Re: Barnyard not populating opt table

[David Humes <delsasser001 () yahoo com>]

So, it seems as though this is a feature of the
current barnyard implementation.  I took a look at the
op_acid_db.c source code for the output plugin and it
clearly states that tcp and ip options are not
handled.  I took a look at the CVS tree for barnyard
and there are no updates to address this problem. 
Further, there is very little development activity for
this project.  Most of the files have not been touched
in 18 months.  It appears to be at best a stalled
project, which makes me wonder if I should be
deploying it on production sensors when there is no
recent development or bug-fix work.  If anyone out
there is more plugged-in on the future of barnyard,
your inputs would be appreciated.

Thanks.

--Dave


--- David Humes <delsasser001 () yahoo com> wrote:

> I noticed that since installing Barnyard we're not
> seeing any TCP options when viewing events with
> BASE. 
> I checked the snort.opt table and sure enough it was
> empty.  This was a fresh Snort/Barnyard install with
> Barnyard running from the start.  I reconfigured
> Snort
> to log directly to the database, and immediately
> started seeing data in the opt table.  So, it's
> fairly
> certain that the problem is with Barnyard or more
> likely my configuration. 
>
> Here's the config.
>
> config daemon
> config localtime
> config hostname: ranger
> config interface: eth1
> config sid-msg-map:     /etc/snort/rules/sid-msg.map
> config gen-msg-map:     /etc/snort/rules/gen-msg.map
> config class-file:     
> /etc/snort/rules/classification.config
> output alert_acid_db: mysql, database snort, server
> localhost, user snort, password snort, detail full
> output log_acid_db: mysql, database snort, server
> localhost, user snort, password snort, detail full
>
> And here is how it's being started.
>
> /usr/local/bin/barnyard -c
> /etc/snort/barnyard/barnyard.conf -d /var/log/snort
> -f
> snort.log -w /var/log/snort/waldo.barnyard -a
> /var/log/snort/archive
>
> Also, it has never been completely clear if the
> output
> alert_acid_db line is necessary.  I have run
> Barnyard
> without that line and it seemed to work fine execept
> for the problem noted above.  It appears as though
> the
> log files incorporate all of the information in the
> alert files, so I would not think that it should be
> necessary.
>
> We're running Snort-2.4.2, Barnyard-0.2.0, and mysql
> Ver 14.7 
>
> Any assistance would be appreciated.  
>
> --Dave
>
>
>       
>               
______________________________________________________
> Yahoo! for Good 
> Donate to the Hurricane Katrina relief effort. 
> http://store.yahoo.com/redcross-donate3/ 
-------------------------------------------------------
> This SF.Net email is sponsored by:
> Power Architecture Resource Center: Free content,
> downloads, discussions,
> and more.
> http://solutions.newsforge.com/ibmarch.tmpl
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or
> unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
>



                
__________________________________ 
Yahoo! Mail - PC Magazine Editors' Choice 2005 
http://mail.yahoo.com


-------------------------------------------------------
This SF.Net email is sponsored by:
Power Architecture Resource Center: Free content, downloads, discussions,
and more. http://solutions.newsforge.com/ibmarch.tmpl
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users