Snort mailing list archives

Snort 1.90 and Barnyard 0.1.0-rc3 (Build 11) with Acid 0.9.6b22 Initial Install Help.


From: "Pacheco, Michael F." <MPacheco () elcom com>
Date: Tue, 19 Nov 2002 08:50:53 -0500

Hello All,

Been running Snort 1.8.4, then 8.6, for about 8 months now with no problems,
tuned and running great.  I now have a second gateway and wish to do three
things: add a second sensor, separate the sensors from the backend, and have
the scan logs also report back to the management backend for ACID to see.

Backend - RH 8.0, Apache 2.0.43 - source install, PHP 4.2.3, GD, jpgraph,
ACID 0.9.6b22, MySQL 3.23.53
Sensors - RH 8.0, Snort 1.9.0, MySQL Client 3.23.53, Barnyard 0.1.0-rc3
(Build 11)

The two issues I am having - 1. I can't get Barnyard and ACID to work
together.  2. I can't get the portscan log (scan.log) to be seen by ACID.

1. With both sensors reporting directly to MySQL on the backend, i.e.: output
database: alert, mysql, user=xxx password=xxx dbname=xxx host=x.x.x.x
Snort starts fine, sends alerts to the backend, and ACID sees them fine and
displays them great.

When trying Barnyard in both log and then alert mode, both Snort and Barnyard
start great with no errors.  Viewing the database I can see the event table
being populated with alerts, and ACID actually increases the traffic counter
graphs as they should for the events it sees, but the sensor is never
registered and none of the alerts are viewable through ACID.

Snort.conf - output alert_unified: filename snort.alert, limit 128
Barnyard.conf - output alert_acid_db: mysql, sensor_id 1, database xxx,
server x.x.x.x, user xxx, password xxxx

Starting Barnyard with:

/usr/local/bin/barnyard -c /etc/snort/barnyard.conf -D -d /var/log/snort \
         -g /etc/snort/gen-msg.map -s /etc/snort/sid-msg.map -f snort.alert &

Also tried log_unified with snort.log, same result.  I dropped the
database between each troubleshooting event, recreated it, and had ACID
populate its specific tables before starting the sensors on each session.
What am I doing wrong and/or what did I not read from the docs?  Any
pointers would be appreciated.

2.  I've seen this issue before on the list but have not found an answer,
even in the archives.  Sensor 1 produces a scan.log.  How do I get that
scan.log to be seen by the separated management backend?  I tried a tar and
copy to the management backend, then untar, but all ACID sees then is the event
times, not the source/destination.

Thanks to the list for any help/pointers.  Please, if you're going to RTM me,
a section would be appreciated, as I have looked a number of times; I just
might be missing something obvious (or be too blind to see the nose on my face).

Thanks

Mike Pacheco

P.S. - Marty - GREAT PRODUCT!! - KUDOS!!
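Added diagnostic for the two symptoms above (sensor never registered in ACID; scan.log events showing only timestamps). These queries are not from the original post or from the Snort, Barnyard or ACID projects. They assume the standard Snort database schema shipped in Snort's contrib/create_mysql, which ACID reads: a sensor table keyed by sid, an event table keyed by (sid, cid) with a signature column, an iphdr table keyed by (sid, cid) with ip_src/ip_dst, and a signature table keyed by sig_id. Those table and column names are the assumption here; if your schema differs, adjust them. LEFT JOINs are used instead of subqueries because MySQL 3.23 does not support subqueries.

```sql
-- Added diagnostic, not part of the original post.
-- Assumes the standard Snort/ACID schema: sensor(sid, hostname, interface,
-- last_cid), event(sid, cid, signature, timestamp), iphdr(sid, cid, ip_src,
-- ip_dst), signature(sig_id, sig_name).  Run with: mysql -u xxx -p dbname

-- 1. Sensor ids that have events but no row in the sensor table.
--    ACID only lists and attributes alerts for sids present in sensor, so
--    a non-empty result here matches "events arrive, sensor never registered".
SELECT e.sid, COUNT(*) AS events, MIN(e.timestamp) AS first_seen,
       MAX(e.timestamp) AS last_seen
FROM event e
LEFT JOIN sensor s ON s.sid = e.sid
WHERE s.sid IS NULL
GROUP BY e.sid;

-- 2. What the sensor table currently holds, for comparison with the
--    sensor_id given to Barnyard's alert_acid_db line.
SELECT sid, hostname, interface, last_cid FROM sensor;

-- 3. Events with no matching iphdr row.  ACID can show a timestamp and
--    signature for these but no source/destination, which is the symptom
--    reported for the copied scan.log entries.
SELECT e.sid, e.cid, e.timestamp, sg.sig_name
FROM event e
JOIN signature sg ON sg.sig_id = e.signature
LEFT JOIN iphdr i ON i.sid = e.sid AND i.cid = e.cid
WHERE i.sid IS NULL
ORDER BY e.timestamp DESC
LIMIT 20;
```

If query 1 returns the sid you gave Barnyard, the events are landing under a sensor id that ACID has no sensor row for; compare it against query 2 before changing sensor_id or inserting a row. If query 3 lists your portscan entries, the copied scan.log only produced event rows, so there is no address data in the database for ACID to display regardless of how the file is transferred.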


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
