
Barnyard2 not logging snort log into mysql database. #64

Closed
sumitkamboj opened this Issue Jan 27, 2013 · 7 comments


Hi,

I have set up Snort 2.9.4 and barnyard2-1.11 on an Ubuntu 11.10 box. All seems OK; however, the events generated by Snort are not written to the MySQL database.

---- below the setup in snort.conf

output unified2: filename snort.log, limit 128

----- below the barnyard2 config

config reference_file: /etc/snort/reference.config
config classification_file: /etc/snort/classification.config
config gen_file: /etc/snort/gen-msg.map
config sid_file: /etc/snort/community-sid-msg.map
config logdir: /var/log/barnyard2/
config waldo_file: /var/log/snort/barnyard2.waldo
input unified2
output database: log, mysql, user=snort password=snortpass dbname=snort host=localhost

---- below the barnyard startup command

barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort -f snort.log -w /var/log/snort/barnyard2.waldo

---- below the stdout from above barnyard job ----------------------

Running in Continuous mode

    --== Initializing Barnyard2 ==--

Initializing Input Plugins!
Initializing Output Plugins!
Parsing config file "/etc/snort/barnyard2.conf"
Barnyard2 spooler: Event cache size set to [2048]
Log directory = /var/log/barnyard2
INFO database: Defaulting Reconnect/Transaction Error limit to 10
INFO database: Defaulting Reconnect sleep time to 5 second
database: [SynchronizeEventId()]: Problems executing [SELECT MAX(cid) FROM data WHERE sid='2';]
database: [SynchronizeEventId()]: Problems executing [SELECT MAX(cid) FROM event WHERE sid='2';]
database: [SynchronizeEventId()]: Problems executing [SELECT MAX(cid) FROM icmphdr WHERE sid='2';]
database: [SynchronizeEventId()]: Problems executing [SELECT MAX(cid) FROM iphdr WHERE sid='2';]
database: [SynchronizeEventId()]: Problems executing [SELECT MAX(cid) FROM opt WHERE sid='2';]
database: [SynchronizeEventId()]: Problems executing [SELECT MAX(cid) FROM tcphdr WHERE sid='2';]
database: [SynchronizeEventId()]: Problems executing [SELECT MAX(cid) FROM udphdr WHERE sid='2';]
[SignatureReferencePullDataStore()]: No Reference found in database ...
database: compiled support for (mysql)
database: configured to use mysql
database: schema version = 107
database: host = localhost
database: user = snort
database: database name = snort
database: sensor name = sumit-laptop:NULL
database: sensor id = 2
database: sensor cid = 1
database: data encoding = hex
database: detail level = full
database: ignore_bpf = no
database: using the "log" facility

    --== Initialization Complete ==--

______ -> Barnyard2 <-
/ ,,_ \ Version 2.1.11 (Build 317)
|o" )~| By Ian Firns (SecurixLive): http://www.securixlive.com/

Using waldo file '/var/log/snort/barnyard2.waldo':
spool directory = /var/log/snort
spool filebase = snort.log
time_stamp = 1359316800
record_idx = 0
Opened spool file '/var/log/snort/snort.log.1359316800'
Waiting for new data

database: Closing connection to database "snort"

Record Totals:
Records: 0
Events: 0 (0.000%)
Packets: 0 (0.000%)

Unknown: 0 (0.000%)

Packet breakdown by protocol (includes rebuilt packets):
ETH: 0 (0.000%)
ETHdisc: 0 (0.000%)
VLAN: 0 (0.000%)
IPV6: 0 (0.000%)
IP6 EXT: 0 (0.000%)
IP6opts: 0 (0.000%)
IP6disc: 0 (0.000%)
IP4: 0 (0.000%)
IP4disc: 0 (0.000%)
TCP 6: 0 (0.000%)
UDP 6: 0 (0.000%)
ICMP6: 0 (0.000%)
ICMP-IP: 0 (0.000%)
TCP: 0 (0.000%)
UDP: 0 (0.000%)
ICMP: 0 (0.000%)
TCPdisc: 0 (0.000%)
UDPdisc: 0 (0.000%)
ICMPdis: 0 (0.000%)
FRAG: 0 (0.000%)
FRAG 6: 0 (0.000%)
ARP: 0 (0.000%)
EAPOL: 0 (0.000%)
ETHLOOP: 0 (0.000%)
IPX: 0 (0.000%)
OTHER: 0 (0.000%)
DISCARD: 0 (0.000%)
InvChkSum: 0 (0.000%)
S5 G 1: 0 (0.000%)
S5 G 2: 0 (0.000%)
Total: 0

Problem: I am running Snort on the ppp0 interface using the command
snort -c /etc/snort/snort.conf -i ppp0 -A console
Snort logs all alerts into the directory /var/log/snort. When I run barnyard2 it reads 0 records from all the log files generated by Snort (the Snort log files are full of alerts).
In short, barnyard2 is reading the files but thinks there is no content in them.

------------------- Sample log file (partial content of a Snort log file)

\D4ò\A1�\00�\00\00\00\00\00\00\00\00\00\EA�\00\00q\00\00\00O\87�Q\FB\A9
\00\C4�\00\00\C4�\00\00\00\00�\00\00\00\00\00\00\00\00\00\00\00�\00E\00�\B4\EE�@\00-�D\92S\A7\E6\B0u\E0e[\00P\B2�\B1gw\B1\FE�\F8�\80�\00;-\97\00\00���
\B2晭\00=�\CFHTTP/1.1 200 OK
Date: Sun, 27 Jan 2013 20:00:14 GMT
Server: Apache
X-Powered-By: PHP/5.3.8
Connection: close
Transfer-Encoding: chunked
Content-Type: text/html

Please help, guys, as soon as possible.

Collaborator

binf commented Jan 27, 2013

How large is your unified2 file?

The record you printed seems to be an EXTRA DATA record. Barnyard2 and the default database schema do not support the EXTRA DATA type of unified2 records, but you should have statistics for unknown records when you exit barnyard2.

But if you have regular events in the unified2 file, they should be logged without an issue.

Also, if you want to have valid unified2 output, you should not run Snort using the -A console output mode.

Just run Snort normally, using snort -c /snort.conf -i IFACENAME

The size of my unified file is 75.1 KB. I am pasting the content of the unified file again with more detail.

---------- content of unified file ----------

\D4ò\A1�\00�\00\00\00\00\00\00\00\00\00\EA�\00\00q\00\00\00�\95�Q\97\E5�\00\C4�\00\00\C4�\00\00\00\00�\00\00\00\00\00\00\00\00\00\00\00�\00E\00�\B4\DA\FE@\00,�\B0\C1S\A7\E6\B0u\E0
L\00P\D2\EA\8E;\FDu\8C\CAkj\80�\00:�t\00\00���
\B3�'\88\00JuGHTTP/1.1 200 OK
Date: Sun, 27 Jan 2013 20:58:43 GMT
Server: Apache
X-Powered-By: PHP/5.3.8
Connection: close
Transfer-Encoding: chunked
Content-Type: text/html

2023

<title>Songs.PK - Download Bollywood Songs,Songspk,Mp3 Songs,Bollywood Music,Indian Movie Songs,Hindi Music,Indian Mp3</title> <style> </style>
<script language="JavaScript"> var zflag_nid="1549"; var zflag_cid="388"; var zflag_sid="68"; var zflag_width="1"; var zflag_height="1"; var zflag_sz="16"; var zflag_charset="utf-8"; </script> <script language="JavaScript" src="http://c2.zedo.com/jsc/c2/fo.js"></script> <script type='text/javascript'> var googletag = googletag || {}; googletag.cmd = googletag.cmd || []; (function() { var gads = document.createElement('script'); gads.async = true; gads.type = 'text/javascript'; var useSSL = 'https:' == document.location.protocol; gads.src = (useSSL ? 'https:' : 'http:') + '//www.googletagservices.com/tag/js/gpt.js'; var node = document.getElementsByTagName('script')[0]; node.parentNode.insertBefore(gads, node); })(); </script> <script type='text/javascript'> googletag.cmd.push(function() { googletag.defineSlot('/4069560/techmagnate728', [728, 90], 'div-gpt-ad-1334276924706-0').addService(googletag.pubads()); googletag.enableServices(); }); </script>
<script type='text/javascript'> googletag.cmd.push(function() { googletag.display('div-gpt-ad-1334276924706-0'); }); </script>
<table border="0" width="697" id="table1" cellspacing="0" cellpadding="0" bgcolor="#629ABD" style="background-color: #629ABD">

    <tr>

        <td width="4">&nbsp;</td>

        <td width="781" valign="top">
<tr>

    <td rowspan="2" width="19">

        <�\95�Q�\FD�\00\C4�\00\00\C4�\00\00\00\00�\00\00\00\00\00\00\00\00\00\00\00�\00E\00�\B4\DB�@\00,�\B0\BES\A7\E6\B0u\E0

L\00P\D2\EA\8E<
\F5\8C\CAkj\80�\00:\B8U\00\00���
\B3�(\DB\00Ju\B9img src="http://images.songspk.pk/images/cellpk_01.gif" width="19" height="15" alt="">

    <td colspan="2" width="4">

        <img src="http://images.songspk.pk/images/cellpk_02.gif" width="4" height="4" alt=""></td>

    <td colspan="8" width="737">

        <img src="http://images.songspk.pk/images/cellpk_03.gif" width="737" height="4" alt=""></td>

    <td rowspan="3" width="20">

        <img src="http://images.songspk.pk/images/cellpk_04.gif" width="20" height="17" alt=""></td>

    <td width="1">

        <img src="http://images.songspk.pk/images/spacer.gif" width="1" height="4" alt=""></td>

</tr>

<tr>

    <td colspan="7" rowspan="3" width="227">

        <img src="http://images.songspk.pk/images/cellpk_05.gif" width="227" height="87" alt="Songs.PK - Bollywood Music Indian Songs Mp3"></td>

    <td rowspan="3" width="29">

        <img src="http://images.songspk.pk/images/cellpk_06.gif" width="32" height="87" alt=""></td>

    <td rowspan="3" width="4">

        <img src="http://images.songspk.pk/images/cellpk_07.gif" width="4" height="87" alt=""></td>

    <td rowspan="3" background="http://images.songspk.pk/images/cellpk_07.gif" width="481">

        <p align="center">

        <!--/* OpenX Javascript Tag v2.8.8 */-->
<script type='text/javascript'></script>

 

    <td width="1">

        <img src="http://images.songspk.pk/images/spacer.gif" width="1" height="11" alt=""></td>

</tr>

<tr>

    <td rowspan="10" background="http://images.songspk.pk/images/cellpk_01.gif" width="19">&nbsp;

        </td>

    <td width="1">

        <img src="http://images.songspk.pk/im�\95�Q\83��\00\C4�\00\00\C4�\00\00\00\00�\00\00\00\00\00\00\00\00\00\00\00�\00E\00�\B4\DB�@\00,�\B0\BCS\A7\E6\B0u\E0

L\00P\D2\EA\8E<�\F5\8C\CAkj\80�\00:\95\AD\00\00���
\B3�(\DB\00Ju\B9ages/spacer.gif" width="1" height="2" alt="">

</tr>

<tr>

    <td rowspan="10" background="http://images.songspk.pk/images/cellpk_04.gif" width="20">&nbsp;

        </td>

    <td width="1">

        <img src="http://images.songspk.pk/images/spacer.gif" width="1" height="74" alt=""></td>

</tr>

<tr>

    <td colspan="3" width="8">

        <img src="http://images.songspk.pk/images/cellpk_11.gif" width="8" height="21" alt=""></td>

    <td colspan="7" background="http://images.songspk.pk/images/cellpk_11.gif" width="733" bgcolor="#959595">

        <p align="center"><font color="#FFFFFF">

        <a href="http://www.songspk.pk"><font color="#FFFFFF">Home</font></a> | 

        <a href="bollywood_songs.html"><font color="#FFFFFF">Bollywood Songs</font></a> |

        <a href="pakistani_songs.html"><font color="#FFFFFF">Pakistani Songs 

        </font> </a>|

        <a href="indian_pop_remix_songs.html"><font color="#FFFFFF">Indian Pop And Remix Songs</font></a> |

        <a href="bhangra_songs.html"><font color="#FFFFFF">Bhangra Songs</font></a> | 

        <a href="ghazals.html"><font color="#FFFFFF">Ghazals</font></a> | 

        <a href="contact_us.html"><font color="#FFFFFF">Contact Us</font></a></font></td>

    <td width="1">

        <img src="http://images.songspk.pk/images/spacer.gif" width="1" height="21" alt=""></td>

</tr>

3a9e

Have a look; is the issue the same as the one you are describing?

Sorry guys, the previous comment got split into many parts due to the HTML tags.

Collaborator

binf commented Jan 28, 2013

unified2 files are in a binary format; you should use the u2spewfoo tool that comes with the Snort source to output relevant information from the unified2 file you're trying to process.

I'm still under the impression that the event you pasted is an EXTRA DATA event type, and as previously stated this is not logged to the database due to format restrictions.
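The two replies above come down to one check: open the spool file as binary, walk the records by their type/length header, and see which record types are actually in it, because only IDS event records produce database rows while EXTRA DATA (and packet) records do not. The following is an added example, not code from this thread or from the barnyard2 or Snort projects; it is a small u2spewfoo-style record counter. It assumes the record-type values and the legacy IPv4 event layout from Snort's Unified2_common.h (type 7 = IDS event, 2 = packet, 110 = extra data, and the 52-byte Unified2IDSEvent_legacy body), and the sample spool it parses is constructed inline, so the values inside it are not from the reporter's file.

```python
"""Count unified2 record types: the first thing to check when barnyard2
reports 'Records: 0' against a spool file that is clearly not empty."""
import socket
import struct
import sys
from collections import Counter

# Record type values as defined in Snort's src/output-plugins/Unified2_common.h
# (assumption: taken from that header, not from the thread).
UNIFIED2_PACKET = 2
UNIFIED2_IDS_EVENT = 7
UNIFIED2_IDS_EVENT_IPV6 = 72
UNIFIED2_IDS_EVENT_VLAN = 104
UNIFIED2_IDS_EVENT_IPV6_VLAN = 105
UNIFIED2_EXTRA_DATA = 110

RECORD_NAMES = {
    UNIFIED2_PACKET: "PACKET",
    UNIFIED2_IDS_EVENT: "IDS_EVENT",
    UNIFIED2_IDS_EVENT_IPV6: "IDS_EVENT_IPV6",
    UNIFIED2_IDS_EVENT_VLAN: "IDS_EVENT_VLAN",
    UNIFIED2_IDS_EVENT_IPV6_VLAN: "IDS_EVENT_IPV6_VLAN",
    UNIFIED2_EXTRA_DATA: "EXTRA_DATA",
}
# Only these record types become event rows in the barnyard2 database schema.
EVENT_TYPES = {UNIFIED2_IDS_EVENT, UNIFIED2_IDS_EVENT_IPV6,
               UNIFIED2_IDS_EVENT_VLAN, UNIFIED2_IDS_EVENT_IPV6_VLAN}

# Every record starts with a Serial_Unified2_Header: type and length, big-endian u32.
RECORD_HDR = struct.Struct("!II")
# Legacy IPv4 event body (Unified2IDSEvent_legacy): 11 u32, 2 u16, 4 u8 = 52 bytes.
IDS_EVENT = struct.Struct("!11IHH4B")


def iter_records(blob):
    """Yield (type, payload) for every complete record in blob.
    A trailing partial record is left unread, which is what the barnyard2
    spooler does while it waits for Snort to finish writing it."""
    off = 0
    while off + RECORD_HDR.size <= len(blob):
        rtype, rlen = RECORD_HDR.unpack_from(blob, off)
        off += RECORD_HDR.size
        if off + rlen > len(blob):
            break
        yield rtype, blob[off:off + rlen]
        off += rlen


def summarize(blob):
    """Return {record name: count}; unknown types are reported by number."""
    return Counter(RECORD_NAMES.get(t, "UNKNOWN(%d)" % t) for t, _ in iter_records(blob))


def loggable_events(blob):
    """Number of IDS event records, i.e. rows the database output plugin would insert."""
    return sum(1 for t, _ in iter_records(blob) if t in EVENT_TYPES)


def decode_ipv4_event(payload):
    """Pull the fields the database plugin keys on out of a legacy IPv4 event."""
    f = IDS_EVENT.unpack(payload[:IDS_EVENT.size])
    return {
        "sensor_id": f[0], "event_id": f[1], "event_second": f[2],
        "sig_id": f[4], "gen_id": f[5], "sig_rev": f[6],
        "src": socket.inet_ntoa(struct.pack("!I", f[9])),
        "dst": socket.inet_ntoa(struct.pack("!I", f[10])),
        "sport": f[11], "dport": f[12], "proto": f[13],
    }


def make_record(rtype, payload):
    """Frame a payload with the type/length header."""
    return RECORD_HDR.pack(rtype, len(payload)) + payload


# Constructed sample spool (not from the reporter's file): one IPv4 event, its
# packet record, one EXTRA_DATA record, then a truncated header as if Snort
# were mid-write. Field values inside the bodies are illustrative.
SAMPLE_SPOOL = b"".join([
    make_record(UNIFIED2_IDS_EVENT, IDS_EVENT.pack(
        2, 1, 1359316800, 0,        # sensor_id, event_id, event_second, event_usec
        2100498, 1, 7, 3, 2,        # sig_id, gen_id, sig_rev, class_id, priority
        0xC0A80101, 0x0A000001,     # 192.168.1.1 -> 10.0.0.1
        80, 49152, 6, 0, 0, 0)),    # sport, dport, proto=TCP, impact flags
    make_record(UNIFIED2_PACKET,
                struct.pack("!7I", 2, 1, 1359316800, 1359316800, 0, 1, 14)
                + b"\x00" * 14),    # linktype 1 = Ethernet, 14 zero bytes stand in for a frame
    make_record(UNIFIED2_EXTRA_DATA,
                struct.pack("!II", 4, 28)                          # extra-data header
                + struct.pack("!6I", 2, 1, 1359316800, 1, 1, 12)   # Unified2ExtraData
                + b"\x00\x00\x00\x01"),                            # blob
    b"\x00\x00\x00",                # partial header at EOF
])

if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_SPOOL
    for name, n in sorted(summarize(blob).items()):
        print("%-20s %d" % (name, n))
    print("events barnyard2 would log:", loggable_events(blob))
```

Run it against a real spool file, for example the one named in the output above: `python3 u2count.py /var/log/snort/snort.log.1359316800`. If the count of IDS_EVENT* records is zero while EXTRA_DATA or PACKET counts are not, the "Records: 0" total is expected behaviour of the database plugin rather than a connection problem, which is the distinction binf draws above.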

Thank you Binf
Now it's working using snort -c /snort.conf -i IFACENAME
thanks again for helping

@sumitkamboj sumitkamboj closed this Feb 1, 2013

Hi, I have the same problem. I'm running Xubuntu and I start Snort like this via init:

/etc/init/snort.conf

description "Snort NIDS Service"
stop on runlevel [!2345]
start on runlevel [2345]
script
    exec /usr/local/bin/snort -q -u snort -g snort -c /etc/snort/snort.conf -i eth0 -D
end script

If I get it right, the only things that change here are

  • the process runs as snort:snort
  • -q quiet, disables outputs
  • -D daemon

So why should there be a difference?

When I start it from the command line: sudo /usr/local/bin/snort -q -u snort -g snort -c /etc/snort/snort.conf -i eth0

everything works fine :S

Hi maxbit89,

Can you certify that Snort is really running after the system boot? I.e., via the init process.

Try the command " ps auxw | grep snort "

If yes, take a look at the logs configured in your syslog, maybe /var/log/daemon.log or /var/log/snort.log, to see what is happening with Snort.

Just to remind you that Snort should save the events in a file (generally a unified2 file) and barnyard2 is "responsible" for reading this file and saving it in MySQL. So you will need barnyard2 running too.

[]'s
PA
