Snort mailing list archives

Re: Using Barnyard2 with Snort


From: James Lay <jlay () slave-tothe-box net>
Date: Tue, 30 Jun 2015 04:59:18 -0600

On Mon, 2015-06-29 at 18:51 +0000, Farnsworth, Robert wrote:

I did finally get it to run with one concern, see my start-up info.   

Is this a concern?
[CacheSynchronize()],INFO: No system was found in cache (from signature map file), will not process or synchronize informations found in the database




[root@host snort]# /usr/bin/barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort -f snort.log -w /var/log/snort/barnyard.waldo
[1] 29647
[root@host snort]# Running in Continuous mode

        --== Initializing Barnyard2 ==--
Initializing Input Plugins!
Initializing Output Plugins!
Parsing config file "/etc/snort/barnyard2.conf"


+[ Signature Suppress list ]+
----------------------------
+[No entry in Signature Suppress List]+
----------------------------
+[ Signature Suppress list ]+

Barnyard2 spooler: Event cache size set to [2048]
Log directory = /var/log/barnyard2
INFO database: Defaulting Reconnect/Transaction Error limit to 10
INFO database: Defaulting Reconnect sleep time to 5 second

[CacheSynchronize()],INFO: No system was found in cache (from signature map file), will not process or synchronize informations found in the database

database: compiled support for (mysql)
database: configured to use mysql
database: schema version = 107
database:           host = localhost
database:           user = snort_user
database:  database name = snortdb
database:    sensor name = localhost:eth2
database:      sensor id = 2
database:     sensor cid = 1
database:  data encoding = hex
database:   detail level = full
database:     ignore_bpf = no
database: using the "log" facility

        --== Initialization Complete ==--

  ______   -*> Barnyard2 <*-
 / ,,_  \  Version 2.1.13 (Build 327)
 |o"  )~|  By Ian Firns (SecurixLive): http://www.securixlive.com/
 + '''' +  (C) Copyright 2008-2013 Ian Firns <firnsy () securixlive com>

Using waldo file '/var/log/snort/barnyard.waldo':
    spool directory = /var/log/snort
    spool filebase  = snort.log
    time_stamp      = 1435349813
    record_idx      = 0
Opened spool file '/var/log/snort/snort.log.1435349813'
Waiting for new data

-----Original Message-----
From: James Lay [mailto:jlay () slave-tothe-box net] 
Sent: Friday, June 26, 2015 3:55 PM
To: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Using Barnyard2 with Snort

On 2015-06-26 11:00 AM, Farnsworth, Robert wrote:
Hi James, I know you're busy but just wanted to reply so you don't
forget about this.

Thanks

Robert

FROM: James Lay [mailto:jlay () slave-tothe-box net]
 SENT: Wednesday, June 24, 2015 6:56 AM
 TO: snort-users () lists sourceforge net
 SUBJECT: Re: [Snort-users] Using Barnyard2 with Snort

On Mon, 2015-06-22 at 12:37 +0000, Farnsworth, Robert wrote:

This is what I get running in verbose. I have attached my 
barnyard2.conf file.

[root@usolglwxoh004 jzcdc0]# /usr/local/bin/barnyard2 -v
Running in Continuous mode

        --== Initializing Barnyard2 ==--
Initializing Input Plugins!
Initializing Output Plugins!
Parsing config file "./barnyard2.conf"

-----Original Message-----

From: James Lay [mailto:jlay () slave-tothe-box net]

Sent: Friday, June 19, 2015 5:08 PM

To: Farnsworth, Robert

Cc: snort-users () lists sourceforge net

Subject: RE: [Snort-users] Using Barnyard2 with Snort

On 2015-06-19 02:55 PM, Farnsworth, Robert wrote:

I cannot get Barnyard to run.

It seems to die @ Parsing config file "/etc/snort/barnyard2.conf"



-----Original Message-----

From: James Lay [mailto:jlay () slave-tothe-box net]

Sent: Friday, June 19, 2015 4:46 PM

To: snort-users () lists sourceforge net

Subject: Re: [Snort-users] Using Barnyard2 with Snort



On 2015-06-19 11:57 AM, Farnsworth, Robert wrote:

I realize this is off topic for SNORT, but does anybody know how to
get help with a barnyard2 config? I've tried the google group and the
e-mail fails.

[root@anyhost] /usr/bin/barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort -f snort.log -w /var/log/snort/barnyard.waldo

Running in Continuous mode

        --== Initializing Barnyard2 ==--
Initializing Input Plugins!
Initializing Output Plugins!
Parsing config file "/etc/snort/barnyard2.conf"

  ______   -*> Barnyard2 <*-
 / ,,_  \  Version 2.1.13 (Build 327)
 |o"  )~|  By Ian Firns (SecurixLive): http://www.securixlive.com/
 + '''' +  (C) Copyright 2008-2013 Ian Firns firnsy () securixlive com



Thanks



ROBERT L. FARNSWORTH

You'll want to post your barnyard2.conf file as well as try and run 
it with the -v option for verbose mode, then post the output of that 
as well.

James



So ok...here's what I got:

config reference_file:          /etc/snort/reference.config
config classification_file:     /etc/snort/classification.config
config gen_file:                /etc/snort/gen-msg.map
config sid_file:                /etc/snort/sid-msg.map

input unified2
output alert_fast: stdout

root@siftworkstation:/opt/etc/snort# /bin/barnyard2 -v -c testbarnyard2.conf -l /var/log/barnyard2 -d /var/log/snort -f unified.u2 -w /var/log/barnyard2/external.waldo

Running in Continuous mode

        --== Initializing Barnyard2 ==--
Initializing Input Plugins!
Initializing Output Plugins!
Parsing config file "testbarnyard2.conf"

+[ Signature Suppress list ]+
----------------------------
+[No entry in Signature Suppress List]+
----------------------------
+[ Signature Suppress list ]+

Barnyard2 spooler: Event cache size set to [2048]
Log directory = /var/log/barnyard2

        --== Initialization Complete ==--

   ______   -*> Barnyard2 <*-
  / ,,_  \  Version 2.1.14 (Build 336)
  |o"  )~|  By Ian Firns (SecurixLive): http://www.securixlive.com/
  + '''' +  (C) Copyright 2008-2013 Ian Firns <firnsy () securixlive com>

This took at least 30 seconds on a slow box with a big rules file to initialize...I suspect that's what you're 
seeing...pegs the CPU as well, but that's to be expected.  Test with the above and see if you get the same 
results...make sure /var/log/snort and /var/log/barnyard2 exist.

James

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!


I do not run barnyard2 with mysql, so I'll defer to someone else on the
list.

James
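James's minimal test above comes down to a config naming four map files, a spool directory (-d/-f), a log directory (-l) and a waldo path (-w), with the reminder that the directories must exist. The following preflight script is an added example, not part of this thread or of barnyard2 itself; the function name by2_preflight and the temp-dir layout it builds are constructed for the demonstration. It checks those prerequisites before barnyard2 is launched, so a missing directory or map file is not confused with the slow sid/gen map load at "Parsing config file".

```shell
#!/bin/sh
# Added preflight for a barnyard2 start-up like the ones in this thread:
#   barnyard2 -c CONF -d SPOOLDIR -f FILEBASE -w WALDO -l LOGDIR
# Confirms the map files named in barnyard2.conf and the directories
# barnyard2 writes to exist, so a long pause at "Parsing config file"
# (the sid/gen map load) is not mistaken for a missing file or directory.
# Returns 0 when everything is in place, 1 otherwise; each problem is printed.
by2_preflight() {
    conf=$1; spool=$2; base=$3; waldo=$4; logdir=$5; rc=0
    [ -r "$conf" ] || { echo "config not readable: $conf"; return 1; }
    # The four 'config ..._file:' lines from the thread's minimal config.
    for key in reference_file classification_file gen_file sid_file; do
        path=$(sed -n "s/^[[:space:]]*config[[:space:]]\{1,\}$key:[[:space:]]*//p" "$conf" \
            | sed 's/[[:space:]]*$//' | head -n 1)
        if [ -z "$path" ]; then
            echo "no 'config $key:' line in $conf"; rc=1
        elif [ ! -r "$path" ]; then
            echo "$key points at an unreadable file: $path"; rc=1
        fi
    done
    # -d/-f: the spool directory must exist; no snort.log.* yet only means
    # barnyard2 will sit at "Waiting for new data", so that is a notice.
    if [ ! -d "$spool" ]; then
        echo "spool directory missing: $spool"; rc=1
    elif ! ls "$spool/$base".* >/dev/null 2>&1; then
        echo "notice: no $base.* spool files in $spool yet"
    fi
    # -l and -w: the log directory and the waldo file's directory must be writable.
    wdir=$(dirname "$waldo")
    [ -d "$logdir" ] && [ -w "$logdir" ] || { echo "log directory not writable: $logdir"; rc=1; }
    [ -d "$wdir" ] && [ -w "$wdir" ] || { echo "waldo directory not writable: $wdir"; rc=1; }
    return $rc
}

# Constructed demo layout in a temp dir (stands in for /etc/snort and /var/log/*).
demo=$(mktemp -d)
mkdir -p "$demo/etc" "$demo/spool" "$demo/log"
for f in reference.config classification.config gen-msg.map sid-msg.map; do : > "$demo/etc/$f"; done
cat > "$demo/etc/barnyard2.conf" <<EOF
config reference_file:          $demo/etc/reference.config
config classification_file:     $demo/etc/classification.config
config gen_file:                $demo/etc/gen-msg.map
config sid_file:                $demo/etc/sid-msg.map
input unified2
output alert_fast: stdout
EOF
: > "$demo/spool/snort.log.1435349813"
by2_preflight "$demo/etc/barnyard2.conf" "$demo/spool" snort.log "$demo/log/barnyard.waldo" "$demo/log" \
    && echo "preflight OK: start barnyard2 -v with this config"
```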