?
Solved

Snort and Barnyard -  No input plugin found for magic: a1b2c3d4

Posted on 2011-10-28
12
Medium Priority
?
1,165 Views
Last Modified: 2013-11-29
I am trying to fix our installation of snort.  It seems someone broke this a while back and I have been tasked with fixing it.  I can start snort without and issues, but when I start barnyard I get the following in my logs:

Oct 28 13:33:48 stables barnyard[28532]: Initializing daemon mode
Oct 28 13:33:48 stables barnyard[28533]: Opened spool file '/var/log/snort/snort.log.1319808021'
Oct 28 13:33:48 stables barnyard[28533]: FATAL ERROR: ERROR: No input plugin found for magic: a1b2c3d4
Oct 28 13:33:48 stables barnyard[28533]: Exiting

After doing some reading it seems I was trying to make barnyard read a pcap file, which I believe is wrong.  I read this:

http://nsmwiki.org/Sguil_FAQ#Barnyard_says_.22No_input_plugin_found.22.

I made the necessary changes but I am still unable to start barnyard.  

Any suggestions?

BTW, I am running my snort sensors and collector on RHEL5.

0
Comment
Question by:savone
  • 6
  • 5
12 Comments
 
LVL 7

Expert Comment

by:unSpawn
ID: 37049365
Please post your snort.conf (as in 'grep ^# snort.conf|grep .;'), the complete command line you run Snort with and the output of running snort with the "-T" flag.
0
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 37049747
What is the barnyard command, the only part of the snort.conf I need to see is the output plugin, to use barnyard you'll need something like this in your snort.conf
# unified2
# Recommended for most installs
#    Remove "nostamp" to use in continuous mode!!
output unified2: filename merged.log, limit 128, nostamp, mpls_event_types, vlan_event_types
# Additional configuration for specific types of installs
output alert_unified2: filename snort.alert, limit 128, nostamp
output log_unified2: filename snort.log, limit 128, nostamp

Then I'd need to know if BY2 is part of a cron job or what runs it on a regular basis if anything.
-rich
0
 
LVL 23

Author Comment

by:savone
ID: 37049927
Thanks for your help, I won't be back at work until Monday but I will post the info soon as I get in.
0
Automating Your MSP Business

The road to profitability.
Delivering superior services is key to ensuring customer satisfaction and the consequent long-term relationships that enable MSPs to lock in predictable, recurring revenue. What's the best way to deliver superior service? One word: automation.

 
LVL 23

Author Comment

by:savone
ID: 37056537
Ok guys, I hope you can help....


-bash-3.2# grep "output" /etc/snort/snort.conf | grep -v "^#"
output alert_unified: filename snort.alert, limit 128
output log_unified: filename snort.log, limit 128

There is nothing in cron for user snort or root that would point to barnyard.  I imagined it worked as a daemon.

Anything else you need please let me know.



0
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 37056689
ps -aef | grep barnyard
it could be running as daemon, the process status command should give you the command line being used. Your current snort config is correct, the "nostamp" should not be present typically when using by2. You may need to post your barnyard.conf file as well (locate barnyard2.conf)
-rich
0
 
LVL 23

Author Comment

by:savone
ID: 37056734
I dont think we are using barnyard2 just barnyard.

Since barnyard will not start I can not give you the output of ps -aef | grep barnyard as it will not return anything.

Here is my barnyard.conf file with comments and blank lines removed:

-bash-3.2# grep -v "^#" /etc/snort/barnyard.conf

config hostname: stables.x.x.x
config interface: eth1
output alert_fast
output log_dump
output log_acid_db: mysql, database snort, server x.x.x.x, user snort, password xxxxxxxxxxxxxxx, detail full

0
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 37057106
I see, snort is using the old unified output, and your using an older barnyard, ok no problem there that should be ok. The command line for starting barnyard may be the issue, I assume your pointing it to the the snort log folder (/etc/snort/log ?)
./barnyard -c /etc/snort/barnyard.conf -p /etc/snort/classification.config -f snort.alert -g /etc/snort/rules/gen-msg.map -s etc/snort/rules/sid-msg.map

The error you mention means BY is looking at a Snort log, but not one in a Unified format
/var/log/snort/snort.log.1319808021

You may consider using BY2, perhaps it will be more informative, I'm having trouble locating a barnyard(1) source to have a look... http://www.securixlive.com/barnyard2/index.php
-rich
0
 
LVL 23

Author Comment

by:savone
ID: 37057279
Well we are also using an old snort version.


-bash-3.2# snort -V

   ,,_     -*> Snort! <*-
  o"  )~   Version 2.8.6.1 (Build 39)  
   ''''    By Martin Roesch & The Snort Team: http://www.snort.org/snort/snort-team
           Copyright (C) 1998-2010 Sourcefire, Inc., et al.
           Using PCRE version: 6.6 06-Feb-2006


This may help you determine what string it is trying to start barnyard with:

Taken from /etc/init.d/barnyard:

# program name
BASE=barnyard

# program options
CONF="/etc/snort/barnyard.conf"
GEN_MAP="/etc/snort/gen-msg.map"
SID_MAP="/etc/snort/sid-msg.map"
LOG_DIR="/var/log/snort"
LOG_FILE="snort.log"
WALDO_FILE="/var/log/snort/barnyard.waldo"
DAEMON="-D"

/usr/local/bin/$BASE -c $CONF -g $GEN_MAP -s $SID_MAP -d $LOG_DIR -f $LOG_FILE -w $WALDO_FILE $DAEMON


Do you think you can help?
0
 
LVL 38

Accepted Solution

by:
Rich Rumble earned 2000 total points
ID: 37057441
So first, rename the output files to "unified" in snort.conf

Snort.conf
 #output alert_unified: filename snort.alert, limit 128 #commented out for now
 output log_unified: filename snort.unified, limit 128 #renamed to unified

Make sure Snort isn't using the "-b" option

Then edit /etc/init.d/barnyard:
from
LOG_FILE="snort.log"
to
 LOG_FILE="snort.unified"

That should do it, according to http://nsmwiki.org/Sguil_FAQ#Barnyard_says_.22No_input_plugin_found.22.
-rich
0
 
LVL 23

Author Comment

by:savone
ID: 37057500
I went through that same thing before.  But just for arguments sake I did it again and now barnyard will start.  But like last time it usually dies within 10 minutes.

-bash-3.2# ps -ef | grep barnyard
root      5763     1  0 10:29 pts/0    00:00:00 /usr/local/bin/barnyard -c /etc/snort/barnyard.conf -g /etc/snort/gen-msg.map -s /etc/snort/sid-msg.map -d /var/log/snort -f snort.unified -w /var/log/snort/barnyard.waldo -D

I will check it in 15 and post back if it dies.
0
 
LVL 23

Author Comment

by:savone
ID: 37057505
Another thing is my barnyard.waldo file... Is that supposed to update?  
0
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 37057531
it should, you could delete it and it should be recreated. It should update only when it has written a new alert to the db, otherwise it will remain the same.
-rich
0

Featured Post

Free Tool: Site Down Detector

Helpful to verify reports of your own downtime, or to double check a downed website you are trying to access.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

I have written articles previously comparing SARDU and YUMI.  I also included a couple of lines about Easy2boot (easy2boot.com).  I have now been using, and enjoying easy2boot as my sole multiboot utility for some years and realize that it deserves …
With more and more companies allowing their employees to work remotely, it begs the question: What are some of the security risks involved with remote employees and what actions should we take to secure them?
Sometimes it takes a new vantage point, apart from our everyday security practices, to truly see our Active Directory (AD) vulnerabilities. We get used to implementing the same techniques and checking the same areas for a breach. This pattern can re…
In a question here at Experts Exchange (https://www.experts-exchange.com/questions/29062564/Adobe-acrobat-reader-DC.html), a member asked how to create a signature in Adobe Acrobat Reader DC (the free Reader product, not the paid, full Acrobat produ…
Suggested Courses

807 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question