Snort mailing list archives

Re: Snort / Barnyard error.


From: Bamm Visscher <bamm () satx rr com>
Date: Tue, 14 Oct 2003 07:15:55 -0500

Lose the '-b' and '-L' switches when you start snort. They override your snort.conf and tell it to log in pcap binary,
NOT unified. You should see a snort.log.<secs> file in your log dir then. Make sure you tell barnyard to read the
correct file too (snort.log.<secs>).

Bammkkkk

On Tue, Oct 14, 2003 at 05:46:47PM +1000, Rudi Starcevic wrote:
Hi,

Just having a couple of problems getting Snort and Barnyard to work together.
I've been struggling with this for a couple of days on and off, so I've
started again from fresh source but am still seeing errors.

Here's what I'm trying and what I'm seeing:

I re-installed 20 mins ago from snort.org
-*> Snort! <*-
Version 2.0.2 (Build 92)

Also Barnyard from sourceforge 10 mins ago
-*> Barnyard! <*-
Version 0.1.0 (Build 17)

Now I make *1* and only 1 change to the snort.conf file.
I uncomment just 1 line:

#output log_unified: filename snort.log, limit 128
output log_unified: filename snort.log, limit 128

Now I start Snort:
/usr/local/snort/bin/snort -b -i eth0 -c /usr/local/snort/etc/snort.conf -L testlog

So far it's all good.

2 log files are created when I trigger a rule
/var/log/snort/alert
/var/log/snort/testlog.1066116497

Now I stop Snort and want to use Barnyard to analyze the binary log;
My Barnyard command is:

/usr/local/barnyard/bin/barnyard -o \
-c /usr/local/snort/etc/barnyard.conf  \
-f /var/log/snort/testlog.1066116497 \
-L /var/log/barnyard  \
-g /usr/local/snort/etc/gen-msg.map \
-s /usr/local/snort/etc/sid-msg.map


This is my error:

-*> Barnyard! <*-
Version 0.1.0 (Build 17)
By Andrew R. Baker (andrewb () snort org)
and Martin Roesch (roesch () sourcefire com, www.snort.org)

Loading Data Processors...
dp_alert loaded
dp_log loaded
dp_stream_stat loaded
Loading Built-in Output Plugins...
Fast Alert plugin initialized
AlertSyslog initialized
Log Dump plugin initialized
LogPcap initialized
AlertCSV initialized
Parsing Config file: /usr/local/snort/etc/barnyard.conf
Barnyard Version 0.1.0 (Build 17) started
ERROR => No input plugin found for magic: a1b2c3d4
Fatal Error, Quitting..
Exiting

This error can be found on Google several times but mostly the advice is 
to upgrade,
which I've tried without joy.

I also found this:
Barnyard subsists exclusively on a diet of snort unified output files.

I thought uncommenting 'output log_unified: filename snort.log, limit 128' would
help, but also no joy yet.

Sorry for this repeat question but I am now stuck.
Am I still missing a config. option or something ?

In the testlog.1066116497 the first 2 lines are binary, then I can read some
text. Should this file be all binary with no readable text?

Also, can I just have a binary log and no text 'alert' log in my snort
log dir?

Many thanks.
Best regards
Rudi.
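The magic Barnyard complains about, a1b2c3d4, is the libpcap file magic: the file Snort wrote with -b/-L is a tcpdump-style capture, not a unified log, which is exactly the mismatch the reply above describes. The following check, added here and not part of the thread, Snort or Barnyard, reads the first four bytes of a log file and says which reader it belongs to before you point barnyard at it. The pcap magic is the value from the error message; the unified alert/log magics (0xDEAD4137 and 0xDEAD1080) are the values I recall from Snort's spo_unified.h and Barnyard's dp_alert/dp_log, so treat them as an assumption and verify them against your own source tree. The sample headers are constructed inline.

```python
import struct

# Magic numbers written as the first 32-bit word of each log format.
# PCAP_MAGIC is the value printed in the Barnyard error on this page.
# The two unified values are as I recall them from Snort's spo_unified.h
# (ALERT_MAGIC / LOG_MAGIC); assumption, confirm against your source tree.
PCAP_MAGIC = 0xA1B2C3D4
UNIFIED_ALERT_MAGIC = 0xDEAD4137
UNIFIED_LOG_MAGIC = 0xDEAD1080

KINDS = {
    PCAP_MAGIC: "pcap",            # written by 'snort -b' / '-L'; barnyard has no reader for it
    UNIFIED_ALERT_MAGIC: "unified-alert",  # 'output alert_unified'; barnyard dp_alert
    UNIFIED_LOG_MAGIC: "unified-log",      # 'output log_unified'; barnyard dp_log
}

ADVICE = {
    "pcap": "tcpdump-style capture: drop -b/-L from the snort command line so the "
            "log_unified output plugin in snort.conf takes effect",
    "unified-alert": "feed to barnyard with the dp_alert processor",
    "unified-log": "feed to barnyard with the dp_log processor",
    "unknown": "not a pcap or unified file (a text 'alert' file starts with '[**]')",
    "too-short": "file has fewer than 4 bytes; nothing was logged",
}


def classify_header(head: bytes):
    """Classify a file by its first four bytes.

    Snort writes the magic in host byte order, so on x86 the bytes on disk
    are d4 c3 b2 a1 and a native read yields 0xa1b2c3d4 (what Barnyard
    printed). Both byte orders are tried so captures moved between
    big- and little-endian hosts are still recognised.
    Returns (kind, magic, byte_order).
    """
    if len(head) < 4:
        return ("too-short", None, None)
    for order, fmt in (("little", "<I"), ("big", ">I")):
        (magic,) = struct.unpack(fmt, head[:4])
        if magic in KINDS:
            return (KINDS[magic], magic, order)
    (magic,) = struct.unpack("<I", head[:4])
    return ("unknown", magic, None)


def classify_file(path):
    """Read the first four bytes of a real log file and classify it."""
    with open(path, "rb") as f:
        return classify_header(f.read(4))


if __name__ == "__main__":
    # Constructed sample headers (not real captures) covering each case.
    samples = {
        "testlog.1066116497 (snort -b on x86)": bytes.fromhex("d4c3b2a1") + b"\x02\x00\x04\x00",
        "snort.log.1066116497 (log_unified, x86)": bytes.fromhex("8010adde"),
        "snort.alert.1066116497 (alert_unified, x86)": bytes.fromhex("3741adde"),
        "alert (text full-alert output)": b"[**] [1:469:1] ICMP PING NMAP [**]",
        "empty log": b"",
    }
    for name, head in samples.items():
        kind, magic, order = classify_header(head)
        shown = "n/a" if magic is None else "%08x" % magic
        print("%-45s %-14s magic=%s order=%s" % (name, kind, shown, order))
        print("    -> " + ADVICE[kind])
```

Run it against the real file with `classify_file("/var/log/snort/testlog.1066116497")`; a "pcap" answer means the -b/-L override is still in force and Barnyard will keep failing until Snort is restarted without those switches, at which point log_unified produces the snort.log.<secs> file Barnyard expects. The text "alert" file Rudi asks about is a separate output (the full-alert plugin) and is not what Barnyard reads.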



-------------------------------------------------------
This SF.net email is sponsored by: SF.net Giveback Program.
SourceForge.net hosts over 70,000 Open Source Projects.
See the people who have HELPED US provide better services:
Click here: http://sourceforge.net/supporters.php
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

