Snort mailing list archives
Barnyard not Updating MySQL
From: "Someone.you dont.like" <maps.this.address () gmail com>
Date: Sun, 28 Aug 2005 11:11:18 -0400
Hi,

I am trying to get Barnyard to work in conjunction with Snort to update a MySQL backend database. All three programs are run on the same system (localhost) and I am using the following versions:

Barnyard:
/usr/local/barnyard/bin/barnyard -V
Barnyard Version 0.2.0 (Build 32)

Snort:
/usr/local/snort/bin/snort -V

   ,,_     -*> Snort! <*-
  o"  )~   Version 2.4.0 (Build 18)
   ''''    By Martin Roesch & The Snort Team: http://www.snort.org/team.html
           (C) Copyright 1998-2005 Sourcefire Inc., et al.

MySQL:
/usr/local/mysql/bin/mysql -V
/usr/local/mysql/bin/mysql  Ver 14.7 Distrib 4.1.13a, for pc-linux-gnu (i686) using EditLine wrapper

OS: Slackware 10.1 (kernel 2.6.11.3)

When I configure Snort to update the database directly without Barnyard, it "does" write accordingly in real time as I run a portscan or some other type of attack that would trigger a rule. But when I attempt to configure Barnyard to process the log files into the database, I see no event table being updated (same type of attack, i.e. stealth SYN port scan...).

A few things before I go on:
Snort, Barnyard, map, and classification files are under /etc/snort
Log files are under /var/log/snort

*****************
*  snort.conf   *
*****************

I have the following in my /etc/snort/snort.conf:

output alert_unified: filename snort-unified.alert, limit 128
output log_unified: filename snort-unified.log, limit 128

And the MySQL database line is "commented".

*********************
*  barnyard.conf    *
*********************

In /etc/snort/barnyard.conf I have:

config daemon
#config localtime
config hostname: localhost
config interface: bridge0
config filter: not port 22
output alert_fast
output log_dump
output alert_csv: csv.out timestamp,msg,srcip,sport,dstip,dport,protoname,itype,icode
output log_pcap
output log_acid_db: mysql, sensor_id 1, database snort, server localhost, user snort, password [EDITED], detail full
output alert_acid_db: mysql, sensor_id 1, database snort, server localhost, user snort, password [EDITED], detail full

The passwords are double and triple checked. They work with Snort and the MySQL command line.

*******************
*   Snort exec    *
*******************

Here's how I run Snort:

/usr/local/snort/bin/snort -dev -u snort -q -c /etc/snort/snort.conf -i eth0 -l /var/log/snort -D

**************************
*     Barnyard exec      *
**************************

And Barnyard:

/usr/local/barnyard/bin/barnyard -c /etc/snort/barnyard.conf -s /etc/snort/sid-msg.map -g /etc/snort/gen-msg.map -p /etc/snort/classification.config -d /var/log/snort/ -f snort-unified.log -X /var/run/by.pid -w /etc/snort/waldo.file -v -v -v -v -v -v -D

With the following screen output by Barnyard (verbose mode):

Barnyard Version 0.2.0 (Build 32)
Command line arguments:
  Config file: /etc/snort/barnyard.conf
  Spool dir: /var/log/snort/
  Gen-msg file: /etc/snort/gen-msg.map
  Sid-msg file: /etc/snort/sid-msg.map
  Class file: /etc/snort/classification.config
  Log dir: Not specified
  Archive dir: Not specified
  File base: snort-unified.log
  Waldo file: /etc/snort/waldo.file
  Pid file: /var/run/by.pid
  Verbosity level: 6
  Dry run flag: Not Set
  Batch mode flag: Not Set
  Daemon flag: Set
  New records only flag: Not Set
  Usage flag: Not Set
  Version flag: Not Set
Config file variables:
  Hostname: localhost
  Interface: bridge0
  BPF Filter: not port 22
  Class file: Not specified
  Sid-msg file: Not specified
  Gen-msg file: Not specified
  Daemon flag: Set
  Localtime flag: Not Set
Program Variables:
  Continual processing mode
  Config dir: /etc/snort
  Config file: /etc/snort/barnyard.conf
  Sid-msg file: /etc/snort/sid-msg.map
  Gen-msg file: /etc/snort/gen-msg.map
  Class file: /etc/snort/classification.config
  Hostname: localhost
  Interface: bridge0
  BPF Filter: not port 22
  Log dir: /var/log/snort
  Verbosity: 6
  Localtime: 0
  Spool dir: /var/log/snort/
  Spool file: snort.alert
  Pid file: /var/run/by.pid
  Bookmark file: /etc/snort/waldo.file
  Record Number: 6
  Timet: 1125274341
  Start at end: 0

********************
*   waldo.file     *
********************

The content of waldo.file after startup of Barnyard is:

cat /etc/snort/waldo.file
/var/log/snort/
snort.alert
1125274341
6

**************************
*    /var/log/message    *
**************************

Aug 29 12:19:08 [EDITED] barnyard: Starting data processing using information from bookmark file
Aug 29 12:19:08 [EDITED] barnyard: WARNING: Using spool file from bookmark file
Aug 29 12:19:09 [EDITED] barnyard[21484]: Initializing daemon mode
Aug 29 12:19:09 [EDITED] barnyard[21485]: Opened spool file '/var/log/snort//snort.alert.1125274341'
Aug 29 12:19:09 [EDITED] barnyard[21485]: OpAlertFast configured
Aug 29 12:19:09 [EDITED] barnyard[21485]:     Filename: fast.alert
Aug 29 12:19:09 [EDITED] barnyard[21485]: OpAlertCSV configured
Aug 29 12:19:09 [EDITED] barnyard[21485]:     Filepath: csv.out
Aug 29 12:19:09 [EDITED] barnyard[21485]:     Format: timestamp, msg, srcip, sport, dstip, dport, protoname, itype, icode
Aug 29 12:19:09 [EDITED] barnyard[21485]: Waiting for new data

The log files do get written to, from what I see:

ls -la /var/log/snort/
total 126
drwxr-xr-x  3 snort snort   472 2005-08-29 12:14 ./
drwxr-xr-x 12 root  root   1576 2005-08-28 04:40 ../
drwx------  2 snort snort   112 2005-08-28 20:23 192.168.0.174/
-rw-------  1 snort snort 61144 2005-08-29 12:09 alert
-rw-r--r--  1 snort snort 10548 2005-08-29 12:07 fast.alert
-rw-------  1 snort snort   272 2005-08-29 12:15 snort-unified.alert.1125332058
-rw-------  1 snort snort   488 2005-08-29 12:15 snort-unified.log.1125332058
-rw-------  1 snort snort   400 2005-08-28 21:16 snort.alert.1125274341
-rw-------  1 snort snort  3848 2005-08-28 22:54 snort.log.1125280475
-rw-------  1 snort snort  5824 2005-08-28 23:37 snort.log.1125286059
-rw-------  1 snort snort  5128 2005-08-29 02:15 snort.log.1125292589
-rw-------  1 snort snort   488 2005-08-29 02:17 snort.log.1125296165
-rw-------  1 snort snort 16321 2005-08-29 12:09 snort.log.1125296354

After portscan:

ls -la /var/log/snort/
total 126
drwxr-xr-x  3 snort snort   472 2005-08-29 12:14 ./
drwxr-xr-x 12 root  root   1576 2005-08-28 04:40 ../
drwx------  2 snort snort   112 2005-08-28 20:23 192.168.0.174/
-rw-------  1 snort snort 61144 2005-08-29 12:09 alert
-rw-r--r--  1 snort snort 10548 2005-08-29 12:07 fast.alert
-rw-------  1 snort snort   528 2005-08-29 12:18 snort-unified.alert.1125332058
-rw-------  1 snort snort   952 2005-08-29 12:18 snort-unified.log.1125332058
-rw-------  1 snort snort   400 2005-08-28 21:16 snort.alert.1125274341
-rw-------  1 snort snort  3848 2005-08-28 22:54 snort.log.1125280475
-rw-------  1 snort snort  5824 2005-08-28 23:37 snort.log.1125286059
-rw-------  1 snort snort  5128 2005-08-29 02:15 snort.log.1125292589
-rw-------  1 snort snort   488 2005-08-29 02:17 snort.log.1125296165
-rw-------  1 snort snort 16321 2005-08-29 12:09 snort.log.1125296354

The weird thing is the waldo.file shows snort.alert.1125274341. I do not know whether that has something to do with it; please correct me if I'm wrong.

This is how I check the event table:

[Before portscan]:

mysql> select count(*) from event;
+----------+
| count(*) |
+----------+
|       60 |
+----------+
1 row in set (0.00 sec)

[A few minutes later, after the portscan]:

mysql> select count(*) from event;
+----------+
| count(*) |
+----------+
|       60 |
+----------+
1 row in set (0.00 sec)

In the case of Snort only updating the database, I can actually see the event table growing in real time.

Anyway, I've tried to run Snort and Barnyard with only log or only alert file updates; still Barnyard doesn't update the database.

The sensor id is 1:

mysql> select * from sensor;
+-----+---------------+-----------+--------+--------+----------+----------+
| sid | hostname      | interface | filter | detail | encoding | last_cid |
+-----+---------------+-----------+--------+--------+----------+----------+
|   1 | 192.168.2.134 | eth0      | NULL   |      1 |        0 |       56 |
+-----+---------------+-----------+--------+--------+----------+----------+
1 row in set (0.04 sec)

I have also tried sensor_id 0 and 2 in my barnyard.conf, no luck!

Ok, one last thing: the log files are indeed in unified format, because when I run Barnyard in batch mode, it processes them accordingly and I get:

/usr/local/barnyard/bin/barnyard -o -c /etc/snort/barnyard.conf -s /etc/snort/sid-msg.map -g /etc/snort/gen-msg.map -p /etc/snort/classification.config /var/log/snort/snort-unified.alert.1125332058
Barnyard Version 0.2.0 (Build 32)
Exiting
[user]@[somehost]:~/blah# ls
csv.out  fast.alert

I hope I pretty much covered everything that I could. Any ideas? Any help would be much appreciated.

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
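An added check for readers of this thread, not code from the post or from the Barnyard or Snort projects. The post's own output shows Barnyard taking its spool base from the waldo file ("WARNING: Using spool file from bookmark file", "Spool file: snort.alert") even though -f names snort-unified.log, while snort.conf only writes snort-unified.alert/.log. The script below cross-checks the three pieces of state a practitioner would compare in that situation: the waldo bookmark, the active unified output lines of snort.conf, and the file names actually present in the spool directory. It assumes the waldo file is laid out as the post's `cat waldo.file` printed it (spool dir, file base, timestamp, record number, whitespace-separated); the sample inputs are constructed, modelled on the post.

```python
"""Cross-check a Barnyard waldo (bookmark) file against the unified outputs
active in snort.conf and the files present in the spool directory.

Added example for this thread, not code from the post or from Barnyard or
Snort. Assumption: the waldo file holds four whitespace-separated fields
(spool dir, file base, file timestamp, record number), as printed in the post.
"""
import re
from typing import Dict, List, NamedTuple, Optional

# Constructed sample inputs, modelled on the post (not copied from a live box).
SAMPLE_WALDO = "/var/log/snort/\nsnort.alert\n1125274341\n6\n"

SAMPLE_SNORT_CONF = """\
output alert_unified: filename snort-unified.alert, limit 128
output log_unified: filename snort-unified.log, limit 128
# output database: log, mysql, user=snort dbname=snort host=localhost
"""

SAMPLE_SPOOL_LISTING = [
    "alert", "fast.alert", "csv.out",
    "snort-unified.alert.1125332058", "snort-unified.log.1125332058",
    "snort.alert.1125274341", "snort.log.1125280475", "snort.log.1125296354",
]


class Waldo(NamedTuple):
    spool_dir: str
    filebase: str
    timestamp: int
    record: int


class Finding(NamedTuple):
    ok: bool                 # bookmark base is one Snort currently writes
    behind: bool             # newer rotations of the bookmarked base exist
    bookmark_base: str
    configured: Dict[str, str]
    newest_bookmark_file: Optional[int]
    newest_configured_file: Optional[int]
    message: str


def parse_waldo(text: str) -> Waldo:
    """Parse the four-field text layout shown in the post (assumed format)."""
    fields = text.split()
    if len(fields) != 4:
        raise ValueError("expected 4 waldo fields, got %d" % len(fields))
    return Waldo(fields[0], fields[1], int(fields[2]), int(fields[3]))


# Only uncommented 'output alert_unified:' / 'output log_unified:' lines count,
# so a '#'-disabled line is ignored the way Snort itself ignores it.
_UNIFIED_RE = re.compile(
    r"^\s*output\s+(alert_unified|log_unified)\s*:\s*filename\s+([^\s,]+)",
    re.MULTILINE)


def unified_outputs(conf_text: str) -> Dict[str, str]:
    """Map each active unified plugin to the file base it writes."""
    return {m.group(1): m.group(2) for m in _UNIFIED_RE.finditer(conf_text)}


def spool_files(filebase: str, listing: List[str]) -> List[int]:
    """Timestamps of spool files named <filebase>.<unixtime>, oldest first."""
    pat = re.compile(r"^%s\.(\d+)$" % re.escape(filebase))
    return sorted(int(m.group(1)) for m in map(pat.match, listing) if m)


def check_bookmark(waldo_text: str, conf_text: str, listing: List[str],
                   cli_filebase: Optional[str] = None) -> Finding:
    """Report whether the bookmark will make Barnyard tail a file Snort is
    no longer writing. cli_filebase is the value passed with -f, if any."""
    waldo = parse_waldo(waldo_text)
    configured = unified_outputs(conf_text)
    bm_stamps = spool_files(waldo.filebase, listing)
    cfg_stamps = [t for base in configured.values()
                  for t in spool_files(base, listing)]
    newest_bm = bm_stamps[-1] if bm_stamps else None
    newest_cfg = max(cfg_stamps) if cfg_stamps else None
    behind = newest_bm is not None and waldo.timestamp < newest_bm

    notes = []
    ok = waldo.filebase in configured.values()
    if not ok:
        notes.append("bookmark base '%s' is not written by snort.conf (active "
                     "unified outputs: %s)"
                     % (waldo.filebase, ", ".join(sorted(configured.values()))))
    if cli_filebase and cli_filebase != waldo.filebase:
        notes.append("-f %s is overridden by the bookmark (Barnyard logs "
                     "'Using spool file from bookmark file')" % cli_filebase)
    if behind:
        notes.append("bookmark timestamp %d is older than newest %s.%d"
                     % (waldo.timestamp, waldo.filebase, newest_bm))
    if not notes:
        notes.append("bookmark %s.%d matches an active unified output"
                     % (waldo.filebase, waldo.timestamp))
    return Finding(ok, behind, waldo.filebase, configured,
                   newest_bm, newest_cfg, "; ".join(notes))


if __name__ == "__main__":
    result = check_bookmark(SAMPLE_WALDO, SAMPLE_SNORT_CONF,
                            SAMPLE_SPOOL_LISTING, cli_filebase="snort-unified.log")
    print("OK" if result.ok else "MISMATCH", "-", result.message)
```

On the constructed sample the check reports a mismatch: the bookmark base snort.alert is not among the unified outputs snort.conf writes, and the -f value is being overridden by the bookmark, which is exactly the state the post's "Spool file: snort.alert" variable and "Opened spool file .../snort.alert.1125274341" log line describe. Run against a real box, feed it the contents of the waldo file, snort.conf and `os.listdir()` of the spool directory.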
Current thread:
- Barnyard not Updating MySQL Someone.you dont.like (Aug 28)
- Re: Barnyard not Updating MySQL Someone.you dont.like (Aug 28)