Snort mailing list archives
Barnyard 0.1.5 and mysql
From: "Chris Eidem" <jceidem () dexma com>
Date: Tue, 13 Nov 2001 09:22:53 -0600
Hey y'all,
Got a question about barnyard and mysql. Looks like it's sending stuff
into the db with a sid of '0'. Why?
snort is running on OpenBSD 2.8-stable and barnyard is sending data to a
Win2k Pro box with mysql 3.23.29
If I go to the cache and status page it says that I have 9433 events,
yet no alerts show up. Weird.
mysql> select * from sensor;
+-----+----------+-----------------------+--------+--------+----------+
| sid | hostname | interface             | filter | detail | encoding |
+-----+----------+-----------------------+--------+--------+----------+
|   1 | unknown  | [reading from a file] | NULL   |      1 |        0 |
|   2 | SHARPAM  | [reading from a file] | NULL   |      1 |        0 |
|   3 | unknown  | [reading from a file] | NULL   |      1 |        0 |
+-----+----------+-----------------------+--------+--------+----------+
3 rows in set (0.05 sec)
mysql> select count(*) from event where sid > 0;
+----------+
| count(*) |
+----------+
|        0 |
+----------+
1 row in set (0.00 sec)
mysql> select count(*) from event where sid = 0;
+----------+
| count(*) |
+----------+
|     9433 |
+----------+
1 row in set (1.24 sec)
I start barnyard like this:
./barnyard -c ./byshmy.conf -s sid-msg.map -g gen-msg.map -d /var/log/snort -f snort.alert
I get this:
<major snippage>
SQL: INSERT INTO event(sid, cid, signature, timestamp) VALUES('0',
'9431', '130', '2001-11-12 21:07:05')
SQL: INSERT INTO event(sid, cid, signature, timestamp) VALUES('0',
'9432', '121', '2001-11-12 21:07:35')
SQL: INSERT INTO event(sid, cid, signature, timestamp) VALUES('0',
'9433', '126', '2001-11-12 21:07:48')
Lines from the byshmy.conf:
output alert_acid_db: mysql, sensor_id cubanelle-xl1, database snort, server sharpam, user snort, detail full, password snort
output log_acid_db: mysql, sensor_id cubanelle-xl1, database snort, server sharpam, user snort, detail full, password snort
Version info:
[root@cubanelle /usr/local/snort]# ./barnyard -V
-*> Barnyard! <*-
Version 0.1.0-beta5-dev (Build 6)
By Andrew R. Baker (andrewb () snort org)
and Martin Roesch (roesch () sourcefire com, www.snort.org)
[root@cubanelle /usr/local/snort]# snort -V
-*> Snort! <*-
Version 1.8.2 (Build 86)
By Martin Roesch (roesch () sourcefire com, www.snort.org)
ACID info:
mysql> select * from schema;
+------+---------------------+
| vseq | ctime               |
+------+---------------------+
|  104 | 2001-11-07 15:12:33 |
+------+---------------------+
1 row in set (0.01 sec)
running 0.9.6.18b on Win2k
C:\stuff>mysqladmin -V
mysqladmin Ver 8.21 Distrib 3.23.39, for Win95/Win98 on i32
Thanks in advance,
Chris
Chris Eidem, Network Administrator
Dexma, Inc., 7701 York Av. S., Edina, MN 55435
Phone: 952.229.1311
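As an added example (not part of the original post, nor code from barnyard or ACID), a small Python check that re-joins the wrapped "SQL: INSERT INTO event" lines barnyard prints with -d, counts events per sid, and flags any sid that has no row in the sensor table; the sample log lines and the sensor id set {1, 2, 3} are constructed from the values quoted in the post.

```python
import re
from collections import Counter

# Matches a re-joined barnyard debug line of the form shown in the post:
# SQL: INSERT INTO event(sid, cid, signature, timestamp) VALUES('0', '9431', '130', '2001-11-12 21:07:05')
EVENT_INSERT = re.compile(
    r"SQL: INSERT INTO event\(sid, cid, signature, timestamp\) VALUES\("
    r"'(?P<sid>\d+)',\s*'(?P<cid>\d+)',\s*'(?P<sig>\d+)',\s*'(?P<ts>[^']+)'\)"
)

def join_wrapped(lines):
    """Re-join INSERT statements that were wrapped onto a continuation line."""
    out, buf = [], ""
    for line in lines:
        line = line.rstrip("\n")
        if line.startswith("SQL: "):
            if buf:
                out.append(buf)
            buf = line
        elif buf:
            buf += " " + line.strip()
    if buf:
        out.append(buf)
    return out

def parse_event_inserts(lines):
    """Return (sid, cid, signature, timestamp) tuples for each event INSERT found."""
    events = []
    for stmt in join_wrapped(lines):
        m = EVENT_INSERT.search(stmt)
        if m:
            events.append((int(m["sid"]), int(m["cid"]), int(m["sig"]), m["ts"]))
    return events

def orphan_report(events, sensor_ids):
    """Count events per sid and return the sids that have no sensor row.
    The same check directly in the database would be:
    SELECT e.sid, COUNT(*) FROM event e LEFT JOIN sensor s ON s.sid = e.sid
    WHERE s.sid IS NULL GROUP BY e.sid"""
    per_sid = Counter(sid for sid, *_ in events)
    orphans = {sid: n for sid, n in per_sid.items() if sid not in sensor_ids}
    return per_sid, orphans

# Constructed sample: two wrapped statements as in the post, plus one
# unwrapped insert for sensor 2 so the report has a non-orphan for contrast.
SAMPLE_LOG = """\
SQL: INSERT INTO event(sid, cid, signature, timestamp) VALUES('0',
'9431', '130', '2001-11-12 21:07:05')
SQL: INSERT INTO event(sid, cid, signature, timestamp) VALUES('0',
'9432', '121', '2001-11-12 21:07:35')
SQL: INSERT INTO event(sid, cid, signature, timestamp) VALUES('2', '9434', '126', '2001-11-12 21:08:01')
""".splitlines(keepends=True)
SENSOR_IDS = {1, 2, 3}   # sid column of the sensor table quoted in the post

if __name__ == "__main__":
    per_sid, orphans = orphan_report(parse_event_inserts(SAMPLE_LOG), SENSOR_IDS)
    print("events per sid:", dict(per_sid))
    print("orphaned sids (no sensor row):", orphans)
```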
