firnsy / barnyard2

Barnyard2 is a dedicated spooler for Snort's unified2 binary output format.
GNU General Public License v2.0

Barnyard2 doesn't write to the mysql database even though the snort log file has new data #173

Open wykw opened 8 years ago

wykw commented 8 years ago

Here are the installed versions: snort 2.9.6.1, barnyard2 2.1.13 Build 327, mysql 5.1.73-3 64bit.

The current configuration works fine for monitoring eth0 only (both snort and barnyard2). Recently, we wanted to monitor another LAN port, so we created 2 snort instances to monitor the ports separately. The snort log file gets written, however barnyard2 seems to do nothing after initialization completes. Does anyone have any idea why?

Output from /var/log/messages:

Nov 24 19:10:25 IPCMON01 barnyard2[3611]: Running in Continuous mode
Nov 24 19:10:25 IPCMON01 barnyard2[3611]:
Nov 24 19:10:25 IPCMON01 barnyard2[3611]: --== Initializing Barnyard2 ==--
Nov 24 19:10:25 IPCMON01 barnyard2[3611]: Initializing Input Plugins!
Nov 24 19:10:25 IPCMON01 barnyard2[3611]: Initializing Output Plugins!
Nov 24 19:10:25 IPCMON01 barnyard2[3611]: Parsing config file "/etc/snort/barnyard_0.conf"
Nov 24 19:10:25 IPCMON01 barnyard2[3611]: #012#012+[ Signature Suppress list ]+#012----------------------------
Nov 24 19:10:25 IPCMON01 barnyard2[3611]: +[No entry in Signature Suppress List]+
Nov 24 19:10:25 IPCMON01 barnyard2[3611]: ----------------------------#012+[ Signature Suppress list ]+#012
Nov 24 19:10:31 IPCMON01 barnyard2[3611]: Barnyard2 spooler: Event cache size set to [2048]
Nov 24 19:10:31 IPCMON01 barnyard2[3611]: Log directory = /var/log/snort0
Nov 24 19:10:31 IPCMON01 barnyard2[3611]: INFO database: Defaulting Reconnect/Transaction Error limit to 10
Nov 24 19:10:31 IPCMON01 barnyard2[3611]: INFO database: Defaulting Reconnect sleep time to 5 second
Nov 24 19:10:31 IPCMON01 barnyard2[3611]: Initializing daemon mode
Nov 24 19:10:31 IPCMON01 barnyard2[3611]: Daemon parent exiting
Nov 24 19:10:31 IPCMON01 barnyard2[3612]: Daemon initialized, signaled parent pid: 3611
Nov 24 19:10:31 IPCMON01 barnyard2[3612]: PID path stat checked out ok, PID path set to /var/run/
Nov 24 19:10:31 IPCMON01 barnyard2[3612]: Writing PID "3612" to file "/var/run//barnyard2_eth0.pid"
Nov 24 19:11:47 IPCMON01 barnyard2[3612]: database: compiled support for (mysql)
Nov 24 19:11:47 IPCMON01 barnyard2[3612]: database: configured to use mysql
Nov 24 19:11:47 IPCMON01 barnyard2[3612]: database: schema version = 107
Nov 24 19:11:47 IPCMON01 barnyard2[3612]: database: host = localhost
Nov 24 19:11:47 IPCMON01 barnyard2[3612]: database: user = barnyard2
Nov 24 19:11:47 IPCMON01 barnyard2[3612]: database: database name = snorby
Nov 24 19:11:47 IPCMON01 barnyard2[3612]: database: sensor name = localhost:eth0
Nov 24 19:11:47 IPCMON01 barnyard2[3612]: database: sensor id = 1
Nov 24 19:11:47 IPCMON01 barnyard2[3612]: database: sensor cid = 5195493
Nov 24 19:11:47 IPCMON01 barnyard2[3612]: database: data encoding = hex
Nov 24 19:11:47 IPCMON01 barnyard2[3612]: database: detail level = full
Nov 24 19:11:47 IPCMON01 barnyard2[3612]: database: ignore_bpf = no
Nov 24 19:11:47 IPCMON01 barnyard2[3612]: database: using the "log" facility
Nov 24 19:11:47 IPCMON01 barnyard2[3612]:
Nov 24 19:11:47 IPCMON01 barnyard2[3612]: --== Initialization Complete ==--
Nov 24 19:11:47 IPCMON01 barnyard2[3612]: Barnyard2 initialization completed successfully (pid=3612)
Nov 24 19:11:47 IPCMON01 barnyard2[3612]: WARNING: Unable to open waldo file '/var/log/snort0/barnyard2.waldo' (No such file or directory)
Nov 24 19:11:47 IPCMON01 barnyard2[3612]: Opened spool file '/var/log/snort0/snort.log.1447922162'
Nov 24 19:11:47 IPCMON01 barnyard2[3612]: Closing spool file '/var/log/snort0/snort.log.1447922162'. Read 0 records
Nov 24 19:11:47 IPCMON01 barnyard2[3612]: Opened spool file '/var/log/snort0/snort.log.1447922576'
Nov 24 19:11:47 IPCMON01 barnyard2[3612]: Closing spool file '/var/log/snort0/snort.log.1447922576'. Read 0 records
Nov 24 19:11:47 IPCMON01 barnyard2[3612]: Opened spool file '/var/log/snort0/snort.log.1447924266'
Nov 24 19:11:47 IPCMON01 barnyard2[3612]: Closing spool file '/var/log/snort0/snort.log.1447924266'. Read 0 records
Nov 24 19:11:47 IPCMON01 barnyard2[3612]: Opened spool file '/var/log/snort0/snort.log.1448015170'
Nov 24 19:11:47 IPCMON01 barnyard2[3612]: Closing spool file '/var/log/snort0/snort.log.1448015170'. Read 0 records
Nov 24 19:11:47 IPCMON01 barnyard2[3612]: Opened spool file '/var/log/snort0/snort.log.1448358329'
Nov 24 19:11:47 IPCMON01 barnyard2[3612]: Waiting for new data

Snort archive folder : (/var/log/snort0/eth0/archive)
-rw------- 1 snort snort 17082 Nov 19 16:40 snort.log.1447922162
-rw------- 1 snort snort 31297 Nov 19 16:54 snort.log.1447922576
-rw------- 1 snort snort 14239 Nov 19 17:33 snort.log.1447924266
-rw------- 1 snort snort  5710 Nov 19 20:57 snort.log.1447932058
-rw------- 1 snort snort 17082 Nov 20 20:45 snort.log.1448015170

Snort log folder : (/var/log/snort0)
drwxr-xr-x   3 root  root   4096 Nov 19 12:06 eth0
-rw-r--r--   1 root  root   2056 Nov 24 19:11 barnyard2.waldo
drwx------   3 snort snort  4096 Nov 24 19:11 .
drwxr-xr-x. 18 root  root   4096 Nov 24 19:42 ..
-rw-r--r--   1 root  root  73334 Nov 24 19:43 alert
-rw-------   1 snort snort 19925 Nov 24 19:43 snort.log.1448358329

From the above file information, Snort can detect attacks but barnyard2 seems to do nothing.

Process information :
snort 3310 1 0 17:45 ? 00:00:08 /usr/local/bin/snort -A fast -b -d -D -i eth0 -u snort -g snort -c /etc/snort/snort.conf -l /var/log/snort0
root  3612 1 1 19:10 ? 00:01:16 barnyard2 -D -c /etc/snort/barnyard_0.conf -d /var/log/snort0 -w /var/log/snort0/barnyard2.waldo -l /var/log/snort0 -a /var/log/snort0/eth0/archive -f snort.log -X /var/lock/subsys/barnyard2-eth0.pid

Regards, Wilson
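As an added diagnostic for the kind of report above (this is example code, not part of the issue or of barnyard2 itself), the script below walks a unified2 spool file the way the spooler does, counting complete records, decoding the legacy IPv4 event fields, and stopping at a truncated trailing record, and it decodes a waldo file so you can see which file and record index barnyard2 believes it last processed. The unified2 record types and field layout follow Snort's Unified2_common.h; the waldo layout is assumed from barnyard2's WaldoData struct (two 1024-byte paths plus two u32s, matching the 2056-byte file in the listing), and all sample bytes are constructed.

```python
import struct
import ipaddress

# Record types from Snort's Unified2_common.h (only the two used here)
UNIFIED2_PACKET = 2
UNIFIED2_IDS_EVENT = 7        # legacy IPv4 event, 52-byte body
IDS_EVENT_FMT = "!11I2H4B"    # big-endian: 11 x u32, 2 x u16, 4 x u8
# Waldo file: barnyard2's WaldoData struct in native byte order (assumed layout:
# spool_dir[1024], spool_filebase[1024], u32 timestamp, u32 record_idx = 2056 bytes)
WALDO_FMT = "1024s1024sII"

def decode_ids_event(body):
    """Fields barnyard2 would insert into its event/iphdr tables."""
    f = struct.unpack(IDS_EVENT_FMT, body[:52])
    return {"sensor_id": f[0], "event_id": f[1], "event_second": f[2], "sig_id": f[4],
            "gen_id": f[5], "priority": f[8], "src": str(ipaddress.IPv4Address(f[9])),
            "dst": str(ipaddress.IPv4Address(f[10])), "sport": f[11], "dport": f[12],
            "proto": f[13]}

def scan_spool(data):
    """Walk a spool image as the spooler does: (type, length) header, then body.
    Returns (records, pending); pending > 0 means a truncated trailing record,
    where a live spooler stops and waits for Snort to finish writing it."""
    records, off = [], 0
    while off + 8 <= len(data):
        rtype, length = struct.unpack_from("!II", data, off)
        if off + 8 + length > len(data):
            break                 # partial record: do not advance past it
        rec = {"type": rtype, "offset": off}
        if rtype == UNIFIED2_IDS_EVENT and length >= 52:
            rec.update(decode_ids_event(data[off + 8:off + 8 + length]))
        records.append(rec)
        off += 8 + length
    return records, len(data) - off

def parse_waldo(data):
    """Where barnyard2 believes it stopped: spool dir, file base, timestamp, record."""
    d, base, ts, idx = struct.unpack(WALDO_FMT, data[:struct.calcsize(WALDO_FMT)])
    cstr = lambda b: b.split(b"\0", 1)[0].decode()
    return {"spool_dir": cstr(d), "filebase": cstr(base), "timestamp": ts, "record_idx": idx}

# Constructed sample: one event, its packet record, then a truncated third record
SAMPLE_EVENT = struct.pack(IDS_EVENT_FMT, 1, 42, 1448358329, 0, 1000001, 1, 3, 30, 2,
                           int(ipaddress.IPv4Address("192.0.2.10")),
                           int(ipaddress.IPv4Address("198.51.100.7")), 44321, 80, 6, 0, 0, 0)
SAMPLE_PACKET = struct.pack("!7I", 1, 42, 1448358329, 1448358329, 0, 1, 4) + b"\xde\xad\xbe\xef"
SAMPLE_SPOOL = (struct.pack("!II", UNIFIED2_IDS_EVENT, 52) + SAMPLE_EVENT
                + struct.pack("!II", UNIFIED2_PACKET, len(SAMPLE_PACKET)) + SAMPLE_PACKET
                + struct.pack("!II", UNIFIED2_IDS_EVENT, 52) + b"\0" * 20)
SAMPLE_WALDO = struct.pack(WALDO_FMT, b"/var/log/snort0", b"snort.log", 1448358329, 2)
```

Run `scan_spool(open(path, "rb").read())` on a real snort.log.* file to compare its record count with the "Read N records" line barnyard2 logs for that file, and `parse_waldo` on the waldo file to see the timestamp and record index it will resume from.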

purefan commented 8 years ago

Possibly related to this issue (see my comment there)