<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
<meta name="Generator" content="Microsoft Word 14 (filtered medium)">
<!--[if !mso]><style>v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
</style><![endif]--><style><!--
/* Font Definitions */
@font-face
        {font-family:Calibri;
        panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
        {font-family:Tahoma;
        panose-1:2 11 6 4 3 5 4 4 2 4;}
@font-face
        {font-family:Georgia;
        panose-1:2 4 5 2 5 4 5 2 3 3;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
        {margin:0in;
        margin-bottom:.0001pt;
        font-size:12.0pt;
        font-family:"Times New Roman","serif";}
a:link, span.MsoHyperlink
        {mso-style-priority:99;
        color:blue;
        text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
        {mso-style-priority:99;
        color:purple;
        text-decoration:underline;}
p
        {mso-style-priority:99;
        mso-margin-top-alt:auto;
        margin-right:0in;
        mso-margin-bottom-alt:auto;
        margin-left:0in;
        font-size:12.0pt;
        font-family:"Times New Roman","serif";}
p.MsoAcetate, li.MsoAcetate, div.MsoAcetate
        {mso-style-priority:99;
        mso-style-link:"Balloon Text Char";
        margin:0in;
        margin-bottom:.0001pt;
        font-size:8.0pt;
        font-family:"Tahoma","sans-serif";}
span.BalloonTextChar
        {mso-style-name:"Balloon Text Char";
        mso-style-priority:99;
        mso-style-link:"Balloon Text";
        font-family:"Tahoma","sans-serif";}
p.ecxmsonormal, li.ecxmsonormal, div.ecxmsonormal
        {mso-style-name:ecxmsonormal;
        mso-style-priority:99;
        mso-margin-top-alt:auto;
        margin-right:0in;
        mso-margin-bottom-alt:auto;
        margin-left:0in;
        font-size:12.0pt;
        font-family:"Times New Roman","serif";}
p.ecxmsoacetate, li.ecxmsoacetate, div.ecxmsoacetate
        {mso-style-name:ecxmsoacetate;
        mso-style-priority:99;
        mso-margin-top-alt:auto;
        margin-right:0in;
        mso-margin-bottom-alt:auto;
        margin-left:0in;
        font-size:12.0pt;
        font-family:"Times New Roman","serif";}
p.ecxmsochpdefault, li.ecxmsochpdefault, div.ecxmsochpdefault
        {mso-style-name:ecxmsochpdefault;
        mso-style-priority:99;
        mso-margin-top-alt:auto;
        margin-right:0in;
        mso-margin-bottom-alt:auto;
        margin-left:0in;
        font-size:12.0pt;
        font-family:"Times New Roman","serif";}
p.ecxmsonormal1, li.ecxmsonormal1, div.ecxmsonormal1
        {mso-style-name:ecxmsonormal1;
        mso-style-priority:99;
        mso-margin-top-alt:auto;
        margin-right:0in;
        mso-margin-bottom-alt:auto;
        margin-left:0in;
        font-size:12.0pt;
        font-family:"Times New Roman","serif";}
p.ecxmsoacetate1, li.ecxmsoacetate1, div.ecxmsoacetate1
        {mso-style-name:ecxmsoacetate1;
        mso-style-priority:99;
        mso-margin-top-alt:auto;
        margin-right:0in;
        mso-margin-bottom-alt:auto;
        margin-left:0in;
        font-size:8.0pt;
        font-family:"Tahoma","sans-serif";}
p.ecxmsochpdefault1, li.ecxmsochpdefault1, div.ecxmsochpdefault1
        {mso-style-name:ecxmsochpdefault1;
        mso-style-priority:99;
        mso-margin-top-alt:auto;
        margin-right:0in;
        mso-margin-bottom-alt:auto;
        margin-left:0in;
        font-size:10.0pt;
        font-family:"Times New Roman","serif";}
span.ecxmsohyperlink
        {mso-style-name:ecxmsohyperlink;}
span.ecxmsohyperlinkfollowed
        {mso-style-name:ecxmsohyperlinkfollowed;}
span.ecxemailstyle18
        {mso-style-name:ecxemailstyle18;}
span.ecxballoontextchar
        {mso-style-name:ecxballoontextchar;}
span.ecxmsohyperlink1
        {mso-style-name:ecxmsohyperlink1;
        color:blue;
        text-decoration:underline;}
span.ecxmsohyperlinkfollowed1
        {mso-style-name:ecxmsohyperlinkfollowed1;
        color:purple;
        text-decoration:underline;}
span.ecxemailstyle181
        {mso-style-name:ecxemailstyle181;
        font-family:"Calibri","sans-serif";
        color:#1F497D;}
span.ecxballoontextchar1
        {mso-style-name:ecxballoontextchar1;
        font-family:"Tahoma","sans-serif";}
span.EmailStyle34
        {mso-style-type:personal;
        font-family:"Calibri","sans-serif";
        color:#1F497D;}
span.EmailStyle35
        {mso-style-type:personal-reply;
        font-family:"Calibri","sans-serif";
        color:#1F497D;}
.MsoChpDefault
        {mso-style-type:export-only;
        font-size:10.0pt;}
@page WordSection1
        {size:8.5in 11.0in;
        margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
        {page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-US" link="blue" vlink="purple">
<div class="WordSection1">
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Sorry, 1 instance with the options. 
<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;;color:#1F497D">snortd is the script that starts the service; it is what was copied from the install doc. The options are passed in from this script, and I am not sure how to change that. I thought it would set the options based on snort.conf.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">snortd<o:p></o:p></span></p>
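<!-- snortd init script quoted verbatim from the sender's message. It is shown in a
     pre/code block because the original one-p-per-line markup collapses leading
     whitespace, so the script's indentation and line structure were lost when
     rendered. The two /usr/sbin/snort command lines that the mail client had
     soft-wrapped after $PASS_FIRST are re-joined here: in the script they are
     single lines, and a line break there would turn "$BPFFILE $BPF" into a
     separate command. Reviewer note on the script itself: "stop" terminates by
     process name (killall snort) rather than by a recorded PID, and every "start"
     runs an unquoted, recursive chown over $LOGDIR as the invoking user. -->
<pre style="font-size:11.0pt;color:#1F497D"><code>#!/bin/sh
# $Id$
#
# snortd         Start/Stop the snort IDS daemon.
#
# chkconfig: 2345 40 60
# description:  snort is a lightweight network intrusion detection tool that \
#                currently detects more than 1100 host and network \
#                vulnerabilities, portscans, backdoors, and more.
#
# Source the local configuration file
. /etc/default/snort
# Convert the /etc/sysconfig/snort settings to something snort can
# use on the startup line.
if [ "$ALERTMODE"X = "X" ]; then
  ALERTMODE=""
else
  ALERTMODE="-A $ALERTMODE"
fi
if [ "$USER"X = "X" ]; then
  USER="snort"
fi
if [ "$GROUP"X = "X" ]; then
  GROUP="snort"
fi
if [ "$BINARY_LOG"X = "1X" ]; then
  BINARY_LOG="-b"
else
  BINARY_LOG=""
fi
if [ "$CONF"X = "X" ]; then
  CONF="-c /etc/snort/snort.conf"
else
  CONF="-c $CONF"
fi
if [ "$INTERFACE"X = "X" ]; then
  INTERFACE="-i eth0"
else
  INTERFACE="-i $INTERFACE"
fi
if [ "$DUMP_APP"X = "1X" ]; then
  DUMP_APP="-d"
else
  DUMP_APP=""
fi
if [ "$NO_PACKET_LOG"X = "1X" ]; then
  NO_PACKET_LOG="-N"
else
  NO_PACKET_LOG=""
fi
if [ "$PRINT_INTERFACE"X = "1X" ]; then
  PRINT_INTERFACE="-I"
else
  PRINT_INTERFACE=""
fi
if [ "$PASS_FIRST"X = "1X" ]; then
  PASS_FIRST="-o"
else
  PASS_FIRST=""
fi
if [ "$LOGDIR"X = "X" ]; then
  LOGDIR=/var/log/snort
fi
# These are used by the 'stats' option
if [ "$SYSLOG"X = "X" ]; then
  SYSLOG=/var/log/messages
fi
if [ "$SECS"X = "X" ]; then
  SECS=5
fi
if [ ! "$BPFFILE"X = "X" ]; then
  BPFFILE="-F $BPFFILE"
fi
######################################
# Now to the real heart of the matter:
# See how we were called.
case "$1" in
start)
       echo -n "Starting snort: "
       cd $LOGDIR
       if [ "$INTERFACE" = "-i ALL" ]; then
          for i in `cat /proc/net/dev|grep eth|awk -F ":" '{ print $1; }'`
          do
               mkdir -p "$LOGDIR/$i"
               chown -R $USER:$GROUP $LOGDIR
               /usr/sbin/snort $ALERTMODE $BINARY_LOG $NO_PACKET_LOG $DUMP_APP -D $PRINT_INTERFACE -i $i -u $USER -g $GROUP $CONF -l $LOGDIR/$i $PASS_FIRST $BPFFILE $BPF
          done
       else
             for i in `echo $INTERFACE | sed s/"-i "//`
               do
                 mkdir -p "$LOGDIR/$i"
                 chown -R $USER:$GROUP $LOGDIR
                 /usr/sbin/snort $ALERTMODE $BINARY_LOG $NO_PACKET_LOG $DUMP_APP -D $PRINT_INTERFACE -i $i -u $USER -g $GROUP $CONF -l $LOGDIR/$i $PASS_FIRST $BPFFILE $BPF
            done
       fi
       touch /var/lock/snort
       echo
       ;;
stop)
       echo -n "Stopping snort: "
       killall snort
       rm -f /var/lock/snort
       echo
       ;;
reload)
       echo "Sorry, not implemented yet"
       ;;
restart)
       $0 stop
       $0 start
       ;;
condrestart)
       [ -e /var/lock/snort ] &amp;&amp; $0 restart
       ;;
status)
       status snort
       ;;
stats)
       TC=125                          # Trailing context to grep
       SNORTNAME='snort'               # Process name to look for
       if [ ! -x "/sbin/pidof" ]; then
          echo "/sbin/pidof not present, sorry, I cannot go on like this!"
          exit 1
       fi
       #Grab Snort's PID
       PID=`pidof -o $$ -o $PPID -o %PPID -x ${SNORTNAME}`
       if [ ! -n "$PID" ]; then        # if we got no PID then:
          echo "No PID found: ${SNORTNAME} must not running."
          exit 2
       fi
       echo ""
       echo "*******"
       echo "WARNING:  This feature is EXPERIMENTAL - please report errors!"
       echo "*******"
       echo ""
       echo "You can also run: $0 stats [long | opt]"
       echo ""
       echo "Dumping ${SNORTNAME}'s ($PID) statistics"
       echo "please wait..."
       # Get the date and tell Snort to dump stats as close together in
       # time as possible--not 100%, but it seems to work.
       startdate=`date '+%b %e %H:%M:%S'`
       # This causes the stats to be dumped to syslog
       kill -USR1 $PID
       # Sleep for $SECS secs to give syslog a chance to catch up
       # May need to be adjusted for slow/busy systems
       sleep $SECS
       if [ "$2" = "long" ]; then              # Long format
           egrep -B 3 -A $TC "^$startdate .* snort.*: ={79}" $SYSLOG | \
               grep snort.*:
       elif [ "$2" = "opt" ]; then             # OPTimize format
          # Just show stuff useful for optimizing Snort
           egrep -B 3 -A $TC "^$startdate .* snort.*: ={79}" $SYSLOG | \
               egrep "snort.*: Snort analyzed |snort.*: dropping|emory .aults:"
       else                                    # Default format
           egrep -B 3 -A $TC "^$startdate .* snort.*: ={79}" $SYSLOG | \
               grep snort.*: | cut -d: -f4-
       fi
       ;;
*)
       echo "Usage: $0 {start|stop|reload|restart|condrestart|status|stats (long|opt)}"
       exit 2
esac
exit 0
</code></pre>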
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;;color:#1F497D">Multiple instances of snort are news to me. I see the output that you are referring to, but I am not sure how that was created. I just restarted the system and still got 2 instances, so it must be something on startup.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">snort     1375 72.2  7.9 633888 321640 ?       Rsl  13:28   6:18 /usr/sbin/snort -A fast -b -d -D -i eth0 -u snort -g snort -c /etc/snort/snort.conf -l /var/log/snort/eth0<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">root      1519  0.0  0.9 138788 36900 ?        Ss   13:28   0:00 barnyard2 -D -c /etc/snort/barnyard.conf -d /var/log/snort/eth0 -w /var/log/snort/eth0/barnyard2.waldo
 -l /var/log/snort/eth0 -a /var/log/snort/eth0/archive -f snort.log -X /var/lock/barnyard2-eth0.pid
<o:p></o:p></span></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<div>
<div>
<p class="MsoNormal"><span style="font-family:"Calibri","sans-serif"">></span><span style="font-size:11.5pt;font-family:"Calibri","sans-serif";color:#444444;background:white">Did not recreate the waldo file.</span><span style="font-family:"Calibri","sans-serif""><o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-family:"Calibri","sans-serif""><o:p> </o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-family:"Calibri","sans-serif"">Try stopping Barnyard2 and run it again. If it still does not create them, you can create them yourself by touch /path/to /waldo/barnayrd2.waldo<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-family:"Calibri","sans-serif""><o:p> </o:p></span></p>
</div>
<p class="MsoNormal"><span style="font-family:"Calibri","sans-serif"">></span><span style="font-size:11.5pt;font-family:"Calibri","sans-serif";color:#1F497D">Do get repeated:</span><span style="font-family:"Calibri","sans-serif""><o:p></o:p></span></p>
<div>
<p class="MsoNormal"><span style="font-family:"Calibri","sans-serif""><o:p> </o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-family:"Calibri","sans-serif"">This because you deleted the the waldo file, Barnyard2 goes through all of the logs attempting to read them. The waldo file allows Barnyard2 to keep track of these logs.<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-family:"Calibri","sans-serif""><o:p> </o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-family:"Calibri","sans-serif"">></span><span style="font-size:11.5pt;font-family:"Calibri","sans-serif";color:#1F497D">Apr 21 12:28:22 rlicsnortids1 snort[1321]: S5: Pruned 5 sessions from cache for memcap. 5195 ssns remain. 
 memcap: 8387389/8388608</span><span style="font-family:"Calibri","sans-serif""><o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-family:"Calibri","sans-serif""><o:p> </o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-family:"Calibri","sans-serif"">This is because you are running the stream5 preprocessor with the default memcap. It is a good practice to change the default values; based on your network of course.<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-family:"Calibri","sans-serif""><o:p> </o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-family:"Calibri","sans-serif"">></span><span style="font-size:11.5pt;font-family:"Calibri","sans-serif";color:#1F497D;background:white">Did not do this yet.</span><span style="font-family:"Calibri","sans-serif""><o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-family:"Calibri","sans-serif""><o:p> </o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-family:"Calibri","sans-serif"">Thats ok, probably you won't need to.<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-family:"Calibri","sans-serif""><o:p> </o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-family:"Calibri","sans-serif"">></span><span style="font-size:11.5pt;font-family:"Calibri","sans-serif";color:#1F497D">ps aux|grep snort</span><span style="font-family:"Calibri","sans-serif""><o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-family:"Calibri","sans-serif""><o:p> </o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-family:"Calibri","sans-serif"">From the output, it seems that you are running multiple instances of Snort and Barnyard2. If thats the case, there various considerations that you need to look at:<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-family:"Calibri","sans-serif"">1. Mutiple Snort configurations, specifically when monitoring multiple network segments.<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-family:"Calibri","sans-serif"">2. Packet load balancing (PF_RING). As far as I know, running multiple instances of Snort without packet load balancing, will not achieve what you are trying to do. Please, correct me if
 I am wrong.<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-family:"Calibri","sans-serif"">3. Multiple instances of Snort and Barnyard2 would require appropriate directory segregation of output files/directories. The same goes for waldo files.<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-family:"Calibri","sans-serif""><o:p> </o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-family:"Calibri","sans-serif"">></span><span style="font-size:11.5pt;font-family:"Calibri","sans-serif";color:#1F497D">/usr/sbin/snort -A fast -b -d -D -i eth0 -u snort -g snort -c /etc/snort/snort.conf -l /var/log/snort/eth0</span><span style="font-family:"Calibri","sans-serif""><o:p></o:p></span></p>
<div>
<p class="MsoNormal"><span style="font-family:"Calibri","sans-serif""><o:p> </o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-family:"Calibri","sans-serif"">From the command, you are overriding the output mechanism specified in snort.conf file. Any command line argument will override its counterpart in the snort.conf file as stated in Snort manual.
 So in your case, you are outputting Snort's fast logs, and not unified2 logs. This is why Barnyard2 is not able to read them.<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-family:"Calibri","sans-serif""><o:p> </o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-family:"Calibri","sans-serif"">Hope this helps.<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal" style="margin-bottom:12.0pt"><span style="font-family:"Calibri","sans-serif"">YM<o:p></o:p></span></p>
<div class="MsoNormal" align="center" style="text-align:center"><span style="font-family:"Calibri","sans-serif"">
<hr size="2" width="100%" align="center">
</span></div>
<p class="MsoNormal" style="margin-bottom:12.0pt"><span style="font-family:"Calibri","sans-serif"">From: SGierczak@...16793.....<br>
To: snort@...15979...<br>
CC: snort-users@lists.sourceforge.net<br>
Subject: RE: [Snort-users] AANVAL or MYSQL question<br>
Date: Tue, 22 Apr 2014 17:09:42 +0000<o:p></o:p></span></p>
<div>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"> </span><span style="font-family:"Calibri","sans-serif""><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"> </span><span style="font-family:"Calibri","sans-serif""><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Did as suggested:</span><span style="font-family:"Calibri","sans-serif""><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-family:"Calibri","sans-serif"">> Apr 21 12:44:09 rlicsnortids1 barnyard2[2015]: WARNING: Ignoring corrupt/truncated waldofile '/var/log/snort/eth0/barnyard2.waldo'<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-family:"Calibri","sans-serif""> <o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.5pt;font-family:"Calibri","sans-serif";color:#444444;background:white">If its possible, stop Snort and Barnyard2, and then delete the waldo. Barnyard2 will create a new one for you.  Did not recreate the waldo
 file.</span><span style="font-family:"Calibri","sans-serif""><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-family:"Calibri","sans-serif""> <o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Apr 22 12:01:11 rlicsnortids1 snort[3514]:         --== Initialization Complete ==--</span><span style="font-family:"Calibri","sans-serif""><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Apr 22 12:01:11 rlicsnortids1 snort[3514]: Commencing packet processing (pid=3514)</span><span style="font-family:"Calibri","sans-serif""><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Apr 22 12:01:11 rlicsnortids1 snort[3514]: Commencing packet processing (pid=3514)</span><span style="font-family:"Calibri","sans-serif""><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Apr 22 12:01:24 rlicsnortids1 barnyard2[3520]: Running in Continuous mode</span><span style="font-family:"Calibri","sans-serif""><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Apr 22 12:01:24 rlicsnortids1 barnyard2[3520]:</span><span style="font-family:"Calibri","sans-serif""><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Apr 22 12:01:24 rlicsnortids1 barnyard2[3520]:         --== Initializing Barnyard2 ==--</span><span style="font-family:"Calibri","sans-serif""><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Apr 22 12:01:24 rlicsnortids1 barnyard2[3520]: Initializing Input Plugins!</span><span style="font-family:"Calibri","sans-serif""><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Apr 22 12:01:24 rlicsnortids1 barnyard2[3520]: Initializing Output Plugins!</span><span style="font-family:"Calibri","sans-serif""><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Apr 22 12:01:24 rlicsnortids1 barnyard2[3520]: Parsing config file "/etc/snort/barnyard.conf"</span><span style="font-family:"Calibri","sans-serif""><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Apr 22 12:01:26 rlicsnortids1 barnyard2[3520]: Log directory = /var/log/snort/eth0</span><span style="font-family:"Calibri","sans-serif""><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Apr 22 12:01:26 rlicsnortids1 barnyard2[3520]: Initializing daemon mode</span><span style="font-family:"Calibri","sans-serif""><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Apr 22 12:01:26 rlicsnortids1 barnyard2[3520]: Daemon parent exiting</span><span style="font-family:"Calibri","sans-serif""><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Apr 22 12:01:26 rlicsnortids1 barnyard2[3521]: Daemon initialized, signaled parent pid: 3520</span><span style="font-family:"Calibri","sans-serif""><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Apr 22 12:01:26 rlicsnortids1 barnyard2[3521]: PID path stat checked out ok, PID path set to /var/run/</span><span style="font-family:"Calibri","sans-serif""><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Apr 22 12:01:26 rlicsnortids1 barnyard2[3521]: Writing PID "3521" to file "/var/run//barnyard2_NULL.pid"</span><span style="font-family:"Calibri","sans-serif""><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Apr 22 12:01:26 rlicsnortids1 barnyard2[3521]: database: compiled support for (mysql)</span><span style="font-family:"Calibri","sans-serif""><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Apr 22 12:01:26 rlicsnortids1 barnyard2[3521]: database: configured to use mysql</span><span style="font-family:"Calibri","sans-serif""><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Apr 22 12:01:26 rlicsnortids1 barnyard2[3521]: database: schema version = 107</span><span style="font-family:"Calibri","sans-serif""><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Apr 22 12:01:26 rlicsnortids1 barnyard2[3521]: database:           host = localhost</span><span style="font-family:"Calibri","sans-serif""><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Apr 22 12:01:26 rlicsnortids1 barnyard2[3521]: database:           user = snort_user</span><span style="font-family:"Calibri","sans-serif""><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Apr 22 12:01:26 rlicsnortids1 barnyard2[3521]: database:  database name = snortdb</span><span style="font-family:"Calibri","sans-serif""><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Apr 22 12:01:26 rlicsnortids1 barnyard2[3521]: database:    sensor name = rlicsnortids1:NULL</span><span style="font-family:"Calibri","sans-serif""><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Apr 22 12:01:26 rlicsnortids1 barnyard2[3521]: database:      sensor id = 1</span><span style="font-family:"Calibri","sans-serif""><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Apr 22 12:01:26 rlicsnortids1 barnyard2[3521]: database:     sensor cid = 1</span><span style="font-family:"Calibri","sans-serif""><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Apr 22 12:01:26 rlicsnortids1 barnyard2[3521]: database:  data encoding = hex</span><span style="font-family:"Calibri","sans-serif""><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Apr 22 12:01:26 rlicsnortids1 barnyard2[3521]: database:   detail level = full</span><span style="font-family:"Calibri","sans-serif""><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Apr 22 12:01:26 rlicsnortids1 barnyard2[3521]: database:     ignore_bpf = no</span><span style="font-family:"Calibri","sans-serif""><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Apr 22 12:01:26 rlicsnortids1 barnyard2[3521]: database: using the "log" facility</span><span style="font-family:"Calibri","sans-serif""><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Apr 22 12:01:26 rlicsnortids1 barnyard2[3521]:</span><span style="font-family:"Calibri","sans-serif""><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Apr 22 12:01:26 rlicsnortids1 barnyard2[3521]:         --== Initialization Complete ==--</span><span style="font-family:"Calibri","sans-serif""><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Apr 22 12:01:26 rlicsnortids1 barnyard2[3521]: Barnyard2 initialization completed successfully (pid=3521)</span><span style="font-family:"Calibri","sans-serif""><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Apr 22 12:01:26 rlicsnortids1 barnyard2[3521]: WARNING: Unable to open waldo file '/var/log/snort/eth0/barnyard2.waldo' (No such file or directory)</span><span style="font-family:"Calibri","sans-serif""><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Apr 22 12:01:26 rlicsnortids1 barnyard2[3521]: Opened spool file '/var/log/snort/eth0/snort.log.1398128272'</span><span style="font-family:"Calibri","sans-serif""><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Apr 22 12:01:26 rlicsnortids1 barnyard2[3521]: Closing spool file '/var/log/snort/eth0/snort.log.1398128272'. Read 1 records</span><span style="font-family:"Calibri","sans-serif""><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Apr 22 12:01:26 rlicsnortids1 barnyard2[3521]: Opened spool file '/var/log/snort/eth0/snort.log.1398186071'</span><span style="font-family:"Calibri","sans-serif""><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Apr 22 12:01:26 rlicsnortids1 barnyard2[3521]: Waiting for new data</span><span style="font-family:"Calibri","sans-serif""><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"> </span><span style="font-family:"Calibri","sans-serif""><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"> </span><span style="font-family:"Calibri","sans-serif""><o:p></o:p></span></p>
<p class="MsoNormal"><b><span style="font-size:11.5pt;font-family:"Georgia","serif""> </span></b><span style="font-family:"Calibri","sans-serif""><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"> </span><span style="font-family:"Calibri","sans-serif""><o:p></o:p></span></p>
<div>
<div>
<p class="MsoNormal"><span style="font-family:"Calibri","sans-serif"">> Apr 21 12:44:09 rlicsnortids1 barnyard2[2015]: Waiting for new data<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-family:"Calibri","sans-serif";color:#1F497D"> </span><span style="font-family:"Calibri","sans-serif""><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"> </span><span style="font-family:"Calibri","sans-serif""><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Do get repeated:</span><span style="font-family:"Calibri","sans-serif""><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Apr 21 08:43:57 rlicsnortids1 barnyard2[1465]: Closing spool file '/var/log/snort/eth0/snort.log.1398084990'. Read 1 records</span><span style="font-family:"Calibri","sans-serif""><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Apr 21 08:43:57 rlicsnortids1 barnyard2[1465]: Opened spool file '/var/log/snort/eth0/snort.log.1398087837'</span><span style="font-family:"Calibri","sans-serif""><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Apr 21 08:43:57 rlicsnortids1 barnyard2[1465]: Waiting for new data</span><span style="font-family:"Calibri","sans-serif""><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Apr 21 09:22:38 rlicsnortids1 barnyard2[1465]: Closing spool file '/var/log/snort/eth0/snort.log.1398087837'. Read 1 records</span><span style="font-family:"Calibri","sans-serif""><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Apr 21 09:22:38 rlicsnortids1 barnyard2[1465]: Opened spool file '/var/log/snort/eth0/snort.log.1398090157'</span><span style="font-family:"Calibri","sans-serif""><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Apr 21 09:22:38 rlicsnortids1 barnyard2[1465]: Waiting for new data</span><span style="font-family:"Calibri","sans-serif""><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"> </span><span style="font-family:"Calibri","sans-serif""><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Also</span><span style="font-family:"Calibri","sans-serif""><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Apr 21 12:28:22 rlicsnortids1 snort[1321]: S5: Pruned 5 sessions from cache for memcap. 5195 ssns remain.  memcap: 8387389/8388608</span><span style="font-family:"Calibri","sans-serif""><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Apr 21 12:28:22 rlicsnortids1 snort[1321]: S5: Pruned 5 sessions from cache for memcap. 5190 ssns remain.  memcap: 8383940/8388608</span><span style="font-family:"Calibri","sans-serif""><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Apr 21 12:28:22 rlicsnortids1 snort[1321]: S5: Pruned 5 sessions from cache for memcap. 5210 ssns remain.  memcap: 8387597/8388608</span><span style="font-family:"Calibri","sans-serif""><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"> </span><span style="font-family:"Calibri","sans-serif""><o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:11.5pt;font-family:"Calibri","sans-serif";color:#444444;background:white">After this line, do you get any other information in the syslog as new alerts are being written into the unified2 log? You can also enable
 local syslog output in Barnyard2, just to be sure that Barnyard2 setup is ok.</span><span style="font-size:11.5pt;font-family:"Calibri","sans-serif";color:#1F497D;background:white">  Did not do this yet.</span><span style="font-family:"Calibri","sans-serif""><o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-family:"Calibri","sans-serif""> <o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:11.5pt;font-family:"Calibri","sans-serif";color:#444444;background:white">While Snort and Barnyard2 are running, do</span><span style="font-family:"Calibri","sans-serif""><o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-family:"Calibri","sans-serif""> <o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:11.5pt;font-family:"Calibri","sans-serif";color:#444444;background:white">ps aux | grep snort              (paste the output related to Snort)</span><span style="font-family:"Calibri","sans-serif""><o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:11.5pt;font-family:"Calibri","sans-serif";color:#444444;background:white">ps aux | grep barnyard2     (paste the output related to Barnyard2)</span><span style="font-family:"Calibri","sans-serif""><o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-family:"Calibri","sans-serif";color:#1F497D"> </span><span style="font-family:"Calibri","sans-serif""><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">root@...16785...:/var/log# ps aux|grep snort</span><span style="font-family:"Calibri","sans-serif""><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">avahi      605  0.0  0.0  32312  1236 ?        S    Apr21   0:00 avahi-daemon: running [rlicsnortids1.local]</span><span style="font-family:"Calibri","sans-serif""><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">snort     1321 82.3 12.3 633956 501136 ?       Rsl  Apr21 1393:18 /usr/sbin/snort -A fast -b -d -D -i eth0 -u snort -g snort -c /etc/snort/snort.conf -l /var/log/snort/eth0</span><span style="font-family:"Calibri","sans-serif""><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">snort     3514 66.1  7.6 633684 308620 ?       Rsl  12:01   4:34 /usr/sbin/snort -A fast -b -d -D -i eth0 -u snort -g snort -c /etc/snort/snort.conf -l /var/log/snort/eth0</span><span style="font-family:"Calibri","sans-serif""><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">root      3521  0.0  0.8 138788 32408 ?        Ss   12:01   0:00 barnyard2 -D -c /etc/snort/barnyard.conf -d /var/log/snort/eth0 -w /var/log/snort/eth0/barnyard2.waldo
 -l /var/log/snort/eth0 -a /var/log/snort/eth0/archive -f snort.log -X /var/lock/barnyard2-eth0.pid</span><span style="font-family:"Calibri","sans-serif""><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">root      3536  0.0  0.0   8116   928 pts/0    S+   12:08   0:00 grep --color=auto snort</span><span style="font-family:"Calibri","sans-serif""><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">root@...16785...:/var/log# ps aux|grep barnyard2</span><span style="font-family:"Calibri","sans-serif""><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">root      3521  0.0  0.8 138788 33728 ?        Ss   12:01   0:00 barnyard2 -D -c /etc/snort/barnyard.conf -d /var/log/snort/eth0 -w /var/log/snort/eth0/barnyard2.waldo
 -l /var/log/snort/eth0 -a /var/log/snort/eth0/archive -f snort.log -X /var/lock/barnyard2-eth0.pid</span><span style="font-family:"Calibri","sans-serif""><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">root      3538  0.0  0.0   8112   932 pts/0    R+   12:08   0:00 grep --color=auto barnyard2</span><span style="font-family:"Calibri","sans-serif""><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">root@...16785...:/var/log#</span><span style="font-family:"Calibri","sans-serif""><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"> </span><span style="font-family:"Calibri","sans-serif""><o:p></o:p></span></p>
</div>
<div>
<div>
<p class="MsoNormal"><span style="font-family:"Calibri","sans-serif";color:#1F497D"> </span><span style="font-family:"Calibri","sans-serif""><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-family:"Calibri","sans-serif";color:#1F497D"> </span><span style="font-family:"Calibri","sans-serif""><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-family:"Calibri","sans-serif""><br>
> <br>
> <br>
> <br>
> Like I said. You are losing me a little. I am running barnyard as a startup when the system comes up, or by:<br>
> service barnyard2 start/stop<br>
> <br>
> I believe that all the configuration then comes from the /usr/local/etc/barnyard2.conf.<br>
> (Reviewer note: the syslog output further down shows barnyard2 'Parsing config file "/etc/snort/barnyard.conf"', which is also the -c path on its command line, so edits to /usr/local/etc/barnyard2.conf are not seen by the running daemon.)<br>
> In that file are the following which are uncommented:<br>
> config reference_file: /etc/snort/reference.config<br>
> config classification_file: /etc/snort/classification.config<br>
> config gen_file: /etc/snort/gen-msg.map<br>
> config sid_file: /etc/snort/sid-msg.map<br>
> config daemon<br>
> input unified2<br>
> output alert_fast: stdout<br>
> output database: log, mysql, user=snort_user password=snortuser dbname=snortdb host=localhost<br>
> (Reviewer note: this line publishes a live database credential to a public list archive. Rotate the snort_user password now, grant that account only the privileges it needs on snortdb, and keep the config file readable only by the account Barnyard2 runs as, e.g. chmod 600.)<br>
> <br>
> When I stop and start barnyard, the following gets generated in the syslog file:<br>
> <br>
> Apr 21 12:44:08 rlicsnortids1 barnyard2[2014]: Running in Continuous mode<br>
> Apr 21 12:44:08 rlicsnortids1 barnyard2[2014]:<br>
> Apr 21 12:44:08 rlicsnortids1 barnyard2[2014]: --== Initializing Barnyard2 ==--<br>
> Apr 21 12:44:08 rlicsnortids1 barnyard2[2014]: Initializing Input Plugins!<br>
> Apr 21 12:44:08 rlicsnortids1 barnyard2[2014]: Initializing Output Plugins!<br>
> Apr 21 12:44:08 rlicsnortids1 barnyard2[2014]: Parsing config file "/etc/snort/barnyard.conf"<br>
> Apr 21 12:44:09 rlicsnortids1 barnyard2[2014]: Log directory = /var/log/snort/eth0<br>
> Apr 21 12:44:09 rlicsnortids1 barnyard2[2014]: Initializing daemon mode<br>
> Apr 21 12:44:09 rlicsnortids1 barnyard2[2014]: Daemon parent exiting<br>
> Apr 21 12:44:09 rlicsnortids1 barnyard2[2015]: Daemon initialized, signaled parent pid: 2014<br>
> Apr 21 12:44:09 rlicsnortids1 barnyard2[2015]: PID path stat checked out ok, PID path set to /var/run/<br>
> Apr 21 12:44:09 rlicsnortids1 barnyard2[2015]: Writing PID "2015" to file "/var/run//barnyard2_NULL.pid"<br>
> Apr 21 12:44:09 rlicsnortids1 barnyard2[2015]: database: compiled support for (mysql)<br>
> Apr 21 12:44:09 rlicsnortids1 barnyard2[2015]: database: configured to use mysql<br>
> Apr 21 12:44:09 rlicsnortids1 barnyard2[2015]: database: schema version = 107<br>
> Apr 21 12:44:09 rlicsnortids1 barnyard2[2015]: database: host = localhost<br>
> Apr 21 12:44:09 rlicsnortids1 barnyard2[2015]: database: user = snort_user<br>
> Apr 21 12:44:09 rlicsnortids1 barnyard2[2015]: database: database name = snortdb This is the correct snortdb<br>
> Apr 21 12:44:09 rlicsnortids1 barnyard2[2015]: database: sensor name = rlicsnortids1:NULL<br>
> Apr 21 12:44:09 rlicsnortids1 barnyard2[2015]: database: sensor id = 1<br>
> Apr 21 12:44:09 rlicsnortids1 barnyard2[2015]: database: sensor cid = 1<br>
> Apr 21 12:44:09 rlicsnortids1 barnyard2[2015]: database: data encoding = hex<br>
> Apr 21 12:44:09 rlicsnortids1 barnyard2[2015]: database: detail level = full<br>
> Apr 21 12:44:09 rlicsnortids1 barnyard2[2015]: database: ignore_bpf = no<br>
> Apr 21 12:44:09 rlicsnortids1 barnyard2[2015]: database: using the "log" facility<br>
> Apr 21 12:44:09 rlicsnortids1 barnyard2[2015]:<br>
> Apr 21 12:44:09 rlicsnortids1 barnyard2[2015]: --== Initialization Complete ==--<br>
> Apr 21 12:44:09 rlicsnortids1 barnyard2[2015]: Barnyard2 initialization completed successfully (pid=2015)<br>
> Apr 21 12:44:09 rlicsnortids1 barnyard2[2015]: WARNING: Ignoring corrupt/truncated waldofile '/var/log/snort/eth0/barnyard2.waldo'<br>
> Apr 21 12:44:09 rlicsnortids1 barnyard2[2015]: Opened spool file '/var/log/snort/eth0/snort.log.1398100514' This is the correct location for the snort log<br>
> Apr 21 12:44:09 rlicsnortids1 barnyard2[2015]: Waiting for new data<br>
> <br>
> Thanks for your help again.<br>
> <br>
> <br>
> <br>
> On 4/17/2014 12:39 PM, Gierczak, Stan wrote:<br>
> > Sorry, this is where you are losing me, I think.<br>
> ><br>
> > I believe the answer is that barnyard2 is being run as a service. <br>
> > The executable that was created is from the install guide at <br>
> > <a href="http://wiki.aanval.com/wiki/Community:Snort_2.9.2.3_Installation_Guide_for_Ubuntu_12.04,_with_Barnyard2,_Pulledpork,_and_Aanval" target="_blank">
http://wiki.aanval.com/wiki/Community:Snort_2.9.2.3_Installation_Guide_for_Ubuntu_12.04,_with_Barnyard2,_Pulledpork,_and_Aanval</a><br>
> <br>
> You forgot to supply the requested startup command line for your barnyard2.<br>
> <br>
> You forgot to say whether your barnyard2 is being pointed to the proper snort log directory. This might be done on the command line or possibly inside the<br>
> barnyard2 config.<br>
> <br>
> --<br>
> NOTE: No off-list assistance is given without prior approval.<br>
> Please keep mailing list traffic on the list unless<br>
> private contact is specifically requested and granted.<br>
> <br>
> ------------------------------------------------------------------------------<br>
> Learn Graph Databases - Download FREE O'Reilly Book "Graph Databases" is the definitive new guide to graph databases and their applications. Written by three acclaimed leaders in the field, this first edition is now available. Download your free book today!<br>
> <a href="http://p.sf.net/sfu/NeoTech" target="_blank">http://p.sf.net/sfu/NeoTech</a><br>
> _______________________________________________<br>
> Snort-users mailing list<br>
> <a href="mailto:Snort-users@lists.sourceforge.net">Snort-users@lists.sourceforge.net</a><br>
> Go to this URL to change user options or unsubscribe:<br>
> <a href="https://lists.sourceforge.net/lists/listinfo/snort-users" target="_blank">
https://lists.sourceforge.net/lists/listinfo/snort-users</a><br>
> Snort-users list archive:<br>
> <a href="http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users" target="_blank">
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users</a><br>
> <br>
> Please visit <a href="http://blog.snort.org" target="_blank">http://blog.snort.org</a> to stay current on all the latest Snort news!<br>
> <br>
> ------------------------------------------------------------------------------<br>
> Start Your Social Network Today - Download eXo Platform<br>
> Build your Enterprise Intranet with eXo Platform Software<br>
> Java Based Open Source Intranet - Social, Extensible, Cloud Ready<br>
> Get Started Now And Turn Your Intranet Into A Collaboration Platform<br>
> <a href="http://p.sf.net/sfu/ExoPlatform" target="_blank">http://p.sf.net/sfu/ExoPlatform</a><br>
> _______________________________________________<br>
> Snort-users mailing list<br>
> <a href="mailto:Snort-users@lists.sourceforge.net">Snort-users@lists.sourceforge.net</a><br>
> Go to this URL to change user options or unsubscribe:<br>
> <a href="https://lists.sourceforge.net/lists/listinfo/snort-users" target="_blank">
https://lists.sourceforge.net/lists/listinfo/snort-users</a><br>
> Snort-users list archive:<br>
> <a href="http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users" target="_blank">
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users</a><br>
> <br>
> Please visit <a href="http://blog.snort.org" target="_blank">http://blog.snort.org</a> to stay current on all the latest Snort news!<o:p></o:p></span></p>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</body>
</html>