Snort mailing list archives

Re: Barnyard2 showing no records


From: <wkitty42 () windstream net>
Date: Mon, 30 Sep 2013 11:49:21 -0400


On Wednesday, September 25, 2013 10:05 AM, Greg Martin <grmartin () integritybankonline com> wrote: 

> We have had Snort running now for a couple of months and there have really been no issues, but now all of a sudden 
> information is not being sent from Barnyard2.  It just states that it is waiting for data.  I checked connections going 
> from the snort machine to our mirrored port on our switch and the connection seems fine.  I am going to logon to the 
> switch once I get an issue resolved with my logon to the switch.  Anyhow, I was wondering if you might have any ideas 
> or be able to suggest further troubleshooting on this issue?  I restarted the snort machine as well and this did not 
> make a difference either.

start at the beginning of the trail...

1. snort - is the defined output .u2 file gaining content?

if the defined unified2 output file is filling up, then move to step 2 otherwise you need to figure out why snort is 
not seeing traffic and recording alerts...

2. barnyard2 - is barnyard2 able to access and read the defined u2 file?

if yes, then move to the other half of by2... if no, then you need to figure out why by2 can no longer read the u2 
file(s) it was reading previously...

3. barnyard2 - can barnyard2 communicate with the database?

if yes, then traffic alerts should be flowing from snort to the output u2 file, through by2 and into the database for 
your tools to read from the database...

something else to consider is if network transport has been changed recently... maybe now packaged in VLAN(s)... you 
also mention your login to a router... it is possible that router(s) may have been compromised or otherwise altered so 
the traffic is not sent to snort...

that's everything i can think of... just remember to always start at the beginning of the trail... the way up the 
mountain is not found by dropping into the middle of the forest and striking out in any old direction hoping to hit a 
trail that may not even be on said mountain ;)
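
The three checks in the reply above, as a bash sketch added to this archive page (not part of the original message, nor code from Snort or Barnyard2): it reports the first step on the trail that fails. The unified2 file path, wait window, database host and port are operator-supplied arguments, and the function names are made up for this example.

```shell
#!/usr/bin/env bash
# Added example: walk the trail in order and report the first broken step.
# FILE, WAIT, HOST and PORT are supplied by the operator; nothing is hard-coded.

# Step 1: is the unified2 file gaining content over a WAIT-second window?
u2_growing() {   # u2_growing FILE WAIT
    local before after
    before=$(wc -c < "$1") || return 1   # missing file counts as "not growing"
    sleep "$2"
    after=$(wc -c < "$1") || return 1
    [ "$after" -gt "$before" ]
}

# Step 2: can the current account read the file? (-r plus an actual read)
# Run the script as the account barnyard2 runs under.
u2_readable() {  # u2_readable FILE
    [ -r "$1" ] && head -c 8 "$1" >/dev/null 2>&1
}

# Step 3: does a TCP connection to the database listener succeed within 3s?
db_reachable() { # db_reachable HOST PORT
    timeout 3 bash -c 'exec 3<>"/dev/tcp/$0/$1"' "$1" "$2" 2>/dev/null
}

# Print the number of the first failing step, or 0 if all three pass.
first_broken_step() { # first_broken_step FILE WAIT HOST PORT
    u2_growing "$1" "$2"   || { echo 1; return; }
    u2_readable "$1"       || { echo 2; return; }
    db_reachable "$3" "$4" || { echo 3; return; }
    echo 0
}

# Stand-alone use: script.sh FILE WAIT HOST PORT
if [ "$#" -eq 4 ]; then
    first_broken_step "$@"
fi
```

Run it as the account Barnyard2 runs under so that step 2 tests the right permissions; on a quiet link, use a wait window long enough for at least one alert to be logged.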
