Re: AANVAL or MYSQL question

[Y M <snort () outlook com>]

> Apr 21 12:44:09 rlicsnortids1 barnyard2[2015]: WARNING: Ignoring corrupt/truncated waldofile 
> '/var/log/snort/eth0/barnyard2.waldo'

If its possible, stop Snort and Barnyard2, and then delete the waldo. Barnyard2 will create a new one for you.
> Apr 21 12:44:09 rlicsnortids1 barnyard2[2015]: Waiting for new data
After this line, do you get any other information in the syslog as new alerts are being written into the unified2 log? 
You can also enable local syslog output in Barnyard2, just to be sure that Barnyard2 setup is ok.
While Snort and Barnyard2 are running, do
ps aux | grep snort              (paste the output related to Snort)ps aux | grep barnyard2     (paste the output 
related to Barnyard2)
YM

> From: SGierczak () presencehealth org
> To: wkitty42 () windstream net; snort-users () lists sourceforge net
> Date: Mon, 21 Apr 2014 17:54:50 +0000
> Subject: Re: [Snort-users] AANVAL or MYSQL question
>
>
>
> Like I said.  You are losing me a little.  I am running barnyard as a startup when the system comes up, or by:
> service barnyard2 start/stop
>
> I believe that all the configuration then comes from the /usr/local/etc/barnyard2.conf.
> In that file are the following which are uncommented:
> config reference_file:      /etc/snort/reference.config
> config classification_file: /etc/snort/classification.config
> config gen_file:            /etc/snort/gen-msg.map
> config sid_file:                /etc/snort/sid-msg.map
> config daemon
> input unified2
> output alert_fast: stdout
> output database: log, mysql, user=snort_user password=snortuser dbname=snortdb host=localhost
>
> When I stop and start barnyard, the following gets generated in the syslog file:
>
> Apr 21 12:44:08 rlicsnortids1 barnyard2[2014]: Running in Continuous mode
> Apr 21 12:44:08 rlicsnortids1 barnyard2[2014]:
> Apr 21 12:44:08 rlicsnortids1 barnyard2[2014]:         --== Initializing Barnyard2 ==--
> Apr 21 12:44:08 rlicsnortids1 barnyard2[2014]: Initializing Input Plugins!
> Apr 21 12:44:08 rlicsnortids1 barnyard2[2014]: Initializing Output Plugins!
> Apr 21 12:44:08 rlicsnortids1 barnyard2[2014]: Parsing config file "/etc/snort/barnyard.conf"
> Apr 21 12:44:09 rlicsnortids1 barnyard2[2014]: Log directory = /var/log/snort/eth0
> Apr 21 12:44:09 rlicsnortids1 barnyard2[2014]: Initializing daemon mode
> Apr 21 12:44:09 rlicsnortids1 barnyard2[2014]: Daemon parent exiting
> Apr 21 12:44:09 rlicsnortids1 barnyard2[2015]: Daemon initialized, signaled parent pid: 2014
> Apr 21 12:44:09 rlicsnortids1 barnyard2[2015]: PID path stat checked out ok, PID path set to /var/run/
> Apr 21 12:44:09 rlicsnortids1 barnyard2[2015]: Writing PID "2015" to file "/var/run//barnyard2_NULL.pid"
> Apr 21 12:44:09 rlicsnortids1 barnyard2[2015]: database: compiled support for (mysql)
> Apr 21 12:44:09 rlicsnortids1 barnyard2[2015]: database: configured to use mysql
> Apr 21 12:44:09 rlicsnortids1 barnyard2[2015]: database: schema version = 107
> Apr 21 12:44:09 rlicsnortids1 barnyard2[2015]: database:           host = localhost
> Apr 21 12:44:09 rlicsnortids1 barnyard2[2015]: database:           user = snort_user
> Apr 21 12:44:09 rlicsnortids1 barnyard2[2015]: database:  database name = snortdb                                     
> This is the correct snortdb
> Apr 21 12:44:09 rlicsnortids1 barnyard2[2015]: database:    sensor name = rlicsnortids1:NULL
> Apr 21 12:44:09 rlicsnortids1 barnyard2[2015]: database:      sensor id = 1
> Apr 21 12:44:09 rlicsnortids1 barnyard2[2015]: database:     sensor cid = 1
> Apr 21 12:44:09 rlicsnortids1 barnyard2[2015]: database:  data encoding = hex
> Apr 21 12:44:09 rlicsnortids1 barnyard2[2015]: database:   detail level = full
> Apr 21 12:44:09 rlicsnortids1 barnyard2[2015]: database:     ignore_bpf = no
> Apr 21 12:44:09 rlicsnortids1 barnyard2[2015]: database: using the "log" facility
> Apr 21 12:44:09 rlicsnortids1 barnyard2[2015]:
> Apr 21 12:44:09 rlicsnortids1 barnyard2[2015]:         --== Initialization Complete ==--
> Apr 21 12:44:09 rlicsnortids1 barnyard2[2015]: Barnyard2 initialization completed successfully (pid=2015)
> Apr 21 12:44:09 rlicsnortids1 barnyard2[2015]: WARNING: Ignoring corrupt/truncated waldofile 
> '/var/log/snort/eth0/barnyard2.waldo'
> Apr 21 12:44:09 rlicsnortids1 barnyard2[2015]: Opened spool file '/var/log/snort/eth0/snort.log.1398100514'           
>                 This is the correct location for the snort log
> Apr 21 12:44:09 rlicsnortids1 barnyard2[2015]: Waiting for new data
>
> Thanks for your help again.
>
>
>
> On 4/17/2014 12:39 PM, Gierczak, Stan wrote:
> > Sorry, this is where you are losing me, I think.
> >
> > What I believe the answer is that barnyard2 is being run as a service.  
> > The executable that was created is from the install guide at 
> > http://wiki.aanval.com/wiki/Community:Snort_2.9.2.3_Installation_Guide
> > _for_Ubuntu_12.04,_with_Barnyard2,_Pulledpork,_and_Aanval
>
> you forgot to supply the requested startup command line for your barnyard2.
>
> you forgot to say if your barnyard2 is being pointed to the proper snort log directory. this might be done on the 
> command line or possibly inside the
> barnyard2 config.
>
> --
> NOTE: No off-list assistance is given without prior approval.
>        Please keep mailing list traffic on the list unless
>        private contact is specifically requested and granted.
>
> ------------------------------------------------------------------------------
> Learn Graph Databases - Download FREE O'Reilly Book "Graph Databases" is the definitive new guide to graph databases 
> and their applications. Written by three acclaimed leaders in the field, this first edition is now available. 
> Download your free book today!
> http://p.sf.net/sfu/NeoTech
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>
> Please visit http://blog.snort.org to stay current on all the latest Snort news!
>
> ------------------------------------------------------------------------------
> Start Your Social Network Today - Download eXo Platform
> Build your Enterprise Intranet with eXo Platform Software
> Java Based Open Source Intranet - Social, Extensible, Cloud Ready
> Get Started Now And Turn Your Intranet Into A Collaboration Platform
> http://p.sf.net/sfu/ExoPlatform
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>
> Please visit http://blog.snort.org to stay current on all the latest Snort news!

------------------------------------------------------------------------------
Start Your Social Network Today - Download eXo Platform
Build your Enterprise Intranet with eXo Platform Software
Java Based Open Source Intranet - Social, Extensible, Cloud Ready
Get Started Now And Turn Your Intranet Into A Collaboration Platform
http://p.sf.net/sfu/ExoPlatform

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!