Snort mailing list archives

Re: Using Barnyard2 with Snort


From: James Lay <jlay () slave-tothe-box net>
Date: Fri, 26 Jun 2015 13:54:40 -0600

On 2015-06-26 11:00 AM, Farnsworth, Robert wrote:
Hi James, I know you're busy but just wanted to reply so you don't
forget about this.

Thanks

Robert

From: James Lay [mailto:jlay () slave-tothe-box net]
Sent: Wednesday, June 24, 2015 6:56 AM
To: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Using Barnyard2 with Snort

On Mon, 2015-06-22 at 12:37 +0000, Farnsworth, Robert wrote:

This is what I get running in verbose. I have attached my
barnyard2.conf file.

[root@usolglwxoh004 jzcdc0]# /usr/local/bin/barnyard2 -v
Running in Continuous mode

        --== Initializing Barnyard2 ==--
Initializing Input Plugins!
Initializing Output Plugins!
Parsing config file "./barnyard2.conf"

-----Original Message-----
From: James Lay [mailto:jlay () slave-tothe-box net]
Sent: Friday, June 19, 2015 5:08 PM
To: Farnsworth, Robert
Cc: snort-users () lists sourceforge net
Subject: RE: [Snort-users] Using Barnyard2 with Snort

On 2015-06-19 02:55 PM, Farnsworth, Robert wrote:

I cannot get Barnyard to run.

It seems to die at Parsing config file "/etc/snort/barnyard2.conf"

-----Original Message-----
From: James Lay [mailto:jlay () slave-tothe-box net]
Sent: Friday, June 19, 2015 4:46 PM
To: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Using Barnyard2 with Snort

On 2015-06-19 11:57 AM, Farnsworth, Robert wrote:

I realize this is off topic for SNORT, but does anybody know how to
get help with a barnyard2 config? I've tried the google group and the
e-mail fails.

[root@anyhost] /usr/bin/barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort -f snort.log -w /var/log/snort/barnyard.waldo

Running in Continuous mode

        --== Initializing Barnyard2 ==--
Initializing Input Plugins!
Initializing Output Plugins!
Parsing config file "/etc/snort/barnyard2.conf"

   ______   -*> Barnyard2 <*-
  / ,,_  \  Version 2.1.13 (Build 327)
  |o"  )~|  By Ian Firns (SecurixLive): http://www.securixlive.com/
  + '''' +  (C) Copyright 2008-2013 Ian Firns <firnsy () securixlive com>

Thanks

Robert L. Farnsworth

You'll want to post your barnyard2.conf file as well as try and run
it with the -v option for verbose mode, then post the output of that
as well.

James



So ok...here's what I got:

config reference_file:          /etc/snort/reference.config
config classification_file:     /etc/snort/classification.config
config gen_file:                /etc/snort/gen-msg.map
config sid_file:                /etc/snort/sid-msg.map

input unified2
output alert_fast: stdout

root@siftworkstation:/opt/etc/snort# /bin/barnyard2 -v -c testbarnyard2.conf -l /var/log/barnyard2 -d /var/log/snort -f unified.u2 -w /var/log/barnyard2/external.waldo


Running in Continuous mode

         --== Initializing Barnyard2 ==--
Initializing Input Plugins!
Initializing Output Plugins!
Parsing config file "testbarnyard2.conf"


+[ Signature Suppress list ]+
----------------------------
+[No entry in Signature Suppress List]+
----------------------------
+[ Signature Suppress list ]+

Barnyard2 spooler: Event cache size set to [2048]
Log directory = /var/log/barnyard2

         --== Initialization Complete ==--

   ______   -*> Barnyard2 <*-
  / ,,_  \  Version 2.1.14 (Build 336)
  |o"  )~|  By Ian Firns (SecurixLive): http://www.securixlive.com/
  + '''' +  (C) Copyright 2008-2013 Ian Firns <firnsy () securixlive com>

This took at least 30 seconds on a slow box with a big rules file to 
initialize...I suspect that's what you're seeing...pegs the CPU as well, 
but that's to be expected.  Test with the above and see if you get the 
same results...make sure /var/log/snort and /var/log/barnyard2 exist.

James
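The checks James lists (the map files named in the config must exist, the log and spool directories must exist, the waldo file must be writable) are easy to run before starting barnyard2 so that a slow "Parsing config file" phase is not mistaken for a crash. The script below is an added example, not code from this thread or from the barnyard2 project. It takes the same five values the barnyard2 command line in James's reply uses (-c, -l, -d, -f, -w) as arguments; the config-line pattern it greps for (`config <name>_file: <path>`) is the form shown in the posted testbarnyard2.conf, and paths containing spaces are not handled.

```shell
#!/bin/sh
# barnyard2_preflight.sh -- added example, not code from the thread or from
# the barnyard2 project. Verifies, before barnyard2 is started, the things
# the thread points at: every map file named on a "config *_file:" line
# exists and is readable, the -l log directory and the directory that will
# hold the -w waldo file exist and are writable, the -d spool directory
# exists, and whether a spool file named "<-f name>.<timestamp>" is present.
# All paths come from the arguments; nothing is hard-coded.
#
# usage: barnyard2_preflight <conf> <logdir> <spooldir> <spoolbase> <waldo>
# returns 0 when every hard requirement is met, 1 otherwise.
barnyard2_preflight() {
    conf=$1; logdir=$2; spooldir=$3; spoolbase=$4; waldo=$5
    rc=0

    if [ ! -r "$conf" ]; then
        echo "barnyard2 config not readable: $conf" >&2
        return 1
    fi

    # Lines such as "config sid_file: /etc/snort/sid-msg.map" name files
    # barnyard2 loads during "Parsing config file"; a missing one aborts
    # initialization. The path is the third whitespace-separated field
    # (paths containing spaces are not handled by this example).
    for f in $(awk '/^[[:space:]]*config[[:space:]]+[a-z_]*_file:/ { print $3 }' "$conf"); do
        if [ ! -r "$f" ]; then
            echo "map file named in config is missing or unreadable: $f" >&2
            rc=1
        fi
    done

    # barnyard2 writes its own log (-l) and the waldo bookmark (-w), so
    # both directories must exist and be writable by the invoking user.
    for d in "$logdir" "$(dirname "$waldo")"; do
        if [ ! -d "$d" ]; then
            echo "directory does not exist: $d" >&2
            rc=1
        elif [ ! -w "$d" ]; then
            echo "directory not writable: $d" >&2
            rc=1
        fi
    done

    # The spool directory (-d) is where snort's unified2 output lands and
    # only has to exist and be readable.
    if [ ! -d "$spooldir" ]; then
        echo "spool directory does not exist: $spooldir" >&2
        rc=1
    else
        # In continuous mode barnyard2 waits for "<spoolbase>.<timestamp>"
        # files, so their absence is reported as a note, not a failure.
        # (set -- only changes this function's positional parameters.)
        set -- "$spooldir/$spoolbase".*
        if [ ! -e "$1" ]; then
            echo "note: no spool file matching $spooldir/$spoolbase.* yet" >&2
        fi
    fi

    return $rc
}

# Run the checks when invoked with exactly five arguments; silent when sourced.
if [ "$#" -eq 5 ]; then
    barnyard2_preflight "$@" && echo "preflight ok"
fi
```

Run it with the same values you are about to hand to barnyard2, for example `sh barnyard2_preflight.sh testbarnyard2.conf /var/log/barnyard2 /var/log/snort unified.u2 /var/log/barnyard2/external.waldo`; a non-zero exit lists each missing file or directory on stderr, and only once it prints "preflight ok" is a long pause at "Parsing config file" worth waiting out.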
