I have two snort sensors set up on Debian feeding to mysql via barnyard. Alerts from both sensors show in the alerts log, but Base only shows the sensor of the most recently started snort/barnyard sensor config. Both sensors show correctly in the sensors table.
If I start the sensor on eth1, those alerts show up correctly in Base. Then if I start the sensor on eth2, those alerts show up, but the new ones for eth1 no longer show up unless I restart it.
All alerts are in mysql and in alert log.
Any help appreciated.
As an update - what I am seeing is both sensors showing up in Base, but when it writes, whichever sensor alerts for the one I most recently restarted show up under sensors as those alerts for both sensors.
For example, here are the listings from the sensors section. It is showing the same alerts for both sensors even though they only came in on eth1. None of the alerts in the database or alert log for eth2 are showing up in Base.
3 xxxx:eth1:not port 22 10 6 2 3 2008-11-06 10:09:26 2008-11-06 10:13:55
5 xxxx:eth2:not port 22 10 6 2 3 2008-11-06 10:09:26 2008-11-06 10:13:55
Sorry, I'm finally figuring out the issue. Barnyard is only writing whichever sensor was last started to the database; that is why Base is not seeing it. I need to fix my barnyard - I have both sensors writing to the same alert and log files and was using the same bylog.waldo file, but maybe I can't do that.
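The layout that avoids the problem described in the post above, as an added example that is not code from the thread: each sensor gets its own spool directory and its own barnyard bookmark (waldo) file, so two barnyard instances never read the same unified log or overwrite each other's bookmark. The paths under /var/log/snort/<iface>, the config file locations and the unified base filename (snort.log) are assumptions; the barnyard flags are the 0.2-series ones (-c config, -d spool directory, -f base filename, -w waldo file, -D daemonize). The check at the end takes a list of "interface waldo" pairs and flags any waldo file shared by more than one sensor.

```shell
#!/bin/sh
# Added example, not from the original thread. One spool directory and one
# waldo file per sensor; all paths and config locations below are assumptions.

LOG_ROOT=/var/log/snort            # assumed root for per-sensor spool dirs
SNORT_CONF=/etc/snort/snort.conf   # assumed snort config (with a unified output plugin)
BY_CONF=/etc/snort/barnyard.conf   # assumed barnyard config
UNIFIED_BASE=snort.log             # assumed base filename set in the unified output plugin

# Per-sensor spool directory and waldo file for one interface, space separated.
sensor_paths() {
    printf '%s/%s %s/%s/bylog.waldo\n' "$LOG_ROOT" "$1" "$LOG_ROOT" "$1"
}

# Command lines for one sensor pair, printed rather than executed so they can
# be inspected without snort or barnyard installed.
# $1 = interface, $2 = BPF filter (e.g. 'not port 22').
sensor_cmds() {
    iface=$1
    bpf=$2
    spool=$LOG_ROOT/$iface
    waldo=$spool/bylog.waldo
    # snort logs the unified file into this sensor's own directory
    printf 'snort -D -i %s -c %s -l %s %s\n' "$iface" "$SNORT_CONF" "$spool" "$bpf"
    # barnyard reads only that directory and bookmarks in that directory
    printf 'barnyard -D -c %s -d %s -f %s -w %s\n' "$BY_CONF" "$spool" "$UNIFIED_BASE" "$waldo"
}

# Actually start one sensor pair: create its spool directory, then run both
# command lines produced above.
start_sensor() {
    mkdir -p "$LOG_ROOT/$1"
    sensor_cmds "$1" "$2" | while IFS= read -r cmd; do
        $cmd
    done
}

# The misconfiguration from the thread: two barnyard instances sharing one
# waldo file. Reads "iface waldo" lines on stdin, prints every shared waldo
# with the interfaces using it, and exits 1 if any is shared.
check_waldo_unique() {
    awk '{ count[$2]++; owners[$2] = owners[$2] " " $1 }
         END {
             rc = 0
             for (w in count)
                 if (count[w] > 1) { print "shared waldo " w ":" owners[w]; rc = 1 }
             exit rc
         }'
}

# Constructed input mirroring the original setup: both sensors on one waldo.
example_shared() {
    printf 'eth1 %s/bylog.waldo\neth2 %s/bylog.waldo\n' "$LOG_ROOT" "$LOG_ROOT" \
        | check_waldo_unique
}

# The corrected layout: one waldo per interface, built from sensor_paths.
example_separate() {
    for i in eth1 eth2; do
        set -- $(sensor_paths "$i")
        echo "$i $2"
    done | check_waldo_unique
}

# Stand-alone run: show the command lines for the two sensors in the thread.
sensor_cmds eth1 'not port 22'
sensor_cmds eth2 'not port 22'
```

Running the block prints the four command lines; start_sensor eth1 'not port 22' and start_sensor eth2 'not port 22' would bring both pairs up with separate spool directories. Feed check_waldo_unique the "interface waldo" pairs from your real barnyard invocations (for instance from ps output) to confirm no two instances share a bookmark file.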
As an alternative to barnyard you could give FLoP a try: