[Snort-users] Problem with barnyard 0.2.0 and snort 2.4.0

Subject: [Snort-users] Problem with barnyard 0.2.0 and snort 2.4.0
Date: Sat, 20 Aug 2005 00:44:35 -0500
It seems I have a problem with barnyard 0.2.0 and snort 2.4.0 on OpenBSD
3.6. I have configured snort to write a unified log to
/var/snort/log/snort.log with the following....

output log_unified: snort.log, limit 128

files are being written, as witnessed by the following....

 $ ls -l /var/snort/log
 [...]
 -rw-r--r--  1 root    _snort    5967 Aug 19 19:58 snort-unified.log.1124485688
 -rw-r--r--  1 root    _snort    9150 Aug 19 20:29 snort-unified.log.1124499689
 -rw-r--r--  1 root    _snort   46069 Aug 19 23:45 snort-unified.log.1124510258
 -rw-r--r--  1 root    _snort   18878 Aug 20 00:27 snort-unified.log.1124513157
 [...]

I'm starting snort in the following manner...

 # /var/snort/bin/snort -c /var/snort/etc/snort.conf \
   -l /var/snort/log -F /var/snort/etc/snort.pcap -D

So everything is working fine there. Signatures are being triggered.

My barnyard.conf is as follows...

 config localtime
 config hostname: gw1
 config interface: bridge0
 config filter: not port 22
 output log_acid_db: mysql, database snort, server 10.19.81.137, 
  user foo, password bar, detail full    [wrapped for clarity]

Next I start barnyard in the following manner...

 # /var/snort/bin/barnyard -c /var/snort/etc/barnyard.conf \
    -s /var/snort/etc/sid-msg.map -g /var/snort/etc/gen-msg.map \
    -p /var/snort/etc/classification.config -d /var/snort/log \
    -f snort.log -w /var/snort/log/snort_ids.log

which yields the following....

Barnyard Version 0.2.0 (Build 32)
Config file variables:
  Hostname:        gw1
  Interface:       bridge0
  BPF Filter:      not port 22
  Class file:      Not specified
  Sid-msg file:    Not specified
  Gen-msg file:    Not specified
  Daemon flag:     Not Set
  Localtime flag:  Set
WARNING: Bookmark file is corrupt, only processing new events
Program Variables:
  Continual processing mode
  Config dir:    /var/snort/etc
  Config file:   /var/snort/etc/barnyard.conf
  Sid-msg file:  /var/snort/etc/sid-msg.map
  Gen-msg file:  /var/snort/etc/gen-msg.map
  Class file:    /var/snort/etc/classification.config
  Hostname:      gw1
  Interface:     bridge0
  BPF Filter:    not port 22
  Log dir:       /var/log/snort
  Verbosity:     2
  Localtime:     1
  Spool dir:     /var/snort/log
  Spool file:    snort.log
  Bookmark file: /var/snort/log/snort_ids.log
  Record Number: 0
  Timet:         0
  Start at end:  1
Output plugins enabled for 'alert' records
-------------------------------------------------------
None configured
=======================================================
Output plugins enabled for 'log' records
-------------------------------------------------------
OpAcidDB configured
  Database Flavour: mysql
  Detail Level: Full
  Database Server: 10.19.81.137
  Database User: foo password bar
=======================================================
Output plugins enabled for 'stream_stat' records
-------------------------------------------------------
None configured
=======================================================

When I run barnyard, all I see is...

Skipped 0 old records
Waiting for new spool file

No sockets are opened to the database, and nothing ever changes when an
alert is triggered; no action takes place. I have another machine that I run
it on, and there I get this...

sensor_id == 2
SensorID: 2
Next CID: 74
Waiting for new data

...when starting barnyard.

Is there a better way to debug this to see what I'm doing wrong? My database
user/password is correct (I've tried it from the command line).

Thanks.

- Eric

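The output above ends in "Waiting for new spool file", so a first check is whether files with the base name given to `barnyard -f` actually exist in the `-d` spool directory. The script below is an added diagnostic written for this archive page, not code from the poster or from the barnyard project. It assumes that barnyard 0.2.x in continual mode looks for files named `<base>.<unix-timestamp>` in the spool directory, which is the naming pattern visible in the `ls -l` listing above (`snort-unified.log.1124485688`), and it runs against a constructed scratch directory rather than the poster's `/var/snort/log`.

```shell
#!/bin/sh
# Added spool-file diagnostic for barnyard's "Waiting for new spool file" state.
# Assumption: barnyard (0.2.x, continual mode) reads files named <base>.<timestamp>
# from the spool directory given with -d, where <base> is the -f argument.

# find_spool_files DIR BASE
# Prints every file in DIR named BASE.<digits>; returns 0 if any exist, else 1.
find_spool_files() {
    dir=$1
    base=$2
    found=0
    for f in "$dir"/"$base".*; do
        [ -f "$f" ] || continue
        name=${f##*/}
        suffix=${name##*.}
        # Only an all-digit suffix counts as a unified-log timestamp.
        case "$suffix" in
            ''|*[!0-9]*) continue ;;
        esac
        printf '%s\n' "$f"
        found=1
    done
    [ "$found" -eq 1 ]
}

# list_spool_bases DIR
# Prints the distinct base names of all <something>.<digits> files in DIR,
# i.e. the -f values that would actually match what the sensor is writing.
list_spool_bases() {
    dir=$1
    for f in "$dir"/*.[0-9]*; do
        [ -f "$f" ] || continue
        name=${f##*/}
        suffix=${name##*.}
        case "$suffix" in
            ''|*[!0-9]*) continue ;;
        esac
        printf '%s\n' "${name%.*}"
    done | sort -u
}

# check_spool DIR BASE
# Human-readable verdict: OK when BASE.<timestamp> files exist, otherwise a
# list of the base names that are present so the -f argument can be compared.
check_spool() {
    dir=$1
    base=$2
    if find_spool_files "$dir" "$base" >/dev/null; then
        echo "OK: barnyard -d $dir -f $base has spool files to read"
        return 0
    fi
    echo "No $base.<timestamp> files in $dir; barnyard would sit in 'Waiting for new spool file'"
    bases=$(list_spool_bases "$dir")
    if [ -n "$bases" ]; then
        echo "Timestamped spool files present in $dir use these base names:"
        printf '  %s\n' $bases
    fi
    return 1
}

# Constructed demonstration in a scratch directory (file names mirror the post's
# ls listing; contents are empty, no real snort output is involved).
demo_dir=$(mktemp -d)
touch "$demo_dir/snort-unified.log.1124485688" "$demo_dir/snort-unified.log.1124499689"
check_spool "$demo_dir" snort.log || true          # the post's -f value
check_spool "$demo_dir" snort-unified.log || true  # the base name actually on disk
rm -rf "$demo_dir"
```

Run it against the real sensor with `check_spool /var/snort/log snort.log`; if the verdict lists a different base name, the `-f` argument and the `log_unified` filename in snort.conf are the two values to reconcile before looking at the database side.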

_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users