This repository has been archived by the owner on Jan 18, 2024. It is now read-only.

unable to write to mysql database #62

Closed
rush01 opened this issue Jan 20, 2013 · 27 comments

Comments
rush01 commented Jan 20, 2013

It appears barnyard2 is unable to write to mysql as I have it configured. Snort is running OK on CentOS 6.3 as per a doc on snort.org; I followed the directions I found at http://polaris.umuc.edu/~sgantz/Install.html for the barnyard config, yet I still see this message:
--== Initializing Barnyard2 ==--
Initializing Input Plugins!
Initializing Output Plugins!
Parsing config file "/etc/snort/barnyard2.conf"
Barnyard2 spooler: Event cache size set to [2048]
Log directory = /var/log/barnyard2
INFO database: Defaulting Reconnect/Transaction Error limit to 10
INFO database: Defaulting Reconnect sleep time to 5 second
database: [SynchronizeEventId()]: Problems executing [SELECT MAX(cid) FROM data WHERE sid='1';]
database: [SynchronizeEventId()]: Problems executing [SELECT MAX(cid) FROM event WHERE sid='1';]
database: [SynchronizeEventId()]: Problems executing [SELECT MAX(cid) FROM icmphdr WHERE sid='1';]
database: [SynchronizeEventId()]: Problems executing [SELECT MAX(cid) FROM iphdr WHERE sid='1';]
database: [SynchronizeEventId()]: Problems executing [SELECT MAX(cid) FROM opt WHERE sid='1';]
database: [SynchronizeEventId()]: Problems executing [SELECT MAX(cid) FROM tcphdr WHERE sid='1';]
database: [SynchronizeEventId()]: Problems executing [SELECT MAX(cid) FROM udphdr WHERE sid='1';]
[SignatureReferencePullDataStore()]: No Reference found in database ...
database: compiled support for (mysql)
database: configured to use mysql
database: schema version = 107
database: host = localhost
database: user = snort
database: database name = snort
database: sensor name = localhost:eth0
database: sensor id = 1
database: sensor cid = 1
database: data encoding = hex
database: detail level = full
database: ignore_bpf = no
database: using the "log" facility

    --== Initialization Complete ==--

______ -> Barnyard2 <-
/ ,,_ \ Version 2.1.11 (Build 317)
|o" )~| By Ian Firns (SecurixLive): http://www.securixlive.com/

WARNING: Ignoring corrupt/truncated waldofile '/var/log/snort/barnyard2.waldo'
Waiting for new spool file

and it doesn't appear to be writing to mysql.

binf (Collaborator) commented Jan 23, 2013

Do you have actual events being written in the unified2 file you monitor?

If you have no events, then no events will be logged to the database.

rush01 (Author) commented Jan 24, 2013

I ended up using Snort 2.9.2 which barely still supports mysql. I'll play with 2.9.4 again when I have time.


binf (Collaborator) commented Jan 24, 2013

Ok, well if you have events written to a unified2 file it should be fairly straightforward.

One thing you have to make sure of is that when you configure snort you use the following line

output unified2: filename merged.log, limit 128

and not

output unified2: filename snort.log, limit 128, nostamp

(the filename prefix and file size rotation limit can be changed to suit your needs), but if you have the nostamp option
snort will only generate a file named snort.log and barnyard2 will not read this file; also, each time snort restarts or the file reaches the limit, the previous file will be overwritten.

So that would be the first step. Then, when this is set up, you have to check that the file grows and has events in it.

Once you have this set up and the file grows, it should be processed by barnyard2 without a problem.

d3sre commented Jan 25, 2013

Hi

I've got the same issue with our installation. If there is any configuration problem, I would appreciate any input, but we currently can't find the problem. OS is SLES 11 SP2; we've tried it with barnyard2 versions 2.1.9, 2.1.10 and 2.1.11. Debug mode wasn't any more helpful either:

me@sensor:~> ps -ef | grep snort
snort 2109 1 0 13:40 ? 00:00:00 /usr/sbin/snort -A full -b -d -s -D -i eth1 -u snort -g snort -c /etc/snort/snort.conf -l /var/log/snort/eth1
snort 2120 1 0 13:40 ? 00:00:00 /usr/sbin/snort -A full -b -d -s -D -i eth2 -u snort -g snort -c /etc/snort/snort.conf -l /var/log/snort/eth2
root 25248 1 0 Jan24 ? 00:00:24 /usr/bin/barnyard2 -D -c /etc/snort/barnyard2.conf -d /var/log/snort/eth1 -f snort.log -w /var/log/snort/eth1/barnyard2.waldo -a /var/log/snort/eth1/archive -i eth1 -v
root 25250 1 0 Jan24 ? 00:00:24 /usr/bin/barnyard2 -D -c /etc/snort/barnyard2.conf -d /var/log/snort/eth2 -f snort.log -w /var/log/snort/eth2/barnyard2.waldo -a /var/log/snort/eth2/archive -i eth2 -v


grep -vw '#' /etc/snort/snort.conf (only relevant part copied here):

output unified2: filename snort.u2, limit 128

output alert_syslog: LOG_LOCAL7 LOG_WARNING LOG_NDELAY


grep -vw '#' /etc/snort/barnyard2.conf (only relevant part copied here):

config reference_file: /etc/snort/reference.config
config classification_file: /etc/snort/classification.config
config gen_file: /etc/snort/gen-msg.map
config sid_file: /etc/snort/sid-msg.map

config logdir: /var/log/barnyard2
config hostname: sensor

config alert_with_interface_name
config alert_on_each_packet_in_stream
config dump_payload_verbose
config verbose

input unified2

output log_tcpdump: snort-tcpdump.log
output database: log, mysql, user=snorbyinstall password=password dbname=snorby host=masterserver


before:
me@sensor:~> sudo lsof | grep 25248
barnyard2 25248 root cwd DIR 253,7 4096 8193 /home/me
barnyard2 25248 root rtd DIR 253,1 4096 2 /
barnyard2 25248 root txt REG 253,1 1110846 988077 /usr/bin/barnyard2.nodebug-2.1.10
barnyard2 25248 root mem REG 253,1 61622 1130521 /lib64/libnss_files-2.11.3.so
barnyard2 25248 root mem REG 253,1 19149 1130510 /lib64/libdl-2.11.3.so
barnyard2 25248 root mem REG 253,1 1685176 986572 /usr/lib64/libcrypto.so.0.9.8
barnyard2 25248 root mem REG 253,1 343040 987709 /usr/lib64/libssl.so.0.9.8
barnyard2 25248 root mem REG 253,1 57699 1130508 /lib64/libcrypt-2.11.3.so
barnyard2 25248 root mem REG 253,1 1754140 1130504 /lib64/libc-2.11.3.so
barnyard2 25248 root mem REG 253,1 541882 1130512 /lib64/libm-2.11.3.so
barnyard2 25248 root mem REG 253,1 108248 1130515 /lib64/libnsl-2.11.3.so
barnyard2 25248 root mem REG 253,1 217216 985943 /usr/lib64/libpcap.so.0.9.8
barnyard2 25248 root mem REG 253,1 88704 1130542 /lib64/libz.so.1.2.3
barnyard2 25248 root mem REG 253,1 1424512 988058 /usr/lib64/libmysqlclient.so.15.0.0
barnyard2 25248 root mem REG 253,1 151051 1131509 /lib64/ld-2.11.3.so
barnyard2 25248 root DEL REG 253,1 1123107 /var/run/nscd/dbRTo0Wv
barnyard2 25248 root mem REG 253,1 217016 1123098 /var/run/nscd/services
barnyard2 25248 root 0r REG 253,1 2056 1138746 /var/log/snort/eth1/barnyard2.waldo
barnyard2 25248 root 1u CHR 1,3 0t0 8283 /dev/null
barnyard2 25248 root 2u CHR 1,3 0t0 8283 /dev/null
barnyard2 25248 root 3u unix 0xffff8804327af480 0t0 67237891 socket
barnyard2 25248 root 4wW REG 253,1 0 1123102 /var/run/barnyard2_eth1.pid.lck
barnyard2 25248 root 5w REG 253,1 6 1123103 /var/run/barnyard2_eth1.pid
barnyard2 25248 root 6w REG 253,1 0 1171802 /var/log/barnyard2/snort-tcpdump.log.1359042114
barnyard2 25248 root 7u sock 0,7 0t0 67175013 can't identify protocol
barnyard2 25248 root 8r REG 253,1 0 1139472 /var/log/snort/eth1/snort.log.1359117629
barnyard2 25248 root 9w REG 253,1 2056 1138746 /var/log/snort/eth1/barnyard2.waldo

me@sensor:~> sudo lsof | grep 2109
snort 2109 snort cwd DIR 253,1 4096 1139679 /var/log/snort
snort 2109 snort rtd DIR 253,1 4096 2 /
snort 2109 snort txt REG 253,1 7650865 988053 /usr/sbin/snort-plain
snort 2109 snort mem REG 0,7 67951428 socket:[67951428](stat: No such file or directory)
snort 2109 snort mem REG 253,1 57699 1130508 /lib64/libcrypt-2.11.3.so
snort 2109 snort mem REG 253,1 98115 1130532 /lib64/libresolv-2.11.3.so
snort 2109 snort mem REG 253,1 249309 745626 /opt/quest/lib64/libvtcacheipc.so.1.0.0
snort 2109 snort mem REG 253,1 523342 745632 /opt/quest/lib64/libvtutil.so.1.0.0
snort 2109 snort mem REG 253,1 111866 745630 /opt/quest/lib64/libvtsmartcache.so.1.0.0
snort 2109 snort mem REG 253,1 96674 745637 /opt/quest/lib64/nss/libnss_vas4.so.2
snort 2109 snort mem REG 253,1 103589 1066389 /usr/lib64/snort-2.9.3.1_dynamicpreprocessor/libsf_ssh_preproc.so.0
snort 2109 snort mem REG 253,1 210043 1066377 /usr/lib64/snort-2.9.3.1_dynamicpreprocessor/libsf_reputation_preproc.so.0
snort 2109 snort mem REG 253,1 277652 1066383 /usr/lib64/snort-2.9.3.1_dynamicpreprocessor/libsf_sip_preproc.so.0
snort 2109 snort mem REG 253,1 281305 1066374 /usr/lib64/snort-2.9.3.1_dynamicpreprocessor/libsf_pop_preproc.so.0
snort 2109 snort mem REG 253,1 286937 1066368 /usr/lib64/snort-2.9.3.1_dynamicpreprocessor/libsf_imap_preproc.so.0
snort 2109 snort mem REG 253,1 105322 1066359 /usr/lib64/snort-2.9.3.1_dynamicpreprocessor/libsf_dns_preproc.so.0
snort 2109 snort mem REG 253,1 385142 1066386 /usr/lib64/snort-2.9.3.1_dynamicpreprocessor/libsf_smtp_preproc.so.0
snort 2109 snort mem REG 253,1 1175210 1066353 /usr/lib64/snort-2.9.3.1_dynamicpreprocessor/libsf_dce2_preproc.so.0
snort 2109 snort mem REG 253,1 513927 1066362 /usr/lib64/snort-2.9.3.1_dynamicpreprocessor/libsf_ftptelnet_preproc.so.0
snort 2109 snort mem REG 253,1 195257 1066365 /usr/lib64/snort-2.9.3.1_dynamicpreprocessor/libsf_gtp_preproc.so.0
snort 2109 snort mem REG 253,1 165286 1066371 /usr/lib64/snort-2.9.3.1_dynamicpreprocessor/libsf_modbus_preproc.so.0
snort 2109 snort mem REG 253,1 213440 1066356 /usr/lib64/snort-2.9.3.1_dynamicpreprocessor/libsf_dnp3_preproc.so.0
snort 2109 snort mem REG 253,1 121314 1066392 /usr/lib64/snort-2.9.3.1_dynamicpreprocessor/libsf_ssl_preproc.so.0
snort 2109 snort mem REG 253,1 187233 1066380 /usr/lib64/snort-2.9.3.1_dynamicpreprocessor/libsf_sdf_preproc.so.0
snort 2109 snort mem REG 253,1 256143 1066350 /usr/lib64/snort-2.9.3.1_dynamicengine/libsf_engine.so.0
snort 2109 snort mem REG 253,1 61622 1130521 /lib64/libnss_files-2.11.3.so
snort 2109 snort mem REG 253,1 1754140 1130504 /lib64/libc-2.11.3.so
snort 2109 snort mem REG 253,1 135690 1130530 /lib64/libpthread-2.11.3.so
snort 2109 snort mem REG 253,1 88704 1130542 /lib64/libz.so.1.2.3
snort 2109 snort mem REG 253,1 371156 988052 /usr/lib64/libsfbpf.so.0.0.1
snort 2109 snort mem REG 253,1 19149 1130510 /lib64/libdl-2.11.3.so
snort 2109 snort mem REG 253,1 541882 1130512 /lib64/libm-2.11.3.so
snort 2109 snort mem REG 253,1 108248 1130515 /lib64/libnsl-2.11.3.so
snort 2109 snort mem REG 253,1 194816 986821 /usr/lib64/libpcre.so.0.0.1
snort 2109 snort mem REG 253,1 61208 988030 /usr/lib64/libdnet.so.1.0.1
snort 2109 snort mem REG 253,1 245952 988032 /usr/lib64/libpcap.so.1.3.0
snort 2109 snort mem REG 253,1 151051 1131509 /lib64/ld-2.11.3.so
snort 2109 snort 0u CHR 1,3 0t0 8283 /dev/null
snort 2109 snort 1u CHR 1,3 0t0 8283 /dev/null
snort 2109 snort 2u CHR 1,3 0t0 8283 /dev/null
snort 2109 snort 3u unix 0xffff880832308b00 0t0 67961859 socket
snort 2109 snort 4w REG 253,1 0 1138755 /var/log/snort/eth1/alert
snort 2109 snort 5u sock 0,7 0t0 67951428 can't identify protocol
snort 2109 snort 6wW REG 253,1 0 1123125 /var/run/snort_eth1.pid.lck
snort 2109 snort 7w REG 253,1 5 1123126 /var/run/snort_eth1.pid
snort 2109 snort 8w REG 253,1 0 1139472 /var/log/snort/eth1/snort.log.1359117629

=> it's writing to the correct file, which barnyard2 is reading


Test was sending 4 pings to a server that is observed by snort:

root@sensor:~# strace -p 25248
Process 25248 attached - interrupt to quit
restart_syscall(<... resuming interrupted call ...>) = 0
read(8, "", 8) = 0
open("/var/log/snort/eth1", O_RDONLY|O_NONBLOCK|O_DIRECTORY|O_CLOEXEC) = 10
getdents64(10, /* 11 entries */, 32768) = 432
getdents64(10, /* 0 entries */, 32768) = 0
close(10) = 0
rt_sigprocmask(SIG_BLOCK, [CHLD], [], 8) = 0
rt_sigaction(SIGCHLD, NULL, {SIG_DFL, [], 0}, 8) = 0
rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0
nanosleep({1, 0}, {1, 0}) = 0
read(8, "", 8) = 0
open("/var/log/snort/eth1", O_RDONLY|O_NONBLOCK|O_DIRECTORY|O_CLOEXEC) = 10
getdents64(10, /* 11 entries */, 32768) = 432
getdents64(10, /* 0 entries */, 32768) = 0
close(10) = 0
rt_sigprocmask(SIG_BLOCK, [CHLD], [], 8) = 0
rt_sigaction(SIGCHLD, NULL, {SIG_DFL, [], 0}, 8) = 0
rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0
nanosleep({1, 0}, {1, 0}) = 0
read(8, "", 8) = 0
open("/var/log/snort/eth1", O_RDONLY|O_NONBLOCK|O_DIRECTORY|O_CLOEXEC) = 10
getdents64(10, /* 11 entries */, 32768) = 432
getdents64(10, /* 0 entries */, 32768) = 0
close(10) = 0
rt_sigprocmask(SIG_BLOCK, [CHLD], [], 8) = 0
rt_sigaction(SIGCHLD, NULL, {SIG_DFL, [], 0}, 8) = 0
rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0
nanosleep({1, 0}, {1, 0}) = 0
read(8, "", 8) = 0
open("/var/log/snort/eth1", O_RDONLY|O_NONBLOCK|O_DIRECTORY|O_CLOEXEC) = 10
getdents64(10, /* 11 entries */, 32768) = 432
getdents64(10, /* 0 entries */, 32768) = 0
close(10) = 0
rt_sigprocmask(SIG_BLOCK, [CHLD], [], 8) = 0
rt_sigaction(SIGCHLD, NULL, {SIG_DFL, [], 0}, 8) = 0
rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0
nanosleep({1, 0}, {1, 0}) = 0
read(8, "\324\303\262\241\2\0\4\0", 8) = 8
mmap(NULL, 33558528, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fb5a6f67000
read(8, "\0\0\0\0\0\0\0\0\352\5\0\0\1\0\0\0\310~\2Q\273K\t\0J\0\0\0J\0\0\0"..., 33555456) = 106
open("/var/log/snort/eth1", O_RDONLY|O_NONBLOCK|O_DIRECTORY|O_CLOEXEC) = 10
getdents64(10, /* 11 entries */, 32768) = 432
getdents64(10, /* 0 entries */, 32768) = 0
close(10) = 0
rt_sigprocmask(SIG_BLOCK, [CHLD], [], 8) = 0
rt_sigaction(SIGCHLD, NULL, {SIG_DFL, [], 0}, 8) = 0
rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0
nanosleep({1, 0}, {1, 0}) = 0
read(8, "\311~\2QB,\t\0J\0\0\0J\0\0\0\0\34\304V\247\24\0\0031{\24\0\10\0E\0"..., 33555350) = 90
open("/var/log/snort/eth1", O_RDONLY|O_NONBLOCK|O_DIRECTORY|O_CLOEXEC) = 10
getdents64(10, /* 11 entries */, 32768) = 432
getdents64(10, /* 0 entries */, 32768) = 0
close(10) = 0
rt_sigprocmask(SIG_BLOCK, [CHLD], [], 8) = 0
rt_sigaction(SIGCHLD, NULL, {SIG_DFL, [], 0}, 8) = 0
rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0
nanosleep({1, 0}, {1, 0}) = 0
read(8, "\312~\2Q\335'\t\0J\0\0\0J\0\0\0\0\34\304V\247\24\0\0031{\24\0\10\0E\0"..., 33555260) = 90
open("/var/log/snort/eth1", O_RDONLY|O_NONBLOCK|O_DIRECTORY|O_CLOEXEC) = 10
getdents64(10, /* 11 entries */, 32768) = 432
getdents64(10, /* 0 entries */, 32768) = 0
close(10) = 0
rt_sigprocmask(SIG_BLOCK, [CHLD], [], 8) = 0
rt_sigaction(SIGCHLD, NULL, {SIG_DFL, [], 0}, 8) = 0
rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0
nanosleep({1, 0}, {1, 0}) = 0
read(8, "\313~\2Q\372\37\t\0J\0\0\0J\0\0\0\0\34\304V\247\24\0\0031{\24\0\10\0E\0"..., 33555170) = 90
open("/var/log/snort/eth1", O_RDONLY|O_NONBLOCK|O_DIRECTORY|O_CLOEXEC) = 10
getdents64(10, /* 11 entries */, 32768) = 432
getdents64(10, /* 0 entries */, 32768) = 0
close(10) = 0
rt_sigprocmask(SIG_BLOCK, [CHLD], [], 8) = 0
rt_sigaction(SIGCHLD, NULL, {SIG_DFL, [], 0}, 8) = 0
rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0
nanosleep({1, 0}, {1, 0}) = 0
read(8, "", 33555080) = 0
open("/var/log/snort/eth1", O_RDONLY|O_NONBLOCK|O_DIRECTORY|O_CLOEXEC) = 10
getdents64(10, /* 11 entries */, 32768) = 432
getdents64(10, /* 0 entries */, 32768) = 0
close(10) = 0
rt_sigprocmask(SIG_BLOCK, [CHLD], [], 8) = 0
rt_sigaction(SIGCHLD, NULL, {SIG_DFL, [], 0}, 8) = 0
rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0
nanosleep({1, 0}, {1, 0}) = 0
read(8, "", 33555080) = 0
open("/var/log/snort/eth1", O_RDONLY|O_NONBLOCK|O_DIRECTORY|O_CLOEXEC) = 10
getdents64(10, /* 11 entries */, 32768) = 432
getdents64(10, /* 0 entries */, 32768) = 0
close(10) = 0
rt_sigprocmask(SIG_BLOCK, [CHLD], [], 8) = 0
rt_sigaction(SIGCHLD, NULL, {SIG_DFL, [], 0}, 8) = 0
rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0
nanosleep({1, 0}, {1, 0}) = 0
read(8, "", 33555080) = 0
open("/var/log/snort/eth1", O_RDONLY|O_NONBLOCK|O_DIRECTORY|O_CLOEXEC) = 10
getdents64(10, /* 11 entries */, 32768) = 432
getdents64(10, /* 0 entries */, 32768) = 0
close(10) = 0
rt_sigprocmask(SIG_BLOCK, [CHLD], [], 8) = 0
rt_sigaction(SIGCHLD, NULL, {SIG_DFL, [], 0}, 8) = 0
rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0
nanosleep({1, 0}, {1, 0}) = 0
read(8, "", 33555080) = 0
open("/var/log/snort/eth1", O_RDONLY|O_NONBLOCK|O_DIRECTORY|O_CLOEXEC) = 10
getdents64(10, /* 11 entries */, 32768) = 432
getdents64(10, /* 0 entries */, 32768) = 0
close(10) = 0
rt_sigprocmask(SIG_BLOCK, [CHLD], [], 8) = 0
rt_sigaction(SIGCHLD, NULL, {SIG_DFL, [], 0}, 8) = 0
rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0
nanosleep({1, 0}, ^C <unfinished ...>
Process 25248 detached


root@sensor:~# ls -lR /var/log/snort/
/var/log/snort/:
total 8
drwxr-xr-x 3 snort snort 4096 Jan 25 13:40 eth1
drwxr-xr-x 3 snort snort 4096 Jan 25 13:40 eth2

/var/log/snort/eth1:
total 40
-rw-r--r-- 1 snort snort 780 Jan 25 13:47 alert
-rw-r----- 1 snort snort 4841 Jan 24 09:39 alert.20130124-104734.bz2
-rw-r--r-- 1 snort snort 14 Jan 24 10:47 alert.20130124-105013.bz2
-rw-r--r-- 1 snort snort 14 Jan 24 10:50 alert.20130124-164144.bz2
-rw-r--r-- 1 snort snort 367 Jan 24 17:02 alert.20130125-050123.bz2
-rw-r--r-- 1 snort snort 14 Jan 25 05:01 alert.20130125-134027.bz2
drwx------ 2 snort snort 4096 Jan 25 05:01 archive
-rw------- 1 snort snort 2056 Jan 25 13:40 barnyard2.waldo
-rw------- 1 snort snort 384 Jan 25 13:47 snort.log.1359117629


after:

root@sensor:~# cat /var/log/snort/eth1/alert
[**] [1:477:0] Global ICMP Test Packet [**]
[Priority: 0]
01/25-13:47:04.609211 1.1.1.1 -> 2.2.2.2
ICMP TTL:118 TOS:0x0 ID:7615 IpLen:20 DgmLen:60
Type:8 Code:0 ID:1 Seq:1 ECHO

[**] [1:477:0] Global ICMP Test Packet [**]
[Priority: 0]
01/25-13:47:05.601154 1.1.1.1 -> 2.2.2.2
ICMP TTL:118 TOS:0x0 ID:7622 IpLen:20 DgmLen:60
Type:8 Code:0 ID:1 Seq:2 ECHO

[**] [1:477:0] Global ICMP Test Packet [**]
[Priority: 0]
01/25-13:47:06.600029 1.1.1.1 -> 2.2.2.2
ICMP TTL:118 TOS:0x0 ID:7629 IpLen:20 DgmLen:60
Type:8 Code:0 ID:1 Seq:3 ECHO

[**] [1:477:0] Global ICMP Test Packet [**]
[Priority: 0]
01/25-13:47:07.598010 1.1.1.1 -> 2.2.2.2
ICMP TTL:118 TOS:0x0 ID:7636 IpLen:20 DgmLen:60
Type:8 Code:0 ID:1 Seq:4 ECHO

root@sensor:~# tcpdump -r /var/log/snort/eth1/snort.log.1359117629
reading from file /var/log/snort/eth1/snort.log.1359117629, link-type EN10MB (Ethernet)
13:47:04.609211 IP 1.1.1.1 > 2.2.2.2: ICMP echo request, id 1, seq 1, length 40
13:47:05.601154 IP 1.1.1.1 > 2.2.2.2: ICMP echo request, id 1, seq 2, length 40
13:47:06.600029 IP 1.1.1.1 > 2.2.2.2: ICMP echo request, id 1, seq 3, length 40
13:47:07.598010 IP 1.1.1.1 > 2.2.2.2: ICMP echo request, id 1, seq 4, length 40

root@sensor:~# lsof | grep 25248
barnyard2 25248 root cwd DIR 253,7 4096 8193 /home/me
barnyard2 25248 root rtd DIR 253,1 4096 2 /
barnyard2 25248 root txt REG 253,1 1110846 988077 /usr/bin/barnyard2.nodebug-2.1.10
barnyard2 25248 root mem REG 253,1 61622 1130521 /lib64/libnss_files-2.11.3.so
barnyard2 25248 root mem REG 253,1 19149 1130510 /lib64/libdl-2.11.3.so
barnyard2 25248 root mem REG 253,1 1685176 986572 /usr/lib64/libcrypto.so.0.9.8
barnyard2 25248 root mem REG 253,1 343040 987709 /usr/lib64/libssl.so.0.9.8
barnyard2 25248 root mem REG 253,1 57699 1130508 /lib64/libcrypt-2.11.3.so
barnyard2 25248 root mem REG 253,1 1754140 1130504 /lib64/libc-2.11.3.so
barnyard2 25248 root mem REG 253,1 541882 1130512 /lib64/libm-2.11.3.so
barnyard2 25248 root mem REG 253,1 108248 1130515 /lib64/libnsl-2.11.3.so
barnyard2 25248 root mem REG 253,1 217216 985943 /usr/lib64/libpcap.so.0.9.8
barnyard2 25248 root mem REG 253,1 88704 1130542 /lib64/libz.so.1.2.3
barnyard2 25248 root mem REG 253,1 1424512 988058 /usr/lib64/libmysqlclient.so.15.0.0
barnyard2 25248 root mem REG 253,1 151051 1131509 /lib64/ld-2.11.3.so
barnyard2 25248 root DEL REG 253,1 1123107 /var/run/nscd/dbRTo0Wv
barnyard2 25248 root mem REG 253,1 217016 1123098 /var/run/nscd/services
barnyard2 25248 root 0r REG 253,1 2056 1138746 /var/log/snort/eth1/barnyard2.waldo
barnyard2 25248 root 1u CHR 1,3 0t0 8283 /dev/null
barnyard2 25248 root 2u CHR 1,3 0t0 8283 /dev/null
barnyard2 25248 root 3u unix 0xffff8804327af480 0t0 67237891 socket
barnyard2 25248 root 4wW REG 253,1 0 1123102 /var/run/barnyard2_eth1.pid.lck
barnyard2 25248 root 5w REG 253,1 6 1123103 /var/run/barnyard2_eth1.pid
barnyard2 25248 root 6w REG 253,1 0 1171802 /var/log/barnyard2/snort-tcpdump.log.1359042114
barnyard2 25248 root 7u sock 0,7 0t0 67175013 can't identify protocol
barnyard2 25248 root 8r REG 253,1 384 1139472 /var/log/snort/eth1/snort.log.1359117629
barnyard2 25248 root 9w REG 253,1 2056 1138746 /var/log/snort/eth1/barnyard2.waldo


Info from /var/log/messages:
Jan 24 16:41:50 sensor sudo: me : TTY=pts/3 ; PWD=/home/me ; USER=root ; COMMAND=/etc/init.d/barnyard2 start
Jan 24 16:41:50 sensor barnyard2[25247]: Running in Continuous mode
Jan 24 16:41:50 sensor barnyard2[25247]:
Jan 24 16:41:50 sensor barnyard2[25247]: --== Initializing Barnyard2 ==--
Jan 24 16:41:50 sensor barnyard2[25247]: Initializing Input Plugins!
Jan 24 16:41:50 sensor barnyard2[25247]: Initializing Output Plugins!
Jan 24 16:41:50 sensor barnyard2[25247]: Parsing config file "/etc/snort/barnyard2.conf"
Jan 24 16:41:54 sensor barnyard2[25247]: Log directory = /var/log/barnyard2
Jan 24 16:41:54 sensor barnyard2[25247]: WARNING database: Defaulting Reconnect/Transaction Error limit to 10
Jan 24 16:41:54 sensor barnyard2[25247]: WARNING database: Defaulting Reconnect sleep time to 5 second
Jan 24 16:41:54 sensor barnyard2[25247]: Initializing daemon mode
Jan 24 16:41:54 sensor barnyard2[25247]: Daemon parent exiting
Jan 24 16:41:54 sensor barnyard2[25248]: Daemon initialized, signaled parent pid: 25247
Jan 24 16:41:54 sensor barnyard2[25248]: PID path stat checked out ok, PID path set to /var/run/
Jan 24 16:41:54 sensor barnyard2[25248]: Writing PID "25248" to file "/var/run//barnyard2_eth1.pid"
Jan 24 16:41:54 sensor barnyard2[25249]: Running in Continuous mode
Jan 24 16:41:54 sensor barnyard2[25249]:
Jan 24 16:41:54 sensor barnyard2[25249]: --== Initializing Barnyard2 ==--
Jan 24 16:41:54 sensor barnyard2[25249]: Initializing Input Plugins!
Jan 24 16:41:54 sensor barnyard2[25249]: Initializing Output Plugins!
Jan 24 16:41:54 sensor barnyard2[25249]: Parsing config file "/etc/snort/barnyard2.conf"
Jan 24 16:41:58 sensor barnyard2[25249]: Log directory = /var/log/barnyard2
Jan 24 16:41:58 sensor barnyard2[25249]: WARNING database: Defaulting Reconnect/Transaction Error limit to 10
Jan 24 16:41:58 sensor barnyard2[25249]: WARNING database: Defaulting Reconnect sleep time to 5 second
Jan 24 16:41:58 sensor barnyard2[25249]: Initializing daemon mode
Jan 24 16:41:58 sensor barnyard2[25249]: Daemon parent exiting
Jan 24 16:41:58 sensor barnyard2[25250]: Daemon initialized, signaled parent pid: 25249
Jan 24 16:41:58 sensor barnyard2[25250]: PID path stat checked out ok, PID path set to /var/run/
Jan 24 16:41:58 sensor barnyard2[25250]: Writing PID "25250" to file "/var/run//barnyard2_eth2.pid"
Jan 24 16:42:12 sensor barnyard2[25248]: Node unique name is: sensor:eth1
Jan 24 16:42:12 sensor barnyard2[25248]: database: [SynchronizeEventId()]: Problems executing [SELECT MAX(cid) FROM data WHERE sid='1';]
Jan 24 16:42:12 sensor barnyard2[25248]: database: [SynchronizeEventId()]: Problems executing [SELECT MAX(cid) FROM event WHERE sid='1';]
Jan 24 16:42:12 sensor barnyard2[25248]: database: [SynchronizeEventId()]: Problems executing [SELECT MAX(cid) FROM icmphdr WHERE sid='1';]
Jan 24 16:42:12 sensor barnyard2[25248]: database: [SynchronizeEventId()]: Problems executing [SELECT MAX(cid) FROM iphdr WHERE sid='1';]
Jan 24 16:42:12 sensor barnyard2[25248]: database: [SynchronizeEventId()]: Problems executing [SELECT MAX(cid) FROM opt WHERE sid='1';]
Jan 24 16:42:12 sensor barnyard2[25248]: database: [SynchronizeEventId()]: Problems executing [SELECT MAX(cid) FROM tcphdr WHERE sid='1';]
Jan 24 16:42:12 sensor barnyard2[25248]: database: [SynchronizeEventId()]: Problems executing [SELECT MAX(cid) FROM udphdr WHERE sid='1';]
Jan 24 16:42:13 sensor barnyard2[25248]: [SignatureReferencePullDataStore()]: No Reference found in database ...
Jan 24 16:42:13 sensor barnyard2[25248]: database: compiled support for (mysql)
Jan 24 16:42:13 sensor barnyard2[25248]: database: configured to use mysql
Jan 24 16:42:13 sensor barnyard2[25248]: database: schema version = 107
Jan 24 16:42:13 sensor barnyard2[25248]: database: host = masterserver
Jan 24 16:42:13 sensor barnyard2[25248]: database: user = snorbyinstall
Jan 24 16:42:13 sensor barnyard2[25248]: database: database name = snorby
Jan 24 16:42:13 sensor barnyard2[25248]: database: sensor name = sensor:eth1
Jan 24 16:42:13 sensor barnyard2[25248]: database: sensor id = 1
Jan 24 16:42:13 sensor barnyard2[25248]: database: sensor cid = 3
Jan 24 16:42:13 sensor barnyard2[25248]: database: data encoding = hex
Jan 24 16:42:13 sensor barnyard2[25248]: database: detail level = full
Jan 24 16:42:13 sensor barnyard2[25248]: database: ignore_bpf = no
Jan 24 16:42:13 sensor barnyard2[25248]: database: using the "log" facility
Jan 24 16:42:13 sensor barnyard2[25248]:
Jan 24 16:42:13 sensor barnyard2[25248]: --== Initialization Complete ==--
Jan 24 16:42:13 sensor barnyard2[25248]: Barnyard2 initialization completed successfully (pid=25248)
Jan 24 16:42:13 sensor barnyard2[25248]: Using waldo file '/var/log/snort/eth1/barnyard2.waldo': spool directory = /var/log/snort/eth1 spool filebase = snort.log time_stamp = 1359021015 record_idx = 0
Jan 24 16:42:13 sensor barnyard2[25248]: Opened spool file '/var/log/snort/eth1/snort.log.1359042105'
Jan 24 16:42:13 sensor barnyard2[25248]: Waiting for new data
Jan 24 16:42:16 sensor barnyard2[25250]: Node unique name is: sensor:eth2
Jan 24 16:42:16 sensor barnyard2[25250]: database: [SynchronizeEventId()]: Problems executing [SELECT MAX(cid) FROM data WHERE sid='3';]
Jan 24 16:42:16 sensor barnyard2[25250]: database: [SynchronizeEventId()]: Problems executing [SELECT MAX(cid) FROM event WHERE sid='3';]
Jan 24 16:42:16 sensor barnyard2[25250]: database: [SynchronizeEventId()]: Problems executing [SELECT MAX(cid) FROM icmphdr WHERE sid='3';]
Jan 24 16:42:16 sensor barnyard2[25250]: database: [SynchronizeEventId()]: Problems executing [SELECT MAX(cid) FROM iphdr WHERE sid='3';]
Jan 24 16:42:16 sensor barnyard2[25250]: database: [SynchronizeEventId()]: Problems executing [SELECT MAX(cid) FROM opt WHERE sid='3';]
Jan 24 16:42:16 sensor barnyard2[25250]: database: [SynchronizeEventId()]: Problems executing [SELECT MAX(cid) FROM tcphdr WHERE sid='3';]
Jan 24 16:42:16 sensor barnyard2[25250]: database: [SynchronizeEventId()]: Problems executing [SELECT MAX(cid) FROM udphdr WHERE sid='3';]
Jan 24 16:42:18 sensor barnyard2[25250]: [SignatureReferencePullDataStore()]: No Reference found in database ...
Jan 24 16:42:18 sensor barnyard2[25250]: database: compiled support for (mysql)
Jan 24 16:42:18 sensor barnyard2[25250]: database: configured to use mysql
Jan 24 16:42:18 sensor barnyard2[25250]: database: schema version = 107
Jan 24 16:42:18 sensor barnyard2[25250]: database: host = masterserver
Jan 24 16:42:18 sensor barnyard2[25250]: database: user = snorbyinstall
Jan 24 16:42:18 sensor barnyard2[25250]: database: database name = snorby
Jan 24 16:42:18 sensor barnyard2[25250]: database: sensor name = sensor:eth2
Jan 24 16:42:18 sensor barnyard2[25250]: database: sensor id = 3
Jan 24 16:42:18 sensor barnyard2[25250]: database: sensor cid = 3
Jan 24 16:42:18 sensor barnyard2[25250]: database: data encoding = hex
Jan 24 16:42:18 sensor barnyard2[25250]: database: detail level = full
Jan 24 16:42:18 sensor barnyard2[25250]: database: ignore_bpf = no
Jan 24 16:42:18 sensor barnyard2[25250]: database: using the "log" facility
Jan 24 16:42:18 sensor barnyard2[25250]:
Jan 24 16:42:18 sensor barnyard2[25250]: --== Initialization Complete ==--
Jan 24 16:42:18 sensor barnyard2[25250]: Barnyard2 initialization completed successfully (pid=25250)
Jan 24 16:42:18 sensor barnyard2[25250]: Using waldo file '/var/log/snort/eth2/barnyard2.waldo': spool directory = /var/log/snort/eth2 spool filebase = snort.log time_stamp = 1359021016 record_idx = 0
Jan 24 16:42:18 sensor barnyard2[25250]: Opened spool file '/var/log/snort/eth2/snort.log.1359042107'
Jan 24 16:42:18 sensor barnyard2[25250]: Waiting for new data

root@sensor:~# ls -l /var/log/barnyard2/
total 16
-rw-r--r-- 1 root root 0 Jan 18 14:20 alert
-rw-r--r-- 1 root root 0 Jan 23 15:14 barnyard2.alert
-rw------- 1 root root 24 Jan 24 09:34 snort-tcpdump.log.1359014745
-rw------- 1 root root 24 Jan 24 09:34 snort-tcpdump.log.1359014750
-rw------- 1 root root 24 Jan 24 16:41 snort-tcpdump.log.1359016486
-rw------- 1 root root 24 Jan 24 16:41 snort-tcpdump.log.1359016490
-rw------- 1 root root 0 Jan 24 16:41 snort-tcpdump.log.1359042114
-rw------- 1 root root 0 Jan 24 16:41 snort-tcpdump.log.1359042118

root@sensor:~# rpm -qa | grep barn
barnyard2-2-1.11
root@sensor:~# rpm -qa | grep snort
snort-2.9.3.1-1
root@sensor:~#

=> With strace we don't see anything more generated. As the whole setup hasn't worked with barnyard2 yet (upgrade from an old snort version), I can't say what is supposed to happen when packets are received and added to the unified2 file. The error messages in /var/log/messages are now different than the ones posted above, but we also had them.
tcpdump sees packets sent to the masterserver when barnyard is restarted, but it's only select statements, most likely to check the position. No received packet has ever been sent to import. Snorby has recognized 2 sniffing interfaces, but no alerts (but since there is nothing sent when received..).

Please let me know if you need more information.
Thank you

binf (Collaborator) commented Jan 25, 2013

Remove the snort -b command line argument, and -A (useless for unified2 logging),
since -b will create a binary output file, and this file is a pcap file, e.g.:

use the command: file /var/log/snort/snort.log.XXXXX and you should see it.

And we highly recommend that you use 2-1.11.
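A check that covers both pieces of advice above (timestamped unified2 filenames, and a spool file that is really pcap because of snort -b), as an added example rather than code from barnyard2 or this thread. It reads the first eight bytes of the newest spool file, the same eight bytes barnyard2 read in the strace posted earlier, and classifies them; the unified2 record-type numbers are those of Snort's unified2 header definitions, and the spool directory built by demo() is constructed.

```python
# Spool-directory sanity check for a barnyard2 "input unified2" setup.
# Added example, not barnyard2 or Snort code.
import os
import re
import struct
import tempfile

# The 8 bytes barnyard2 read from snort.log.1359117629 in the strace above:
# \324\303\262\241\2\0\4\0 == d4 c3 b2 a1 02 00 04 00, i.e. little-endian pcap
# magic plus pcap version 2.4. Read as a unified2 (type, length) header that is
# length 0x02000400 == 33555456, exactly the size of the read() that follows.
STRACE_HEAD = b"\xd4\xc3\xb2\xa1\x02\x00\x04\x00"

PCAP_MAGICS = {
    b"\xa1\xb2\xc3\xd4": ">",  # big-endian, microsecond timestamps
    b"\xd4\xc3\xb2\xa1": "<",  # little-endian, microsecond timestamps
}

# unified2 serial record types (Snort's Unified2_common.h)
UNIFIED2_TYPES = {
    2: "PACKET",
    7: "IDS_EVENT",
    72: "IDS_EVENT_IPV6",
    104: "IDS_EVENT_VLAN",
    105: "IDS_EVENT_IPV6_VLAN",
    110: "EXTRA_DATA",
}


def classify_header(head):
    """Classify a spool file from its first 8 bytes."""
    if len(head) < 8:
        return {"kind": "empty" if not head else "short"}
    endian = PCAP_MAGICS.get(head[:4])
    if endian is not None:
        major, minor = struct.unpack(endian + "HH", head[4:8])
        return {"kind": "pcap", "version": "%d.%d" % (major, minor)}
    # unified2 serial header: uint32 type, uint32 length, network byte order
    rtype, rlen = struct.unpack(">II", head)
    if rtype in UNIFIED2_TYPES and 0 < rlen < 65536:
        return {"kind": "unified2", "record_type": UNIFIED2_TYPES[rtype],
                "record_len": rlen}
    return {"kind": "unknown"}


def select_spool_files(names, filebase):
    """Split a listing into '<filebase>.<unix time>' spool files (sorted by
    timestamp) and a bare '<filebase>' file, which is what 'nostamp' yields."""
    pattern = re.compile(re.escape(filebase) + r"\.(\d+)$")
    stamped, bare = [], None
    for name in names:
        match = pattern.match(name)
        if match:
            stamped.append((int(match.group(1)), name))
        elif name == filebase:
            bare = name
    stamped.sort()
    return stamped, bare


def diagnose(directory, filebase="snort.log"):
    """Look at the newest spool file and report what would stop barnyard2."""
    stamped, bare = select_spool_files(os.listdir(directory), filebase)
    findings = []
    if bare is not None:
        findings.append("bare '%s' present: looks like 'nostamp' output, which barnyard2 will not read" % bare)
    if not stamped:
        findings.append("no '%s.<timestamp>' spool file found" % filebase)
        return {"newest": None, "header": None, "findings": findings}
    _, newest = stamped[-1]
    with open(os.path.join(directory, newest), "rb") as fh:
        header = classify_header(fh.read(8))
    if header["kind"] == "pcap":
        findings.append("%s is a pcap %s capture, not unified2: check for 'snort -b'" % (newest, header["version"]))
    elif header["kind"] == "empty":
        findings.append("%s is empty: snort has not logged any event yet" % newest)
    elif header["kind"] != "unified2":
        findings.append("%s does not start with a unified2 record header" % newest)
    return {"newest": newest, "header": header, "findings": findings}


def demo():
    """Constructed spool directory: first the pcap header from the strace,
    then a newer file with a constructed unified2 IDS_EVENT header."""
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "snort.log.1359117629"), "wb") as fh:
            fh.write(STRACE_HEAD)
        as_pcap = diagnose(d)
        # type 7 (IDS_EVENT) with its 52-byte body, zero-filled for the demo
        with open(os.path.join(d, "snort.log.1359117700"), "wb") as fh:
            fh.write(struct.pack(">II", 7, 52) + b"\0" * 52)
        as_unified2 = diagnose(d)
    return as_pcap, as_unified2


if __name__ == "__main__":
    for result in demo():
        print(result["newest"], result["header"], result["findings"])
```

The 33555456-byte read() that follows the 8-byte read in the strace above is the pcap version field (02 00 04 00) taken for a unified2 record length, which is consistent with binf's diagnosis that the file is a pcap, not unified2.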

d3sre commented Jan 25, 2013

Hi, thank you for your fast reply. I removed -b; -A shouldn't make a difference if I understand it right, as full is the default. Unfortunately it doesn't make a difference:

root@sensor:~# ps -ef | grep snort
snort 5278 1 0 14:55 ? 00:00:00 /usr/sbin/snort -A full -d -s -D -i eth1 -u snort -g snort -c /etc/snort/snort.conf -l /var/log/snort/eth1
snort 5288 1 0 14:55 ? 00:00:00 /usr/sbin/snort -A full -d -s -D -i eth2 -u snort -g snort -c /etc/snort/snort.conf -l /var/log/snort/eth2
root 5341 1 99 14:56 ? 00:00:12 /usr/bin/barnyard2 -D -c /etc/snort/barnyard2.conf -d /var/log/snort/eth1 -f snort.log -w /var/log/snort/eth1/barnyard2.waldo -a /var/log/snort/eth1/archive -i eth1 -v
root 5343 1 99 14:56 ? 00:00:08 /usr/bin/barnyard2 -D -c /etc/snort/barnyard2.conf -d /var/log/snort/eth2 -f snort.log -w /var/log/snort/eth2/barnyard2.waldo -a /var/log/snort/eth2/archive -i eth2 -v

root@sensor:~# strace -p 5341
Process 5341 attached - interrupt to quit
restart_syscall(<... resuming interrupted call ...>) = 0
read(8, "", 8) = 0
open("/var/log/snort/eth1", O_RDONLY|O_NONBLOCK|O_DIRECTORY|O_CLOEXEC) = 10
getdents64(10, /* 12 entries */, 32768) = 480
getdents64(10, /* 0 entries */, 32768) = 0
close(10) = 0
rt_sigprocmask(SIG_BLOCK, [CHLD], [], 8) = 0
rt_sigaction(SIGCHLD, NULL, {SIG_DFL, [], 0}, 8) = 0
rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0
nanosleep({1, 0}, {1, 0}) = 0
read(8, "", 8) = 0
open("/var/log/snort/eth1", O_RDONLY|O_NONBLOCK|O_DIRECTORY|O_CLOEXEC) = 10
getdents64(10, /* 12 entries */, 32768) = 480
getdents64(10, /* 0 entries */, 32768) = 0
close(10) = 0
rt_sigprocmask(SIG_BLOCK, [CHLD], [], 8) = 0
rt_sigaction(SIGCHLD, NULL, {SIG_DFL, [], 0}, 8) = 0
rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0
nanosleep({1, 0}, {1, 0}) = 0
read(8, "", 8) = 0
open("/var/log/snort/eth1", O_RDONLY|O_NONBLOCK|O_DIRECTORY|O_CLOEXEC) = 10
getdents64(10, /* 12 entries */, 32768) = 480
getdents64(10, /* 0 entries */, 32768) = 0
close(10) = 0
rt_sigprocmask(SIG_BLOCK, [CHLD], [], 8) = 0
rt_sigaction(SIGCHLD, NULL, {SIG_DFL, [], 0}, 8) = 0
rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0
nanosleep({1, 0}, {1, 0}) = 0
read(8, "", 8) = 0
open("/var/log/snort/eth1", O_RDONLY|O_NONBLOCK|O_DIRECTORY|O_CLOEXEC) = 10
getdents64(10, /* 12 entries */, 32768) = 480
getdents64(10, /* 0 entries */, 32768) = 0
close(10) = 0
rt_sigprocmask(SIG_BLOCK, [CHLD], [], 8) = 0
rt_sigaction(SIGCHLD, NULL, {SIG_DFL, [], 0}, 8) = 0
rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0
nanosleep({1, 0}, {1, 0}) = 0
read(8, "", 8) = 0
open("/var/log/snort/eth1", O_RDONLY|O_NONBLOCK|O_DIRECTORY|O_CLOEXEC) = 10
getdents64(10, /* 12 entries */, 32768) = 480
getdents64(10, /* 0 entries */, 32768) = 0
close(10) = 0
rt_sigprocmask(SIG_BLOCK, [CHLD], [], 8) = 0
rt_sigaction(SIGCHLD, NULL, {SIG_DFL, [], 0}, 8) = 0
rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0
nanosleep({1, 0}, {1, 0}) = 0
read(8, "", 8) = 0
open("/var/log/snort/eth1", O_RDONLY|O_NONBLOCK|O_DIRECTORY|O_CLOEXEC) = 10
getdents64(10, /* 12 entries */, 32768) = 480
getdents64(10, /* 0 entries */, 32768) = 0
close(10) = 0
rt_sigprocmask(SIG_BLOCK, [CHLD], [], 8) = 0
rt_sigaction(SIGCHLD, NULL, {SIG_DFL, [], 0}, 8) = 0
rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0
nanosleep({1, 0}, {1, 0}) = 0
read(8, "", 8) = 0
open("/var/log/snort/eth1", O_RDONLY|O_NONBLOCK|O_DIRECTORY|O_CLOEXEC) = 10
getdents64(10, /* 12 entries */, 32768) = 480
getdents64(10, /* 0 entries */, 32768) = 0
close(10) = 0
rt_sigprocmask(SIG_BLOCK, [CHLD], [], 8) = 0
rt_sigaction(SIGCHLD, NULL, {SIG_DFL, [], 0}, 8) = 0
rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0
nanosleep({1, 0}, {1, 0}) = 0
read(8, "\324\303\262\241\2\0\4\0", 8) = 8
mmap(NULL, 33558528, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f0c0f38e000
read(8, "\0\0\0\0\0\0\0\0\352\5\0\0\1\0\0\0Q\217\2Q\262\272\3\0J\0\0\0J\0\0\0"..., 33555456) = 106
open("/var/log/snort/eth1", O_RDONLY|O_NONBLOCK|O_DIRECTORY|O_CLOEXEC) = 10
getdents64(10, /* 12 entries */, 32768) = 480
getdents64(10, /* 0 entries */, 32768) = 0
close(10) = 0
rt_sigprocmask(SIG_BLOCK, [CHLD], [], 8) = 0
rt_sigaction(SIGCHLD, NULL, {SIG_DFL, [], 0}, 8) = 0
rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0
nanosleep({1, 0}, {1, 0}) = 0
read(8, "R\217\2Q\252\254\3\0J\0\0\0J\0\0\0\0\34\304V\247\24\0\0031{\24\0\10\0E\0"..., 33555350) = 90
open("/var/log/snort/eth1", O_RDONLY|O_NONBLOCK|O_DIRECTORY|O_CLOEXEC) = 10
getdents64(10, /* 12 entries */, 32768) = 480
getdents64(10, /* 0 entries */, 32768) = 0
close(10) = 0
rt_sigprocmask(SIG_BLOCK, [CHLD], [], 8) = 0
rt_sigaction(SIGCHLD, NULL, {SIG_DFL, [], 0}, 8) = 0
rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0
nanosleep({1, 0}, {1, 0}) = 0
read(8, "S\217\2Q0\245\3\0J\0\0\0J\0\0\0\0\34\304V\247\24\0\0031{\24\0\10\0E\0"..., 33555260) = 90
open("/var/log/snort/eth1", O_RDONLY|O_NONBLOCK|O_DIRECTORY|O_CLOEXEC) = 10
getdents64(10, /* 12 entries */, 32768) = 480
getdents64(10, /* 0 entries */, 32768) = 0
close(10) = 0
rt_sigprocmask(SIG_BLOCK, [CHLD], [], 8) = 0
rt_sigaction(SIGCHLD, NULL, {SIG_DFL, [], 0}, 8) = 0
rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0
nanosleep({1, 0}, {1, 0}) = 0
read(8, "T\217\2Q>\240\3\0J\0\0\0J\0\0\0\0\34\304V\247\24\0\0031{\24\0\10\0E\0"..., 33555170) = 90
open("/var/log/snort/eth1", O_RDONLY|O_NONBLOCK|O_DIRECTORY|O_CLOEXEC) = 10
getdents64(10, /* 12 entries */, 32768) = 480
getdents64(10, /* 0 entries */, 32768) = 0
close(10) = 0
rt_sigprocmask(SIG_BLOCK, [CHLD], [], 8) = 0
rt_sigaction(SIGCHLD, NULL, {SIG_DFL, [], 0}, 8) = 0
rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0
nanosleep({1, 0}, {1, 0}) = 0
read(8, "", 33555080) = 0
open("/var/log/snort/eth1", O_RDONLY|O_NONBLOCK|O_DIRECTORY|O_CLOEXEC) = 10
getdents64(10, /* 12 entries */, 32768) = 480
getdents64(10, /* 0 entries */, 32768) = 0
close(10) = 0
rt_sigprocmask(SIG_BLOCK, [CHLD], [], 8) = 0
rt_sigaction(SIGCHLD, NULL, {SIG_DFL, [], 0}, 8) = 0
rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0
nanosleep({1, 0}, {1, 0}) = 0
read(8, "", 33555080) = 0
open("/var/log/snort/eth1", O_RDONLY|O_NONBLOCK|O_DIRECTORY|O_CLOEXEC) = 10
getdents64(10, /* 12 entries */, 32768) = 480
getdents64(10, /* 0 entries */, 32768) = 0
close(10) = 0
rt_sigprocmask(SIG_BLOCK, [CHLD], [], 8) = 0
rt_sigaction(SIGCHLD, NULL, {SIG_DFL, [], 0}, 8) = 0
rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0
nanosleep({1, 0}, {1, 0}) = 0
read(8, "", 33555080) = 0
open("/var/log/snort/eth1", O_RDONLY|O_NONBLOCK|O_DIRECTORY|O_CLOEXEC) = 10
getdents64(10, /* 12 entries */, 32768) = 480
getdents64(10, /* 0 entries */, 32768) = 0
close(10) = 0
rt_sigprocmask(SIG_BLOCK, [CHLD], [], 8) = 0
rt_sigaction(SIGCHLD, NULL, {SIG_DFL, [], 0}, 8) = 0
rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0
nanosleep({1, 0}, {1, 0}) = 0
read(8, "", 33555080) = 0
open("/var/log/snort/eth1", O_RDONLY|O_NONBLOCK|O_DIRECTORY|O_CLOEXEC) = 10
getdents64(10, /* 12 entries */, 32768) = 480
getdents64(10, /* 0 entries */, 32768) = 0
close(10) = 0
rt_sigprocmask(SIG_BLOCK, [CHLD], [], 8) = 0
rt_sigaction(SIGCHLD, NULL, {SIG_DFL, [], 0}, 8) = 0
rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0
nanosleep({1, 0}, {1, 0}) = 0
read(8, "", 33555080) = 0
open("/var/log/snort/eth1", O_RDONLY|O_NONBLOCK|O_DIRECTORY|O_CLOEXEC) = 10
getdents64(10, /* 12 entries */, 32768) = 480
getdents64(10, /* 0 entries */, 32768) = 0
close(10) = 0
rt_sigprocmask(SIG_BLOCK, [CHLD], [], 8) = 0
rt_sigaction(SIGCHLD, NULL, {SIG_DFL, [], 0}, 8) = 0
rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0
nanosleep({1, 0}, ^C <unfinished ...>
Process 5341 detached


Jan 25 14:55:53 sensor barnyard2[25250]: Failed to archive file "/var/log/snort/eth2/snort.log.1359117630" to "/var/log/snort/eth2/archive/snort.log.1359117630": No such file or directory
Jan 25 14:55:53 sensor barnyard2[25250]: Closing spool file '/var/log/snort/eth2/snort.log.1359117630'. Read 0 records
Jan 25 14:55:53 sensor barnyard2[25250]: Opened spool file '/var/log/snort/eth2/snort.log.1359122152'
Jan 25 14:55:53 sensor barnyard2[25250]: Waiting for new data
Jan 25 14:56:33 sensor barnyard2[5340]: Running in Continuous mode
Jan 25 14:56:33 sensor barnyard2[5340]:
Jan 25 14:56:33 sensor barnyard2[5340]: --== Initializing Barnyard2 ==--
Jan 25 14:56:33 sensor barnyard2[5340]: Initializing Input Plugins!
Jan 25 14:56:33 sensor barnyard2[5340]: Initializing Output Plugins!
Jan 25 14:56:33 sensor barnyard2[5340]: Parsing config file "/etc/snort/barnyard2.conf"
Jan 25 14:56:36 sensor barnyard2[25250]: ERROR database: [UpdateLastCid()]: Error commiting transaction
Jan 25 14:56:36 sensor barnyard2[25248]: ERROR database: [UpdateLastCid()]: Error commiting transaction
Jan 25 14:56:36 sensor barnyard2[25250]: database: Closing connection to database "snorby"
Jan 25 14:56:36 sensor barnyard2[25248]: database: Closing connection to database "snorby"
Jan 25 14:56:36 sensor barnyard2[25250]: ===============================================================================
Jan 25 14:56:36 sensor barnyard2[25250]: Record Totals:
Jan 25 14:56:36 sensor barnyard2[25250]: Records: 0
Jan 25 14:56:36 sensor barnyard2[25248]: ===============================================================================
Jan 25 14:56:36 sensor barnyard2[25248]: Record Totals:
Jan 25 14:56:36 sensor barnyard2[25250]: Events: 0 (0.000%)
Jan 25 14:56:36 sensor barnyard2[25248]: Records: 0
Jan 25 14:56:36 sensor barnyard2[25250]: Packets: 0 (0.000%)
Jan 25 14:56:36 sensor barnyard2[25250]: Unknown: 0 (0.000%)
Jan 25 14:56:36 sensor barnyard2[25250]: ===============================================================================
Jan 25 14:56:36 sensor barnyard2[25250]: Packet breakdown by protocol (includes rebuilt packets):
Jan 25 14:56:36 sensor barnyard2[25248]: Events: 0 (0.000%)
Jan 25 14:56:36 sensor barnyard2[25248]: Packets: 0 (0.000%)
Jan 25 14:56:36 sensor barnyard2[25248]: Unknown: 0 (0.000%)
Jan 25 14:56:36 sensor barnyard2[25248]: ===============================================================================
Jan 25 14:56:36 sensor barnyard2[25248]: Packet breakdown by protocol (includes rebuilt packets):
Jan 25 14:56:36 sensor barnyard2[25248]: ETH: 0 (0.000%)
Jan 25 14:56:36 sensor barnyard2[25248]: ETHdisc: 0 (0.000%)
Jan 25 14:56:36 sensor barnyard2[25248]: VLAN: 0 (0.000%)
Jan 25 14:56:36 sensor barnyard2[25248]: IPV6: 0 (0.000%)
Jan 25 14:56:36 sensor barnyard2[25250]: ETH: 0 (0.000%)
Jan 25 14:56:36 sensor barnyard2[25250]: ETHdisc: 0 (0.000%)
Jan 25 14:56:36 sensor barnyard2[25250]: VLAN: 0 (0.000%)
Jan 25 14:56:36 sensor barnyard2[25250]: IPV6: 0 (0.000%)
Jan 25 14:56:36 sensor barnyard2[25250]: IP6 EXT: 0 (0.000%)
Jan 25 14:56:36 sensor barnyard2[25250]: IP6opts: 0 (0.000%)
Jan 25 14:56:36 sensor barnyard2[25250]: IP6disc: 0 (0.000%)
Jan 25 14:56:36 sensor barnyard2[25250]: IP4: 0 (0.000%)
Jan 25 14:56:36 sensor barnyard2[25250]: IP4disc: 0 (0.000%)
Jan 25 14:56:36 sensor barnyard2[25250]: TCP 6: 0 (0.000%)
Jan 25 14:56:36 sensor barnyard2[25250]: UDP 6: 0 (0.000%)
Jan 25 14:56:36 sensor barnyard2[25250]: ICMP6: 0 (0.000%)
Jan 25 14:56:36 sensor barnyard2[25250]: ICMP-IP: 0 (0.000%)
Jan 25 14:56:36 sensor barnyard2[25250]: TCP: 0 (0.000%)
Jan 25 14:56:36 sensor barnyard2[25250]: UDP: 0 (0.000%)
Jan 25 14:56:36 sensor barnyard2[25250]: ICMP: 0 (0.000%)
Jan 25 14:56:36 sensor barnyard2[25250]: TCPdisc: 0 (0.000%)
Jan 25 14:56:36 sensor barnyard2[25250]: UDPdisc: 0 (0.000%)
Jan 25 14:56:36 sensor barnyard2[25250]: ICMPdis: 0 (0.000%)
Jan 25 14:56:36 sensor barnyard2[25250]: FRAG: 0 (0.000%)
Jan 25 14:56:36 sensor barnyard2[25250]: FRAG 6: 0 (0.000%)
Jan 25 14:56:36 sensor barnyard2[25250]: ARP: 0 (0.000%)
Jan 25 14:56:36 sensor barnyard2[25250]: EAPOL: 0 (0.000%)
Jan 25 14:56:36 sensor barnyard2[25250]: ETHLOOP: 0 (0.000%)
Jan 25 14:56:36 sensor barnyard2[25250]: IPX: 0 (0.000%)
Jan 25 14:56:36 sensor barnyard2[25250]: OTHER: 0 (0.000%)
Jan 25 14:56:36 sensor barnyard2[25250]: DISCARD: 0 (0.000%)
Jan 25 14:56:36 sensor barnyard2[25250]: InvChkSum: 0 (0.000%)
Jan 25 14:56:36 sensor barnyard2[25250]: S5 G 1: 0 (0.000%)
Jan 25 14:56:36 sensor barnyard2[25250]: S5 G 2: 0 (0.000%)
Jan 25 14:56:36 sensor barnyard2[25250]: Total: 0
Jan 25 14:56:36 sensor barnyard2[25250]: ===============================================================================
Jan 25 14:56:36 sensor barnyard2[25248]: IP6 EXT: 0 (0.000%)
Jan 25 14:56:36 sensor barnyard2[25248]: IP6opts: 0 (0.000%)
Jan 25 14:56:36 sensor barnyard2[25248]: IP6disc: 0 (0.000%)
Jan 25 14:56:36 sensor barnyard2[25248]: IP4: 0 (0.000%)
Jan 25 14:56:36 sensor barnyard2[25248]: IP4disc: 0 (0.000%)
Jan 25 14:56:36 sensor barnyard2[25248]: TCP 6: 0 (0.000%)
Jan 25 14:56:36 sensor barnyard2[25248]: UDP 6: 0 (0.000%)
Jan 25 14:56:36 sensor barnyard2[25248]: ICMP6: 0 (0.000%)
Jan 25 14:56:36 sensor barnyard2[25248]: ICMP-IP: 0 (0.000%)
Jan 25 14:56:36 sensor barnyard2[25248]: TCP: 0 (0.000%)
Jan 25 14:56:36 sensor barnyard2[25248]: UDP: 0 (0.000%)
Jan 25 14:56:36 sensor barnyard2[25248]: ICMP: 0 (0.000%)
Jan 25 14:56:36 sensor barnyard2[25248]: TCPdisc: 0 (0.000%)
Jan 25 14:56:36 sensor barnyard2[25248]: UDPdisc: 0 (0.000%)
Jan 25 14:56:36 sensor barnyard2[25248]: ICMPdis: 0 (0.000%)
Jan 25 14:56:36 sensor barnyard2[25248]: FRAG: 0 (0.000%)
Jan 25 14:56:36 sensor barnyard2[25248]: FRAG 6: 0 (0.000%)
Jan 25 14:56:36 sensor barnyard2[25248]: ARP: 0 (0.000%)
Jan 25 14:56:36 sensor barnyard2[25248]: EAPOL: 0 (0.000%)
Jan 25 14:56:36 sensor barnyard2[25248]: ETHLOOP: 0 (0.000%)
Jan 25 14:56:36 sensor barnyard2[25248]: IPX: 0 (0.000%)
Jan 25 14:56:36 sensor barnyard2[25248]: OTHER: 0 (0.000%)
Jan 25 14:56:36 sensor barnyard2[25248]: DISCARD: 0 (0.000%)
Jan 25 14:56:36 sensor barnyard2[25248]: InvChkSum: 0 (0.000%)
Jan 25 14:56:36 sensor barnyard2[25248]: S5 G 1: 0 (0.000%)
Jan 25 14:56:36 sensor barnyard2[25248]: S5 G 2: 0 (0.000%)
Jan 25 14:56:36 sensor barnyard2[25248]: Total: 0
Jan 25 14:56:36 sensor barnyard2[25248]: ===============================================================================
Jan 25 14:56:38 sensor barnyard2[5340]: Log directory = /var/log/barnyard2
Jan 25 14:56:38 sensor barnyard2[5340]: WARNING database: Defaulting Reconnect/Transaction Error limit to 10
Jan 25 14:56:38 sensor barnyard2[5340]: WARNING database: Defaulting Reconnect sleep time to 5 second
Jan 25 14:56:38 sensor barnyard2[5340]: Initializing daemon mode
Jan 25 14:56:38 sensor barnyard2[5340]: Daemon parent exiting
Jan 25 14:56:38 sensor barnyard2[5341]: Daemon initialized, signaled parent pid: 5340
Jan 25 14:56:38 sensor barnyard2[5341]: PID path stat checked out ok, PID path set to /var/run/
Jan 25 14:56:38 sensor barnyard2[5341]: Writing PID "5341" to file "/var/run//barnyard2_eth1.pid"
Jan 25 14:56:38 sensor barnyard2[5342]: Running in Continuous mode
Jan 25 14:56:38 sensor barnyard2[5342]:
Jan 25 14:56:38 sensor barnyard2[5342]: --== Initializing Barnyard2 ==--
Jan 25 14:56:38 sensor barnyard2[5342]: Initializing Input Plugins!
Jan 25 14:56:38 sensor barnyard2[5342]: Initializing Output Plugins!
Jan 25 14:56:38 sensor barnyard2[5342]: Parsing config file "/etc/snort/barnyard2.conf"
Jan 25 14:56:42 sensor barnyard2[5342]: Log directory = /var/log/barnyard2
Jan 25 14:56:42 sensor barnyard2[5342]: WARNING database: Defaulting Reconnect/Transaction Error limit to 10
Jan 25 14:56:42 sensor barnyard2[5342]: WARNING database: Defaulting Reconnect sleep time to 5 second
Jan 25 14:56:42 sensor barnyard2[5342]: Initializing daemon mode
Jan 25 14:56:42 sensor barnyard2[5342]: Daemon parent exiting
Jan 25 14:56:42 sensor barnyard2[5343]: Daemon initialized, signaled parent pid: 5342
Jan 25 14:56:42 sensor barnyard2[5343]: PID path stat checked out ok, PID path set to /var/run/
Jan 25 14:56:42 sensor barnyard2[5343]: Writing PID "5343" to file "/var/run//barnyard2_eth2.pid"
Jan 25 14:56:55 sensor barnyard2[5341]: Node unique name is: sensor:eth1
Jan 25 14:56:55 sensor barnyard2[5341]: database: [SynchronizeEventId()]: Problems executing [SELECT MAX(cid) FROM data WHERE sid='1';]
Jan 25 14:56:55 sensor barnyard2[5341]: database: [SynchronizeEventId()]: Problems executing [SELECT MAX(cid) FROM event WHERE sid='1';]
Jan 25 14:56:55 sensor barnyard2[5341]: database: [SynchronizeEventId()]: Problems executing [SELECT MAX(cid) FROM icmphdr WHERE sid='1';]
Jan 25 14:56:55 sensor barnyard2[5341]: database: [SynchronizeEventId()]: Problems executing [SELECT MAX(cid) FROM iphdr WHERE sid='1';]
Jan 25 14:56:55 sensor barnyard2[5341]: database: [SynchronizeEventId()]: Problems executing [SELECT MAX(cid) FROM opt WHERE sid='1';]
Jan 25 14:56:55 sensor barnyard2[5341]: database: [SynchronizeEventId()]: Problems executing [SELECT MAX(cid) FROM tcphdr WHERE sid='1';]
Jan 25 14:56:55 sensor barnyard2[5341]: database: [SynchronizeEventId()]: Problems executing [SELECT MAX(cid) FROM udphdr WHERE sid='1';]
Jan 25 14:56:57 sensor barnyard2[5341]: [SignatureReferencePullDataStore()]: No Reference found in database ...
Jan 25 14:56:57 sensor barnyard2[5341]: database: compiled support for (mysql)
Jan 25 14:56:57 sensor barnyard2[5341]: database: configured to use mysql
Jan 25 14:56:57 sensor barnyard2[5341]: database: schema version = 107
Jan 25 14:56:57 sensor barnyard2[5341]: database: host = mastersensor
Jan 25 14:56:57 sensor barnyard2[5341]: database: user = snorbyinstall
Jan 25 14:56:57 sensor barnyard2[5341]: database: database name = snorby
Jan 25 14:56:57 sensor barnyard2[5341]: database: sensor name = sensor:eth1
Jan 25 14:56:57 sensor barnyard2[5341]: database: sensor id = 1
Jan 25 14:56:57 sensor barnyard2[5341]: database: sensor cid = 4
Jan 25 14:56:57 sensor barnyard2[5341]: database: data encoding = hex
Jan 25 14:56:57 sensor barnyard2[5341]: database: detail level = full
Jan 25 14:56:57 sensor barnyard2[5341]: database: ignore_bpf = no
Jan 25 14:56:57 sensor barnyard2[5341]: database: using the "log" facility
Jan 25 14:56:57 sensor barnyard2[5341]:
Jan 25 14:56:57 sensor barnyard2[5341]: --== Initialization Complete ==--
Jan 25 14:56:57 sensor barnyard2[5341]: Barnyard2 initialization completed successfully (pid=5341)
Jan 25 14:56:57 sensor barnyard2[5341]: Using waldo file '/var/log/snort/eth1/barnyard2.waldo': spool directory = /var/log/snort/eth1 spool filebase = snort.log time_stamp = 1359122150 record_idx = 0
Jan 25 14:56:57 sensor barnyard2[5341]: Opened spool file '/var/log/snort/eth1/snort.log.1359122150'
Jan 25 14:56:57 sensor barnyard2[5341]: Waiting for new data
Jan 25 14:56:59 sensor barnyard2[5343]: Node unique name is: sensor:eth2
Jan 25 14:56:59 sensor barnyard2[5343]: database: [SynchronizeEventId()]: Problems executing [SELECT MAX(cid) FROM data WHERE sid='3';]
Jan 25 14:56:59 sensor barnyard2[5343]: database: [SynchronizeEventId()]: Problems executing [SELECT MAX(cid) FROM event WHERE sid='3';]
Jan 25 14:56:59 sensor barnyard2[5343]: database: [SynchronizeEventId()]: Problems executing [SELECT MAX(cid) FROM icmphdr WHERE sid='3';]
Jan 25 14:56:59 sensor barnyard2[5343]: database: [SynchronizeEventId()]: Problems executing [SELECT MAX(cid) FROM iphdr WHERE sid='3';]
Jan 25 14:56:59 sensor barnyard2[5343]: database: [SynchronizeEventId()]: Problems executing [SELECT MAX(cid) FROM opt WHERE sid='3';]
Jan 25 14:56:59 sensor barnyard2[5343]: database: [SynchronizeEventId()]: Problems executing [SELECT MAX(cid) FROM tcphdr WHERE sid='3';]
Jan 25 14:56:59 sensor barnyard2[5343]: database: [SynchronizeEventId()]: Problems executing [SELECT MAX(cid) FROM udphdr WHERE sid='3';]
Jan 25 14:57:01 sensor barnyard2[5343]: [SignatureReferencePullDataStore()]: No Reference found in database ...
Jan 25 14:57:01 sensor barnyard2[5343]: database: compiled support for (mysql)
Jan 25 14:57:01 sensor barnyard2[5343]: database: configured to use mysql
Jan 25 14:57:01 sensor barnyard2[5343]: database: schema version = 107
Jan 25 14:57:01 sensor barnyard2[5343]: database: host = mastersensor
Jan 25 14:57:01 sensor barnyard2[5343]: database: user = snorbyinstall
Jan 25 14:57:01 sensor barnyard2[5343]: database: database name = snorby
Jan 25 14:57:01 sensor barnyard2[5343]: database: sensor name = sensor:eth2
Jan 25 14:57:01 sensor barnyard2[5343]: database: sensor id = 3
Jan 25 14:57:01 sensor barnyard2[5343]: database: sensor cid = 4
Jan 25 14:57:01 sensor barnyard2[5343]: database: data encoding = hex
Jan 25 14:57:01 sensor barnyard2[5343]: database: detail level = full
Jan 25 14:57:01 sensor barnyard2[5343]: database: ignore_bpf = no
Jan 25 14:57:01 sensor barnyard2[5343]: database: using the "log" facility
Jan 25 14:57:01 sensor barnyard2[5343]:
Jan 25 14:57:01 sensor barnyard2[5343]: --== Initialization Complete ==--
Jan 25 14:57:01 sensor barnyard2[5343]: Barnyard2 initialization completed successfully (pid=5343)
Jan 25 14:57:01 sensor barnyard2[5343]: Using waldo file '/var/log/snort/eth2/barnyard2.waldo': spool directory = /var/log/snort/eth2 spool filebase = snort.log time_stamp = 1359122152 record_idx = 0
Jan 25 14:57:01 sensor barnyard2[5343]: Opened spool file '/var/log/snort/eth2/snort.log.1359122152'
Jan 25 14:57:01 sensor barnyard2[5343]: Waiting for new data
Jan 25 14:57:37 sensor snort[5278]: [1:477:0] Global ICMP Test Packet {ICMP} 1.1.1.1 -> 2.2.2.2
Jan 25 14:57:38 sensor snort[5278]: [1:477:0] Global ICMP Test Packet {ICMP} 1.1.1.1 -> 2.2.2.2
Jan 25 14:57:39 sensor snort[5278]: [1:477:0] Global ICMP Test Packet {ICMP} 1.1.1.1 -> 2.2.2.2
Jan 25 14:57:40 sensor snort[5278]: [1:477:0] Global ICMP Test Packet {ICMP} 1.1.1.1 -> 2.2.2.2

The version used is 2-1.11. And reading the tcpdump file wasn't the problem; the problem is the output to the DB. The tcpdump was more for testing whether it works at all.

@binf
Collaborator

binf commented Jan 25, 2013

You need to delete your old unified2 files, which were actually pcap files and not unified2 files.

Once you have deleted them it will work; if you do not delete them and reprocess the old files you won't see a difference.

Also note the by2 error message.

Jan 25 14:56:36 sensor barnyard2[25250]: ERROR database: [UpdateLastCid()]: Error commiting transaction
Jan 25 14:56:36 sensor barnyard2[25248]: ERROR database: [UpdateLastCid()]: Error commiting transaction

And since you're using MySQL you need to have InnoDB storage and not MyISAM.

@d3sre

d3sre commented Jan 25, 2013

Thank you, I deleted the old files and it created a new one after my current test.

I'm currently adjusting the DB format and will then try again.
Thank you!

@rush01
Author

rush01 commented Jan 25, 2013

Well I finally got it to work, following this doc: "Snort 2.9.3 and Snort Report 1.3.3 on Ubuntu 12.04 LTS Installation Guide by David Gullett"; with some modifications, mainly some needed packages that weren't listed.
Close the case if you want.


From: Eric Lauzon [mailto:notifications@github.com]
Sent: Thu 1/24/2013 10:12 AM
To: firnsy/barnyard2
Cc: Russ A. Haring
Subject: Re: [barnyard2] unable to write to mysql database (#62)

Ok, well if you have events written to a unified2 file it should be fairly straight forward.

One thing you have to make sure is that when you configure snort that you use the following line

output unified2: filename merged.log, limit 128

and not

output unified2: filename snort.log, limit 128, nostamp

(the filename prefix and filesize rotation limit could change to suit your needs) but if you have the nostamp option
snort will only generate a file named snort.log and barnyard2 will not read this file; also, each time snort restarts or when the file reaches the limit, the previous file would be overwritten.

So that would be the first step. Then when this is set up you have to check for the file to grow and have events in it.

Once you have this set up and the file grows, it should be processed by barnyard2 without a problem.


@binf
Collaborator

binf commented Jan 25, 2013

Well, package dependencies were probably not related to by2, but I am happy that you got it up and running.


@d3sre

d3sre commented Jan 28, 2013

So, apparently the DB is in InnoDB format (sorry, different people are responsible for that), but I'm wondering about that error message, because the only thing I find is this one:

WARNING database: Defaulting Reconnect/Transaction Error limit to 10
WARNING database: Defaulting Reconnect sleep time to 5 second

Still googling what that is supposed to mean and whether it requires me to make any changes.

I also removed the -A full flag, just in case, as well as all the old snort.log.* files, including the ones in the archive. I'm right now waiting for another engineer (again, different responsibilities) to package u2spewfoo to verify that the output is in the right format.

Is there anything else I can look for in the meantime?

@d3sre

d3sre commented Jan 31, 2013

OK, I'm back, sorry for still bothering you.
The snort output wasn't written in unified2; that's now working and verified.

I unfortunately need your help again:
I now write snort.u2 files as planned, but barnyard2 isn't reading them (it seems to still be looking for the snort.log file, because when the old snort configuration was accidentally activated again, it started reading that file),
although the barnyard2 parameters suggest that it's supposed to look for the right file:

root@sensor:/home/me# ps -ef | grep snort
snort 25086 1 0 09:25 ? 00:00:00 /usr/sbin/snort -D -i eth1 -u snort -g snort -c /etc/snort/snort.conf -l /var/log/snort/eth1
snort 25096 1 0 09:25 ? 00:00:00 /usr/sbin/snort -D -i eth2 -u snort -g snort -c /etc/snort/snort.conf -l /var/log/snort/eth2
root 25113 1 52 09:25 ? 00:00:19 /usr/bin/barnyard2 -D -c /etc/snort/barnyard2.conf -d /var/log/snort/eth1 -f snort.u2 -w /var/log/snort/eth1/barnyard2.waldo -a /var/log/snort/eth1/archive -i eth1 -v
root 25115 1 60 09:25 ? 00:00:19 /usr/bin/barnyard2 -D -c /etc/snort/barnyard2.conf -d /var/log/snort/eth2 -f snort.u2 -w /var/log/snort/eth2/barnyard2.waldo -a /var/log/snort/eth2/archive -i eth2 -v
root 25134 24132 0 09:25 pts/1 00:00:00 grep snort

root@sensor:/home/me# lsof | grep 25113
barnyard2 25113 root cwd DIR 253,7 4096 8193 /home/me
barnyard2 25113 root rtd DIR 253,1 4096 2 /
barnyard2 25113 root txt REG 253,1 1110846 988077 /usr/bin/barnyard2.nodebug-2.1.10
barnyard2 25113 root mem REG 253,1 61622 1130521 /lib64/libnss_files-2.11.3.so
barnyard2 25113 root mem REG 253,1 19149 1130510 /lib64/libdl-2.11.3.so
barnyard2 25113 root mem REG 253,1 1685176 986572 /usr/lib64/libcrypto.so.0.9.8
barnyard2 25113 root mem REG 253,1 343040 987709 /usr/lib64/libssl.so.0.9.8
barnyard2 25113 root mem REG 253,1 57699 1130508 /lib64/libcrypt-2.11.3.so
barnyard2 25113 root mem REG 253,1 1754140 1130504 /lib64/libc-2.11.3.so
barnyard2 25113 root mem REG 253,1 541882 1130512 /lib64/libm-2.11.3.so
barnyard2 25113 root mem REG 253,1 108248 1130515 /lib64/libnsl-2.11.3.so
barnyard2 25113 root mem REG 253,1 217216 985943 /usr/lib64/libpcap.so.0.9.8
barnyard2 25113 root mem REG 253,1 88704 1130542 /lib64/libz.so.1.2.3
barnyard2 25113 root mem REG 253,1 1424512 988058 /usr/lib64/libmysqlclient.so.15.0.0
barnyard2 25113 root mem REG 253,1 151051 1131509 /lib64/ld-2.11.3.so
barnyard2 25113 root DEL REG 253,1 1123107 /var/run/nscd/dbRTo0Wv
barnyard2 25113 root mem REG 253,1 217016 1123098 /var/run/nscd/services
barnyard2 25113 root 0r REG 253,1 2056 1138746 /var/log/snort/eth1/barnyard2.waldo
barnyard2 25113 root 1u CHR 1,3 0t0 8283 /dev/null
barnyard2 25113 root 2u CHR 1,3 0t0 8283 /dev/null
barnyard2 25113 root 3u unix 0xffff88022effe3c0 0t0 72740378 socket
barnyard2 25113 root 4wW REG 253,1 0 1123102 /var/run/barnyard2_eth1.pid.lck
barnyard2 25113 root 5w REG 253,1 6 1123103 /var/run/barnyard2_eth1.pid
barnyard2 25113 root 6u IPv4 72761452 0t0 TCP sensor:47882->masterserver:mysql (ESTABLISHED)

root@sensor:/home/me# u2spewfoo /var/log/snort/eth1/snort.u2.1359620700

(Event)
sensor id: 0 event id: 1 event second: 1359621379 event microsecond: 13073
sig id: 477 gen id: 1 revision: 0 classification: 0
priority: 0 ip source: 1.1.1.1 ip destination: 2.2.2.2
src port: 8 dest port: 0 protocol: 1 impact_flag: 0 blocked: 0

Packet
sensor id: 0 event id: 1 event second: 1359621379
packet second: 1359621379 packet microsecond: 13073
linktype: 1 packet_length: 74
[ 0] 00 1C C4 56 A7 14 00 03 31 7B 14 00 08 00 45 00 ...V....1{....E.
[ 16] 00 3C 77 3B 00 00 76 01 F1 39 0A 2B 83 27 0A F0 .<w;..v..9.+.'..
[ 32] 44 0A 08 00 4D 26 00 01 00 35 61 62 63 64 65 66 D...M&...5abcdef
[ 48] 67 68 69 6A 6B 6C 6D 6E 6F 70 71 72 73 74 75 76 ghijklmnopqrstuv
[ 64] 77 61 62 63 64 65 66 67 68 69 wabcdefghi

(Event)
sensor id: 0 event id: 2 event second: 1359621380 event microsecond: 8649
sig id: 477 gen id: 1 revision: 0 classification: 0
priority: 0 ip source: 1.1.1.1 ip destination: 2.2.2.2
src port: 8 dest port: 0 protocol: 1 impact_flag: 0 blocked: 0

Packet
sensor id: 0 event id: 2 event second: 1359621380
packet second: 1359621380 packet microsecond: 8649
linktype: 1 packet_length: 74
[ 0] 00 1C C4 56 A7 14 00 03 31 7B 14 00 08 00 45 00 ...V....1{....E.
[ 16] 00 3C 77 3C 00 00 76 01 F1 38 0A 2B 83 27 0A F0 .<w<..v..8.+.'..
[ 32] 44 0A 08 00 4D 25 00 01 00 36 61 62 63 64 65 66 D...M%...6abcdef
[ 48] 67 68 69 6A 6B 6C 6D 6E 6F 70 71 72 73 74 75 76 ghijklmnopqrstuv
[ 64] 77 61 62 63 64 65 66 67 68 69 wabcdefghi

(Event)
sensor id: 0 event id: 3 event second: 1359621381 event microsecond: 9181
sig id: 477 gen id: 1 revision: 0 classification: 0
priority: 0 ip source: 1.1.1.1 ip destination: 2.2.2.2
src port: 8 dest port: 0 protocol: 1 impact_flag: 0 blocked: 0

Packet
sensor id: 0 event id: 3 event second: 1359621381
packet second: 1359621381 packet microsecond: 9181
linktype: 1 packet_length: 74
[ 0] 00 1C C4 56 A7 14 00 03 31 7B 14 00 08 00 45 00 ...V....1{....E.
[ 16] 00 3C 77 3D 00 00 76 01 F1 37 0A 2B 83 27 0A F0 .<w=..v..7.+.'..
[ 32] 44 0A 08 00 4D 24 00 01 00 37 61 62 63 64 65 66 D...M$...7abcdef
[ 48] 67 68 69 6A 6B 6C 6D 6E 6F 70 71 72 73 74 75 76 ghijklmnopqrstuv
[ 64] 77 61 62 63 64 65 66 67 68 69 wabcdefghi

(Event)
sensor id: 0 event id: 4 event second: 1359621382 event microsecond: 8485
sig id: 477 gen id: 1 revision: 0 classification: 0
priority: 0 ip source: 1.1.1.1 ip destination: 2.2.2.2
src port: 8 dest port: 0 protocol: 1 impact_flag: 0 blocked: 0

Packet
sensor id: 0 event id: 4 event second: 1359621382
packet second: 1359621382 packet microsecond: 8485
linktype: 1 packet_length: 74
[ 0] 00 1C C4 56 A7 14 00 03 31 7B 14 00 08 00 45 00 ...V....1{....E.
[ 16] 00 3C 77 3E 00 00 76 01 F1 36 0A 2B 83 27 0A F0 .<w>..v..6.+.'..
[ 32] 44 0A 08 00 4D 23 00 01 00 38 61 62 63 64 65 66 D...M#...8abcdef
[ 48] 67 68 69 6A 6B 6C 6D 6E 6F 70 71 72 73 74 75 76 ghijklmnopqrstuv
[ 64] 77 61 62 63 64 65 66 67 68 69 wabcdefghi

Is there any other location where barnyard2 caches the old information?
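Added example (not Snort's or barnyard2's own code) that does in Python what binf's "file" check earlier in the thread and the u2spewfoo output above do by hand: it lists the files a given -d directory and -f prefix would select, tells a pcap header (the \324\303\262\241 bytes the strace earlier in this thread read) apart from a unified2 record header, and decodes IDS event and packet records into the fields u2spewfoo prints. The prefix-matching rule (prefix, dot, numeric timestamp) is an assumption, and the spool files and packet are constructed sample data.

```python
"""Spool sanity check for a Snort -> barnyard2 setup (added example, constructed data):
list the <prefix>.<timestamp> files -d/-f would pick, tell pcap from unified2 by the
first bytes, and decode IDS event (type 7) and packet (type 2) records like u2spewfoo."""
import os
import socket
import struct
import tempfile

PCAP_MAGICS = {b"\xd4\xc3\xb2\xa1", b"\xa1\xb2\xc3\xd4", b"\x0a\x0d\x0d\x0a"}  # pcap LE/BE, pcapng
UNIFIED2_PACKET = 2
UNIFIED2_IDS_EVENT = 7                                     # legacy IPv4 event, 52-byte body
UNIFIED2_TYPES = {UNIFIED2_PACKET, UNIFIED2_IDS_EVENT, 72, 104, 105, 110}  # + IPv6/VLAN/extra

def classify(head):
    """Return 'pcap', 'unified2' or 'unknown' for the first bytes of a file."""
    if head[:4] in PCAP_MAGICS:
        return "pcap"
    if len(head) >= 8:
        rtype, rlen = struct.unpack(">II", head[:8])      # unified2 headers are big-endian
        if rtype in UNIFIED2_TYPES and 0 < rlen < (1 << 17):
            return "unified2"
    return "unknown"

def iter_records(data):
    """Yield (type, body) for each complete unified2 record in data."""
    off = 0
    while off + 8 <= len(data):
        rtype, rlen = struct.unpack(">II", data[off:off + 8])
        body = data[off + 8:off + 8 + rlen]
        if len(body) < rlen:
            break                        # truncated tail: snort may still be writing it
        yield rtype, body
        off += 8 + rlen

def parse_event(body):
    """Decode a type 7 record into the fields u2spewfoo prints under (Event)."""
    f = struct.unpack(">11I2H4B", body[:52])
    return {
        "sensor id": f[0], "event id": f[1], "event second": f[2],
        "event microsecond": f[3], "sig id": f[4], "gen id": f[5],
        "revision": f[6], "classification": f[7], "priority": f[8],
        "ip source": socket.inet_ntoa(struct.pack(">I", f[9])),
        "ip destination": socket.inet_ntoa(struct.pack(">I", f[10])),
        "src port": f[11], "dest port": f[12], "protocol": f[13],
        "impact_flag": f[14], "impact": f[15], "blocked": f[16],
    }

def parse_packet(body):
    """Decode a type 2 record: 28-byte header followed by the raw packet bytes."""
    f = struct.unpack(">7I", body[:28])
    return {"sensor id": f[0], "event id": f[1], "event second": f[2], "packet second": f[3],
            "packet microsecond": f[4], "linktype": f[5], "packet_length": f[6],
            "data": body[28:28 + f[6]]}

def spool_files(spool_dir, prefix):
    """Files barnyard2 -d <spool_dir> -f <prefix> would consider, oldest first.
    Assumed rule: the prefix, a dot, then a purely numeric timestamp suffix."""
    stamps = []
    for name in os.listdir(spool_dir):
        suffix = name[len(prefix) + 1:]
        if name.startswith(prefix + ".") and suffix.isdigit():
            stamps.append((int(suffix), name))
    return [name for _, name in sorted(stamps)]

def audit_spool(spool_dir, prefix):
    """Map each candidate spool file to the format detected from its first 8 bytes."""
    result = {}
    for name in spool_files(spool_dir, prefix):
        with open(os.path.join(spool_dir, name), "rb") as fh:
            result[name] = classify(fh.read(8))
    return result

def build_sample_unified2():
    """Constructed unified2 bytes: one event for sig 1:477 plus its ICMP echo packet."""
    event = struct.pack(">11I2H4B",
                        0, 1, 1359621379, 13073,     # sensor, event id, second, microsecond
                        477, 1, 0, 0, 0,             # sig id, gen id, revision, class, priority
                        0x01010101, 0x02020202,      # 1.1.1.1 -> 2.2.2.2
                        8, 0, 1, 0, 0, 0)            # itype, icode, proto, impact_flag, impact, blocked
    pkt = (bytes.fromhex("020000000002" "020000000001" "0800")            # Ethernet, made-up MACs
           + bytes.fromhex("4500003c00010000400100000101010102020202")   # IPv4, proto 1, checksum 0
           + bytes.fromhex("0800000000010001")                            # ICMP echo request
           + b"abcdefghijklmnopqrstuvwabcdefghi")                         # 32-byte payload
    packet = struct.pack(">7I", 0, 1, 1359621379, 1359621379, 13073, 1, len(pkt)) + pkt
    return (struct.pack(">II", UNIFIED2_IDS_EVENT, len(event)) + event
            + struct.pack(">II", UNIFIED2_PACKET, len(packet)) + packet)

def demo():
    """Write a constructed spool dir, audit it for both prefixes, decode the u2 file."""
    spool, data = tempfile.mkdtemp(), build_sample_unified2()
    with open(os.path.join(spool, "snort.log.1359117630"), "wb") as fh:
        fh.write(b"\xd4\xc3\xb2\xa1\x02\x00\x04\x00" + b"\x00" * 16)   # pcap 2.4 header
    with open(os.path.join(spool, "snort.u2.1359620700"), "wb") as fh:
        fh.write(data)
    audits = {p: audit_spool(spool, p) for p in ("snort.log", "snort.u2")}
    records = [parse_event(b) if t == UNIFIED2_IDS_EVENT else parse_packet(b)
               for t, b in iter_records(data)]
    return audits, records

if __name__ == "__main__":
    print(*demo(), sep="\n")
```

A spool file that classifies as "pcap" is what snort -b produces and barnyard2 will never parse it; only files matching the -f prefix and classifying as "unified2" are candidates.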

@binf
Collaborator

binf commented Jan 31, 2013

On Thu, Jan 31, 2013 at 3:41 AM, d3sre notifications@github.com wrote:

unfortunately again need your help:
i now write snort.u2 files a

Use the -f command line argument to barnyard2 to specify a unified2 prefix.

e.g.:
If your unified2 file is called abcd.unified2,

you will provide the barnyard2 -f abcd.unified2 command line argument.

In your case it would be -f snort.u2

using your command line:

/usr/bin/barnyard2 -D -c /etc/snort/barnyard2.conf -d /var/log/snort/eth1 -f snort.u2 -w /var/log/snort/eth1/barnyard2.waldo -a /var/log/snort/eth1/archive -i eth1 -f snort.u2

And it should be working.

@d3sre

d3sre commented Jan 31, 2013

Hi binf

Thanks for your help, but -f snort.u2 is already specified (or does it need to be at the end of the command?).
I just deleted the waldo file so it would create a new one (in case there was a problem with that), but now the process dies (it starts up correctly, but as soon as I try to lsof a few seconds later to check whether it locks the correct files, it's gone). I guess it's a permission thing or something; I'm just going after it.
Is there anything else you could think of being an issue (as -f was specified)? Thank you!

Update: it's only one interface where the barnyard2 process crashes; the other one is fine and is now correctly reading the .u2 file. I just can't test on that interface :/

@binf
Collaborator

binf commented Jan 31, 2013

On Thu, Jan 31, 2013 at 4:07 AM, d3sre notifications@github.com wrote:

hi binf

thanks for your help, but -f snort.u2 is already specified (or does it need to be at the end of the command?).

My bad, didn't see it. (No, it can be anywhere in the command line.)

i just deleted the waldo file so it would create a new one (in case there was a problem with that),

Yes, if the waldo contained the old file prefix, you needed to delete it.

but now the process dies (it starts up correctly but as soon as i try to lsof a few seconds later to check if it locks the correct files, it's gone..)..
i guess it's a permission thing or something, just going after it..
is there anything else that you could think of being an issue (as -f was specified)? thank you!

If you run barnyard2 in console, what messages do you get?

I would suggest that you do so, so you can capture what it's reporting, or look at your syslog messages.

-elz

@d3sre

d3sre commented Jan 31, 2013

ok, it aborts the startup of eth1 when it enters the for loop for every interface (that's line 45), but i didn't change anything there; i only deleted the old waldo file between it working (but accessing the wrong file) and it now not working anymore for 1 interface (eth1; eth2 is fine):


root@sensor:/var/log/snort# /etc/init.d/barnyard2 start
Starting Snort Output Processor (barnyard2):
starting eth1... used -c /etc/snort/barnyard2.conf -d /var/log/snort/eth1 -f snort.u2 -w /var/log/snort/eth1/barnyard2.waldo -a /var/log/snort/eth1/archive -i eth1 -v
Running in Continuous mode

    --== Initializing Barnyard2 ==--

Initializing Input Plugins!
Initializing Output Plugins!
Parsing config file "/etc/snort/barnyard2.conf"
Log directory = /var/log/barnyard2
WARNING database: Defaulting Reconnect/Transaction Error limit to 10
WARNING database: Defaulting Reconnect sleep time to 5 second
Node unique name is: sensor:eth1

database: [SynchronizeEventId()]: Problems executing [SELECT MAX(cid) FROM data WHERE sid='1';]
database: [SynchronizeEventId()]: Problems executing [SELECT MAX(cid) FROM event WHERE sid='1';]
database: [SynchronizeEventId()]: Problems executing [SELECT MAX(cid) FROM icmphdr WHERE sid='1';]
database: [SynchronizeEventId()]: Problems executing [SELECT MAX(cid) FROM iphdr WHERE sid='1';]
database: [SynchronizeEventId()]: Problems executing [SELECT MAX(cid) FROM opt WHERE sid='1';]
database: [SynchronizeEventId()]: Problems executing [SELECT MAX(cid) FROM tcphdr WHERE sid='1';]
database: [SynchronizeEventId()]: Problems executing [SELECT MAX(cid) FROM udphdr WHERE sid='1';]
[SignatureReferencePullDataStore()]: No Reference found in database ...
database: compiled support for (mysql)
database: configured to use mysql
database: schema version = 107
database: host = masterserver
database: user = snorbyinstall
database: database name = snorby
database: sensor name = sensor:eth1
database: sensor id = 1
database: sensor cid = 10
database: data encoding = hex
database: detail level = full
database: ignore_bpf = no
database: using the "log" facility

    --== Initialization Complete ==--

______ -> Barnyard2 <-
/ ,,_ \ Version 2.1.10 (Build 310)
|o" )~| By Ian Firns (SecurixLive): http://www.securixlive.com/

Using waldo file '/var/log/snort/eth1/barnyard2.waldo':
spool directory = /var/log/snort/eth1
spool filebase = snort.u2
time_stamp = 1359559987
record_idx = 1
Opened spool file '/var/log/snort/eth1/snort.u2.1359559987'
barnyard2: spo_database.c:1485: dbProcessSignatureInformation: Assertion `data->mc.plgSigCompare[x].cacheSigObj->obj.db_id != 0' failed.
/etc/init.d/barnyard2: line 45: 28210 Aborted $barnyardBin $BARNYARD_OPTS
starting eth2... used -c /etc/snort/barnyard2.conf -d /var/log/snort/eth2 -f snort.u2 -w /var/log/snort/eth2/barnyard2.waldo -a /var/log/snort/eth2/archive -i eth2 -v
Running in Continuous mode

    --== Initializing Barnyard2 ==--

Initializing Input Plugins!
Initializing Output Plugins!
Parsing config file "/etc/snort/barnyard2.conf"
Log directory = /var/log/barnyard2
WARNING database: Defaulting Reconnect/Transaction Error limit to 10
WARNING database: Defaulting Reconnect sleep time to 5 second
Node unique name is: sensor:eth2

database: [SynchronizeEventId()]: Problems executing [SELECT MAX(cid) FROM data WHERE sid='3';]
database: [SynchronizeEventId()]: Problems executing [SELECT MAX(cid) FROM event WHERE sid='3';]
database: [SynchronizeEventId()]: Problems executing [SELECT MAX(cid) FROM icmphdr WHERE sid='3';]
database: [SynchronizeEventId()]: Problems executing [SELECT MAX(cid) FROM iphdr WHERE sid='3';]
database: [SynchronizeEventId()]: Problems executing [SELECT MAX(cid) FROM opt WHERE sid='3';]
database: [SynchronizeEventId()]: Problems executing [SELECT MAX(cid) FROM tcphdr WHERE sid='3';]
database: [SynchronizeEventId()]: Problems executing [SELECT MAX(cid) FROM udphdr WHERE sid='3';]
[SignatureReferencePullDataStore()]: No Reference found in database ...
database: compiled support for (mysql)
database: configured to use mysql
database: schema version = 107
database: host = masterserver
database: user = snorbyinstall
database: database name = snorby
database: sensor name = sensor:eth2
database: sensor id = 3
database: sensor cid = 7
database: data encoding = hex
database: detail level = full
database: ignore_bpf = no
database: using the "log" facility

    --== Initialization Complete ==--

______ -> Barnyard2 <-
/ ,,_ \ Version 2.1.10 (Build 310)
|o" )~| By Ian Firns (SecurixLive): http://www.securixlive.com/

Using waldo file '/var/log/snort/eth2/barnyard2.waldo':
spool directory = /var/log/snort/eth2
spool filebase = snort.u2
time_stamp = 1359623770
record_idx = 0
Opened spool file '/var/log/snort/eth2/snort.u2.1359623770'
Closing spool file '/var/log/snort/eth2/snort.u2.1359623770'. Read 0 records
Opened spool file '/var/log/snort/eth2/snort.u2.1359624946'
Waiting for new data


my init.d/barnyard2 file's start looks like this:

RETVAL=0
prog="barnyard2"
desc="Snort Output Processor"
barnyardBin="/usr/bin/barnyard2"

start() {
    echo $"Starting $desc ($prog): "
    for INT in $INTERFACES; do
        echo -n "starting $INT..."
        PIDFILE="/var/run/barnyard2-$INT.pid"
        ARCHIVEDIR="$SNORTDIR/$INT/archive"
        WALDO_FILE="$SNORTDIR/$INT/barnyard2.waldo"
        # We need Interfaced PIDs, otherwise we can't lock
        EXTRA_ARGS="-i $INT -v"
        BARNYARD_OPTS="-c $CONF -d $SNORTDIR/${INT} -f $LOG_FILE -w $WALDO_FILE -a $ARCHIVEDIR $EXTRA_ARGS"
        echo " used $BARNYARD_OPTS"
        $barnyardBin $BARNYARD_OPTS
    done
    RETVAL=$?
    echo
    [ $RETVAL -eq 0 ] && touch /var/run/$prog
    return $RETVAL
}

/usr/bin/barnyard2 points to the barnyard2.nodebug-2.1.10 version. was there such a bug that was solved in 2.1.11?

btw, the file does exist, but it's only the oldest one (i guess it's supposed to access the others after the oldest):
drwx------ 2 snort snort 4096 Jan 30 16:32 archive
-rw------- 1 snort snort 2056 Jan 31 10:36 barnyard2.waldo
-rw------- 1 snort snort 1360 Jan 30 16:40 snort.u2.1359559987
-rw------- 1 snort snort 1360 Jan 30 16:44 snort.u2.1359560508
-rw------- 1 snort snort 680 Jan 31 09:16 snort.u2.1359620046
-rw------- 1 snort snort 680 Jan 31 09:36 snort.u2.1359620700
-rw------- 1 snort snort 0 Jan 31 09:59 snort.u2.1359622755
-rw------- 1 snort snort 0 Jan 31 10:16 snort.u2.1359623768
-rw------- 1 snort snort 0 Jan 31 10:35 snort.u2.1359624945

is there a problem with a check and the files having same sizes?

just wondering about this output from the log above:
Opened spool file '/var/log/snort/eth1/snort.u2.1359559987'
barnyard2: spo_database.c:1485: dbProcessSignatureInformation: Assertion `data->mc.plgSigCompare[x].cacheSigObj->obj.db_id != 0' failed.
/etc/init.d/barnyard2: line 45: 28210 Aborted $barnyardBin $BARNYARD_OPTS

@binf
Collaborator

binf commented Jan 31, 2013

Upgrade to current master, a lot of little issues have been fixed.

@d3sre

d3sre commented Jan 31, 2013

thank you very much, it's working now. there was still a little issue because i didn't have a rev: defined for my test rule, but after adjusting that i finally had my first db entries! :D

thank you again!

@binf
Collaborator

binf commented Jan 31, 2013

On Thu, Jan 31, 2013 at 6:12 AM, d3sre notifications@github.com wrote:

a little issue still cause

Good stuff.

I would also encourage you to join the barnyard2 mailing list, so if you have any issue or question those will be easier to access for people googling for a problem.

Look for barnyard2-users on google groups.

@d3sre

d3sre commented Jan 31, 2013

i will do that... also thinking about writing a how-to on all the stuff i stumbled upon... so many small things that would have helped to know and understand from the beginning... and i guess it's difficult to see those things if you've been working on the project for a while :/

@binf
Collaborator

binf commented Jan 31, 2013

On Thu, Jan 31, 2013 at 7:23 AM, d3sre notifications@github.com wrote:

i will do that.. also thinking about writing a how-to on all the stuff i stumbled upon.. so many small things, that
would have helped to know and understand from the beginning.. and i guess it's difficult to see those things
if you've been working on the project for a while :/

Sure, well you already did some good things like separating your log directory by instance.
One thing to keep in mind is that guides are usually static; if you intend to write something, make sure to follow what's coming up so you can update it as things change. Also be ready to answer questions from people who have followed your guide and have encountered issues :).

Also the by2 mailing list is a good place to ask questions and help people.

@firnsy firnsy closed this as completed Apr 8, 2013
@liebazi

liebazi commented May 5, 2013

Hi all. I get some problems like these, and I've no idea now.
With advice from solved snort DAQ threads, like http://seclists.org/snort/2010/q2/939
there are some reasons for "waiting for new spool file", as follows:
1) output file format must be unified2;
2) output filename should be with timestamp ex;
3) DB engine type should be InnoDB, not MyISAM (I think it has no relationship with this problem);
4) no events

environment info:
winsnort 2.9.4.1 , windows xp sp3( same result in 2003), mysql 5.5.31

Ok. I've checked these above:
step 1:

1. & 2) my snort.conf output plugin configuration:
;# unified2
;# Recommended for most installs
;#output unified2: filename merged.log, limit 128, nostamp, mpls_event_types, vlan_event_types

;# Additional configuration for specific types of installs
;# output alert_unified2: filename snort.alert, limit 128, nostamp
;# output log_unified2: filename snort.log, limit 128, nostamp
output alert_unified2: filename alert.u2, limit 128
output log_unified2: filename log.u2, limit 128

Additionally, with the barnyard2 command barnyard2 -c barnyard2.conf -o c:\Snort\log\log.u2.1367683785, I get this result:
Running in Batch mode

    --== Initializing Barnyard2 ==--

Initializing Input Plugins!
Initializing Output Plugins!
Parsing config file "barnyard2.conf"
cygwin warning:
MS-DOS style path detected: C:\Snort\etc\classification.config
Preferred POSIX equivalent is: /Snort/etc/classification.config
CYGWIN environment variable option "nodosfilewarning" turns off this warning.
Consult the user's guide for more details about POSIX paths:
http://cygwin.com/cygwin-ug-net/using.html#using-pathnames
Log directory = C:\by2-latest\log
Last event seen for sid 8 was 0
database: compiled support for (postgresql)
database: configured to use mysql
database: schema version = 107
database: host = 127.0.0.1
database: user = snortuser
database: database name = snortdb
database: sensor name = localhost:\Device\NPF_{EC7A2CDB-6780-4C9E-9E8F-7F710C
B73237}
database: sensor id = 8
database: sensor cid = 1
database: data encoding = hex
database: detail level = full
database: ignore_bpf = no
database: using the "log" facility

    --== Initialization Complete ==--

______ -> Barnyard2 <-
/ ,,_ \ Version 2.1.10-beta2 (Build 266)
|o" )~| By Ian Firns (SecurixLive): http://www.securixlive.com/

Processing 1 files...
Opened spool file 'c:\Snort\log\log.u2.1367683785'
Closing spool file 'c:\Snort\log\log.u2.1367683785'. Read 318 records
;=========================================================
Record Totals:
Records: 318
Events: 0 (0.000%)
Packets: 318 (100.000%)
Unknown: 0 (0.000%)
;==========================================================
so, i proved 2 things:

  • barnyard2 works well running in batch mode.
  • snort log data works well (the log file data is growing)
    maybe it also figures out that the file format is unified2?
    if not, on the other hand, I've made sure it is with the snort tool u2spewfoo (cp the log.u2 file to a linux host and check)

step 2: for 3)
i checked mysql's engine with the mysql command show variables like '%storage_engine%'; and got this result:
+----------------------------+--------+
| Variable_name | Value |
+----------------------------+--------+
| default_storage_engine | InnoDB |
| default_tmp_storage_engine | InnoDB |
| storage_engine | InnoDB |
+----------------------------+--------+
3 rows in set (0.06 sec)

and more: show create table sensor;
| sensor | CREATE TABLE sensor (
sid int(10) unsigned NOT NULL AUTO_INCREMENT,
hostname text,
interface text,
filter text,
detail tinyint(4) DEFAULT NULL,
encoding tinyint(4) DEFAULT NULL,
last_cid int(10) unsigned NOT NULL,
PRIMARY KEY (sid)
) ENGINE=InnoDB AUTO_INCREMENT=9 DEFAULT CHARSET=utf8 |

step 3: for 4)
using u2spewfoo, i found some events.

when i run barnyard2 in Continuous mode with the command:
barnyard2 -c barnyard2.conf -d c:\Snort\log -f c:\Snort\log\log.u2, i get this result:
Running in Continuous mode

    --== Initializing Barnyard2 ==--

Initializing Input Plugins!
Initializing Output Plugins!
Parsing config file "barnyard2.conf"
cygwin warning:
MS-DOS style path detected: C:\Snort\etc\classification.config
Preferred POSIX equivalent is: /Snort/etc/classification.config
CYGWIN environment variable option "nodosfilewarning" turns off this warning.
Consult the user's guide for more details about POSIX paths:
http://cygwin.com/cygwin-ug-net/using.html#using-pathnames
Log directory = C:\by2-latest\log
Last event seen for sid 8 was 0
database: compiled support for (postgresql)
database: configured to use mysql
database: schema version = 107
database: host = 127.0.0.1
database: user = snortuser
database: database name = snortdb
database: sensor name = localhost:\Device\NPF_{EC7A2CDB-6780-4C9E-9E8F-7F710C
B73237}
database: sensor id = 8
database: sensor cid = 1
database: data encoding = hex
database: detail level = full
database: ignore_bpf = no
database: using the "log" facility

    --== Initialization Complete ==--

______ -> Barnyard2 <-
/ ,,_ \ Version 2.1.10-beta2 (Build 266)
|o" )~| By Ian Firns (SecurixLive): http://www.securixlive.com/

Waiting for new spool file
;===========================================================
Record Totals:
Records: 0
Events: 0 (0.000%)
Packets: 0 (0.000%)
Unknown: 0 (0.000%)
;===========================================================
Packet breakdown by protocol (includes rebuilt packets):
ETH: 0 (0.000%)
ETHdisc: 0 (0.000%)
VLAN: 0 (0.000%)
......

@liebazi

liebazi commented May 5, 2013

maybe you would advise running barnyard like this:
C:\by2-latest>barnyard2 -c barnyard2.conf -d c:\Snort\log -f c:\Snort\log\log.u2 -w c:\Snort\log\barnyard2.waldo
but winsnort installed with no waldo file, and barnyard2 generates no waldo file.
barnyard2 started with the warning:
WARNING: Unable to open waldo file 'c:\Snort\log\barnyard2.waldo' (No such file or directory)
Waiting for new spool file
;===============================================================
......

and then i touched a barnyard2.waldo file; it started with the msg:
WARNING: Ignoring corrupt/truncated waldofile 'c:\Snort\log\barnyard2.waldo'
Waiting for new spool file
;===============================================================

Maybe the key point is the waldo file (that's my derivation now), but i don't know what i should do.

Do you experts have any ideas?

@binf
Collaborator

binf commented May 5, 2013

The problem seems to lie in the fact that snort is not generating any event.

Did you try to run snort with the command line argument -k none to disable checksumming? This can also help depending on the type of networking interface you are trying to monitor.

For further assistance and debugging please use the barnyard2 mailing list:
barnyard2-users@googlegroups.com.

-elz

On Sat, May 4, 2013 at 9:27 PM, liebazi notifications@github.com wrote:

Bold font because of '#' char(s) , GitHub encoded or format it .:)


@liebazi

liebazi commented May 5, 2013

i use snort with the -k none argument, and run barnyard2 in batch mode; i get the following:
C:\by2-latest>barnyard2 -c barnyard2.conf -o c:\Snort\log\alert.u2.1367759868
Running in Batch mode

    --== Initializing Barnyard2 ==--

Initializing Input Plugins!
Initializing Output Plugins!
Parsing config file "barnyard2.conf"
cygwin warning:
MS-DOS style path detected: C:\Snort\etc\classification.config
Preferred POSIX equivalent is: /Snort/etc/classification.config
CYGWIN environment variable option "nodosfilewarning" turns off this warning.
Consult the user's guide for more details about POSIX paths:
http://cygwin.com/cygwin-ug-net/using.html#using-pathnames
Log directory = C:\by2-latest\log
Last event seen for sid 8 was 0
database: compiled support for (postgresql)
database: configured to use mysql
database: schema version = 107
database: host = 127.0.0.1
database: user = snortuser
database: database name = snortdb
database: sensor name = localhost:\Device\NPF_{EC7A2CDB-6780-4C9E-9E8F-7F710
B73237}
database: sensor id = 8
database: sensor cid = 1
database: data encoding = hex
database: detail level = full
database: ignore_bpf = no
database: using the "log" facility

    --== Initialization Complete ==--

______ -> Barnyard2 <-
/ ,,_ \ Version 2.1.10-beta2 (Build 266)
|o" )~| By Ian Firns (SecurixLive): http://www.securixlive.com/

Processing 1 files...
Opened spool file 'c:\Snort\log\alert.u2.1367759868'
Closing spool file 'c:\Snort\log\alert.u2.1367759868'. Read 257 records
;===============================================================================
Record Totals:
Records: 257
Events: 257 (100.000%)
Packets: 0 (0.000%)
Unknown: 0 (0.000%)
;===============================================================================
Packet breakdown by protocol (includes rebuilt packets):

It shows 257 events and 0 packets, but i also find a strange msg: Last event seen for sid 8 was 0

and then i run barnyard2 in Continuous mode, still "waiting for new spool file"

@liebazi

liebazi commented May 5, 2013

from #17
"I still wonder why Snort misses some packet data though, it means that barnyard2 will always discard these events." ------yunzheng

i checked my alert.u2 & log.u2 and found that alert.u2 has only events, log.u2 only packets.
so i changed the snort.conf output plugin, like this:
;# unified2
;# Recommended for most installs
;#output unified2: filename merged.log, limit 128, nostamp, mpls_event_types, vlan_event_types
output unified2: filename merged.log, limit 128

;# Additional configuration for specific types of installs
;;# output alert_unified2: filename snort.alert, limit 128, nostamp
;# output log_unified2: filename snort.log, limit 128, nostamp
;#output alert_unified2: filename alert.u2, limit 128
;#output log_unified2: filename log.u2, limit 128

then run snort, which generates merged.log.xxxx
Run barnyard2 in batch mode, get a result that contains events & packets.
And query mysql: select count(*) from event; get the result as follows:
+----------+
| count(*) |
+----------+
|       58 |
+----------+
1 row in set (0.11 sec)

but running barnyard2 in Continuous mode, still "wait for new spool file"
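The batch-mode "Record Totals" earlier in this thread and the alert.u2/log.u2 observation in this post both come down to which record types a spool file holds. The following is an added example in Python, not barnyard2 or Snort code, that walks a unified2 file image, counts events and packets the way that summary does, and decodes the event fields the database plugin keys on (sensor id and event id for the cid, gid/sid/rev for the signature lookup). The record type numbers and the two struct layouts are the public ones from Snort's Unified2_common.h; the spool images built at the bottom are constructed, with made-up addresses and ids.

```python
"""Count the records in a unified2 spool file image, as barnyard2's
"Record Totals" summary does.

Added example, not barnyard2 or Snort code. Record type numbers and the two
struct layouts are the public ones from Snort's Unified2_common.h; the sample
records at the bottom are constructed.
"""
import struct

UNIFIED2_PACKET = 2
UNIFIED2_IDS_EVENT = 7             # legacy IPv4 event, 52-byte body
UNIFIED2_IDS_EVENT_IPV6 = 72
UNIFIED2_IDS_EVENT_VLAN = 104
UNIFIED2_IDS_EVENT_IPV6_VLAN = 105
UNIFIED2_EXTRA_DATA = 110
EVENT_TYPES = {UNIFIED2_IDS_EVENT, UNIFIED2_IDS_EVENT_IPV6,
               UNIFIED2_IDS_EVENT_VLAN, UNIFIED2_IDS_EVENT_IPV6_VLAN}

RECORD_HDR = struct.Struct("!II")         # type, length; network byte order
LEGACY_EVENT = struct.Struct("!11I2H4B")  # Unified2IDSEvent_legacy, 52 bytes
PACKET_HDR = struct.Struct("!7I")         # Serial_Unified2Packet fixed part


def iter_records(data):
    """Yield (type, body) for each complete record; stop at a partial tail.

    A record whose declared length runs past the end of the data is one Snort
    is still writing (or the file was cut off); barnyard2 waits for the rest.
    """
    offset = 0
    while offset + RECORD_HDR.size <= len(data):
        rtype, length = RECORD_HDR.unpack_from(data, offset)
        start = offset + RECORD_HDR.size
        if start + length > len(data):
            break
        yield rtype, data[start:start + length]
        offset = start + length


def unparsed_tail(data):
    """Bytes at the end that do not form a complete record."""
    used = sum(RECORD_HDR.size + len(body) for _, body in iter_records(data))
    return len(data) - used


def record_totals(data):
    """Records / Events / Packets / Unknown counts, as in barnyard2's summary."""
    totals = {"records": 0, "events": 0, "packets": 0, "unknown": 0}
    for rtype, _ in iter_records(data):
        totals["records"] += 1
        if rtype in EVENT_TYPES:
            totals["events"] += 1
        elif rtype == UNIFIED2_PACKET:
            totals["packets"] += 1
        else:
            totals["unknown"] += 1
    return totals


def decode_legacy_event(body):
    """The UNIFIED2_IDS_EVENT fields the database plugin needs (sensor and
    event ids for the cid, gid/sid/rev to look up the signature)."""
    f = LEGACY_EVENT.unpack_from(body)
    return {"sensor_id": f[0], "event_id": f[1], "event_second": f[2],
            "signature_id": f[4], "generator_id": f[5],
            "signature_revision": f[6], "classification_id": f[7],
            "priority_id": f[8]}


def diagnose(data):
    """One line saying why a spool like this would leave the database empty."""
    t = record_totals(data)
    if t["records"] == 0:
        return "no complete records"
    if t["packets"] == 0:
        return ("events only: an alert_unified2 file; the database plugin "
                "also needs the packet records, use 'output unified2'")
    if t["events"] == 0:
        return "packets only: a log_unified2 file with no event records"
    return "events and packets present"


# Constructed sample records; addresses and ids are made up.
def build_record(rtype, body):
    return RECORD_HDR.pack(rtype, len(body)) + body


def build_legacy_event(sensor_id, event_id, gid, sid, rev):
    body = LEGACY_EVENT.pack(sensor_id, event_id, 1359621382, 8485, sid, gid,
                             rev, 0, 3, 0x0A000001, 0x0A000002, 8, 0, 1, 0, 0, 0)
    return build_record(UNIFIED2_IDS_EVENT, body)


def build_packet(sensor_id, event_id, payload):
    body = PACKET_HDR.pack(sensor_id, event_id, 1359621382, 1359621382, 8485,
                           1, len(payload)) + payload
    return build_record(UNIFIED2_PACKET, body)


ALERT_ONLY = b"".join(build_legacy_event(0, i, 1, 1000001, 1) for i in (1, 2, 3))
LOG_ONLY = b"".join(build_packet(0, i, b"\x45\x00" * 20) for i in (1, 2))
MERGED = (build_legacy_event(0, 4, 1, 1000001, 1)
          + build_packet(0, 4, b"\x45\x00" * 20)
          + RECORD_HDR.pack(UNIFIED2_PACKET, 64) + b"\x00" * 10)  # partial tail

if __name__ == "__main__":
    for name, img in (("alert.u2", ALERT_ONLY), ("log.u2", LOG_ONLY),
                      ("merged.log", MERGED)):
        print(name, record_totals(img), unparsed_tail(img), diagnose(img))
```

To run it against a real file, read the spool file in binary mode and pass the bytes to record_totals and diagnose; the unparsed_tail value tells you how much of a record Snort had not finished writing when you copied the file.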

@Djm512

Djm512 commented Sep 13, 2013

So this is my problem. I run barnyard using this command:
/root/barnyard2-install/bin/barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort -f merged.. -w /var/log/snort/barnyard2.waldo .

and I get this in syslog

Sep 13 13:57:39 VMLSnort snort[1773]: Commencing packet processing (pid=1773)
Sep 13 13:59:04 VMLSnort barnyard2: #12#012+[ Signature Suppress list ]+#12----------------------------
Sep 13 13:59:04 VMLSnort barnyard2: +[No entry in Signature Suppress List]+
Sep 13 13:59:04 VMLSnort barnyard2: ----------------------------#12+[ Signature Suppress list ]+#12
Sep 13 13:59:27 VMLSnort barnyard2: Barnyard2 spooler: Event cache size set to [2048]
Sep 13 13:59:27 VMLSnort barnyard2: Log directory = /var/log/snort
Sep 13 13:59:27 VMLSnort barnyard2: INFO database: Defaulting Reconnect/Transaction Error limit to 10
Sep 13 13:59:27 VMLSnort barnyard2: INFO database: Defaulting Reconnect sleep time to 5 second
Sep 13 13:59:27 VMLSnort barnyard2: Initializing daemon mode
Sep 13 13:59:27 VMLSnort barnyard2: Daemon parent exiting
Sep 13 13:59:27 VMLSnort barnyard2: Daemon initialized, signaled parent pid: 1779
Sep 13 13:59:27 VMLSnort barnyard2: PID path stat checked out ok, PID path set to /var/run/
Sep 13 13:59:27 VMLSnort barnyard2: Writing PID "1780" to file "/var/run//barnyard2_eth1.pid"

so I'm using a mysql server and snort writes the file as merged.u2 timestamp; the files appear and grow. However, the database is empty and no waldo file ever appears, so, I'm really new to snort, but I think I need to test if barnyard2 is reading the file and then maybe look at the mysql schemas that came with barnyard2.
This is the relevant part of my barnyard2.conf:

cat > /etc/snort/barnyard2.conf << EOF

config reference_file: /etc/snort/reference.config
config classification_file: /etc/snort/classification.config
config gen_file: /etc/snort/gen-msg.map
config sid_file: /etc/snort/sid-msg.map
config logdir: /var/log/snort
config hostname: VMLSnort
config interface: eth1
config daemon
config waldo_file: /var/log/snort/barnyard2.waldo
input unified2
output database:log, mysql, dbname=snortdb user=xxxx password=xxxx host=localhost full
EOF

So what might be the problem? If need be, how can I test barnyard2 and mysql? Also, you mentioned above updating the master, but I have no clue what you mean. Would updating the master fix it, and if so how do I do that?
