Snort mailing list archives
barnyard2: Unable to open directory '/var/log/snort' and Unable to find the next spool file!
From: Joyabrata Ghosh <joy.career () gmail com>
Date: Tue, 11 Nov 2014 23:18:03 +0530
Dear Barnyard2 users,

Would you please help me solve this barnyard2 (src: https://github.com/firnsy/barnyard2) configuration problem? The corresponding Snort is working well, as required.

# barnyard2 -v -c /etc/barnyard2.conf -d /var/log/snort
Running in Continuous mode

        --== Initializing Barnyard2 ==--
Initializing Input Plugins!
Initializing Output Plugins!
DEBUG => [Alert_FWsam](AlertFWsamSetup) Output plugin is plugged in...
Parsing config file "/etc/barnyard2.conf"

+[ Signature Suppress list ]+
----------------------------
+[No entry in Signature Suppress List]+
----------------------------
+[ Signature Suppress list ]+

Barnyard2 spooler: Event cache size set to [2048]
Log directory = /var/log/barnyard2
Chroot directory = /var/spool/barnyard2

-------------------------------------------------
Keyword              | Input @
-------------------------------------------------
unified2             : init() = 0x441942
unified2             :   - readRecordHeader() = 0x4419b5
unified2             :   - readRecord() = 0x441b74
-------------------------------------------------

-------------------------------------------------
Keyword              | Output @
-------------------------------------------------
alert_cef            : 0x428779
alert_syslog         : 0x42ee25
log_tcpdump          : 0x431a39
database             : 0x4389c9
alert_fast           : 0x42a673
alert_full           : 0x42b290
alert_fwsam          : 0x42ba51
alert_unixsock       : 0x4303cb
alert_csv            : 0x42925d
log_null             : 0x431913
log_ascii            : 0x430ca3
alert_test           : 0x42fc3b
sguil                : 0x4327cd
alert_syslog_full    : 0x4339df
log_syslog_full      : 0x4339bf
-------------------------------------------------

        --== Initialization Complete ==--

  ______   -*> Barnyard2 <*-
 / ,,_  \  Version 2.1.13 (Build 327) DEBUG
 |o"  )~|  By Ian Firns (SecurixLive): http://www.securixlive.com/
 + '''' +  (C) Copyright 2008-2013 Ian Firns <firnsy () securixlive com>

ERROR: Unable to open directory '/var/log/snort' (No such file or directory)
ERROR: Unable to find the next spool file!
===============================================================================
Record Totals:
   Records:       0
   Events:        0 (0.000%)
   Packets:       0 (0.000%)
   Unknown:       0 (0.000%)
   Suppressed:    0 (0.000%)
===============================================================================
Packet breakdown by protocol (includes rebuilt packets):
      ETH: 0          (0.000%)
  ETHdisc: 0          (0.000%)
     VLAN: 0          (0.000%)
     IPV6: 0          (0.000%)
  IP6 EXT: 0          (0.000%)
  IP6opts: 0          (0.000%)
  IP6disc: 0          (0.000%)
      IP4: 0          (0.000%)
  IP4disc: 0          (0.000%)
    TCP 6: 0          (0.000%)
    UDP 6: 0          (0.000%)
    ICMP6: 0          (0.000%)
  ICMP-IP: 0          (0.000%)
      TCP: 0          (0.000%)
      UDP: 0          (0.000%)
     ICMP: 0          (0.000%)
  TCPdisc: 0          (0.000%)
  UDPdisc: 0          (0.000%)
  ICMPdis: 0          (0.000%)
     FRAG: 0          (0.000%)
   FRAG 6: 0          (0.000%)
      ARP: 0          (0.000%)
    EAPOL: 0          (0.000%)
  ETHLOOP: 0          (0.000%)
      IPX: 0          (0.000%)
    OTHER: 0          (0.000%)
  DISCARD: 0          (0.000%)
InvChkSum: 0          (0.000%)
   S5 G 1: 0          (0.000%)
   S5 G 2: 0          (0.000%)
    Total: 0
===============================================================================
===============================================================================
===============================================================================

[root-vmjoyabratag04-08:36:40-~]
# cat /etc/barnyard2.conf
#
#  Barnyard2 example configuration file
#
#
# This file contains a sample barnyard2 configuration.
# You can take the following steps to create your own custom configuration:
#
#   1) Configure the variable declarations
#   2) Setup the input plugins
#   3) Setup the output plugins
#
#
# Step 1: configure the variable declarations
#
# in order to keep from having a commandline that uses every letter in the
# alphabet most configuration options are set here.

# use UTC for timestamps
#
#config utc

# set the appropriate paths to the file(s) your Snort process is using.
#
config reference_file:      /etc/snort/reference.config
config classification_file: /etc/snort/classification.config
config gen_file:            /etc/snort/gen-msg.map
config sid_file:            /etc/snort/sid-msg.map

# Configure signature suppression at the spooler level see doc/README.sig_suppress
#
#
#config sig_suppress: 1:10

# Set the event cache size to defined max value before recycling of event occur.
#
#
#config event_cache_size: 4096

# define dedicated references similar to that of snort.
#
#config reference: mybugs http://www.mybugs.com/?s=

# define explicit classifications similar to that of snort.
#
#config classification: shortname, short description, priority

# set the directory for any output logging
#
#config logdir: /tmp

# to ensure that any plugins requiring some level of uniqueness in their output
# the alert_with_interface_name, interface and hostname directives are provided.
# An example of usage would be to configure them to the values of the associated
# snort process whose unified files you are reading.
#
# Example:
#   For a snort process as follows:
#     snort -i eth0 -c /etc/snort.conf
#
#   Typical options would be:
#     config hostname:  thor
#     config interface: eth0
#     config alert_with_interface_name
#
#config hostname:   thor
#config interface:  eth0

# enable printing of the interface name when alerting.
#
config alert_with_interface_name

# at times snort will alert on a packet within a stream and dump that stream to
# the unified output. barnyard2 can generate output on each packet of that
# stream or the first packet only.
#
#config alert_on_each_packet_in_stream

# enable daemon mode
#
#config daemon

# make barnyard2 process chroot to directory after initialisation.
#
config chroot: /var/spool/barnyard2

# specify the group or GID for barnyard2 to run as after initialisation.
#
#config set_gid: 999

# specify the user or UID for barnyard2 to run as after initialisation.
#
#config set_uid: 999

# specify the directory for the barnyard2 PID file.
#
#config pidpath: /var/run/by2.pid

# enable decoding of the data link (or second level headers).
#
#config decode_data_link

# dump the application data
#
#config dump_payload

# dump the application data as chars only
#
#config dump_chars_only

# enable verbose dumping of payload information in log style output plugins.
#
#config dump_payload_verbose

# enable obfuscation of logged IP addresses.
#
#config obfuscate

# enable the year being shown in timestamps
#
#config show_year

# set the umask for all files created by the barnyard2 process (eg. log files).
#
#config umask: 066

# enable verbose logging
#
#config verbose

# quiet down some of the output
#
#config quiet

# define the full waldo filepath.
#
#config waldo_file: /tmp/waldo

# specify the maximum length of the MPLS label chain
#
#config max_mpls_labelchain_len: 64

# specify the protocol (ie ipv4, ipv6, ethernet) that is encapsulated by MPLS.
#
#config mpls_payload_type: ipv4

# set the reference network or homenet which is predominantly used by the
# log_ascii plugin.
#
#config reference_net: 192.168.0.0/24

#
# CONTINUOUS MODE
#

# set the archive directory for use with continuous mode
#
#config archivedir: /tmp

# when in operating in continuous mode, only process new records and ignore any
# existing unified files
#
#config process_new_records_only

#
# Step 2: setup the input plugins
#
# this is not hard, only unified2 is supported ;)
input unified2

#
# Step 3: setup the output plugins
#

# alert_cef
# ----------------------------------------------------------------------------
#
# Purpose:
#  This output module provides the ability to output alert information to a
#  remote network host as well as the local host using the open standard
#  Common Event Format (CEF).
#
# Arguments: host=hostname[:port], severity facility
#   arguments should be comma delimited.
#   host        - specify a remote hostname or IP with optional port number
#                 this is only specific to WIN32 (and is not yet fully supported)
#   severity    - as defined in RFC 3164 (eg. LOG_WARN, LOG_INFO)
#   facility    - as defined in RFC 3164 (eg. LOG_AUTH, LOG_LOCAL0)
#
# Examples:
#   output alert_cef
#   output alert_cef: host=192.168.10.1
#   output alert_cef: host=sysserver.com:1001
#   output alert_cef: LOG_AUTH LOG_INFO
#

# alert_bro
# ----------------------------------------------------------------------------
#
# Purpose:  Send alerts to a Bro-IDS instance.
#
# Arguments:  hostname:port
#
# Examples:
#   output alert_bro: 127.0.0.1:47757

# alert_fast
# ----------------------------------------------------------------------------
# Purpose: Converts data to an approximation of Snort's "fast alert" mode.
#
# Arguments: file <file>, stdout
#   arguments should be comma delimited.
#   file - specify alert file
#   stdout - no alert file, just print to screen
#
# Examples:
#   output alert_fast
#   output alert_fast: stdout
#
output alert_fast: stdout

# prelude: log to the Prelude Hybrid IDS system
# ----------------------------------------------------------------------------
#
# Purpose:
#  This output module provides logging to the Prelude Hybrid IDS system
#
# Arguments: profile=snort-profile
#   snort-profile - name of the Prelude profile to use (default is snort).
#
# Snort priority to IDMEF severity mappings:
# high < medium < low < info
#
# These are the default mapped from classification.config:
# info   = 4
# low    = 3
# medium = 2
# high   = anything below medium
#
# Examples:
#   output alert_prelude
#   output alert_prelude: profile=snort-profile-name
#

# alert_syslog
# ----------------------------------------------------------------------------
#
# Purpose:
#  This output module provides the ability to output alert information to local syslog
#
#   severity    - as defined in RFC 3164 (eg. LOG_WARN, LOG_INFO)
#   facility    - as defined in RFC 3164 (eg. LOG_AUTH, LOG_LOCAL0)
#
# Examples:
#   output alert_syslog
#   output alert_syslog: LOG_AUTH LOG_INFO
#

# syslog_full
#-------------------------------
# Available as both a log and alert output plugin.  Used to output data via TCP/UDP or LOCAL ie(syslog())
# Arguments:
#      sensor_name $sensor_name         - unique sensor name
#      server $server                   - server the device will report to
#      local                            - if defined, ignore all remote information and use syslog() to send message.
#      protocol $protocol               - protocol device will report over (tcp/udp)
#      port $port                       - destination port device will report to (default: 514)
#      delimiters $delimiters           - define a character that will delimit message sections ex:  "|", will use | as mess)
#      separators $separators           - define field separator included in each message ex: " " , will use space as field)
#      operation_mode $operation_mode   - default | complete : default mode is compatible with default snort syslog message,)
#      log_priority $log_priority       - used by local option for syslog priority call. (man syslog(3) for supported option)
#      log_facility $log_facility       - used by local option for syslog facility call. (man syslog(3) for supported option)
#      payload_encoding                 - (default: hex)  support hex/ascii/base64 for log_syslog_full using operation_mode .
# Usage Examples:
# output alert_syslog_full: sensor_name snortIds1-eth2, server xxx.xxx.xxx.xxx, protocol udp, port 514, operation_mode defaut
# output alert_syslog_full: sensor_name snortIds1-eth2, server xxx.xxx.xxx.xxx, protocol udp, port 514, operation_mode comple
# output log_syslog_full: sensor_name snortIds1-eth2, server xxx.xxx.xxx.xxx, protocol udp, port 514, operation_mode default
# output log_syslog_full: sensor_name snortIds1-eth2, server xxx.xxx.xxx.xxx, protocol udp, port 514, operation_mode complete
# output alert_syslog_full: sensor_name snortIds1-eth2, server xxx.xxx.xxx.xxx, protocol udp, port 514
# output log_syslog_full: sensor_name snortIds1-eth2, server xxx.xxx.xxx.xxx, protocol udp, port 514
# output alert_syslog_full: sensor_name snortIds1-eth2, local
# output log_syslog_full: sensor_name snortIds1-eth2, local, log_priority LOG_CRIT,log_facility LOG_CRON

# log_ascii
# ----------------------------------------------------------------------------
#
# Purpose: This output module provides the default packet logging functionality
#
# Arguments: None.
#
# Examples:
#   output log_ascii
#

# log_tcpdump
# ----------------------------------------------------------------------------
#
# Purpose
#  This output module logs packets in binary tcpdump format
#
# Arguments:
#  The only argument is the output file name.
#
# Examples:
#   output log_tcpdump: tcpdump.log
#

# sguil
# ----------------------------------------------------------------------------
#
# Purpose: This output module provides logging ability for the sguil interface
# See doc/README.sguil
#
# Arguments: agent_port <port>, sensor_name <name>
#   arguments should be comma delimited.
#   agent_port  - explicitly set the sguil agent listening port
#                 (default: 7736)
#   sensor_name - explicitly set the sensor name
#                 (default: machine hostname)
#
# Examples:
#   output sguil
#   output sguil: agent_port=7000
#   output sguil: sensor_name=argyle
#   output sguil: agent_port=7000, sensor_name=argyle
#

# database: log to a variety of databases
# ----------------------------------------------------------------------------
#
# Purpose: This output module provides logging ability to a variety of databases
# See doc/README.database for additional information.
#
# Examples:
#   output database: log, mysql, user=root password=test dbname=db host=localhost
#   output database: alert, postgresql, user=snort dbname=snort
#   output database: log, odbc, user=snort dbname=snort
#   output database: log, mssql, dbname=snort user=snort password=test
#   output database: log, oracle, dbname=snort user=snort password=test
#

# alert_fwsam: allow blocking of IP's through remote services
# ----------------------------------------------------------------------------
# output alert_fwsam: <SnortSam Station>:<port>/<key>
#
#  <FW Mgmt Station>:  IP address or host name of the host running SnortSam.
#  <port>:  Port the remote SnortSam service listens on (default 898).
#  <key>:  Key used for authentication (encryption really)
#          of the communication to the remote service.
#
# Examples:
#
#  output alert_fwsam: snortsambox/idspassword
#  output alert_fwsam: fw1.domain.tld:898/mykey
#  output alert_fwsam: 192.168.0.1/borderfw 192.168.1.254/wanfw
#
[root-vmjoyabratag04-08:37:10-~]
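A pre-flight check for the situation in this post, added here as an example and not part of the original message or of the barnyard2 project. The posted configuration has `config chroot: /var/spool/barnyard2` active, and barnyard2 changes root after initialisation, so the spool directory given with `-d` has to exist underneath the chroot directory, not only at its host path. The script below parses the active `config chroot:` line from a barnyard2.conf and checks the spool directory at the path barnyard2 will actually see; the temp-directory layout in the demo is constructed for illustration, and the spool path is assumed to be absolute, as in the thread.

```shell
#!/bin/sh
# Added example: check the spool directory barnyard2 will try to open,
# taking an active "config chroot:" line in barnyard2.conf into account.
# Constructed demo paths only; nothing here comes from the thread's host.

# Print the directory named by the first active (uncommented)
# "config chroot:" line in conf file $1; print nothing if there is none.
by2_chroot_dir() {
    sed -n 's/^[[:space:]]*config[[:space:]]*chroot:[[:space:]]*\([^[:space:]]*\).*/\1/p' "$1" | head -n 1
}

# Check that absolute spool directory $2 can be opened by a barnyard2 started
# with conf $1. With a chroot active, the directory must exist underneath the
# chroot, because the spooler opens it after the process has changed root.
# Returns 0 when usable and 1 when missing, printing a one-line verdict.
by2_check_spool() {
    conf=$1
    spool=$2
    chroot_dir=$(by2_chroot_dir "$conf")
    if [ -n "$chroot_dir" ]; then
        effective="${chroot_dir%/}$spool"
        if [ -d "$effective" ]; then
            echo "ok: $spool resolves to $effective inside chroot $chroot_dir"
            return 0
        fi
        echo "missing: $effective (spool dir must exist under the chroot, not only at $spool)"
        return 1
    fi
    if [ -d "$spool" ]; then
        echo "ok: $spool exists (no chroot configured)"
        return 0
    fi
    echo "missing: $spool"
    return 1
}

# Demo on a constructed layout: a conf with chroot active, and the spool
# directory absent under the chroot until it is created there.
by2_demo() {
    tmp=$(mktemp -d)
    printf '#config chroot: /commented-out\nconfig chroot: %s/chroot\ninput unified2\n' "$tmp" > "$tmp/barnyard2.conf"
    # First check is expected to report the directory as missing.
    if by2_check_spool "$tmp/barnyard2.conf" /var/log/snort; then
        rm -rf "$tmp"
        return 2
    fi
    mkdir -p "$tmp/chroot/var/log/snort"
    # Second check passes once the spool directory exists under the chroot.
    if ! by2_check_spool "$tmp/barnyard2.conf" /var/log/snort; then
        rm -rf "$tmp"
        return 3
    fi
    rm -rf "$tmp"
    return 0
}

by2_demo
```

Run it as `sh by2_spoolcheck.sh` to see both verdicts; to check a real installation, call `by2_check_spool /etc/barnyard2.conf /var/log/snort` with the same `-c` and `-d` values passed to barnyard2. Commented-out chroot lines are ignored, matching what the posted config shows: only the uncommented `config chroot:` line takes effect.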
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
Please visit http://blog.snort.org to stay current on all the latest Snort news!
Current thread:
- barnyard2: Unable to open directory '/var/log/snort' and Unable to find the next spool file! Joyabrata Ghosh (Nov 11)