Snorby / snorby

Ruby On Rails Application For Network Security Monitoring

No Alerts on snorby-barnyard2 #455

Open lambis7 opened 7 years ago

lambis7 commented 7 years ago

I have successfully deployed snort-barnyard2-pulledpork-snorby on a Raspberry Pi 3, but I have no alerts in the Snorby GUI nor in the Snorby database.

  1. I tried to reboot the server, with no effect.
  2. I tried deleting all of snort's unified2 event logs and recreating the waldo file, also with no effect.

In /etc/snort/barnyard2.conf I have added the following line at the end:

output database: log, mysql, user=snorby password=password dbname=snorby host=localhost sensor_name=sensor1

With the top command I see 2 instances of barnyard2: one from user snort, and one from root.

Here is my system log, obtained with

cat /var/log/syslog | grep barnyard

where I get a FATAL ERROR: Failed to Lock PID File "/var/run//barnyard2_eth0.pid" for PID "5022".

Jan 10 23:19:29 raspberrypi-black barnyard2[4346]: ===============================================================================
Jan 10 23:19:29 raspberrypi-black barnyard2[4346]: Could not remove pid file /var/run//barnyard2_eth0.pid: No such file or directory
Jan 10 23:19:30 raspberrypi-black barnyard2[4349]: Running in Continuous mode
Jan 10 23:19:30 raspberrypi-black barnyard2[4349]:
Jan 10 23:19:30 raspberrypi-black barnyard2[4349]:         --== Initializing Barnyard2 ==--
Jan 10 23:19:30 raspberrypi-black barnyard2[4349]: Initializing Input Plugins!
Jan 10 23:19:30 raspberrypi-black barnyard2[4349]: Initializing Output Plugins!
Jan 10 23:19:30 raspberrypi-black barnyard2[4349]: Parsing config file "/etc/snort/barnyard2.conf"
Jan 10 23:19:30 raspberrypi-black barnyard2[4349]: #012#012+[ Signature Suppress list ]+#012----------------------------
Jan 10 23:19:30 raspberrypi-black barnyard2[4349]: +[No entry in Signature Suppress List]+
Jan 10 23:19:30 raspberrypi-black barnyard2[4349]: ----------------------------#012+[ Signature Suppress list ]+
Jan 10 23:28:59 raspberrypi-black barnyard2[4349]: Barnyard2 spooler: Event cache size set to [2048]
Jan 10 23:28:59 raspberrypi-black barnyard2[4349]: Log directory = /var/log/barnyard2
Jan 10 23:28:59 raspberrypi-black barnyard2[4349]: INFO database: Defaulting Reconnect/Transaction Error limit to 10
Jan 10 23:28:59 raspberrypi-black barnyard2[4349]: INFO database: Defaulting Reconnect sleep time to 5 second
Jan 10 23:28:59 raspberrypi-black barnyard2[4349]: Initializing daemon mode
Jan 10 23:28:59 raspberrypi-black barnyard2[5022]: Daemon initialized, signaled parent pid: 4349
Jan 10 23:28:59 raspberrypi-black barnyard2[5022]: PID path stat checked out ok, PID path set to /var/run/
Jan 10 23:28:59 raspberrypi-black barnyard2[5022]: FATAL ERROR: Failed to Lock PID File "/var/run//barnyard2_eth0.pid" for PID "5022"
Jan 10 23:28:59 raspberrypi-black barnyard2[5022]: Barnyard2 exiting
Jan 10 23:28:59 raspberrypi-black barnyard2[5022]: database: Closing connection to database "snorby"
Jan 10 23:28:59 raspberrypi-black barnyard2[5022]: ===============================================================================
Jan 10 23:28:59 raspberrypi-black barnyard2[5022]: Record Totals:
Jan 10 23:28:59 raspberrypi-black barnyard2[5022]:    Records:           0
Jan 10 23:28:59 raspberrypi-black barnyard2[5022]:    Events:           0 (0.000%)
Jan 10 23:28:59 raspberrypi-black barnyard2[5022]:    Packets:           0 (0.000%)
Jan 10 23:28:59 raspberrypi-black barnyard2[5022]:    Unknown:           0 (0.000%)
Jan 10 23:28:59 raspberrypi-black barnyard2[5022]:    Suppressed:           0 (0.000%)
Jan 10 23:28:59 raspberrypi-black barnyard2[5022]: ===============================================================================
Jan 10 23:28:59 raspberrypi-black barnyard2[5022]: Packet breakdown by protocol (includes rebuilt packets):
Jan 10 23:28:59 raspberrypi-black barnyard2[5022]:       ETH: 0          (0.000%)
Jan 10 23:28:59 raspberrypi-black barnyard2[5022]:   ETHdisc: 0          (0.000%)
Jan 10 23:28:59 raspberrypi-black barnyard2[5022]:      VLAN: 0          (0.000%)
Jan 10 23:28:59 raspberrypi-black barnyard2[5022]:      IPV6: 0          (0.000%)
Jan 10 23:28:59 raspberrypi-black barnyard2[5022]:   IP6 EXT: 0          (0.000%)
Jan 10 23:28:59 raspberrypi-black barnyard2[5022]:   IP6opts: 0          (0.000%)
Jan 10 23:28:59 raspberrypi-black barnyard2[5022]:   IP6disc: 0          (0.000%)
Jan 10 23:28:59 raspberrypi-black barnyard2[5022]:       IP4: 0          (0.000%)
Jan 10 23:28:59 raspberrypi-black barnyard2[5022]:   IP4disc: 0          (0.000%)
Jan 10 23:28:59 raspberrypi-black barnyard2[5022]:     TCP 6: 0          (0.000%)
Jan 10 23:28:59 raspberrypi-black barnyard2[4349]: Daemon parent exiting
Jan 10 23:28:59 raspberrypi-black barnyard2[5022]:     UDP 6: 0          (0.000%)
Jan 10 23:28:59 raspberrypi-black barnyard2[5022]:     ICMP6: 0          (0.000%)
Jan 10 23:28:59 raspberrypi-black barnyard2[5022]:   ICMP-IP: 0          (0.000%)
Jan 10 23:28:59 raspberrypi-black barnyard2[5022]:       TCP: 0          (0.000%)
Jan 10 23:28:59 raspberrypi-black barnyard2[5022]:       UDP: 0          (0.000%)
Jan 10 23:28:59 raspberrypi-black barnyard2[5022]:      ICMP: 0          (0.000%)
Jan 10 23:28:59 raspberrypi-black barnyard2[5022]:   TCPdisc: 0          (0.000%)
Jan 10 23:28:59 raspberrypi-black barnyard2[5022]:   UDPdisc: 0          (0.000%)
Jan 10 23:28:59 raspberrypi-black barnyard2[5022]:   ICMPdis: 0          (0.000%)
Jan 10 23:28:59 raspberrypi-black barnyard2[5022]:      FRAG: 0          (0.000%)
Jan 10 23:28:59 raspberrypi-black barnyard2[5022]:    FRAG 6: 0          (0.000%)
Jan 10 23:28:59 raspberrypi-black barnyard2[5022]:       ARP: 0          (0.000%)
Jan 10 23:28:59 raspberrypi-black barnyard2[5022]:     EAPOL: 0          (0.000%)
Jan 10 23:28:59 raspberrypi-black barnyard2[5022]:   ETHLOOP: 0          (0.000%)
Jan 10 23:28:59 raspberrypi-black barnyard2[5022]:       IPX: 0          (0.000%)
Jan 10 23:28:59 raspberrypi-black barnyard2[5022]:     OTHER: 0          (0.000%)
Jan 10 23:28:59 raspberrypi-black barnyard2[5022]:   DISCARD: 0          (0.000%)
Jan 10 23:28:59 raspberrypi-black barnyard2[5022]: InvChkSum: 0          (0.000%)
Jan 10 23:28:59 raspberrypi-black barnyard2[5022]:    S5 G 1: 0          (0.000%)
Jan 10 23:28:59 raspberrypi-black barnyard2[5022]:    S5 G 2: 0          (0.000%)
Jan 10 23:28:59 raspberrypi-black barnyard2[5022]:     Total: 0
Jan 10 23:28:59 raspberrypi-black barnyard2[5022]: ===============================================================================
Jan 10 23:28:59 raspberrypi-black barnyard2[5022]: Could not remove pid file /var/run//barnyard2_eth0.pid: No such file or directory
Jan 10 23:29:00 raspberrypi-black barnyard2[5025]: Running in Continuous mode
Jan 10 23:29:00 raspberrypi-black barnyard2[5025]:
Jan 10 23:29:00 raspberrypi-black barnyard2[5025]:         --== Initializing Barnyard2 ==--
Jan 10 23:29:00 raspberrypi-black barnyard2[5025]: Initializing Input Plugins!
Jan 10 23:29:00 raspberrypi-black barnyard2[5025]: Initializing Output Plugins!
Jan 10 23:29:00 raspberrypi-black barnyard2[5025]: Parsing config file "/etc/snort/barnyard2.conf"
Jan 10 23:29:00 raspberrypi-black barnyard2[5025]: #012#012+[ Signature Suppress list ]+#012----------------------------
Jan 10 23:29:00 raspberrypi-black barnyard2[5025]: +[No entry in Signature Suppress List]+
Jan 10 23:29:00 raspberrypi-black barnyard2[5025]: ----------------------------#012+[ Signature Suppress list ]+

Can someone help?
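The syslog excerpt above already names the failure: the daemon child (PID 5022) dies with FATAL ERROR: Failed to Lock PID File, exits with Records: 0, and a fresh instance (PID 5025) starts one second later. The script below is an added triage example, not code from the snorby project or from either participant in this thread. It parses syslog lines of the shape posted above (a constructed, abridged copy of the excerpt is embedded as SAMPLE_LOG; hostname, PIDs and paths are taken from the excerpt) and reports the PID-lock failure, the restart loop and the zero-record exit. The ps invocation in the finding text is an assumption about how the reader would verify it on the sensor.

```python
"""Triage barnyard2 syslog output for a spooler that dies before handing any
unified2 records to the Snorby database.

Added example; not code from the snorby project or from the issue's authors.
SAMPLE_LOG is constructed from the syslog excerpt in the issue, trimmed to the
lines that matter for the diagnosis."""
import re
from dataclasses import dataclass, field

SAMPLE_LOG = """\
Jan 10 23:19:29 raspberrypi-black barnyard2[4346]: Could not remove pid file /var/run//barnyard2_eth0.pid: No such file or directory
Jan 10 23:19:30 raspberrypi-black barnyard2[4349]: Running in Continuous mode
Jan 10 23:19:30 raspberrypi-black barnyard2[4349]:         --== Initializing Barnyard2 ==--
Jan 10 23:19:30 raspberrypi-black barnyard2[4349]: Parsing config file "/etc/snort/barnyard2.conf"
Jan 10 23:28:59 raspberrypi-black barnyard2[4349]: Initializing daemon mode
Jan 10 23:28:59 raspberrypi-black barnyard2[5022]: Daemon initialized, signaled parent pid: 4349
Jan 10 23:28:59 raspberrypi-black barnyard2[5022]: FATAL ERROR: Failed to Lock PID File "/var/run//barnyard2_eth0.pid" for PID "5022"
Jan 10 23:28:59 raspberrypi-black barnyard2[5022]: Barnyard2 exiting
Jan 10 23:28:59 raspberrypi-black barnyard2[5022]: database: Closing connection to database "snorby"
Jan 10 23:28:59 raspberrypi-black barnyard2[5022]:    Records:           0
Jan 10 23:28:59 raspberrypi-black barnyard2[5022]:    Events:           0 (0.000%)
Jan 10 23:28:59 raspberrypi-black barnyard2[4349]: Daemon parent exiting
Jan 10 23:29:00 raspberrypi-black barnyard2[5025]: Running in Continuous mode
Jan 10 23:29:00 raspberrypi-black barnyard2[5025]:         --== Initializing Barnyard2 ==--
"""

# Classic syslog prefix: "Mon DD HH:MM:SS host barnyard2[pid]: message"
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"barnyard2\[(?P<pid>\d+)\]: ?(?P<msg>.*)$"
)
# The "//" in /var/run//barnyard2_eth0.pid is plain path concatenation; Linux
# collapses repeated interior slashes, so it is cosmetic, not the fault.
LOCK_RE = re.compile(r'Failed to Lock PID File "(?P<path>[^"]+)" for PID "(?P<pid>\d+)"')
PARENT_RE = re.compile(r"Daemon initialized, signaled parent pid: (?P<parent>\d+)")
RECORDS_RE = re.compile(r"^\s*Records:\s+(?P<n>\d+)\s*$")


@dataclass
class Triage:
    init_count: int = 0                                  # "--== Initializing Barnyard2 ==--" banners
    parents: dict = field(default_factory=dict)          # daemon child pid -> forking parent pid
    lock_failures: list = field(default_factory=list)    # (pid, pid-file path)
    fatal: list = field(default_factory=list)            # (pid, message after "FATAL ERROR:")
    records: dict = field(default_factory=dict)          # pid -> unified2 records processed
    exited: set = field(default_factory=set)             # pids that logged "Barnyard2 exiting"


def parse_barnyard2_log(text: str) -> Triage:
    """Walk syslog lines and collect the facts needed to explain a silent sensor."""
    t = Triage()
    for line in text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m:
            continue  # not a barnyard2 line (grep output may carry others)
        pid, msg = m["pid"], m["msg"]
        if "Initializing Barnyard2" in msg:
            t.init_count += 1
        if (p := PARENT_RE.search(msg)):
            t.parents[pid] = p["parent"]
        if msg.startswith("FATAL ERROR:"):
            t.fatal.append((pid, msg[len("FATAL ERROR:"):].strip()))
        if (lk := LOCK_RE.search(msg)):
            t.lock_failures.append((lk["pid"], lk["path"]))
        if (r := RECORDS_RE.match(msg)):
            t.records[pid] = int(r["n"])
        if msg.strip() == "Barnyard2 exiting":
            t.exited.add(pid)
    return t


def diagnose(t: Triage) -> list:
    """Turn the collected facts into ordered findings, most actionable first."""
    findings = []
    for pid, path in t.lock_failures:
        findings.append(
            f"PID lock on {path} failed for PID {pid}: another barnyard2 already holds the lock "
            "(or a stale pid file survives); compare `ps -eo user,pid,args | grep '[b]arnyard2'` "
            "with the pid file and start only one instance per pid file"
        )
    if t.init_count >= 2:
        findings.append(f"barnyard2 (re)initialised {t.init_count} times in this excerpt: restart loop")
    for pid in sorted(t.exited):
        if t.records.get(pid) == 0:
            findings.append(f"PID {pid} exited after processing 0 unified2 records, so nothing reached the database")
    return findings


if __name__ == "__main__":
    for finding in diagnose(parse_barnyard2_log(SAMPLE_LOG)):
        print("-", finding)
```

Two barnyard2 processes contending for one pid file means only one of them can hold the lock, and the one that wins is not necessarily the one carrying the database output line from barnyard2.conf; the child that lost here had already opened the snorby connection (it logs closing it), which is why the GUI and the database stay empty even though the sensor is "running".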

mattalexhoward commented 7 years ago

You have to define some filters/alerts. You're not getting anything here because it looks like maybe you didn't define any rules.

Or at least that's what was wrong when I had this "error".