barnyard cannot write to database

[esride-dre]

Hello,

I habe a problem with my barnyard 2.1.13 installation. I see alerts in /var/log/snort/alert, but barnyard failed to write the event to the database. I found the following message in /var/log/messages:

WARNING database [Database()]: Called with Event[0x0] Event Type 0acket [0x26b5ff0], information has not been outputed.

barynards started without any errors:

    --== Initializing Barnyard2 ==--

Initializing Input Plugins! Initializing Output Plugins! Parsing config file "/etc/snort/barnyard2.conf"

012#012+[ Signature Suppress list ]+#012----------------------------

+[No entry in Signature Suppress List]+ ----------------------------#012+[ Signature Suppress list ]+#012 Barnyard2 spooler: Event cache size set to [2048] Log directory = /var/log/snort INFO database: Defaulting Reconnect/Transaction Error limit to 10 INFO database: Defaulting Reconnect sleep time to 5 second Initializing daemon mode Daemon parent exiting Daemon initialized, signaled parent pid: 5249 PID path stat checked out ok, PID path set to /var/run/ Writing PID "5250" to file "/var/run//barnyard2_eth0.pid" Oct 29 15:51:43 test barnyard2[5250]: Node unique name is: test.domain:eth0#012 [SignatureReferencePullDataStore()]: No Reference found in database ... database: compiled support for (mysql) database: configured to use mysql database: schema version = 107 database: host = localhost database: user = root database: database name = snorby database: sensor name = test.domain:eth0 database: sensor id = 1 database: sensor cid = 3 database: data encoding = hex database: detail level = full database: ignore_bpf = no database: using the "log" facility

     --== Initialization Complete ==--

Barnyard2 initialization completed successfully (pid=5250) Using waldo file '/etc/snort/barnyard2-log.waldo':#012 spool directory = /var/log/snort#012 spool filebase = snort.log#012 time_stamp = 1446115796#012 record_idx = 2 Opened spool file '/var/log/snort/snort.log.1446115796

file /var/log/snort/snort.log.1446115796

/var/log/snort/snort.log.1446115796: data

The snort seems ok for me. u2spewfoo /var/log/snort/snort.log.1446115796 shows a human readable version of the content.

A hint would be helpfull.

Best Regards

[pauloangelo]

@esride-dre

WARNING database [Database()]: Called with Event**[0x0]** Event Type 0acket **[0x26b5ff0]**, information has not been outputed.

The msg above occurs when you have log rules in Snort. Ie, it saves a packet without its event. One solution is changing the line below in barnyard2.conf.

 output database: log, ....

to

 output database: alert, ....

This will avoid the msg. Barnyard2 will (always) save just alerts in Database, not Packets!

Can you see in the output of command "u2spewfoo /var/log/snort/snort.log." any event?

[]'s

PA

[jonpulsifer]

@esride-dre What does your output line look like? I'm willing to bet it's the appid_event_types

[CyberTaoFlow]

Judging from the response to issue #122 there wont be support for appid either?

[firnsy]

@CyberTaoFlow: they won't be supported in the existing DB plugin due to it's legacy schema. a new schema and thus a new DB plugin needs to be developed that supports all the new information including IPv6 data types, appid, etc.

IPv6 has long been delayed due to mysql not providing an endorsed storage type (http://bugs.mysql.com/bug.php?id=34037). if people didn't care about mysql and only cared about postgresql it could be done tomorrow, but sadly mysql is still a thing people use.

[ghost]

So this means IPv6 is not supported on 2.1.14? I have the same problem with suricata.

WARNING database [Database()]: Called with Event[0x5b92e50] Event Type 72acket [0x0], information has not been outputed. WARNING database [Database()]: Called with Event[0x0] Event Type 0acket [0x30946e0], information has not been outputed.

The event is logged in fast.log

I've changed output database: alert... without any change...

u2spewfoo shows the even as well as the packet

[KaedeKun]

I have the same problem and I resolved recompile barnyard2 again a add follow lines ./autogen.sh ./configure --with-mysql --with-mysql-libraries=/usr/lib64/mysql --enable-ipv6 --enable-gre ( If you use postgresql is --with-postgres) make && make install

I use mysql 5.7 and centos 6.7 x64 when you review the version of barnyard2 show like this:

__ -> Barnyard2 <- / ,,_ \ Version 2.1.14 (Build 336) IPv6 |o" )~| By Ian Firns (SecurixLive): http://www.securixlive.com/

• '''' + (C) Copyright 2008-2013 Ian Firns firnsy@securixlive.com

And If you run in continuous mode the log show some like this:

2/05/16-15:50:55.288393 [] [1:1000001:1] ICMP Testing Rule [] [Classification: Attempted Information Leak] [Priority: 2] {IPV6-ICMP} fe80:0000:0000:0000:0000:0000:0000:0001 -> ff02:0000:0000:0000:0000:0000:0000:0001

I hope it helps you

[ghost]

Thanks for the answer.

I've already have it compiled with ipv6:

barnyard2 -V

__ -> Barnyard2 <- / ,,_ \ Version 2.1.14 (Build 336) IPv6 |o" )~| By Ian Firns (SecurixLive): http://www.securixlive.com/

• '''' + (C) Copyright 2008-2013 Ian Firns firnsy@securixlive.com

  $ ./configure --prefix=/usr/local --sysconfdir=/etc/suricata --localstatedir=/var --enab le-64bit-gcc --enable-ipv6 --enable-gre --with-mysql-libraries=/usr/lib64/mysql --with-mys ql-includes=/usr/include