Steven Vona
asked on
Snort and Barnyard - No input plugin found for magic: a1b2c3d4
I am trying to fix our installation of snort. It seems someone broke this a while back and I have been tasked with fixing it. I can start snort without any issues, but when I start barnyard I get the following in my logs:
Oct 28 13:33:48 stables barnyard[28532]: Initializing daemon mode
Oct 28 13:33:48 stables barnyard[28533]: Opened spool file '/var/log/snort/snort.log.1319808021'
Oct 28 13:33:48 stables barnyard[28533]: FATAL ERROR: ERROR: No input plugin found for magic: a1b2c3d4
Oct 28 13:33:48 stables barnyard[28533]: Exiting
After doing some reading it seems I was trying to make barnyard read a pcap file, which I believe is wrong. I read this:
http://nsmwiki.org/Sguil_FAQ#Barnyard_says_.22No_input_plugin_found.22.
I made the necessary changes but I am still unable to start barnyard.
Any suggestions?
BTW, I am running my snort sensors and collector on RHEL5.
Please post your snort.conf (as in 'grep ^# snort.conf|grep .;'), the complete command line you run Snort with and the output of running snort with the "-T" flag.
What is the barnyard command? The only part of the snort.conf I need to see is the output plugin. To use barnyard you'll need something like this in your snort.conf:
# unified2
# Recommended for most installs
# Remove "nostamp" to use in continuous mode!!
output unified2: filename merged.log, limit 128, nostamp, mpls_event_types, vlan_event_types
# Additional configuration for specific types of installs
output alert_unified2: filename snort.alert, limit 128, nostamp
output log_unified2: filename snort.log, limit 128, nostamp
Then I'd need to know if BY2 is part of a cron job or what runs it on a regular basis if anything.
-rich
ASKER
Thanks for your help, I won't be back at work until Monday but I will post the info soon as I get in.
ASKER
Ok guys, I hope you can help....
-bash-3.2# grep "output" /etc/snort/snort.conf | grep -v "^#"
output alert_unified: filename snort.alert, limit 128
output log_unified: filename snort.log, limit 128
There is nothing in cron for user snort or root that would point to barnyard. I imagined it worked as a daemon.
Anything else you need please let me know.
ps -aef | grep barnyard
It could be running as a daemon; the process status command should give you the command line being used. Your current snort config is correct; the "nostamp" should not be present typically when using by2. You may need to post your barnyard.conf file as well (locate barnyard2.conf).
-rich
ASKER
I don't think we are using barnyard2, just barnyard.
Since barnyard will not start I cannot give you the output of ps -aef | grep barnyard, as it will not return anything.
Here is my barnyard.conf file with comments and blank lines removed:
-bash-3.2# grep -v "^#" /etc/snort/barnyard.conf
config hostname: stables.x.x.x
config interface: eth1
output alert_fast
output log_dump
output log_acid_db: mysql, database snort, server x.x.x.x, user snort, password xxxxxxxxxxxxxxx, detail full
I see, snort is using the old unified output, and you're using an older barnyard; ok, no problem there, that should be ok. The command line for starting barnyard may be the issue. I assume you're pointing it to the snort log folder (/etc/snort/log ?)
./barnyard -c /etc/snort/barnyard.conf -p /etc/snort/classification.config -f snort.alert -g /etc/snort/rules/gen-msg.map -s /etc/snort/rules/sid-msg.map
The error you mention means BY is looking at a Snort log, but not one in a Unified format
/var/log/snort/snort.log.1319808021
You may consider using BY2, perhaps it will be more informative, I'm having trouble locating a barnyard(1) source to have a look... http://www.securixlive.com/barnyard2/index.php
-rich
ASKER
Well we are also using an old snort version.
-bash-3.2# snort -V
,,_ -*> Snort! <*-
o" )~ Version 2.8.6.1 (Build 39)
'''' By Martin Roesch & The Snort Team: http://www.snort.org/snort/snort-team
Copyright (C) 1998-2010 Sourcefire, Inc., et al.
Using PCRE version: 6.6 06-Feb-2006
This may help you determine what string it is trying to start barnyard with:
Taken from /etc/init.d/barnyard:
# program name
BASE=barnyard
# program options
CONF="/etc/snort/barnyard.conf"
GEN_MAP="/etc/snort/gen-msg.map"
SID_MAP="/etc/snort/sid-msg.map"
LOG_DIR="/var/log/snort"
LOG_FILE="snort.log"
WALDO_FILE="/var/log/snort/barnyard.waldo"
DAEMON="-D"
/usr/local/bin/$BASE -c $CONF -g $GEN_MAP -s $SID_MAP -d $LOG_DIR -f $LOG_FILE -w $WALDO_FILE $DAEMON
Do you think you can help?
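The two things the thread turns on are what the magic a1b2c3d4 means (libpcap, not Snort's unified format) and how barnyard finds its spool file from the -d and -f values in the init script. The checker below is an added example, not code from the thread or from Snort/Barnyard: it classifies a spool file by its leading magic (the unified alert and log magics are from Snort 2.x's spo_unified output; treating pick_spool as a close approximation of barnyard's "newest base.timestamp file" lookup is an assumption) and explains why barnyard would accept or reject it.

```python
import struct
from typing import Callable, List, Optional, Tuple

# Magic values at the start of Snort 2.x "unified" spool files, which the
# classic barnyard input plugins accept, plus the libpcap magics. The FATAL
# ERROR in this thread reports a1b2c3d4, i.e. a pcap, not a unified file.
MAGICS = {
    0xDEAD4137: "unified alert (snort.conf: output alert_unified)",
    0xDEAD1080: "unified log (snort.conf: output log_unified)",
    0xA1B2C3D4: "libpcap capture (Snort packet logger / -b output)",
    0xA1B23C4D: "libpcap capture with nanosecond timestamps",
}


def identify_spool(header: bytes) -> Tuple[str, str]:
    """Classify a spool file from its first four bytes.

    Returns (magic as hex, description). Both byte orders are tried because
    Snort writes the header in host order and a pcap may come from elsewhere.
    """
    if len(header) < 4:
        return ("", "too short: no magic header")
    for fmt in ("<I", ">I"):
        (magic,) = struct.unpack(fmt, header[:4])
        if magic in MAGICS:
            return (f"{magic:08x}", MAGICS[magic])
    return (header[:4].hex(), "unknown magic: neither unified nor pcap")


def pick_spool(names: List[str], base: str) -> Optional[str]:
    """Approximate barnyard's -d/-f lookup: newest '<base>.<unix timestamp>'."""
    prefix = base + "."
    best, best_ts = None, -1
    for name in names:
        if name.startswith(prefix) and name[len(prefix):].isdigit():
            ts = int(name[len(prefix):])
            if ts > best_ts:
                best, best_ts = name, ts
    return best


def diagnose(names: List[str], base: str,
             read_header: Callable[[str], bytes]) -> str:
    """Say whether barnyard would accept the spool it picks for `base`."""
    chosen = pick_spool(names, base)
    if chosen is None:
        return f"no spool file named {base}.<timestamp>; check snort's -l dir"
    magic, desc = identify_spool(read_header(chosen))
    if magic.startswith("dead"):
        return f"{chosen}: {desc}; barnyard can read it"
    return f"{chosen}: magic {magic} is {desc}; not a barnyard input"
```

With a real directory, pass `os.listdir(LOG_DIR)` and a reader that returns the first 4 bytes of each file; a "dead..." magic means the -f base name matches a unified file, anything else means Snort is writing something else under that name.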
ASKER CERTIFIED SOLUTION
ASKER
I went through that same thing before. But just for arguments sake I did it again and now barnyard will start. But like last time it usually dies within 10 minutes.
-bash-3.2# ps -ef | grep barnyard
root 5763 1 0 10:29 pts/0 00:00:00 /usr/local/bin/barnyard -c /etc/snort/barnyard.conf -g /etc/snort/gen-msg.map -s /etc/snort/sid-msg.map -d /var/log/snort -f snort.unified -w /var/log/snort/barnyard.waldo -D
I will check it in 15 and post back if it dies.
ASKER
Another thing is my barnyard.waldo file... Is that supposed to update?
It should; you could delete it and it should be recreated. It should update only when it has written a new alert to the db, otherwise it will remain the same.
-rich