Barnyard2 read snort unifed2 log file but does not write to log #65
Comments
On Wed, Jan 30, 2013 at 4:46 AM, lutphi notifications@github.com wrote:
output unified2: filename snort.u2, limit 128
If your unified2 file does not contain any events, then none of them will
Thus you need to ensure that you have events being written to your unified2
Thanks. I changed my snort.conf just like you said. But the situation is still the same and snort writes logs to a new file "alerts", which is not unified2. The snort.conf now looks like
#output alert_unified2: filename snort.u2, limit 128
and there is no snort.u2 file. But if I try to run snort with the
output alert_unified2: filename snort.u2, limit 128
configuration option then snort writes to the snort.u2 file. And barnyard2 reads the file but does not write logs to the file snort-alert.log. For snort I have a test rule. There is no problem with snort in here. So what may be the problem here?
For snort to create a unified2 file supported by barnyard2 you need
output unified2: filename snort.u2, limit 128
The filename option can vary depending on your needs. You will also need to delete previously created unified2 files.
Also you might want to run snort without the -p and the -N argument (-p disables promiscuous mode).
Also you might want to add a revision to your test rule if you want to log to database:
alert icmp any any -> $HOME_NET any (msg:"ICMP test"; sid:10000001;)
alert icmp any any -> $HOME_NET any (msg:"ICMP test"; sid:10000001; rev:1;)
Hope this helps. Also we have a mailing list which is maybe more suited for this than GitHub. Search for barnyard2-users on Google Groups.
Thanks again. I tried everything but it still does not work. I am already running snort with the -N and -p options. I posted in the barnyard2-users Google group :) https://groups.google.com/forum/?fromgroups=#!topic/barnyard2-users/371IMkL-_4Q
Hi there. Recently I had the same issue while using snort ips. I fixed the problem by deleting the waldo file, you could try that.
Hi, I am a newbie on barnyard. I want barnyard to write its log to a file like the snort-alert log.
In snort.conf I have the line
output alert_unified2: filename snort.u2, limit 128
And in barnyard2.conf file I got (just the relevant parts)
config reference_file: /usr/local/snort/etc/reference.config
config classification_file: /usr/local/snort/etc/classification.config
config gen_file: /usr/local/snort/etc/gen-msg.map
config sid_file: /usr/local/snort/etc/sid-msg.map
config logdir: /var/log/snort
config hostname: saturn
config interface: eth1
config alert_with_interface_name
config alert_on_each_packet_in_stream
config show_year
config verbose
config archivedir: /var/log/snort/archive
config process_new_records_only
Input unified2
output alert_fast : snort-alert.log
I run the snort with command
/usr/local/snort/bin/snort -c /usr/local/snort/etc/snort.conf -i eth1 -l /var/log/snort/ -p -N -D
and barnyard2 with command
/usr/local/bin/barnyard2 -c /usr/local/snort/etc/barnyard2.conf -d /var/log/snort -w /var/log/snort/bylog.waldo -f snort.u2
After running the barnyard command in debug mode (debug level 10) I got this output:
barnyard2.c:558: Parsing command line...
barnyard2.c:627: Processing cmd line switch: c
barnyard2.c:627: Processing cmd line switch: d
barnyard2.c:627: Processing cmd line switch: w
barnyard2.c:627: Processing cmd line switch: f
barnyard2.c:1513: Config file = /usr/local/snort/etc/barnyard2.conf, config dir = /usr/local/snort/etc/
Running in Continuous mode
Initializing Input Plugins!
spi_unified2.c:97: Input plugin: Unified2 is setup...
Initializing Output Plugins!
spo_alert_cef.c:105: Output plugin: Alert-CEF is setup...
spo_alert_syslog.c:106: Output plugin: Alert-Syslog is setup...
spo_log_tcpdump.c:139: Output plugin: Log-Tcpdump is setup...
spo_database.c:292: database(debug): database plugin is registered...
spo_alert_fast.c:117: Output plugin: AlertFast is setup...
spo_alert_full.c:110: Output plugin: AlertFull is setup...
DEBUG => Alert_FWsam Output plugin is plugged in...
spo_alert_unixsock.c:107: Output plugin: AlertUnixSock is setup...
spo_alert_csv.c:121: Output plugin: alert_csv is setup...
spo_alert_test.c:128: Output plugin: AlertTest is setup...
Parsing config file "/usr/local/snort/etc/barnyard2.conf"
INFO: Alerting on each packet associated with an event: is now enabled by default.
use: command line argument --disable-alert-on-each-packet-in-stream or
configure file argument disable-alert-on-each-packet-in-stream to disable the feature
parser.c:2147: Enabled year in timestamp
parser.c:2195: Verbose Flag active
Barnyard2 spooler: Event cache size set to [2048]
Log directory = /var/log/snort
spi_unified2.c:105: Linking UnifiedLog functions to call lists...
spo_alert_cef.c:123: Output: Alert-CEF Initialized
WARNING => Unrecognized syslog facility/priority: host=localhost
spo_alert_cef.c:133: Linking CEF alert function to call list...
spo_alert_fast.c:136: Output: AlertFast Initialized
spo_alert_fast.c:400: alert_fast: '/var/log/snort/snort-alert.log' 0 134217728
log.c:517: Opening alert file: /var/log/snort/snort-alert.log
spo_alert_fast.c:141: Linking AlertFast functions to call lists...
Keyword | Input @
unified2 : init() = 0x43edfe
unified2 : - readRecordHeader() = 0x43ee71
unified2 : - readRecord() = 0x43f030
Keyword | Output @
alert_cef : 0x4268ca
alert_syslog : 0x42ce57
log_tcpdump : 0x42f9f3
database : 0x436420
alert_fast : 0x4286c6
alert_full : 0x4292d2
alert_fwsam : 0x429a89
alert_unixsock: 0x42e3f3
alert_csv : 0x4273a5
log_null : 0x42f8d7
log_ascii : 0x42ec6b
alert_test : 0x42dc63
sguil : 0x43077c
alert_syslog_full: 0x43193a
log_syslog_full: 0x43191b
-> Barnyard2 <- Version 2.1.11 (Build 317) DEBUG
By Ian Firns (SecurixLive): http://www.securixlive.com/
Using waldo file '/var/log/snort/bylog.waldo':
spool directory = /var/log/snort
spool filebase = snort.u2
time_stamp = 1359534001
record_idx = 5346
Opened spool file '/var/log/snort/snort.u2.1359534001'
Waiting for new data
Snort is running with a test rule, and when I trigger the alert the snort.u2 file gets larger as the alerts are generated. After I hit ctrl+c barnyard stops :)
and I get
^C===============================================================================
Record Totals:
Records: 6528
Events: 6528 (100.000%)
Packets: 0 (0.000%)
Unknown: 0 (0.000%)
Packet breakdown by protocol (includes rebuilt packets):
ETH: 0 (0.000%)
ETHdisc: 0 (0.000%)
VLAN: 0 (0.000%)
IPV6: 0 (0.000%)
IP6 EXT: 0 (0.000%)
IP6opts: 0 (0.000%)
IP6disc: 0 (0.000%)
IP4: 0 (0.000%)
IP4disc: 0 (0.000%)
TCP 6: 0 (0.000%)
UDP 6: 0 (0.000%)
ICMP6: 0 (0.000%)
ICMP-IP: 0 (0.000%)
TCP: 0 (0.000%)
UDP: 0 (0.000%)
ICMP: 0 (0.000%)
TCPdisc: 0 (0.000%)
UDPdisc: 0 (0.000%)
ICMPdis: 0 (0.000%)
FRAG: 0 (0.000%)
FRAG 6: 0 (0.000%)
ARP: 0 (0.000%)
EAPOL: 0 (0.000%)
ETHLOOP: 0 (0.000%)
IPX: 0 (0.000%)
IPv4/IPv4: 0 (0.000%)
IPv4/IPv6: 0 (0.000%)
IPv6/IPv4: 0 (0.000%)
IPv6/IPv6: 0 (0.000%)
GRE: 0 (0.000%)
GRE ETH: 0 (0.000%)
GRE VLAN: 0 (0.000%)
GRE IPv4: 0 (0.000%)
GRE IPv6: 0 (0.000%)
GRE IP6 E: 0 (0.000%)
GRE PPTP: 0 (0.000%)
GRE ARP: 0 (0.000%)
GRE IPX: 0 (0.000%)
GRE LOOP: 0 (0.000%)
OTHER: 0 (0.000%)
DISCARD: 0 (0.000%)
InvChkSum: 0 (0.000%)
S5 G 1: 0 (0.000%)
S5 G 2: 0 (0.000%)
Total: 0
However, there is nothing in the /var/log/snort/snort-alert.log file; it is completely empty.
If I delete the snort-alert.log file, barnyard creates a new one.
What may be the problem?
Thanks
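The record totals above show 6528 event records and 0 packet records, and the maintainer's comment recommends `output unified2` rather than `output alert_unified2` (the alert-only mode writes event records without the packets). The following diagnostic is an added example written for this thread; it is not part of the issue and not barnyard2 or Snort project code. It walks a unified2 spool file using the record layout from Snort's Unified2_common.h (a network-byte-order type/length header per record, type values 2 for packets, 7/72/104/105 for IDS events, 110 for extra data) and reports the record mix, so you can confirm whether the file barnyard2 is reading is events-only. The sample bytes are constructed inline using the sid 10000001 from the test rule in the thread; the `make_event`/`make_packet` builders, field values and the `diagnose` wording are this example's own assumptions, not output of either tool.

```python
"""Added diagnostic (not from the thread, barnyard2 or Snort): summarize
the record types in a Snort unified2 spool file.

Record layout (Snort Unified2_common.h): each record starts with a
network-byte-order header of type (4 bytes) and length (4 bytes), followed
by `length` bytes of payload.
"""
import struct
import sys

# Record type values from Snort's Unified2_common.h
UNIFIED2_PACKET = 2
UNIFIED2_IDS_EVENT = 7
UNIFIED2_IDS_EVENT_IPV6 = 72
UNIFIED2_IDS_EVENT_VLAN = 104
UNIFIED2_IDS_EVENT_IPV6_VLAN = 105
UNIFIED2_EXTRA_DATA = 110
EVENT_TYPES = {UNIFIED2_IDS_EVENT, UNIFIED2_IDS_EVENT_IPV6,
               UNIFIED2_IDS_EVENT_VLAN, UNIFIED2_IDS_EVENT_IPV6_VLAN}

HEADER = struct.Struct("!II")  # record type, record length
# Leading fields shared by the IDS event records: sensor_id, event_id,
# event_second, event_microsecond, signature_id, generator_id, signature_revision
EVENT_PREFIX = struct.Struct("!IIIIIII")


def iter_records(data):
    """Yield (type, payload) for each complete record; stop at a partial tail.

    A partial trailing record is normal when the file is still being written.
    """
    off = 0
    while off + HEADER.size <= len(data):
        rtype, rlen = HEADER.unpack_from(data, off)
        start = off + HEADER.size
        if start + rlen > len(data):
            break
        yield rtype, data[start:start + rlen]
        off = start + rlen


def summarize(data):
    """Count records by class and collect (gid, sid, rev) of each event."""
    result = {"events": 0, "packets": 0, "extra": 0, "unknown": 0,
              "signatures": [], "trailing_bytes": 0}
    consumed = 0
    for rtype, payload in iter_records(data):
        consumed += HEADER.size + len(payload)
        if rtype in EVENT_TYPES:
            result["events"] += 1
            if len(payload) >= EVENT_PREFIX.size:
                _, _, _, _, sid, gid, rev = EVENT_PREFIX.unpack_from(payload)
                result["signatures"].append((gid, sid, rev))
        elif rtype == UNIFIED2_PACKET:
            result["packets"] += 1
        elif rtype == UNIFIED2_EXTRA_DATA:
            result["extra"] += 1
        else:
            result["unknown"] += 1
    result["trailing_bytes"] = len(data) - consumed  # bytes of an incomplete record
    return result


def diagnose(summary):
    """Map the record mix onto the symptom discussed in the thread."""
    if summary["events"] and not summary["packets"]:
        return "events only: the shape alert_unified2 writes; use 'output unified2'"
    if summary["events"] and summary["packets"]:
        return "events and packets present"
    if summary["trailing_bytes"]:
        return "no complete records yet (partial tail)"
    return "no records"


# --- constructed sample data (hypothetical values, not captured from any sensor) ---
def make_event(sid, gid=1, rev=1):
    """Build a 52-byte legacy IDS event record (type 7) for an ICMP alert."""
    body = struct.pack("!IIIIIIIII", 1, 1, 1359534001, 0, sid, gid, rev, 0, 0)
    body += struct.pack("!II", 0x0A000001, 0x0A000002)   # ip_source, ip_destination
    body += struct.pack("!HHBBBB", 8, 0, 1, 0, 0, 0)      # itype, icode, proto=ICMP, flags
    return HEADER.pack(UNIFIED2_IDS_EVENT, len(body)) + body


def make_packet(event_id=1, pkt=b"\x00" * 14):
    """Build a packet record (type 2): 28-byte header plus raw packet bytes."""
    body = struct.pack("!IIIIIII", 1, event_id, 1359534001, 1359534001, 0, 1, len(pkt)) + pkt
    return HEADER.pack(UNIFIED2_PACKET, len(body)) + body


EVENTS_ONLY = make_event(10000001) + make_event(10000001)   # what alert_unified2 yields
WITH_PACKETS = make_event(10000001) + make_packet()         # what unified2 yields
TRUNCATED = WITH_PACKETS[:-5]                               # file still being appended

if __name__ == "__main__":
    # Usage: python unified2_summary.py /var/log/snort/snort.u2.1359534001
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else EVENTS_ONLY
    s = summarize(data)
    print(s)
    print(diagnose(s))
```

Run it against the spool file barnyard2 reports as opened (the `Opened spool file` line in the debug output names it). If the result is events with no packets while `snort.conf` carries `output alert_unified2`, that matches the record totals in the thread and the configuration change the maintainer suggested.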