This repository has been archived by the owner on Jan 18, 2024. It is now read-only.

Barnyard2 does not read the output of snort - mysql empty #89

Closed
Tmolle opened this issue May 23, 2013 · 8 comments

Comments

@Tmolle

Tmolle commented May 23, 2013

Hello all,

Like many people, I find that Barnyard2 does not read logs from Snort. But I don't understand why. Some help is welcome.

I use:

Version 2.9.4 GRE (Build 40)
Barnyard2 - version 2-1.13

I test with only one local rule, which is:

alert icmp any any -> any any (msg: "test ICMP"; sid: 10000001;)

I tried with rev: 1; but it's no better.

When I run Snort, I can see the ICMP alerts.

#  snort -A console -q -u snort -g snort -c /etc/snort/snort.conf -i eth0
05/23-09:55:37.102206  [**] [1:10000001:1] test ICMP [**] [Priority: 0] {ICMP} 10.70.0.121 -> 10.70.0.178
05/23-09:55:37.102224  [**] [1:10000001:1] test ICMP [**] [Priority: 0] {ICMP} 10.70.0.178 -> 10.70.0.121
05/23-09:55:38.102885  [**] [1:10000001:1] test ICMP [**] [Priority: 0] {ICMP} 10.70.0.121 -> 10.70.0.178

And Barnyard2 is waiting for new data:

barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort -f snort.log -w /var/log/snort/barnyard2.waldo
[...]
barnyard2: Closing spool file '/var/log/snort/snort.log.1369295582'. Read 0 records
barnyard2: Opened spool file '/var/log/snort/snort.log.1369295736'
barnyard2: Waiting for new data

ls -l /var/log/snort
-rw-------  1 snort snort    384 May 23 09:55 snort.log.1369295736

But my database is empty:

    mysql> select * from event;
    Empty set (0.00 sec)

Whereas

mysql> select * from sensor;
+-----+----------------+-----------+--------+--------+----------+----------+
| sid | hostname       | interface | filter | detail | encoding | last_cid |
+-----+----------------+-----------+--------+--------+----------+----------+
|   1 | localhost:eth0 | eth0      | NULL   |      1 |        0 |        0 |
+-----+----------------+-----------+--------+--------+----------+----------+
1 row in set (0.00 sec)

Below is my config:

Snort:

# unified2
# Recommended for most installs
output unified2: filename snort.log, limit 128

Barnyard2:

 output database: alert, mysql, user=snort password=******** dbname=snort host=localhost

Do you see a mistake somewhere?
Thanks in advance.
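A quick way to check whether a spool file such as snort.log.1369295736 actually contains unified2 records, independent of barnyard2 and the database (an added example, not code from this thread or the barnyard2 project). It assumes the documented unified2 layout: a big-endian 4-byte type and 4-byte length per record, and a 52-byte legacy IPv4 event body for record types 7 and 104. The sample spool bytes are constructed inline.

```python
import struct
from collections import Counter

# Unified2 record type values from the unified2 format used by Snort/barnyard2.
UNIFIED2_PACKET = 2
UNIFIED2_IDS_EVENT = 7
UNIFIED2_IDS_EVENT_V2 = 104

# Legacy IPv4 IDS event body: 52 bytes, big-endian. A V2 record (type 104)
# starts with these same 52 bytes and appends MPLS/VLAN fields after them.
EVENT_FMT = "!11I2H4B"
EVENT_FIELDS = ("sensor_id", "event_id", "event_second", "event_microsecond",
                "signature_id", "generator_id", "signature_revision",
                "classification_id", "priority_id", "ip_source", "ip_destination",
                "sport_itype", "dport_icode", "protocol", "impact_flag", "impact", "blocked")

def read_unified2(data: bytes):
    """Walk a unified2 buffer; return (records, number_of_dangling_tail_bytes)."""
    records, off = [], 0
    while off + 8 <= len(data):
        rtype, rlen = struct.unpack_from("!II", data, off)
        if off + 8 + rlen > len(data):
            break  # partial record: the writer has not finished flushing it
        body = data[off + 8: off + 8 + rlen]
        rec = {"type": rtype, "length": rlen}
        if rtype in (UNIFIED2_IDS_EVENT, UNIFIED2_IDS_EVENT_V2) and rlen >= 52:
            rec.update(zip(EVENT_FIELDS, struct.unpack_from(EVENT_FMT, body, 0)))
        records.append(rec)
        off += 8 + rlen
    return records, len(data) - off

def summarize(data: bytes):
    """Record count, count per type and leftover bytes: 0 records on a non-empty
    file means the file is not unified2 (or is still being written)."""
    records, leftover = read_unified2(data)
    return {"records": len(records),
            "by_type": dict(Counter(r["type"] for r in records)),
            "truncated_bytes": leftover}

def build_sample() -> bytes:
    """Constructed sample: one legacy event for the thread's rule (gid 1, sid 10000001,
    protocol 1 = ICMP, 10.70.0.121 -> 10.70.0.178), one 18-byte packet record,
    and a 3-byte dangling tail that a partially written spool file would show."""
    ev = struct.pack(EVENT_FMT, 1, 1, 1369295737, 102206, 10000001, 1, 1, 0, 0,
                     0x0A460079, 0x0A4600B2, 8, 0, 1, 0, 0, 0)
    pkt = bytes(18)
    return (struct.pack("!II", UNIFIED2_IDS_EVENT, len(ev)) + ev
            + struct.pack("!II", UNIFIED2_PACKET, len(pkt)) + pkt + b"\x00\x00\x00")

if __name__ == "__main__":
    print(summarize(build_sample()))
```

Running it on a real spool file (`summarize(open(path, "rb").read())`) tells you whether the file Snort wrote has any records for barnyard2 to read before you look at the database side.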

@Tmolle
Author

Tmolle commented May 23, 2013

It's better with:

snort -q -u snort -g snort -c /etc/snort/snort.conf -i eth0 -D

My apologies.

@binf
Collaborator

binf commented May 24, 2013

You can also close it yourself if you do not mind.
And if you have further questions, do not hesitate to use our users or devel
Google groups: barnyard2-users and barnyard2-devel.

Cheers,
-elz


@gegez

gegez commented Jul 29, 2013

I have the same problem, alerts do not want to get into the database. Almost the same as Tmolle. I've been using the syntax `snort -q -u snort -g snort -c /etc/snort/snort.conf -i eth0 -D` ... but the database is still empty. How do I know that barnyard2 works well for logging alerts? And how is the waldo file used, using /var/log/snort/barnyard.waldo or /var/log/barnyard2/barnyard2.waldo?

Thank you

@binf
Collaborator

binf commented Jul 30, 2013

If you read the thread you would see how this was fixed; you can also read
the archive of the barnyard2-users mailing list.

Cheers.


@shorif2000

I have a similar problem. It's not writing to the database.

Sep 1 16:39:06 snort barnyard2: +[ Signature Suppress list ]+

Sep 1 16:39:06 snort barnyard2: +[No entry in Signature Suppress List]+
Sep 1 16:39:06 snort barnyard2: ----------------------------
+[ Signature Suppress list ]+
Sep 1 16:39:14 snort barnyard2: Barnyard2 spooler: Event cache size set to [2048]
Sep 1 16:39:14 snort barnyard2: Log directory = /var/log/snort
Sep 1 16:39:14 snort barnyard2: INFO database: Defaulting Reconnect/Transaction Error limit to 10
Sep 1 16:39:14 snort barnyard2: INFO database: Defaulting Reconnect sleep time to 5 second
Sep 1 16:39:14 snort barnyard2: Initializing daemon mode
Sep 1 16:39:14 snort barnyard2: Daemon initialized, signaled parent pid: 4138
Sep 1 16:39:14 snort barnyard2: PID path stat checked out ok, PID path set to /var/run/
Sep 1 16:39:14 snort barnyard2: Writing PID "4139" to file "/var/run//barnyard2_ens32.pid"
Sep 1 16:39:14 snort barnyard2: Daemon parent exiting

Sep 1 16:40:40 snort barnyard2: Node unique name is: snort:ens32
Sep 1 16:40:41 snort barnyard2: [SignatureReferencePullDataStore()]: No Reference found in database ...
Sep 1 16:40:41 snort barnyard2: database: compiled support for (mysql)
Sep 1 16:40:41 snort barnyard2: database: configured to use mysql
Sep 1 16:40:41 snort barnyard2: database: schema version = 107
Sep 1 16:40:41 snort barnyard2: database: host = 127.0.0.1
Sep 1 16:40:41 snort barnyard2: database: user = root
Sep 1 16:40:41 snort barnyard2: database: database name = snorby
Sep 1 16:40:41 snort barnyard2: database: sensor name = snort:ens32
Sep 1 16:40:41 snort barnyard2: database: sensor id = 1
Sep 1 16:40:41 snort barnyard2: database: sensor cid = 8
Sep 1 16:40:41 snort barnyard2: database: data encoding = hex
Sep 1 16:40:41 snort barnyard2: database: detail level = full
Sep 1 16:40:41 snort barnyard2: database: ignore_bpf = no
Sep 1 16:40:41 snort barnyard2: database: using the "log" facility
Sep 1 16:40:41 snort barnyard2:
Sep 1 16:40:41 snort barnyard2: --== Initialization Complete ==--
Sep 1 16:40:41 snort barnyard2: Barnyard2 initialization completed successfully (pid=4139)
Sep 1 16:40:41 snort barnyard2: WARNING: Ignoring corrupt/truncated waldofile '/var/log/snort/barnyard2.waldo'
Sep 1 16:40:41 snort barnyard2: Opened spool file '/var/log/snort/snort.log.1409583679'
Sep 1 16:40:41 snort barnyard2: Closing spool file '/var/log/snort/snort.log.1409583679'. Read 0 records
Sep 1 16:40:41 snort barnyard2: Opened spool file '/var/log/snort/snort.log.1409584351'
Sep 1 16:40:41 snort barnyard2: Waiting for new data

But the file snort.log.1409584351 is being written to; I have a constant ping running.

@binf
Collaborator

binf commented Sep 1, 2014

Same answer.
This has been answered many times.


@firnsy firnsy closed this as completed Nov 5, 2014
@drew1kun

Where can I find the answer??? There are only questions on this thread (as well as on any thread about snort...)

@purefan

purefan commented Feb 8, 2016

I really don't think this was solved by running snort in daemon mode (which is what Tmolle did when he said it "worked better"; notice he didn't say it fixes it).

I have the same issue: snort is capturing packets and processing alerts. If I run

sudo snort -A console -q -u snort -g snort -c /etc/snort/snort.conf -i eth0

I can see in the console how it processes the rules for a simple ping (for testing purposes).

I have been following the official guide which does have some deviations that I was able to fix, the only hint that I can see now is that the waldo file is corrupted/truncated:

WARNING: Ignoring corrupt/truncated waldofile '/var/log/snort/barnyard2.waldo'

My waldo file is empty (as per the instructions in that guide), and after changing permissions and ownership to everything I could think of (snort and barnyard2 run as snort:snort and my waldo file is owned by snort:snort) I went to the source code. Here's what I found:

  • In the file barnyard2.c, line 350 is where the warning is output:

    else if (ret == WALDO_FILE_ETRUNC)

  • ret is assigned in the same file by `ret = spoolerReadWaldo(&barnyard2_conf->waldo);`
  • The function spoolerReadWaldo is in spooler.c starting at line 1154, and it returns WALDO_FILE_ETRUNC when read and sizeof are not equal (lines 1181 and 1184).

I understand the logic behind it as: if the number of bytes that we read from the waldo file does not match the size of the WaldoData object, then the file is corrupted or empty.
But it fails. My understanding of the internals of barnyard2 is limited, but I guess the WaldoData object is not initialized to the contents of the waldo file. I have tried adding random data to the waldo file to rule out just a return mismatch (read returning 0 and sizeof returning something else...) but it didn't help.

I suppose that those for whom this worked out of the box were maybe using a different build or followed a different set of instructions, but if someone is more familiar with barnyard2, please chip in. I strongly believe that running snort in daemon mode does not fix the issue of barnyard not reading snort logs.

Edit: I should also add that I have started barnyard2 pointing to the latest snort log file. For example, if ls /var/log/snort tells me that snort.u2.1 is the newest file, then I start barnyard2 with:

sudo barnyard2 -vv -c /etc/snort/barnyard2.conf -d /var/log/snort -f /var/log/snort/snort.u2.1 -u snort -g snort
