Snort mailing list archives
Re: Snort + barnyard2 + BASE
From: "Shenk, Jerry A" <jshenk () decommunications com>
Date: Sat, 24 Oct 2009 10:35:30 -0400
I'm having the exact same problem but I have unified2 set as the output
processor.
My waldo file seems to be working but it's not updating:
Using waldo file '/etc/snort/barnyard.waldo':
spool directory = /var/log/snort
spool filebase = snort.log
time_stamp = 1256243504
record_idx = 13
Barnyard2 is seeing that there are files to process:
Opened spool file '/var/log/snort/snort.log.1256379065'
Waiting for new data
Closing spool file '/var/log/snort/snort.log.1256379065'. Read 40 records
Opened spool file '/var/log/snort/snort.log.1256379948'
Waiting for new data
Closing spool file '/var/log/snort/snort.log.1256379948'. Read 13 records
Opened spool file '/var/log/snort/snort.log.1256380242'
Waiting for new data
But, it never goes past waiting even if the file does get updated.
Restarting barnyard2 will cause new records to be read in from the
snort.log file. Barnyard does update the spool file that's being
watched when snort is restarted.
I tried adding syslog to barnyard just to separate mysql issues from
barnyard but barnyard2 doesn't send syslog updates either... and I
believe my syslog output is set correctly because I get "database: using
the "alert" facility" when I start barnyard2.
Here is my syslog output entry:
output alert_syslog:
-----Original Message-----
From: Jefferson, Shawn [mailto:Shawn.Jefferson () bcferries com]
Sent: Tuesday, September 22, 2009 12:21 PM
To: James Chase; snort-users () lists sourceforge net
Subject: Re: [Snort-users] Snort + barnyard2 + BASE
Hi,
You should use the unified2 output preprocessor in Snort.
--
Shawn
-----Original Message-----
From: James Chase [mailto:james () mandala-designs com]
Sent: Tuesday, September 22, 2009 8:47 AM
To: snort-users () lists sourceforge net
Subject: [Snort-users] Snort + barnyard2 + BASE
Hi,
I have successfully setup snort/barnyard/base before but I am now
setting up a new sensor using barnyard2. I was able to confirm that
everything is working by using barnyard but when I try and use
barnyard2, I do not see any new events added via BASE.
Here is my output in snort.conf:
output alert_unified: filename snort.alert, limit 128
output log_unified: filename snort.log, limit 128
and I am running snort like so: /usr/sbin/snort -D -i eth0 -u snort -g snort -c /etc/snort/snort.conf -l /var/log/snort
Here is my setup in barnyard2.conf:
input unified2
output database: log, mysql, user=snort password=password dbname=snort host=localhost
output database: alert, mysql, user=snort password=password dbname=snort host=localhost ##I did just have log, but when it wasn't working, I decided to try it with this output as well, like in barnyard(1).
running barnyard2 with these options: /usr/local/bin/barnyard2 -c /etc/snort/barnyard2.conf -G /etc/snort/gen-msg.map -S /etc/snort/sid-msg.map -d /var/log/snort -f snort.log -w /var/log/snort/barnyard2.waldo -D
I do not think the waldo file is working correctly, but that just tells
barnyard2 where to start right? When barnyard2 starts up it sees the
files but does not read any records from it and BASE does not show any
new alerts.
I've banged my head for a while but am sure I missed something very
simple?
James
------------------------------------------------------------------------------
Come build with us! The BlackBerry® Developer Conference in SF, CA
is the only developer event you need to attend this year. Jumpstart your
developing skills, take BlackBerry mobile applications to market and stay
ahead of the curve. Join us from November 9-12, 2009. Register now!
http://p.sf.net/sfu/devconf
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users