
Snort Forums Archive


Barnyard and Acid


Posted by MaoHi on March 07, 2005 22:39:55

hi,

I have a 2-tier Snort setup with snort and barnyard running on one
box, and mysql/acid running on another.

I have snort configured with the following options:

snort.conf:

output log_unified: filename snort.unified.log, limit 128


and barnyard.conf configured as follows:

config hostname: localhost
config interface: eth0
output alert_acid_db: mysql, database snort, server ids.domain.com, user snort, password snort
output log_acid_db: mysql, database snort, server ids.domain.com, user snort, password snort, detail full

I run snort like:

/usr/local/bin/snort -c /etc/snort/snort.conf -i eth0 -D

and barnyard like:

/usr/local/bin/barnyard -c /etc/snort/barnyard.conf -p /etc/snort/classification.config \
  -f snort.unified.log -g /etc/snort/rules/gen-msg.map -s etc/snort/rules/sid-msg.map \
  -w /usr/local/snortlogs/barnyard.waldo

Data appears in the db in almost all tables, but nothing is showing
up in ACID: all acid_* tables are empty. The sensor table isn't empty:
there is one row (inserted by barnyard, not by me), which is:

sid  hostname  interface  filter  detail  encoding  last_cid
---  --------  ---------  ------  ------  --------  --------
1    sensor    eth0       NULL    1       0         0


Anybody know why ACID doesn't insert anything into the acid_* tables?

Thanks,

MaoHi

Posted by MaoHi on March 07, 2005 23:54:16

Actually, data appears in the db in almost all tables EXCEPT the acid_*
tables (acid_ag, etc.), the *hdr tables (iphdr, etc.) and the data table, which
are empty.

Anybody know why ACID doesn't insert anything into the acid_* tables, and why I
have nothing in the hdr* tables and the data table?

Thanks in advance,

MaoHi
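A few diagnostic queries for the symptom above (added here; not posted by anyone in the thread), run against the stock Snort/ACID MySQL schema. They assume the standard table and column names (sensor, event, iphdr, data, keyed by sid/cid) and show whether the event rows barnyard wrote have matching header and payload rows, and whether sensor.last_cid is in step with the event table.

```sql
-- Constructed diagnostic queries for the Snort/ACID MySQL schema
-- (tables sensor, event, iphdr, data); not part of the original thread.

-- 1. Compare what the sensor row claims (last_cid) with what is
--    actually in the event table for that sensor id. A last_cid of 0
--    next to a non-zero event count points at the writer, not ACID.
SELECT s.sid, s.hostname, s.interface, s.detail, s.last_cid,
       COUNT(e.cid) AS events_in_db,
       MAX(e.cid)   AS highest_cid
FROM sensor s
LEFT JOIN event e ON e.sid = s.sid
GROUP BY s.sid, s.hostname, s.interface, s.detail, s.last_cid;

-- 2. Events with no IP header row. If every event is listed here,
--    only alert-style records (no packet data) are reaching the DB.
SELECT e.sid, COUNT(*) AS events_without_iphdr
FROM event e
LEFT JOIN iphdr h ON h.sid = e.sid AND h.cid = e.cid
WHERE h.cid IS NULL
GROUP BY e.sid;

-- 3. Events with no payload row. With "detail full" on the log
--    output, packets that carry a payload should produce one.
SELECT e.sid, COUNT(*) AS events_without_payload
FROM event e
LEFT JOIN data d ON d.sid = e.sid AND d.cid = e.cid
WHERE d.cid IS NULL
GROUP BY e.sid;
```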

Posted by tag on March 17, 2005 12:37:23

I ran into the same problem with snort 2.3.2 and barnyard 0.2.0.

First, I believe you only need to use one output method with barnyard (output log_acid_db). Second, you need to specify the base filename that barnyard should process. Here is an excerpt from one of my shell scripts that starts snort . . .

($INT is the interface name, i.e. eth1, eth2, etc.)

/usr/local/bin/barnyard -c /etc/snort/$INT.barnyard.conf -d /var/log/snort/$INT \
-s /etc/snort/rules/sid-msg.map -g /etc/snort/rules/gen-msg.map \
-p /etc/snort/rules/classification.config -f snort-unified.log \
-n -X /var/log/snort/$INT-barnyard.pid

Posted by tag on March 17, 2005 12:42:36

Oops just realized you did have the base filename in there . . .

I honestly don't know why I ran into the same problem, and your config looks pretty close to mine. But after playing around for a while it just started working. Good luck!