Re: Having problem with Barnyard

[Nick Moore <nmoore () sourcefire com>]

JJ,

1. OK, done. barnyard2 -w /dev/null. Hope this is what you meant. by2 starts
with a message saying "WARNING: Ignoring truncated/corrupt waldofile
'/dev/null'.
2. Looks pretty good:

mysql> show grants for 'snort'@'localhost';
+-------------------------------------------------------------------------------------+
| Grants for snort@localhost
         |
+-------------------------------------------------------------------------------------+
| GRANT USAGE ON *.* TO 'snort'@'localhost' IDENTIFIED BY PASSWORD
'5d2e19393cc5ef67' |
| GRANT SELECT, INSERT, UPDATE, DELETE, CREATE ON `snort`.* TO
'snort'@'localhost'
   |
+-------------------------------------------------------------------------------------+
2 rows in set (0.00 sec)

mysql>

3. Before:

[root@FedoraSnort snort]# ls -la /var/log/snort
total 104
drwxr-xr-x.  2 snort snort  4096 2010-06-23 11:34 .
drwxr-xr-x. 15 root  root   4096 2010-06-23 12:00 ..
-rw-------.  1 snort snort     0 2010-06-23 10:38 alert
-rw-------.  1 root  root      0 2010-06-23 11:06 merged.log
-rw-------.  1 root  root  96287 2010-06-23 14:12 snort.log
[root@FedoraSnort snort]#

After:

[root@FedoraSnort snort]# ls -la /var/log/snort
total 280
drwxr-xr-x.  2 snort snort   4096 2010-06-23 11:34 .
drwxr-xr-x. 15 root  root    4096 2010-06-23 12:00 ..
-rw-------.  1 snort snort      0 2010-06-23 10:38 alert
-rw-------.  1 root  root       0 2010-06-23 11:06 merged.log
-rw-------.  1 root  root  277755 2010-06-23 20:03 snort.log
[root@FedoraSnort snort]#

4. by2 says it is waiting for new spool files. Makes me think I'm doing
something wrong in my barnyard config.

Thanks,

Nick


On Wed, Jun 23, 2010 at 7:00 PM, JJC <cummingsj () gmail com> wrote:

> At quick glance it looks correct.. a few things:
>
>    1. /dev/null your waldo file
>    2. have you verified mysql permissions for the user specified in by2
>    3. are you seeing your snort.log files increment as alerts are
>    generated
>    4. when you run by2 (not daemonized) does it say anything about reading
>    spool files etc etc?
>
>
> On Wed, Jun 23, 2010 at 5:57 PM, Nick Moore <nmoore () sourcefire com> wrote:
>
> > JJ,
> >
> > snort -i eth1 -c /etc/snort/snort.conf (pretty boring really)
> >
> > barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort -f snort.log -w
> > /etc/snort/barnyard2.waldo
> >
> > Nick
> >
> >
> > On Wed, Jun 23, 2010 at 6:50 PM, JJC <cummingsj () gmail com> wrote:
> >
> > > What are your runtime options to start each snort and by2?
> > >
> > > On Wed, Jun 23, 2010 at 4:32 PM, Nick Moore <nmoore () sourcefire com>wrote:
> > >
> > > > All,
> > > >
> > > > I'm having a problem with Barnyard putting data into MySQL. Snort is
> > > > seeing events and the log file is increasing, but no events have yet been
> > > > written to the database.
> > > >
> > > > I've attached my snort.conf and barnyard2.conf. Based on the Snort
> > > > screen output below, I'm sure events are triggering:
> > > >
> > > >
> > > > ===============================================================================
> > > > Action Stats:
> > > > ALERTS: 246
> > > > LOGGED: 246
> > > > PASSED: 0
> > > > =====================
> > > >
> > > > I'm sure I'm overlooking something simple. If anyone can point me in the
> > > > right direction, it would be much appreciated.
> > > >
> > > > Thanks!
> > > >
> > > > --
> > > > Nick Moore, SFCE, CISSP, CISA
> > > > Sr. Systems Engineer
> > > > Voice 708-336-9041
> > > > Email nick.moore () sourcefire com
> > > > IM    nickgmoore (Yahoo)
> > > >       nickgmoore38 (AIM)
> > > >
> > > >    ,,_
> > > >   o"  )~   Sourcefire - The Creators of Snort
> > > >    ''''
> > > >
> > > > www.sourcefire.com         www.snort.org
> > > >
> > > >
> > > >
> > > > ------------------------------------------------------------------------------
> > > > ThinkGeek and WIRED's GeekDad team up for the Ultimate
> > > > GeekDad Father's Day Giveaway. ONE MASSIVE PRIZE to the
> > > > lucky parental unit.  See the prize list and enter to win:
> > > > http://p.sf.net/sfu/thinkgeek-promo
> > > > _______________________________________________
> > > > Snort-users mailing list
> > > > Snort-users () lists sourceforge net
> > > > Go to this URL to change user options or unsubscribe:
> > > > https://lists.sourceforge.net/lists/listinfo/snort-users
> > > > Snort-users list archive:
> > > > http://www.geocrawler.com/redir-sf.php3?list=snort-users
> >
> >
> > --
> > Nick Moore, SFCE, CISSP, CISA
> > Sr. Systems Engineer
> > Voice 708-336-9041
> > Email nick.moore () sourcefire com
> > IM    nickgmoore (Yahoo)
> >       nickgmoore38 (AIM)
> >
> >    ,,_
> >   o"  )~   Sourcefire - The Creators of Snort
> >    ''''
> >
> > www.sourcefire.com         www.snort.org


-- 
Nick Moore, SFCE, CISSP, CISA
Sr. Systems Engineer
Voice 708-336-9041
Email nick.moore () sourcefire com
IM    nickgmoore (Yahoo)
      nickgmoore38 (AIM)

   ,,_
  o"  )~   Sourcefire - The Creators of Snort
   ''''

www.sourcefire.com         www.snort.org

------------------------------------------------------------------------------
ThinkGeek and WIRED's GeekDad team up for the Ultimate 
GeekDad Father's Day Giveaway. ONE MASSIVE PRIZE to the 
lucky parental unit.  See the prize list and enter to win: 
http://p.sf.net/sfu/thinkgeek-promo

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users