snort +barnyard-0.2.0+ mysql

Dear Experts:

I recently installed snort and configured it; it is working successfully. I also installed barnyard-0.2.0 and copied barnyard.conf to /etc/snort/barnyard.conf. I have attached /etc/snort/barnyard.conf for your reference.
1. Please tell me how to integrate barnyard with snort.
2. How do I start or stop the barnyard service? I tried a few links to download and execute the script, but none of them is accessible. Please help me start the barnyard service.

Thanks in advance.

D_wathi Asked:
D_wathi (Author) Commented:
Sir, as my server and OS are 64-bit, a patch was required for barnyard. It is available at http://www.snort.org/users/jbrvenik/Site/Code_files/barnyard.64bit.diff; apply it by executing the following:

wget http://www.snort.org/users/jbrvenik/Site/Code_files/barnyard.64bit.diff
# patch -p1 < barnyard.64bit.diff
You will see something like this:
[root@FLT barnyard-0.2.0]# patch -p1 < barnyard.64bit.diff

patching file src/barnyard.h
patching file src/event.h

patching file src/input-plugins/dp_alert.h
patching file src/util.c
patching file src/util.h

1. Edit op_acid_db.c and add the line "mysql->reconnect = 1;" as shown below:
# cd /usr/local/src/barnyard-0.2.0/src/output-plugins
# vi op_acid_db.c
From:
LogMessage("Lost connection to MySQL server.  Reconnecting\n");
while(mysql_ping(mysql) != 0)
To:
LogMessage("Lost connection to MySQL server.  Reconnecting\n");
mysql->reconnect = 1;
while(mysql_ping(mysql) != 0)

2. Compile:
# ./configure --enable-mysql --with-mysql-libraries=/usr/lib64/mysql

The problem got resolved. Thank you very much.

0
 
Dave Howe (Software and Hardware Engineer) Commented:
No attachment here, but..

1) you pretty much just need to tell barnyard where to find the snort logs it is reading (usually /var/log/snort/snort.log) and, if you want to ensure you don't lose any data in restarts, a waldo file (in fact, I think you NEED a waldo file for barnyard to work properly in recent versions)

2) you just run it. if you want it to start as a service on boot, then there is usually a service item already in /etc/init.d if you install from rpm (or .deb) - if you compile from source, you don't get that (and have to be careful to tell it to compile in mysql support)
  when running it from a command prompt, you want to specify at least the path to the config file (usually /etc/barnyard.conf), the log dir and filename, and the waldo filespec.
0
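For point 2 with a source build, here is an added example of a minimal start/stop wrapper (my own script, not from the thread or the barnyard project). It assumes the -c/-g/-s/-d/-f/-w options of barnyard 0.2.0 and the paths used in this thread; adjust them to your layout.

```shell
#!/bin/sh
# Start/stop wrapper for a source-built barnyard 0.2.0, which "make install"
# leaves without an init.d script.  Every path below is an assumption taken
# from this thread; adjust to your own layout.
BARNYARD=/usr/local/bin/barnyard
CONF=/etc/snort/barnyard.conf
GENMAP=/etc/snort/gen-msg.map
SIDMAP=/etc/snort/sid-msg.map
LOGDIR=/var/log/snort
SPOOL=snort.log                      # base name of snort's unified log
WALDO=$LOGDIR/barnyard.waldo         # bookmark so restarts neither re-read nor lose data
PIDFILE=/var/run/barnyard.pid

# Print the full command line (paths above must not contain spaces).
by_cmdline() {
    printf '%s -c %s -g %s -s %s -d %s -f %s -w %s\n' \
        "$BARNYARD" "$CONF" "$GENMAP" "$SIDMAP" "$LOGDIR" "$SPOOL" "$WALDO"
}

# Check the files barnyard needs before launching (a missing sid-msg.map is
# the first error hit in this thread); lists each missing path, returns 1.
by_check() {
    rc=0
    for f in "$BARNYARD" "$CONF" "$GENMAP" "$SIDMAP" "$LOGDIR"; do
        [ -e "$f" ] || { echo "missing: $f" >&2; rc=1; }
    done
    return $rc
}

by_start() {
    by_check || return 1
    if [ -f "$PIDFILE" ] && kill -0 "$(cat "$PIDFILE")" 2>/dev/null; then
        echo "barnyard already running, pid $(cat "$PIDFILE")"; return 0
    fi
    $(by_cmdline) >"$LOGDIR/barnyard.out" 2>&1 &
    echo $! >"$PIDFILE"
    echo "barnyard started, pid $!"
}

by_stop() {
    [ -f "$PIDFILE" ] || { echo "barnyard not running"; return 0; }
    kill "$(cat "$PIDFILE")" && rm -f "$PIDFILE" && echo "barnyard stopped"
}

case "${1:-}" in
    start)   by_start ;;
    stop)    by_stop ;;
    restart) by_stop; by_start ;;
    "")      ;;                                  # sourced: only define functions
    *)       echo "usage: $0 start|stop|restart" >&2; exit 2 ;;
esac
```

Save it as /etc/init.d/barnyard (or wherever your distribution keeps such scripts) and run it with start, stop or restart.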
 
D_wathi (Author) Commented:
Thank you very much for the help. Sorry, I forgot to attach barnyard.conf; I have attached it now.
I have installed from source, hence I am not able to start and stop it from /etc/init.d. I also enabled mysql support while compiling. Everything is ready, but please give me the command line so that I can start the barnyard service.
barnyard.txt
0
Dave Howe (Software and Hardware Engineer) Commented:
looks ok, although I usually use database not alert_acid_db - I obviously haven't got the latest version :)

try this:

/usr/local/bin/barnyard2 -c /etc/snort/barnyard.conf -d /var/log/snort -f snort.log -w /var/log/snort/barnyard2.log

0
 
D_wathi (Author) Commented:
Thank you very much. When I tried to start the service, the following is the message:

# /usr/local/bin/barnyard -c /etc/snort/barnyard.conf -d /var/log/snort -f snort.log -w /var/log/snort/barnyard.log &
[1] 4205
[root@authserver opt]# Barnyard Version 0.2.0 (Build 32)
ERROR => Unable to open SID file "/etc/snort/sid-msg.map": No such file or directory
Waiting for new spool file
-----------------------------------------------
please help
0
 
Dave Howe (Software and Hardware Engineer) Commented:
odd, that file should be created by snort when you load its rulebase. does it exist?
0
 
D_wathi (Author) Commented:
Sir, I managed to start the service by copying sid-msg.map from /etc/snort/etc/sid-msg.map to /etc/snort.
I am also getting a fatal error and am not able to start until I comment out the lines below in barnyard.conf:

#output alert_acid_db: mysql, sensor_id 1, database snort, server localhost, user snort, password ij+74mysql
#output log_acid_db: mysql, database snort, server localhost, user snort, password ij+74mysql, detail full

Sir, as you said you are using "database", I also tried the following:
output database: mysql, sensor_id 1, database snort, server localhost, user snort, password ij+74mysql
output database: mysql, database snort, server localhost, user snort, password ij+74mysql, detail full

Still the same problem. Can you please correct me on how exactly the output lines should look?

Please help

0
 
D_wathi (Author) Commented:
Sir, when I try to start the barnyard service I am getting the error posted below for your reference:
/usr/local/bin/barnyard -c /etc/snort/barnyard.conf -g /etc/snort/gen-msg.map -s /etc/snort/sid-msg.map -d /var/log/snort -f snort.log -w /var/log/snort/barnyard.waldo
Barnyard Version 0.2.0 (Build 32)
WARNING /etc/snort/barnyard.conf(134) => Unknown output plugin "alert_acid_db" referenced, ignoring!Fatal Error, Quitting..
Exiting
------------------------------------------

I have also attached /etc/snort/barnyard.conf for your reference; please help me fix this. I have compiled and installed barnyard with mysql support.

0
 
D_wathi (Author) Commented:
I did cd to /barnyard-0.2.0 and executed the commands below:
make clean
make distclean
./configure --enable-mysql --with-mysql-libraries=/usr/lib64/mysql
make
make install
After this, when I try to start barnyard as follows, the error message is different; it is posted below:
/usr/local/bin/barnyard -c /etc/snort/barnyard.conf -g /etc/snort/gen-msg.map -s /etc/snort/sid-msg.map -d /var/log/snort -f snort.log -w /var/log/snort/barnyard.waldo
Barnyard Version 0.2.0 (Build 32)
Opened spool file '/var/log/snort/snort.log.1290089887'
ERROR: No input plugin found for magic: a1b2c3d4
Fatal Error, Quitting..
Exiting
-------------------------
please please help


0
 
Dave Howe (Software and Hardware Engineer) Commented:
ah. for some reason, your snort is outputting a -b (pcap) file not a unified log. what is the "output" line in your snort config?
0
 
D_wathi (Author) Commented:
Sir, Thanks for the reply

the output line is :
 output database: log, mysql, user=snort password=ij+74mysql dbname=snort host=localhost

0
 
Dave Howe (Software and Hardware Engineer) Commented:
erm, that looks like the output line from barnyard config, not from snort. are you sure that's from the snort config?
0
 
D_wathi (Author) Commented:
Sir, I am sure. I also checked once again: the output line posted is from /etc/snort/snort.conf, and I have commented out all the other output lines except this one:
output database: log, mysql, user=snort password=ij+74mysql dbname=snort host=localhost

I mean I commented out the non-unified output lines in snort.conf. I have also started snort with the -c option, not with -b, and still I am not able to start barnyard. Please help.

0
 
Dave Howe (Software and Hardware Engineer) Commented:
ok, will double check it when I get home, no linux box here...
0
 
D_wathi (Author) Commented:
Thank you very much, sir. I have started snort with -c; posted below for your reference:

ps aux | grep snort
root     13407 43.4  2.7 317260 209984 pts/2   S    21:28   0:10 snort -c /etc/snort/snort.conf -i eth0

Please help
0
 
D_wathi (Author) Commented:
Sir:

also tried with the following uncommented
# unified2
# Recommended for most installs
# output unified2: filename merged.log, limit 128, nostamp, mpls_event_types, vlan_event_types

# Additional configuration for specific types of installs
output alert_unified2: filename snort.alert, limit 128
output log_unified2: filename snort.log, limit 128

output database: log, mysql, user=snort password=ij+74mysql dbname=snort host=localhost

----------------------------------------
now with the above changes deleted all the log files of previous one from /var/log/snort  and started the snort like : snort -c /etc/snort/snort.conf -i eth0 &
with this log files got created under /var/log/snort :
/var/log/snort
[root@authserver snort]# dir
barnyard.waldo  snort.alert.1290099756  snort.log.1290099756
then created the barnyard.waldo with the content as :
cat barnyard.waldo
/var/log/snort
snort.log
1290099756
0
---------------------
and finally started the service with the command

/usr/local/bin/barnyard -c /etc/snort/barnyard.conf -g /etc/snort/gen-msg.map -s /etc/snort/sid-msg.map -d /var/log/snort -f snort.log -w /var/log/snort/barnyard.waldo
Barnyard Version 0.2.0 (Build 32)
Opened spool file '/var/log/snort/snort.log.1290099756'
ERROR: No input plugin found for magic: 02000000
Fatal Error, Quitting..
Exiting
-------------------------------------

please help to fix this.
0
 
D_wathi (Author) Commented:
Sir, I made the following change in the output line of snort.conf, referring to the article
http://searchenterpriselinux.techtarget.com/tip/Improving-Snort-performance-with-Barnyard
--------------------------/etc/snort/snort.conf--------------------
output alert_unified: filename snort.alert, limit 128
output log_unified: filename snort.log, limit 128
--------------------------------------------------

then executed the barnyard below command:

#/usr/local/bin/barnyard -c /etc/snort/barnyard.conf -g /etc/snort/gen-msg.map -s /etc/snort/sid-msg.map -d /var/log/snort -f snort.log -w /var/log/snort/barnyard.waldo

Barnyard Version 0.2.0 (Build 32)
Opened spool file '/var/log/snort/snort.log.1290101687'
ERROR: Invalid packet length: 199666180
Read error
Fatal Error, Quitting..
Exiting
----------------------------

sir now the error looks different it says Invalid packet length, please help me to fix this.
Thank you.
0
 
Dave Howe (Software and Hardware Engineer) Commented:
ok, the

output alert_unified: filename snort.alert, limit 128
output log_unified: filename snort.log, limit 128

matches what I have here.

bad packet length sounds like there is some "old" data in either your logfile or waldo file - try stopping snort, deleting /var/log/snort/* then start snort and finally barnyard again.
0
 
D_wathi (Author) Commented:
Sir, thanks for the reply. I deleted all the log files from /var/log/snort, then started snort, created barnyard.waldo and added the suffix of the snort file to the waldo file; still the same invalid packet error,
posted below for your reference:
Opened spool file '/var/log/snort/snort.log.1290136058'
ERROR: Invalid packet length: 1728330752
Read error
Fatal Error, Quitting..
Exiting
-------------------------------------------------

Also, by default the output lines in snort.conf look like the below:
# output alert_unified2: filename snort.alert, limit 128, nostamp
# output log_unified2: filename snort.log, limit 128, nostamp

When the numeral 2 in the above output lines is removed, starting barnyard gives the Invalid packet error, but when the 2 is retained and the barnyard service is started, I get the error posted below:
ERROR: No input plugin found for magic: 02000000
-----------------------------

I have also attached /var/log/snort/snort.log.1290136058 for your reference. Please help to fix this problem. Thank you.

snortlog.txt
0
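The two "No input plugin found for magic" values in this thread (a1b2c3d4 after Dave's pcap diagnosis, 02000000 with the unified2 lines above) come from barnyard 0.2.0 reading the first four bytes of the spool file as a host-order integer. Here is an added POSIX sh check (my own, not from the thread or the barnyard project) that prints that magic for a spool file and names the format; it assumes an x86 little-endian host, and the unified v1 magic values are from Snort's spo_unified.h as I recall them, so verify them against your source tree.

```shell
#!/bin/sh
# Inspect a snort spool file the way barnyard 0.2.0 does: it reads the first
# four bytes as a host-order (little-endian on x86) uint32 and looks for an
# input plugin matching that "magic".  pcap files (snort -b / -L) carry
# 0xa1b2c3d4, unified2 files start with a big-endian record type (2 = packet,
# 7 = IDS event), and unified v1 files start with Snort's ALERT_MAGIC /
# LOG_MAGIC / UNIFIED_MAGIC.  Assumption: those v1 values are quoted from
# spo_unified.h from memory; check them against your snort source tree.

# Echo the first 4 bytes byte-reversed, i.e. the magic barnyard would print.
spool_magic() {
    od -An -tx1 -N4 "$1" | tr -d ' \n' |
        sed 's/^\(..\)\(..\)\(..\)\(..\)$/\4\3\2\1/'
}

# Echo a format name for the file, or "unknown" (too short / not recognised).
spool_format() {
    case "$(spool_magic "$1")" in
        a1b2c3d4|d4c3b2a1) echo pcap ;;            # no barnyard 0.2.0 input plugin
        dead4137)          echo unified-alert ;;   # alert_unified (dp_alert)
        dead1080)          echo unified-log ;;     # log_unified (dp_log)
        2dac5ceb)          echo unified ;;         # combined "output unified:"
        00000000)          echo unknown ;;
        [0-9a-f][0-9a-f]000000) echo unified2 ;;   # needs barnyard2, not 0.2.0
        *)                 echo unknown ;;
    esac
}

# Constructed sample headers (not real snort output), written into directory $1.
make_samples() {
    printf '\324\303\262\241\002\000\004\000' > "$1/pcap.log"   # pcap global header
    printf '\000\000\000\002\000\000\000\034' > "$1/u2.log"     # unified2 packet record
    printf '\200\020\255\336\001\000\121\000' > "$1/u1.log"     # unified v1 log header
    printf '\067\101\255\336\001\000\121\000' > "$1/u1.alert"   # unified v1 alert header
    printf 'xx' > "$1/short.log"                                # truncated file
}

if [ $# -gt 0 ]; then      # usage: ./spoolcheck.sh /var/log/snort/snort.log.*
    for f in "$@"; do
        printf '%s: magic %s -> %s\n' "$f" "$(spool_magic "$f")" "$(spool_format "$f")"
    done
fi
```

Running it over /var/log/snort/snort.log.* tells you which snort output plugin actually wrote the file before you touch barnyard.conf or the waldo file.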
 
D_wathi (Author) Commented:
Sir, I request you to read the above post. Also, while searching the internet I got to know that a 64-bit barnyard should be patched, but I am not finding the link to download the patch. Please help me.
0
 
D_wathi (Author) Commented:
I could fix it myself.
0