I built barnyard2 compiled from the git repository on a Google Compute Engine using Ubuntu 14.04 LTS. I am running a MySQL instance on Google Cloud.

My goal is to have barnyard2 act as a snort unified2 log processor for multiple sensors spread over a geographic area. SNORT is loaded, but not used.

From the compute engine, I am able to connect to the MySQL instance using the MySQL client and the same credentials assigned to BarnYard2.

I am also able to connect to the database from other data sources, as can be seen below.

| Id | User | Host | db | Command | Time | State | Info |
|----|------|------|----|---------|------|-------|------|
| 460 | cyberxxxxxxxx | xx.xxx.55.90 | cyberxxx_xxxx | Sleep | 0 | | NULL |
| 483 | cyberxxxxxxxx | xx.xxx.55.90 | cyberxxx_xxxx | Sleep | 0 | | NULL |
| 604 | cyberxxxxxxxx | xxx.xxx.4.217 | cyberxxx_xxxx | Query | 0 | cleaning up | show processlist |

460 and 483 are from a different data source.

604 is connecting into the mysql instance from the Google Cloud Engine VM using mysql-client.

Any clues on why Barnyard2 is not able to connect to the same database would be greatly appreciated. Bad build / local compile?

Barnyard2 running in Test mode:

```
$ barnyard2 -T -c barnyard2.conf
Running in Test mode

        --== Initializing Barnyard2 ==--
Initializing Input Plugins!
Initializing Output Plugins!
Parsing config file "barnyard2.conf"

+[ Signature Suppress list ]+
----------------------------
+[No entry in Signature Suppress List]+
----------------------------
+[ Signature Suppress list ]+

Barnyard2 spooler: Event cache size set to [2048]
INFO database: Defaulting Reconnect/Transaction Error limit to 10
INFO database: Defaulting Reconnect sleep time to 5 second
database mysql_error: Access denied for user 'cyberxxxxxxxx'@'xxx.xxx.4.217' (using password: YES)

Barnyard2 exiting
database: Closing connection to database "cyberxxx_xxxx"
```

Contents of barnyard2.conf:

```
$ cat barnyard2.conf
# set the appropriate paths to the file(s) your Snort process is using.
#
config reference_file: /etc/snort/reference.config
config classification_file: /etc/snort/classification.config
config gen_file: /etc/snort/gen-msg.map
config sid_file: /etc/snort/sid-msg.map

# Configure signature suppression at the spooler level see doc/README.sig_suppress
#
##config sig_suppress: 1:10

# set the directory for any output logging
#
config logdir: /var/cyberxxx/xxxx/eth0/log

# to ensure that any plugins requiring some level of uniqueness in their output
# the alert_with_interface_name, interface and hostname directives are provided.
# An example of usage would be to configure them to the values of the associated
# snort process whose unified files you are reading.
#
config hostname: cyberxxxxxxxx
config interface: eth0
# config alert_with_interface_name

# enable daemon mode
#
#config daemon

# enable verbose logging
#
config verbose

# define the full waldo filepath.
#
config waldo_file: /var/cyberxxx/Home/eth0/barnyard2.waldo

#
# CONTINUOUS MODE
#

# set the archive directory for use with continuous mode
#
config archivedir: /var/cyberxxx/xxxx/eth0

# when in operating in continous mode, only process new records and ignore any
# existing unified files
#
#config process_new_records_only

#
# setup the input plugins
#
# this is not hard, only unified2 is supported ;)
input unified2

# alert_bro
# ----------------------------------------------------------------------------
#
# Purpose: Send alerts to a Bro-IDS instance.
#
# Arguments: hostname:port
#
# Examples:
# output alert_bro: 127.0.0.1:47757

output database: log, mysql, user=cyberxxxxxxxx password=Password dbname=cyberxxx_xxxx host=xxx.xxx.253.205

# to forward alerts also to syslog, uncomment the following 2 lines:
# output alert_syslog_full: sensor_name snortIds1-eth1, local
# output log_syslog_full: sensor_name snortIds1-eth1, local, log_priority LOG_CRIT
```
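Added example, not from the question or from the Barnyard2 project: a small Python triage script that reads the three artefacts in the post (the `output database:` line from barnyard2.conf, the `mysql_error` line from `barnyard2 -T`, and the `show processlist` table) and reports what can be concluded from them. The key observation it automates is that the client address in the "Access denied" message is the same one the processlist shows for the working mysql-client session (Id 604), so the account and its host grant are reachable from that VM and the remaining difference is the password actually sent by Barnyard2. The sample inputs are constructed from the redacted values in the post; the assumption that the `output database:` parameters are space- or comma-delimited `key=value` tokens (so a password containing those characters would be split) is this example's, and should be checked against the plugin parser in your build.

```python
"""Triage helper for "Access denied" from Barnyard2 when mysql-client works.

Sample inputs below are constructed from the redacted values in the question.
The token-splitting rule for the `output database:` line is an assumption of
this example, not Barnyard2 documentation.
"""
import re

# Constructed sample data (same redaction as the question).
CONF_LINE = ("output database: log, mysql, user=cyberxxxxxxxx password=Password "
             "dbname=cyberxxx_xxxx host=xxx.xxx.253.205")
ERROR_LINE = ("database mysql_error: Access denied for user "
              "'cyberxxxxxxxx'@'xxx.xxx.4.217' (using password: YES)")
PROCESSLIST = """\
| Id | User | Host | db | Command | Time | State | Info |
| 460 | cyberxxxxxxxx | xx.xxx.55.90 | cyberxxx_xxxx | Sleep | 0 | | NULL |
| 483 | cyberxxxxxxxx | xx.xxx.55.90 | cyberxxx_xxxx | Sleep | 0 | | NULL |
| 604 | cyberxxxxxxxx | xxx.xxx.4.217 | cyberxxx_xxxx | Query | 0 | cleaning up | show processlist |
"""

# Characters a space/comma-delimited key=value line cannot carry unquoted
# (assumption about the barnyard2 line format; verify for your build).
UNSAFE_PASSWORD_CHARS = set(" ,\"'")


def parse_output_database(line: str) -> dict:
    """Split `output database: <fmt>, <driver>, k=v k=v ...` into a dict.

    Tokens without '=' are kept under '_stray': they usually mean a value
    (typically the password) contained a delimiter and was cut in two.
    """
    m = re.match(r"output\s+database:\s*(\w+)\s*,\s*(\w+)\s*,\s*(.*)$", line.strip())
    if not m:
        raise ValueError("not an `output database:` line")
    params = {"format": m.group(1), "driver": m.group(2), "_stray": []}
    for token in re.split(r"[\s,]+", m.group(3).strip()):
        if "=" in token:
            key, value = token.split("=", 1)
            params[key] = value
        elif token:
            params["_stray"].append(token)
    return params


def parse_access_denied(line: str):
    """Return (user, client_host) from a MySQL 'Access denied' message, or None."""
    m = re.search(r"Access denied for user '([^']*)'@'([^']*)'", line)
    return (m.group(1), m.group(2)) if m else None


def parse_processlist(table: str) -> list:
    """Parse a pipe-delimited `show processlist` table into a list of row dicts."""
    rows, header = [], None
    for raw in table.splitlines():
        if not raw.strip().startswith("|"):
            continue
        if set(raw.strip()) <= set("|-: "):  # markdown separator row, if any
            continue
        cells = [c.strip() for c in raw.strip().strip("|").split("|")]
        if header is None:
            header = cells
        else:
            rows.append(dict(zip(header, cells)))
    return rows


def triage(conf_line: str, error_line: str, processlist: str) -> dict:
    """Correlate config, error and processlist; return params and findings."""
    params = parse_output_database(conf_line)
    denied = parse_access_denied(error_line)
    sessions = parse_processlist(processlist)
    result = {"params": params, "denied": denied, "findings": []}
    if denied is None:
        result["findings"].append("no 'Access denied' message found")
        return result
    user, src_host = denied
    if user != params.get("user"):
        result["findings"].append(
            f"config user {params.get('user')!r} differs from denied user {user!r}")
    # A live session for the same user from the same client address proves the
    # account and its host grant are reachable from this VM; what differs is
    # the secret (or auth plugin) the failing client presents.
    same = [s for s in sessions if s.get("User") == user and s.get("Host") == src_host]
    if same:
        result["findings"].append(
            f"user {user!r} has {len(same)} live session(s) from {src_host}: "
            "grant is fine, suspect the password barnyard2 actually sends")
    else:
        result["findings"].append(
            f"no live session for {user!r} from {src_host}: check the GRANT host pattern")
    if params["_stray"]:
        result["findings"].append(
            f"stray tokens {params['_stray']} in output line: a value was split on a delimiter")
    bad = sorted(UNSAFE_PASSWORD_CHARS & set(params.get("password", "")))
    if bad:
        result["findings"].append(f"password contains {bad}, which this line format may mangle")
    if params.get("driver") != "mysql":
        result["findings"].append(f"driver is {params.get('driver')!r}, not mysql")
    return result


if __name__ == "__main__":
    for finding in triage(CONF_LINE, ERROR_LINE, PROCESSLIST)["findings"]:
        print("-", finding)
```

Run it as-is to see the single finding for the posted data; feed it your own three artefacts to repeat the correlation. The stray-token check is the one to watch if the real password is not the placeholder `Password`: a secret containing a space or comma cannot survive this line format, and the rest of the config would still parse cleanly, which is exactly the pattern of "test mode starts fine, then Access denied".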