Snort mailing list archives

Re: Barnyard not inserting into acid_*


From: sekure <sekure () gmail com>
Date: Thu, 24 Jun 2004 09:21:21 -0400

Yep, at this point it looks like your events are being imported into
the snort portion of the database, but acid is not processing them. 
Take a look at your ACID config.  I can't help you there, I use
OpenAanval.  You might want to check it out. http://www.aanval.com

On Thu, 24 Jun 2004 08:39:33 -0400, VanBrecht, Jason
<jason.vanbrecht () ost dot gov> wrote:

Barnyard does not populate the acid_* tables; ACID does that itself.
When you load the page, it pulls data from the snort db tables and
dumps them into the acid tables.  At least that's how mine is set up.

Jason van Brecht
Security Analyst
Department of Transportation



-----Original Message-----
From: snort-users-admin () lists sourceforge net
[mailto:snort-users-admin () lists sourceforge net] On Behalf Of Rudi
Starcevic
Sent: Wednesday, June 23, 2004 8:28 PM
To: sekure
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Barnyard not inserting into acid_*

Hi,

Thanks for your reply.
I've looked into it further but still no joy.
Sorry to bother - I'm sure I have either a simple misconfig I keep
missing or perhaps something underneath not happy on FreeBSD.

You only need log_acid_db, since alert_acid_db will only duplicate the
entries...  But that's not the root of your issue.


The only output filter I have in barnyard.conf is:
output alert_acid_db: mysql, sensor_id 1, database snort, server localhost, user root, password xxxx, detail full

After running:

/usr/local/barnyard/bin/barnyard -c /usr/local/snort/etc/barnyard.conf
-o /var/log/snort/snort.log.1087948218

Barnyard connects to mysql OK.
There are no errors in my mysql or php log files.

Here are some lines from wildpass.log ( mysql log )

10 Query       INSERT INTO udphdr (sid, cid, udp_sport, udp_dport)
VALUES('1', '9735', '1376', '1434')
10 Query       SELECT sig_id FROM signature WHERE sig_name='MS-SQL Worm
propagation attempt OUTBOUND' AND sig_rev=0 AND sig_sid=2004
10 Query       INSERT INTO event(sid, cid, signature, timestamp)
VALUES('1', '9736', '2', '2004-06-23 17: 52:55')
10 Query       INSERT INTO iphdr(sid, cid, ip_src, ip_dst, ip_proto)
VALUES('1', '9736', '2898447641', '1122407842', '17')

So I'm sure I can connect OK and no error messages but still no insert
in acid_*.
The acid console connects OK but no stats on screen.

Hmm ... might have to go try on another machine as I'm a bit stumped.

Thanks
Regards
Rudi.

Do you have the snort database and tables created in the database?
Can you connect to the database with mysql client with the root user
and manipulate the tables?  Enable error logging on the mysql server
and see what barnyard is trying to do.

On Wed, 23 Jun 2004 12:20:00 +1000, Rudi Starcevic <tech () wildcash com>
wrote:


Hi,

I've got Snort, Mysql, Acid and Barnyard installed and running OK on
FreeBSD with one small hitch. So far I'm unable to get Barnyard to
insert into any of the 4 acid_* tables.

I can't see where I'm going wrong and have been trying on and off for
a couple of days so I thought I'd ask.

After running the commands:

/usr/local/barnyard/bin/barnyard -c /usr/local/snort/etc/barnyard.conf
-o /var/log/snort/snort.alert.1087948218
/usr/local/barnyard/bin/barnyard -c /usr/local/snort/etc/barnyard.conf
-o /var/log/snort/snort.log.1087948218

The binary log files are processed without error but no data is
inserted into the acid tables, only the standard snort tables.

I have this in my snort.conf:

output alert_unified: filename snort.alert, limit 128
output log_unified: filename snort.log, limit 128

and this in my barnyard.conf:

output alert_acid_db: mysql, sensor_id 1, database snort, server localhost, user root, password xxxxx, detail full
output log_acid_db: mysql, sensor_id 1, database snort, server localhost, user root, password xxxxx, detail full

Can you see where I may be going wrong and how I may fix it?

Many thanks
Kind regards
Rudi.

-------------------------------------------------------
This SF.Net email sponsored by Black Hat Briefings & Training. Attend
Black Hat Briefings & Training, Las Vegas July 24-29 - digital self
defense, top technical experts, no vendor pitches, unmatched
networking opportunities. Visit www.blackhat.com
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
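To make the diagnosis in this thread checkable from the quoted wildpass.log lines, here is an added Python script (not from anyone in the thread) that parses a MySQL general query log excerpt, joins the mail-wrapped continuation lines, and reports which tables Barnyard actually inserted into; the sample log below is constructed from the quoted lines, and the verdict strings are my own wording of Jason's explanation.

```python
import re
from collections import Counter

# Constructed sample modelled on the wildpass.log excerpt in the thread
# (MySQL general query log: "<conn id> Query <statement>", with long
# statements wrapped onto continuation lines by the mail client).
SAMPLE_LOG = """\
10 Query       INSERT INTO udphdr (sid, cid, udp_sport, udp_dport)
VALUES('1', '9735', '1376', '1434')
10 Query       SELECT sig_id FROM signature WHERE sig_name='MS-SQL Worm
propagation attempt OUTBOUND' AND sig_rev=0 AND sig_sid=2004
10 Query       INSERT INTO event(sid, cid, signature, timestamp)
VALUES('1', '9736', '2', '2004-06-23 17:52:55')
10 Query       INSERT INTO iphdr(sid, cid, ip_src, ip_dst, ip_proto)
VALUES('1', '9736', '2898447641', '1122407842', '17')
"""

# "<connection id> <command> <rest>"; anything else is a wrapped continuation.
ENTRY_RE = re.compile(r"^\s*(\d+)\s+(Query|Connect|Init|Quit)\b\s*(.*)$")
INSERT_RE = re.compile(r"^\s*INSERT\s+INTO\s+`?(\w+)`?", re.IGNORECASE)


def parse_entries(text):
    """Return [(conn_id, command, statement)], re-joining wrapped lines."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.append([m.group(1), m.group(2), m.group(3).strip()])
        elif entries:  # continuation of the previous statement
            entries[-1][2] += " " + line.strip()
    return [tuple(e) for e in entries]


def insert_targets(entries):
    """Count INSERT statements per target table (lower-cased names)."""
    counts = Counter()
    for _, cmd, stmt in entries:
        m = INSERT_RE.match(stmt) if cmd == "Query" else None
        if m:
            counts[m.group(1).lower()] += 1
    return counts


def diagnose(text):
    """Split inserts into snort-schema vs acid_* tables and give a verdict."""
    counts = insert_targets(parse_entries(text))
    acid = {t: n for t, n in counts.items() if t.startswith("acid_")}
    snort = {t: n for t, n in counts.items() if not t.startswith("acid_")}
    if snort and not acid:
        verdict = "snort tables written, acid_* untouched: ACID fills those itself"
    elif not counts:
        verdict = "no inserts at all: this writer is not populating the database"
    else:
        verdict = "acid_* tables are being written directly"
    return {"snort": snort, "acid": acid, "verdict": verdict}
```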