Snort mailing list archives
Re: Using Barnyard2 with Snort
From: "Farnsworth, Robert" <robert.farnsworth () hp com>
Date: Mon, 29 Jun 2015 18:51:35 +0000
I did finally get it to run with one concern, see my start-up info.
Is this a concern?
[CacheSynchronize()],INFO: No system was found in cache (from signature map file), will not process or synchronize informations found in the database
[root@host snort]# /usr/bin/barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort -f snort.log -w /var/log/snort/barnyard.waldo
[1] 29647
[root@host snort]# Running in Continuous mode
--== Initializing Barnyard2 ==--
Initializing Input Plugins!
Initializing Output Plugins!
Parsing config file "/etc/snort/barnyard2.conf"
+[ Signature Suppress list ]+
----------------------------
+[No entry in Signature Suppress List]+
----------------------------
+[ Signature Suppress list ]+
Barnyard2 spooler: Event cache size set to [2048]
Log directory = /var/log/barnyard2
INFO database: Defaulting Reconnect/Transaction Error limit to 10
INFO database: Defaulting Reconnect sleep time to 5 second
[CacheSynchronize()],INFO: No system was found in cache (from signature map file), will not process or synchronize informations found in the database
database: compiled support for (mysql)
database: configured to use mysql
database: schema version = 107
database: host = localhost
database: user = snort_user
database: database name = snortdb
database: sensor name = localhost:eth2
database: sensor id = 2
database: sensor cid = 1
database: data encoding = hex
database: detail level = full
database: ignore_bpf = no
database: using the "log" facility
--== Initialization Complete ==--
______ -*> Barnyard2 <*-
/ ,,_ \ Version 2.1.13 (Build 327)
|o" )~| By Ian Firns (SecurixLive): http://www.securixlive.com/
+ '''' + (C) Copyright 2008-2013 Ian Firns <firnsy () securixlive com>
Using waldo file '/var/log/snort/barnyard.waldo':
spool directory = /var/log/snort
spool filebase = snort.log
time_stamp = 1435349813
record_idx = 0
Opened spool file '/var/log/snort/snort.log.1435349813'
Waiting for new data
-----Original Message-----
From: James Lay [mailto:jlay () slave-tothe-box net]
Sent: Friday, June 26, 2015 3:55 PM
To: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Using Barnyard2 with Snort
On 2015-06-26 11:00 AM, Farnsworth, Robert wrote:
Hi, James, I know you're busy but just wanted to reply so you don't forget about this.
Thanks
Robert

FROM: James Lay [mailto:jlay () slave-tothe-box net]
SENT: Wednesday, June 24, 2015 6:56 AM
TO: snort-users () lists sourceforge net
SUBJECT: Re: [Snort-users] Using Barnyard2 with Snort

On Mon, 2015-06-22 at 12:37 +0000, Farnsworth, Robert wrote:
This is what I get running in verbose. I have attached my barnyard2.conf file.
[root@usolglwxoh004 jzcdc0]# /usr/local/bin/barnyard2 -v
Running in Continuous mode
--== Initializing Barnyard2 ==--
Initializing Input Plugins!
Initializing Output Plugins!
Parsing config file "./barnyard2.conf"

-----Original Message-----
From: James Lay [mailto:jlay () slave-tothe-box net]
Sent: Friday, June 19, 2015 5:08 PM
To: Farnsworth, Robert
Cc: snort-users () lists sourceforge net
Subject: RE: [Snort-users] Using Barnyard2 with Snort

On 2015-06-19 02:55 PM, Farnsworth, Robert wrote:
I cannot get Barnyard to run. It seems to die @ Parsing config file "/etc/snort/barnyard2.conf"

-----Original Message-----
From: James Lay [mailto:jlay () slave-tothe-box net]
Sent: Friday, June 19, 2015 4:46 PM
To: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Using Barnyard2 with Snort

On 2015-06-19 11:57 AM, Farnsworth, Robert wrote:
I realize this is off topic for SNORT, but does anybody know how to get help with a barnyard2 config? I've tried the google group and the e-mail fails.
[root@anyhost] /usr/bin/barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort -f snort.log -w /var/log/snort/barnyard.waldo
Running in Continuous mode
--== Initializing Barnyard2 ==--
Initializing Input Plugins!
Initializing Output Plugins!
Parsing config file "/etc/snort/barnyard2.conf"
______ -*> Barnyard2 <*-
/ ,,_ \ Version 2.1.13 (Build 327)
|o" )~| By Ian Firns (SecurixLive): http://www.securixlive.com/
+ '''' + (C) Copyright 2008-2013 Ian Firns firnsy () securixlive com
Thanks
ROBERT L. FARNSWORTH

You'll want to post your barnyard2.conf file as well as try and run it with the -v option for verbose mode, then post the output of that as well.
James
So ok...here's what I got:
config reference_file: /etc/snort/reference.config
config classification_file: /etc/snort/classification.config
config gen_file: /etc/snort/gen-msg.map
config sid_file: /etc/snort/sid-msg.map
input unified2
output alert_fast: stdout
root@siftworkstation:/opt/etc/snort# /bin/barnyard2 -v -c testbarnyard2.conf -l /var/log/barnyard2 -d /var/log/snort -f unified.u2 -w /var/log/barnyard2/external.waldo
Running in Continuous mode
--== Initializing Barnyard2 ==--
Initializing Input Plugins!
Initializing Output Plugins!
Parsing config file "testbarnyard2.conf"
+[ Signature Suppress list ]+
----------------------------
+[No entry in Signature Suppress List]+
----------------------------
+[ Signature Suppress list ]+
Barnyard2 spooler: Event cache size set to [2048]
Log directory = /var/log/barnyard2
--== Initialization Complete ==--
______ -*> Barnyard2 <*-
/ ,,_ \ Version 2.1.14 (Build 336)
|o" )~| By Ian Firns (SecurixLive): http://www.securixlive.com/
+ '''' + (C) Copyright 2008-2013 Ian Firns <firnsy () securixlive com>
This took at least 30 seconds on a slow box with a big rules file to initialize...I suspect that's what you're
seeing...pegs the CPU as well, but that's to be expected. Test with the above and see if you get the same
results...make sure /var/log/snort and /var/log/barnyard2 exist.
James
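The advice in this thread comes down to a few checks before starting the daemon: the four map files named by `config reference_file`, `classification_file`, `gen_file` and `sid_file` must exist, the sid-msg.map must actually contain entries, and the spool directory (-d) and log directory (-l) must exist. The pre-flight script below is an added example, not code from barnyard2 or from either poster; it applies those checks to a constructed temporary layout, and all paths and the sample map rows in it are assumptions.

```python
import os
import re
import tempfile

MAP_FILES = {"reference_file": "reference.config", "classification_file": "classification.config",
             "gen_file": "gen-msg.map", "sid_file": "sid-msg.map"}

def parse_config(text):
    """Collect 'config key: value' lines from a barnyard2.conf (commented-out lines never match)."""
    return dict(re.findall(r"^\s*config\s+(\w+):\s*(\S+)", text, re.M))

def parse_sid_map(text):
    """Map sid -> msg from sid-msg.map: 'sid || msg || ref' rows, or after a '#v2' header 'gid || sid || rev || class || prio || msg || ref' rows."""
    sids, v2 = {}, False
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("#v2"):
            v2 = True
        elif line and not line.startswith("#"):
            f = [x.strip() for x in line.split("||")] + [""] * 6  # pad so short rows fall through
            sid, msg = (f[1], f[5]) if v2 else (f[0], f[1])
            if sid.isdigit():
                sids[int(sid)] = msg
    return sids

def preflight(conf_path, spool_dir, log_dir):
    """Return a list of problems; empty means the files and directories barnyard2 needs exist."""
    with open(conf_path) as fh:  # a missing conf raises here, which is the right outcome
        cfg = parse_config(fh.read())
    problems = [k + ": not set or file missing" for k in MAP_FILES if not os.path.isfile(cfg.get(k, ""))]
    if os.path.isfile(cfg.get("sid_file", "")):
        with open(cfg["sid_file"]) as fh:
            if not parse_sid_map(fh.read()):  # empty map: events would be logged without rule names
                problems.append(cfg["sid_file"] + " has no usable sid entries")
    return problems + ["directory missing: " + d for d in (spool_dir, log_dir) if not os.path.isdir(d)]

def demo():
    """Constructed layout in a temp dir: map files and spool dir present, barnyard2 log dir absent."""
    root = tempfile.mkdtemp()
    etc, spool = os.path.join(root, "etc/snort"), os.path.join(root, "var/log/snort")
    for d in (etc, spool):
        os.makedirs(d)
    bodies = dict.fromkeys(MAP_FILES.values(), "# constructed placeholder\n")
    bodies["sid-msg.map"] = "#v2\n1 || 2000001 || 1 || trojan-activity || 1 || CONSTRUCTED sig || url,example.com\n"
    conf = "".join("config %s: %s\n" % (k, os.path.join(etc, n)) for k, n in MAP_FILES.items())
    bodies["barnyard2.conf"] = conf + "input unified2\noutput alert_fast: stdout\n"
    for name, body in bodies.items():
        with open(os.path.join(etc, name), "w") as fh:
            fh.write(body)
    return preflight(os.path.join(etc, "barnyard2.conf"), spool, os.path.join(root, "var/log/barnyard2"))
```

Running `demo()` reports only the absent log directory, which is the same failure James asks to rule out; point `preflight()` at a real barnyard2.conf and the -d/-l paths to check a live box.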
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
Please visit http://blog.snort.org to stay current on all the latest Snort news!
