Re: Barnyard woes

[Ken Gunderson <kgunders () teamcool net>]

On Tuesday 18 February 2003 08:15 am, Joerg Weber wrote:
> Hallo everyone,
>
> I've had barnyard running on my test-system, but didn't like the way
> I had things up so I decided to do a clean, neat config.
> Big mistake :)
>
> Here's my problem:
> 1) I'd like to use SnortCenter to maintain my sensors. SnortCenter
> adds the unified_plugin like this:
> output log_unified: filename snort-unified, limit 500
> but no alert_unified:
> Should I add this by hand via a preprocessor?

preprocessor???  unified is an output plugin...;-)

i have only been experimenting with barnyard, but follows is my 
understanding thus far:

if you want to be logging alerts....  but i don't think you can point it 
to the same file as the log because barnyard can only take one input 
per instance in it's present incarnation.  hence you need to point 
output to second file and run two instances of barnyard.

> 2) Snort's running fine and happily logging into
> /var/log/snort/snort-unified.
> Now I'm setting up my barnyard.conf like
> config hostname: Inhouse
> config interface: eth1
> processor dp_alert
> processor dp_log
> processor dp_stream_stat
> output log_acid_db: mysql, sensor_id 7, database snort, server [ip],
> user [user], password [root]

this will log "logs" to database.  you also need alert_acid_db if you 
want to log alerts to db as well, but then since snort unified will log  
"log" events to both snort-unified.log and snort-unified.alert, you 
will get two inserts into your db per log event.  if you only use 
alert_acid_db, you  miss logging the payload.  if you only use 
log_acid_db, then you miss logging alerts.  (while barnyard can only 
take one input per instance, i think one instance of barnyard is apable 
of logging events to >1 output).  so you're back to 2 instances, 
logging "log" events to db and "alert" events to file (or vice versa 
and not having paylod data logged to db).

> Now I'm starting barnyard like
> barnyard -c /root/barnyard-0.1.0-beta5/etc/barnyard.conf -f
> /var/log/snort/snort-unified -w /var/log/snort/waldo
> And the result looks like
> Skipping tagged packet 1389
> Skipping tagged packet 1392
> Skipping tagged packet 1394
> Skipping tagged packet 1396
> Skipping tagged packet 1398
> [and on and on and on...]
> What's up with that?

what does mysql give you when you SELECT * ON sensor?  does it jive with 
what your barnyard config has?

the first thing i would suggest when troubleshooting something like this 
would be to upgrade to the latest stable release.


> 3) Same happens when I try to run barnyard with the -f
> /var/log/snort/scan.log
>
> 4) The reason I'm running into this is my dislike of running two
> instances of barnyard, one for log, one for alert. Isn't there a more
> clever way to do things?

afaik; this is the only way you can do it because of barnyard's 
limitation to one input source per instance.

hope this helped some.

-- 
Best regards,

Ken Gunderson
PGP Key-- 9F5179FD

"They that can give up essential liberty to obtain a little temporary
safety deserve neither liberty nor safety."
     -Benjamin Franklin, Historical Review of Pennsylvania.


-------------------------------------------------------
This sf.net email is sponsored by:ThinkGeek
Welcome to geek heaven.
http://thinkgeek.com/sf
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users