Snort mailing list archives

Re: Snort + barnyard2 + BASE


From: "Shenk, Jerry A" <jshenk () decommunications com>
Date: Sat, 24 Oct 2009 14:35:36 -0400

I just upgraded to barnyard2 1.7 beta 4 (I was on 1.6).  I had to work
through a few settings in the barnyard2.conf file as they don't quite
match the comments.  I also had to create a /var/log/barnyard2 but no
log file is showing up there.

Here's what my barnyard2.conf file has now:

config reference_file:      /etc/snort/reference.config
config classification_file: /etc/snort/classification.config
config gen_file:            /etc/snort/gen-msg.map
config sid_file:            /etc/snort/sid-msg.map
config interface:           eth1

input unified2
output alert_syslog:
output database: alert, mysql, user=snort password=password dbname=snort host=localhost

-----Original Message-----
From: Paul Schmehl [mailto:pschmehl_lists () tx rr com] 
Sent: Saturday, October 24, 2009 2:00 PM
To: Shenk, Jerry A; snort-users () lists sourceforge net; James Chase
Subject: Re: [Snort-users] Snort + barnyard2 + BASE

First of all, if either of you are using barnyard2 version 1.6, you need
to upgrade to the 1.7.3 beta.  1.6 does not correctly parse and use the
waldo file, so every time you restart barnyard, it rereads all the
existing log files and reinserts those records into the database.

Jerry and James, how about posting your barnyard2.conf file.  That
appears to be where the problem is.

A typical file should look like this:

********begin barnyard2.conf file*************

config reference-map:   /usr/local/etc/snort/reference.config
config class-map:       /usr/local/etc/snort/classification.config
config gen-msg-map:     /usr/local/etc/snort/gen-msg.map
config sid-msg-map:     /usr/local/etc/snort/sid-msg.map

config hostname:        myserver
config interface:       eth1

# Step 2: setup the input plugins
input unified2

output database: log, mysql, user=user password=password dbname=snort host=localhost

*********end barnyard2.conf file***************

The config settings eliminate the need to call those files from the 
commandline at startup, as you are doing James.

-G /etc/snort/gen-msg.map -S /etc/snort/sid-msg.map

I note that you are not defining the classification.config file or the 
reference.config file on the commandline.  That may be why you're not 
seeing any output.

You can run barnyard2 -T to test your setup and see if there are errors,
and you can add -v for more verbose output.  Running this should tell
you if something is wrong.

barnyard2 -d /var/log/snort/ -f snort.u2 -w /var/log/snort/waldo.file -c /usr/local/etc/barnyard2.conf -T

If you want to save the output, just redirect it to a file.

--On October 24, 2009 9:35:30 AM -0500 "Shenk, Jerry A" 
<jshenk () decommunications com> wrote:


I'm having the exact same problem but I have unified2 set as the
output processor.

My waldo file seems to be working but it's not updating:
Using waldo file '/etc/snort/barnyard.waldo':
    spool directory = /var/log/snort
    spool filebase  = snort.log
    time_stamp      = 1256243504
    record_idx      = 13

Barnyard2 is seeing that there are files to process:
Opened spool file '/var/log/snort/snort.log.1256379065'
Waiting for new data
Closing spool file '/var/log/snort/snort.log.1256379065'. Read 40 records
Opened spool file '/var/log/snort/snort.log.1256379948'
Waiting for new data
Closing spool file '/var/log/snort/snort.log.1256379948'. Read 13 records
Opened spool file '/var/log/snort/snort.log.1256380242'
Waiting for new data

But, it never goes past waiting even if the file does get updated.
Restarting barnyard2 will cause new records to be read in from the
snort.log file.  Barnyard does update the spool file that's being
watched when snort is restarted.

I tried adding syslog to barnyard just to separate mysql issues from
barnyard but barnyard2 doesn't send syslog updates either...and I
believe my syslog output is set correctly because I get "database:
using the "alert" facility" when I start barnyard2.

Here is my syslog output entry:
output alert_syslog:

-----Original Message-----
From: Jefferson, Shawn [mailto:Shawn.Jefferson () bcferries com]
Sent: Tuesday, September 22, 2009 12:21 PM
To: James Chase; snort-users () lists sourceforge net
Subject: Re: [Snort-users] Snort + barnyard2 + BASE

Hi,

You should use the unified2 output preprocessor in Snort.

--
Shawn

-----Original Message-----
From: James Chase [mailto:james () mandala-designs com]
Sent: Tuesday, September 22, 2009 8:47 AM
To: snort-users () lists sourceforge net
Subject: [Snort-users] Snort + barnyard2 + BASE

Hi,

I have successfully setup snort/barnyard/base before but I am now
setting up a new sensor using barnyard2. I was able to confirm that
everything is working by using barnyard but when I try and use
barnyard2, I do not see any new events added via BASE.

Here is my output in snort.conf:

output alert_unified: filename snort.alert, limit 128
output log_unified: filename snort.log, limit 128

and I am running snort like so: /usr/sbin/snort -D -i eth0 -u snort -g
snort -c /etc/snort/snort.conf -l /var/log/snort

Here is my setup in barnyard2.conf:

input unified2
output database: log, mysql, user=snort password=password dbname=snort host=localhost
output database: alert, mysql, user=snort password=password dbname=snort host=localhost  ##I did just have log, but when it wasn't working, I decided to try it with this output as well, like in barnyard(1).

Running barnyard2 with these options: /usr/local/bin/barnyard2 -c /etc/snort/barnyard2.conf -G /etc/snort/gen-msg.map -S /etc/snort/sid-msg.map -d /var/log/snort -f snort.log -w /var/log/snort/barnyard2.waldo -D


I do not think the waldo file is working correctly, but that just
tells barnyard2 where to start, right? When barnyard2 starts up it sees the
files but does not read any records from it and BASE does not show any
new alerts.

I've banged my head for a while but am sure I missed something very
simple?

James




------------------------------------------------------------------------------
Come build with us! The BlackBerry® Developer Conference in SF, CA
is the only developer event you need to attend this year. Jumpstart your
developing skills, take BlackBerry mobile applications to market and stay
ahead of the curve. Join us from November 9-12, 2009. Register now!
http://p.sf.net/sfu/devconf
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users



**DISCLAIMER
This e-mail message and any files transmitted with it are intended for
the use of the individual or entity to which they are addressed and may
contain information that is privileged, proprietary and confidential. If
you are not the intended recipient, you may not use, copy or disclose to
anyone the message or any information contained in the message. If you
have received this communication in error, please notify the sender and
delete this e-mail message. The contents do not represent the opinion of
D&E except to the extent that it relates to their official business.





Paul Schmehl, If it isn't already
obvious, my opinions are my own
and not those of my employer.
******************************************
WARNING: Check the headers before replying



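An added example, not code from this thread, from barnyard2 or from Snort: a small Python pre-flight checker for a barnyard2.conf, written to be run before `barnyard2 -T`. It parses the three directive forms quoted in the thread (`config key: value`, `input unified2`, `output database: ...`), reports map files that the conf references but that do not exist (the kind of gap Paul points at when the classification and reference maps are absent), checks that the database output carries the `user=`, `dbname=` and `host=` parameters, and flags a world-readable conf, since the file holds the database password in clear text. The directive names on both sides (`reference_file` and `reference-map`, and so on) are the two spellings quoted in the thread; the checker takes no position on which spelling a given barnyard2 release accepts, which is what `barnyard2 -T` is for. The `exists` and `mode` parameters, `SAMPLE_CONF` and the `\` line-continuation handling are constructed for this example.

```python
"""Pre-flight checker for a barnyard2.conf (example code, not barnyard2's)."""
import os
import re
import stat
from dataclasses import dataclass, field

# Both spellings quoted in the thread count as "a map-file directive".
MAP_FILE_KEYS = {
    "reference_file", "classification_file", "gen_file", "sid_file",
    "reference-map", "class-map", "gen-msg-map", "sid-msg-map",
}

_CONFIG_RE = re.compile(r"^config\s+([\w-]+)\s*:\s*(.*)$")
_INPUT_RE = re.compile(r"^input\s+(\S+)$")
_OUTPUT_RE = re.compile(r"^output\s+([\w-]+)\s*:?\s*(.*)$")

# Constructed sample modelled on the configs quoted in the thread.
SAMPLE_CONF = """\
config reference_file:      /etc/snort/reference.config
config classification_file: /etc/snort/classification.config
config gen_file:            /etc/snort/gen-msg.map
config sid_file:            /etc/snort/sid-msg.map
config interface:           eth1

# Step 2: setup the input plugins
input unified2
output alert_syslog:
output database: alert, mysql, user=snort password=password dbname=snort \\
    host=localhost  ## trailing note, dropped by the parser
"""


@dataclass
class Barnyard2Config:
    config: dict = field(default_factory=dict)   # directive -> value
    inputs: list = field(default_factory=list)   # e.g. ['unified2']
    outputs: list = field(default_factory=list)  # (name, args) pairs


def parse_barnyard2_conf(text):
    """Parse the directive forms used in the thread. '#' starts a comment;
    a trailing backslash joins the next line (assumed, Snort-style)."""
    cfg = Barnyard2Config()
    pending = ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.endswith("\\"):
            pending += line[:-1].rstrip() + " "
            continue
        line, pending = (pending + line).strip(), ""
        if m := _CONFIG_RE.match(line):
            cfg.config[m.group(1)] = m.group(2).strip()
        elif m := _INPUT_RE.match(line):
            cfg.inputs.append(m.group(1))
        elif m := _OUTPUT_RE.match(line):
            cfg.outputs.append((m.group(1), m.group(2).strip()))
        else:
            raise ValueError("unrecognised directive: %r" % line)
    return cfg


def parse_output_args(args):
    """'log, mysql, user=snort host=localhost' ->
    (['log', 'mysql'], {'user': 'snort', 'host': 'localhost'})."""
    positional, params = [], {}
    for chunk in args.split(","):
        for tok in chunk.split():
            if "=" in tok:
                key, value = tok.split("=", 1)
                params[key] = value
            else:
                positional.append(tok)
    return positional, params


def check_config(cfg, exists=os.path.exists):
    """Return a list of problems; empty means nothing obvious is wrong.
    `exists` is injectable so the checker runs against constructed input."""
    problems = []
    seen_maps = [k for k in cfg.config if k in MAP_FILE_KEYS]
    if not seen_maps:
        problems.append("no map-file directives; -G/-S on the command line "
                        "cover only the gen and sid maps")
    for key in seen_maps:
        if not exists(cfg.config[key]):
            problems.append("config %s: %s not found" % (key, cfg.config[key]))
    if "unified2" not in cfg.inputs:
        problems.append("missing 'input unified2'; nothing reads Snort's spool")
    if not cfg.outputs:
        problems.append("no output directive; records are read and dropped")
    for name, args in cfg.outputs:
        if name != "database":
            continue
        positional, params = parse_output_args(args)
        if len(positional) < 2 or positional[0] not in ("alert", "log"):
            problems.append("output database: expected '<alert|log>, <dbtype>,"
                            " ...' but got %r" % args)
        for required in ("user", "dbname", "host"):
            if required not in params:
                problems.append("output database: %s= is missing" % required)
    return problems


def conf_is_world_readable(path, mode=None):
    """True when 'other' can read the conf (it carries the DB password).
    `mode` may be passed explicitly instead of stat()ing `path`."""
    if mode is None:
        mode = os.stat(path).st_mode
    return bool(mode & stat.S_IROTH)


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            cfg = parse_barnyard2_conf(fh.read())
        if conf_is_world_readable(sys.argv[1]):
            print("warning: %s is world-readable" % sys.argv[1])
    else:
        cfg = parse_barnyard2_conf(SAMPLE_CONF)
    for problem in check_config(cfg):
        print("problem:", problem)
```

Run it as `python3 check_by2.py /etc/snort/barnyard2.conf` to check a real file, or with no argument to see it reject the constructed sample on a host without /etc/snort. It deliberately does not validate directive spellings against a fixed list, because the thread shows two sets of names in circulation; an unrecognised directive raises so that a typo such as `barnyard2,conf`-style slips in the conf itself are caught rather than silently ignored.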

