Snort mailing list archives
Barnyard and ACID woes
From: Scott Nursten <scottn () s2s ltd uk>
Date: Tue, 03 Sep 2002 11:38:27 +0100
Hi guys,

Getting some strange results using Snort-1.8.7, Barnyard Version 0.1.0-rc2 (Build 11), Mysql Ver 11.18 Distrib 3.23.52, ACID 0.9.6b21.

Basically, the packet data is getting logged to the DB as below, but it seems ACID doesn't pick up the timestamps, sensor id etc:

----snip mysql.log-----
116 Query SELECT sig_class_id FROM sig_class WHERE sig_class_name='misc-activity'
116 Query INSERT INTO sig_class(sig_class_name) VALUES('misc-activity')
116 Query INSERT INTO signature(sig_name, sig_class_id, sig_priority, sig_rev, sig_sid) VALUES('Snort Alert [1:485:0]', '1', '3', '0', '485')
116 Query INSERT INTO event(sid, cid, signature, timestamp) VALUES('1', '1', '1', '2002-09-03 11:17:25 +0100')
116 Query INSERT INTO iphdr(sid, cid, ip_src, ip_dst, ip_proto)VALUES('1', '1', 'obs', 'obfuscated', '1')
116 Query INSERT INTO icmphdr (sid, cid, icmp_type, icmp_code) VALUES('1', '1', '3', '13')
020903 11:17:53 116 Query SELECT sig_id FROM signature WHERE sig_name='Snort Alert [1:485:0]' AND sig_rev=0 AND sig_sid=485
116 Query INSERT INTO event(sid, cid, signature, timestamp) VALUES('1', '2', '1', '2002-09-03 11:17:53 +0100')
116 Query INSERT INTO iphdr(sid, cid, ip_src, ip_dst, ip_proto)VALUES('1', '2', 'obs', 'obfuscated', '1')
116 Query INSERT INTO icmphdr (sid, cid, icmp_type, icmp_code) VALUES('1', '2', '3', '13')
----snip mysql.log----

Snort and Barnyard have been trimmed to the min and pumped to the max. I have tried leaving out the hostname and interface name in the barnyard conf (and obviously tried putting them in). Have tried trimming and pumping the snort conf and command line options in similar ways. Here are my current cmd line options...

snort -i eth2 -c /etc/snort/snort.conf.eth2
barnyard -c /etc/snort/barnyard.conf.eth2 -d /var/log/snort/ -f snort.alert

And the relevant config entries:

----snip snort.conf----
output alert_unified: filename snort.alert, limit 128
output log_unified: filename snort.log, limit 128
----snip snort.conf----

---snip barnyard.conf----
processor dp_alert
processor dp_log
processor dp_stream_stat
output alert_acid_db: mysql, sensor_id 1, database snort, server localhost, user snort, password ******, detail full
output log_acid_db: mysql, sensor_id 1, database snort, server localhost, user snort, password ******, detail full
----snip barnyard.conf----

The "detail full" on the end has been removed and re-added. Didn't know what it did, so thought I would try it.

This all works if I point snort straight at the DB - it only seems to be failing with Barnyard...?!

Any ideas? This is not a mish-crit application and in reality barnyard isn't even needed - I just wanted to give it a test drive...!

What am I doing wrong?

Kind Regards,

--
Scott Nursten
--------------------------
S2S Consultants
T: 01444 232 742
F: 01444 232 061
W: http://s2s.ltd.uk
E: scottn () s2s ltd uk
--------------------------
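A check worth running over the general-log lines quoted in the post, added here as an example that is not part of Scott's message nor code from Barnyard or ACID: it parses the INSERT statements and audits what a console needs to display an event, assuming the standard Snort database schema in which sensor, event and iphdr rows are joined on sid and cid (the sensor table and its hostname/interface columns come from that schema, not from the post). On the quoted lines it reports that no INSERT INTO sensor is ever issued for sid 1, and that each event timestamp carries a '+0100' suffix that is not a plain YYYY-MM-DD HH:MM:SS value, both things to compare against what the event table actually stored.

```python
import re
from datetime import datetime

# Constructed sample: the INSERT lines from the mysql.log snip in the post
# (addresses were already obfuscated there; the SELECT lines are not needed).
SAMPLE_LOG = """\
116 Query INSERT INTO signature(sig_name, sig_class_id, sig_priority, sig_rev, sig_sid) VALUES('Snort Alert [1:485:0]', '1', '3', '0', '485')
116 Query INSERT INTO event(sid, cid, signature, timestamp) VALUES('1', '1', '1', '2002-09-03 11:17:25 +0100')
116 Query INSERT INTO iphdr(sid, cid, ip_src, ip_dst, ip_proto)VALUES('1', '1', 'obs', 'obfuscated', '1')
116 Query INSERT INTO icmphdr (sid, cid, icmp_type, icmp_code) VALUES('1', '1', '3', '13')
116 Query INSERT INTO event(sid, cid, signature, timestamp) VALUES('1', '2', '1', '2002-09-03 11:17:53 +0100')
116 Query INSERT INTO iphdr(sid, cid, ip_src, ip_dst, ip_proto)VALUES('1', '2', 'obs', 'obfuscated', '1')
116 Query INSERT INTO icmphdr (sid, cid, icmp_type, icmp_code) VALUES('1', '2', '3', '13')
"""

# Matches "INSERT INTO table(col, ...) VALUES(val, ...)" as MySQL's general log
# prints it; the optional whitespace covers the "iphdr(...)VALUES(" spelling.
INSERT_RE = re.compile(r"INSERT INTO (\w+)\s*\(([^)]*)\)\s*VALUES\s*\(([^)]*)\)")

# Format a DATETIME column accepts; the trailing "+0100" in the log fails it.
DATETIME_FMT = "%Y-%m-%d %H:%M:%S"


def parse_inserts(log_text):
    """Return a list of (table, {column: value}) for every INSERT in the log."""
    rows = []
    for line in log_text.splitlines():
        m = INSERT_RE.search(line)
        if not m:
            continue
        table = m.group(1)
        cols = [c.strip() for c in m.group(2).split(",")]
        vals = [v.strip().strip("'") for v in m.group(3).split(",")]
        if len(cols) != len(vals):
            raise ValueError("column/value count mismatch: %s" % line)
        rows.append((table, dict(zip(cols, vals))))
    return rows


def audit(rows):
    """Report, per event (sid, cid), what a console such as ACID would miss:
    a sensor row for the sid, an iphdr row for the event, and a parseable
    DATETIME timestamp. Returns a list of ((sid, cid), message) tuples."""
    findings = []
    # Assumption: the schema's sensor table is keyed on sid.
    sensors = {r["sid"] for t, r in rows if t == "sensor"}
    iphdr_keys = {(r["sid"], r["cid"]) for t, r in rows if t == "iphdr"}
    for table, r in rows:
        if table != "event":
            continue
        key = (r["sid"], r["cid"])
        if r["sid"] not in sensors:
            findings.append((key, "no INSERT INTO sensor for sid %s" % r["sid"]))
        if key not in iphdr_keys:
            findings.append((key, "no iphdr row for this event"))
        try:
            datetime.strptime(r["timestamp"], DATETIME_FMT)
        except ValueError:
            findings.append((key, "timestamp %r is not a plain DATETIME" % r["timestamp"]))
    return findings


if __name__ == "__main__":
    for key, msg in audit(parse_inserts(SAMPLE_LOG)):
        print("event sid=%s cid=%s: %s" % (key[0], key[1], msg))
```

Point it at a real general log by replacing SAMPLE_LOG with the file contents; if a sensor row is in fact present the first finding disappears, which narrows the problem to the timestamp column alone.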