Hi,
I'm new to Barnyard, just installed it today. I've had Snort running
for close to a year now with it logging to syslog and mysql. With the
installation of Barnyard today, I was hoping to have that do the logging
for me. But I've run into a small snag.
For more background info, I'm running FreeBSD 4.11 along with Snort
2.3.0 and Barnyard 0.2.0.
When I run Barnyard in single file batch process mode it works fine, I
get the data sent to my syslog server and the mysql database.
barnyard -c /usr/local/etc/barnyard.conf -o /var/log/snort/snort.alert.1120071651
However, when I try to run it in continual-processing mode I
immediately get a Segmentation Fault and a barnyard core dump.
barnyard -w /usr/local/etc/barn.waldo -c /usr/local/etc/barnyard.conf -f /var/log/snort/snort.alert
I did a quick search through the archives and noticed someone else had
a similar problem, but they were including the timestamp on their
"snort.alert" file when they tried to run in continual-processing mode.
There was one reply that said to get rid of the timestamp, as it
wasn't needed for continual-processing mode. As you can see from the
above examples of what I used to start barnyard, I haven't included
the timestamp, yet I still get a core dump in continual-processing mode.
I have all other logging commented out in my snort.conf file, and the
following is my entry for unified logging.
#
output alert_unified: filename snort.alert, limit 128
#output log_unified: filename snort.log, limit 128
#
The following is a snippet from my barnyard.conf file.
#
config sid-msg-map: /usr/local/share/snort/bleeding-sid-msg.map
#config sid-msg-map: /usr/local/etc/sid-msg.map
config gen-msg-map: /usr/local/etc/gen-msg.map
config class-file: /usr/local/share/snort/classification.config
# use localtime instead of UTC (*not* recommended because of timewarps)
config localtime
# set the hostname (currently only used for the acid db output plugin)
config hostname: localhost
# set the interface name (currently only used for the acid db output plugin)
config interface: xl1
# set the filter (currently only used for the acid db output plugin)
#config filter: not port 22
output alert_fast: /var/log/snort/alerts.out
output log_dump
output alert_syslog: LOG_LOCAL3 | LOG_ALERT | LOG_PID
output alert_acid_db: mysql, database snort, server localhost, user snortusername, password snortpassword, detail full
#
I don't understand the problem I'm having as it works fine in batch
file mode. I have tried continual-processing mode with and without the
waldo file and that makes no difference at all. I really need the live
logging, so batch processing is not a good option for me. If I can't
get barnyard working properly in continual-processing mode I will have
to go back to having Snort do all the logging for me.
If anyone can point out what I'm doing wrong it'd be appreciated.
Thanks,
Scott
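The post above shows the two things that have to line up for continual-processing mode: the `filename` given to Snort's `alert_unified` output (Snort appends an epoch timestamp when it writes each spool file, as in `snort.alert.1120071651`), and the bare base name handed to barnyard's `-f`, plus a waldo file that barnyard can write. The following pre-flight script is an added example, not code from the original post or from the Barnyard project; it only checks the spool directory and arguments and never runs barnyard itself. It assumes the `<filename>.<epoch>` naming convention shown in the post and a writable directory for the `-w` waldo file; all sample paths are constructed.

```shell
#!/bin/sh
# Added example (not from the original post or the Barnyard project):
# sanity-check the inputs to "barnyard -w <waldo> -c <conf> -f <base>"
# before starting continual-processing mode.
# Assumptions: Snort's alert_unified output writes <base>.<epoch-seconds>
# into the log directory; barnyard's -f wants the bare <base> with no
# timestamp; the directory holding the waldo (bookmark) file must be
# writable so barnyard can record its position.

# Print every spool file Snort has written for <base> in <dir>.
# Returns 0 when at least one such file exists, 1 when none do.
find_unified_files() {
    dir="$1"
    base="$2"
    found=1
    for f in "$dir/$base".*; do
        [ -f "$f" ] || continue
        suffix="${f##*.}"
        # Only a purely numeric suffix is a Snort rotation timestamp;
        # ignore things like snort.alert.old.
        case "$suffix" in
            ''|*[!0-9]*) continue ;;
        esac
        echo "$f"
        found=0
    done
    return $found
}

# Return 1 when the -f argument already carries a 10-digit epoch suffix
# (the mistake mentioned in the list archive), 0 when it is a bare name.
base_has_no_timestamp() {
    case "$1" in
        *.[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]) return 1 ;;
        *) return 0 ;;
    esac
}

# Return 0 when the waldo file's directory exists and is writable.
waldo_dir_writable() {
    d=$(dirname "$1")
    [ -d "$d" ] && [ -w "$d" ]
}

# Run all three checks; usage: preflight <logdir> <base> <waldo-file>
preflight() {
    rc=0
    if base_has_no_timestamp "$2"; then
        echo "ok: -f base name '$2' carries no timestamp"
    else
        echo "problem: pass the bare name to -f, Snort adds the timestamp"
        rc=1
    fi
    if find_unified_files "$1" "$2" >/dev/null; then
        echo "ok: unified spool files for '$2' found in $1"
    else
        echo "problem: no '$2.<epoch>' files in $1 (is alert_unified enabled?)"
        rc=1
    fi
    if waldo_dir_writable "$3"; then
        echo "ok: waldo directory for '$3' is writable"
    else
        echo "problem: cannot write the waldo file in $(dirname "$3")"
        rc=1
    fi
    return $rc
}

# Example invocation with the constructed paths from the post:
#   sh preflight.sh /var/log/snort snort.alert /usr/local/etc/barn.waldo
if [ $# -eq 3 ]; then
    preflight "$1" "$2" "$3"
fi
```

Run it with the same log directory, base name and waldo path you intend to give barnyard; any "problem:" line points at a mismatch that is worth fixing before digging into the core dump.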