Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Snort-Users
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: [Snort-users] Problem with barnyard 0.2.0 and snort 2.4.0

from [eric-list-snort-users] Network Security [Permanent Link]
Subject: Re: [Snort-users] Problem with barnyard 0.2.0 and snort 2.4.0
Date: Sat, 20 Aug 2005 14:08:02 -0500 
On Sat, 2005-08-20 at 13:38:16 -0500, Paul Schmehl proclaimed...


Restart barnyard, but add -v to make it more verbose.  If that doesn't tell 
you anything, then add a second or third v.


I've added 6 "-v" switches ... and removed the waldo file from the 
commandline entirely. This is what I get....

gw1$ /var/qmail/bin/barnyard -c /var/snort/etc/barnyard.conf \
  -d /var/snort/log -f snort.log -v -v -v -v -v -v

Barnyard Version 0.2.0 (Build 32)
Command line arguments:
  Config file:           /var/snort/etc/barnyard.conf
  Spool dir:             /var/snort/log
  Gen-msg file:          Not specified
  Sid-msg file:          Not specified
  Class file:            Not specified
  Log dir:               Not specified
  Archive dir:           Not specified
  File base:             snort.log
  Waldo file:            Not specified
  Pid file:              Not specified
  Verbosity level:       6
  Dry run flag:          Not Set
  Batch mode flag:       Not Set
  Daemon flag:           Not Set
  New records only flag: Not Set
  Usage flag:            Not Set
  Version flag:          Not Set
Config file variables:
  Hostname:        gw1
  Interface:       bridge0
  BPF Filter:      not port 22
  Class file:      /var/snort/etc/classification.config
  Sid-msg file:    /var/snort/etc/sid-msg.map
  Gen-msg file:    /var/snort/etc/gen-msg.map
  Daemon flag:     Not Set
  Localtime flag:  Set
Program Variables:
  Continual processing mode
  Config dir:    /var/snort/etc
  Config file:   /var/snort/etc/barnyard.conf
  Sid-msg file:  /var/snort/etc/sid-msg.map
  Gen-msg file:  /var/snort/etc/gen-msg.map
  Class file:    /var/snort/etc/classification.config
  Hostname:      gw1
  Interface:     bridge0
  BPF Filter:    not port 22
  Log dir:       /var/log/snort
  Verbosity:     6
  Localtime:     1
  Spool dir:     /var/snort/log
  Spool file:    snort.log
  Start at end:  0
Waiting for new spool file

A rule is then triggered, but the status above never changes.


If you delete the waldo file, barnyard *should* reread all the log files 
(giving you duplicates in your db.)  If it still isn't reading the 
logfiles, then remove the waldo switch.  If it *still* won't load the 
files, there's something wrong with the files.  Either they're not in 
unified format or they're screwed up in a way that makes it impossible for 
barnyard to parse them.

The waldo file should look something like this:

# less /usr/local/etc/waldo.file
/var/log/snort/
snort.log
1124382173
3138


My waldo file was null length.


Check to see if the snort log files are binary.  If they aren't then snort 
isn't logging in unified format.


They're the following...

gw1$ file /var/snort/log/*
/var/snort/log/alert:                        ASCII text
/var/snort/log/snort-unified.log.1124485688: 8086 relocatable (Microsoft)
/var/snort/log/snort-unified.log.1124499689: 8086 relocatable (Microsoft)
/var/snort/log/snort-unified.log.1124510258: 8086 relocatable (Microsoft)
/var/snort/log/snort-unified.log.1124513157: 8086 relocatable (Microsoft)


This wasn't intended to fix anything regarding your present problem.


I know, just mentioning :)

Thanks for the help so far.

- Eric


-------------------------------------------------------
SF.Net email is Sponsored by the Better Software Conference & EXPO
September 19-22, 2005 * San Francisco, CA * Development Lifecycle Practices
Agile & Plan-Driven Development * Managing Projects & Teams * Testing & QA
Security * Process Improvement & Measurement * http://www.sqe.com/bsce5sf
_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: [Snort-users] Problem with barnyard 0.2.0 and snort 2.4.0, Paul Schmehl
Next by Date:  Re: [Snort-users] Problem with barnyard 0.2.0 and snort 2.4.0, eric-list-snort-users
Previous by Thread:  Re: [Snort-users] Problem with barnyard 0.2.0 and snort 2.4.0, Paul Schmehl
Next by Thread:  Re: [Snort-users] Problem with barnyard 0.2.0 and snort 2.4.0, eric-list-snort-users
Indexes:  [Date] [Thread] [Top] [All Lists]