Snort mailing list archives
Barnyard and ACID woes
From: Scott Nursten <scottn () s2s ltd uk>
Date: Tue, 03 Sep 2002 11:38:27 +0100
Hi guys,
Getting some strange results using
Snort-1.8.7
Barnyard Version 0.1.0-rc2 (Build 11)
Mysql Ver 11.18 Distrib 3.23.52
ACID 0.9.6b21
Basically, the packet data is getting logged to the DB as below, but it
seems ACID doesn't pick up the timestamps, sensor ID, etc.:
----snip mysql.log-----
116 Query SELECT sig_class_id FROM sig_class WHERE sig_class_name='misc-activity'
116 Query INSERT INTO sig_class(sig_class_name) VALUES('misc-activity')
116 Query INSERT INTO signature(sig_name, sig_class_id, sig_priority, sig_rev, sig_sid) VALUES('Snort Alert [1:485:0]', '1', '3', '0', '485')
116 Query INSERT INTO event(sid, cid, signature, timestamp) VALUES('1', '1', '1', '2002-09-03 11:17:25 +0100')
116 Query INSERT INTO iphdr(sid, cid, ip_src, ip_dst, ip_proto)VALUES('1', '1', 'obs', 'obfuscated', '1')
116 Query INSERT INTO icmphdr (sid, cid, icmp_type, icmp_code) VALUES('1', '1', '3', '13')
020903 11:17:53 116 Query SELECT sig_id FROM signature WHERE sig_name='Snort Alert [1:485:0]' AND sig_rev=0 AND sig_sid=485
116 Query INSERT INTO event(sid, cid, signature, timestamp) VALUES('1', '2', '1', '2002-09-03 11:17:53 +0100')
116 Query INSERT INTO iphdr(sid, cid, ip_src, ip_dst, ip_proto)VALUES('1', '2', 'obs', 'obfuscated', '1')
116 Query INSERT INTO icmphdr (sid, cid, icmp_type, icmp_code) VALUES('1', '2', '3', '13')
----snip mysql.log----
Snort and Barnyard have been trimmed to the min and pumped to the max. I
have tried leaving out the hostname and interface name in the barnyard conf
(and obviously tried putting them in). Have tried trimming and pumping the
snort conf and command line options in similar ways.
Here are my current cmd line options...
snort -i eth2 -c /etc/snort/snort.conf.eth2
barnyard -c /etc/snort/barnyard.conf.eth2 -d /var/log/snort/ -f snort.alert
And the relevant config entries:
----snip snort.conf----
output alert_unified: filename snort.alert, limit 128
output log_unified: filename snort.log, limit 128
----snip snort.conf----
---snip barnyard.conf----
processor dp_alert
processor dp_log
processor dp_stream_stat
output alert_acid_db: mysql, sensor_id 1, database snort, server localhost, user snort, password ******, detail full
output log_acid_db: mysql, sensor_id 1, database snort, server localhost, user snort, password ******, detail full
----snip barnyard.conf----
The "detail full" on the end has been removed and re-added. Didn't know what
it did, so thought I would try it. This all works if I point snort straight
at the DB - it only seems to be failing with Barnyard...?! Any ideas? This
is not a mission-critical application and in reality barnyard isn't even needed - I
just wanted to give it a test drive...!
What am I doing wrong?
Kind Regards,
--
Scott Nursten
--------------------------
S2S Consultants
T: 01444 232 742
F: 01444 232 061
W: http://s2s.ltd.uk
E: scottn () s2s ltd uk
--------------------------
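Added by the editor, not part of Scott's post: a small Python check that pulls the INSERT statements out of a mysql general-log extract and reports exactly what Barnyard is handing the database for each event's sid, cid and timestamp. The sample log embedded below is constructed from the lines quoted in the post, re-joined one statement per line. A MySQL DATETIME column carries no time zone, so a literal such as '2002-09-03 11:17:25 +0100' is flagged for a manual look; what a given MySQL version does with that trailing offset (store it, truncate it, or zero the row) is not something this script assumes, it only tells you which rows to compare against the live table. The `expected_sid` argument is the sensor_id from barnyard.conf; the `LIVE_CHECK` query is built only from the columns visible in the log and is an assumption about the schema, not a quote from the ACID schema file.

```python
import re

# Constructed sample: the INSERT statements quoted in the post above,
# re-joined onto one line each. Not a live capture.
MYSQL_LOG = """\
116 Query INSERT INTO event(sid, cid, signature, timestamp) VALUES('1', '1', '1', '2002-09-03 11:17:25 +0100')
116 Query INSERT INTO iphdr(sid, cid, ip_src, ip_dst, ip_proto)VALUES('1', '1', 'obs', 'obfuscated', '1')
116 Query INSERT INTO icmphdr (sid, cid, icmp_type, icmp_code) VALUES('1', '1', '3', '13')
020903 11:17:53 116 Query SELECT sig_id FROM signature WHERE sig_name='Snort Alert [1:485:0]' AND sig_rev=0 AND sig_sid=485
116 Query INSERT INTO event(sid, cid, signature, timestamp) VALUES('1', '2', '1', '2002-09-03 11:17:53 +0100')
116 Query INSERT INTO iphdr(sid, cid, ip_src, ip_dst, ip_proto)VALUES('1', '2', 'obs', 'obfuscated', '1')
116 Query INSERT INTO icmphdr (sid, cid, icmp_type, icmp_code) VALUES('1', '2', '3', '13')
"""

# Query to run by hand against the real database to see what was stored
# (assumed column names, taken from the INSERT statements in the log).
LIVE_CHECK = "SELECT sid, cid, timestamp FROM event ORDER BY sid, cid"

# INSERT INTO <table>(<cols>) VALUES(<vals>) as the general log prints it;
# the space before "(" and before "VALUES" is optional, as the log shows.
INSERT_RE = re.compile(
    r"Query\s+INSERT\s+INTO\s+(?P<table>\w+)\s*\((?P<cols>[^)]*)\)"
    r"\s*VALUES\s*\((?P<vals>.*)\)\s*$"
)
# Single-quoted literals inside the VALUES list (no escaped quotes in this log).
LITERAL_RE = re.compile(r"'([^']*)'")
# A bare MySQL DATETIME literal: date, space, time, nothing else.
DATETIME_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}$")


def parse_inserts(log_text):
    """Return [(table, {column: value}), ...] for every INSERT in the log."""
    rows = []
    for line in log_text.splitlines():
        m = INSERT_RE.search(line)
        if not m:
            continue  # SELECTs and other statements are not of interest here
        cols = [c.strip() for c in m.group("cols").split(",")]
        vals = LITERAL_RE.findall(m.group("vals"))
        if len(cols) != len(vals):
            raise ValueError("column/value count mismatch in: " + line)
        rows.append((m.group("table"), dict(zip(cols, vals))))
    return rows


def check_events(rows, expected_sid):
    """List (cid, problem) for event rows whose sid does not match the
    configured sensor_id or whose timestamp is not a bare DATETIME literal."""
    problems = []
    for table, row in rows:
        if table != "event":
            continue
        cid = row["cid"]
        if row["sid"] != str(expected_sid):
            problems.append((cid, "sid %s != configured sensor_id %s"
                             % (row["sid"], expected_sid)))
        if not DATETIME_RE.match(row["timestamp"]):
            problems.append((cid, "timestamp literal is not a bare DATETIME: %r"
                             % row["timestamp"]))
    return problems


def orphan_keys(rows):
    """(sid, cid) pairs present in event but not iphdr, or vice versa.
    ACID joins these tables on (sid, cid), so an orphan is an event it
    cannot display with its packet headers."""
    ev = {(r["sid"], r["cid"]) for t, r in rows if t == "event"}
    ip = {(r["sid"], r["cid"]) for t, r in rows if t == "iphdr"}
    return sorted(ev ^ ip)


if __name__ == "__main__":
    parsed = parse_inserts(MYSQL_LOG)
    for cid, why in check_events(parsed, expected_sid=1):
        print("cid %s: %s" % (cid, why))
    print("orphan (sid, cid) keys:", orphan_keys(parsed))
    print("now run on the live DB:", LIVE_CHECK)
```

Run it against your own general log (`mysql.log`) instead of the embedded sample by reading the file into `MYSQL_LOG`; the joins and the sid check pass on the quoted extract, so the only thing it flags there is the timezone suffix on every timestamp literal, which is the first thing to compare with what `LIVE_CHECK` returns.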
Current thread:
- Barnyard and ACID woes Scott Nursten (Sep 03)
- Snort Minimum permissions Richard Hall (Sep 03)
