Snort and Barnyard - No input plugin found for magic: a1b2c3d4

I am trying to fix our installation of snort.  It seems someone broke this a while back and I have been tasked with fixing it.  I can start snort without and issues, but when I start barnyard I get the following in my logs:

Oct 28 13:33:48 stables barnyard[28532]: Initializing daemon mode
Oct 28 13:33:48 stables barnyard[28533]: Opened spool file '/var/log/snort/snort.log.1319808021'
Oct 28 13:33:48 stables barnyard[28533]: FATAL ERROR: ERROR: No input plugin found for magic: a1b2c3d4
Oct 28 13:33:48 stables barnyard[28533]: Exiting

After doing some reading it seems I was trying to make barnyard read a pcap file, which I believe is wrong.  I read this:

http://nsmwiki.org/Sguil_FAQ#Barnyard_says_.22No_input_plugin_found.22.

I made the necessary changes but I am still unable to start barnyard.  

Any suggestions?

BTW, I am running my snort sensors and collector on RHEL5.

LVL 23
savoneAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

unSpawnCommented:
Please post your snort.conf (as in 'grep ^# snort.conf|grep .;'), the complete command line you run Snort with and the output of running snort with the "-T" flag.
0
Rich RumbleSecurity SamuraiCommented:
What is the barnyard command, the only part of the snort.conf I need to see is the output plugin, to use barnyard you'll need something like this in your snort.conf
# unified2
# Recommended for most installs
#    Remove "nostamp" to use in continuous mode!!
output unified2: filename merged.log, limit 128, nostamp, mpls_event_types, vlan_event_types
# Additional configuration for specific types of installs
output alert_unified2: filename snort.alert, limit 128, nostamp
output log_unified2: filename snort.log, limit 128, nostamp

Then I'd need to know if BY2 is part of a cron job or what runs it on a regular basis if anything.
-rich
0
savoneAuthor Commented:
Thanks for your help, I won't be back at work until Monday but I will post the info soon as I get in.
0
Increase Security & Decrease Risk with NSPM Tools

Analyst firm, Enterprise Management Associates (EMA) reveals significant benefits to enterprises when using Network Security Policy Management (NSPM) solutions, while organizations without, experienced issues including non standard security policies and failed cloud migrations

savoneAuthor Commented:
Ok guys, I hope you can help....


-bash-3.2# grep "output" /etc/snort/snort.conf | grep -v "^#"
output alert_unified: filename snort.alert, limit 128
output log_unified: filename snort.log, limit 128

There is nothing in cron for user snort or root that would point to barnyard.  I imagined it worked as a daemon.

Anything else you need please let me know.



0
Rich RumbleSecurity SamuraiCommented:
ps -aef | grep barnyard
it could be running as daemon, the process status command should give you the command line being used. Your current snort config is correct, the "nostamp" should not be present typically when using by2. You may need to post your barnyard.conf file as well (locate barnyard2.conf)
-rich
0
savoneAuthor Commented:
I dont think we are using barnyard2 just barnyard.

Since barnyard will not start I can not give you the output of ps -aef | grep barnyard as it will not return anything.

Here is my barnyard.conf file with comments and blank lines removed:

-bash-3.2# grep -v "^#" /etc/snort/barnyard.conf

config hostname: stables.x.x.x
config interface: eth1
output alert_fast
output log_dump
output log_acid_db: mysql, database snort, server x.x.x.x, user snort, password xxxxxxxxxxxxxxx, detail full

0
Rich RumbleSecurity SamuraiCommented:
I see, snort is using the old unified output, and your using an older barnyard, ok no problem there that should be ok. The command line for starting barnyard may be the issue, I assume your pointing it to the the snort log folder (/etc/snort/log ?)
./barnyard -c /etc/snort/barnyard.conf -p /etc/snort/classification.config -f snort.alert -g /etc/snort/rules/gen-msg.map -s etc/snort/rules/sid-msg.map

The error you mention means BY is looking at a Snort log, but not one in a Unified format
/var/log/snort/snort.log.1319808021

You may consider using BY2, perhaps it will be more informative, I'm having trouble locating a barnyard(1) source to have a look... http://www.securixlive.com/barnyard2/index.php
-rich
0
savoneAuthor Commented:
Well we are also using an old snort version.


-bash-3.2# snort -V

   ,,_     -*> Snort! <*-
  o"  )~   Version 2.8.6.1 (Build 39)  
   ''''    By Martin Roesch & The Snort Team: http://www.snort.org/snort/snort-team
           Copyright (C) 1998-2010 Sourcefire, Inc., et al.
           Using PCRE version: 6.6 06-Feb-2006


This may help you determine what string it is trying to start barnyard with:

Taken from /etc/init.d/barnyard:

# program name
BASE=barnyard

# program options
CONF="/etc/snort/barnyard.conf"
GEN_MAP="/etc/snort/gen-msg.map"
SID_MAP="/etc/snort/sid-msg.map"
LOG_DIR="/var/log/snort"
LOG_FILE="snort.log"
WALDO_FILE="/var/log/snort/barnyard.waldo"
DAEMON="-D"

/usr/local/bin/$BASE -c $CONF -g $GEN_MAP -s $SID_MAP -d $LOG_DIR -f $LOG_FILE -w $WALDO_FILE $DAEMON


Do you think you can help?
0
Rich RumbleSecurity SamuraiCommented:
So first, rename the output files to "unified" in snort.conf

Snort.conf
 #output alert_unified: filename snort.alert, limit 128 #commented out for now
 output log_unified: filename snort.unified, limit 128 #renamed to unified

Make sure Snort isn't using the "-b" option

Then edit /etc/init.d/barnyard:
from
LOG_FILE="snort.log"
to
 LOG_FILE="snort.unified"

That should do it, according to http://nsmwiki.org/Sguil_FAQ#Barnyard_says_.22No_input_plugin_found.22.
-rich
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
savoneAuthor Commented:
I went through that same thing before.  But just for arguments sake I did it again and now barnyard will start.  But like last time it usually dies within 10 minutes.

-bash-3.2# ps -ef | grep barnyard
root      5763     1  0 10:29 pts/0    00:00:00 /usr/local/bin/barnyard -c /etc/snort/barnyard.conf -g /etc/snort/gen-msg.map -s /etc/snort/sid-msg.map -d /var/log/snort -f snort.unified -w /var/log/snort/barnyard.waldo -D

I will check it in 15 and post back if it dies.
0
savoneAuthor Commented:
Another thing is my barnyard.waldo file... Is that supposed to update?  
0
Rich RumbleSecurity SamuraiCommented:
it should, you could delete it and it should be recreated. It should update only when it has written a new alert to the db, otherwise it will remain the same.
-rich
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Security

From novice to tech pro — start learning today.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.