Snort mailing list archives

Snort + barnyard2 + BASE


From: James Chase <james () mandala-designs com>
Date: Tue, 22 Sep 2009 11:47:19 -0400

Hi,

I have successfully set up snort/barnyard/base before but I am now
setting up a new sensor using barnyard2. I was able to confirm that
everything is working by using barnyard but when I try and use
barnyard2, I do not see any new events added via BASE.

Here is my output in snort.conf:

output alert_unified: filename snort.alert, limit 128
output log_unified: filename snort.log, limit 128

and I am running snort like so: /usr/sbin/snort -D -i eth0 -u snort -g
snort -c /etc/snort/snort.conf -l /var/log/snort

Here is my setup in barnyard2.conf:

input unified2
output database: log, mysql, user=snort password=password dbname=snort
host=localhost
output database: alert, mysql, user=snort password=password dbname=snort
host=localhost  ##I did just have log, but when it wasn't working, I
decided to try it with this output as well, like in barnyard(1).

running barnyard2 with these options: /usr/local/bin/barnyard2 -c
/etc/snort/barnyard2.conf -G /etc/snort/gen-msg.map -S
/etc/snort/sid-msg.map -d /var/log/snort -f snort.log -w
/var/log/snort/barnyard2.waldo -D


I do not think the waldo file is working correctly, but that just tells
barnyard2 where to start, right? When barnyard2 starts up it sees the
files but does not read any records from it and BASE does not show any
new alerts.

I've banged my head for a while but am sure I missed something very simple?

James
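
Added example, not part of the original message: the snort.conf quoted above writes its spool files with the `alert_unified`/`log_unified` plugins while barnyard2.conf declares `input unified2`, and this Python check compares the two for the base name passed to `barnyard2 -f`. The function names and the `output unified2` comparison line are assumptions made for the example.

```python
import re

# Snort 2.x output plugins that write spool files, and the record format each produces.
SPOOL_FORMAT = {
    "alert_unified": "unified", "log_unified": "unified",
    "unified2": "unified2", "alert_unified2": "unified2", "log_unified2": "unified2",
}

# The two configurations quoted in the message above.
SNORT_CONF = """\
output alert_unified: filename snort.alert, limit 128
output log_unified: filename snort.log, limit 128
"""
BARNYARD2_CONF = "input unified2\n"
# Constructed alternative for comparison (not from the message).
SNORT_CONF_UNIFIED2 = "output unified2: filename snort.log, limit 128\n"

def directives(text, keyword):
    """Yield the argument string of each `keyword ...` line, ignoring comments."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        m = re.match(rf"{keyword}\s+(.*)", line)
        if m:
            yield m.group(1)

def spool_outputs(snort_conf):
    """Return {base filename: (plugin, format)} for spool-writing outputs."""
    out = {}
    for args in directives(snort_conf, "output"):
        plugin, _, opts = args.partition(":")
        fname = re.search(r"filename\s+([^,\s]+)", opts)
        if plugin.strip() in SPOOL_FORMAT and fname:
            out[fname.group(1)] = (plugin.strip(), SPOOL_FORMAT[plugin.strip()])
    return out

def check(snort_conf, barnyard2_conf, spool_base):
    """Compare what Snort writes under spool_base (barnyard2 -f) with barnyard2's input."""
    wanted = next(directives(barnyard2_conf, "input"), None)
    plugin, fmt = spool_outputs(snort_conf).get(spool_base, (None, None))
    if plugin is None:
        return [f"no snort output writes {spool_base}.*"]
    if fmt != wanted:
        return [f"{plugin} writes {fmt} records to {spool_base}.*, barnyard2 expects {wanted}"]
    return []

if __name__ == "__main__":
    for conf in (SNORT_CONF, SNORT_CONF_UNIFIED2):
        print(check(conf, BARNYARD2_CONF, "snort.log") or "formats agree")
```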


