search

firnsy / barnyard2

Barnyard2 is a dedicated spooler for Snort's unified2 binary output format.
GNU General Public License v2.0
343 stars 189 forks source link

No logging to MySQL database #207

Closed seanmurphy1661 closed 7 years ago

seanmurphy1661 commented 7 years ago 

Running snort 2.9.9.0 on RPI 3 with raspbian jessie installed. 
Barnyard2 v 2.1.14 installed

Both snort and barnyard2 were compiled from source.

Prior to installing and configuring for BY2, csv based output was working well.
barnyard2.conf listed below
 snort.conf is attached.

Snort command line:
sudo ~/snort-2.9.9.0/src/snort -c ~/snort-2.9.9.0/etc/snort.conf -D

BY2 command line:
sudo /home/pi/barnyard2-install/bin/barnyard2  -v -c/home/pi/barnyard2-install/etc/barnyard2.conf -d /home/pi/snort-2.9.9.0/log

There are two issues:
a) "Warning: can't extract time..." 
database: compiled support for (mysql)**
database: configured to use mysql
database: schema version = 107
database:           host = winterland
database:           user = snortuser
database:  database name = snort
database:    sensor name = periwinkle:eth0
database:      sensor id = 2
database:     sensor cid = 1
database:  data encoding = hex
database:   detail level = full
database:     ignore_bpf = no
database: using the "log" facility

        --== Initialization Complete ==--

  ______   -*> Barnyard2 <*-
 / ,,_  \  Version 2.1.14 (Build 337) IPv6
 |o"  )~|  By Ian Firns (SecurixLive): http://www.securixlive.com/
 + '''' +  (C) Copyright 2008-2013 Ian Firns <firnsy@securixlive.com>

WARNING: Can't extract timestamp extension from '..'using base ''
WARNING: Can't extract timestamp extension from 'snortu2.1488158233'using base ''
WARNING: Can't extract timestamp extension from 'snortu2.1488142071'using base ''
Waiting for new spool file
WARNING: Can't extract timestamp extension from '..'using base ''
WARNING: Can't extract timestamp extension from 'snortu2.1488158233'using base ''
WARNING: Can't extract timestamp extension from 'snortu2.1488142071'using base ''

and 
b) nothing is logged to database
database: Closing connection to database "snort"
===============================================================================
Record Totals:
   Records:           0
   Events:           0 (0.000%)
   Packets:           0 (0.000%)
   Unknown:           0 (0.000%)
   Suppressed:           0 (0.000%)
===============================================================================
Packet breakdown by protocol (includes rebuilt packets):
      ETH: 0          (0.000%)
  ETHdisc: 0          (0.000%)
     VLAN: 0          (0.000%)
     IPV6: 0          (0.000%)
  IP6 EXT: 0          (0.000%)
  IP6opts: 0          (0.000%)
  IP6disc: 0          (0.000%)
      IP4: 0          (0.000%)
  IP4disc: 0          (0.000%)
    TCP 6: 0          (0.000%)
    UDP 6: 0          (0.000%)
    ICMP6: 0          (0.000%)
  ICMP-IP: 0          (0.000%)
      TCP: 0          (0.000%)
      UDP: 0          (0.000%)
     ICMP: 0          (0.000%)
  TCPdisc: 0          (0.000%)
  UDPdisc: 0          (0.000%)
  ICMPdis: 0          (0.000%)
     FRAG: 0          (0.000%)
   FRAG 6: 0          (0.000%)
      ARP: 0          (0.000%)
    EAPOL: 0          (0.000%)
  ETHLOOP: 0          (0.000%)
      IPX: 0          (0.000%)
    OTHER: 0          (0.000%)
  DISCARD: 0          (0.000%)
InvChkSum: 0          (0.000%)
   S5 G 1: 0          (0.000%)
   S5 G 2: 0          (0.000%)
    Total: 0         
===============================================================================
#
#  Barnyard2 example configuration file
#

#
# This file contains a sample barnyard2 configuration.
# You can take the following steps to create your own custom configuration:
#
#   1) Configure the variable declarations
#   2) Setup the input plugins
#   3) Setup the output plugins
#

#
# Step 1: configure the variable declarations
#

# in order to keep from having a commandline that uses every letter in the
# alphabet most configuration options are set here.

# use UTC for timestamps
#
#config utc

# set the appropriate paths to the file(s) your Snort process is using.
#
config reference_file:      /home/pi/snort-2.9.9.0/etc/reference.config
config classification_file: /home/pi/snort-2.9.9.0/etc/classification.config
config gen_file:            /home/pi/snort-2.9.9.0/etc/gen-msg.map
config sid_file:            /etc/snort/rules/sid-msg.map

# Configure signature suppression at the spooler level see doc/README.sig_suppress
#
#
#config sig_suppress: 1:10

# Set the event cache size to defined max value before recycling of event occur.
#
#
#config event_cache_size: 4096

# define dedicated references similar to that of snort.
#
#config reference: mybugs http://www.mybugs.com/?s=

# define explicit classifications similar to that of snort.
#
#config classification: shortname, short description, priority

# set the directory for any output logging
#
config logdir: /home/pi/barnyard2-install/log

# to ensure that any plugins requiring some level of uniqueness in their output
# the alert_with_interface_name, interface and hostname directives are provided.
# An example of usage would be to configure them to the values of the associated
# snort process whose unified files you are reading.
#
# Example:
#   For a snort process as follows:
#     snort -i eth0 -c /etc/snort.conf
#
#   Typical options would be:
#     config hostname:  thor
#     config interface: eth0
#     config alert_with_interface_name
#
config hostname:   periwinkle
config interface:  eth0

# enable printing of the interface name when alerting.
#
#config alert_with_interface_name

# at times snort will alert on a packet within a stream and dump that stream to
# the unified output. barnyard2 can generate output on each packet of that
# stream or the first packet only.
#
#config alert_on_each_packet_in_stream

# enable daemon mode
#
#config daemon

# make barnyard2 process chroot to directory after initialisation.
#
#config chroot: /var/spool/barnyard2

# specifiy the group or GID for barnyard2 to run as after initialisation.
#
#config set_gid: 999

# specifiy the user or UID for barnyard2 to run as after initialisation.
#
#config set_uid: 999

# specify the directory for the barnyard2 PID file.
#
#config pidpath: /var/run/by2.pid

# enable decoding of the data link (or second level headers).
#
#config decode_data_link

# dump the application data
#
#config dump_payload

# dump the application data as chars only
#
#config dump_chars_only

# enable verbose dumping of payload information in log style output plugins.
#
#config dump_payload_verbose

# enable obfuscation of logged IP addresses.
#
#config obfuscate

# enable the year being shown in timestamps
#
#config show_year

# set the umask for all files created by the barnyard2 process (eg. log files).
#
#config umask: 066

# enable verbose logging
#
#config verbose

# quiet down some of the output
#
#config quiet

# define the full waldo filepath.
#
#config waldo_file: /tmp/waldo

# specificy the maximum length of the MPLS label chain
#
#config max_mpls_labelchain_len: 64

# specify the protocol (ie ipv4, ipv6, ethernet) that is encapsulated by MPLS.
#
#config mpls_payload_type: ipv4

# set the reference network or homenet which is predominantly used by the
# log_ascii plugin.
#
#config reference_net: 192.168.0.0/24

#
# CONTINOUS MODE
#

# set the archive directory for use with continous mode
#
config archivedir: /tmp

# when in operating in continous mode, only process new records and ignore any
# existing unified files
#
#config process_new_records_only

#
# Step 2: setup the input plugins
#

# this is not hard, only unified2 is supported ;)
input unified2

#
# Step 3: setup the output plugins
#

# alert_cef
# ----------------------------------------------------------------------------
#
# Purpose:
#  This output module provides the abilty to output alert information to a
# remote network host as well as the local host using the open standard
# Common Event Format (CEF).
#
# Arguments: host=hostname[:port], severity facility
#            arguments should be comma delimited.
#   host        - specify a remote hostname or IP with optional port number
#                 this is only specific to WIN32 (and is not yet fully supported)
#   severity    - as defined in RFC 3164 (eg. LOG_WARN, LOG_INFO)
#   facility    - as defined in RFC 3164 (eg. LOG_AUTH, LOG_LOCAL0)
#
# Examples:
#   output alert_cef
#   output alert_cef: host=192.168.10.1
#   output alert_cef: host=sysserver.com:1001
#   output alert_cef: LOG_AUTH LOG_INFO
#

# alert_bro
# ----------------------------------------------------------------------------
#
# Purpose: Send alerts to a Bro-IDS instance.
#
# Arguments: hostname:port
#
# Examples:
#   output alert_bro: 127.0.0.1:47757

# alert_fast
# ----------------------------------------------------------------------------
# Purpose: Converts data to an approximation of Snort's "fast alert" mode.
#
# Arguments: file <file>, stdout
#            arguments should be comma delimited.
#   file - specifiy alert file
#   stdout - no alert file, just print to screen
#
# Examples:
#   output alert_fast
#   output alert_fast: stdout
#
output alert_fast: stdout

# prelude: log to the Prelude Hybrid IDS system
# ----------------------------------------------------------------------------
#
# Purpose:
#  This output module provides logging to the Prelude Hybrid IDS system
#
# Arguments:
#   analyzer_name           - name of the Prelude analyzer (default is snort).
#   analyzer_model          - model of the Prelude analyzer (default is Snort).
#   analyzer_class          - class of the Prelude analyzer (default is NIDS).
#   analyzer_manufacturer   - manufacturer of the Prelude anaylzer (default is http://www.snort.org).
#
# Snort priority to IDMEF severity mappings:
# high < medium < low < info
#
# These are the default mapped from classification.config:
# info   = 4
# low    = 3
# medium = 2
# high   = anything below medium
#
# Examples:
#   output alert_prelude
#   output alert_prelude: analyzer_name=snort
#   output alert_prelude: analyzer_name=sagan analyzer_model=sagan analyzer_class=Log\ Analyzer analyzer_manufacturer=http://sagan.quadrantsec.com

# alert_syslog
# ----------------------------------------------------------------------------
#
# Purpose:
#  This output module provides the abilty to output alert information to local syslog
#
#   severity    - as defined in RFC 3164 (eg. LOG_WARN, LOG_INFO)
#   facility    - as defined in RFC 3164 (eg. LOG_AUTH, LOG_LOCAL0)
#
# Examples:
#   output alert_syslog
#   output alert_syslog: LOG_AUTH LOG_INFO
#

# syslog_full
#-------------------------------
# Available as both a log and alert output plugin.  Used to output data via TCP/UDP or LOCAL ie(syslog())
# Arguments:
#      sensor_name $sensor_name         - unique sensor name
#      server $server                   - server the device will report to
#      local                            - if defined, ignore all remote information and use syslog() to send message.
#      protocol $protocol               - protocol device will report over (tcp/udp)
#      port $port                       - destination port device will report to (default: 514)
#      delimiters $delimiters           - define a character that will delimit message sections ex:  "|", will use | as message section delimiters. (default: |)
#      separators $separators           - define field separator included in each message ex: " " ,  will use space as field separator.             (default: [:space:])
#      operation_mode $operaion_mode    - default | complete : default mode is compatible with default snort syslog message, complete prints more information such as the raw packet (hexed)
#      log_priority   $log_priority     - used by local option for syslog priority call. (man syslog(3) for supported options) (default: LOG_INFO)
#      log_facility  $log_facility      - used by local option for syslog facility call. (man syslog(3) for supported options) (default: LOG_USER)
#      payload_encoding                 - (default: hex)  support hex/ascii/base64 for log_syslog_full using operation_mode complete only.

# Usage Examples:
# output alert_syslog_full: sensor_name snortIds1-eth2, server xxx.xxx.xxx.xxx, protocol udp, port 514, operation_mode default
# output alert_syslog_full: sensor_name snortIds1-eth2, server xxx.xxx.xxx.xxx, protocol udp, port 514, operation_mode complete
# output log_syslog_full: sensor_name snortIds1-eth2, server xxx.xxx.xxx.xxx, protocol udp, port 514, operation_mode default
# output log_syslog_full: sensor_name snortIds1-eth2, server xxx.xxx.xxx.xxx, protocol udp, port 514, operation_mode complete
# output alert_syslog_full: sensor_name snortIds1-eth2, server xxx.xxx.xxx.xxx, protocol udp, port 514
# output log_syslog_full: sensor_name snortIds1-eth2, server xxx.xxx.xxx.xxx, protocol udp, port 514
# output alert_syslog_full: sensor_name snortIds1-eth2, local
# output log_syslog_full: sensor_name snortIds1-eth2, local, log_priority LOG_CRIT,log_facility LOG_CRON

# log_ascii
# ----------------------------------------------------------------------------
#
# Purpose: This output module provides the default packet logging funtionality
#
# Arguments: None.
#
# Examples:
#   output log_ascii
#

# log_tcpdump
# ----------------------------------------------------------------------------
#
# Purpose
#  This output module logs packets in binary tcpdump format
#
# Arguments:
#   The only argument is the output file name.
#
# Examples:
#   output log_tcpdump: tcpdump.log
#

# sguil
# ----------------------------------------------------------------------------
#
# Purpose: This output module provides logging ability for the sguil interface
# See doc/README.sguil
#
# Arguments: agent_port <port>, sensor_name <name>
#            arguments should be comma delimited.
#   agent_port  - explicitly set the sguil agent listening port
#                 (default: 7736)
#   sensor_name - explicitly set the sensor name
#                 (default: machine hostname)
#
# Examples:
#   output sguil
#   output sguil: agent_port=7000
#   output sguil: sensor_name=argyle
#   output sguil: agent_port=7000, sensor_name=argyle
#

# database: log to a variety of databases
# ----------------------------------------------------------------------------
#
# Purpose: This output module provides logging ability to a variety of databases
# See doc/README.database for additional information.
#
# Examples:
output database: log, mysql, user=snortuser password=<password removed> dbname=snort host=winterland
#   output database: alert, postgresql, user=snort dbname=snort
#   output database: log, odbc, user=snort dbname=snort
#   output database: log, mssql, dbname=snort user=snort password=test
#   output database: log, oracle, dbname=snort user=snort password=test
#

# alert_fwsam: allow blocking of IP's through remote services
# ----------------------------------------------------------------------------
# output alert_fwsam: <SnortSam Station>:<port>/<key>
#
#  <FW Mgmt Station>:  IP address or host name of the host running SnortSam.
#  <port>:         Port the remote SnortSam service listens on (default 898).
#  <key>:              Key used for authentication (encryption really)
#              of the communication to the remote service.
#
# Examples:
#
# output alert_fwsam: snortsambox/idspassword
# output alert_fwsam: fw1.domain.tld:898/mykey
# output alert_fwsam: 192.168.0.1/borderfw  192.168.1.254/wanfw
#
>

```[snort.txt](https://github.com/firnsy/barnyard2/files/802511/snort.txt)
seanmurphy1661 commented 7 years ago

required -f snortu2 parameter on command line