Snort mailing list archives

Barnyard reading unified files from snort.


From: "Gierczak, Stan" <SGierczak () presencehealth org>
Date: Tue, 17 Jun 2014 16:50:32 +0000

Still having issues getting BarnYard to read from snort.  Attached are the barnyard and snort conf.

Below is the output from syslog. I believe that the highlight shows that it is looking in the correct directory, but it doesn't seem correct that it reads one record, nor that the Waldo is not correct. The Waldo file is empty:

-rwxrwxr-x 1 snort snort         0 May  6 12:07 barnyard2.waldo

Jun 16 12:41:45 rlicsnortids1 barnyard2[1455]: Running in Continuous mode
Jun 16 12:41:45 rlicsnortids1 barnyard2[1455]:
Jun 16 12:41:45 rlicsnortids1 barnyard2[1455]:         --== Initializing Barnyard2 ==--
Jun 16 12:41:45 rlicsnortids1 barnyard2[1455]: Initializing Input Plugins!
Jun 16 12:41:45 rlicsnortids1 barnyard2[1455]: Initializing Output Plugins!
Jun 16 12:41:45 rlicsnortids1 barnyard2[1455]: Parsing config file "/etc/snort/barnyard.conf"
Jun 16 12:41:46 rlicsnortids1 barnyard2[1455]: Log directory = /var/log/snort/eth0
Jun 16 12:41:46 rlicsnortids1 barnyard2[1455]: Initializing daemon mode
Jun 16 12:41:46 rlicsnortids1 barnyard2[1455]: Daemon parent exiting
Jun 16 12:41:46 rlicsnortids1 barnyard2[1456]: Daemon initialized, signaled parent pid: 1455
Jun 16 12:41:46 rlicsnortids1 barnyard2[1456]: PID path stat checked out ok, PID path set to /var/run/
Jun 16 12:41:46 rlicsnortids1 barnyard2[1456]: Writing PID "1456" to file "/var/run//barnyard2_eth0.pid"
Jun 16 12:41:46 rlicsnortids1 barnyard2[1456]: database: compiled support for (mysql)
Jun 16 12:41:46 rlicsnortids1 barnyard2[1456]: database: configured to use mysql
Jun 16 12:41:46 rlicsnortids1 barnyard2[1456]: database: schema version = 107
Jun 16 12:41:46 rlicsnortids1 barnyard2[1456]: database:           host = localhost
Jun 16 12:41:46 rlicsnortids1 barnyard2[1456]: database:           user = snort_user
Jun 16 12:41:46 rlicsnortids1 barnyard2[1456]: database:  database name = snortdb
Jun 16 12:41:46 rlicsnortids1 barnyard2[1456]: database:    sensor name = rlicsnortids1:eth0
Jun 16 12:41:46 rlicsnortids1 barnyard2[1456]: database:      sensor id = 2
Jun 16 12:41:46 rlicsnortids1 barnyard2[1456]: database:     sensor cid = 1
Jun 16 12:41:46 rlicsnortids1 barnyard2[1456]: database:  data encoding = hex
Jun 16 12:41:46 rlicsnortids1 barnyard2[1456]: database:   detail level = full
Jun 16 12:41:46 rlicsnortids1 barnyard2[1456]: database:     ignore_bpf = no
Jun 16 12:41:46 rlicsnortids1 barnyard2[1456]: database: using the "log" facility
Jun 16 12:41:46 rlicsnortids1 barnyard2[1456]:
Jun 16 12:41:46 rlicsnortids1 barnyard2[1456]:         --== Initialization Complete ==--
Jun 16 12:41:46 rlicsnortids1 barnyard2[1456]: Barnyard2 initialization completed successfully (pid=1456)
Jun 16 12:41:46 rlicsnortids1 barnyard2[1456]: WARNING: Ignoring corrupt/truncated waldofile '/var/log/snort/eth0/barnyard2.waldo'
Jun 16 12:41:46 rlicsnortids1 barnyard2[1456]: Opened spool file '/var/log/snort/eth0/snort.log.1402938235'
Jun 16 12:41:47 rlicsnortids1 barnyard2[1456]: Closing spool file '/var/log/snort/eth0/snort.log.1402938235'. Read 1 records
Jun 16 12:41:47 rlicsnortids1 barnyard2[1456]: Opened spool file '/var/log/snort/eth0/snort.log.1402940498'
Jun 16 12:41:47 rlicsnortids1 barnyard2[1456]: Waiting for new data

This, I believe, is how snort gets initiated:
#!/bin/sh
#
# Init file for Barnyard2
#
#
# chkconfig: 2345 40 60
# description:  Barnyard2 is an output processor for snort.
#
# processname: barnyard2
# config: /etc/sysconfig/barnyard2
# config: /etc/snort/barnyard.conf
# pidfile: /var/lock/subsys/barnyard2.pid

# Bail out if snort itself is not installed or its config is unreadable.
[ -x /usr/sbin/snort ] || exit 1
[ -r /etc/snort/snort.conf ] || exit 1
# barnyard2 is invoked by name below, so it has to be on the PATH.
command -v barnyard2 >/dev/null 2>&1 || exit 1

# Red Hat style init helpers (they provide the status function used below), if present.
[ -r /etc/init.d/functions ] && . /etc/init.d/functions

### Default variables
SYSCONFIG="/etc/default/barnyard2"

### Read configuration: expected to set INTERFACES, SNORTDIR, CONF, LOG_FILE
### and optionally EXTRA_ARGS.
[ -r "$SYSCONFIG" ] && . "$SYSCONFIG"

RETVAL=0
prog="barnyard2"
desc="Snort Output Processor"

start() {
       echo -n "Starting $desc ($prog): "
       # One barnyard2 daemon per sniffing interface, each with its own spool
       # directory, waldo bookmark, archive directory and PID file.
       for INT in $INTERFACES; do
               PIDFILE="/var/lock/barnyard2-$INT.pid"
               ARCHIVEDIR="$SNORTDIR/$INT/archive"
               WALDO_FILE="$SNORTDIR/$INT/barnyard2.waldo"
               # -D daemonize, -c config, -d spool dir, -w waldo file, -l log dir,
               # -a archive dir, -f spool file base name, -X pid file
               BARNYARD_OPTS="-D -c $CONF -d $SNORTDIR/${INT} -w $WALDO_FILE -l $SNORTDIR/${INT} -a $ARCHIVEDIR -f $LOG_FILE -X $PIDFILE $EXTRA_ARGS"
               # Remember a failure for any interface, not only the last one started.
               $prog $BARNYARD_OPTS || RETVAL=1
       done
       echo
       [ $RETVAL -eq 0 ] && touch /var/lock/$prog
       return $RETVAL
}

stop() {
       echo -n "Shutting down $desc ($prog): "
       killall $prog
       RETVAL=$?
       echo
       [ $RETVAL -eq 0 ] && rm -f /var/lock/$prog
       return $RETVAL
}

restart() {
       stop
       start
}

reload() {
       echo -n "Reloading $desc ($prog): "
       # SIGHUP asks every running barnyard2 to re-read its configuration.
       killall -HUP $prog
       RETVAL=$?
       echo
       return $RETVAL
}

case "$1" in
start)
       start
       ;;
stop)
       stop
       ;;
restart)
       restart
       ;;
reload)
       reload
       ;;
condrestart)
       # Only restart if the service was started through this script before.
       [ -e /var/lock/$prog ] && restart
       RETVAL=$?
       ;;
status)
       status $prog
       RETVAL=$?
       ;;
*)
       echo "Usage: $0 {start|stop|restart|reload|condrestart|status}"
       RETVAL=1
esac
exit $RETVAL

Attachment: barnyard2.conf.txt
Description: barnyard2.conf.txt

Attachment: snort.conf.txt
Description: snort.conf.txt
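Added example (not part of the original message): a small sh helper that reads barnyard2 syslog lines like those quoted above and reports how often the waldo bookmark was discarded, which spool file is still being tailed and how many records were read, plus a check of the waldo file itself, which the log above reports as corrupt/truncated because it is 0 bytes. The embedded log lines are constructed from the ones in the post and the function names are my own.

```shell
#!/bin/sh
# Added diagnostic helper for the barnyard2 spool/waldo behaviour seen in the post.

# Constructed sample, modelled on the syslog lines quoted above.
SAMPLE_LOG=$(cat <<'EOF'
Jun 16 12:41:46 sensor barnyard2[1456]: WARNING: Ignoring corrupt/truncated waldofile '/var/log/snort/eth0/barnyard2.waldo'
Jun 16 12:41:46 sensor barnyard2[1456]: Opened spool file '/var/log/snort/eth0/snort.log.1402938235'
Jun 16 12:41:47 sensor barnyard2[1456]: Closing spool file '/var/log/snort/eth0/snort.log.1402938235'. Read 1 records
Jun 16 12:41:47 sensor barnyard2[1456]: Opened spool file '/var/log/snort/eth0/snort.log.1402940498'
Jun 16 12:41:47 sensor barnyard2[1456]: Waiting for new data
EOF
)

# How many times barnyard2 discarded its bookmark; anything above 0 means it
# started again from the oldest spool file instead of resuming where it stopped.
waldo_warnings() {
    printf '%s\n' "$1" | grep -c 'corrupt/truncated waldofile'
}

# Sum of "Read N records" over every spool file barnyard2 has closed.
records_read() {
    printf '%s\n' "$1" | awk '/Closing spool file/ {
        for (i = 1; i < NF; i++) if ($i == "Read") total += $(i + 1)
    } END { print total + 0 }'
}

# Spool files opened but never closed: the file barnyard2 is currently tailing.
open_spools() {
    printf '%s\n' "$1" | awk -F"'" '
        /Opened spool file/  { open[$2] = 1 }
        /Closing spool file/ { delete open[$2] }
        END { for (f in open) print f }'
}

# On-disk state of the waldo file: barnyard2 rejects a 0-byte file as
# corrupt/truncated, which is what the log above shows for the empty barnyard2.waldo.
waldo_state() {
    if   [ ! -e "$1" ]; then echo missing
    elif [ ! -s "$1" ]; then echo empty
    else                     echo ok
    fi
}

if [ "${1:-}" = "--demo" ]; then
    echo "waldo warnings : $(waldo_warnings "$SAMPLE_LOG")"
    echo "records read   : $(records_read "$SAMPLE_LOG")"
    echo "still open     : $(open_spools "$SAMPLE_LOG")"
fi
```

Run it with `--demo` against the constructed sample, or pipe `grep barnyard2 /var/log/messages` into the functions for a live sensor.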
