Snort mailing list archives
Re: AANVAL or MYSQL question
From: "Gierczak, Stan" <SGierczak () presencehealth org>
Date: Thu, 17 Apr 2014 16:39:41 +0000
Sorry, this is where you are losing me, I think. What I believe the answer is that barnyard2 is being run as a service. The executable that was created is from the install guide at http://wiki.aanval.com/wiki/Community:Snort_2.9.2.3_Installation_Guide_for_Ubuntu_12.04,_with_Barnyard2,_Pulledpork,_and_Aanval Step 12 under the barnyard section. Do not have a Waldo file. Below is a snippet of the syslog.

Apr 17 09:16:15 rlicsnortids1 barnyard2[1459]: Barnyard2 initialization completed successfully (pid=1459)
Apr 17 09:16:15 rlicsnortids1 barnyard2[1459]: WARNING: Unable to open waldo file '/var/log/snort/eth0/barnyard2.waldo' (No such file or directory)
Apr 17 09:16:15 rlicsnortids1 barnyard2[1459]: Opened spool file '/var/log/snort/eth0/snort.log.1397741834'
Apr 17 09:16:15 rlicsnortids1 barnyard2[1459]: Closing spool file '/var/log/snort/eth0/snort.log.1397741834'. Read 0 records
Apr 17 09:16:15 rlicsnortids1 barnyard2[1459]: Opened spool file '/var/log/snort/eth0/snort.log.1397744166'
Apr 17 09:16:15 rlicsnortids1 barnyard2[1459]: Waiting for new data

This is a listing of the dir:

root@rlicsnortids1:/var/log/snort/eth0# ls -al
total 109308
drwxr-xr-x 3 snort snort      4096 Apr 17 09:16 .
drwxr-xr-x 4 snort snort      4096 Apr 16 08:01 ..
-rw-r--r-- 1 root  root  110186861 Apr 17 11:34 alert
drwxr-xr-x 2 snort snort      4096 Apr 17 09:16 archive
-rw------- 1 snort snort   1720205 Apr 17 11:34 snort.log.1397744166
root@rlicsnortids1:/var/log/snort/eth0#

From: Y M [mailto:snort () outlook com]
Sent: Thursday, April 17, 2014 11:22 AM
To: Gierczak, Stan
Cc: snort-users
Subject: RE: [Snort-users] AANVAL or MYSQL question

This looks good. What is your barnyard2 command and is it being directed to the unified2 directory? Does that directory contain the waldo file?
YM

________________________________
From: SGierczak () presencehealth org
To: snort () outlook com
CC: snort-users () lists sourceforge net
Subject: RE: [Snort-users] AANVAL or MYSQL question
Date: Thu, 17 Apr 2014 16:13:12 +0000

Sorry missed that one.

output database: log, mysql, user=snort_user password=snortuser dbname=snortdb host=localhost

From: Y M [mailto:snort () outlook com]
Sent: Thursday, April 17, 2014 11:04 AM
To: Gierczak, Stan
Cc: snort-users
Subject: RE: [Snort-users] AANVAL or MYSQL question

Ok. Can you reply to my second question?
What is the db connection string in your barnyard2.conf? (remove private data).
YM

________________________________
From: SGierczak () presencehealth org
To: snort () outlook com
CC: snort-users () lists sourceforge net
Subject: RE: [Snort-users] AANVAL or MYSQL question
Date: Thu, 17 Apr 2014 12:35:45 +0000

Yes. And it seems empty.

mysql> \u snortdb
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
mysql> show tables;
+-------------------+
| Tables_in_snortdb |
+-------------------+
| data              |
| detail            |
| encoding          |
| event             |
| icmphdr           |
| iphdr             |
| opt               |
| reference         |
| reference_system  |
| schema            |
| sensor            |
| sig_class         |
| sig_reference     |
| signature         |
| tcphdr            |
| udphdr            |
+-------------------+
16 rows in set (0.00 sec)

mysql> select * from data limit 5;
Empty set (0.00 sec)

mysql> select * from event limit 5;
Empty set (0.00 sec)

mysql> select * from detail limit 5;
+-------------+-------------+
| detail_type | detail_text |
+-------------+-------------+
|           0 | fast        |
|           1 | full        |
+-------------+-------------+
2 rows in set (0.00 sec)

From: Y M [mailto:snort () outlook com]
Sent: Thursday, April 17, 2014 7:33 AM
To: Gierczak, Stan
Cc: snort-users
Subject: RE: [Snort-users] AANVAL or MYSQL question
From your database setup, Aanval has its own database. This means that Aanval app uses this particular database to do its job. However, your Aanval is pointing to another database completely. This is important because from the tables command you showed, Aanval database does not contain a table called "event", so Aanval does not know what or where to query the event data.
Did you run this against snortdb: select * from event limit 5; What did it return?

What is the db connection string in your barnyard2.conf? (remove private data).

YM

________________________________
From: SGierczak () presencehealth org
To: snort () outlook com
CC: snort-users () lists sourceforge net
Subject: RE: [Snort-users] AANVAL or MYSQL question
Date: Thu, 17 Apr 2014 11:45:45 +0000
From my understanding, Barnyard is supposed to take the information that Snort collects and populate the snortdb (which I see nothing in the snortdb) and then aanval should present from that?? I think the issue is that barnyard is not populating?
From: Y M [mailto:snort () outlook com]
Sent: Wednesday, April 16, 2014 2:57 PM
To: Gierczak, Stan
Cc: snort-users
Subject: RE: [Snort-users] AANVAL or MYSQL question

Shouldn't the Database Name point to Aanval's own database (aanvaldb)? From your previous post there seem to be lots of tables that Aanval depends on.

YM

________________________________
From: SGierczak () presencehealth org
To: wkitty42 () windstream net; snort-users () lists sourceforge net
Date: Wed, 16 Apr 2014 19:34:51 +0000
Subject: Re: [Snort-users] AANVAL or MYSQL question

That was from aanval configuration/snort module settings.

[cid:image001.png@01CF5A30.B83980A0]

-----Original Message-----
From: waldo kitty [mailto:wkitty42 () windstream net]
Sent: Wednesday, April 16, 2014 2:25 PM
To: snort-users () lists sourceforge net
Subject: Re: [Snort-users] AANVAL or MYSQL question

On 4/16/2014 2:18 PM, Gierczak, Stan wrote:
So, do I need to be concerned with: Description: cid:image001.png@01CF595C.E309FE60

Also how can I see if the db is getting data into it?
where are you seeing that? what application are you looking at?

some thoughts:
do you have spaces in the database name?
do you have mixed-case characters in the database name?
what OS is the database running on? some are sensitive to mixed-case filenames...

--
NOTE: No off-list assistance is given without prior approval.
Please keep mailing list traffic on the list unless private contact is specifically requested and granted.

------------------------------------------------------------------------------
Learn Graph Databases - Download FREE O'Reilly Book
"Graph Databases" is the definitive new guide to graph databases and their applications. Written by three acclaimed leaders in the field, this first edition is now available. Download your free book today!
http://p.sf.net/sfu/NeoTech
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
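Added example (not from this thread, nor from the Snort, barnyard2 or Aanval projects): the two checks the thread is circling around, put in one small script. The first parses barnyard2 syslog lines for the conditions quoted above, a waldo file that cannot be opened and spool files closed with "Read 0 records". The second answers "how can I see if the db is getting data into it?" by asking the snortdb event table for the newest event per sensor. The syslog sample is constructed in the shape of the excerpt above; the database is an in-memory sqlite3 stand-in for MySQL whose table and column names follow the Snort schema barnyard2 writes to (sensor.sid/hostname/interface, event.sid/cid/signature/timestamp), and whose rows, the hostname sensor-b included, are constructed.

```python
"""Health checks for a Snort -> barnyard2 -> snortdb pipeline (added example).

Check 1 parses barnyard2 syslog output for the two conditions the thread shows:
a missing waldo file and spool files that are closed with 0 records read.
Check 2 asks the snortdb "event" table how fresh the newest event per sensor
is; sqlite3 stands in for MySQL so the script runs offline.
"""
import re
import sqlite3
from datetime import datetime, timedelta

# Constructed sample, modelled on the syslog excerpt quoted in the thread.
SAMPLE_SYSLOG = """\
Apr 17 09:16:15 rlicsnortids1 barnyard2[1459]: Barnyard2 initialization completed successfully (pid=1459)
Apr 17 09:16:15 rlicsnortids1 barnyard2[1459]: WARNING: Unable to open waldo file '/var/log/snort/eth0/barnyard2.waldo' (No such file or directory)
Apr 17 09:16:15 rlicsnortids1 barnyard2[1459]: Opened spool file '/var/log/snort/eth0/snort.log.1397741834'
Apr 17 09:16:15 rlicsnortids1 barnyard2[1459]: Closing spool file '/var/log/snort/eth0/snort.log.1397741834'. Read 0 records
Apr 17 09:16:15 rlicsnortids1 barnyard2[1459]: Opened spool file '/var/log/snort/eth0/snort.log.1397744166'
Apr 17 09:16:15 rlicsnortids1 barnyard2[1459]: Waiting for new data
"""

WALDO_RE = re.compile(r"Unable to open waldo file '([^']+)'")
OPEN_RE = re.compile(r"Opened spool file '([^']+)'")
CLOSE_RE = re.compile(r"Closing spool file '([^']+)'\. Read (\d+) records")


def triage_barnyard2_log(text):
    """Summarise barnyard2 syslog lines: waldo problems and per-spool record counts."""
    findings = {"waldo_missing": None, "open_spool": None, "records_read": {}}
    for line in text.splitlines():
        m = WALDO_RE.search(line)
        if m:
            findings["waldo_missing"] = m.group(1)
            continue
        m = CLOSE_RE.search(line)
        if m:
            findings["records_read"][m.group(1)] = int(m.group(2))
            continue
        m = OPEN_RE.search(line)
        if m:
            findings["open_spool"] = m.group(1)
    # Spool files barnyard2 finished without reading a single unified2 record.
    findings["empty_spools"] = sorted(
        path for path, n in findings["records_read"].items() if n == 0)
    return findings


def build_sample_snortdb():
    """In-memory stand-in for snortdb with the columns the freshness query needs.

    Table and column names follow the Snort database schema that barnyard2
    writes to; the rows (including the hostname sensor-b) are constructed.
    The same SELECT below can be pointed at the real MySQL snortdb.
    """
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE sensor (sid INTEGER PRIMARY KEY, hostname TEXT, interface TEXT);
        CREATE TABLE event  (sid INTEGER, cid INTEGER, signature INTEGER,
                             timestamp TEXT, PRIMARY KEY (sid, cid));
        INSERT INTO sensor VALUES (1, 'rlicsnortids1', 'eth0');
        INSERT INTO sensor VALUES (2, 'sensor-b', 'eth1');
        INSERT INTO event  VALUES (1, 1, 17, '2014-04-17 09:20:01');
        INSERT INTO event  VALUES (1, 2, 17, '2014-04-17 11:30:45');
    """)
    return db


def event_freshness(db, now, max_age_hours=1):
    """Newest event per sensor; a sensor with no event inside max_age is 'stale'.

    `now` is a 'YYYY-MM-DD HH:MM:SS' string so the check is reproducible.
    """
    now_dt = datetime.strptime(now, "%Y-%m-%d %H:%M:%S")
    rows = db.execute("""
        SELECT s.sid, s.hostname, COUNT(e.cid), MAX(e.timestamp)
        FROM sensor s LEFT JOIN event e ON e.sid = s.sid
        GROUP BY s.sid, s.hostname
        ORDER BY s.sid
    """).fetchall()
    report = {}
    for sid, host, count, newest in rows:
        if newest is None:
            status = "no events"
        else:
            age = now_dt - datetime.strptime(newest, "%Y-%m-%d %H:%M:%S")
            status = "ok" if age <= timedelta(hours=max_age_hours) else "stale"
        report[host] = {"sid": sid, "events": count, "newest": newest, "status": status}
    return report


if __name__ == "__main__":
    log = triage_barnyard2_log(SAMPLE_SYSLOG)
    if log["waldo_missing"]:
        print("waldo file missing:", log["waldo_missing"], "(no restart bookmark)")
    for path in log["empty_spools"]:
        print("spool closed with 0 records:", path)
    print("currently reading:", log["open_spool"])
    for host, r in event_freshness(build_sample_snortdb(), "2014-04-17 11:34:00").items():
        print(f"{host}: {r['events']} events, newest {r['newest']}, {r['status']}")
```

A sensor that keeps showing "no events" while the syslog shows barnyard2 sitting in "Waiting for new data" on a non-empty spool file narrows the problem to the unified2 reader side (spool directory, waldo file, file permissions), whereas records being read but the table staying empty points at the database output plugin or its connection string.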