firnsy / barnyard2

Barnyard2 is a dedicated spooler for Snort's unified2 binary output format.
GNU General Public License v2.0

Barnyard2 data not moving to SQL. #211

Open sessionking33 opened 7 years ago

sessionking33 commented 7 years ago

I have a build of snorby on a Centos 7 server with snort, barnyard2, and MariaDB on it and all of the logs are clean. Everything looks like it is working. Here is what is in the process table.

/usr/local/bin/barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort -f snort.u2 -q -w /var/log/snort/eth0/barnyard2.waldo -g snort -u snort -D -a /var/log/snort/eth0/archive

/usr/sbin/snort -D -i ens4 -u snort -g snort -c /etc/snort/snort.conf -l /var/log/snort

When I run snort -vi ens4 -c /etc/snort/snort.conf, I see the events I want to capture. There is data in the snort.log. No errors on the waldo file.

Here is what is logged in the message log.

23 autocritas barnyard2[1427]: Running in Continuous mode
Mar 16 13:29:23 autocritas barnyard2[1427]:
Mar 16 13:29:23 autocritas barnyard2[1427]: --== Initializing Barnyard2 ==--
Mar 16 13:29:23 autocritas barnyard2[1427]: Initializing Input Plugins!
Mar 16 13:29:23 autocritas barnyard2[1427]: Initializing Output Plugins!
Mar 16 13:29:23 autocritas barnyard2[1427]: Parsing config file "/etc/snort/barnyard2.conf"
Mar 16 13:29:23 autocritas barnyard2[1427]: #012#012+[ Signature Suppress list ]+#012----------------------------
Mar 16 13:29:23 autocritas barnyard2[1427]: +[No entry in Signature Suppress List]+
Mar 16 13:29:23 autocritas barnyard2[1427]: ----------------------------#012+[ Signature Suppress list ]+
Mar 16 13:29:42 autocritas barnyard2[1427]: WARNING: invalid Reference spec '2015-0666'. Ignored
Mar 16 13:29:44 autocritas barnyard2[1427]: Barnyard2 spooler: Event cache size set to [2048]
Mar 16 13:29:44 autocritas barnyard2[1427]: Log directory = /var/log/barnyard2
Mar 16 13:29:44 autocritas barnyard2[1427]: INFO database: Defaulting Reconnect/Transaction Error limit to 10
Mar 16 13:29:44 autocritas barnyard2[1427]: INFO database: Defaulting Reconnect sleep time to 5 second
Mar 16 13:29:44 autocritas barnyard2[1427]: Initializing daemon mode
Mar 16 13:29:44 autocritas barnyard2[1427]: Daemon initialized, signaled parent pid: 1
Mar 16 13:29:44 autocritas barnyard2[1427]: PID path stat checked out ok, PID path set to /var/run/
Mar 16 13:29:44 autocritas barnyard2[1427]: Writing PID "1427" to file "/var/run//barnyard2_ens4.pid"
Mar 16 13:30:18 autocritas barnyard2[1427]: Node unique name is: localhost:ens4
Mar 16 13:30:21 autocritas barnyard2[1427]: [SignatureReferencePullDataStore()]: No Reference found in database ...
Mar 16 13:30:21 autocritas barnyard2[1427]: database: compiled support for (mysql)
Mar 16 13:30:21 autocritas barnyard2[1427]: database: configured to use mysql
Mar 16 13:30:21 autocritas barnyard2[1427]: database: schema version = 107
Mar 16 13:30:21 autocritas barnyard2[1427]: database: host = localhost
Mar 16 13:30:21 autocritas barnyard2[1427]: database: user = snorty
Mar 16 13:30:21 autocritas barnyard2[1427]: database: database name = snorby
Mar 16 13:30:21 autocritas barnyard2[1427]: database: sensor name = localhost:ens4
Mar 16 13:30:21 autocritas barnyard2[1427]: database: sensor id = 3
Mar 16 13:30:21 autocritas barnyard2[1427]: database: sensor cid = 3
Mar 16 13:30:21 autocritas barnyard2[1427]: database: data encoding = hex
Mar 16 13:30:21 autocritas barnyard2[1427]: database: detail level = full
Mar 16 13:30:21 autocritas barnyard2[1427]: database: ignore_bpf = no
Mar 16 13:30:21 autocritas barnyard2[1427]: database: using the "log" facility
Mar 16 13:30:21 autocritas barnyard2[1427]:
Mar 16 13:30:21 autocritas barnyard2[1427]: --== Initialization Complete ==--
Mar 16 13:30:21 autocritas barnyard2[1427]: Barnyard2 initialization completed successfully (pid=1427)
Mar 16 13:30:21 autocritas barnyard2[1427]: Using waldo file '/var/log/snort/eth0/barnyard2.waldo':#012 spool directory = /var/log/snort#012 spool filebase = snort.log#012 time_stamp = 1478897504#012 record_idx = 0
Mar 16 13:30:21 autocritas barnyard2[1427]: Opened spool file '/var/log/snort/snort.log.1478897504'
Mar 16 13:30:21 autocritas barnyard2[1427]: Waiting for new data

I ran the mysql -h to set the host to 127.0.0.1 and have granted all permissions on the database to the user several times. I see the sensors in the snorby database, so that is making it in.

I have already plowed through the other posts on this site, but could not find anything that fixed it. Snort and Barnyard2 are running in Daemon mode.

I just can't help but think it is something simple? Do I need to activate some filters? Is there something else I need to do with the non-eth0 network adapter? It looks like Snort is listening on that and barnyard2 is set for that interface too. Is there something I need to do with my MariaDB build? I have recompiled barnyard2 once already.
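One way to spot the state the log above shows (waldo still holding spool filebase snort.log and a November timestamp while barnyard2 was started with -f snort.u2), as an added example that is not part of the original issue or of barnyard2's own code: a small Python inspector that unpacks the waldo file and flags a filebase that disagrees with the -f argument or lags behind the newest spool file. The waldo layout is assumed from the WaldoData struct in barnyard2's spooler.h (two 1024-byte path fields followed by two native uint32s); the sample waldo and spool file names are constructed.

```python
import struct

# Layout of the barnyard2 waldo file, assumed from the WaldoData struct in
# barnyard2's spooler.h: two 1024-byte NUL-padded path fields (spool_dir,
# spool_filebase) followed by two native-endian uint32s (timestamp, record_idx).
MAX_FILEPATH_BUF = 1024
WALDO_FMT = "%ds%dsII" % (MAX_FILEPATH_BUF, MAX_FILEPATH_BUF)
WALDO_SIZE = struct.calcsize(WALDO_FMT)  # 2056 bytes

def parse_waldo(blob):
    """Unpack a waldo blob into a dict; rejects a truncated or oversized file."""
    if len(blob) != WALDO_SIZE:
        raise ValueError("waldo size %d, expected %d" % (len(blob), WALDO_SIZE))
    spool_dir, filebase, ts, idx = struct.unpack(WALDO_FMT, blob)
    cstr = lambda raw: raw.split(b"\0", 1)[0].decode("utf-8", "replace")
    return {"spool_dir": cstr(spool_dir), "spool_filebase": cstr(filebase),
            "timestamp": ts, "record_idx": idx}

def build_waldo(spool_dir, filebase, ts, idx):
    """Pack a waldo blob; used here only to construct the sample input."""
    return struct.pack(WALDO_FMT, spool_dir.encode(), filebase.encode(), ts, idx)

def spool_timestamps(names, filebase):
    """Unix timestamps of spool files named <filebase>.<ts>, oldest first."""
    stamps = []
    for name in names:
        base, _, suffix = name.rpartition(".")
        if base == filebase and suffix.isdigit():
            stamps.append(int(suffix))
    return sorted(stamps)

def check_waldo(waldo, configured_filebase, spool_names):
    """Compare the saved waldo position with the -f filebase and the spool files
    actually present. Returns a list of findings; an empty list means in sync."""
    findings = []
    if waldo["spool_filebase"] != configured_filebase:
        findings.append("waldo filebase %r overrides -f %r; remove the waldo to resync"
                        % (waldo["spool_filebase"], configured_filebase))
    live = spool_timestamps(spool_names, configured_filebase)
    if live and live[-1] > waldo["timestamp"]:
        findings.append("newest %s spool (%d) is newer than the waldo position (%d)"
                        % (configured_filebase, live[-1], waldo["timestamp"]))
    return findings

# Constructed sample reproducing the issue: waldo still points at snort.log.1478897504
# while barnyard2 runs with -f snort.u2 and newer snort.u2.* files exist (made-up stamps).
SAMPLE_WALDO = parse_waldo(build_waldo("/var/log/snort", "snort.log", 1478897504, 0))
SAMPLE_SPOOL = ["snort.log.1478897504", "snort.u2.1489670000", "snort.u2.1489673600"]
SAMPLE_FINDINGS = check_waldo(SAMPLE_WALDO, "snort.u2", SAMPLE_SPOOL)
```

On a live sensor, read the waldo with open(path, "rb").read() and pass os.listdir() of the spool directory in place of the constructed list.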

sessionking33 commented 7 years ago

Disregard. I changed the log file to snort-unified and deleted the waldo file and it is now working.

You guys must have been "damn, another database not updating issue??" You have a lot of data on this site to sift through.