Snort mailing list archives

Barnyard Issue


From: Jason Alexander <lists () itsecurity3 its uiowa edu>
Date: Sat, 19 Feb 2005 21:04:26 -0600

All of a sudden I'm having some issues with barnyard. For quite some time I've been using it to take data from snort and pass it to my back end database/web server. For some reason barnyard now is exiting when it attempts to process an alert. I have not changed anything except to apply a patch to the box (RHEL3).

Here is my startup configuration.

/usr/sbin/barnyard -D \
-c /etc/snort/barnyardmain.conf \
-d /data/snort_output           \
-f snort_unified.log            \
-w /data/snort_output/main.waldo \
-s /etc/snort/sid-msg.map       \
-g /etc/snort/gen-msg.map       \
-X /var/lock/subsys/barnyardmain

I stepped up the -v to get some output.

Feb 19 21:01:05 ids1 barnyard: No bookmark file found, processing all events
Feb 19 21:01:05 ids1 barnyard[9277]: Initializing daemon mode
Feb 19 21:01:05 ids1 barnyard[9278]: Opened spool file '/data/snort_output/snort_unified.log.1108867096'
Feb 19 21:01:05 ids1 barnyard: Barnyard Version 0.2.0 (Build 32)
Feb 19 21:01:05 ids1 barnyard[9278]: OpLogDump configured
Feb 19 21:01:05 ids1 barnyard[9278]:   Filename: dump.log
Feb 19 21:01:05 ids1 barnyard[9278]: OpAcidDB configured
Feb 19 21:01:05 ids1 barnyard[9278]:   Database Flavour: mysql
Feb 19 21:01:05 ids1 barnyard[9278]:   Detail Level: Full
Feb 19 21:01:05 ids1 barnyard[9278]:   Database Server: idsconsole
Feb 19 21:01:05 ids1 barnyard: Command line arguments:
Feb 19 21:01:05 ids1 barnyard[9278]:   Database User: ids1
Feb 19 21:01:05 ids1 barnyard: Config file: /etc/snort/barnyardmain.conf
Feb 19 21:01:05 ids1 barnyard:   Spool dir:             /data/snort_output
Feb 19 21:01:05 ids1 barnyard: Gen-msg file: /etc/snort/gen-msg.map
Feb 19 21:01:05 ids1 barnyard: Sid-msg file: /etc/snort/sid-msg.map
Feb 19 21:01:05 ids1 barnyard:   Class file:            Not specified
Feb 19 21:01:05 ids1 barnyard:   Log dir:               Not specified
Feb 19 21:01:05 ids1 barnyard:   Archive dir:           Not specified
Feb 19 21:01:05 ids1 barnyard:   File base:             snort_unified.log
Feb 19 21:01:05 ids1 barnyard[9278]: sensor_id == 1
Feb 19 21:01:05 ids1 barnyard: Waldo file: /data/snort_output/main.waldo
Feb 19 21:01:05 ids1 barnyard[9278]: SensorID: 1
Feb 19 21:01:05 ids1 barnyard: Pid file: /var/lock/subsys/barnyardmain
Feb 19 21:01:05 ids1 barnyard[9278]: Next CID: 1
Feb 19 21:01:05 ids1 barnyard:   Verbosity level:       6
Feb 19 21:01:05 ids1 barnyard:   Dry run flag:          Not Set
Feb 19 21:01:05 ids1 barnyard:   Batch mode flag:       Not Set
Feb 19 21:01:05 ids1 barnyard:   Daemon flag:           Set
Feb 19 21:01:05 ids1 barnyard:   New records only flag: Not Set
Feb 19 21:01:05 ids1 barnyard:   Usage flag:            Not Set
Feb 19 21:01:05 ids1 barnyard:   Version flag:          Not Set
Feb 19 21:01:05 ids1 barnyard: Config file variables:
Feb 19 21:01:05 ids1 barnyard:   Hostname:        ids1
Feb 19 21:01:05 ids1 barnyard:   Interface:       eth1
Feb 19 21:01:05 ids1 barnyard:   BPF Filter:      Not specified
Feb 19 21:01:05 ids1 barnyard:   Class file:      Not specified
Feb 19 21:01:05 ids1 barnyard:   Sid-msg file:    Not specified
Feb 19 21:01:05 ids1 barnyard:   Gen-msg file:    Not specified
Feb 19 21:01:05 ids1 barnyard:   Daemon flag:     Set
Feb 19 21:01:05 ids1 barnyard:   Localtime flag:  Set
Feb 19 21:01:05 ids1 barnyard: Program Variables:
Feb 19 21:01:05 ids1 barnyard:   Continual processing mode
Feb 19 21:01:05 ids1 barnyard:   Config dir:    /etc/snort
Feb 19 21:01:05 ids1 barnyard:   Config file:   /etc/snort/barnyardmain.conf
Feb 19 21:01:05 ids1 barnyard:   Sid-msg file:  /etc/snort/sid-msg.map
Feb 19 21:01:05 ids1 barnyard:   Gen-msg file:  /etc/snort/gen-msg.map
Feb 19 21:01:05 ids1 barnyard: Class file: /etc/snort/classification.config
Feb 19 21:01:05 ids1 barnyard:   Hostname:      ids1
Feb 19 21:01:05 ids1 barnyard:   Interface:     eth1
Feb 19 21:01:05 ids1 barnyard:   BPF Filter:
Feb 19 21:01:05 ids1 barnyard:   Log dir:       /var/log/snort
Feb 19 21:01:05 ids1 barnyard:   Verbosity:     6
Feb 19 21:01:05 ids1 barnyard:   Localtime:     1
Feb 19 21:01:05 ids1 barnyard:   Spool dir:     /data/snort_output
Feb 19 21:01:05 ids1 barnyard:   Spool file:    snort_unified.log
Feb 19 21:01:05 ids1 barnyard: Pid file: /var/lock/subsys/barnyardmain
Feb 19 21:01:05 ids1 barnyard: Bookmark file: /data/snort_output/main.waldo
Feb 19 21:01:05 ids1 barnyard:   Record Number: 0
Feb 19 21:01:05 ids1 barnyard:   Timet:         0
Feb 19 21:01:05 ids1 barnyard:   Start at end:  0
Feb 19 21:01:05 ids1 barnyard: barnyardmain startup succeeded



I've gone so far as to drop the database, recompile barnyard, reboot the sensors, and reboot the database server. I've looked at the traffic between the server and the sensor and it looks like a mysql session starts and then just dies in the middle.

I'm at a total loss. Anyone got any ideas?

Thanks
Jason


