This repository has been archived by the owner on Jan 18, 2024. It is now read-only.

Barnyard requires sid-msg-map to name the variables #182

Open
purefan opened this issue Feb 10, 2016 · 2 comments

Comments


purefan commented Feb 10, 2016

After posting here I decided to open an issue hoping to get more attention.

Background Info

  • OS: Ubuntu Server, Trusty 64 bit
  • Following the installation guide from snort
  • Installation of both Snort and Barnyard2 went smoothly without any errors

What I have done

  • Created a test rules file to alert on ICMP requests
  • Checked permissions and ownership of /var/log/snort and everything in it, tried several combinations (especially with permissions) and none of it helped. The current values for ownerships are snort:snort

What happens

  • Snort triggers the alert when doing a ping request and the /var/log/snort.u2 file is populated (this is good)
  • Running Barnyard2 throws these warnings:
$ sudo barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort -f /var/log/snort/snort.u2.1454679345 -w /var/log/snort/barnyard2.waldo

WARNING: invalid Reference spec '001'. Ignored
WARNING: invalid Reference spec 'icmp-event'. Ignored
WARNING: invalid Reference spec '0'. Ignored
WARNING: invalid Reference spec 'ICMP Test detected'. Ignored
1 || 10000001 || 001 || icmp-event || 0 || ICMP Test detected || url,tools.ietf.org/html/rfc792

How I "fixed" it

After reading a post by beenph I was able to come up with this solution. Basically the sid-msg.map file needs to have the "names" of the variables, something like this: varname,value || varname,value.

This works for me in terms of Barnyard2 not throwing those warnings anymore:

gid,1 || sid,10000001 || ref,001 || classification,icmp-event || priority,0 || msg,ICMP Test detected || url,tools.ietf.org/html/rfc792

But this is not a real solution because pulledpork does not add those varnames, and when using snort for anything serious it becomes impractical to keep the sid-msg.map up to date.

@purefan purefan changed the title Barnyard requires sid-msg-map to name the values Barnyard requires sid-msg-map to name the variables Feb 10, 2016
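Added example, not code from this issue or from Barnyard2: a small Python model of the two sid-msg.map layouts, run over the two lines quoted above, which shows why a line in the newer seven-field layout read under the older `sid || msg || ref` layout produces exactly the four warnings shown, and what the comma-prefixed version is actually turned into. The `#v2` first-line marker, the rule that a reference spec must be `system,id`, strtoul-style number parsing and gid 1 for v1 entries are assumptions about Barnyard2's parser, not facts taken from this page.

```python
import re

V2_HEADER = "#v2"   # assumed marker selecting the newer layout


def leading_int(text):
    """Mimic C strtoul(): use the leading digits, 0 when there are none."""
    m = re.match(r"\s*(\d+)", text)
    return int(m.group(1)) if m else 0


def parse_line(line, v2=False):
    """Split one map line; v1 is 'sid || msg || ref...', v2 is
    'gid || sid || rev || classification || priority || msg || ref...'."""
    fields = [f.strip() for f in line.split("||")]
    if v2:
        gid, sid, msg, ref_specs = leading_int(fields[0]), leading_int(fields[1]), fields[5], fields[6:]
    else:
        gid, sid, msg, ref_specs = 1, leading_int(fields[0]), fields[1], fields[2:]  # gid 1 assumed
    refs, warnings = [], []
    for spec in ref_specs:
        if "," in spec:              # assumed rule: a reference spec is "system,id"
            refs.append(tuple(s.strip() for s in spec.split(",", 1)))
        else:
            warnings.append(f"WARNING: invalid Reference spec '{spec}'. Ignored")
    return {"gid": gid, "sid": sid, "msg": msg, "refs": refs, "warnings": warnings}


def parse_map(text):
    """Parse a whole file; the layout is chosen by whether the first line is #v2."""
    lines = text.splitlines()
    v2 = bool(lines) and lines[0].strip() == V2_HEADER
    return [parse_line(l, v2) for l in lines if l.strip() and not l.startswith("#")]


# Constructed inputs, copied from the two lines quoted in the issue.
ISSUE_LINE = ("1 || 10000001 || 001 || icmp-event || 0 || ICMP Test detected"
              " || url,tools.ietf.org/html/rfc792")
FIXED_LINE = ("gid,1 || sid,10000001 || ref,001 || classification,icmp-event"
              " || priority,0 || msg,ICMP Test detected || url,tools.ietf.org/html/rfc792")

if __name__ == "__main__":
    for label, text in (("no header", ISSUE_LINE), ("comma 'fix'", FIXED_LINE),
                        ("#v2 header", V2_HEADER + "\n" + ISSUE_LINE)):
        e = parse_map(text)[0]
        print(f"{label:12s} sid={e['sid']:<8} msg={e['msg']!r:22} "
              f"refs={len(e['refs'])} warnings={len(e['warnings'])}")
```

In this model the comma version silences the warnings only because every field now looks like a reference, while the sid becomes 0 and the message becomes `sid,10000001`.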

stoggy875 commented Dec 8, 2016

I am having the same problem. Did you ever find a solution?

Even when I put the labels I still get an error from mysql. It's not the write error and the logs/alerts are going into the DB. I have only seen it when stopping barnyard2, so maybe it's just telling me I disconnected? Odd disconnect message from mysql.

2016-12-08T05:15:53.392026Z 75 [Note] Aborted connection 75 to db: 'database' user: 'mysqluser' host: 'localhost' (Got an error reading communication packets)

/usr/local/bin/barnyard2 -V
______ -> Barnyard2 <-
/ ,,_ \ Version 2.1.14 (Build 337)

@Simon1207

Hi, I have two big problems when I configure my IDS. I used snort IDS, barnyard2 with BASE. I don't understand why, when I add a new rule in sid-msg-map and I see the new rule in BASE, BASE shows me the alert as something like alert[1:10002:]; I can't solve this problem.
