Snort mailing list archives
Re: Trouble in the Barnyard
From: "Bob Baller" <bobballer () q com>
Date: Wed, 18 Jan 2017 20:38:58 -0600
I think I've answered my own question below. I didn't look at the timestamp on the files, although I guess I expected the snort file to be updated - it wasn't. Only the ibdata1 and ib_logfile0 were updated when I ran Barnyard. And the ibtmp file had been updated on the 15th - not sure what caused that. January 2 is when I created the Snort DB so the Snort file hasn't been touched.

-rw-r----- 1 mysql mysql       56 Dec 25 23:05 auto.cnf
-rw-r--r-- 1 root  root         0 Dec 25 23:05 debian-5.7.flag
-rw-r----- 1 mysql mysql      302 Jan  2 14:43 ib_buffer_pool
-rw-r----- 1 mysql mysql 79691776 Jan 18 20:05 ibdata1
-rw-r----- 1 mysql mysql 50331648 Jan 18 20:05 ib_logfile0
-rw-r----- 1 mysql mysql 50331648 Dec 25 23:05 ib_logfile1
-rw-r----- 1 mysql mysql 12582912 Jan 15 12:23 ibtmp1
drwxr-x--- 2 mysql mysql     4096 Dec 25 23:05 mysql
drwxr-x--- 2 mysql mysql     4096 Dec 25 23:05 performance_schema
drwxr-x--- 2 mysql mysql     4096 Jan  2 21:48 snort
drwxr-x--- 2 mysql mysql    12288 Dec 25 23:05 sys

Is this normal? I'll read up on how to make it run in the background.

From: Bob Baller [mailto:bobballer () q com]
Sent: Wednesday, January 18, 2017 8:02 PM
To: 'snort-users () lists sourceforge net'
Subject: RE: [Snort-users] Trouble in the Barnyard

Well that certainly had an effect! Here is the output from ./configure: This output doesn't appear to be any different than the previous attempts (specifically the section dealing with mysql) but the output from the make command after this was different. After the 'sudo make install' command, I started Barnyard2 and it immediately started streaming Snort alerts to the screen. I broke out of it after a while and I copy/pasted the last few lines of alerts and output at the end of the ./configure output below. At this point is there a way to tell that it is actually writing to the MySQL tables rather than just to the screen?
The eof on the snort file in the mysql directory doesn't appear to have changed (several other files have changed but they didn't appear to change continuously while Barnyard was running).

bob@HP7620 //home/bob/Downloads/Barnyard2/barnyard2-master $ ./configure --with-mysql -with-mysql-libraries=/usr/lib/i386-linux-gnu
checking for a BSD-compatible install... /usr/bin/install -c
checking whether build environment is sane... yes
checking for a thread-safe mkdir -p... /bin/mkdir -p
checking for gawk... gawk
checking whether make sets $(MAKE)... yes
checking whether make supports nested variables... yes
checking build system type... i686-pc-linux-gnu
checking host system type... i686-pc-linux-gnu
checking how to print strings... printf
checking for style of include used by make... GNU
checking for gcc... gcc
checking whether the C compiler works... yes
checking for C compiler default output file name... a.out
checking for suffix of executables... 
checking whether we are cross compiling... no
checking for suffix of object files... o
checking whether we are using the GNU C compiler... yes
checking whether gcc accepts -g... yes
checking for gcc option to accept ISO C89... none needed
checking whether gcc understands -c and -o together... yes
checking dependency style of gcc... none
checking for a sed that does not truncate output... /bin/sed
checking for grep that handles long lines and -e... /bin/grep
checking for egrep... /bin/grep -E
checking for fgrep... /bin/grep -F
checking for ld used by gcc... /usr/bin/ld
checking if the linker (/usr/bin/ld) is GNU ld... yes
checking for BSD- or MS-compatible name lister (nm)... /usr/bin/nm -B
checking the name lister (/usr/bin/nm -B) interface... BSD nm
checking whether ln -s works... yes
checking the maximum length of command line arguments... 1572864
checking how to convert i686-pc-linux-gnu file names to i686-pc-linux-gnu format... func_convert_file_noop
checking how to convert i686-pc-linux-gnu file names to toolchain format... func_convert_file_noop
checking for /usr/bin/ld option to reload object files... -r
checking for objdump... objdump
checking how to recognize dependent libraries... pass_all
checking for dlltool... no
checking how to associate runtime and link libraries... printf %s\n
checking for ar... ar
checking for archiver @FILE support... @
checking for strip... strip
checking for ranlib... ranlib
checking command to parse /usr/bin/nm -B output from gcc object... ok
checking for sysroot... no
checking for a working dd... /bin/dd
checking how to truncate binary pipes... /bin/dd bs=4096 count=1
checking for mt... mt
checking if mt is a manifest tool... no
checking how to run the C preprocessor... gcc -E
checking for ANSI C header files... yes
checking for sys/types.h... yes
checking for sys/stat.h... yes
checking for stdlib.h... yes
checking for string.h... yes
checking for memory.h... yes
checking for strings.h... yes
checking for inttypes.h... yes
checking for stdint.h... yes
checking for unistd.h... yes
checking for dlfcn.h... yes
checking for objdir... .libs
checking if gcc supports -fno-rtti -fno-exceptions... no
checking for gcc option to produce PIC... -fPIC -DPIC
checking if gcc PIC flag -fPIC -DPIC works... yes
checking if gcc static flag -static works... yes
checking if gcc supports -c -o file.o... yes
checking if gcc supports -c -o file.o... (cached) yes
checking whether the gcc linker (/usr/bin/ld) supports shared libraries... yes
checking whether -lc should be explicitly linked in... no
checking dynamic linker characteristics... GNU/Linux ld.so
checking how to hardcode library paths into programs... immediate
checking whether stripping libraries is possible... yes
checking if libtool supports shared libraries... yes
checking whether to build shared libraries... yes
checking whether to build static libraries... yes
checking whether to enable maintainer-specific portions of Makefiles... no
checking for gcc option to accept ISO C99... none needed
checking for gcc option to accept ISO Standard C... (cached) none needed
checking for gcc... (cached) gcc
checking whether we are using the GNU C compiler... (cached) yes
checking whether gcc accepts -g... (cached) yes
checking for gcc option to accept ISO C89... (cached) none needed
checking whether gcc understands -c and -o together... (cached) yes
checking dependency style of gcc... (cached) none
checking whether byte ordering is bigendian... no
checking for bison... bison
checking for flex... flex
checking for strings.h... (cached) yes
checking for string.h... (cached) yes
checking for stdlib.h... (cached) yes
checking for unistd.h... (cached) yes
checking sys/sockio.h usability... no
checking sys/sockio.h presence... no
checking for sys/sockio.h... no
checking paths.h usability... yes
checking paths.h presence... yes
checking for paths.h... yes
checking for inttypes.h... (cached) yes
checking wchar.h usability... yes
checking wchar.h presence... yes
checking for wchar.h... yes
checking math.h usability... yes
checking math.h presence... yes
checking for math.h... yes
checking for floor in -lm... yes
checking for ceil in -lm... yes
checking for inet_ntoa in -lnsl... yes
checking for socket in -lsocket... no
checking whether printf must be declared... no
checking whether fprintf must be declared... no
checking whether syslog must be declared... no
checking whether puts must be declared... no
checking whether fputs must be declared... no
checking whether fputc must be declared... no
checking whether fopen must be declared... no
checking whether fclose must be declared... no
checking whether fwrite must be declared... no
checking whether fflush must be declared... no
checking whether getopt must be declared... no
checking whether bzero must be declared... no
checking whether bcopy must be declared... no
checking whether memset must be declared... no
checking whether strtol must be declared... no
checking whether strcasecmp must be declared... no
checking whether strncasecmp must be declared... no
checking whether strerror must be declared... no
checking whether perror must be declared... no
checking whether socket must be declared... no
checking whether sendto must be declared... no
checking whether vsnprintf must be declared... no
checking whether snprintf must be declared... no
checking whether strtoul must be declared... no
checking for snprintf... yes
checking for strlcpy... no
checking for strlcat... no
checking for strerror... yes
checking for vswprintf... yes
checking for wprintf... yes
checking size of char... 1
checking size of short... 2
checking size of int... 4
checking size of long int... 4
checking size of long long int... 8
checking size of unsigned int... 4
checking size of unsigned long int... 4
checking size of unsigned long long int... 8
checking for u_int8_t... yes
checking for u_int16_t... yes
checking for u_int32_t... yes
checking for u_int64_t... yes
checking for uint8_t... yes
checking for uint16_t... yes
checking for uint32_t... yes
checking for uint64_t... yes
checking for int8_t... yes
checking for int16_t... yes
checking for int32_t... yes
checking for int64_t... yes
checking for INADDR_NONE... yes
checking for __FUNCTION__... yes
checking pcap.h usability... yes
checking pcap.h presence... yes
checking for pcap.h... yes
checking for pcap_datalink in -lpcap... yes
checking for sparc... no
checking for mysql... yes
checking for compress in -lz... yes
checking for mysql default client reconnect... no
checking for mysql reconnect option... yes
checking for mysql setting of reconnect option before connect bug... no
checking for linuxthreads... no
checking that generated files are newer than configure... done
configure: creating ./config.status
config.status: creating Makefile
config.status: creating src/Makefile
config.status: creating src/sfutil/Makefile
config.status: creating src/input-plugins/Makefile
config.status: creating src/output-plugins/Makefile
config.status: creating etc/Makefile
config.status: creating doc/Makefile
config.status: creating rpm/Makefile
config.status: creating schemas/Makefile
config.status: creating m4/Makefile
config.status: creating config.h
config.status: executing depfiles commands
config.status: executing libtool commands

Output from Barnyard2:

01/03-02:25:50.183716 [**] [1:402:7] Snort Alert [1:402:7] [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.168.1.37 -> 192.168.1.1
01/03-02:25:56.291285 [**] [1:402:7] Snort Alert [1:402:7] [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.168.1.16 -> 192.168.1.1
01/03-02:25:56.293544 [**] [1:402:7] Snort Alert [1:402:7] [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.168.1.37 -> 192.168.1.1
01/03-02:26:02.402276 [**] [1:402:7] Snort Alert [1:402:7] [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.168.1.16 -> 192.168.1.1
01/03-02:26:02.403808 [**] [1:402:7] Snort Alert [1:402:7] [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.168.1.37 -> 192.168.1.1
^C*** Caught Int-Signal
Barnyard2 exiting
database: Closing connection to database "snort"
===============================================================================
Record Totals:
   Records:       39462
   Events:        19731 (50.000%)
   Packets:       19731 (50.000%)
   Unknown:           0 (0.000%)
   Suppressed:        0 (0.000%)
===============================================================================
Packet breakdown by protocol (includes rebuilt packets):
      ETH: 19731      (100.000%)
  ETHdisc: 0          (0.000%)
     VLAN: 12896      (65.359%)
     IPV6: 336        (1.703%)
  IP6 EXT: 672        (3.406%)
  IP6opts: 336        (1.703%)
  IP6disc: 0          (0.000%)
      IP4: 19395      (98.297%)
  IP4disc: 0          (0.000%)
    TCP 6: 0          (0.000%)
    UDP 6: 0          (0.000%)
    ICMP6: 335        (1.698%)
  ICMP-IP: 0          (0.000%)
      TCP: 8          (0.041%)
      UDP: 1          (0.005%)
     ICMP: 19051      (96.554%)
  TCPdisc: 0          (0.000%)
  UDPdisc: 0          (0.000%)
  ICMPdis: 0          (0.000%)
     FRAG: 0          (0.000%)
   FRAG 6: 0          (0.000%)
      ARP: 0          (0.000%)
    EAPOL: 0          (0.000%)
  ETHLOOP: 0          (0.000%)
      IPX: 0          (0.000%)
    OTHER: 336        (1.703%)
  DISCARD: 0          (0.000%)
InvChkSum: 0          (0.000%)
   S5 G 1: 0          (0.000%)
   S5 G 2: 0          (0.000%)
    Total: 19731
===============================================================================
Closing spool file '/var/log/snort/snort.u2.1483389911'. Read 39462 records
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
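Editor's added example (not part of Bob's message and not code shipped with Barnyard2 or Snort): the question in the message is whether Barnyard2 is really inserting into MySQL or only printing to the console, and file timestamps under the MySQL data directory are a weak way to answer it. A directory's mtime (the "snort" directory in the listing) changes only when files are created or deleted inside it, not when rows are written, and InnoDB writes to the redo log (ib_logfile0) first and flushes table data to ibdata1 or the per-table .ibd files later, so those mtimes can lag or never move visibly. The direct check is to query the tables Barnyard2's database output plugin writes. The queries below assume the stock Barnyard2 MySQL schema (schemas/create_mysql) with its schema, sensor, event, signature and iphdr tables; the table and column names come from that schema, while the row counts and hostnames returned are whatever the sensor recorded.

```sql
-- Added example: confirm Barnyard2 is writing to the "snort" database.
-- Assumes the stock Barnyard2 MySQL schema; counts returned are site-specific.
USE snort;

-- 1. Schema version row. Barnyard2 will not start its MySQL output plugin
--    without this table, so an empty result means the schema was never loaded.
--    (`schema` is a reserved word in MySQL, hence the backticks.)
SELECT vseq, ctime FROM `schema`;

-- 2. One row per sensor: how many events it has logged, the newest event time,
--    and last_cid, the counter Barnyard2 advances on every insert.
--    Run this twice with Barnyard2 processing the spool in between; if the
--    plugin is really writing, events and last_cid must increase.
SELECT s.sid, s.hostname, s.interface, s.last_cid,
       COUNT(e.cid)     AS events,
       MAX(e.timestamp) AS newest_event
FROM sensor s
LEFT JOIN event e ON e.sid = s.sid
GROUP BY s.sid, s.hostname, s.interface, s.last_cid;

-- 3. The newest alerts with their signature and addresses, to match against
--    what scrolled on the console (here: gid 1, sid 402, rev 7, ICMP between
--    192.168.1.37 / 192.168.1.16 and 192.168.1.1). Note that event.sid is the
--    sensor id; the Snort rule sid lives in signature.sig_sid.
SELECT e.timestamp,
       sig.sig_gid, sig.sig_sid, sig.sig_rev, sig.sig_name,
       INET_NTOA(ip.ip_src) AS src_ip,
       INET_NTOA(ip.ip_dst) AS dst_ip,
       ip.ip_proto
FROM event e
JOIN signature sig ON sig.sig_id = e.signature
JOIN iphdr     ip  ON ip.sid = e.sid AND ip.cid = e.cid
ORDER BY e.timestamp DESC, e.cid DESC
LIMIT 5;

-- 4. Row-count snapshot: take it before and after a Barnyard2 run and compare.
--    On a fresh pass over one spool file the growth in event_rows should equal
--    the "Events" figure Barnyard2 prints in its Record Totals at exit.
SELECT (SELECT COUNT(*) FROM event)     AS event_rows,
       (SELECT COUNT(*) FROM iphdr)     AS iphdr_rows,
       (SELECT COUNT(*) FROM signature) AS signature_rows;
```

Run these from the mysql client as the account named on the output database line of barnyard2.conf, so that a permissions problem shows up under the same credentials Barnyard2 uses. For the follow-up question about running in the background, Barnyard2's -D option starts it in daemon mode; the row counts above are then the way to watch it working, since there is no console to read.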
Current thread:
- Trouble in the Barnyard Bob Baller (Jan 16)
- Re: Trouble in the Barnyard Noah Dietrich (Jan 16)
- Re: Trouble in the Barnyard Bob Baller (Jan 16)
- Re: Trouble in the Barnyard James Lay (Jan 16)
- Re: Trouble in the Barnyard Bob Baller (Jan 16)
- Re: Trouble in the Barnyard James Lay (Jan 16)
- Re: Trouble in the Barnyard Bob Baller (Jan 17)
- Re: Trouble in the Barnyard Y M (Jan 17)
- Re: Trouble in the Barnyard Bob Baller (Jan 18)
- Re: Trouble in the Barnyard Bob Baller (Jan 18)
- Re: Trouble in the Barnyard Bob Baller (Jan 16)
- Re: Trouble in the Barnyard Noah Dietrich (Jan 16)