Snort mailing list archives

RE: OT: Help with Barnyard


From: "Gordon Cunningham" <gcunnin2 () bellsouth net>
Date: Wed, 9 Apr 2003 10:38:06 -0400

Ralf,

Thanks for responding.  (Just tried recompiling and I'm now getting an
error - undef ref to my_compress - will look into this)

Yes, barnyard was compiled with MySQL support and appears to connect to
MySQL just fine, but always has an undefined output plugin error.
classification.config is in the same subdir as the .map files.  I'm testing
snort 1.9.1 on RedHat 7.3 with latest patches - single NIC at the moment.  I
did note the different naming of the output plugin (config file originally
had alert_acid_db or log_acid_db instead of op_acid_db), but neither works.
How do I configure the output plugins, or are they supposed to be automatic?

Command line:  barnyard -o -c /etc/snort/barnyard.conf -f alert -g /etc/snort/gen-msg.map -s /etc/snort/sid-msg.map -d /var/log/snort

Using -R as a test (bold mine):

-*> Barnyard! <*-
Version 0.1.0 (Build 17)
By Andrew R. Baker (andrewb () snort org)
and Martin Roesch (roesch () sourcefire com, www.snort.org)

Loading Data Processors...
dp_alert loaded
dp_log loaded
dp_stream_stat loaded
Loading Built-in Output Plugins...
Fast Alert plugin initialized
AlertSyslog initialized
Log Dump plugin initialized
LogPcap initialized
AlertCSV initialized
Parsing Config file: /etc/snort/barnyard.conf
WARNING /etc/snort/barnyard.conf(156) => Unknown output plugin "op_acid_db"
referenced, ignoring!Archive Directory is NULL
Config File =/etc/snort/barnyard.conf
Log Dir=/var/log/snort
Spool Dir=/var/log/snort
Spool File=alert
Waldo File is NULL
Sid File=/etc/snort/sid-msg.map
Gen File=/etc/snort/gen-msg.map
Hostname=XXXX
Interface=eth0
Filter=not port 22
Record Number: 0
Log Flag: 0
Verbosity Level=0
File Arg Start: 0
One shot mode enabled
Dry Run mode enabled
commandline: barnyard -o -c /etc/snort/barnyard.conf -f alert -g /etc/snort/gen-msg.map -s /etc/snort/sid-msg.map -d /var/log/snort -R

Results of actual run (bold mine):
-*> Barnyard! <*-
Version 0.1.0 (Build 17)
By Andrew R. Baker (andrewb () snort org)
and Martin Roesch (roesch () sourcefire com, www.snort.org)

Loading Data Processors...
dp_alert loaded
dp_log loaded
dp_stream_stat loaded
Loading Built-in Output Plugins...
Fast Alert plugin initialized
AlertSyslog initialized
Log Dump plugin initialized
LogPcap initialized
AlertCSV initialized
Parsing Config file: /etc/snort/barnyard.conf
WARNING /etc/snort/barnyard.conf(156) => Unknown output plugin "op_acid_db"
referenced, ignoring!Barnyard Version 0.1.0 (Build 17) started
ERROR => No input plugin found for magic: 5d2a2a5b
Fatal Error, Quitting..
Exiting


Barnyard config file (comments removed and sanitized):

config hostname: XXXX
config interface: eth0
config filter: not port 22
processor dp_alert
processor dp_log
processor dp_stream_stat
processor dp_plugbase
output alert_fast
output log_dump
# output op_acid_db: mysql, sensor_id 1, database snort, server localhost, user XXXX, password XXXX
output op_acid_db: mysql, sensor_id 1, database snort, server localhost, user XXXX, password XXXX, detail full


- Gordon
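The magic 5d2a2a5b in the fatal error above is simply the four ASCII bytes "[**]" read as a little-endian 32-bit integer, which is how a plain-text snort alert file begins, whereas barnyard expects a unified spool file. As an added example that is not part of the original thread, the following Python inspects a spool file's header the same way barnyard does and reports which kind of file it was pointed at; the unified magic constants are assumed from Snort's spo_unified.h (ALERT_MAGIC/LOG_MAGIC) and do not appear in the post.

```python
import struct
import sys

# Unified-format magic numbers as defined in Snort's spo_unified.h
# (ALERT_MAGIC / LOG_MAGIC). Assumption: verify against your own
# Snort source tree if the values differ for your version.
UNIFIED_MAGICS = {
    0xDEAD4137: "unified alert file (dp_alert)",
    0xDEAD1080: "unified log file (dp_log)",
}


def read_magic(data: bytes) -> int:
    """Return the first four bytes as a little-endian uint32, the way
    barnyard reads the spool-file header on an x86 sensor."""
    if len(data) < 4:
        raise ValueError("file shorter than a 4-byte magic")
    return struct.unpack("<I", data[:4])[0]


def classify_spool_file(data: bytes) -> str:
    """Say what kind of file barnyard was handed, judging by its magic."""
    magic = read_magic(data)
    if magic in UNIFIED_MAGICS:
        return UNIFIED_MAGICS[magic]
    if data[:4] == b"[**]":
        # 0x5d2a2a5b: the text alert file written by 'output alert_fast'
        # or 'output alert_full', not a unified spool file.
        return ("plain-text snort alert file (magic %08x is ASCII '[**]'); "
                "barnyard needs the file written by 'output alert_unified' "
                "or 'output log_unified'" % magic)
    return "unknown format (magic %08x)" % magic


# Constructed sample inputs (not captured from the original post).
TEXT_ALERT_SAMPLE = b"[**] [1:1000001:1] constructed test alert [**]\n"
UNIFIED_ALERT_SAMPLE = struct.pack("<I", 0xDEAD4137) + b"\x00" * 8


if __name__ == "__main__":
    # Usage: python check_spool.py /var/log/snort/alert
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            data = fh.read(4)
    else:
        data = TEXT_ALERT_SAMPLE
    print("%08x: %s" % (read_magic(data), classify_spool_file(data)))
```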

 -----Original Message-----
From:   snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net]  On Behalf Of Ralf Spenneberg
Sent:   Wednesday, April 09, 2003 1:08 AM
To:     SnortUsers
Subject:        Re: [Snort-users] OT:  Help with Barnyard

Subject: [Snort-users] OT:  Help with Barnyard


However, I'm having a heck of a time configuring barnyard!  I get around one
issue only to stumble onto another.  I'm running barnyard 0.1.0 on the same
machine as snort for testing, and snort is writing unified log/alert files,
but I can't seem to get barnyard to process them without an error.  Lately
it's 'Unknown output plugin "alert_acid_db" referenced' or similar.  What am
I missing?

Well, did you compile barnyard with "--enable-mysql"?
Your Snort installation needs: gen-msg.map, sid-msg.map and
classification.config

If you are using Red Hat Linux you will find a barnyard RPM package at
my site:
http://www.spenneberg.org/IDS


Cheers,

Ralf

--
Ralf Spenneberg
UNIX/Linux Trainer and Consultant, RHCE, RHCX
Waldring 34                             48565 Steinfurt         Germany
Fon: +49(0)2552 638 755                 Fax: +49(0)2552 638 757
Mobil: +49(0)177 567 27 40

Markt+Technik Book:                     Intrusion Detection für Linux Server
IPsec/PPTP Kernels for Red Hat Linux:
http://www.spenneberg.com/.net/.org/.de
Honeynet Project Mirror:                http://honeynet.spenneberg.org
Snort Mirror:                           http://snort.spenneberg.org



_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=ort-users




