-bottom:.75pt">Michael</p>
<div style="margin-bottom:.75pt">
<div class="MsoNormal"><span style="font-family:"Times New Roman , serif","serif"">
<hr size="1" width="600" noshade="" align="left" style="width:450.0pt; color:#FE9C22">
</span></div>
</div>
<p class="MsoNormal"><b><span style="font-size:8.5pt; font-family:"Arial","sans-serif"; color:#0B2057">Michael Green | Senior Network Engineer | GBST</span></b><b><span style="font-size:7.5pt; font-family:"Times New Roman","serif"; color:#0B2057"><br>
</span></b><a href="http://www.gbst.com/">GBST</a></p>
</div>
<p style="line-height:9.0pt"><span style="font-size:8.0pt; font-family:"Cambria","serif"">The information transmitted is intended only for the person or entity to which it is addressed and may contain confidential and / or privileged material that may be governed
 by confidential information provisions contained in the agreement between GBST and your company. Any disclosure, copying, distribution, or other use without the express consent of the sender is prohibited. If you received this in error, please contact the
 sender and delete the material from any computer. All rights in the information transmitted, including copyright, are reserved. Nothing in this message should be interpreted as a digital signature that can be used to authenticate a document. No warranty is
 given by the sender that any attachments to this email are free from viruses or other defects.
</span></p>
<pre>_______________________________________________</pre>
<pre>Snort-users mailing list</pre>
<pre><a href="mailto:Snort-users@lists.sourceforge.net">Snort-users@lists.sourceforge.net</a></pre>
<pre>Go to this URL to change user options or unsubscribe:</pre>
<pre><a href="https://lists.sourceforge.net/lists/listinfo/snort-users">https://lists.sourceforge.net/lists/listinfo/snort-users</a></pre>
<pre>Snort-users list archive:</pre>
<pre><a href="http://www.geocrawler.com/redir-sf.php3?list=snort-users">http://www.geocrawler.com/redir-sf.php3?list=snort-users</a></pre>
<pre> </pre>
<pre>Please visit <a href="http://blog.snort.org">http://blog.snort.org</a> to stay current on all the latest Snort news!</pre>
</div>
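<p class="MsoNormal">As an added diagnostic example (not code from this thread or from barnyard2 itself), the script below reads the two files named in the log excerpt above, the unified2 spool that Snort writes and the waldo bookmark that barnyard2 keeps, and compares the number of records on disk with the record_idx barnyard2 has checkpointed; a growing spool with a record_idx stuck at 0 means the events are never reaching the database output plugin. The waldo layout (two 1024-byte strings followed by two native uint32s, which matches the 2056-byte file in the listing), the record-type constant, the file names and all sample data are assumptions or constructed values.</p>

```python
"""Compare a Snort unified2 spool file with barnyard2's waldo bookmark.
Each unified2 record is an 8-byte header (type, length; network byte order)
followed by the record body. The waldo layout below is an assumption."""
import struct

UNIFIED2_IDS_EVENT = 7      # legacy IPv4 IDS event record type
WALDO_STD_BUF = 1024        # assumed width of each string field in the waldo


def parse_unified2(data: bytes) -> list:
    """Return (type, length) for each complete record; stop at a partial one."""
    records, off = [], 0
    while off + 8 <= len(data):
        rtype, rlen = struct.unpack_from("!II", data, off)
        if off + 8 + rlen > len(data):
            break           # Snort is still writing this record
        records.append((rtype, rlen))
        off += 8 + rlen
    return records


def parse_waldo(data: bytes) -> dict:
    """Decode barnyard2's bookmark into its four fields (assumed layout)."""
    if len(data) != 2 * WALDO_STD_BUF + 8:
        raise ValueError("unexpected waldo size %d" % len(data))
    fmt = "=%ds%dsII" % (WALDO_STD_BUF, WALDO_STD_BUF)
    spool_dir, filebase, ts, idx = struct.unpack(fmt, data)
    return {"spool_dir": spool_dir.split(b"\0", 1)[0].decode(),
            "spool_filebase": filebase.split(b"\0", 1)[0].decode(),
            "time_stamp": ts, "record_idx": idx}


def backlog(spool: bytes, waldo: bytes) -> dict:
    """Records on disk versus the index barnyard2 has checkpointed."""
    recs, w = parse_unified2(spool), parse_waldo(waldo)
    return {"records": len(recs),
            "events": sum(1 for t, _ in recs if t == UNIFIED2_IDS_EVENT),
            "processed": w["record_idx"],
            "pending": len(recs) - w["record_idx"]}


def build_event(event_id: int, sid: int) -> bytes:
    """Constructed 52-byte legacy IPv4 event record for the sample spool."""
    body = struct.pack("!11I2H4B", 1, event_id, 1338857440, 0, sid, 1, 1, 1, 1,
                       0x0A000001, 0x0A000002, 12345, 80, 6, 0, 0, 0)
    return struct.pack("!II", UNIFIED2_IDS_EVENT, len(body)) + body


# Constructed sample: two events plus a half-written header at the tail,
# and a waldo like the one logged in the thread (record_idx = 0).
SAMPLE_SPOOL = build_event(1, 1000001) + build_event(2, 1000002) + b"\0\0\0\7"
SAMPLE_WALDO = struct.pack("=1024s1024sII", b"/var/log/snort/p1p1",
                           b"snort.log", 1338857440, 0)

if __name__ == "__main__":
    import sys  # usage: python3 spoolcheck.py snort.log.<timestamp> waldo
    files = [open(p, "rb").read() for p in sys.argv[1:3]]
    print(backlog(*files) if len(files) == 2 else backlog(SAMPLE_SPOOL, SAMPLE_WALDO))
```

Run it against the real spool and waldo from the listing: if "records" keeps growing while "processed" stays at 0, barnyard2 is reading nothing and the problem is upstream of the MySQL plugin.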
</body>
</html>