barnyard-users Mailing List for Barnyard
Status: Beta
Brought to you by: andrewbaker
From: kinomakino <kin...@ho...> - 2014-08-25 18:11:06
First, thanks for everything. I wonder, if I have configured two sets of rules, such as community and ET, how do I set up barnyard to read the .map of both sets of rules? Thank you!!!
From: Ashraf A. <ash...@gm...> - 2013-04-21 08:32:14
Hi All,

I have recently installed snort 2.9.4.5, with rules from snort and ET. I have updated the sid-msg.map, classification.config, and reference.config files before starting the daemons of snort and barnyard2. Everything was working fine in the past 2 days, but today I have seen the barnyard2 daemon is not running, and in the logs I found this (I am using barnyard2 2-1.13-BETA version):

Opened spool file '/var/log/snort/snort.u2.136637438'
04/19-18:07:13.315134 [**] [1:1384:15] DOS UPnP malformed advertisement [**]
Segmentation fault

Does it mean that rule (sid 1384) is not in proper format or not correct? What I have observed is the sig id 1384 is repeated in community rules also, so I have disabled it in snort rules by adding # in front. Is it because of duplicate rules in snort.rules and in community.rules?

Regards,
Ashraf
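The two questions above (reading the .map files of two rule sets, and a sid that appears in both snort.rules and community.rules) meet in the same place: barnyard2 reads a single sid-msg.map, so two rule sets mean one merged map, and duplicate sids have to be caught before the merge. The script below is an added example, not code from the thread or from the barnyard2 project. It parses the classic `sid || msg || ref || ref` map format (the newer `#v2` gid-prefixed format is not handled), merges any number of maps, keeps the first text seen for a sid, and reports every sid whose message text differs between files. The two sample maps are constructed here, including the reference URLs, which point at a reserved `.invalid` host.

```python
"""Merge several sid-msg.map files into one, reporting duplicate SIDs."""
from typing import Dict, List, Tuple

# Constructed sample input. sid 1384 appears in both maps with different text,
# sid 1411 appears in both with the same text but different references.
SNORT_MAP = """\
# sid-msg.map (constructed sample, Snort rule set)
1384 || DOS UPnP malformed advertisement || url,doc.example.invalid/1384
1411 || SNMP public access udp || url,doc.example.invalid/1411
"""

ET_MAP = """\
# sid-msg.map (constructed sample, ET rule set)
1384 || MISC UPnP malformed advertisement || url,doc.example.invalid/et-1384
1411 || SNMP public access udp || url,doc.example.invalid/1411-et
2000419 || ET POLICY PE EXE or DLL Windows file download || url,doc.example.invalid/2000419
"""

Entry = Tuple[str, List[str]]  # (message text, list of references)


def parse_sid_msg_map(text: str) -> Dict[int, Entry]:
    """Parse 'sid || msg || ref ...' lines; a sid listed twice in one file is an error."""
    entries: Dict[int, Entry] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = [f.strip() for f in line.split("||")]
        if len(fields) < 2 or not fields[0].isdigit():
            raise ValueError(f"line {lineno}: not a 'sid || msg' line: {raw!r}")
        sid = int(fields[0])
        if sid in entries:
            raise ValueError(f"line {lineno}: sid {sid} listed twice in one file")
        entries[sid] = (fields[1], fields[2:])
    return entries


def merge_maps(*maps: Dict[int, Entry]) -> Tuple[Dict[int, Entry], List[str]]:
    """Merge maps in priority order; first message text wins, conflicts are reported."""
    merged: Dict[int, Entry] = {}
    conflicts: List[str] = []
    for idx, entries in enumerate(maps):
        for sid, (msg, refs) in entries.items():
            if sid not in merged:
                merged[sid] = (msg, list(refs))
            elif merged[sid][0] != msg:
                conflicts.append(
                    f"sid {sid}: keeping {merged[sid][0]!r}, dropping {msg!r} from map #{idx}")
            else:
                # Same text in both files: just union the references.
                for ref in refs:
                    if ref not in merged[sid][1]:
                        merged[sid][1].append(ref)
    return merged, conflicts


def render(merged: Dict[int, Entry]) -> str:
    """Write the merged map back out in sid order."""
    lines = []
    for sid in sorted(merged):
        msg, refs = merged[sid]
        lines.append(" || ".join([str(sid), msg] + refs))
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    merged, conflicts = merge_maps(parse_sid_msg_map(SNORT_MAP), parse_sid_msg_map(ET_MAP))
    for c in conflicts:
        print("CONFLICT", c)
    print(render(merged), end="")
```

Point barnyard2's `sid-msg.map` at the rendered output. A conflict on a sid means the two rule sets really do disagree, and the rule itself should be disabled in one of them, exactly as Ashraf did for sid 1384.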
From: Jeremy H. <jt...@gm...> - 2012-07-20 18:12:27
Over at the http://securixlive.com/barnyard2/ site it says 2.1.9, yet at Sourceforge it's listed in the readme at version 2-1.10 and the source doesn't really say either way. Thanks..
From: Youngquist, J. R. <jry...@cc...> - 2012-05-29 14:54:35
Hi,

I upgraded to Snort 2.9.2.3 last week and ran into some issues. With barnyard2, I'm currently logging to a log file and also to a mysql database. I'm using Snorby as a frontend GUI to display the results. Now, after the upgrade, in the /var/log/snort/alert file, I can see that alerts are being generated, i.e.:

[**] [1:11192:12] FILE-IDENTIFY download of executable content [**]
[Classification: Potential Corporate Privacy Violation] [Priority: 1]
05/25-14:53:53.131902 72.247.219.67:80 -> 10.2.12.88:49860
TCP TTL:127 TOS:0x0 ID:18539 IpLen:20 DgmLen:5560 DF
***A**** Seq: 0x785AFFF3 Ack: 0xB91115CC Win: 0xC210 TcpLen: 20
[Xref => http://www.microsoft.com/smallbusiness/resources/technology/security/practice_safe_computing_and_thwart_online_thugs.mspx]

But they don't appear in my database. The last event was from 5-21-12, which was before I upgraded Snort. I.e.:

select * from event;
| 1 | 83834 | 456 | 9 | 0 | 3 | 0 | 2012-05-19 10:54:17 | 0 | 83834 |
| 1 | 83835 | 456 | 9 | 0 | 3 | 0 | 2012-05-19 10:54:17 | 0 | 83835 |
| 1 | 83836 | 456 | 9 | 0 | 3 | 0 | 2012-05-19 10:54:18 | 0 | 83836 |
| 1 | 83837 | 454 | 9 | 0 | 3 | 0 | 2012-05-21 12:04:17 | 0 | 83837 |
| 1 | 83838 | 454 | 9 | 0 | 3 | 0 | 2012-05-21 12:04:41 | 0 | 83838 |
| 1 | 83839 | 454 | 9 | 0 | 3 | 0 | 2012-05-21 12:05:03 | 0 | 83839 |
| 1 | 83840 | 457 | 9 | 0 | 3 | 0 | 2012-05-21 22:05:08 | 0 | 83840 |

I haven't made any changes to the database. Relevant lines from barnyard2.conf:

config daemon
config waldo_file: /var/log/snort/barnyard2.waldo
input unified2
output database: log, mysql, user=xxxxxxx password=xxxxxxx dbname=snorby host=localhost

I'm looking for any thoughts on how to troubleshoot this issue. Thanks.

Jason Youngquist, CISSP
Information Technology Security Engineer
Technology Services
Columbia College
1001 Rogers Street, Columbia, MO 65216
(573) 875-7334
jry...@cc...
http://www.ccis.edu
From: Aycock, J. R. <JEF...@sa...> - 2011-07-22 13:36:29
Hello,

Please excuse me for posting this request earlier in the announcement mailing list; it should be in the users mailing list instead. My bad.

I'm new to Sguil and Snort and would appreciate any suggestion for an issue I am having with Barnyard2. I've installed Snort 2.9.0.5, Barnyard2 (1.10 beta 1), and sguil-0.8.0 in a Fedora 15 box. Snort, snort_agent, and sguild all ran with no issues - I verified this using ps -ef|grep sguil:

[root@10 firnsy-barnyard2-411db8a]ps -ef|grep sguil
root 18246 22388 0 14:40 pts/4 00:00:00 tclsh ./sguild
root 18251 18246 0 14:40 pts/4 00:00:00 tclsh ./sguild
root 18252 18246 0 14:40 pts/4 00:00:00 tclsh ./sguild
root 18354 18332 0 15:14 pts/5 00:00:00 grep --color=auto sguil
sguil 22705 22438 0 08:55 pts/6 00:00:12 snort -u sguil -g sguil -c /etc/snort/snort.conf -i eth0 -U -A none -m 122 -l /var/log/snort_data/sensor
root 22772 1 0 09:11 ? 00:00:06 tclsh /opt/sguil-0.8.0/sensor/snort_agent.tcl -c /opt/sguil-0.8.0/sensor/snort_agent.conf

I verified that the correct ports are used:

[root@10 firnsy-barnyard2-411db8a]# lsof -i :7736
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
tclsh 18246 root 14u IPv4 4665775 0t0 TCP *:7736 (LISTEN)
[root@10 firnsy-barnyard2-411db8a]# lsof -i :7735
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
tclsh 22772 root 4u IPv4 4442250 0t0 TCP XXXXXXXXXX:7735 (LISTEN)

When I attempt to start Barnyard2:

[root@10 firnsy-barnyard2-411db8a]# /usr/local/bin/barnyard2 -c /etc/snort/barnyard2.conf -d /snort_data/sensor -f snort.log -w /etc/snort/waldo.file -G /etc/snort/gen-msg.map -S /etc/snort/sid-msg.map -v

I get this error message:

Running in Continuous mode
--== Initializing Barnyard2 ==--
Initializing Input Plugins!
Initializing Output Plugins!
Parsing config file "/etc/snort/barnyard2.conf"
............
...........
sguil: Connected to localhost on 7735.
ERROR: Connecton closed by client
sguil: Connected to localhost on 7735.
ERROR: Connecton closed by client
sguil: Connected to localhost on 7735.
ERROR: Connecton closed by client
.............
............

It didn't matter whether I ran as another user or root, the results are the same. Does anyone have any suggestion or encounter the same issue?

Thanks in advance!
Jeff
From: Jun W. <jun...@ho...> - 2010-08-18 23:14:22
Hi Paul, The Snort seems to be okay, pls see the folloing: 1.) root@mbssnort1:~# snort -c /etc/snort/snort.conf -A console -i eth0 --== Initialization Complete ==-- ,,_ -*> Snort! <*- o" )~ Version 2.8.5.2 (Build 121) '''' By Martin Roesch & The Snort Team: http://www.snort.org/snort/snort-team Copyright (C) 1998-2009 Sourcefire, Inc., et al. Using PCRE version: 7.8 2008-09-05 Rules Engine: SF_SNORT_DETECTION_ENGINE Version 1.11 <Build 17> Preprocessor Object: SF_DCERPC2 Version 1.0 <Build 2> Preprocessor Object: SF_SSLPP Version 1.1 <Build 3> Preprocessor Object: SF_Dynamic_Example_Preprocessor Version 1.0 <Build 1> Preprocessor Object: SF_DCERPC Version 1.1 <Build 5> Preprocessor Object: SF_DNS Version 1.1 <Build 3> Preprocessor Object: SF_FTPTELNET Version 1.2 <Build 12> Preprocessor Object: SF_SSH Version 1.1 <Build 2> Preprocessor Object: SF_SMTP Version 1.1 <Build 8> Not Using PCAP_FRAMES 08/19-09:03:39.988787 [**] [1:100000160:2] COMMUNITY SIP TCP/IP message flooding directed to SIP proxy [**] [Classification: Attempted Denial of Service] [Priority: 2] {TCP} 10.2.5.85:1190 -> 10.2.2.73:80 08/19-09:03:59.118214 [**] [1:1411:10] SNMP public access udp [**] [Classification: Attempted Information Leak] [Priority: 2] {UDP} 10.2.5.30:1100 -> 10.2.5.116:161 08/19-09:03:59.118214 [**] [1:1417:9] SNMP request udp [**] [Classification: Attempted Information Leak] [Priority: 2] {UDP} 10.2.5.30:1100 -> 10.2.5.116:161 08/19-09:03:59.118227 [**] [1:1411:10] SNMP public access udp [**] [Classification: Attempted Information Leak] [Priority: 2] {UDP} 10.2.5.30:1100 -> 10.2.5.133:161 08/19-09:03:59.118227 [**] [1:1417:9] SNMP request udp [**] [Classification: Attempted Information Leak] [Priority: 2] {UDP} 10.2.5.30:1100 -> 10.2.5.133:161 08/19-09:03:59.118230 [**] [1:1411:10] SNMP public access udp [**] [Classification: Attempted Information Leak] [Priority: 2] {UDP} 10.2.5.30:1100 -> 10.2.5.213:161 08/19-09:03:59.118230 [**] [1:1417:9] SNMP request udp [**] 
[Classification: Attempted Information Leak] [Priority: 2] {UDP} 10.2.5.30:1100 -> 10.2.5.213:161 ...... 2.) root@mbssnort1:~# snort -c /etc/snort/snort.conf -T --== Initialization Complete ==-- ,,_ -*> Snort! <*- o" )~ Version 2.8.5.2 (Build 121) '''' By Martin Roesch & The Snort Team: http://www.snort.org/snort/snort-team Copyright (C) 1998-2009 Sourcefire, Inc., et al. Using PCRE version: 7.8 2008-09-05 Rules Engine: SF_SNORT_DETECTION_ENGINE Version 1.11 <Build 17> Preprocessor Object: SF_DCERPC2 Version 1.0 <Build 2> Preprocessor Object: SF_SSLPP Version 1.1 <Build 3> Preprocessor Object: SF_Dynamic_Example_Preprocessor Version 1.0 <Build 1> Preprocessor Object: SF_DCERPC Version 1.1 <Build 5> Preprocessor Object: SF_DNS Version 1.1 <Build 3> Preprocessor Object: SF_FTPTELNET Version 1.2 <Build 12> Preprocessor Object: SF_SSH Version 1.1 <Build 2> Preprocessor Object: SF_SMTP Version 1.1 <Build 8> Snort successfully loaded all rules and checked all rule chains! Snort exiting 3.) Followed your advice, please see the outcomes: root@mbssnort1:~# /usr/local/bin/barnyard2 -c /etc/snort/barnyard2.conf -v -d /var/log/snort -f snort.log -w /var/log/snort/barnyard.waldo Running in Continuous mode --== Initializing Barnyard2 ==-- Initializing Input Plugins! Initializing Output Plugins! Parsing config file "/etc/snort/barnyard2.conf" ERROR: /etc/snort/barnyard2.conf(310) Undefined variable name: 12. Fatal Error, Quitting.. root@mbssnort1:~# Any info and help would be much appreciated. Thanks. Regards John > Date: Wed, 18 Aug 2010 12:25:42 -0500 > From: psc...@tx... > To: jun...@ho... > CC: bar...@li... > Subject: RE: [Barnyard-users] barnyard2.conf(310) Undefined variable name: 12 > > You snort.conf file has two var HOME_NET entries: > > var HOME_NET 10.2.0.0/16 > var HOME_NET $eth0_ADDRESS > > Does snort start and run? I wouldn't think so. Run "% snort -T -c > /etc/snort/snort.conf" and watch the output. I'm betting it's not running. 
> > Your startup line for barnyard2 has unnecessary elements in it. You don't need > to call the gen-msg.map and sid-msg.map, because they're already defined in the > barnyard2.conf file. I would remove those. If it still errors out on start, > run barnyard2 in verbose mode: > > /usr/local/bin/barnyard2 -c /etc/snort/barnyard2.conf -v -d /var/log/snort -f > snort.log -w /var/log/snort/barnyard.waldo > > Then look in /var/log/messages and see if there's anything helpful in there. > > --On Wednesday, August 18, 2010 03:54:23 +0000 Jun Wan <jun...@ho...> > wrote: > > > Hi Paul, > > > > Please see the attached snort.conf and barnyard2.conf. > > > > Any info and help would be appreciated. > > > > Thanks > > > > Regards > > > > John > > > >> Date: Tue, 17 Aug 2010 21:34:32 -0500 > >> From: psc...@tx... > >> To: jun...@ho...; bar...@li... > >> Subject: Re: [Barnyard-users] barnyard2.conf(310) Undefined variable name: 12 > >> > >> --On August 17, 2010 9:23:22 PM -0500 Jun Wan <jun...@ho...> > >> wrote: > >> > >> > Hi, > >> > > >> > I followed the instructions (Installing SNORT on Ubuntu 10.04) from: > >> > http://it.thelibrarie.com/weblog/?p=515 > >> > > >> > I did the following: > >> > > >> > root@mbssnort1:~# /usr/local/bin/barnyard2 -c /etc/snort/barnyard2.conf > >> > -G /etc/snort/gen-msg.map -S /etc/snort/sid-msg.map -d /var/log/snort -f > >> > snort.log -w /var/log/snort/barnyard.waldo > >> > > >> > Running in Continuous mode > >> > –== Initializing Barnyard2 ==– > >> > Initializing Input Plugins! > >> > Initializing Output Plugins! > >> > Parsing config file “/etc/snort/barnyard2.conf” > >> > ERROR: /etc/snort/barnyard2.conf(310) Undefined variable name: 12. > >> > Fatal Error, Quitting.. > >> > > >> > I find nothing via "Google", any info and help would be much appreciated. > >> > > >> > >> Let's see your conf file. > >> > > -- > Paul Schmehl, Senior Infosec Analyst > As if it wasn't already obvious, my opinions > are my own and not those of my employer. 
> ******************************************* > "It is as useless to argue with those who have > renounced the use of reason as to administer > medication to the dead." Thomas Jefferson > |
From: David G. <sk...@gm...> - 2010-08-18 17:26:32
How did you suppose to we help you? Without knowing the configuration file? On Tue, Aug 17, 2010 at 11:23 PM, Jun Wan <jun...@ho...> wrote: > Hi, > > I followed the instructions (Installing SNORT on Ubuntu 10.04) from: > http://it.thelibrarie.com/weblog/?p=515 > > I did the following: > > root@mbssnort1:~# /usr/local/bin/barnyard2 -c /etc/snort/barnyard2.conf -G > /etc/snort/gen-msg.map -S /etc/snort/sid-msg.map -d /var/log/snort -f > snort.log -w /var/log/snort/barnyard.waldo > > Running in Continuous mode > –== Initializing Barnyard2 ==– > Initializing Input Plugins! > Initializing Output Plugins! > Parsing config file “/etc/snort/barnyard2.conf” > ERROR: /etc/snort/barnyard2.conf(310) Undefined variable name: 12. > Fatal Error, Quitting.. > > I find nothing via "Google", any info and help would be much appreciated. > > Thanks. > Regards > John > > ------------------------------------------------------------------------------ > This SF.net email is sponsored by > > Make an app they can't live without > Enter the BlackBerry Developer Challenge > http://p.sf.net/sfu/RIM-dev2dev > _______________________________________________ > Barnyard-users mailing list > Bar...@li... > https://lists.sourceforge.net/lists/listinfo/barnyard-users > > -- David Gomes Guimarães |
From: Jun W. <jun...@ho...> - 2010-08-18 02:23:29
Hi,

I followed the instructions (Installing SNORT on Ubuntu 10.04) from: http://it.thelibrarie.com/weblog/?p=515

I did the following:

root@mbssnort1:~# /usr/local/bin/barnyard2 -c /etc/snort/barnyard2.conf -G /etc/snort/gen-msg.map -S /etc/snort/sid-msg.map -d /var/log/snort -f snort.log -w /var/log/snort/barnyard.waldo

Running in Continuous mode
--== Initializing Barnyard2 ==--
Initializing Input Plugins!
Initializing Output Plugins!
Parsing config file "/etc/snort/barnyard2.conf"
ERROR: /etc/snort/barnyard2.conf(310) Undefined variable name: 12.
Fatal Error, Quitting..

I find nothing via "Google", any info and help would be much appreciated.

Thanks.
Regards
John
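The three messages above (earliest at the bottom) never pin down what the "12" on line 310 is. The lint below is an added example, not code from the thread or from the barnyard2 project. It rests on one assumption: that barnyard2 inherits Snort's `var NAME value` definitions and `$NAME` references, which is what the wording "Undefined variable name" implies. Under that assumption a bare `$` followed by digits inside a value, for instance in a database password, is read as a reference to a variable named by those digits. The sample configuration is constructed to show exactly that; whether it matches John's line 310 is something to check against his file, not a conclusion of the thread.

```python
"""Lint barnyard2.conf-style variable references before starting the daemon."""
import re
from typing import List, Tuple

VAR_DEF = re.compile(r"^\s*var\s+(\w+)\s+(.*)$")   # var NAME value
VAR_REF = re.compile(r"\$(\w+)")                    # $NAME anywhere in a line

# Constructed sample: line 5 carries a '$' inside the password value.
SAMPLE_CONF = """\
config daemon
config waldo_file: /var/log/snort/barnyard2.waldo
var DB_HOST localhost
input unified2
output database: log, mysql, user=snort password=Pa55w$12 dbname=snort host=$DB_HOST
"""


def lint_variables(text: str) -> List[Tuple[int, str]]:
    """Return (line number, name) for every $name with no earlier 'var name' line."""
    defined = set()
    problems: List[Tuple[int, str]] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = VAR_DEF.match(line)
        # A var's own value may reference variables defined on earlier lines.
        refs = VAR_REF.findall(m.group(2) if m else line)
        problems.extend((lineno, name) for name in refs if name not in defined)
        if m:
            defined.add(m.group(1))   # visible only from the next line onwards
    return problems


def explain(filename: str, lineno: int, name: str) -> str:
    """Format the finding the way barnyard2 reports it, plus a hint for the all-digit case."""
    msg = f"{filename}({lineno}) Undefined variable name: {name}."
    if name.isdigit():
        # Assumption (see lead-in): digits after '$' came from a literal value, not a variable.
        msg += (" hint: a literal '$' followed by digits inside a value on this line"
                " is being read as a variable reference; change that value or define the variable")
    return msg


def lint_file_text(text: str, filename: str = "barnyard2.conf") -> List[str]:
    return [explain(filename, ln, name) for ln, name in lint_variables(text)]


if __name__ == "__main__":
    for finding in lint_file_text(SAMPLE_CONF):
        print(finding)
```

Run it against the real file (`lint_file_text(open("/etc/snort/barnyard2.conf").read())`) before starting the daemon; the line number in its output lines up with the one in barnyard2's own error, which makes the offending token easy to spot in a 300-line configuration.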
From: David G. <sk...@gm...> - 2010-08-16 17:32:38
Hi all. Does anyone know if it's possible for barnyard2 to dump the ethernet layer of the snort unified2 log (using the mysql output plugin)? I mean the ethernet frame, like MAC source/dest, of the logged packet. I need it for the reactive block of the infected machine, and the pcap generated by BASE forges the ethernet frame (fake frame). Currently I have to run barnyard2 (on the local machine) with a new configuration with log_tcpdump activated to generate a pcap from which I can analyze the ethernet frame with "tcpdump -e -r".

-- David Gomes Guimarães
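The MAC addresses David is after are present in the unified2 spool itself: a packet record stores the captured frame from the link layer down, so when Snort listens on an Ethernet interface the first 14 bytes of the frame are destination MAC, source MAC and ethertype. The parser below is an added example, not code from the thread or from the barnyard2 project, and reads the spool directly instead of going through the database. The record layout it assumes is the published unified2 one (an 8-byte type/length header, and for packet records seven big-endian 32-bit fields followed by the frame); the spool contents are constructed in `build_sample()` and include a raw-IP packet record to show that only Ethernet captures (link type 1) carry MAC addresses.

```python
"""Pull Ethernet MAC addresses out of unified2 packet records (constructed sample)."""
import struct
from typing import Iterator, List, Tuple

UNIFIED2_PACKET = 2        # record type of a packet record
UNIFIED2_IDS_EVENT = 7     # legacy IDS event record; skipped here, only its length matters
DLT_EN10MB = 1             # libpcap link type: Ethernet
DLT_RAW = 12               # libpcap link type: raw IP, no link-layer header

RECORD_HDR = struct.Struct("!II")        # type, length
PACKET_HDR = struct.Struct("!IIIIIII")   # sensor_id, event_id, event_second,
                                         # packet_second, packet_microsecond,
                                         # linktype, packet_length


def records(data: bytes) -> Iterator[Tuple[int, bytes]]:
    """Walk the record stream, yielding (type, body); a short final record is an error."""
    off = 0
    while off + RECORD_HDR.size <= len(data):
        rtype, rlen = RECORD_HDR.unpack_from(data, off)
        off += RECORD_HDR.size
        if off + rlen > len(data):
            raise ValueError(f"truncated record of type {rtype} at offset {off}")
        yield rtype, data[off:off + rlen]
        off += rlen


def fmt_mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def packet_mac_addresses(data: bytes) -> List[dict]:
    """Source/destination MAC for every Ethernet packet record, keyed by event_id."""
    found = []
    for rtype, body in records(data):
        if rtype != UNIFIED2_PACKET:
            continue
        (_sensor, event_id, _esec, _psec, _pusec,
         linktype, pkt_len) = PACKET_HDR.unpack_from(body, 0)
        frame = body[PACKET_HDR.size:PACKET_HDR.size + pkt_len]
        # Only an Ethernet capture carries the 14-byte MAC header in front of IP.
        if linktype != DLT_EN10MB or len(frame) < 14:
            continue
        found.append({
            "event_id": event_id,
            "dst_mac": fmt_mac(frame[0:6]),
            "src_mac": fmt_mac(frame[6:12]),
            "ethertype": int.from_bytes(frame[12:14], "big"),
        })
    return found


def build_sample() -> bytes:
    """Constructed spool: one event record, one Ethernet packet, one raw-IP packet."""
    def packet_record(linktype: int, frame: bytes, event_id: int) -> bytes:
        body = PACKET_HDR.pack(1, event_id, 1281984000, 1281984000, 123456,
                               linktype, len(frame)) + frame
        return RECORD_HDR.pack(UNIFIED2_PACKET, len(body)) + body

    eth_frame = (bytes.fromhex("66778899aabb")      # destination MAC (constructed)
                 + bytes.fromhex("001122334455")    # source MAC (constructed)
                 + b"\x08\x00"                      # ethertype IPv4
                 + bytes(20))                       # dummy IPv4 header
    raw_ip = bytes(20)
    event = RECORD_HDR.pack(UNIFIED2_IDS_EVENT, 52) + bytes(52)   # 52-byte legacy event body
    return event + packet_record(DLT_EN10MB, eth_frame, 42) + packet_record(DLT_RAW, raw_ip, 43)


if __name__ == "__main__":
    for hit in packet_mac_addresses(build_sample()):
        print(hit)
```

For a real spool, replace `build_sample()` with the bytes of a `snort.u2.*` file; the `event_id` in each result is the same value barnyard2 writes to the database, so the MAC addresses can be joined back to the event rows without a second barnyard2 instance or a pcap.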
From: Curt S. <csh...@gm...> - 2010-04-28 18:08:56
I just upgraded to Snort 2.8.6 and I am no longer getting data in my BASE database from this sensor. I know it's not the BASE install as my other sensors are still working fine. Has anyone updated to 2.8.6 and seen this issue or not as well?
From: Willst M. <wil...@gm...> - 2010-03-10 12:02:25
Hello,

Is it possible to use different output options for different alerts? In my specific case, what I would like to do is this:

1. All alerts are handled by the syslog output so they are written to our logging system for correlation and archival.
2. All alerts except port scans and port sweeps are handled by the database output so they are written to BASE for trending, reporting, payload analysis, etc.

Some alerts are more useful for correlation than they are for analysis and reporting, e.g. the port scans/sweeps, not to mention they can be voluminous, so I'd rather not clutter up BASE if necessary. We are using barnyard2 v2.1.7 with Snort v2.8.5.x. Are we somehow able to achieve this configuration?

Thanks
From: Paul S. <pa...@ut...> - 2010-01-28 04:35:55
Stop using barnyard 0.2.0 and use barnyard2 instead. http://www.securixlive.com/barnyard2/index.php --On January 28, 2010 12:10:47 AM +1030 mat...@ad... wrote: > > > > > Hi List, > > I have a weird segfault problem with Barnyard Version 0.2.0 (Build 32), > where I get the following in the messages file > > Jan 27 23:13:38 ids kernel: barnyard[27075]: segfault at > 0000000000000008 rip 00002b459823290b rsp 00007fff0d6b0240 error 4 > > There is no Libc2.7 issue, and I beleive my Snort log files are in the > correct format. This has been built with mysql support and on Centos 5.4 > x86_64. > ># grep -P "^output " /etc/snort/snort.conf > output alert_unified: filename snort.alert, limit 128 > output log_unified: filename snort.log, limit 128 > > I'm testing using the following ping > ping -i 0.1 -n -r -b 202.6.152.255 -p "7569643d3028726f6f74290a" -c 20 > > When I run it under strace in daemon mode, I get this...... > fstat(11, {st_mode=S_IFREG|0644, st_size=3405, ...}) = 0 > mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) > = 0x2b23ca74b000 write(11, "[**] [1:498:7] ATTACK-RESPONSES id check > returned root [**]\n[Classification: Potentially Bad Traffic] [Priority: > 2]\nEvent ID: 1 Event Reference: > 1\n=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+= > +=+=+\n\n", 227) = 227 --- SIGSEGV (Segmentation fault) @ 0 (0) --- > Process 27507 detached > > When I run it under strace in batch mode I get this everytime...... 
> mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) > = 0x2b783a769000 write(8, "[**] [1:498:7] ATTACK-RESPONSES id check > returned root [**]\n[Classification: Potentially Bad Traffic] [Priority: > 2]\nEvent ID: 1 Event Reference: > 1\n=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+= > +=+=+\n\n", 227) = 227 open("/etc/localtime", O_RDONLY) = 10 > fstat(10, {st_mode=S_IFREG|0644, st_size=2202, ...}) = 0 > fstat(10, {st_mode=S_IFREG|0644, st_size=2202, ...}) = 0 > > The very strange thing with this is, is that if I ping slowly, it never > ever triggers and doesn't die (ping -i 1), it's only when I ping quickly > and it triggers (ping -i 0.1) is whe it dies. > > The difference here being the 'Potentially Bad Traffic' event... I'm not > sure what comes next, or whats about to happen in the sequence of > events, which is why I'm hoping someone just knows and can say 'hey, > this is about to happen, that could be your problem'. I'm thinking its > about to write to the database (of course, I don't really know). I do > however have 4 things in DB which are a bit screwed up - but there is > something there, so I'm sort of happy. 
> > mysql> select * from event; > +-----+-----+-----------+---------------------+ >| sid | cid | signature | timestamp | > +-----+-----+-----------+---------------------+ >| 1 | 1 | 1 | 3166-03-23 16:06:23 | >| 1 | 2 | 1 | 3166-03-23 16:06:23 | >| 1 | 3 | 1 | 3166-03-23 16:06:23 | >| 1 | 4 | 1 | 3166-03-23 16:06:23 | > +-----+-----+-----------+---------------------+ > 4 rows in set (0.00 sec) > > ldd `which barnyard` > libz.so.1 => /usr/lib64/libz.so.1 (0x00002aaf096ed000) > libssl.so.6 => /lib64/libssl.so.6 (0x00002aaf09901000) > libmysqlclient.so.15 => /usr/lib64/mysql/libmysqlclient.so.15 > (0x00002aaf09b4b000) libc.so.6 => /lib64/libc.so.6 > (0x00002aaf09ebe000) > libgssapi_krb5.so.2 => /usr/lib64/libgssapi_krb5.so.2 > (0x00002aaf0a215000) libkrb5.so.3 => /usr/lib64/libkrb5.so.3 > (0x00002aaf0a443000) libcom_err.so.2 => /lib64/libcom_err.so.2 > (0x00002aaf0a6d9000) libk5crypto.so.3 => > /usr/lib64/libk5crypto.so.3 (0x00002aaf0a8db000) libcrypto.so.6 > => /lib64/libcrypto.so.6 (0x00002aaf0ab00000) libdl.so.2 => > /lib64/libdl.so.2 (0x00002aaf0ae52000) > libcrypt.so.1 => /lib64/libcrypt.so.1 (0x00002aaf0b056000) > libnsl.so.1 => /lib64/libnsl.so.1 (0x00002aaf0b28e000) > libm.so.6 => /lib64/libm.so.6 (0x00002aaf0b4a7000) > /lib64/ld-linux-x86-64.so.2 (0x00002aaf094d0000) > libkrb5support.so.0 => /usr/lib64/libkrb5support.so.0 > (0x00002aaf0b72a000) libkeyutils.so.1 => /lib64/libkeyutils.so.1 > (0x00002aaf0b932000) libresolv.so.2 => /lib64/libresolv.so.2 > (0x00002aaf0bb35000) libselinux.so.1 => /lib64/libselinux.so.1 > (0x00002aaf0bd4a000) libsepol.so.1 => /lib64/libsepol.so.1 > (0x00002aaf0bf63000) > > I don't run selinux (or I should say it's in permissive mode). I will > run it under ltrace and see what happens, then fish around the source, > but am hoping that someone with skills with Barnyard can help out. 
> > Thanks heaps, Matt Hanna > > ---- Message sent via Adam Internet WebMail - http://www.adam.com.au/ > > > ---- Message sent via Adam Internet WebMail - http://www.adam.com.au/ > > ------------------------------------------------------------------------ > ------ The Planet: dedicated and managed hosting, cloud storage, > colocation Stay online with enterprise data centers and the best network > in the business Choose flexible plans and management services without > long-term contracts Personal 24x7 support from experience hosting pros > just a phone call away. http://p.sf.net/sfu/theplanet-com > _______________________________________________ > Barnyard-users mailing list > Bar...@li... > https://lists.sourceforge.net/lists/listinfo/barnyard-users Paul Schmehl (pa...@ut...) Senior Information Security Analyst The University of Texas at Dallas http://www.utdallas.edu/ir/security/ |
From: <mat...@ad...> - 2010-01-27 14:26:40
Hi List,

I have a weird segfault problem with Barnyard Version 0.2.0 (Build 32), where I get the following in the messages file:

Jan 27 23:13:38 ids kernel: barnyard[27075]: segfault at 0000000000000008 rip 00002b459823290b rsp 00007fff0d6b0240 error 4

There is no Libc2.7 issue, and I believe my Snort log files are in the correct format. This has been built with mysql support and on Centos 5.4 x86_64.

# grep -P "^output " /etc/snort/snort.conf
output alert_unified: filename snort.alert, limit 128
output log_unified: filename snort.log, limit 128

I'm testing using the following ping:

ping -i 0.1 -n -r -b 202.6.152.255 -p "7569643d3028726f6f74290a" -c 20

When I run it under strace in daemon mode, I get this......

fstat(11, {st_mode=S_IFREG|0644, st_size=3405, ...}) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x2b23ca74b000
write(11, "[**] [1:498:7] ATTACK-RESPONSES id check returned root [**]\n[Classification: Potentially Bad Traffic] [Priority: 2]\nEvent ID: 1 Event Reference: 1\n=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+\n\n", 227) = 227
--- SIGSEGV (Segmentation fault) @ 0 (0) ---
Process 27507 detached

When I run it under strace in batch mode I get this every time......

mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x2b783a769000
write(8, "[**] [1:498:7] ATTACK-RESPONSES id check returned root [**]\n[Classification: Potentially Bad Traffic] [Priority: 2]\nEvent ID: 1 Event Reference: 1\n=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+\n\n", 227) = 227
open("/etc/localtime", O_RDONLY) = 10
fstat(10, {st_mode=S_IFREG|0644, st_size=2202, ...}) = 0
fstat(10, {st_mode=S_IFREG|0644, st_size=2202, ...}) = 0

The very strange thing with this is that if I ping slowly, it never ever triggers and doesn't die (ping -i 1); it's only when I ping quickly and it triggers (ping -i 0.1) that it dies.

The difference here being the 'Potentially Bad Traffic' event... I'm not sure what comes next, or what's about to happen in the sequence of events, which is why I'm hoping someone just knows and can say 'hey, this is about to happen, that could be your problem'. I'm thinking it's about to write to the database (of course, I don't really know). I do however have 4 things in DB which are a bit screwed up - but there is something there, so I'm sort of happy.

mysql> select * from event;
+-----+-----+-----------+---------------------+
| sid | cid | signature | timestamp           |
+-----+-----+-----------+---------------------+
|   1 |   1 |         1 | 3166-03-23 16:06:23 |
|   1 |   2 |         1 | 3166-03-23 16:06:23 |
|   1 |   3 |         1 | 3166-03-23 16:06:23 |
|   1 |   4 |         1 | 3166-03-23 16:06:23 |
+-----+-----+-----------+---------------------+
4 rows in set (0.00 sec)

ldd `which barnyard`
libz.so.1 => /usr/lib64/libz.so.1 (0x00002aaf096ed000)
libssl.so.6 => /lib64/libssl.so.6 (0x00002aaf09901000)
libmysqlclient.so.15 => /usr/lib64/mysql/libmysqlclient.so.15 (0x00002aaf09b4b000)
libc.so.6 => /lib64/libc.so.6 (0x00002aaf09ebe000)
libgssapi_krb5.so.2 => /usr/lib64/libgssapi_krb5.so.2 (0x00002aaf0a215000)
libkrb5.so.3 => /usr/lib64/libkrb5.so.3 (0x00002aaf0a443000)
libcom_err.so.2 => /lib64/libcom_err.so.2 (0x00002aaf0a6d9000)
libk5crypto.so.3 => /usr/lib64/libk5crypto.so.3 (0x00002aaf0a8db000)
libcrypto.so.6 => /lib64/libcrypto.so.6 (0x00002aaf0ab00000)
libdl.so.2 => /lib64/libdl.so.2 (0x00002aaf0ae52000)
libcrypt.so.1 => /lib64/libcrypt.so.1 (0x00002aaf0b056000)
libnsl.so.1 => /lib64/libnsl.so.1 (0x00002aaf0b28e000)
libm.so.6 => /lib64/libm.so.6 (0x00002aaf0b4a7000)
/lib64/ld-linux-x86-64.so.2 (0x00002aaf094d0000)
libkrb5support.so.0 => /usr/lib64/libkrb5support.so.0 (0x00002aaf0b72a000)
libkeyutils.so.1 => /lib64/libkeyutils.so.1 (0x00002aaf0b932000)
libresolv.so.2 => /lib64/libresolv.so.2 (0x00002aaf0bb35000)
libselinux.so.1 => /lib64/libselinux.so.1 (0x00002aaf0bd4a000)
libsepol.so.1 => /lib64/libsepol.so.1 (0x00002aaf0bf63000)

I don't run selinux (or I should say it's in permissive mode). I will run it under ltrace and see what happens, then fish around the source, but am hoping that someone with skills with Barnyard can help out.

Thanks heaps, Matt Hanna

---- Message sent via Adam Internet WebMail - http://www.adam.com.au/
From: Gruttmann, S. <Sus...@ed...> - 2009-02-24 07:28:12
Hi there,

just a second try. I'm still having the problem that I get a "File size limit exceeded" message when I'm starting Barnyard with a cron job.

Error message:

/usr/bin/copylog: line 6: 14621 File size limit exceeded /usr/local/bin/barnyard -o /var/log/snort/7124/snort.*.* -c /etc/snort/barnyard.conf

Every file is only a few MB.

Following scenario: One Snort is placed in our DMZ and the other one behind the FW in the local network.

DMZ-Snort's output:

output log_unified: filename snort.log, limit 128

The Snort in the local area fetches the log file via SCP. The file will be processed with Barnyard to import the data into the snort database. The SCP script looks like the following:

#!/bin/sh
ssh x.x.x.x /etc/init.d/snort stop
scp -v x.x.x.x:/var/log/snort/snort.*.* /var/log/snort/7124/
ssh x.x.x.x rm /var/log/snort/snort.*.*
ssh x.x.x.x /etc/init.d/snort start
/usr/local/bin/barnyard -o /var/log/snort/7124/snort.*.* -c /etc/snort/barnyard.conf

The script will be started by cron every 10 min. If I'm starting the script manually it's working fine. The next curious thing is, when I'm activating the alert logging additionally on the DMZ Snort, the error disappears. But then I get no payload in the Snort database. So I have to disable alert_unified. I've tested it on a newly installed machine and it worked for a time. After a while the error came up again.

So please, can anybody help me out? I have really no idea anymore. Maybe it's a support request?

Many thanks in advance
Susanne

Susanne Gruttmann
CNS - Client & Network Services
Hannover Entertainment Distribution Company GmbH
Emil-Berliner-Str. 13
30851 Langenhagen / Germany
www.edc-gmbh.com
Tel.: +49 (0)511 - 972 1424
Fax.: +49 (0)511 - 972 1104
sus...@ed...
Managing directors: Uwe Ilgenfritz-Donné, Yorck Köhn, Michael Kosemund, Dr. Bodo Wiechmann
Chair of the Supervisory Board: Dr. Kerstin Mast
Registered office: Langenhagen, Amtsgericht Hannover, HRB 200073
From: Gruttmann, S. <Sus...@ed...> - 2009-02-18 09:49:51
Hi,

does anyone know the problem "file size limit exceeded"? It only occurs if I'm starting Barnyard with a cron job. When I'm starting Barnyard by command line everything is fine.

ulimit -a shows the following:

core file size (blocks, -c) 0
data seg size (kbytes, -d) unlimited
file size (blocks, -f) unlimited
max locked memory (kbytes, -l) 32
max memory size (kbytes, -m) unlimited
open files (-n) 1024
pipe size (512 bytes, -p) 8
stack size (kbytes, -s) unlimited
cpu time (seconds, -t) unlimited
max user processes (-u) 2040
virtual memory (kbytes, -v) unlimited

I have no idea anymore :-O any help would be great

many thanks
Susanne
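"File size limit exceeded" is the shell's wording for SIGXFSZ, the signal a process receives when a write would push a file past its RLIMIT_FSIZE (the `file size (blocks, -f)` line of `ulimit -a`). The `ulimit -a` output above comes from an interactive shell; the two messages from Susanne (this one and the one above it, where the same error appears only under cron) leave open what limit the cron job itself runs under. The script below is an added example, not code from the thread or from the barnyard project, meant to be run from the same crontab entry as barnyard so that it reports the limit barnyard actually inherits there, together with any file barnyard appends to that has already reached that limit. The paths in the `__main__` block are assumptions taken from the thread.

```python
"""Report the RLIMIT_FSIZE a cron-launched barnyard inherits and the files at risk."""
import glob
import os
import resource
from typing import Dict, List, Tuple

UNLIMITED = resource.RLIM_INFINITY   # value getrlimit() returns for "unlimited"


def effective_fsize_limit() -> Tuple[int, int]:
    """(soft, hard) RLIMIT_FSIZE in bytes for this process. Run from the same
    crontab entry as barnyard, this is what barnyard inherits there."""
    return resource.getrlimit(resource.RLIMIT_FSIZE)


def files_over_limit(sizes: Dict[str, int], soft: int) -> List[str]:
    """Files whose size already reaches the soft limit: the next append to any
    of them raises SIGXFSZ, which the shell reports as 'File size limit exceeded'."""
    if soft == UNLIMITED:
        return []
    return sorted(name for name, size in sizes.items() if size >= soft)


def file_sizes(patterns: List[str]) -> Dict[str, int]:
    """Sizes of all regular files matching the given glob patterns."""
    sizes: Dict[str, int] = {}
    for pattern in patterns:
        for path in glob.glob(pattern):
            if os.path.isfile(path):
                sizes[path] = os.path.getsize(path)
    return sizes


def cron_diagnostic(patterns: List[str]) -> dict:
    """One record to write to a log from cron: the inherited limit and the files at risk."""
    soft, hard = effective_fsize_limit()
    sizes = file_sizes(patterns)
    return {
        "soft_limit": soft,
        "hard_limit": hard,
        "files_checked": len(sizes),
        "at_risk": files_over_limit(sizes, soft),
    }


if __name__ == "__main__":
    # Assumed locations from the thread: the fetched spool and barnyard's own log dir.
    print(cron_diagnostic(["/var/log/snort/7124/*", "/var/log/snort/*"]))
```

If the soft limit reported from cron is lower than the interactive one, the crontab or the cron daemon's PAM/limits configuration is where to look; if it is unlimited there too, the signal is coming from somewhere other than the resource limit and the at-risk list will be empty.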
From: Bamm V. <bam...@gm...> - 2009-02-11 16:56:15
One BY instance can only handle alert or log format. Remove all the snort.alert stuff in your snort and barnyard confs and then try. Bammkkkk On Wed, Feb 11, 2009 at 6:41 AM, Gruttmann, Susanne <Sus...@ed...> wrote: > Hi, > > I know there where already several posts, relating this problem, but nothing > of those workarounds really gave me a resolution. > > snort.conf as following: > > output alert_unified: filename snort.alert, limit 128 > output log_unified: filename snort.log, limit 128 > > barnyard.conf: > > processor dp_log > processor dp_alert > ( I know it´s not necessary with Barnyard 0.2.0, just for testing) > > output log_dump > > output alert_acid_db: mysql, sensor_id dehanlx-xxxx ,database snort, server > xxx.xxx.xxx.xxx, user snort, password xxx, detail full > > output log_acid_db: mysql, sensor_id dehanlx-xxxx, database snort, server > xxx.xxx.xxx.xxx, user snort, password xxx, detail full > > > However, disabling output alert unified returns back the payload. But alerts > are processed in a file called alert (ASCII) and will not processed by > Barnyard. The result is alerts are missing in database. > > > > Start options as following: > > > > snort start: > snort -c /etc/snort/snort.conf -i eth0 -o -D -u snort -l /var/log/snort/ > > barnyard start: > barnyard -c /etc/snort/barnyard.conf -g /etc/snort/gen-msg.map -s > /etc/snort/sid-msg.map -o /var/log/snort/7124/snort.*.* > > > > I will be grateful for any help. > > > > Thanks Susanne > > > > ------------------------------------------------------------------------------ > Create and Deploy Rich Internet Apps outside the browser with > Adobe(R)AIR(TM) > software. With Adobe AIR, Ajax developers can use existing skills and code > to > build responsive, highly engaging applications that combine the power of > local > resources and data with the reach of the web. 
Download the Adobe AIR SDK and > Ajax docs to start building applications today-http://p.sf.net/sfu/adobe-com > _______________________________________________ > Barnyard-users mailing list > Bar...@li... > https://lists.sourceforge.net/lists/listinfo/barnyard-users > > -- sguil - The Analyst Console for NSM http://sguil.sf.net |
From: Gruttmann, S. <Sus...@ed...> - 2009-02-11 13:53:18
|
Hi,

I know there were already several posts relating to this problem, but none of those workarounds really gave me a resolution.

snort.conf as follows:

output alert_unified: filename snort.alert, limit 128
output log_unified: filename snort.log, limit 128

barnyard.conf:

processor dp_log
processor dp_alert
(I know it's not necessary with Barnyard 0.2.0, just for testing)

output log_dump

output alert_acid_db: mysql, sensor_id dehanlx-xxxx, database snort, server xxx.xxx.xxx.xxx, user snort, password xxx, detail full

output log_acid_db: mysql, sensor_id dehanlx-xxxx, database snort, server xxx.xxx.xxx.xxx, user snort, password xxx, detail full

However, disabling output alert_unified brings the payload back. But alerts are then written to a file called alert (ASCII) and will not be processed by Barnyard. The result is that alerts are missing in the database.

Start options as follows:

snort start:
snort -c /etc/snort/snort.conf -i eth0 -o -D -u snort -l /var/log/snort/

barnyard start:
barnyard -c /etc/snort/barnyard.conf -g /etc/snort/gen-msg.map -s /etc/snort/sid-msg.map -o /var/log/snort/7124/snort.*.*

I will be grateful for any help.

Thanks
Susanne |
From: Edward E. <elb...@co...> - 2008-10-03 19:36:48
|
Hello fellow pig farmers,

I am attempting to generate two output streams for my snort data using barnyard. I have barnyard correctly using acid_db to provide alerts to BASE. However, I also need to generate realtime alerts to email high-priority alerts using swatch, so I need to produce syslog output as well. I read the earlier post that indicated that I need two separate barnyard implementations, so I have created a new barnyard_syslog.conf as well as a separate waldo file and then kick off two separate instances of barnyard. However, I still do not get any data in syslog format. Here is the output that I get:

root@snort:/var/log/snort# /usr/local/bin/barnyard -c /etc/snort/barnyard_syslog.conf -g /etc/snort/gen-msg.map -s /etc/snort/sid-msg.map -d /var/log/snort -f snort.log -w /etc/snort/bylog_syslog.waldo -L /var/log/snort/syslog -vvvvv
Barnyard Version 0.2.0 (Build 32)
Command line arguments:
Config file: /etc/snort/barnyard_syslog.conf
Spool dir: /var/log/snort
Gen-msg file: /etc/snort/gen-msg.map
Sid-msg file: /etc/snort/sid-msg.map
Class file: Not specified
Log dir: /var/log/snort/syslog
Archive dir: Not specified
File base: snort.log
Waldo file: /etc/snort/bylog_syslog.waldo
Pid file: Not specified
Verbosity level: 5
Dry run flag: Not Set
Batch mode flag: Not Set
Daemon flag: Not Set
New records only flag: Not Set
Usage flag: Not Set
Version flag: Not Set
Config file variables:
Hostname: snort
Interface: eth1
BPF Filter: not port 22
Class file: Not specified
Sid-msg file: Not specified
Gen-msg file: Not specified
Daemon flag: Not Set
Localtime flag: Set
Starting data processing using information from bookmark file
Program Variables:
Continual processing mode
Config dir: /etc/snort
Config file: /etc/snort/barnyard_syslog.conf
Sid-msg file: /etc/snort/sid-msg.map
Gen-msg file: /etc/snort/gen-msg.map
Class file: /etc/snort/classification.config
Hostname: snort
Interface: eth1
BPF Filter: not port 22
Log dir: /var/log/snort/syslog
Verbosity: 5
Localtime: 1
Spool dir: /var/log/snort
Spool file: snort.log
Bookmark file: /etc/snort/bylog_syslog.waldo
Record Number: 75
Timet: 1223059222
Start at end: 0
Opened spool file '/var/log/snort/snort.log.1223059222'
Waiting for new data |
From: Rachmat H. Al-A. <rac...@ya...> - 2008-05-08 10:07:33
|
Thanks to both of you, Joel Esler and Bamm Visscher :)

I have no problem at all with snort's output plugin or barnyard's output plugin. For snort, I set it up to unified file format and for barnyard, I set it up to MySQL database. The problem existed because I didn't remove the snort.log.xxxxx binary file from snort's log directory. I was fooled by its name snort.log. I thought it was unified file format, because they both have the same name format. Barnyard now runs smoothly with no problem.

Case closed.

Thanks in advance. Everyone loves it when people post solutions ;)

Matt |
From: Bamm V. <bam...@gm...> - 2008-05-07 20:25:18
|
You're trying to make barnyard read a pcap file not a unified log.

http://nsmwiki.org/Sguil_FAQ#Barnyard_says_.22No_input_plugin_found.22.

On Wed, May 7, 2008 at 1:33 PM, Rachmat Hidayat Al-Anshar <rac...@ya...> wrote: |
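The check behind that error, as an added example that is not Barnyard's own code: read the first four bytes of each spool file and report which input format they announce. 0xa1b2c3d4 is the libpcap file magic, so the file Barnyard opened was a packet capture; the unified v1 magic values are quoted from Snort's spo_unified.c from memory and are an assumption here, and the spool directory and file names are constructed.

```python
"""Classify a Snort spool file by its magic (added example, not Barnyard's code).

0xa1b2c3d4 (or byte-swapped 0xd4c3b2a1) is the libpcap file magic, so the
error above means Barnyard was handed a packet capture. The unified v1 magics
(0xDEAD4137 alert, 0xDEAD1080 log) are from Snort's spo_unified.c as I recall
them, an assumption; unified files use host byte order, so both are tried.
"""
import os
import struct
import tempfile

PCAP_MAGICS = {0xA1B2C3D4, 0xD4C3B2A1}
UNIFIED_MAGICS = {0xDEAD4137: "unified alert", 0xDEAD1080: "unified log"}
# Constructed 4-byte file heads; the pcap one matches the thread's error.
SAMPLE_PCAP_HEAD = bytes.fromhex("d4c3b2a1")
SAMPLE_UNIFIED_LOG_HEAD = struct.pack("<I", 0xDEAD1080)
SAMPLE_UNIFIED_ALERT_HEAD = struct.pack("<I", 0xDEAD4137)

def classify_magic(head):
    """Return 'pcap', 'unified alert', 'unified log' or an 'unknown ...' label."""
    if len(head) < 4:
        return "too short"
    for order in ("<", ">"):  # writer's byte order is unknown, try both
        magic = struct.unpack(order + "I", head[:4])[0]
        if magic in PCAP_MAGICS:
            return "pcap"
        if magic in UNIFIED_MAGICS:
            return UNIFIED_MAGICS[magic]
    return "unknown magic: " + head[:4].hex()

def find_foreign_spool_files(spool_dir, base="snort.log"):
    """List (name, label) for <base>.* files that are not unified records;
    Snort's pcap and unified loggers can share a file base (this thread's mix-up)."""
    foreign = []
    for name in sorted(os.listdir(spool_dir)):
        if not name.startswith(base + "."):
            continue
        with open(os.path.join(spool_dir, name), "rb") as fh:
            label = classify_magic(fh.read(4))
        if not label.startswith("unified"):
            foreign.append((name, label))
    return foreign

def demo():
    """Write the constructed samples to a temp spool dir and scan it."""
    with tempfile.TemporaryDirectory() as spool:
        for name, head in (("snort.log.1210120583", SAMPLE_PCAP_HEAD),
                           ("snort.log.1210120600", SAMPLE_UNIFIED_LOG_HEAD)):
            with open(os.path.join(spool, name), "wb") as fh:
                fh.write(head)
        return find_foreign_spool_files(spool)

if __name__ == "__main__":
    print(demo())  # [('snort.log.1210120583', 'pcap')]
```

Run it against the real spool directory by calling find_foreign_spool_files("/var/log/snort") and move or delete whatever it lists before restarting Barnyard.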
From: Rachmat H. Al-A. <rac...@ya...> - 2008-05-07 19:33:32
|
In the last 2 days, I tried to find out why this happened and to find a solution. I still didn't make it. I have no idea why barnyard still isn't working. Barnyard always says that it can't find any input plugin. I never found this kind of problem on a Linux-based OS. I beg for help :-(. Could anyone who has successfully applied barnyard share your experience with me?

Regards,
Matt

Rachmat Hidayat Al-Anshar wrote: |
From: Rachmat H. Al-A. <rac...@ya...> - 2008-05-06 21:06:57
|
I tried to install snort-2.8.0.1 on OpenBSD-4.2; before that, I tried to patch it with snortsam's patch diff file (snortsam-2.8.0.1.diff). There was no problem at all when compiling and installing Snort. But I got the following errors when issuing "make" to install Barnyard:

ProgVars.c: In function `ProgVars_Fprintf':
ProgVars.c:672: warning: long unsigned int format, time_t arg (arg 3)
gcc -g -O2 -Wall -L/usr/local/lib/mysql/ -o barnyard barnyard.o mstring.o strlcatu.o strlcpyu.o util.o spool.o sid.o debug.o classification.o CommandLineArgs.o ConfigFile.o ProgVars.o output-plugins/libop.a input-plugins/libdp.a -lz -lssl -lmysqlclient
/usr/local/lib/mysql//libmysqlclient.so.18.0: warning: strcpy() is almost always misused, please use strlcpy()
output-plugins/libop.a(op_sguil.o)(.text+0xea): In function `OpSguil_Start':
/etc/barnyard/src/output-plugins/op_sguil.c:220: warning: sprintf() is often misused, please use snprintf()
output-plugins/libop.a(op_sguil.o)(.text+0x4da): In function `OpSguil_Log':
/etc/barnyard/src/output-plugins/op_sguil.c:366: warning: strcat() is almost always misused, please use strlcat()

I continued the process hoping there was nothing wrong with barnyard processing snort's unified file. But later I learned that I was wrong... Barnyard produces these messages:

# tail /var/log/messages
May 7 09:01:00 snort barnyard: No bookmark file found, processing all events
May 7 09:01:03 snort barnyard[10430]: Initializing daemon mode
May 7 09:01:03 snort barnyard[23654]: Opened spool file '/var/log/snort//snort.log.1210120583'
May 7 09:01:03 snort barnyard[23654]: FATAL ERROR: ERROR: No input plugin found for magic: a1b2c3d4
May 7 09:01:03 snort barnyard[23654]: Exiting

when I try to run it with:

# /usr/local/bin/barnyard \
-c /etc/snort/barnyard.conf \
-d /var/log/snort/ \
-L /var/log/snort/ \
-s /etc/snort/sid-msg.map \
-g /etc/snort/gen-msg.map \
-p /etc/snort/classification.config \
-a /var/log/snort/archive/ \
-f snort.log \
-w /var/log/snort/barnyard.waldo \
-X /var/run/barnyard.pid \
-D

Now, what should I do?

Thanks in advance

Regards,
Matt |
From: Bamm V. <bam...@gm...> - 2008-04-10 15:16:43
|
Susanne,

You shouldn't need to use both log and alert. Unified log should contain all the info alert does plus the packet info.

Bammkkkk

On Thu, Apr 10, 2008 at 8:56 AM, Gruttmann, Susanne <Sus...@ed...> wrote: |
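Both of Bamm's replies in this thread (here, and the 2009 one at the top of the page) come down to one rule: a Barnyard instance consumes either the unified alert stream or the unified log stream, so its processors and output plugins must all sit on one side. The following is an added example, not Barnyard's own code, that checks a barnyard.conf for that mistake; it infers each plugin's side from its name prefix (dp_alert/dp_log, alert_*/log_*), which is an assumption about naming rather than a parse of the real config grammar, and the sample config is constructed to mirror the one posted in this thread.

```python
"""Flag a barnyard.conf that mixes alert-side and log-side plugins.

Added example, not Barnyard's own code. A Barnyard 0.2 instance reads one
unified stream (alert or log), so its processor and output plugins must all
sit on the same side. Side is inferred from the plugin name (dp_alert/dp_log,
alert_*/log_*); that naming rule is an assumption, not the real config grammar.
"""
import re

# Constructed sample mirroring the barnyard.conf posted in this thread.
SAMPLE_MIXED_CONF = """\
processor dp_log
processor dp_alert
output log_dump
output alert_acid_db: mysql, sensor_id sensor-a, database snort, server 10.0.0.5, user snort, password xxx, detail full
output log_acid_db: mysql, sensor_id sensor-a, database snort, server 10.0.0.5, user snort, password xxx, detail full
"""

_DIRECTIVE = re.compile(r"^\s*(processor|output)\s+([A-Za-z0-9_]+)")

def plugin_side(name):
    """Return 'alert' or 'log' for a processor/output plugin name, else None."""
    if name == "dp_alert" or name.startswith("alert_"):
        return "alert"
    if name == "dp_log" or name.startswith("log_"):
        return "log"
    return None

def lint_barnyard_conf(text):
    """Return (sides_used, findings) for one barnyard.conf's text."""
    seen = {}  # side -> [(lineno, directive, plugin)]
    for lineno, raw in enumerate(text.splitlines(), 1):
        m = _DIRECTIVE.match(raw.split("#", 1)[0])  # drop comments
        if not m:
            continue
        directive, plugin = m.groups()
        side = plugin_side(plugin)
        if side:
            seen.setdefault(side, []).append((lineno, directive, plugin))
    findings = []
    if len(seen) > 1:
        for side in sorted(seen):
            where = ", ".join(f"{d} {p} (line {ln})" for ln, d, p in seen[side])
            findings.append(f"{side}-side plugins: {where}")
        findings.append("mixed alert and log plugins: run two Barnyard instances "
                        "(one per unified file) or drop one side")
    return set(seen), findings

if __name__ == "__main__":
    sides, findings = lint_barnyard_conf(SAMPLE_MIXED_CONF)
    print("sides used:", sorted(sides))
    for finding in findings:
        print("WARN:", finding)
```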
From: Gruttmann, S. <Sus...@ed...> - 2008-04-10 14:57:18
|
Hi,

I'm using snort VS 2.8.0 and log traffic in unified format. I'm doing an import with barnyard for snort.log.xxx and alert.log.xxx into a mysql database. The problem is I have duplicate sensor and duplicate alert entries in the database now.

How can I merge snort.log and snort.alert into one file before importing the data?

thanks and regards
Susanne

Susanne Gruttmann
CNS - Client & Network Services Hannover
Entertainment Distribution Company GmbH
Emil-Berliner-Str. 13
30851 Langenhagen/ Germany
www.edc-gmbh.com
Tel.: +49 (0)511 - 972 1424
Fax.: +49 (0)511 - 972 1104
sus...@ed...
Geschäftsführung: Uwe Ilgenfritz-Donné, Yorck Köhn, Michael Kosemund, Dr. Bodo Wiechmann
Vorsitzende des Aufsichtsrats: Dr. Kerstin Mast
Sitz: Langenhagen, Amtsgericht Hannover, HRB 200073 |