Snort mailing list archives

Snort / Barnyard error.


From: Rudi Starcevic <rudi () oasis net au>
Date: Tue, 14 Oct 2003 17:46:47 +1000

Hi,

Just having a couple of problems getting Snort and Barnyard to work together.
I've been struggling with this for a couple of days on and off, so I've started again from fresh source
but am still seeing errors.

Here's what I'm trying and what I'm seeing:

I re-installed 20 mins ago from snort.org
-*> Snort! <*-
Version 2.0.2 (Build 92)

Also Barnyard from sourceforge 10 mins ago
-*> Barnyard! <*-
Version 0.1.0 (Build 17)

Now I make *1* and only 1 change to the snort.conf file.
I uncomment just 1 line:

#output log_unified: filename snort.log, limit 128
output log_unified: filename snort.log, limit 128

Now I start Snort:
/usr/local/snort/bin/snort -b -i eth0 -c /usr/local/snort/etc/snort.conf -L testlog

So far it's all good.

2 log files are created when I trigger a rule:
/var/log/snort/alert
/var/log/snort/testlog.1066116497

Now I stop Snort and want to use Barnyard to analyze the binary log.
My Barnyard command is:

/usr/local/barnyard/bin/barnyard -o \
-c /usr/local/snort/etc/barnyard.conf  \
-f /var/log/snort/testlog.1066116497 \
-L /var/log/barnyard  \
-g /usr/local/snort/etc/gen-msg.map \
-s /usr/local/snort/etc/sid-msg.map


This is my error:

-*> Barnyard! <*-
Version 0.1.0 (Build 17)
By Andrew R. Baker (andrewb () snort org)
and Martin Roesch (roesch () sourcefire com, www.snort.org)

Loading Data Processors...
dp_alert loaded
dp_log loaded
dp_stream_stat loaded
Loading Built-in Output Plugins...
Fast Alert plugin initialized
AlertSyslog initialized
Log Dump plugin initialized
LogPcap initialized
AlertCSV initialized
Parsing Config file: /usr/local/snort/etc/barnyard.conf
Barnyard Version 0.1.0 (Build 17) started
ERROR => No input plugin found for magic: a1b2c3d4
Fatal Error, Quitting..
Exiting

This error can be found on Google several times but mostly the advice is to upgrade,
which I've tried without joy.

I also found this:
>> Barnyard subsists exclusively on a diet of snort unified output files.

I thought uncommenting 'output log_unified: filename snort.log, limit 128' would
help, but also no joy yet.

Sorry for this repeat question but I am now stuck.
Am I still missing a config option or something?

In the testlog.1066116497 the first 2 lines are binary, then I can read some
text. Should this file be all binary with no readable text?

Also, can I just have a binary log and no text 'alert' log in my snort log dir?

Many thanks.
Best regards
Rudi.
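A small check that goes with the error quoted above. This is an added example, not code from the post or from Snort/Barnyard: it reads the first four bytes of a file and reports whether it carries the pcap magic (a1b2c3d4, the value in the error message, which is what `snort -b -L` writes) or one of Snort's unified-output magics, which is what Barnyard expects. The unified constants are the ones defined in Snort 2.x's spo_unified.h; the sample headers in the demo are constructed.

```python
"""Classify a Snort output file by its leading 4-byte magic (added example)."""
import struct

PCAP_MAGIC = 0xA1B2C3D4           # libpcap savefile, as written by `snort -b -L`
UNIFIED_ALERT_MAGIC = 0xDEAD4137  # Snort unified alert file (alert_unified)
UNIFIED_LOG_MAGIC = 0xDEAD1080    # Snort unified log file (log_unified)

KNOWN = {
    PCAP_MAGIC: "pcap capture (written by `snort -b -L`; not a Barnyard input)",
    UNIFIED_ALERT_MAGIC: "Snort unified alert file (Barnyard dp_alert input)",
    UNIFIED_LOG_MAGIC: "Snort unified log file (Barnyard dp_log input)",
}


def classify_magic(header: bytes) -> str:
    """Return a description of the file type from its first 4 bytes.

    Both byte orders are tried: the magic is written in the sensor's
    native endianness and the file may be inspected on another host.
    """
    if len(header) < 4:
        return "too short to contain a 4-byte magic"
    for fmt in ("<I", ">I"):
        magic = struct.unpack(fmt, header[:4])[0]
        if magic in KNOWN:
            return KNOWN[magic]
    return f"unknown magic 0x{struct.unpack('<I', header[:4])[0]:08x}"


def classify_file(path: str) -> str:
    """Classify a file on disk by reading only its 4-byte header."""
    with open(path, "rb") as fh:
        return classify_magic(fh.read(4))


if __name__ == "__main__":
    # Constructed sample headers: a pcap log and a unified log, little-endian.
    samples = {
        "testlog.1066116497 (constructed)": struct.pack("<I", PCAP_MAGIC),
        "snort.log.1066116497 (constructed)": struct.pack("<I", UNIFIED_LOG_MAGIC),
    }
    for name, header in samples.items():
        print(f"{name}: {classify_magic(header)}")
```

Run it against the file named in the `-f` argument with `classify_file(path)`; a pcap result means the `-b -L` capture was passed instead of the `snort.log.<timestamp>` unified file.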
