Snort mailing list archives
Re: Problem with barnyard 0.2.0 and snort 2.4.0
From: Paul Schmehl <pauls () utdallas edu>
Date: Sat, 20 Aug 2005 13:38:16 -0500
--On August 20, 2005 12:10:13 PM -0500 eric-list-snort-users () catastrophe net wrote:
Restart barnyard, but add -v to make it more verbose. If that doesn't tell you anything, then add a second or third v.

On Sat, 2005-08-20 at 11:55:45 -0500, Paul Schmehl proclaimed...

Delete your waldo file (/var/log/snort/log/snort_ids.log) and allow barnyard to recreate it. It's apparently corrupted.

Deleted, but it didn't fix anything.

If you delete the waldo file, barnyard *should* reread all the log files (giving you duplicates in your db.) If it still isn't reading the logfiles, then remove the waldo switch. If it *still* won't load the files, there's something wrong with the files. Either they're not in unified format or they're screwed up in a way that makes it impossible for barnyard to parse them.

The waldo file should look something like this:

    # less /usr/local/etc/waldo.file
    /var/log/snort/
    snort.log
    1124382173
    3138

Check to see if the snort log files are binary. If they aren't, then snort isn't logging in unified format.

I also strongly recommend that you do not use localtime with barnyard. It causes problems during the change from daylight savings to "normal" time.

Done, but that didn't fix anything either.
This wasn't intended to fix anything regarding your present problem.

Paul Schmehl (pauls () utdallas edu)
Adjunct Information Security Officer
University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/
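
The two checks described in the message above (is the waldo file well-formed, and is the spool file it points at binary), as an added example that is not part of the original post and is not barnyard's own code. It assumes the four-line waldo layout shown in the message, a spool file named `<base>.<timestamp>`, and the Snort unified header magic values 0xDEAD4137 (alert) and 0xDEAD1080 (log); the field names and function names are this example's own.

```python
import os
import struct
import tempfile

# Assumed Snort unified (v1) header magics; the message does not state them.
UNIFIED_MAGICS = {0xDEAD4137: "unified alert", 0xDEAD1080: "unified log"}

def parse_waldo(text):
    """Parse the four-line layout shown in the message (field names are ours)."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if len(lines) != 4:
        raise ValueError("expected 4 non-empty lines, got %d" % len(lines))
    spool_dir, base, stamp, record = lines
    if not (stamp.isdigit() and record.isdigit()):
        raise ValueError("timestamp and record fields must be decimal")
    return {"dir": spool_dir, "base": base,
            "timestamp": int(stamp), "record": int(record)}

def classify_spool(path):
    """Return 'unified alert', 'unified log', 'empty', 'text' or 'unknown binary'."""
    with open(path, "rb") as fh:
        head = fh.read(512)
    if not head:
        return "empty"
    if len(head) >= 4:
        for fmt in ("<I", ">I"):  # magic is stored in the sensor's byte order
            kind = UNIFIED_MAGICS.get(struct.unpack(fmt, head[:4])[0])
            if kind:
                return kind
    printable = all(b in (9, 10, 13) or 32 <= b < 127 for b in head)
    return "text" if printable else "unknown binary"

def check(waldo_text, spool_root=None):
    """Locate the spool file the waldo points at (assumed <base>.<timestamp>)."""
    w = parse_waldo(waldo_text)
    path = os.path.join(spool_root or w["dir"], "%s.%d" % (w["base"], w["timestamp"]))
    return path, classify_spool(path) if os.path.exists(path) else "missing"

def demo():
    # Constructed input: waldo values from the message, spool contents made up.
    waldo = "/var/log/snort/\nsnort.log\n1124382173\n3138\n"
    with tempfile.TemporaryDirectory() as d:
        name = os.path.join(d, "snort.log.1124382173")
        with open(name, "wb") as fh:
            fh.write(struct.pack("<I", 0xDEAD1080) + b"\x00" * 12)
        as_binary = check(waldo, d)[1]
        with open(name, "w") as fh:
            fh.write("[**] [1:0:0] constructed text alert [**]\n")
        return as_binary, check(waldo, d)[1]
```

A result of "text" from `check()` corresponds to the case in the message where snort is not logging in unified format; "missing" or a `ValueError` points at the waldo file itself.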