Re: Barnyard2 configure/compile problems and startup error: "Snort not compiled to use mysql" message followup - 1st time barnyard user

[beenph <beenph () gmail com>]

On Thu, May 2, 2013 at 12:41 PM, Lars <technicalfriend () yahoo com> wrote:
> Hello,
>
>
>
> A quick update, moving down to what we hope may be the last issue with our
> install of the Snort 2.9.4.5 with Unified2 use to Barnyard piece.  Here is
> where we are now:
>
>
>
> We rebuilt Barnyard2 and use the instructions from someone at UMUC to
> configure Barnyard2, the config files, and Snort.conf compiling Barnyard2 to
> run with MYSql support as you specified.  So far so good on that.
>
> http://polaris.umuc.edu/~sgantz/Barnyard.html
>
>
>
> Now our Barnyard install runs and appears to begin processing, but we get a
> repeating “Can’t extract timestamp” error line that just keeps repeating. We
> have not been able to find a solution to that yet.
>
>
>
> More importantly however we have found out that our Snort build in IDS mode
> does not send anything out to our “merged.log” file.  It will even create a
> new merged.log file in /var/log/snort if we delete one but all the files
> ever do is stay at 0B size.
>
>
> It’s odd as if we use –v switch when starting Snort we can see traffic on
> the screen, and lots whenever we intense scan (or other types of scans)
> against this target system with Zenmap.  We have been able to run test mode
> just fine, with a “success” statement after that.  We have gone back over
> your “Snort-setup” guide, and online details about how to setup snort.conf
> many times by now and while we have corrected a few misnomers here and there
> in our .conf files or their location etc. nonetheless unified2 is not
> collecting / sending output to merged.log or anywhere as far as we can tell.
> Solutions?
>
>
>
> Thanks!
>
>
>
> KJ / team

In your snort.conf at the line where you have output unified2: xxxxxxxxxx
and remove the nostamp option from the command line and delete your merged.log
file and barnyard2 waldo file if it was created.

Also make sure that you are using output unified2 for barnyard2 and
not output log_unified2 or output alert_unified2.


Barnyard2 in continuous mode will only process files that are named
PREFIX.timestamp where timestamp is the number of second since epoch,
so this is why you are getting the "Can’t extract timestamp" message.

As for snort not logging anything if you are running in virtual
machine you might want to add -k none to snort command line, this
disable checksuming on packets
which can sometimes cause issue under certain environement.


Hope this helps.

-elz

------------------------------------------------------------------------------
Introducing AppDynamics Lite, a free troubleshooting tool for Java/.NET
Get 100% visibility into your production application - at no cost.
Code-level diagnostics for performance bottlenecks with <2% overhead
Download for free and get started troubleshooting in minutes.
http://p.sf.net/sfu/appdyn_d2d_ap1
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!