Snort mailing list archives
Problem with barnyard 0.2.0 and snort 2.4.0
From: eric-list-snort-users () catastrophe net
Date: Sat, 20 Aug 2005 00:44:35 -0500
It seems I have a problem with barnyard 0.2.0 and snort 2.4.0 on OpenBSD
3.6. I have configured snort to write a unified log to
/var/snort/log/snort.log with the following....
output log_unified: snort.log, limit 128
Files are being written, as witnessed by the following....
$ ls -l /var/snort/log
[...]
-rw-r--r-- 1 root _snort 5967 Aug 19 19:58 snort-unified.log.1124485688
-rw-r--r-- 1 root _snort 9150 Aug 19 20:29 snort-unified.log.1124499689
-rw-r--r-- 1 root _snort 46069 Aug 19 23:45 snort-unified.log.1124510258
-rw-r--r-- 1 root _snort 18878 Aug 20 00:27 snort-unified.log.1124513157
[...]
I'm starting snort in the following manner...
# /var/snort/bin/snort -c /var/snort/etc/snort.conf \
-l /var/snort/log -F /var/snort/etc/snort.pcap -D
So everything is working there fine. Signatures are triggered on.
My barnyard.conf is as follows...
config localtime
config hostname: gw1
config interface: bridge0
config filter: not port 22
output log_acid_db: mysql, database snort, server 10.19.81.137,
user foo, password bar, detail full [wrapped for clarity]
Next I start barnyard in the following manner...
# /var/snort/bin/barnyard -c /var/snort/etc/barnyard.conf \
-s /var/snort/etc/sid-msg.map -g /var/snort/etc/gen-msg.map \
-p /var/snort/etc/classification.config -d /var/snort/log \
-f snort.log -w /var/snort/log/snort_ids.log
which yields the following....
Barnyard Version 0.2.0 (Build 32)
Config file variables:
Hostname: gw1
Interface: bridge0
BPF Filter: not port 22
Class file: Not specified
Sid-msg file: Not specified
Gen-msg file: Not specified
Daemon flag: Not Set
Localtime flag: Set
WARNING: Bookmark file is corrupt, only processing new events
Program Variables:
Continual processing mode
Config dir: /var/snort/etc
Config file: /var/snort/etc/barnyard.conf
Sid-msg file: /var/snort/etc/sid-msg.map
Gen-msg file: /var/snort/etc/gen-msg.map
Class file: /var/snort/etc/classification.config
Hostname: gw1
Interface: bridge0
BPF Filter: not port 22
Log dir: /var/log/snort
Verbosity: 2
Localtime: 1
Spool dir: /var/snort/log
Spool file: snort.log
Bookmark file: /var/snort/log/snort_ids.log
Record Number: 0
Timet: 0
Start at end: 1
Output plugins enabled for 'alert' records
-------------------------------------------------------
None configured
=======================================================
Output plugins enabled for 'log' records
-------------------------------------------------------
OpAcidDB configured
Database Flavour: mysql
Detail Level: Full
Database Server: 10.19.81.137
Database User: foo password bar
=======================================================
Output plugins enabled for 'stream_stat' records
-------------------------------------------------------
None configured
=======================================================
When I run barnyard, all I see is...
Skipped 0 old records
Waiting for new spool file
No sockets are opened to the database, and nothing ever changes when an
alert is triggered; no action takes place. I have another machine that I run
it on and get this...
sensor_id == 2
SensorID: 2
Next CID: 74
Waiting for new data
...when starting barnyard.
Is there a better way to debug this to see what I'm doing wrong? My database
user/password is correct (I've tried it from the command line).
Thanks.
- Eric
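One check worth making before going deeper into the database side, added here as an editor's example rather than anything from the post or from the barnyard project: confirm that the spool prefix barnyard is given with -f actually names the file series Snort is writing. Barnyard picks up files whose name is the prefix followed by a dot and an epoch timestamp (an assumption about its matching rule, consistent with the "Waiting for new spool file" message above), and Snort's log_unified plugin, when no "filename" option is present, writes under a default base name (assumed here to be snort-unified.log, which is consistent with the ls output quoted above). The script below parses the output line from the post, applies the prefix match to a constructed listing copied from that ls output, and reports whether the two line up.

```python
import re

# Constructed listing: the file names from the ls -l output quoted in the post.
SPOOL_LISTING = [
    "snort-unified.log.1124485688",
    "snort-unified.log.1124499689",
    "snort-unified.log.1124510258",
    "snort-unified.log.1124513157",
]

# Assumption: Snort's unified log plugin falls back to this base name when the
# output line carries no explicit "filename" option.
DEFAULT_UNIFIED_LOG = "snort-unified.log"


def unified_log_basename(output_line):
    """Return the base file name Snort will write for a log_unified output line.

    Options are comma separated; only "filename <name>" sets the base name.
    Assumption: any other token (such as a bare "snort.log") is not treated as
    a filename, so the default base name is used.
    """
    m = re.match(r"^\s*output\s+log_unified\s*:\s*(.*)$", output_line)
    if not m:
        raise ValueError("not a log_unified output line: %r" % output_line)
    for opt in m.group(1).split(","):
        parts = opt.strip().split(None, 1)
        if len(parts) == 2 and parts[0].lower() == "filename":
            return parts[1].strip()
    return DEFAULT_UNIFIED_LOG


def spool_files(listing, prefix):
    """Return (epoch, name) pairs for files in the series <prefix>.<epoch>.

    Assumption: barnyard only accepts names that are exactly the prefix, a
    dot, and a decimal timestamp; anything else in the directory is ignored.
    Oldest file first.
    """
    pat = re.compile(r"^" + re.escape(prefix) + r"\.(\d+)$")
    found = []
    for name in listing:
        hit = pat.match(name)
        if hit:
            found.append((int(hit.group(1)), name))
    return sorted(found)


def newest_spool_file(listing, prefix):
    """Name of the newest file in the series, or None if the prefix matches nothing."""
    files = spool_files(listing, prefix)
    return files[-1][1] if files else None


def check_spool_config(snort_output_line, barnyard_prefix, listing):
    """Compare what Snort writes with what barnyard is told to read."""
    snort_base = unified_log_basename(snort_output_line)
    return {
        "snort_base": snort_base,
        "barnyard_prefix": barnyard_prefix,
        "prefix_matches_snort": snort_base == barnyard_prefix,
        "newest_file_for_prefix": newest_spool_file(listing, barnyard_prefix),
    }


if __name__ == "__main__":
    # The output line and -f value exactly as they appear in the post.
    report = check_spool_config(
        "output log_unified: snort.log, limit 128", "snort.log", SPOOL_LISTING
    )
    for key, value in report.items():
        print("%-24s %s" % (key + ":", value))
```

Run against the post's own values, the check reports that the prefix handed to barnyard matches none of the files in the spool directory, while the same listing does contain a complete series under the default base name. Running it against a corrected pair (an explicit "filename" option on the Snort side, or a matching -f on the barnyard side) shows the newest file barnyard would open.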
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Current thread:
- Problem with barnyard 0.2.0 and snort 2.4.0 eric-list-snort-users (Aug 19)
- Re: Problem with barnyard 0.2.0 and snort 2.4.0 Paul Schmehl (Aug 20)
- Re: Problem with barnyard 0.2.0 and snort 2.4.0 eric-list-snort-users (Aug 20)
- Re: Problem with barnyard 0.2.0 and snort 2.4.0 Paul Schmehl (Aug 20)
- Re: Problem with barnyard 0.2.0 and snort 2.4.0 eric-list-snort-users (Aug 20)
- Re: Problem with barnyard 0.2.0 and snort 2.4.0 eric-list-snort-users (Aug 20)
- Re: Problem with barnyard 0.2.0 and snort 2.4.0 eric-list-snort-users (Aug 20)
- Re: Problem with barnyard 0.2.0 and snort 2.4.0 eric-list-snort-users (Aug 20)
- Re: Problem with barnyard 0.2.0 and snort 2.4.0 Paul Schmehl (Aug 20)
- Re: Problem with barnyard 0.2.0 and snort 2.4.0 Paul Schmehl (Sep 19)
