Re: Barnyard2 - Phantom cid/sid?

[beenph <beenph () gmail com>]

Hi Eoin, you might want to move forward to current master 2-1.11 buld 318


http://www.github.com/firnsy/barnyard2

CID value comes from the sensor table.

-elz




On Thu, Jan 24, 2013 at 11:22 AM, Eoin Miller
<eoin.miller () trojanedbinaries com> wrote:
> Anyone want to take a stab at where barnyard2 (2.1.9) manages to get sid
> and cid values for a database that has been reset completely?
>
> mysql> use snortdb;
> Database changed
> mysql> select * from sensor;
> Empty set (0.00 sec)
>
>
> Deleted the PID, waldo files, and even restarted Suricata so the
> unified2 file is shiny and new as well. However, Barnyard2 just silently
> failed logging to the snortdb (running Sguil output as well, but that
> continued to work perfectly).
>
> Start it up, it still thinks it has sensor id 2 and cid 3071365 even
> though there is blank database. Where the heck is this stuff cached?
>
> ---SNIP---
>
> Found pid path directive (/nids/barnyard2/pid)
> Running in Continuous mode
>
>         --== Initializing Barnyard2 ==--
> Initializing Input Plugins!
> Initializing Output Plugins!
> Parsing config file "/nids/barnyard2/etc/barnyard2-eth1eth6-0.conf"
> Found pid path directive (/nids/barnyard2/pid)
> Log directory = /nids/barnyard2/log
> Checking PID path...
> PID path stat checked out ok, PID path set to /nids/barnyard2/pid
> Writing PID "9618" to file "/nids/barnyard2/pid/barnyard2_eth1eth6-0.pid"
> Node unique name is: nids-egress-mtc01:eth1eth6-0
>
> database: inconsistent cid information for sid=2
>           Recovering by rolling forward the cid=3071364
> database: compiled support for (mysql)
> database: configured to use mysql
> database: schema version = 107
> database:           host = 127.0.0.1
> database:           user = snort
> database:  database name = snortdb
> database:    sensor name = nids-egress-mtc01:eth1eth6-0
> database:      sensor id = 2
> database:     sensor cid = 3071365
> database:  data encoding = hex
> database:   detail level = full
> database:     ignore_bpf = no
> database: using the "log" facility
>
>         --== Initialization Complete ==--
>
>   ______   -*> Barnyard2 <*-
>  / ,,_  \  Version 2.1.9 (Build 263)
>  |o"  )~|  By the SecurixLive.com Team: http://www.securixlive.com/about.php
>  + '''' +  (C) Copyright 2008-2010 SecurixLive.
>
>            Snort by Martin Roesch & The Snort Team:
> http://www.snort.org/team.html
>            (C) Copyright 1998-2007 Sourcefire Inc., et al.
>
> WARNING: Unable to open waldo file '/nids/barnyard2/log/bond0-0.waldo'
> (No such file or directory)
> Waiting for new spool file
> ---SNIP---
>
> ------------------------------------------------------------------------------
> Master Visual Studio, SharePoint, SQL, ASP.NET, C# 2012, HTML5, CSS,
> MVC, Windows 8 Apps, JavaScript and much more. Keep your skills current
> with LearnDevNow - 3,200 step-by-step video tutorials by Microsoft
> MVPs and experts. ON SALE this month only -- learn more at:
> http://p.sf.net/sfu/learnnow-d2d
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>
> Please visit http://blog.snort.org to stay current on all the latest Snort news!

------------------------------------------------------------------------------
Master Visual Studio, SharePoint, SQL, ASP.NET, C# 2012, HTML5, CSS,
MVC, Windows 8 Apps, JavaScript and much more. Keep your skills current
with LearnDevNow - 3,200 step-by-step video tutorials by Microsoft
MVPs and experts. ON SALE this month only -- learn more at:
http://p.sf.net/sfu/learnnow-d2d
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!