Barnyard2 reads snort unified2 log file but does not write to log #65

Closed
lutphi opened this Issue Jan 30, 2013 · 5 comments


@lutphi
lutphi commented Jan 30, 2013

Hi, I am a newbie on barnyard. I want barnyard to write logs to a file like snort-alert.log.

In snort.conf I have the line

output alert_unified2: filename snort.u2, limit 128

And in the barnyard2.conf file I have (just the relevant parts)

config reference_file: /usr/local/snort/etc/reference.config
config classification_file: /usr/local/snort/etc/classification.config
config gen_file: /usr/local/snort/etc/gen-msg.map
config sid_file: /usr/local/snort/etc/sid-msg.map

config logdir: /var/log/snort
config hostname: saturn
config interface: eth1
config alert_with_interface_name
config alert_on_each_packet_in_stream
config show_year
config verbose
config archivedir: /var/log/snort/archive
config process_new_records_only
Input unified2
output alert_fast : snort-alert.log

I run snort with the command
/usr/local/snort/bin/snort -c /usr/local/snort/etc/snort.conf -i eth1 -l /var/log/snort/ -p -N -D

and barnyard2 with the command

/usr/local/bin/barnyard2 -c /usr/local/snort/etc/barnyard2.conf -d /var/log/snort -w /var/log/snort/bylog.waldo -f snort.u2

After running the barnyard command in debug mode (debug level 10) I got the output
barnyard2.c:558: Parsing command line...
barnyard2.c:627: Processing cmd line switch: c
barnyard2.c:627: Processing cmd line switch: d
barnyard2.c:627: Processing cmd line switch: w
barnyard2.c:627: Processing cmd line switch: f
barnyard2.c:1513: Config file = /usr/local/snort/etc/barnyard2.conf, config dir = /usr/local/snort/etc/
Running in Continuous mode

    --== Initializing Barnyard2 ==--

Initializing Input Plugins!
spi_unified2.c:97: Input plugin: Unified2 is setup...
Initializing Output Plugins!
spo_alert_cef.c:105: Output plugin: Alert-CEF is setup...
spo_alert_syslog.c:106: Output plugin: Alert-Syslog is setup...
spo_log_tcpdump.c:139: Output plugin: Log-Tcpdump is setup...
spo_database.c:292: database(debug): database plugin is registered...
spo_alert_fast.c:117: Output plugin: AlertFast is setup...
spo_alert_full.c:110: Output plugin: AlertFull is setup...
DEBUG => Alert_FWsam Output plugin is plugged in...
spo_alert_unixsock.c:107: Output plugin: AlertUnixSock is setup...
spo_alert_csv.c:121: Output plugin: alert_csv is setup...
spo_alert_test.c:128: Output plugin: AlertTest is setup...
Parsing config file "/usr/local/snort/etc/barnyard2.conf"
INFO: Alerting on each packet associated with an event: is now enabled by default.
use: command line argument --disable-alert-on-each-packet-in-stream or
configure file argument disable-alert-on-each-packet-in-stream to disable the feature
parser.c:2147: Enabled year in timestamp
parser.c:2195: Verbose Flag active
Barnyard2 spooler: Event cache size set to [2048]
Log directory = /var/log/snort
spi_unified2.c:105: Linking UnifiedLog functions to call lists...
spo_alert_cef.c:123: Output: Alert-CEF Initialized
WARNING => Unrecognized syslog facility/priority: host=localhost
spo_alert_cef.c:133: Linking CEF alert function to call list...
spo_alert_fast.c:136: Output: AlertFast Initialized
spo_alert_fast.c:400: alert_fast: '/var/log/snort/snort-alert.log' 0 134217728
log.c:517: Opening alert file: /var/log/snort/snort-alert.log

spo_alert_fast.c:141: Linking AlertFast functions to call lists...

Keyword | Input @

unified2 : init() = 0x43edfe
unified2 : - readRecordHeader() = 0x43ee71

unified2 : - readRecord() = 0x43f030


Keyword | Output @

alert_cef : 0x4268ca
alert_syslog : 0x42ce57
log_tcpdump : 0x42f9f3
database : 0x436420
alert_fast : 0x4286c6
alert_full : 0x4292d2
alert_fwsam : 0x429a89
alert_unixsock: 0x42e3f3
alert_csv : 0x4273a5
log_null : 0x42f8d7
log_ascii : 0x42ec6b
alert_test : 0x42dc63
sguil : 0x43077c
alert_syslog_full: 0x43193a

log_syslog_full: 0x43191b

    --== Initialization Complete ==--

______ -> Barnyard2 <-
/ ,,_ \ Version 2.1.11 (Build 317) DEBUG
|o" )~| By Ian Firns (SecurixLive): http://www.securixlive.com/

Using waldo file '/var/log/snort/bylog.waldo':
spool directory = /var/log/snort
spool filebase = snort.u2
time_stamp = 1359534001
record_idx = 5346
Opened spool file '/var/log/snort/snort.u2.1359534001'
Waiting for new data

Snort is running. I have a test rule for snort, and when I trigger the alert the snort.u2 file gets larger as the alerts are generated. After I hit ctrl+c, barnyard stops working :)

and I got
^C===============================================================================
Record Totals:
Records: 6528
Events: 6528 (100.000%)
Packets: 0 (0.000%)

Unknown: 0 (0.000%)

Packet breakdown by protocol (includes rebuilt packets):
ETH: 0 (0.000%)
ETHdisc: 0 (0.000%)
VLAN: 0 (0.000%)
IPV6: 0 (0.000%)
IP6 EXT: 0 (0.000%)
IP6opts: 0 (0.000%)
IP6disc: 0 (0.000%)
IP4: 0 (0.000%)
IP4disc: 0 (0.000%)
TCP 6: 0 (0.000%)
UDP 6: 0 (0.000%)
ICMP6: 0 (0.000%)
ICMP-IP: 0 (0.000%)
TCP: 0 (0.000%)
UDP: 0 (0.000%)
ICMP: 0 (0.000%)
TCPdisc: 0 (0.000%)
UDPdisc: 0 (0.000%)
ICMPdis: 0 (0.000%)
FRAG: 0 (0.000%)
FRAG 6: 0 (0.000%)
ARP: 0 (0.000%)
EAPOL: 0 (0.000%)
ETHLOOP: 0 (0.000%)
IPX: 0 (0.000%)
IPv4/IPv4: 0 (0.000%)
IPv4/IPv6: 0 (0.000%)
IPv6/IPv4: 0 (0.000%)
IPv6/IPv6: 0 (0.000%)
GRE: 0 (0.000%)
GRE ETH: 0 (0.000%)
GRE VLAN: 0 (0.000%)
GRE IPv4: 0 (0.000%)
GRE IPv6: 0 (0.000%)
GRE IP6 E: 0 (0.000%)
GRE PPTP: 0 (0.000%)
GRE ARP: 0 (0.000%)
GRE IPX: 0 (0.000%)
GRE LOOP: 0 (0.000%)
OTHER: 0 (0.000%)
DISCARD: 0 (0.000%)
InvChkSum: 0 (0.000%)
S5 G 1: 0 (0.000%)
S5 G 2: 0 (0.000%)

Total: 0

However, there is nothing in the /var/log/snort/snort-alert.log file; it is completely empty.

If I delete the snort-alert.log file, barnyard creates a new one.

What may be the problem?

Thanks

@binf
Collaborator
binf commented Jan 30, 2013

On Wed, Jan 30, 2013 at 4:46 AM, lutphi notifications@github.com wrote:

Hi, I am a newbie on barnyard. I want barnyard to write logs to a file like
snort-alert.log.

In snort.conf I have the line

output alert_unified2: filename snort.u2, limit 128

You need to use the following snort unified2 output directive for barnyard2
to process the unified2 file correctly.

output unified2: filename snort.u2, limit 128

If your unified2 file does not contain any events, then none of them will
get logged to the database.

Thus you need to ensure that you have events being written to your unified2
file if you want anything
to be written to the database.
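The distinction binf draws above can be checked directly against the spool file: Snort's alert_unified2 output writes event records only, whereas unified2 writes each event together with its packet record, and barnyard2 pairs a packet with its event before the output plugins see it (the debug summary in the question shows 6528 events and 0 packets). The following is an added example, not code from this thread or from barnyard2: a small Python reader for the unified2 record stream that counts events with no packet record. The record layouts follow Snort's Unified2_common.h; the sample bytes are constructed here.

```python
import struct
from collections import Counter

# Unified2 record type codes, from Snort's Unified2_common.h
UNIFIED2_PACKET = 2
EVENT_TYPES = {7, 72, 104, 105}  # IDS_EVENT and its IPV6/VLAN variants

def iter_records(data):
    """Yield (type, body) per record: big-endian 4-byte type, 4-byte length, body."""
    off = 0
    while off + 8 <= len(data):
        rtype, rlen = struct.unpack_from(">II", data, off)
        off += 8
        if off + rlen > len(data):  # truncated tail: snort is mid-write
            break
        yield rtype, data[off:off + rlen]
        off += rlen

def summarize(data):
    """Count event vs packet records and report events that have no packet;
    (sensor_id, event_id, event_second) is the key that pairs the two."""
    counts, events, packets = Counter(), set(), set()
    for rtype, body in iter_records(data):
        if rtype in EVENT_TYPES:
            counts["events"] += 1
            events.add(struct.unpack_from(">III", body, 0))
        elif rtype == UNIFIED2_PACKET:
            counts["packets"] += 1
            packets.add(struct.unpack_from(">III", body, 0))
    counts["events_without_packet"] = len(events - packets)
    return dict(counts)

def make_event(sensor, event_id, second, sid=10000001, gid=1, rev=1):
    """Constructed 52-byte Serial_Unified2IDSEvent (type 7) record."""
    body = struct.pack(">IIIIIIIII4s4sHHBBBB", sensor, event_id, second, 0,
                       sid, gid, rev, 0, 1, b"\x0a\x00\x00\x01",
                       b"\x0a\x00\x00\x02", 8, 0, 1, 0, 0, 0)
    return struct.pack(">II", 7, len(body)) + body

def make_packet(sensor, event_id, second, pkt=b"\x00" * 42):
    """Constructed UNIFIED2_PACKET (type 2) record tied to an event."""
    body = struct.pack(">IIIIIII", sensor, event_id, second, second,
                       0, 1, len(pkt)) + pkt
    return struct.pack(">II", UNIFIED2_PACKET, len(body)) + body

# Constructed spool: event 1 has its packet; event 2 is event-only, the
# shape alert_unified2 writes, so no output plugin would ever see it.
SAMPLE = (make_event(0, 1, 1359534001) + make_packet(0, 1, 1359534001)
          + make_event(0, 2, 1359534002))
```

Running `summarize(open("/var/log/snort/snort.u2.1359534001", "rb").read())` on a real spool file gives the same counts that barnyard2 prints in its Record Totals, plus the number of orphaned events.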

@lutphi
lutphi commented Jan 31, 2013

Thanks, I changed my snort.conf just like you said. But the situation is still the same, and snort writes logs to a new file "alerts", which is not unified2. The snort.conf now looks like this:

#output alert_unified2: filename snort.u2, limit 128
output unified2: filename snort.u2, limit 128

and there is no snort.u2 file. But if I try to run snort with the

output alert_unified2: filename snort.u2, limit 128
output unified2: filename snort.u2, limit 128

configuration options, then snort writes to the snort.u2 file.

And barnyard2 reads the file but does not write logs to the file snort-alert.log.

For snort I have the test rule
alert icmp any any -> $HOME_NET any (msg:"ICMP test"; sid:10000001;)

There is no problem with snort here.

So what may be the problem here?

@binf
Collaborator
binf commented Jan 31, 2013

For snort to create a unified2 file supported by barnyard2 you need
only one line in the snort.conf.

output unified2: filename snort.u2, limit 128

The filename option can vary depending on your needs.
The limit option can vary depending on your needs also.

You will also need to delete previously created unified2 files.

Also you might want to run snort without the -p and the -N arguments:

-p disabling promiscuous mode
and
-N being the nolog option (disabling logging)

Also you might want to add a revision to your test rule if you want to log to the database:

alert icmp any any -> $HOME_NET any (msg:"ICMP test"; sid:10000001;)
alert icmp any any -> $HOME_NET any (msg:"ICMP test"; sid:10000001; rev:1;)

Hope this helps. Also we have a mailing list which is maybe more suited for this than github.

Search for barnyard2-users on google groups.

@lutphi
lutphi commented Jan 31, 2013

Thanks again. I tried everything but it still does not work.

I am already running snort with the -N and -p options. I posted in the barnyard2-users google group :)

https://groups.google.com/forum/?fromgroups=#!topic/barnyard2-users/371IMkL-_4Q

@terjehaarstad

Hi there. Recently I had the same issue while using Snort IPS. I fixed the problem by deleting the waldo file; you could try that.

@firnsy firnsy closed this Apr 8, 2013