firnsy / barnyard2

Barnyard2 is a dedicated spooler for Snort's unified2 binary output format.
GNU General Public License v2.0
344 stars, 190 forks

barnyard2 is not writing on mysql database. #119

Closed (kleberdomingues closed this 9 years ago)

kleberdomingues commented 10 years ago

Hi,

I have a CentOS 6.5 64-bit box with MySQL, httpd, Snort, Snorby and barnyard2. I'm trying to make it work, but barnyard2 is not writing to the MySQL database. I have been working on this problem for two weeks, and the results are the same:

barnyard2[12009]: INFO database: Defaulting Reconnect/Transaction Error limit to 10
barnyard2[12009]: INFO database: Defaulting Reconnect sleep time to 5 seconds

Snort is dumping the .u2 file without problems, but barnyard2 is not writing on the database:

mysql> select count(*) from event;
+----------+
| count(*) |
+----------+
|        0 |
+----------+
1 row in set (0.00 sec)

binf commented 10 years ago

Are you sure that the file is a unified2 file?

From the shell, use the command file to determine the type of file you want barnyard2 to read.

Many people have had the same issue in the past weeks, only to find out that their snort process was outputting a pcap file, which barnyard2 does not process since it's expecting a unified2 file.

Also, I would encourage you to use the barnyard2-users google group rather than github.

Cheers, -elz

On Mon, Sep 1, 2014 at 8:48 AM, kleberdomingues notifications@github.com wrote:


kleberdomingues commented 10 years ago

Here is the result for my u2 file:

[root@br1ips02 ~]# file /var/log/snort/snort.u2.1409580711
/var/log/snort/snort.u2.1409580711: data

Now I'm getting these errors from /var/log/messages:

Sep 1 11:16:54 br1ips02 barnyard2[12733]: INFO: Current event with event_id [14125] Event Second:Microsecond [1409581014:488673] and signature id of [1] was logged with a revision of [0]
Make sure you verify your triggering rule body so it include the snort keyword "rev:xxx;" Where xxx is greater than 0
>>>>>>The event has not been logged to the database<<<<<<

binf commented 10 years ago

Use a signature revision in your signature.

On Mon, Sep 1, 2014 at 10:17 AM, Kleber Domingues notifications@github.com wrote:

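The two checks suggested in this thread (is the spool really unified2 rather than pcap, and do the events carry a non-zero rev) can be scripted. The following is an added example, not part of this issue or of barnyard2; it assumes the unified2 record header (big-endian type, length) and the type-7 IDS event layout as found in Snort's Unified2_common.h, and the sample spool bytes are constructed inline.

```python
"""Triage a Snort spool file: reject pcap by magic, then walk the unified2
records and flag type-7 IDS events with signature_revision == 0, which is the
case barnyard2 reports as "The event has not been logged to the database"."""
import struct

PCAP_MAGICS = {b"\xa1\xb2\xc3\xd4", b"\xd4\xc3\xb2\xa1",   # classic pcap
               b"\xa1\xb2\x3c\x4d", b"\x4d\x3c\xb2\xa1"}   # nanosecond pcap
UNIFIED2_IDS_EVENT = 7   # assumed record type of the legacy IPv4 IDS event
# Leading fields of a type-7 event (assumed layout): sensor_id, event_id,
# event_second, event_microsecond, signature_id, generator_id, signature_revision
IDS_EVENT_HEAD = ">IIIIIII"

def looks_like_pcap(data: bytes) -> bool:
    """barnyard2 cannot read pcap; 'file' would name it, unified2 shows as 'data'."""
    return data[:4] in PCAP_MAGICS

def records(data: bytes):
    """Yield (type, payload) for each unified2 record; reject truncated ones."""
    off = 0
    while off + 8 <= len(data):
        rtype, length = struct.unpack_from(">II", data, off)
        off += 8
        if off + length > len(data):
            raise ValueError(f"truncated record at offset {off - 8}")
        yield rtype, data[off:off + length]
        off += length

def events_with_rev0(data: bytes) -> list:
    """Return (event_id, gid, sid) of type-7 events that barnyard2 would skip."""
    bad = []
    for rtype, payload in records(data):
        if rtype != UNIFIED2_IDS_EVENT:
            continue
        _sensor, event_id, _sec, _usec, sid, gid, rev = struct.unpack_from(
            IDS_EVENT_HEAD, payload)
        if rev == 0:
            bad.append((event_id, gid, sid))
    return bad

def make_event(event_id: int, sid: int, rev: int) -> bytes:
    """Build a constructed 52-byte type-7 record (unused fields zeroed)."""
    body = struct.pack(">IIIIIIIIIIIHHBBBB", 1, event_id, 1409581014, 488673,
                       sid, 1, rev, 0, 0, 0, 0, 0, 0, 6, 0, 0, 0)
    return struct.pack(">II", UNIFIED2_IDS_EVENT, len(body)) + body

# Constructed samples: one spool with a rev-0 event like the one in the thread
# plus a healthy rev-3 event, and a bare pcap header for the magic check.
SAMPLE_U2 = make_event(14125, 1, 0) + make_event(14126, 1000001, 3)
SAMPLE_PCAP = b"\xd4\xc3\xb2\xa1" + b"\x00" * 20

if __name__ == "__main__":
    print("pcap:", looks_like_pcap(SAMPLE_PCAP), "rev0:", events_with_rev0(SAMPLE_U2))
```

Run it against a real spool by reading the file's bytes in place of SAMPLE_U2; any tuple returned names a rule whose body needs a rev greater than 0.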