Snort mailing list archives
RE: Barnyard not inserting into acid_*
From: "VanBrecht, Jason" <Jason.VanBrecht () ost dot gov>
Date: Thu, 24 Jun 2004 08:39:33 -0400
Barnyard does not populate the acid_* tables; acid does that itself. When you load the page, it pulls data from the snort db tables and dumps them into the acid tables. At least that's how mine is set up.

Jason van Brecht
Security Analyst
Department of Transportation

-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of Rudi Starcevic
Sent: Wednesday, June 23, 2004 8:28 PM
To: sekure
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Barnyard not inserting into acid_*

Hi,

Thanks for your reply. I've looked into it further but still no joy. Sorry to bother - I'm sure I have either a simple misconfig I keep missing or perhaps something underneath not happy on FreeBSD.
You only need log_acid_db, since alert_acid_db will only duplicate the entries... But that's not the root of your issue.
The only output filter I have in barnyard.conf is:

    output alert_acid_db: mysql, sensor_id 1, database snort, server localhost, user root, password xxxx, detail full

After running:

    /usr/local/barnyard/bin/barnyard -c /usr/local/snort/etc/barnyard.conf -o /var/log/snort/snort.log.1087948218

Barnyard connects to mysql OK. There are no errors in my mysql or php log files. Here are some lines from wildpass.log (mysql log):

    10 Query INSERT INTO udphdr (sid, cid, udp_sport, udp_dport) VALUES('1', '9735', '1376', '1434')
    10 Query SELECT sig_id FROM signature WHERE sig_name='MS-SQL Worm propagation attempt OUTBOUND' AND sig_rev=0 AND sig_sid=2004
    10 Query INSERT INTO event(sid, cid, signature, timestamp) VALUES('1', '9736', '2', '2004-06-23 17:52:55')
    10 Query INSERT INTO iphdr(sid, cid, ip_src, ip_dst, ip_proto) VALUES('1', '9736', '2898447641', '1122407842', '17')

So I'm sure I can connect OK and there are no error messages, but still no insert in acid_*. The acid console connects OK but no stats on screen. Hmm ... might have to go try on another machine as I'm a bit stumped.

Thanks
Regards
Rudi.
Do you have the snort database and tables created in the database? Can you connect to the database with the mysql client with the root user and manipulate the tables? Enable error logging on the mysql server and see what barnyard is trying to do.

On Wed, 23 Jun 2004 12:20:00 +1000, Rudi Starcevic <tech () wildcash com> wrote:

Hi,

I've got Snort, Mysql, Acid and Barnyard installed and running OK on FreeBSD with one small hitch. So far I'm unable to get Barnyard to insert into any of the 4 acid_* tables. I can't see where I'm going wrong and have been trying on and off for a couple of days so I thought I'd ask.

After running the commands:

    /usr/local/barnyard/bin/barnyard -c /usr/local/snort/etc/barnyard.conf -o /var/log/snort/snort.alert.1087948218
    /usr/local/barnyard/bin/barnyard -c /usr/local/snort/etc/barnyard.conf -o /var/log/snort/snort.log.1087948218

the binary log files are processed without error but no data is inserted into the acid tables, only the standard snort tables.

I have this in my snort.conf:

    output alert_unified: filename snort.alert, limit 128
    output log_unified: filename snort.log, limit 128

and this in my barnyard.conf:

    output alert_acid_db: mysql, sensor_id 1, database snort, server localhost, user root, password xxxxx, detail full
    output log_acid_db: mysql, sensor_id 1, database snort, server localhost, user root, password xxxxx, detail full

Can you see where I may be going wrong and how I may fix it?

Many thanks
Kind regards
Rudi.

-------------------------------------------------------
This SF.Net email sponsored by Black Hat Briefings & Training. Attend Black Hat Briefings & Training, Las Vegas July 24-29 - digital self defense, top technical experts, no vendor pitches, unmatched networking opportunities.
Visit www.blackhat.com
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
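To check what Barnyard is actually writing, here is an added example (not from the thread or from the Barnyard/ACID projects) that parses MySQL general-log lines of the form quoted above and reports which tables received INSERTs; the sample log is constructed from the lines in the thread plus one ACID-style SELECT on acid_event, and the expected table set is an assumption for a UDP alert.

```python
import re
from collections import Counter

# Constructed sample of MySQL general-query-log lines, modelled on the ones
# quoted in the thread: connection id, the word "Query", then the statement.
SAMPLE_LOG = """\
10 Query INSERT INTO udphdr (sid, cid, udp_sport, udp_dport) VALUES('1', '9735', '1376', '1434')
10 Query SELECT sig_id FROM signature WHERE sig_name='MS-SQL Worm propagation attempt OUTBOUND' AND sig_rev=0 AND sig_sid=2004
10 Query INSERT INTO event(sid, cid, signature, timestamp) VALUES('1', '9736', '2', '2004-06-23 17:52:55')
10 Query INSERT INTO iphdr(sid, cid, ip_src, ip_dst, ip_proto) VALUES('1', '9736', '2898447641', '1122407842', '17')
11 Query SELECT COUNT(*) FROM acid_event
"""

# Assumed set of snort tables a Barnyard acid_db output writes for a UDP alert.
SNORT_TABLES = {"event", "iphdr", "udphdr", "signature"}

LINE_RE = re.compile(r"^\s*(\d+)\s+Query\s+(.*)$")
# Pulls the first table name out of an INSERT INTO ... or SELECT ... FROM ... statement.
TABLE_RE = re.compile(r"^(INSERT\s+INTO|SELECT\b.*?\bFROM)\s*([A-Za-z_][A-Za-z0-9_]*)",
                      re.IGNORECASE)

def parse_queries(log_text):
    """Yield (connection_id, verb, table) for each INSERT/SELECT line in the log."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        conn_id, stmt = m.groups()
        t = TABLE_RE.match(stmt)
        if not t:
            continue
        verb = "INSERT" if t.group(1).upper().startswith("INSERT") else "SELECT"
        yield int(conn_id), verb, t.group(2).lower()

def insert_counts(log_text):
    """Count INSERT statements per table, i.e. what Barnyard actually wrote."""
    return Counter(table for _, verb, table in parse_queries(log_text) if verb == "INSERT")

def check_barnyard_writes(log_text):
    """Return (snort tables that got INSERTs, acid_* tables that got INSERTs).
    An empty second list is the normal state: ACID fills acid_* itself when
    the console page is loaded, so Barnyard never inserts there."""
    counts = insert_counts(log_text)
    wrote = sorted(SNORT_TABLES & set(counts))
    acid = sorted(t for t in counts if t.startswith("acid_"))
    return wrote, acid

if __name__ == "__main__":
    wrote, acid = check_barnyard_writes(SAMPLE_LOG)
    print("Barnyard INSERTs seen in:", wrote)
    print("acid_* INSERTs seen:", acid or "none (expected)")
```

Run it against a real general log (enable it with the server's general query log option) to confirm that event, iphdr and the protocol header table are being written; if they are, the missing acid_* rows are an ACID-side question, not a Barnyard one.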
Current thread:
- Barnyard not inserting into acid_* Rudi Starcevic (Jun 22)
- Re: Barnyard not inserting into acid_* sekure (Jun 23)
- Re: Barnyard not inserting into acid_* Rudi Starcevic (Jun 23)
- <Possible follow-ups>
- RE: Barnyard not inserting into acid_* VanBrecht, Jason (Jun 24)
- Re: Barnyard not inserting into acid_* sekure (Jun 24)
- Re: Barnyard not inserting into acid_* Rudi Starcevic (Jun 24)
- Re: Barnyard not inserting into acid_* sekure (Jun 23)