Solved

snort +barnyard-0.2.0+ mysql

Posted on 2010-11-15
2,822 Views
Last Modified: 2013-11-29
Dear Experts:

I recently installed Snort and configured it; it is working successfully. I also installed barnyard-0.2.0 and copied the barnyard.conf to /etc/snort/barnyard.conf. The /etc/snort/barnyard.conf is attached for your reference.
1. Please tell me how to integrate barnyard with snort.
2. How do I start or stop the barnyard service? I tried a few links to download and execute the script, but none of them is accessible. Please help me with how to start the barnyard service.

Thanks in advance.

Question by: D_wathi
21 Comments
LVL 33

Expert Comment

by:Dave Howe
No attachment here, but..

1) You pretty much just need to tell barnyard where to find the snort logs it is reading (usually /var/log/snort/snort.log) and, if you want to ensure you don't lose any data on restarts, a waldo file (in fact, I think you NEED a waldo file for barnyard to work properly in recent versions).

2) You just run it. If you want it to start as a service on boot, then there is usually a service item already in /etc/init.d if you install from rpm (or .deb); if you compile from source, you don't get that (and have to be careful to tell it to compile in mysql support).
When running it from a command prompt, you want to specify at least the path to the config file (usually /etc/barnyard.conf), the log dir and filename, and the waldo filespec.
0
 

Author Comment

by:D_wathi
Thank you very much for the help. Sorry, I forgot to attach the barnyard.conf; I have now attached it.
I have installed from source, hence I am not able to start and stop it from /etc/init.d. I also enabled mysql support while doing the compilation. Everything is ready, but please give me the command-line command so that I can start the barnyard service.
barnyard.txt
0
 
LVL 33

Expert Comment

by:Dave Howe
Looks ok, although I usually use database, not alert_acid_db - I obviously haven't got the latest version :)

try this:

/usr/local/bin/barnyard2 -c /etc/snort/barnyard.conf -d /var/log/snort -f snort.log -w /var/log/snort/barnyard2.log

0
 

Author Comment

by:D_wathi
Thank you very much. When I tried to start the service, the following is the message:

#/usr/local/bin/barnyard -c /etc/snort/barnyard.conf -d /var/log/snort -f snort.log-w /var/log/snort/barnyard.log &
[1] 4205
[root@authserver opt]# Barnyard Version 0.2.0 (Build 32)
ERROR => Unable to open SID file "/etc/snort/sid-msg.map": No such file or directory
Waiting for new spool file
-----------------------------------------------
please help
0
 
LVL 33

Expert Comment

by:Dave Howe
Odd, that file should be created by snort when you load its rulebase. Does it exist?
0
 

Author Comment

by:D_wathi
Sir, I managed to start the service by copying the sid-msg.map from /etc/snort/etc/sid-msg.map to /etc/snort.
I am also getting a fatal error and am not able to start until I comment out the below in barnyard.conf:

#output alert_acid_db: mysql, sensor_id 1, database snort, server localhost, user snort, password ij+74mysql
#output log_acid_db: mysql, database snort, server localhost, user snort, password ij+74mysql, detail full

Sir, as you said you are using the database, I also tried it like the following:
output database: mysql, sensor_id 1, database snort, server localhost, user snort, password ij+74mysql
output database: mysql, database snort, server localhost, user snort, password ij+74mysql, detail full

Still the same problem. Can you please correct me on how exactly the output line should be?

Please help
0
 

Author Comment

by:D_wathi
Sir, when I try to start the barnyard service I am getting the error posted below for your reference:
/usr/local/bin/barnyard -c /etc/snort/barnyard.conf -g /etc/snort/gen-msg.map -s /etc/snort/sid-msg.map -d /var/log/snort -f snort.log -w /var/log/snort/barnyard.waldo
Barnyard Version 0.2.0 (Build 32)
WARNING /etc/snort/barnyard.conf(134) => Unknown output plugin "alert_acid_db" referenced, ignoring!Fatal Error, Quitting..
Exiting
------------------------------------------

I have also attached the /etc/snort/barnyard.conf for your reference. Please help me to fix this. I have compiled and installed barnyard with mysql support.

0
 

Author Comment

by:D_wathi
I did cd to /barnyard-0.2.0 and executed the below commands:
make clean
make dist clean
./configure -enable-mysql -with-mysql-libraries=/usr/lib64/mysql
make
make install
After this, when I try to start barnyard like the following, the error message is now different; it is posted below:
/usr/local/bin/barnyard -c /etc/snort/barnyard.conf -g /etc/snort/gen-msg.map -s /etc/snort/sid-msg.map -d /var/log/snort -f snort.log -w /var/log/snort/barnyard.waldo
Barnyard Version 0.2.0 (Build 32)
Opened spool file '/var/log/snort/snort.log.1290089887'
ERROR: No input plugin found for magic: a1b2c3d4
Fatal Error, Quitting..
Exiting
-------------------------
please please help
0
 
LVL 33

Expert Comment

by:Dave Howe
Ah. For some reason, your snort is outputting a -b (pcap) file, not a unified log. What is the "output" line in your snort config?
0
 

Author Comment

by:D_wathi
Sir, thanks for the reply.

The output line is:
 output database: log, mysql, user=snort password=ij+74mysql dbname=snort host=localhost

0
 
LVL 33

Expert Comment

by:Dave Howe
Erm, that looks like the output line from the barnyard config, not from snort. Are you sure that's from the snort config?
0
 

Author Comment

by:D_wathi
Sir, I am sure; I also checked once again that the output line posted is from /etc/snort/snort.conf, and I have commented out all the other output lines but this one:
output database: log, mysql, user=snort password=ij+74mysql dbname=snort host=localhost

I mean I commented out the ununified output lines in the snort.conf. I have also started snort with the -c option, not with -b, and still I am not able to start barnyard. Please help.

0
 
LVL 33

Expert Comment

by:Dave Howe
OK, will double check it when I get home, no linux box here...
0
 

Author Comment

by:D_wathi
Thank you very much, sir. I have started snort with -c; for your reference it is posted below:

ps aux | grep snort
root     13407 43.4  2.7 317260 209984 pts/2   S    21:28   0:10 snort -c /etc/snort/snort.conf -i eth0

please help
0
 

Author Comment

by:D_wathi
Sir:

I also tried with the following uncommented:
# unified2
# Recommended for most installs
# output unified2: filename merged.log, limit 128, nostamp, mpls_event_types, vlan_event_types

# Additional configuration for specific types of installs
output alert_unified2: filename snort.alert, limit 128
output log_unified2: filename snort.log, limit 128

output database: log, mysql, user=snort password=ij+74mysql dbname=snort host=localhost

----------------------------------------
Now, with the above changes, I deleted all the log files of the previous run from /var/log/snort and started snort like: snort -c /etc/snort/snort.conf -i eth0 &
With this, log files got created under /var/log/snort:
/var/log/snort
[root@authserver snort]# dir
barnyard.waldo  snort.alert.1290099756  snort.log.1290099756
Then I created the barnyard.waldo with the content as:
cat barnyard.waldo
/var/log/snort
snort.log
1290099756
0
---------------------
and finally started the service with the command:

/usr/local/bin/barnyard -c /etc/snort/barnyard.conf -g /etc/snort/gen-msg.map -s /etc/snort/sid-msg.map -d /var/log/snort -f snort.log -w /var/log/snort/barnyard.waldo
Barnyard Version 0.2.0 (Build 32)
Opened spool file '/var/log/snort/snort.log.1290099756'
ERROR: No input plugin found for magic: 02000000
Fatal Error, Quitting..
Exiting
-------------------------------------

Please help to fix this.
0
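Both "No input plugin found for magic" values in this thread (a1b2c3d4 and 02000000) can be diagnosed before barnyard is started, by looking at the first four bytes of the spool file the same way barnyard does, and the waldo file can be checked against the spool directory at the same time. The script below is an added example written for this thread; it is not barnyard's code and not from any of the posters. It assumes the 4-line text waldo layout shown in the post above (spool dir, base name, timestamp suffix, record index), takes the unified v1 magic constants from Snort's spo_unified.h (verify them against your own source tree), and assumes unified2 record type 2 is a packet record. All sample files it inspects are constructed in a temporary directory.

```python
"""Added example for this thread (not barnyard's or the thread's own code):
inspect a Snort spool file's leading bytes the way barnyard does and
sanity-check a 4-line text waldo file against the spool directory."""
import os
import struct
import tempfile

# A pcap file starts with bytes d4 c3 b2 a1 on a little-endian host, which a
# native uint32 read reports as a1b2c3d4 (the first value seen in the thread).
PCAP_MAGIC = 0xA1B2C3D4
# Unified (v1) file magics, taken from Snort's spo_unified.h; verify against
# your own source tree before relying on them.
UNIFIED_ALERT_MAGIC = 0xDEAD4137
UNIFIED_LOG_MAGIC = 0xDEAD1080
# Unified2 files have no magic: the first field is a big-endian record type,
# so a packet record (type 2, assumed) reads as 02000000 in host order, the
# second value seen in the thread. barnyard 0.2.0 has no unified2 reader.


def classify_spool(path):
    """Name the format of a spool file from its first four bytes."""
    with open(path, "rb") as fh:
        head = fh.read(4)
    if len(head) < 4:
        return "empty or truncated"
    host_order = struct.unpack("<I", head)[0]   # what an x86 build sees
    net_order = struct.unpack(">I", head)[0]    # how unified2 writes its fields
    if host_order == PCAP_MAGIC:
        return "pcap (written by snort -b or log_tcpdump); barnyard has no reader for it"
    if host_order == UNIFIED_ALERT_MAGIC:
        return "unified alert"
    if host_order == UNIFIED_LOG_MAGIC:
        return "unified log"
    if 0 < net_order < 256:
        return "unified2 record type %d (host order %08x); needs barnyard2" % (net_order, host_order)
    return "unknown magic %08x" % host_order


def check_waldo(waldo_path):
    """Parse the 4-line text waldo (spool dir, base name, timestamp suffix,
    record index) shown in the thread, an assumed layout, and confirm the
    spool file it points at exists and is in a format barnyard can read."""
    with open(waldo_path) as fh:
        lines = [ln.strip() for ln in fh.read().splitlines() if ln.strip()]
    if len(lines) != 4:
        return {"ok": False, "reason": "expected 4 lines, found %d" % len(lines)}
    spool_dir, base, stamp, index = lines
    if not (stamp.isdigit() and index.isdigit()):
        return {"ok": False, "reason": "timestamp and record index must be numeric"}
    spool = os.path.join(spool_dir, "%s.%s" % (base, stamp))
    if not os.path.isfile(spool):
        return {"ok": False, "reason": "spool file %s does not exist" % spool}
    fmt = classify_spool(spool)
    return {"ok": fmt.startswith("unified "), "spool": spool,
            "record": int(index), "format": fmt}


def demo():
    """Write constructed sample spool files to a temp dir and classify them."""
    tmp = tempfile.mkdtemp()
    samples = {
        "snort.log.1": struct.pack("<I", PCAP_MAGIC) + b"\0" * 20,          # pcap
        "snort.log.2": struct.pack(">I", 2) + b"\0" * 20,                   # unified2 packet
        "snort.log.3": struct.pack("<I", UNIFIED_LOG_MAGIC) + b"\0" * 20,   # unified log
    }
    results = {}
    for name, payload in samples.items():
        with open(os.path.join(tmp, name), "wb") as fh:
            fh.write(payload)
        results[name] = classify_spool(os.path.join(tmp, name))
    waldo = os.path.join(tmp, "barnyard.waldo")
    with open(waldo, "w") as fh:
        fh.write("%s\nsnort.log\n3\n0\n" % tmp)   # same 4-line layout as the thread
    results["waldo"] = check_waldo(waldo)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print("%-12s %s" % (key, value))
```

Run it against a real directory by calling classify_spool on the newest snort.log.* and check_waldo on barnyard.waldo; a "pcap" or "unified2" answer means the snort output line, not the barnyard command line, is what needs changing.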
 

Author Comment

by:D_wathi
Sir, I did the following change in the output line of snort.conf; I did this by referring to the article
http://searchenterpriselinux.techtarget.com/tip/Improving-Snort-performance-with-Barnyard
--------------------------/etc/snort/snort.conf--------------------
output alert_unified: filename snort.alert, limit 128
output log_unified: filename snort.log, limit 128
--------------------------------------------------

Then I executed the barnyard command below:

#/usr/local/bin/barnyard -c /etc/snort/barnyard.conf -g /etc/snort/gen-msg.map -s /etc/snort/sid-msg.map -d /var/log/snort -f snort.log -w /var/log/snort/barnyard.waldo

Barnyard Version 0.2.0 (Build 32)
Opened spool file '/var/log/snort/snort.log.1290101687'
ERROR: Invalid packet length: 199666180
Read error
Fatal Error, Quitting..
Exiting
----------------------------

Sir, now the error looks different; it says Invalid packet length. Please help me to fix this.
Thank you.
0
 
LVL 33

Expert Comment

by:Dave Howe
OK, the

output alert_unified: filename snort.alert, limit 128
output log_unified: filename snort.log, limit 128

matches what I have here.

Bad packet length sounds like there is some "old" data in either your logfile or waldo file - try stopping snort, deleting /var/log/snort/*, then start snort and finally barnyard again.
0
 

Author Comment

by:D_wathi
Sir, thanks for the reply. I deleted all the log files from /var/log/snort, then started snort, created barnyard.waldo and added the suffix of the snort file in the waldo file; still the same invalid packet error.
Posted below for your reference:
Opened spool file '/var/log/snort/snort.log.1290136058'
ERROR: Invalid packet length: 1728330752
Read error
Fatal Error, Quitting..
Exiting
-------------------------------------------------

Also, by default the output lines in the snort.conf look like the below:
# output alert_unified2: filename snort.alert, limit 128, nostamp
# output log_unified2: filename snort.log, limit 128, nostamp

When the numeral 2 in the above output lines is removed, starting barnyard gives the error "Invalid packet", but when the numeral 2 is retained and the barnyard service is started, I get an error like the one posted below:
ERROR: No input plugin found for magic: 02000000
-----------------------------

I have also attached the /var/log/snort/snort.log.1290136058 for your reference. Please help to fix this problem. Thank you.

snortlog.txt
0
 

Author Comment

by:D_wathi
Sir, I request you to read the above post. Also, while searching on the internet I got to know that a 64-bit barnyard should be patched, but I am not finding the link to download the patch. Please help me.
0
 

Accepted Solution

by: D_wathi earned 0 total points
Sir, as my server and OS are 64-bit, a patch was required for barnyard; it is available at http://www.snort.org/users/jbrvenik/Site/Code_files/barnyard.64bit.diff. Apply it by executing:

wget http://www.snort.org/users/jbrvenik/Site/Code_files/barnyard.64bit.diff
#patch -p1 < barnyard.64bit.diff
You will see something like this:
[root@FLT barnyard-0.2.0]# patch -p1 < barnyard.64bit.diff

patching file src/barnyard.h
patching file src/event.h

patching file src/input-plugins/dp_alert.h
patching file src/util.c
patching file src/util.h

1. Edit op_acid_db.c and add the line "mysql->reconnect = 1;" as below:
#cd /usr/local/src/barnyard-0.2.0/src/output-plugins
#vi op_acid_db.c
From:
LogMessage("Lost connection to MySQL server.  Reconnecting\n");
while(mysql_ping(mysql) != 0)
To:
LogMessage("Lost connection to MySQL server.  Reconnecting\n");
mysql->reconnect = 1;
while(mysql_ping(mysql) != 0)

2. Compile: # ./configure --enable-mysql --with-mysql-libraries=/usr/lib64/mysql

Problem got resolved. Thank you very much.

0
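The accepted solution says a 64-bit patch cured the "Invalid packet length" error but not what the patch changes. The usual cause of this class of failure is a record header that was written with 32-bit time fields while the 64-bit build reads it through the native struct timeval, whose fields are twice as wide, so the length fields are read from the wrong offset (from the packet payload) and come out as nonsense. The script below is an added example written for this thread, not barnyard's code and not the content of barnyard.64bit.diff: it models only the packet-header part of a unified log record, and the HDR32/HDR64 layouts and the MAX_PKT bound are assumptions. The constructed sample payload is chosen so that the misread length equals the figure quoted in the thread (1728330752); that is for illustration and says nothing about what the real log file contained.

```python
"""Added example (not from the thread or barnyard): how a packet header
written with 32-bit time fields misparses when read through the 64-bit
native struct timeval layout, producing an "Invalid packet length"."""
import struct

# Assumed on-disk layout of the packet header inside a unified log record,
# as written by a 32-bit build: tv_sec, tv_usec, caplen, pktlen (4 bytes
# each, host order). Only this part of the record is modelled here.
HDR32 = "<IIII"
# Layout a 64-bit build uses if it reads the same bytes through the native
# struct timeval, whose two fields are 8 bytes each on x86_64.
HDR64 = "<QQII"
MAX_PKT = 65535   # assumed sanity bound on caplen


def header_sizes():
    """Header size under each layout: (16, 24)."""
    return struct.calcsize(HDR32), struct.calcsize(HDR64)


def build_record(tv_sec, tv_usec, payload):
    """Write a record the way a 32-bit snort would (caplen == pktlen here)."""
    return struct.pack(HDR32, tv_sec, tv_usec, len(payload), len(payload)) + payload


def parse_record(record, fmt=HDR32):
    """Read one record through the given header layout, rejecting absurd
    lengths the way barnyard does."""
    size = struct.calcsize(fmt)
    if len(record) < size:
        raise ValueError("Read error: short header")
    tv_sec, tv_usec, caplen, pktlen = struct.unpack(fmt, record[:size])
    if caplen == 0 or caplen > MAX_PKT or caplen > pktlen:
        raise ValueError("Invalid packet length: %d" % caplen)
    return {"ts": (tv_sec, tv_usec), "caplen": caplen, "pktlen": pktlen,
            "data": record[size:size + caplen]}


def compare_layouts(record):
    """Parse the same bytes both ways; for the 64-bit layout the error text
    is returned instead of a parsed record."""
    out = {"hdr32": parse_record(record, HDR32)}
    try:
        out["hdr64"] = parse_record(record, HDR64)
    except ValueError as exc:
        out["hdr64"] = str(exc)
    return out


# Constructed sample: a 14-byte payload whose first four bytes were chosen so
# that the misread caplen equals the figure quoted in the thread (1728330752).
# Illustration only; it is not evidence of what the real spool file held.
SAMPLE = build_record(1290136058, 0, b"\x00\x3c\x04\x67" + bytes(range(10)))

if __name__ == "__main__":
    for layout, result in compare_layouts(SAMPLE).items():
        print(layout, result)
```

The practical check this gives a defender: if the "Invalid packet length" value is huge and changes with the traffic captured, the reader's struct layout disagrees with the writer's, and no amount of clearing old log or waldo files will fix it; the fix is on the build side, as the accepted solution found.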
 

Author Closing Comment

by:D_wathi
I could fix it myself.
0
