Re: Snort & Barnyard

[Ayodele Okeowo <aymacro () gmail com>]

Does that mean it worked?

Ayo


On Mon, Dec 23, 2013 at 10:20 AM, James Hodge <james () hodgey com> wrote:

> Hi,
>
> Thanks for your reply. Yes, at least I think so, I'm running snort like
> this:
> /usr/sbin/snort -A fast -b -d -D -i eth1 -u snort -g snort -c
> /etc/snort/snort.conf -l /usr/local/snort/var/log/eth1
>
> Starting barnyard without daemon mode shows this only:
>
> root@network08:/var/www/aanval/apps# barnyard2 -c
> /etc/snort/barnyard.conf -d /usr/local/snort/var/log/eth1 -w
> /usr/local/snort/var/log/eth1/barnyard2.waldo -l
> /usr/local/snort/var/log/eth1 -a /usr/local/snort/var/log/eth1/archive -f
> snort.log -X /var/lock/barnyard2-eth1.pid
> Running in Continuous mode
>
>         --== Initializing Barnyard2 ==--
> Initializing Input Plugins!
> Initializing Output Plugins!
> Parsing config file "/etc/snort/barnyard.conf"
>
>
> +[ Signature Suppress list ]+
> ----------------------------
> +[No entry in Signature Suppress List]+
> ----------------------------
> +[ Signature Suppress list ]+
>
>
> Barnyard2 spooler: Event cache size set to [2048]
> Log directory = /usr/local/snort/var/log/eth1
> INFO database: Defaulting Reconnect/Transaction Error limit to 10
> INFO database: Defaulting Reconnect sleep time to 5 second
>
> [SignatureReferencePullDataStore()]: No Reference found in database ...
> database: compiled support for (mysql)
> database: configured to use mysql
> database: schema version = 107
> database:           host = localhost
> database:           user = snort_user
> database:  database name = snortdb
> database:    sensor name = localhost:eth1
> database:      sensor id = 2
> database:     sensor cid = 1
> database:  data encoding = hex
> database:   detail level = full
> database:     ignore_bpf = no
> database: using the "log" facility
>
>         --== Initialization Complete ==--
>
>   ______   -*> Barnyard2 <*-
>  / ,,_  \  Version 2.1.13 (Build 327)
>  |o"  )~|  By Ian Firns (SecurixLive): http://www.securixlive.com/
>  + '''' +  (C) Copyright 2008-2013 Ian Firns <firnsy () securixlive com>
>
> Using waldo file '/usr/local/snort/var/log/eth1/barnyard2.waldo':
>     spool directory = /usr/local/snort/var/log/eth1
>     spool filebase  = snort.log
>     time_stamp      = 1387663189
>     record_idx      = 0
> Opened spool file '/usr/local/snort/var/log/eth1/snort.log.1387663189'
> Closing spool file '/usr/local/snort/var/log/eth1/snort.log.1387663189'.
> Read 0 records
> Opened spool file '/usr/local/snort/var/log/eth1/snort.log.1387811302'
> Waiting for new data
>
> If I then press ctrl-c it says it's seen 0 for every field.
>
> If it helps, this is the dir in question:
>
> root@network08:/var/www/aanval/apps# ls -al /usr/local/snort/var/log/eth1/
>
> total 98184
> drwxr-xr-x 4 snort snort      4096 Dec 23 15:11 .
> drwxr-xr-x 4 snort snort      4096 Dec 21 22:27 ..
> -rw-r--r-- 1 snort snort 100383823 Dec 23 15:13 alert
> drwxr-xr-x 2 snort snort      4096 Dec 23 15:11 archive
> -rw------- 1 snort snort      2056 Dec 23 15:11 barnyard2.waldo
> -rw------- 1 snort snort    128173 Dec 23 15:13 snort.log.1387811302
>
>
>
> On 22 December 2013 23:29, Ayodele Okeowo <aymacro () gmail com> wrote:
>
> > When you ran snort did you use the ' console -A' switch? Also did you
> > test tour barnyard without daemon?
> > On Dec 22, 2013 6:04 PM, "James" <snort () cyclohexane net> wrote:
> >
> > >  Hi all,
> > >
> > > I've followed this guide:
> > > http://wiki.aanval.com/wiki/Community:Snort_2.9.2.3_Installation_Guide_for_Ubuntu_12.04,_with_Barnyard2,_Pulledpork,_and_Aanval
> > > but using the most current Snort + Barnyard and everything seems to have
> > > installed and start-up correctly, but I'm not seeing anything get logged
> > > into the MySQL database. There were a few mistakes in the guide, which I've
> > > managed to fix with a bit of Googling, but I can't seem to solve this. I
> > > realise you're probably going to need more information to be able to help,
> > > but don't know enough yet to guess what that might be. Can anyone help
> > > please? The alternative is I wipe it all and start again in the hope I just
> > > missed something stupid the first time, but hopefully someone could help me
> > > avoid that?
> > >
> > > Thanks
> > > James
> > >
> > >
> > > ------------------------------------------------------------------------------
> > > Rapidly troubleshoot problems before they affect your business. Most IT
> > > organizations don't have a clear picture of how application performance
> > > affects their revenue. With AppDynamics, you get 100% visibility into
> > > your
> > > Java,.NET, & PHP application. Start your 15-day FREE TRIAL of
> > > AppDynamics Pro!
> > >
> > > http://pubads.g.doubleclick.net/gampad/clk?id=84349831&iu=/4140/ostg.clktrk
> > > _______________________________________________
> > > Snort-users mailing list
> > > Snort-users () lists sourceforge net
> > > Go to this URL to change user options or unsubscribe:
> > > https://lists.sourceforge.net/lists/listinfo/snort-users
> > > Snort-users list archive:
> > > http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
> > >
> > > Please visit http://blog.snort.org to stay current on all the latest
> > > Snort news!
>
>
> ------------------------------------------------------------------------------
> Rapidly troubleshoot problems before they affect your business. Most IT
> organizations don't have a clear picture of how application performance
> affects their revenue. With AppDynamics, you get 100% visibility into your
> Java,.NET, & PHP application. Start your 15-day FREE TRIAL of AppDynamics
> Pro!
> http://pubads.g.doubleclick.net/gampad/clk?id=84349831&iu=/4140/ostg.clktrk
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>
> Please visit http://blog.snort.org to stay current on all the latest
> Snort news!
------------------------------------------------------------------------------
Rapidly troubleshoot problems before they affect your business. Most IT 
organizations don't have a clear picture of how application performance 
affects their revenue. With AppDynamics, you get 100% visibility into your 
Java,.NET, & PHP application. Start your 15-day FREE TRIAL of AppDynamics Pro!
http://pubads.g.doubleclick.net/gampad/clk?id=84349831&iu=/4140/ostg.clktrk

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!