Snort mailing list archives

Re: AANVAL or MYSQL question


From: Y M <snort () outlook com>
Date: Tue, 22 Apr 2014 18:05:41 +0000

> Did not recreate the waldo file.

Try stopping Barnyard2 and running it again. If it still does not create them, you can create them yourself:

touch /path/to/waldo/barnyard2.waldo

> Do get repeated:

This is because you deleted the waldo file: Barnyard2 goes through all of the logs attempting to read them. The waldo file allows Barnyard2 to keep track of these logs.

> Apr 21 12:28:22 rlicsnortids1 snort[1321]: S5: Pruned 5 sessions from cache for memcap. 5195 ssns remain.  memcap: 8387389/8388608

This is because you are running the stream5 preprocessor with the default memcap. It is a good practice to change the default values; based on your network, of course.

> Did not do this yet.

That's ok, you probably won't need to.

> ps aux|grep snort

From the output, it seems that you are running multiple instances of Snort and Barnyard2. If that's the case, there are various considerations that you need to look at:

1. Multiple Snort configurations, specifically when monitoring multiple network segments.
2. Packet load balancing (PF_RING). As far as I know, running multiple instances of Snort without packet load balancing will not achieve what you are trying to do. Please correct me if I am wrong.
3. Multiple instances of Snort and Barnyard2 would require appropriate directory segregation of output files/directories. The same goes for waldo files.

> /usr/sbin/snort -A fast -b -d -D -i eth0 -u snort -g snort -c /etc/snort/snort.conf -l /var/log/snort/eth0

From the command, you are overriding the output mechanism specified in the snort.conf file. Any command line argument will override its counterpart in the snort.conf file, as stated in the Snort manual. So in your case, you are outputting Snort's fast logs, and not unified2 logs. This is why Barnyard2 is not able to read them.

Hope this helps.
YM

From: SGierczak () presencehealth org
To: snort () outlook com
CC: snort-users () lists sourceforge net
Subject: RE: [Snort-users] AANVAL or MYSQL question
Date: Tue, 22 Apr 2014 17:09:42 +0000

Did as suggested:

Apr 21 12:44:09 rlicsnortids1 barnyard2[2015]: WARNING: Ignoring corrupt/truncated waldofile '/var/log/snort/eth0/barnyard2.waldo'

> If it's possible, stop Snort and Barnyard2, and then delete the waldo. Barnyard2 will create a new one for you.

Did not recreate the waldo file.

Apr 22 12:01:11 rlicsnortids1 snort[3514]:         --== Initialization Complete ==--
Apr 22 12:01:11 rlicsnortids1 snort[3514]: Commencing packet processing (pid=3514)
Apr 22 12:01:11 rlicsnortids1 snort[3514]: Commencing packet processing (pid=3514)
Apr 22 12:01:24 rlicsnortids1 barnyard2[3520]: Running in Continuous mode
Apr 22 12:01:24 rlicsnortids1 barnyard2[3520]:
Apr 22 12:01:24 rlicsnortids1 barnyard2[3520]:         --== Initializing Barnyard2 ==--
Apr 22 12:01:24 rlicsnortids1 barnyard2[3520]: Initializing Input Plugins!
Apr 22 12:01:24 rlicsnortids1 barnyard2[3520]: Initializing Output Plugins!
Apr 22 12:01:24 rlicsnortids1 barnyard2[3520]: Parsing config file "/etc/snort/barnyard.conf"
Apr 22 12:01:26 rlicsnortids1 barnyard2[3520]: Log directory = /var/log/snort/eth0
Apr 22 12:01:26 rlicsnortids1 barnyard2[3520]: Initializing daemon mode
Apr 22 12:01:26 rlicsnortids1 barnyard2[3520]: Daemon parent exiting
Apr 22 12:01:26 rlicsnortids1 barnyard2[3521]: Daemon initialized, signaled parent pid: 3520
Apr 22 12:01:26 rlicsnortids1 barnyard2[3521]: PID path stat checked out ok, PID path set to /var/run/
Apr 22 12:01:26 rlicsnortids1 barnyard2[3521]: Writing PID "3521" to file "/var/run//barnyard2_NULL.pid"
Apr 22 12:01:26 rlicsnortids1 barnyard2[3521]: database: compiled support for (mysql)
Apr 22 12:01:26 rlicsnortids1 barnyard2[3521]: database: configured to use mysql
Apr 22 12:01:26 rlicsnortids1 barnyard2[3521]: database: schema version = 107
Apr 22 12:01:26 rlicsnortids1 barnyard2[3521]: database:           host = localhost
Apr 22 12:01:26 rlicsnortids1 barnyard2[3521]: database:           user = snort_user
Apr 22 12:01:26 rlicsnortids1 barnyard2[3521]: database:  database name = snortdb
Apr 22 12:01:26 rlicsnortids1 barnyard2[3521]: database:    sensor name = rlicsnortids1:NULL
Apr 22 12:01:26 rlicsnortids1 barnyard2[3521]: database:      sensor id = 1
Apr 22 12:01:26 rlicsnortids1 barnyard2[3521]: database:     sensor cid = 1
Apr 22 12:01:26 rlicsnortids1 barnyard2[3521]: database:  data encoding = hex
Apr 22 12:01:26 rlicsnortids1 barnyard2[3521]: database:   detail level = full
Apr 22 12:01:26 rlicsnortids1 barnyard2[3521]: database:     ignore_bpf = no
Apr 22 12:01:26 rlicsnortids1 barnyard2[3521]: database: using the "log" facility
Apr 22 12:01:26 rlicsnortids1 barnyard2[3521]:
Apr 22 12:01:26 rlicsnortids1 barnyard2[3521]:         --== Initialization Complete ==--
Apr 22 12:01:26 rlicsnortids1 barnyard2[3521]: Barnyard2 initialization completed successfully (pid=3521)
Apr 22 12:01:26 rlicsnortids1 barnyard2[3521]: WARNING: Unable to open waldo file '/var/log/snort/eth0/barnyard2.waldo' (No such file or directory)
Apr 22 12:01:26 rlicsnortids1 barnyard2[3521]: Opened spool file '/var/log/snort/eth0/snort.log.1398128272'
Apr 22 12:01:26 rlicsnortids1 barnyard2[3521]: Closing spool file '/var/log/snort/eth0/snort.log.1398128272'. Read 1 records
Apr 22 12:01:26 rlicsnortids1 barnyard2[3521]: Opened spool file '/var/log/snort/eth0/snort.log.1398186071'
Apr 22 12:01:26 rlicsnortids1 barnyard2[3521]: Waiting for new data

> Apr 21 12:44:09 rlicsnortids1 barnyard2[2015]: Waiting for new data

Do get repeated:

Apr 21 08:43:57 rlicsnortids1 barnyard2[1465]: Closing spool file '/var/log/snort/eth0/snort.log.1398084990'. Read 1 records
Apr 21 08:43:57 rlicsnortids1 barnyard2[1465]: Opened spool file '/var/log/snort/eth0/snort.log.1398087837'
Apr 21 08:43:57 rlicsnortids1 barnyard2[1465]: Waiting for new data
Apr 21 09:22:38 rlicsnortids1 barnyard2[1465]: Closing spool file '/var/log/snort/eth0/snort.log.1398087837'. Read 1 records
Apr 21 09:22:38 rlicsnortids1 barnyard2[1465]: Opened spool file '/var/log/snort/eth0/snort.log.1398090157'
Apr 21 09:22:38 rlicsnortids1 barnyard2[1465]: Waiting for new data

Also:

Apr 21 12:28:22 rlicsnortids1 snort[1321]: S5: Pruned 5 sessions from cache for memcap. 5195 ssns remain.  memcap: 8387389/8388608
Apr 21 12:28:22 rlicsnortids1 snort[1321]: S5: Pruned 5 sessions from cache for memcap. 5190 ssns remain.  memcap: 8383940/8388608
Apr 21 12:28:22 rlicsnortids1 snort[1321]: S5: Pruned 5 sessions from cache for memcap. 5210 ssns remain.  memcap: 8387597/8388608

> After this line, do you get any other information in the syslog as new alerts are being written into the unified2 log? You can also enable local syslog output in Barnyard2, just to be sure that the Barnyard2 setup is ok.

Did not do this yet.

> While Snort and Barnyard2 are running, do
>
> ps aux | grep snort              (paste the output related to Snort)
> ps aux | grep barnyard2     (paste the output related to Barnyard2)

root@rlicsnortids1:/var/log# ps aux|grep snort
avahi      605  0.0  0.0  32312  1236 ?        S    Apr21   0:00 avahi-daemon: running [rlicsnortids1.local]
snort     1321 82.3 12.3 633956 501136 ?       Rsl  Apr21 1393:18 /usr/sbin/snort -A fast -b -d -D -i eth0 -u snort -g snort -c /etc/snort/snort.conf -l /var/log/snort/eth0
snort     3514 66.1  7.6 633684 308620 ?       Rsl  12:01   4:34 /usr/sbin/snort -A fast -b -d -D -i eth0 -u snort -g snort -c /etc/snort/snort.conf -l /var/log/snort/eth0
root      3521  0.0  0.8 138788 32408 ?        Ss   12:01   0:00 barnyard2 -D -c /etc/snort/barnyard.conf -d /var/log/snort/eth0 -w /var/log/snort/eth0/barnyard2.waldo -l /var/log/snort/eth0 -a /var/log/snort/eth0/archive -f snort.log -X /var/lock/barnyard2-eth0.pid
root      3536  0.0  0.0   8116   928 pts/0    S+   12:08   0:00 grep --color=auto snort
root@rlicsnortids1:/var/log# ps aux|grep barnyard2
root      3521  0.0  0.8 138788 33728 ?        Ss   12:01   0:00 barnyard2 -D -c /etc/snort/barnyard.conf -d /var/log/snort/eth0 -w /var/log/snort/eth0/barnyard2.waldo -l /var/log/snort/eth0 -a /var/log/snort/eth0/archive -f snort.log -X /var/lock/barnyard2-eth0.pid
root      3538  0.0  0.0   8112   932 pts/0    R+   12:08   0:00 grep --color=auto barnyard2
root@rlicsnortids1:/var/log#

Like I said, you are losing me a little. I am running barnyard as a startup when the system comes up, or by:

service barnyard2 start/stop

I believe that all the configuration then comes from /usr/local/etc/barnyard2.conf.

In that file, the following are uncommented:

config reference_file: /etc/snort/reference.config
config classification_file: /etc/snort/classification.config
config gen_file: /etc/snort/gen-msg.map
config sid_file: /etc/snort/sid-msg.map
config daemon
input unified2
output alert_fast: stdout
output database: log, mysql, user=snort_user password=snortuser dbname=snortdb host=localhost

When I stop and start barnyard, the following gets generated in the syslog file:

Apr 21 12:44:08 rlicsnortids1 barnyard2[2014]: Running in Continuous mode
Apr 21 12:44:08 rlicsnortids1 barnyard2[2014]:
Apr 21 12:44:08 rlicsnortids1 barnyard2[2014]: --== Initializing Barnyard2 ==--
Apr 21 12:44:08 rlicsnortids1 barnyard2[2014]: Initializing Input Plugins!
Apr 21 12:44:08 rlicsnortids1 barnyard2[2014]: Initializing Output Plugins!
Apr 21 12:44:08 rlicsnortids1 barnyard2[2014]: Parsing config file "/etc/snort/barnyard.conf"
Apr 21 12:44:09 rlicsnortids1 barnyard2[2014]: Log directory = /var/log/snort/eth0
Apr 21 12:44:09 rlicsnortids1 barnyard2[2014]: Initializing daemon mode
Apr 21 12:44:09 rlicsnortids1 barnyard2[2014]: Daemon parent exiting
Apr 21 12:44:09 rlicsnortids1 barnyard2[2015]: Daemon initialized, signaled parent pid: 2014
Apr 21 12:44:09 rlicsnortids1 barnyard2[2015]: PID path stat checked out ok, PID path set to /var/run/
Apr 21 12:44:09 rlicsnortids1 barnyard2[2015]: Writing PID "2015" to file "/var/run//barnyard2_NULL.pid"
Apr 21 12:44:09 rlicsnortids1 barnyard2[2015]: database: compiled support for (mysql)
Apr 21 12:44:09 rlicsnortids1 barnyard2[2015]: database: configured to use mysql
Apr 21 12:44:09 rlicsnortids1 barnyard2[2015]: database: schema version = 107
Apr 21 12:44:09 rlicsnortids1 barnyard2[2015]: database: host = localhost
Apr 21 12:44:09 rlicsnortids1 barnyard2[2015]: database: user = snort_user
Apr 21 12:44:09 rlicsnortids1 barnyard2[2015]: database: database name = snortdb
    (This is the correct snortdb)
Apr 21 12:44:09 rlicsnortids1 barnyard2[2015]: database: sensor name = rlicsnortids1:NULL
Apr 21 12:44:09 rlicsnortids1 barnyard2[2015]: database: sensor id = 1
Apr 21 12:44:09 rlicsnortids1 barnyard2[2015]: database: sensor cid = 1
Apr 21 12:44:09 rlicsnortids1 barnyard2[2015]: database: data encoding = hex
Apr 21 12:44:09 rlicsnortids1 barnyard2[2015]: database: detail level = full
Apr 21 12:44:09 rlicsnortids1 barnyard2[2015]: database: ignore_bpf = no
Apr 21 12:44:09 rlicsnortids1 barnyard2[2015]: database: using the "log" facility
Apr 21 12:44:09 rlicsnortids1 barnyard2[2015]:
Apr 21 12:44:09 rlicsnortids1 barnyard2[2015]: --== Initialization Complete ==--
Apr 21 12:44:09 rlicsnortids1 barnyard2[2015]: Barnyard2 initialization completed successfully (pid=2015)
Apr 21 12:44:09 rlicsnortids1 barnyard2[2015]: WARNING: Ignoring corrupt/truncated waldofile '/var/log/snort/eth0/barnyard2.waldo'
Apr 21 12:44:09 rlicsnortids1 barnyard2[2015]: Opened spool file '/var/log/snort/eth0/snort.log.1398100514'
    (This is the correct location for the snort log)
Apr 21 12:44:09 rlicsnortids1 barnyard2[2015]: Waiting for new data

Thanks for your help again.


On 4/17/2014 12:39 PM, Gierczak, Stan wrote:

> Sorry, this is where you are losing me, I think.
>
> What I believe the answer is that barnyard2 is being run as a service.
>
> The executable that was created is from the install guide at
>
> http://wiki.aanval.com/wiki/Community:Snort_2.9.2.3_Installation_Guide_for_Ubuntu_12.04,_with_Barnyard2,_Pulledpork,_and_Aanval

You forgot to supply the requested startup command line for your barnyard2.

You forgot to say if your barnyard2 is being pointed to the proper snort log directory. This might be done on the command line or possibly inside the barnyard2 config.

--
NOTE: No off-list assistance is given without prior approval.
Please keep mailing list traffic on the list unless
private contact is specifically requested and granted.

------------------------------------------------------------------------------
Learn Graph Databases - Download FREE O'Reilly Book "Graph Databases" is the definitive new guide to graph databases and their applications. Written by three acclaimed leaders in the field, this first edition is now available. Download your free book today!
http://p.sf.net/sfu/NeoTech
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
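YM's diagnosis at the top of this thread comes down to whether the snort.log.<timestamp> files in /var/log/snort/eth0 are unified2 spool files at all. A directory listing cannot settle that: "snort -b" writes tcpdump-format packet logs under the same snort.log.<timestamp> name pattern that "output unified2: filename snort.log" uses. The first bytes can settle it, because a pcap file starts with the pcap magic number while a unified2 spool starts with a record header (type, length, network byte order). The script below is an added example, not code from the thread, from Snort or from Barnyard2. The record type constants and the Unified2IDSEvent layout are taken from Snort's Unified2_common.h; the sample bytes are constructed inline; the 1 MiB sanity bound on record length and the filename prefix are assumptions of this example.

```python
"""Tell pcap from unified2 in a Snort spool directory and walk unified2 records.

Added example for this thread; not part of Snort or Barnyard2. Sample data is constructed inline.
"""
import os
import struct
import sys
from typing import Dict, Iterator, List, Tuple

# pcap global-header magic (what "snort -b" writes), both byte orders plus the nanosecond variants
PCAP_MAGICS = {b"\xa1\xb2\xc3\xd4", b"\xd4\xc3\xb2\xa1", b"\xa1\xb2\x3c\x4d", b"\x4d\x3c\xb2\xa1"}

# unified2 record types (Snort's Unified2_common.h)
UNIFIED2_PACKET = 2
UNIFIED2_IDS_EVENT = 7
UNIFIED2_IDS_EVENT_IPV6 = 72
UNIFIED2_IDS_EVENT_MPLS = 99
UNIFIED2_IDS_EVENT_IPV6_MPLS = 100
UNIFIED2_IDS_EVENT_VLAN = 104
UNIFIED2_IDS_EVENT_IPV6_VLAN = 105
UNIFIED2_EXTRA_DATA = 110
EVENT_TYPES = {UNIFIED2_IDS_EVENT, UNIFIED2_IDS_EVENT_IPV6, UNIFIED2_IDS_EVENT_MPLS,
               UNIFIED2_IDS_EVENT_IPV6_MPLS, UNIFIED2_IDS_EVENT_VLAN, UNIFIED2_IDS_EVENT_IPV6_VLAN}
KNOWN_TYPES = EVENT_TYPES | {UNIFIED2_PACKET, UNIFIED2_EXTRA_DATA}

RECORD_HDR = struct.Struct("!II")       # Serial_Unified2_Header: type, length (network byte order)
IDS_EVENT = struct.Struct("!11I2H4B")   # Unified2IDSEvent (type 7): 52 bytes
# Every event layout starts with sensor_id, event_id, event_second, event_microsecond,
# signature_id, generator_id, signature_revision; that prefix is enough to name the rule.
EVENT_PREFIX = struct.Struct("!7I")
MAX_RECORD_LEN = 1 << 20                # sanity bound for the header check (assumption of this example)


def classify_spool(head: bytes) -> str:
    """Classify a spool file from its first bytes: 'pcap', 'unified2', 'empty' or 'unknown'."""
    if len(head) < RECORD_HDR.size:
        return "empty"
    if head[:4] in PCAP_MAGICS:
        return "pcap"                   # written by "snort -b", not by "output unified2"
    rtype, rlen = RECORD_HDR.unpack_from(head, 0)
    if rtype in KNOWN_TYPES and 0 < rlen <= MAX_RECORD_LEN:
        return "unified2"
    return "unknown"


def iter_records(data: bytes) -> Iterator[Tuple[int, bytes]]:
    """Yield (type, body) for each unified2 record; a short read means a truncated spool."""
    off = 0
    while off < len(data):
        if off + RECORD_HDR.size > len(data):
            raise ValueError(f"truncated record header at offset {off}")
        rtype, rlen = RECORD_HDR.unpack_from(data, off)
        off += RECORD_HDR.size
        if off + rlen > len(data):
            raise ValueError(f"truncated record body at offset {off - RECORD_HDR.size} "
                             f"(type {rtype}, length {rlen})")
        yield rtype, data[off:off + rlen]
        off += rlen


def summarize(data: bytes) -> Dict[str, object]:
    """Count records per type and list (gid, sid, rev) for every IDS event record."""
    counts: Dict[int, int] = {}
    events: List[Tuple[int, int, int]] = []
    for rtype, body in iter_records(data):
        counts[rtype] = counts.get(rtype, 0) + 1
        if rtype in EVENT_TYPES and len(body) >= EVENT_PREFIX.size:
            _sensor, _event_id, _sec, _usec, sid, gid, rev = EVENT_PREFIX.unpack_from(body, 0)
            events.append((gid, sid, rev))
    return {"counts": counts, "events": events}


def check_directory(path: str, prefix: str = "snort.log.") -> Dict[str, str]:
    """Classify every spool file in a Snort log directory from its first 8 bytes."""
    results: Dict[str, str] = {}
    for name in sorted(os.listdir(path)):
        if name.startswith(prefix):
            with open(os.path.join(path, name), "rb") as fh:
                results[name] = classify_spool(fh.read(RECORD_HDR.size))
    return results


# Constructed samples (not captured from the poster's sensor).
# A pcap global header as "-b" would write: little-endian magic, v2.4, snaplen 65535, LINKTYPE_ETHERNET.
SAMPLE_PCAP = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
# A unified2 spool with one IDS event (gid 1, sid 1000001, rev 3, TCP 10.0.0.1:12345 -> 10.0.0.2:80)
# followed by its packet record (Serial_Unified2Packet header, 28 bytes, then 3 bytes of payload).
_EVENT = IDS_EVENT.pack(1, 1, 1398128272, 0, 1000001, 1, 3, 0, 1,
                        0x0A000001, 0x0A000002, 12345, 80, 6, 0, 0, 0)
_PACKET = struct.pack("!7I", 1, 1, 1398128272, 1398128272, 0, 1, 3) + b"\xaa\xbb\xcc"
SAMPLE_UNIFIED2 = (RECORD_HDR.pack(UNIFIED2_IDS_EVENT, len(_EVENT)) + _EVENT
                   + RECORD_HDR.pack(UNIFIED2_PACKET, len(_PACKET)) + _PACKET)

if __name__ == "__main__":
    for label, blob in (("constructed pcap", SAMPLE_PCAP), ("constructed unified2", SAMPLE_UNIFIED2)):
        kind = classify_spool(blob[:RECORD_HDR.size])
        print(label, "->", kind, summarize(blob) if kind == "unified2" else "")
    if len(sys.argv) > 1:                       # e.g. python3 spoolcheck.py /var/log/snort/eth0
        for name, kind in check_directory(sys.argv[1]).items():
            print(f"{name}: {kind}")
```

Run it against the sensor's -l directory (python3 spoolcheck.py /var/log/snort/eth0): a column of "pcap" means Snort is writing tcpdump packet logs, not a unified2 spool, and no amount of waldo handling on the Barnyard2 side will change what it reads. The truncation check in iter_records matters for the same reason the waldo file does: a spool that Snort is still appending to can legitimately end mid-record, so a ValueError on the newest file is expected, while one on an archived file points at a real problem.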

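What a snort.conf output section and stream5 line matching YM's two points look like, as an added example rather than the poster's actual configuration: the default stream5_global memcap of 8388608 bytes is the denominator in the "memcap: 8387389/8388608" pruning messages above, and 268435456 is an illustrative raised value, not a recommendation for this network. The command line in the comment is the poster's, minus the -A fast and -b switches that YM identifies as overriding the configured output; the observation that -b on its own writes tcpdump-format packet logs named snort.log.<timestamp>, the same name pattern as a unified2 spool, is the editor's, not YM's, and is worth checking before blaming Barnyard2.

```conf
# snort.conf fragment (added example, not the poster's file)

# Output section: this is the spool that Barnyard2's "input unified2" reads.
# Files are written as snort.log.<timestamp> in the -l directory.
output unified2: filename snort.log, limit 128

# stream5: the default memcap of 8388608 (8 MB) is what the "Pruned ... for memcap"
# messages show. Raise it to fit the session count on the monitored segment;
# 268435456 (256 MB) is illustrative only, size it from your own "ssns remain" figures.
preprocessor stream5_global: track_tcp yes, track_udp yes, track_icmp no, \
    max_tcp 262144, max_udp 131072, memcap 268435456

# Start Snort without -A fast and -b, so the command line does not override this section
# (the -b flag writes tcpdump-format snort.log.<timestamp> files, which look like a spool by name):
#   /usr/sbin/snort -d -D -i eth0 -u snort -g snort -c /etc/snort/snort.conf -l /var/log/snort/eth0
```

With the override gone, a new spool file should start with a unified2 record header rather than the pcap magic, and Barnyard2's "Read N records" counts should track the alert volume rather than sitting at 1 per file.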
Current thread: