firnsy / barnyard2

Barnyard2 is a dedicated spooler for Snort's unified2 binary output format.

License: GNU General Public License v2.0

Shell 0.11% C 96.84% PLSQL 0.48% Makefile 0.16% M4 2.18% Perl 0.23%

barnyard2's People

Contributors

binf, bjornsen, bradvoth, cscogrady, cvandeplas, dogbert2, firnsy, froschi, jasonish, jsiwek, kleptog, pecastro, reedloden, regit, schnaffon, shredder12, topnotcher, victorjulien


barnyard2's Issues

change log of year timestamp

Hello.

Is it possible to change the current timestamp representation from MM/DD/YY (which is a bit confusing) to YY/MM/DD or YYYY/MM/DD? The proposed ones can be lexicographically compared without permutations.

diff -uNr barnyard2-1.8.orig/src/util.c barnyard2-1.8/src/util.c
--- barnyard2-1.8.orig/src/util.c<->2010-03-03 14:02:11.000000000 +0300
+++ barnyard2-1.8/src/util.c<-->2011-11-02 10:38:44.160415128 +0400
@@ -213,8 +213,8 @@
if(BcOutputIncludeYear())
{
(void) SnortSnprintf(timebuf, TIMEBUF_SIZE,

  •                    "%02d/%02d/%02d-%02d:%02d:%02d.%06u ",
    
  •                    lt->tm_mon + 1, lt->tm_mday, lt->tm_year - 100,
    
  •                    "%04d/%02d/%02d-%02d:%02d:%02d.%06u ",
    
  •                    lt->tm_year + 1900, lt->tm_mon + 1, lt->tm_mday,
                     s / 3600, (s % 3600) / 60, s % 60,
                     (u_int) tvp->tv_usec);
    
    }
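Review bot: the hunk switches the BcOutputIncludeYear() branch to a four-digit YYYY/MM/DD layout unconditionally, so every downstream parser that keys on the existing MM/DD/YY alert prefix (syslog filters, log shippers, status scripts) breaks silently on upgrade. Make the new layout opt-in (a config keyword next to the one that enables the year) or add it as a separate format instead of replacing the existing one, and say in the description that `lt->tm_year + 1900` also removes the two-digit wrap of `lt->tm_year - 100` for years outside 2000-2099.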

Compile warnings in spo_alert_unixsock.c

Noticed these when compiling latest git:

spo_alert_unixsock.c: In function ‘AlertUnixSockCleanExit’:
spo_alert_unixsock.c:385: warning: implicit declaration of function ‘free’
spo_alert_unixsock.c:385: warning: incompatible implicit declaration of built-in function ‘free’
spo_alert_unixsock.c:390: warning: incompatible implicit declaration of built-in function ‘free’
spo_alert_unixsock.c: In function ‘AlertUnixSockRestart’:
spo_alert_unixsock.c:403: warning: incompatible implicit declaration of built-in function ‘free’
spo_alert_unixsock.c:408: warning: incompatible implicit declaration of built-in function ‘free’

1.13: src/mstring.c missing sys/socket.h

On Solaris the sockaddr struct requires <sys/socket.h>

cc -xtarget=ultra -m64 -xcode=pic32 -DHAVE_CONFIG_H -I. -I.. -Isfutil  -I/usr/local/include -DBSD_COMP -D_REENTRANT -I/usr/local/include -DSUP_IP6 -DMPLS -I/usr/local/mysql/include -DENABLE_MYSQL -DMYSQL_SSL_SUPPORT -I/usr/local/include -DENABLE_ODBC -I/usr/local/include -DENABLE_POSTGRESQL -I/usr/local/include/tcl8.6 -DENABLE_TCL  -g -mcpu=v9 -c mstring.c
cc: Warning: Option -mcpu=v9 passed to ld, if ld is invoked, ignored otherwise
"/usr/include/net/route.h", line 65: incomplete struct/union/enum sockaddr: ro_dst
"/usr/include/sys/socket_impl.h", line 51: (struct) tag redeclared: sockaddr
cc: acomp failed for mstring.c
gmake[3]: *** [mstring.o] Error 2
gmake[3]: Leaving directory `/var/tmp/barnyard2-1.13/src'

This diff adds it

--- barnyard2-1.13/src/mstring.c.orig   Mon Aug 12 13:52:05 2013
+++ barnyard2-1.13/src/mstring.c        Mon Aug 12 13:52:23 2013
@@ -49,6 +49,7 @@
 #include <string.h>
 #include <ctype.h>
 #include <sys/types.h>
+#include <sys/socket.h>

 #include "mstring.h"
 #include "debug.h"
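Review bot: the include is added without a word of explanation, so the next cleanup of mstring.c (a string utility with no obvious need for socket headers) is likely to drop it and reintroduce the Solaris breakage shown above, where <net/route.h> is compiled before struct sockaddr is complete. Add a one-line comment stating why <sys/socket.h> must precede the other system headers on Solaris, or better, find which include drags <net/route.h> into mstring.c and fix the ordering there.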

odlaw.pl tool error

Hello.

I just ran into a weird behaviour of the odlaw.pl tool from barnyard2/tools.

Since this morning (at least), all our servers that report snort/barnyard2 status based on a shell script which uses odlaw.pl started complaining that b2 was following a non-existent file. After checking the reason, on all servers, when running odlaw.pl -r <b2_waldo_file>, Perl would complain like this:

# ./odlaw.pl -r /var/log/snort/barnyard2.waldo 
waldo: /var/log/snort/barnyard2.waldo
{
 directory = /var/log/snort
 filebase = snort.log
Use of uninitialized value in concatenation (.) or string at ./odlaw.pl line 101.
 timestamp = 
Use of uninitialized value in concatenation (.) or string at ./odlaw.pl line 102.
 record = 
}
[!] Read waldo data is incomplete or corrupted.

After some digging, I found out the reason was that the timestamp logged in the waldo file (1326104643) contains a 0x0A byte in hex, which Perl, when reading the waldo file with <FD>, treated as a newline and so did not feed all the file data into the unpack function. As such, the unpack function got less than expected and returned bad data (undef) for the timestamp and record fields.

Hexdump on the waldo file showed the following:

# hexdump barnyard2.waldo 
0000000 762f 7261 6c2f 676f 732f 6f6e 7472 0000
0000010 0000 0000 0000 0000 0000 0000 0000 0000
*
0000400 6e73 726f 2e74 6f6c 0067 0000 0000 0000
0000410 0000 0000 0000 0000 0000 0000 0000 0000
*
0000800 c043 4f0a 0014 0000                    
0000808

The quick and dirty solution was to unset the native system's line terminator by inserting this line at line 70:
local $/ = undef;

This way without any line terminator character defined, Perl "slurped" all the file and fed it into the unpack function and odlaw.pl worked again.

Since this condition only rarely happens (but it's not impossible), I just wanted to let you guys know about it in case you might want to patch it.

The patch would be the following:

--- odlaw.pl    2011-11-17 19:48:44.000000000 +0200
+++ odlaw.pl   2012-01-09 13:30:50.000000000 +0200
@@ -67,7 +67,6 @@ sub waldo_read
     # read the data
     if ( open (FD, "<$file") )
     {
+        local $/ = undef;
         my $waldo_raw = <FD>;
         # unpack
         @values{@fields} = unpack("Z[".MAX_FILEPATH_BUF."] Z[".MAX_FILEPATH_BUF."] L L", $waldo_raw);
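Review bot: the hunk header `@@ -67,7 +67,6 @@` does not match a change that adds one line and removes none (the new side should count eight lines, `+67,8`), so this diff was hand-edited and will not apply with patch(1); regenerate it with diff -u. On the fix itself: `local $/ = undef;` makes the single `<FD>` read return the whole file, which is what unpack needs, but the waldo is binary data, so also call `binmode(FD)` after the open and check that `length($waldo_raw)` equals the packed size (2 * MAX_FILEPATH_BUF + 8 for `Z[] Z[] L L`) before unpacking, so a short or still-growing file is reported as truncated instead of yielding undef fields again.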

Thank you for your time.
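As an added example (not part of the original issue and not one of barnyard2's own tools), the same waldo layout read safely in Python: the file is fixed-size binary, so it is read by length rather than by line, and a 0x0A byte inside the timestamp is just data. The field sizes are inferred from the hexdump above (filebase at 0x400, integers at 0x800, 0x808 bytes in total) and the timestamp from the post is used as constructed sample data. Little-endian integers are an assumption taken from the dump; Perl's `L` is native order, so a big-endian sensor would differ.

```python
import struct

# Layout inferred from the hexdump in the post: directory string at offset 0,
# filebase at 0x400, the two integers at 0x800, 0x808 bytes in total. So
# MAX_FILEPATH_BUF is 1024 and the record is 2 * 1024 + 2 * 4 = 2056 bytes.
MAX_FILEPATH_BUF = 1024
# Perl's "L" is a native-endian 32-bit unsigned. The dump shows the bytes
# 43 c0 0a 4f for 0x4f0ac043 == 1326104643, i.e. little-endian, which is
# assumed here; a big-endian sensor would need ">" instead.
WALDO_FORMAT = "<%ds%dsII" % (MAX_FILEPATH_BUF, MAX_FILEPATH_BUF)
WALDO_SIZE = struct.calcsize(WALDO_FORMAT)  # 2056


def build_waldo(directory, filebase, timestamp, record_idx):
    """Construct a waldo image (sample data, not taken from a real sensor)."""
    return struct.pack(WALDO_FORMAT, directory.encode(), filebase.encode(),
                       timestamp, record_idx)


def line_read_length(data):
    """Bytes a line-oriented read (Perl's <FD> with the default $/) returns."""
    newline = data.find(b"\n")
    return len(data) if newline < 0 else newline + 1


def parse_waldo(data):
    """Decode a complete waldo image; embedded 0x0A bytes are just data."""
    if len(data) != WALDO_SIZE:
        raise ValueError("waldo is %d bytes, expected %d" % (len(data), WALDO_SIZE))
    directory, filebase, timestamp, record_idx = struct.unpack(WALDO_FORMAT, data)
    # Perl's Z[n] is a NUL-terminated field: keep the bytes before the first NUL.
    return {
        "directory": directory.split(b"\0", 1)[0].decode(),
        "filebase": filebase.split(b"\0", 1)[0].decode(),
        "timestamp": timestamp,
        "record": record_idx,
    }


def load_waldo(path):
    """Read the file in binary mode by size, never by line."""
    with open(path, "rb") as fh:
        return parse_waldo(fh.read(WALDO_SIZE))


if __name__ == "__main__":
    # The timestamp from the post: 0x4f0ac043 carries a 0x0a byte, so a
    # line-based read stops 5 bytes short and unpack sees a truncated record.
    bad = build_waldo("/var/log/snort", "snort.log", 1326104643, 20)
    print("line read would deliver", line_read_length(bad), "of", WALDO_SIZE)
    print(parse_waldo(bad))
```

Any timestamp whose third byte happens to be 0x0A (one in 256 of them) triggers the original failure; reading by size removes the dependency on the byte values altogether.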

Calling output plugins with a "LOG" format

Hello,

I notice that in ./src/spooler.c, line 729 comments "call output plugins with a "LOG" format (Packet information only)". However, the output type in line 733 is "OUTPUT_TYPE__SPECIAL". I'm wondering is it a typo or it is designed to be so?

Thanks in advance.

firnsy-barnyard2-2f5d496 fails to compile

And there we go:

gcc -DHAVE_CONFIG_H -I. -I../.. -I.. -I ../sfutil -DSUP_IP6 -DGRE -I/usr/include/mysql -DENABLE_MYSQL -I/usr/local/include/tcl8.5 -DENABLE_TCL -g -O2 -fno-strict-aliasing -Wall -c spo_syslog_full.c
spo_syslog_full.c: In function ‘Syslog_FormatIPHeaderAlert’:
spo_syslog_full.c:499:9: error: incompatible type for argument 1 of ‘sfip_to_str’
../sfutil/sf_ip.h:426:7: note: expected ‘const struct sfip_t *’ but argument is of type ‘const struct in_addr *’
spo_syslog_full.c:502:2: error: incompatible type for argument 1 of ‘sfip_to_str’
../sfutil/sf_ip.h:426:7: note: expected ‘const struct sfip_t *’ but argument is of type ‘const struct in_addr *’
spo_syslog_full.c: In function ‘NetSend’:
spo_syslog_full.c:1821:9: warning: format not a string literal and no format arguments
make[3]: *** [spo_syslog_full.o] Error 1
make[3]: Leaving directory `/home/jlay/firnsy-barnyard2-2f5d496/src/output-plugins'
make[2]: *** [all-recursive] Error 1
make[2]: Leaving directory `/home/jlay/firnsy-barnyard2-2f5d496/src'
make[1]: *** [all-recursive] Error 1
make[1]: Leaving directory `/home/jlay/firnsy-barnyard2-2f5d496'
make: *** [all] Error 2

MySQL connection re-use

Hello,

Barnyard2 is configured to log to a remote site via VPN but at one point that connection failed with the following logged:

Apr 18 11:16:34 fw92 barnyard2[2652]: database: mysql_error: Can't connect to MySQL server on 'xxx.xxx.xxx.xxx' (110)
Apr 18 11:16:34 fw92 barnyard2[2652]: database: Failed to logon to database 'xxxxx'

at that point the barnyard2 process died. Would it be possible for it to try and re-establish the connection, perhaps on a sliding timeline?

Thank you for a brilliant tool.

Snort not logging IPv6 attacker source and destination, checksum etc

Hello
I have set up snort 2.9.4 with barnyard2-1.11 and aanval (for the frontend). Everything is working fine in the case of IPv4, but when I try snort on IPv6 it logs the alert but does not include the source, destination, Hdr Len, TTL, Checksum detail on the aanval frontend (in fact aanval detects only that the version is IPv6). It also does not show the type of attack, whether it is TCP/UDP/ICMP.

Please help

barnyard2 empty logs

Greetings,

I'm setting up a fresh installation with snort, barnyard2 and snorby. Actually I've snort up & running with unified log, and barnyard2 seems to read them, but it does not produce any output. This is my configuration:

barnyard2.conf

# this is for debugging purposes
output alert_fast: /var/log/snort/alert_barnyard2,stdout

# this is the output to mysql, for snorby
output database: log, mysql, user=snorby password=password dbname=snorby host=localhost

and I run barnyard this way:

barnyard2 -c /etc/snort/barnyard.conf -d /var/log/snort -f snort.log -w /var/log/snort/snort.log

Running in Continuous mode

    --== Initializing Barnyard2 ==--

Initializing Input Plugins!
Initializing Output Plugins!
Parsing config file "/etc/snort/barnyard.conf"
Log directory = /var/log/barnyard2
No arguments to alert_syslog preprocessor!
database: compiled support for (mysql)
database: configured to use mysql
database: schema version = 107
database: host = localhost
database: user = snorby
database: database name = snorby
database: sensor name = provincia-ids:NULL
database: sensor id = 1
database: sensor cid = 1
database: data encoding = hex
database: detail level = full
database: ignore_bpf = no
database: using the "log" facility

    --== Initialization Complete ==--

          ______   -*> Barnyard2 <*-
         / ,,_  \  Version 2.1.9 (Build 263)
         |o"  )~|  By the SecurixLive.com Team: http://www.securixlive.com/about.php
         + '''' +  (C) Copyright 2008-2010 SecurixLive.

                   Snort by Martin Roesch & The Snort Team: http://www.snort.org/team.html
                   (C) Copyright 1998-2007 Sourcefire Inc., et al.

Using waldo file '/var/log/snort/snort.log':
spool directory = /var/log/snort
spool filebase = snort.log
time_stamp = 1365436206
record_idx = 131269
Opened spool file '/var/log/snort/snort.log.1365436206'
Waiting for new data

I cannot figure out what is wrong here, can you help me please?

Best regards,
Lorenzo

HOWTO: Compiling on Solaris

For the archives.

When using the Sun Studio 12.3 compiler on Solaris:

  • We remove the -mcpu=v9
  • We fix the Unified2IDSEvent6_legacy issue
  • We include <sys/socket.h> in mstring.c

The other dependent software can be found on the Solaris Package Archive
http://www.ibiblio.org/pub/packages/solaris/sparc/

cd /var/tmp
rm -rf barnyard2-1.9
gunzip -c /usr/local/src/security/barnyard2-1.9.tar.gz | tar -xvf -
cd barnyard2-1.9
/bin/perl -pe 's%-mcpu=v9%%g'  -i configure
/bin/perl -pe 's%Unified2IDSEvent6_legacy%Unified2IDSEventIPv6%g'  -i src/output-plugins/spo_platypus.c
/bin/perl -pe "s%^#include <sys/types.h>%#include <sys/types.h>\n#include <sys/socket.h>%" -i src/mstring.c
./configure --prefix=/usr/local \
    --enable-ipv6 \
    --enable-mpls \
    --with-libpcap-includes=/usr/local/include \
    --with-libpcap-libraries=/usr/local/lib \
    --with-libprelude-prefix=/usr/local \
    --with-tcl=/usr/local/lib \
    --with-mysql=/usr/local/mysql \
    --with-mysql-includes=/usr/local/mysql/include \
    --with-mysql-libraries=/usr/local/mysql/lib \
    --with-odbc \
    --with-postgresql=/usr/local \
    --with-pgsql-includes=/usr/local/include
gmake
gmake install

feature request: disablesid type functionality

I sometimes have occasion to rebuild my database from historical unified2 logs. It would be nice if I could tell barnyard2 to ignore particular SIDs which are present in the u2 logs but which I no longer wish to see as historical alerts from the database.

I think it would be possible to rewrite the u2 logs such that they simply do not contain alerts for these SIDs, but it would be more convenient if by2 could just ignore them for me.

I may try to submit a patch for this, although my C is terrible so I wouldn't expect it would be very good quality. :-)

Possible bug when attempting to start barnyard2 against a new snort database?

Greetings, please forgive me if this is not the appropriate place to start this thread.

I've updated barnyard2 from Version 2.1.9 (Build 263) to Version 2.1.10 (Build 310) and now I encounter the following error when attempting to start barnyard2 with my existing parameters.

barnyard2 -c /usr/local/etc/barnyard2.conf -d /data/snort -f snort.log -l /var/log/barnyard2 -w /data/snort/barnyard.waldo
...
barnyard2: FATAL ERROR: database [DatabaseInitFinalize()]: CacheSynchronize() call failed ...

Unfortunately there is no more details in the error, and nothing is logged.

If I look at my mysql server transaction log, it looks like the error occurs just after a SELECT is attempted on a database table with no data (this is a new snort database with the same schema that I have always used). Is this table required to be populated before barnyard2 will start successfully?

SELECT sig_class_id, sig_class_name FROM sig_class ORDER BY sig_class_id ASC

1.13: missing strndup in Solaris

The strndup function is not in a lot of older Unix O.S's.

strndup():
    Since glibc 2.10: 
    POSIX_C_SOURCE >= 200809L || _XOPEN_SOURCE >= 700 
    Before glibc 2.10: 
    _GNU_SOURCE 

so we get these errors on Solaris <= 10.

libtool: link: cc -g -o barnyard2 barnyard2.o debug.o decode.o log.o log_text.o map.o mstring.o parser.o plugbase.o spooler.o strlcatu.o strlcpyu.o twofish.o util.o  -L/usr/local/lib -L/usr/local/mysql/lib output-plugins/libspo.a input-plugins/libspi.a sfutil/libsfutil.a -lmysqlclient -lpcap -lrt /usr/local/lib/libodbc.so /usr/local/lib/libltdl.so /usr/local/lib/libiconv.so -lthread -lpq -ldl -lz -lsocket -lnsl -lpthread -lsunmath -lm -ltcl8.6 -mt -R/usr/local/lib -R/usr/local/lib -R/usr/local/mysql/lib
Undefined                       first referenced
 symbol                             in file
strndup                             barnyard2.o
ld: fatal: Symbol referencing errors. No output written to barnyard2
gmake[3]: *** [barnyard2] Error 2
gmake[3]: Leaving directory `/var/tmp/barnyard2-1.13/src'

This diff adds it. Should check for it in configure. The '__sun' check works for Solaris.

--- barnyard2-1.13.orig/src/util.c      Mon May 27 14:04:34 2013
+++ barnyard2-1.13/src/util.c   Wed Aug 14 13:58:50 2013
@@ -507,7 +507,7 @@
     }
     else
     {
-        vfprintf(stderr, format, ap);
+        if (ap) { vfprintf(stderr, format, ap); }
     }

     va_end(ap);
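Review bot: the `if (ap) { vfprintf(stderr, format, ap); }` guard is unrelated to the missing strndup and is not portable C: va_list is an array type on common ABIs (x86-64 gcc, for one), where `if (ap)` is always true, and a pointer or struct elsewhere, where it may not compile at all. A va_list initialised by va_start is always valid at this point, so drop this hunk or send it as a separate change together with the Solaris compiler diagnostic it is meant to silence.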
@@ -2755,3 +2755,24 @@

     return 0;
 }
+
+#if defined(__sun)
+/* Written by Kaveh R. Ghazi <[email protected]> */
+char *
+strndup (const char *s, size_t n)
+{
+  char *result;
+  size_t len = strlen (s);
+
+  if (n < len)
+    len = n;
+
+  result = (char *) malloc (len + 1);
+  if (!result)
+    return 0;
+
+  memcpy (result, s, len);
+  result[len] = '\0';
+  return(result);
+}
+#endif
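Review bot: `size_t len = strlen (s);` scans past the first n bytes, so this replacement reads beyond the caller's buffer whenever s is not NUL-terminated within n, which is exactly the case strndup exists for; bound the scan (`for (len = 0; len < n && s[len]; len++)`) before the malloc. Also, as the description itself says, keying the fallback on `#if defined(__sun)` instead of a configure-time HAVE_STRNDUP check leaves other libcs without strndup broken and will collide with a Solaris release that does provide it (the post's "Solaris <= 10" implies newer ones do); add an AC_CHECK_FUNCS([strndup]) test and a prototype in a shared header so barnyard2.o does not depend on an implicit declaration.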

Release Record 110 Fixes for snort 2.9.x

Barnyard2 1.8 (and I believe 1.9-beta1 based on its datestamp, although I haven't tested) crash with snort 2.9.x due to the introduction of new unified2 record-types:

http://blog.nielshorn.net/2010/11/barnyard2-unknown-record-type-read-110/

I believe that commit d023f5d fixed this issue, but isn't yet available in a stable-release. Consider pushing a release to make this fix generally available as it is a significant bug.

As a workaround, barnyard2 users can disable enable_xff and inspect_gzip in the http_inspect preprocessor, but that results in a trivial evasion of inspection of http traffic by gzipping it during transport.

Hi. I have a problem with Snort. Barnyard doesn't connect to MySQL. My database is empty. PLS help me!!!

I can see alert in directory /var/log/snort/alert.

09/08-19:32:20.120500 [**] [1:10000002:0] Test WWW [**] [Priority: 0] {TCP} 173.194.112.72:80 -> 192.168.163.156:47431
09/08-19:32:20.120511 [**] [1:10000002:0] Test WWW [**] [Priority: 0] {TCP} 192.168.163.156:47431 -> 173.194.112.72:80
09/08-19:32:20.120561 [**] [1:10000002:0] Test WWW [**] [Priority: 0] {TCP} 173.194.112.72:80 -> 192.168.163.156:47431
09/08-19:32:20.120568 [**] [1:10000002:0] Test WWW [**] [Priority: 0] {TCP} 173.194.112.72:80 -> 192.168.163.156:47431
09/08-19:32:20.120572 [**] [1:10000002:0] Test WWW [**] [Priority: 0] {TCP} 192.168.163.156:47431 -> 173.194.112.72:80
09/08-19:32:20.120606 [**] [1:10000002:0] Test WWW [**] [Priority: 0] {TCP} 173.194.112.72:80 -> 192.168.163.156:47431
09/08-19:32:20.159739 [**] [1:10000002:0] Test WWW [**] [Priority: 0] {TCP} 192.168.163.156:47431 -> 173.194.112.72:80

But when I started barnyard it was not working.

[root@localhost snort]# /usr/local/bin/barnyard2 -c /etc/snort/barnyard.conf -d /var/log/snort -f snort.log -w /var/log/snort/barnyard.waldo -G /etc/snort/gen-msg.map -S /etc/snort/sid-msg.map -C /etc/snort/classification.config &
[1] 6919
[root@localhost snort]# Running in Continuous mode

    --== Initializing Barnyard2 ==--

Initializing Input Plugins!
Initializing Output Plugins!
Parsing config file "/etc/snort/barnyard.conf"
ERROR: The sid map file was included two times command line (-S) [/etc/snort/sid-msg.map] and in the configuration file (config sid_map) [/etc/snort/sid-msg.map].
It only need to be defined once.
Fatal Error, Quitting..

Barnyard2 exiting

Record Totals:
Records: 0
Events: 0 (0.000%)
Packets: 0 (0.000%)
Unknown: 0 (0.000%)

Suppressed: 0 (0.000%)

Packet breakdown by protocol (includes rebuilt packets):
ETH: 0 (0.000%)
ETHdisc: 0 (0.000%)
VLAN: 0 (0.000%)
IPV6: 0 (0.000%)
IP6 EXT: 0 (0.000%)
IP6opts: 0 (0.000%)
IP6disc: 0 (0.000%)
IP4: 0 (0.000%)
IP4disc: 0 (0.000%)
TCP 6: 0 (0.000%)
UDP 6: 0 (0.000%)
ICMP6: 0 (0.000%)
ICMP-IP: 0 (0.000%)
TCP: 0 (0.000%)
UDP: 0 (0.000%)
ICMP: 0 (0.000%)
TCPdisc: 0 (0.000%)
UDPdisc: 0 (0.000%)
ICMPdis: 0 (0.000%)
FRAG: 0 (0.000%)
FRAG 6: 0 (0.000%)
ARP: 0 (0.000%)
EAPOL: 0 (0.000%)
ETHLOOP: 0 (0.000%)
IPX: 0 (0.000%)
OTHER: 0 (0.000%)
DISCARD: 0 (0.000%)
InvChkSum: 0 (0.000%)
S5 G 1: 0 (0.000%)
S5 G 2: 0 (0.000%)

Total: 0

ALSO

[root@localhost snort]# /usr/local/bin/barnyard2 -c /etc/snort/barnyard.conf -d /var/log/snort/-f snort.log -w /var/log/snort/barnyard.waldo
Running in Continuous mode

    --== Initializing Barnyard2 ==--

Initializing Input Plugins!
Initializing Output Plugins!
Parsing config file "/etc/snort/barnyard.conf"

+[ Signature Suppress list ]+

+[No entry in Signature Suppress List]+

+[ Signature Suppress list ]+

Barnyard2 spooler: Event cache size set to [2048]
Log directory = /var/log/snort
INFO database: Defaulting Reconnect/Transaction Error limit to 10
INFO database: Defaulting Reconnect sleep time to 5 second
[SignatureReferencePullDataStore()]: No Reference found in database ...
database: compiled support for (mysql)
database: configured to use mysql
database: schema version = 107
database: host = localhost
database: user = snort
database: database name = snort
database: sensor name = localhost:eth0
database: sensor id = 1
database: sensor cid = 1
database: data encoding = hex
database: detail level = full
database: ignore_bpf = no
database: using the "log" facility

    --== Initialization Complete ==--

          ______   -*> Barnyard2 <*-
         / ,,_  \  Version 2.1.13 (Build 327)
         |o"  )~|  By Ian Firns (SecurixLive): http://www.securixlive.com/

Using waldo file '/var/log/snort/barnyard.waldo':
spool directory = /var/log/snort
spool filebase = snort.log
time_stamp = 1378639601
record_idx = 0
Opened spool file '/var/log/snort/snort.log.1378639601'
Waiting for new data

MY Database

mysql> use snort;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
mysql> select * from event;
Empty set (0.00 sec)

Test for PQping always says PQping is supported.

The test for PQping creates a program that tests the version of the Postgres API, but this program never appears to run, and successful compilation is used to turn this flag on or off. Result being that it is always detected as enabled.

To reproduce, try --enable-postgresql on CentOS 6.

Instead, test for PQping by attempting to link with it.

feature request: use inotify to read snort alerts more quickly

At least on Linux,

looking at strace(1) output on the barnyard2 process, we see it sleep one second, and then read the snort unified2 output, and then sleep one second again in a loop. barnyard2 works like "tail -f" has traditionally been working.

That means there can be a delay of up to one second between an alert being generated by snort and it being processed by barnyard2.

It would be better for it to work like "inotail -f", that is to be told by the system as soon as there's new data to be read.

Most Unix-like operating systems at least have a mechanism for that.

On Linux, it's called "inotify" (formerly dnotify). An alternative is to use the more portable "fam" or "gamin" daemons (that typically use inotify underneath on Linux).

This way, barnyard2 would process alerts as soon as they are generated by snort.

./configure broken with postgresql if additional tcl is specified

configure and build with postgresql is OK as long as tcl is not specified.
Tested with src from securixlive and the current git version.

./configure --with-postgresql=/usr/local
[...]
checking for postgresql... yes
checking for PQexec in -lpq... yes
configure: creating ./config.status
config.status: creating Makefile
[...]

./configure --with-postgresql=/usr/local --with-tcl=/usr/local/lib/tcl8.4
checking for postgresql... yes
checking for PQexec in -lpq... no

ERROR! libpq (postgresql) not found!

./configure --with-tcl=/usr/local/lib/tcl8.4
[...]
checking for the tcl version number... 8.4, patchlevel .19
configure: creating ./config.status
config.status: creating Makefile
[...]

./configure --with-mysql --with-tcl=/usr/local/lib/tcl8.4
[...]
checking for mysql... yes
checking for compress in -lz... no
checking for mysql default client reconnect... yes
configure: creating ./config.status
config.status: creating Makefile
[...]

Explain Unified2 Output

Hello
Below is output of snort log using unified2.

(IPv6 Event)
sensor id: 0 event id: 7 event second: 1369738500 event microsecond: 659058
sig id: 1000008 gen id: 1 revision: 1 classification: 9
priority: 1 ip source: X:X:X:X::X ip destination: X:X:X:X::X
src port: 21 dest port: 38469 protocol: 6 impact_flag: 0 blocked: 0

Packet
sensor id: 0 event id: 7 event second: 1369738500
packet second: 1369738500 packet microsecond: 659058
linktype: 1 packet_length: 108
[ 0] 08 00 27 F5 8B BF 0A 00 27 00 00 00 86 DD 60 00 ..'.....'.....`.
[ 16] 00 00 00 36 06 FE 20 01 0D B8 00 00 F1 02 00 00 ...6.. .........
[ 32] 00 00 00 00 00 02 20 01 0D B8 00 00 F1 01 00 00 ...... .........
[ 48] 00 00 00 00 00 02 00 15 96 45 74 80 B9 1E 05 AD .........Et.....
[ 64] E7 62 80 18 06 F9 20 5A 00 00 01 01 08 0A 00 20 .b.... Z.......
[ 80] FE CD 00 21 B4 80 35 33 30 20 4C 6F 67 69 6E 20 ...!..530 Login
[ 96] 69 6E 63 6F 72 72 65 63 74 2E 0D 0A incorrect...

I do not have any clue about event second and event microsecond. Can anyone explain what these two represent? Is it a combination of year, month, day, hour, second or anything else? Please help me to understand both.

[Version 2.1.11, 2.1.12]dbProcessEventInformation() Fatal Error

I'm using Barnyard2 2.1.11 (Build 319) with Suricata ET rules.
I've been getting the error below.

Output from Barnyard2:

04/03-23:11:35.136144  [**] [1:2100368:7] GPL ICMP_INFO PING BSDtype [**] [Classification: Misc activity] [Priority: 3] {ICMP} ***.***.***.*** -> ***.***.***.***
ERROR: [dbProcessEventInformation()]: Failed, stoping processing
Fatal Error, Quitting..

Output from u2spewfoo:

(Event)
        sensor id: 0    event id: 8493  event second: 1364998295        event microsecond: 136144
        sig id: 2100368 gen id: 1       revision: 7      classification: 29
        priority: 3     ip source: ***.***.***.***       ip destination: ***.***.***.***
        src port: 8     dest port: 0    protocol: 1     impact_flag: 0  blocked: 0

Packet
        sensor id: 0    event id: 8493  event second: 1364998295
        packet second: 1364998295       packet microsecond: 136144
        linktype: 1     packet_length: 142
[    0] 00 00 5E 00 01 0A 00 A0 DE 66 25 46 81 00 03 F6  ..^......f%F....
[   16] 08 00 4F 00 00 7C 00 00 40 00 31 01 BA 3B CC 5D  ..O..|..@.1..;.]
[   32] 82 88 6F 57 6D 0D 01 07 27 28 CC 5D 82 88 CC 5D  ..oWm...'(.]...]
[   48] CC E4 CC 5D C0 F5 40 CA 6F 02 81 FA 04 CA 81 FA  ...]..@.o.......
[   64] C1 D9 6F 57 03 22 7C D3 22 FB CB B5 63 EC 08 00  ..oW."|."...c...
[   80] 50 F9 55 42 00 01 97 38 5C 51 73 36 00 00 08 09  P.UB...8\Qs6....
[   96] 0A 0B 0C 0D 0E 0F 10 11 12 13 14 15 16 17 18 19  ................
[  112] 1A 1B 1C 1D 1E 1F 20 21 22 23 24 25 26 27 28 29  ...... !"#$%&'()
[  128] 2A 2B 2C 2D 2E 2F 30 31 32 33 34 35 36 37        *+,-./01234567

I've confirmed same error 2.1.12 (Build 321).

Could you help?

1.13: LOG_AUTHPRIV + LOG_FTP undefined

Neither LOG_AUTHPRIV nor LOG_FTP is defined in Solaris. Suricata has/had the same problem in util-syslog.c.

--- barnyard2-1.13/src/output-plugins/spo_syslog_full.c.orig    Mon Aug 12 13:43:14 2013
+++ barnyard2-1.13/src/output-plugins/spo_syslog_full.c Mon Aug 12 13:44:26 2013
@@ -66,6 +66,13 @@
 static int NetConnect(OpSyslog_Data *data);
 static int NetTestSocket(OpSyslog_Data *op_data);

+#if !defined(LOG_AUTHPRIV)
+#  define LOG_AUTHPRIV LOG_AUTH
+#endif
+#if !defined(LOG_FTP)
+#  define LOG_FTP LOG_DAEMON
+#endif
+
 //CHECKME: -elz Need to investigate
 //static int Syslog_FormatReference(OpSyslog_Data *data, ReferenceNode *refer);
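Review bot: the fallbacks change meaning rather than merely making the file compile: LOG_AUTHPRIV exists so that authentication messages go to a restricted log, and aliasing it to LOG_AUTH on Solaris routes output the operator configured for the private facility into the general auth log without any notice; LOG_FTP -> LOG_DAEMON is similarly arbitrary. At minimum put a comment on the two #defines saying they are platform compatibility aliases, and have the config parser print a warning when `authpriv` or `ftp` is selected on a platform where the alias is in effect, so the silent downgrade shows up in the startup log.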

Invalid Memcpy call in decode.c leads barnyard2 to crash on some ipv6 events

On https://github.com/firnsy/barnyard2/blob/master/src/decode.c#L4328 SafeMemCpy is called with a length of (pkt - p->pkt). But this function is called on line 2427 with pkt = p->pkt, as set on line 2416.
I'm not sure how to fix this; it might seem logical to copy the whole packet, but that would not be coherent with the SafeMemCpy call on line 4315 (which, by the way, does not seem correct either, since the start parameter should be pseudopacket_buf + SPARC_TWIDDLE and the end should be pseudopacket_buf + SPARC_TWIDDLE + ETHERNET_HEADER_LEN, if I understand well how SafeMemCpy works).

It is somewhat critical since an attacker can make barnyard2 crash if he makes a program write an event into a unified2 file that flows through this part of the code. For example suricata can write such an event.

barnyard2 continuous mode fails to see new logs

Hi

I am using the latest build of barnyard2, Version 2.1.11 (Build 317). When I use batch mode to process the unified2 logs of snort I can see that barnyard2 processes them very well; however, when I try to process the same via continuous mode it fails to recognize the new unified2 log file which snort creates.

Unable to ping the same interface after configure IPv6 address

Hello All
I setup IPv6 in my Ubuntu 12.04 on eth0 using command

"ifconfig eth0 inet6 add 2001:db8:fedc:cdef::1/64"

but when i try to ping eth0 itself using

"ping6 2001:db8:fedc:cdef::1/64"

it always gives

PING 2001:db8:fedc:abcd:0:0:0:2(2001:db8:fedc:abcd::2) 56 data bytes
From ::1 icmp_seq=1 Destination unreachable: Address unreachable
From ::1 icmp_seq=2 Destination unreachable: Address unreachable
From ::1 icmp_seq=3 Destination unreachable: Address unreachable

I think that it is automatically pinging from ::1 to 2001:db8:fedc:abcd::2.

Please help how to solve this.

Handle unknown record-types gracefully

Snort adds new record-types with some regularity, historically these new types have crashed barnyard2 until support has been written in:

http://blog.nielshorn.net/2010/10/barnyard2-solving-the-unknown-record-type-errors/
http://blog.nielshorn.net/2010/11/barnyard2-unknown-record-type-read-110/

While fixes were eventually introduced, the breakage period is difficult for end-users. If barnyard2 encounters a U2 record of unknown type, it should make a best-effort attempt to determine its length and skip to the next record rather than immediately and catastrophically fail.
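Three of the requests on this page come down to walking the unified2 stream record by record: the disablesid request above (dropping events for given SIDs when rebuilding a database from old u2 logs), the "Explain Unified2 Output" question (what event second and event microsecond are), and this one (skipping record types barnyard2 does not know by their length). The following Python is an added example, not barnyard2 or Snort code: it builds a small constructed stream from the two events shown on this page, decodes event second as Unix epoch seconds, filters out a SID together with the packet records that share its event id, and copies records of types it does not understand through unchanged. Record type numbers and field layouts follow Snort's unified2 definitions for the legacy IPv4 event (type 7), packet (type 2) and extra-data (type 110) records; the IPv6 event from the post is represented here by its IPv4 counterpart, and the packet bodies are arbitrary constructed bytes.

```python
import struct
from datetime import datetime, timezone

# Record types from Snort's unified2 definitions (Unified2_common.h).
UNIFIED2_PACKET = 2
UNIFIED2_IDS_EVENT = 7          # legacy IPv4 event, 52 bytes
UNIFIED2_IDS_EVENT_IPV6 = 72    # legacy IPv6 event, 76 bytes (not filtered here)
UNIFIED2_EXTRA_DATA = 110       # the "record type 110" that Snort 2.9 introduced

HEADER = struct.Struct("!II")   # record type, record length (network byte order)
# sensor_id, event_id, event_second, event_microsecond, signature_id,
# generator_id, signature_revision, classification_id, priority_id,
# ip_source, ip_destination, sport_itype, dport_icode, protocol,
# impact_flag, impact, blocked
IDS_EVENT = struct.Struct("!9I4s4sHHBBBB")
# sensor_id, event_id, event_second, packet_second, packet_microsecond,
# linktype, packet_length, followed by packet_length bytes of packet data
PACKET_HDR = struct.Struct("!7I")


def event_time(event_second, event_microsecond):
    """event_second is Unix epoch seconds (UTC); event_microsecond the fraction."""
    return datetime.fromtimestamp(event_second, tz=timezone.utc).replace(
        microsecond=event_microsecond)


def make_record(rtype, payload):
    return HEADER.pack(rtype, len(payload)) + payload


def make_event(sensor_id, event_id, second, usec, sid, gid=1, rev=1,
               classification=0, priority=0, src=b"\0" * 4, dst=b"\0" * 4,
               sport=0, dport=0, proto=6):
    payload = IDS_EVENT.pack(sensor_id, event_id, second, usec, sid, gid, rev,
                             classification, priority, src, dst, sport, dport,
                             proto, 0, 0, 0)
    return make_record(UNIFIED2_IDS_EVENT, payload)


def make_packet(sensor_id, event_id, second, usec, data, linktype=1):
    payload = PACKET_HDR.pack(sensor_id, event_id, second, second, usec,
                              linktype, len(data)) + data
    return make_record(UNIFIED2_PACKET, payload)


def iter_records(data):
    """Yield (type, payload) per record; stop quietly at a truncated tail."""
    off = 0
    while off + HEADER.size <= len(data):
        rtype, length = HEADER.unpack_from(data, off)
        off += HEADER.size
        if off + length > len(data):
            break  # partial record: the writer has not finished it yet
        yield rtype, data[off:off + length]
        off += length


def filter_sids(data, drop_sids):
    """Rewrite a stream without events for drop_sids and their packet records.

    Records of unknown type are copied through by length instead of aborting.
    """
    out = bytearray()
    dropped = set()  # (sensor_id, event_id) of suppressed events
    for rtype, payload in iter_records(data):
        if rtype == UNIFIED2_IDS_EVENT and len(payload) == IDS_EVENT.size:
            fields = IDS_EVENT.unpack(payload)
            sensor_id, event_id, sid = fields[0], fields[1], fields[4]
            if sid in drop_sids:
                dropped.add((sensor_id, event_id))
                continue
        elif rtype == UNIFIED2_PACKET and len(payload) >= PACKET_HDR.size:
            sensor_id, event_id = struct.unpack_from("!II", payload)
            if (sensor_id, event_id) in dropped:
                continue
        out += make_record(rtype, payload)
    return bytes(out)


def event_sids(data):
    """Signature IDs of the IPv4 events in a stream, in order."""
    return [IDS_EVENT.unpack(p)[4] for t, p in iter_records(data)
            if t == UNIFIED2_IDS_EVENT and len(p) == IDS_EVENT.size]


# Constructed sample stream: the two events quoted on this page (sids 1000008
# and 2100368), each followed by a packet record, then one extra-data record
# whose body is arbitrary here.
SAMPLE = b"".join([
    make_event(0, 7, 1369738500, 659058, 1000008, classification=9,
               priority=1, sport=21, dport=38469),
    make_packet(0, 7, 1369738500, 659058, b"\x08\x00\x27\xf5" * 4),
    make_event(0, 8493, 1364998295, 136144, 2100368, rev=7,
               classification=29, priority=3, sport=8, dport=0, proto=1),
    make_packet(0, 8493, 1364998295, 136144, b"\x00\x00\x5e\x00" * 4),
    make_record(UNIFIED2_EXTRA_DATA, b"\x00" * 16),
])

if __name__ == "__main__":
    print(event_time(1369738500, 659058).isoformat())
    print([t for t, _ in iter_records(filter_sids(SAMPLE, {1000008}))])
```

The same skip-by-length walk is what lets a reader survive a record type it has never seen: the header always carries the length, so an unknown type costs one seek, not a crash.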

Barnyard2 not logging snort log into mysql database.

Hi,

I have set up snort 2.9.4 and barnyard2-1.11 on an Ubuntu 11.10 box. All seems OK, however the events generated by snort are not written to the mysql database.

---- below the setup in snort.conf

output unified2: filename snort.log, limit 128

----- below the barnyard2 config

config reference_file: /etc/snort/reference.config
config classification_file: /etc/snort/classification.config
config gen_file: /etc/snort/gen-msg.map
config sid_file: /etc/snort/community-sid-msg.map
config logdir: /var/log/barnyard2/
config waldo_file: /var/log/snort/barnyard2.waldo
input unified2
output database: log, mysql, user=snort password=snortpass dbname=snort host=localhost

---- below the barnyard startup command

barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort -f snort.log -w /var/log/snort/barnyard2.waldo

---- below the stdout from above barnyard job ----------------------

Running in Continuous mode

    --== Initializing Barnyard2 ==--

Initializing Input Plugins!
Initializing Output Plugins!
Parsing config file "/etc/snort/barnyard2.conf"
Barnyard2 spooler: Event cache size set to [2048]
Log directory = /var/log/barnyard2
INFO database: Defaulting Reconnect/Transaction Error limit to 10
INFO database: Defaulting Reconnect sleep time to 5 second
database: [SynchronizeEventId()]: Problems executing [SELECT MAX(cid) FROM data WHERE sid='2';]
database: [SynchronizeEventId()]: Problems executing [SELECT MAX(cid) FROM event WHERE sid='2';]
database: [SynchronizeEventId()]: Problems executing [SELECT MAX(cid) FROM icmphdr WHERE sid='2';]
database: [SynchronizeEventId()]: Problems executing [SELECT MAX(cid) FROM iphdr WHERE sid='2';]
database: [SynchronizeEventId()]: Problems executing [SELECT MAX(cid) FROM opt WHERE sid='2';]
database: [SynchronizeEventId()]: Problems executing [SELECT MAX(cid) FROM tcphdr WHERE sid='2';]
database: [SynchronizeEventId()]: Problems executing [SELECT MAX(cid) FROM udphdr WHERE sid='2';]
[SignatureReferencePullDataStore()]: No Reference found in database ...
database: compiled support for (mysql)
database: configured to use mysql
database: schema version = 107
database: host = localhost
database: user = snort
database: database name = snort
database: sensor name = sumit-laptop:NULL
database: sensor id = 2
database: sensor cid = 1
database: data encoding = hex
database: detail level = full
database: ignore_bpf = no
database: using the "log" facility

    --== Initialization Complete ==--

______ -> Barnyard2 <-
/ ,,_ \ Version 2.1.11 (Build 317)
|o" )~| By Ian Firns (SecurixLive): http://www.securixlive.com/

Using waldo file '/var/log/snort/barnyard2.waldo':
spool directory = /var/log/snort
spool filebase = snort.log
time_stamp = 1359316800
record_idx = 0
Opened spool file '/var/log/snort/snort.log.1359316800'
Waiting for new data

database: Closing connection to database "snort"

Record Totals:
Records: 0
Events: 0 (0.000%)
Packets: 0 (0.000%)

Unknown: 0 (0.000%)

Packet breakdown by protocol (includes rebuilt packets):
ETH: 0 (0.000%)
ETHdisc: 0 (0.000%)
VLAN: 0 (0.000%)
IPV6: 0 (0.000%)
IP6 EXT: 0 (0.000%)
IP6opts: 0 (0.000%)
IP6disc: 0 (0.000%)
IP4: 0 (0.000%)
IP4disc: 0 (0.000%)
TCP 6: 0 (0.000%)
UDP 6: 0 (0.000%)
ICMP6: 0 (0.000%)
ICMP-IP: 0 (0.000%)
TCP: 0 (0.000%)
UDP: 0 (0.000%)
ICMP: 0 (0.000%)
TCPdisc: 0 (0.000%)
UDPdisc: 0 (0.000%)
ICMPdis: 0 (0.000%)
FRAG: 0 (0.000%)
FRAG 6: 0 (0.000%)
ARP: 0 (0.000%)
EAPOL: 0 (0.000%)
ETHLOOP: 0 (0.000%)
IPX: 0 (0.000%)
OTHER: 0 (0.000%)
DISCARD: 0 (0.000%)
InvChkSum: 0 (0.000%)
S5 G 1: 0 (0.000%)
S5 G 2: 0 (0.000%)
Total: 0

Problem: I am running Snort on the ppp0 interface using the command
snort -c /etc/snort/snort.conf -i ppp0 -A console
Snort logs all alerts into the directory /var/log/snort. When I run barnyard it reads 0 records from all the log files that are generated by Snort (the Snort log files are full of alerts).
In short, barnyard2 is reading the files but thinks there is no content in them.

-------------------Sample log file..............(partial part of snort log file)

Date: Sun, 27 Jan 2013 20:00:14 GMT
Server: Apache
X-Powered-By: PHP/5.3.8
Connection: close
Transfer-Encoding: chunked
Content-Type: text/html

Please guys help as soon as possible.

Barnyard2 reads the snort unified2 log file but does not write to the log

Hi, I am a newbie on barnyard. I want barnyard to write logs to a file like snort-alert.log.

In snort.conf I have the line

output alert_unified2: filename snort.u2, limit 128

And in the barnyard2.conf file I have (just the relevant parts)

config reference_file: /usr/local/snort/etc/reference.config
config classification_file: /usr/local/snort/etc/classification.config
config gen_file: /usr/local/snort/etc/gen-msg.map
config sid_file: /usr/local/snort/etc/sid-msg.map

config logdir: /var/log/snort
config hostname: saturn
config interface: eth1
config alert_with_interface_name
config alert_on_each_packet_in_stream
config show_year
config verbose
config archivedir: /var/log/snort/archive
config process_new_records_only
Input unified2
output alert_fast : snort-alert.log

I run Snort with the command
/usr/local/snort/bin/snort -c /usr/local/snort/etc/snort.conf -i eth1 -l /var/log/snort/ -p -N -D

and barnyard2 with the command

/usr/local/bin/barnyard2 -c /usr/local/snort/etc/barnyard2.conf -d /var/log/snort -w /var/log/snort/bylog.waldo -f snort.u2

After running the barnyard command in debug mode with debug level 10 I got the output
barnyard2.c:558: Parsing command line...
barnyard2.c:627: Processing cmd line switch: c
barnyard2.c:627: Processing cmd line switch: d
barnyard2.c:627: Processing cmd line switch: w
barnyard2.c:627: Processing cmd line switch: f
barnyard2.c:1513: Config file = /usr/local/snort/etc/barnyard2.conf, config dir = /usr/local/snort/etc/
Running in Continuous mode

    --== Initializing Barnyard2 ==--

Initializing Input Plugins!
spi_unified2.c:97: Input plugin: Unified2 is setup...
Initializing Output Plugins!
spo_alert_cef.c:105: Output plugin: Alert-CEF is setup...
spo_alert_syslog.c:106: Output plugin: Alert-Syslog is setup...
spo_log_tcpdump.c:139: Output plugin: Log-Tcpdump is setup...
spo_database.c:292: database(debug): database plugin is registered...
spo_alert_fast.c:117: Output plugin: AlertFast is setup...
spo_alert_full.c:110: Output plugin: AlertFull is setup...
DEBUG => Alert_FWsam Output plugin is plugged in...
spo_alert_unixsock.c:107: Output plugin: AlertUnixSock is setup...
spo_alert_csv.c:121: Output plugin: alert_csv is setup...
spo_alert_test.c:128: Output plugin: AlertTest is setup...
Parsing config file "/usr/local/snort/etc/barnyard2.conf"
INFO: Alerting on each packet associated with an event: is now enabled by default.
use: command line argument --disable-alert-on-each-packet-in-stream or
configure file argument disable-alert-on-each-packet-in-stream to disable the feature
parser.c:2147: Enabled year in timestamp
parser.c:2195: Verbose Flag active
Barnyard2 spooler: Event cache size set to [2048]
Log directory = /var/log/snort
spi_unified2.c:105: Linking UnifiedLog functions to call lists...
spo_alert_cef.c:123: Output: Alert-CEF Initialized
WARNING => Unrecognized syslog facility/priority: host=localhost
spo_alert_cef.c:133: Linking CEF alert function to call list...
spo_alert_fast.c:136: Output: AlertFast Initialized
spo_alert_fast.c:400: alert_fast: '/var/log/snort/snort-alert.log' 0 134217728
log.c:517: Opening alert file: /var/log/snort/snort-alert.log

spo_alert_fast.c:141: Linking AlertFast functions to call lists...

Keyword | Input @

unified2 : init() = 0x43edfe
unified2 : - readRecordHeader() = 0x43ee71

unified2 : - readRecord() = 0x43f030


Keyword | Output @

alert_cef : 0x4268ca
alert_syslog : 0x42ce57
log_tcpdump : 0x42f9f3
database : 0x436420
alert_fast : 0x4286c6
alert_full : 0x4292d2
alert_fwsam : 0x429a89
alert_unixsock: 0x42e3f3
alert_csv : 0x4273a5
log_null : 0x42f8d7
log_ascii : 0x42ec6b
alert_test : 0x42dc63
sguil : 0x43077c
alert_syslog_full: 0x43193a

log_syslog_full: 0x43191b

    --== Initialization Complete ==--

______ -> Barnyard2 <-
/ ,,_ \ Version 2.1.11 (Build 317) DEBUG
|o" )~| By Ian Firns (SecurixLive): http://www.securixlive.com/

Using waldo file '/var/log/snort/bylog.waldo':
spool directory = /var/log/snort
spool filebase = snort.u2
time_stamp = 1359534001
record_idx = 5346
Opened spool file '/var/log/snort/snort.u2.1359534001'
Waiting for new data

and Snort is running. I have a test rule for Snort and when I trigger the alert the snort.u2 file gets larger as the alerts are generated. After I hit ctrl+c barnyard stops working :)

and I got
^C===============================================================================
Record Totals:
Records: 6528
Events: 6528 (100.000%)
Packets: 0 (0.000%)

Unknown: 0 (0.000%)

Packet breakdown by protocol (includes rebuilt packets):
ETH: 0 (0.000%)
ETHdisc: 0 (0.000%)
VLAN: 0 (0.000%)
IPV6: 0 (0.000%)
IP6 EXT: 0 (0.000%)
IP6opts: 0 (0.000%)
IP6disc: 0 (0.000%)
IP4: 0 (0.000%)
IP4disc: 0 (0.000%)
TCP 6: 0 (0.000%)
UDP 6: 0 (0.000%)
ICMP6: 0 (0.000%)
ICMP-IP: 0 (0.000%)
TCP: 0 (0.000%)
UDP: 0 (0.000%)
ICMP: 0 (0.000%)
TCPdisc: 0 (0.000%)
UDPdisc: 0 (0.000%)
ICMPdis: 0 (0.000%)
FRAG: 0 (0.000%)
FRAG 6: 0 (0.000%)
ARP: 0 (0.000%)
EAPOL: 0 (0.000%)
ETHLOOP: 0 (0.000%)
IPX: 0 (0.000%)
IPv4/IPv4: 0 (0.000%)
IPv4/IPv6: 0 (0.000%)
IPv6/IPv4: 0 (0.000%)
IPv6/IPv6: 0 (0.000%)
GRE: 0 (0.000%)
GRE ETH: 0 (0.000%)
GRE VLAN: 0 (0.000%)
GRE IPv4: 0 (0.000%)
GRE IPv6: 0 (0.000%)
GRE IP6 E: 0 (0.000%)
GRE PPTP: 0 (0.000%)
GRE ARP: 0 (0.000%)
GRE IPX: 0 (0.000%)
GRE LOOP: 0 (0.000%)
OTHER: 0 (0.000%)
DISCARD: 0 (0.000%)
InvChkSum: 0 (0.000%)
S5 G 1: 0 (0.000%)
S5 G 2: 0 (0.000%)

Total: 0

However there is nothing in the /var/log/snort/snort-alert.log file; it is completely empty.

If I delete the snort-alert.log file, barnyard creates a new one.

What may be the problem?

Thanks

Events without packet data

I have some Snort instances where the unified2 log files contain some events without any packet information.
When the barnyard2 database plugin processes these events it will insert the event, but will not insert any IP information.

This results in an alert entry without any source or destination address. These are, for example, the SQL queries for the event:

81 Query     BEGIN
81 Query     SELECT sig_id   FROM signature  WHERE sig_name = 'ET WEB_SERVER Script tag in URI, Possible Cross Site Scripting Attempt '    AND sig_rev = 6    AND sig_sid = 2009714    AND sig_gid = 1
81 Query     INSERT INTO event (sid,cid,signature,timestamp) VALUES (86, 62261, 31658, '2012-01-18 15:02:20')
81 Query     COMMIT

Notice that the insert into tcphdr is missing.

This is the event as output by u2spewfoo:

(Event)
        sensor id: 0    event id: 33946 event second: 1326895340        event microsecond: 303126
        sig id: 2009714 gen id: 1       revision: 6      classification: 28
        priority: 3     ip source: x.x.x.x ip destination: 10.x.x.x
        src port: 62400 dest port: 80   protocol: 6     impact_flag: 0  blocked: 0

Notice that it does not have a packet but does contain src/dst IP and port information.

Is this the intended behavior of barnyard2?
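
As an added example (not code from barnyard2 or Snort) of the case described in this post: a small unified2 reader that pairs each IDS event record with the packet record that may follow it, so that events which carry addresses but no packet can be listed. The record layouts are assumed from Snort's Unified2_common.h (type 7 IPv4 event, type 72 IPv6 event, type 2 packet, all fields big-endian); the sample stream and its addresses are constructed, reusing the field values u2spewfoo printed above.

```python
"""Minimal unified2 reader pairing IDS events with their optional packet record.
Added example, not barnyard2 or Snort code. Assumed layouts: record header
(type, length), legacy event (type 7, 52 bytes; type 72 is the same with
16-byte IPv6 addresses, 76 bytes) and packet (type 2, 28-byte header + data)."""
import socket
import struct

U2_PACKET = 2
U2_IDS_EVENT = 7        # legacy IPv4 event
U2_IDS_EVENT_IPV6 = 72  # legacy IPv6 event

_HDR = struct.Struct("!II")             # type, length
_EVENT_FIXED = struct.Struct("!9I")     # sensor_id .. priority_id (36 bytes)
_EVENT_TAIL = struct.Struct("!HHBBBB")  # sport, dport, proto, impact_flag, impact, blocked
_PKT_HDR = struct.Struct("!7I")         # sensor, event_id, event_sec, pkt_sec, pkt_usec, linktype, pkt_len


def _parse_event(body: bytes, ipv6: bool) -> dict:
    fields = ("sensor_id", "event_id", "event_second", "event_microsecond",
              "signature_id", "generator_id", "signature_revision",
              "classification_id", "priority_id")
    ev = dict(zip(fields, _EVENT_FIXED.unpack_from(body, 0)))
    off = _EVENT_FIXED.size
    alen = 16 if ipv6 else 4
    fam = socket.AF_INET6 if ipv6 else socket.AF_INET
    # the event record itself carries the addresses; no packet is needed for them
    ev["ip_source"] = socket.inet_ntop(fam, body[off:off + alen])
    ev["ip_destination"] = socket.inet_ntop(fam, body[off + alen:off + 2 * alen])
    off += 2 * alen
    (ev["src_port"], ev["dst_port"], ev["protocol"], ev["impact_flag"],
     ev["impact"], ev["blocked"]) = _EVENT_TAIL.unpack_from(body, off)
    ev["packet"] = None
    return ev


def parse_unified2(data: bytes) -> list:
    """Return one dict per IDS event; 'packet' holds the raw packet bytes when a
    packet record for the same event_id directly follows the event, else None."""
    events, off = [], 0
    while off + _HDR.size <= len(data):
        rtype, rlen = _HDR.unpack_from(data, off)
        body = data[off + _HDR.size:off + _HDR.size + rlen]
        if len(body) < rlen:
            raise ValueError("truncated record at offset %d" % off)
        if rtype in (U2_IDS_EVENT, U2_IDS_EVENT_IPV6):
            events.append(_parse_event(body, rtype == U2_IDS_EVENT_IPV6))
        elif rtype == U2_PACKET:
            ph = _PKT_HDR.unpack_from(body, 0)
            pkt = body[_PKT_HDR.size:_PKT_HDR.size + ph[6]]
            # unified2 writes the packet right after its event; attach it there
            if events and events[-1]["event_id"] == ph[1] and events[-1]["packet"] is None:
                events[-1]["packet"] = pkt
        # other record types (extra data etc.) are skipped by length
        off += _HDR.size + rlen
    return events


def events_without_packet(events: list) -> list:
    """The case from this issue: events that carry addresses but no packet."""
    return [e for e in events if e["packet"] is None]


def _build_event(event_id, src, dst, sport, dport, proto=6):
    body = _EVENT_FIXED.pack(0, event_id, 1326895340, 303126, 2009714, 1, 6, 28, 3)
    body += socket.inet_aton(src) + socket.inet_aton(dst)
    body += _EVENT_TAIL.pack(sport, dport, proto, 0, 0, 0)
    return _HDR.pack(U2_IDS_EVENT, len(body)) + body


def _build_packet(event_id, payload):
    body = _PKT_HDR.pack(0, event_id, 1326895340, 1326895340, 303126, 1, len(payload)) + payload
    return _HDR.pack(U2_PACKET, len(body)) + body


# Constructed sample stream: event 33946 with no packet record (the issue's case),
# then event 33947 followed by a packet record. Addresses are documentation
# ranges, not the masked ones from the issue.
SAMPLE = (_build_event(33946, "192.0.2.10", "10.0.0.5", 62400, 80)
          + _build_event(33947, "192.0.2.11", "10.0.0.5", 62401, 80)
          + _build_packet(33947, b"\x45\x00\x00\x28" + b"\x00" * 36))

if __name__ == "__main__":
    for e in parse_unified2(SAMPLE):
        print(e["event_id"], e["ip_source"], "->", e["ip_destination"],
              "packet bytes:", None if e["packet"] is None else len(e["packet"]))
```

A database plugin that only fills iphdr/tcphdr from the packet record will therefore drop the addresses for the first event even though the event record has them.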

IPv6 support in Barnyard2 2-1.13-BETA

I have come to know that the Barnyard2 2-1.11 db schema does not support IPv6. Now I want to know: does the db schema currently in use with Barnyard2 2-1.13-BETA support IPv6? Is it capable of handling alerts generated by Snort in an IPv6 network?

Missing configure file?

Perhaps I'm being stupid, but cloning the current repo doesn't include a configure file? Although the autogen.sh tells me to run ./configure?

Maybe someone could point me in the right direction, or, if this is a bug, put it back in?

Thanks

Matt

Events not written to mysql database

Hi,

I have set up snort, barnyard & snorby on an ubuntu 12.4 box; all seems ok, however the events generated by snort are not written to the mysql database.

---- below the setup in snort.conf

output alert_unified2: filename alert, limit 128

----- below the barnyard2 config

config reference_file: /etc/snort/reference.config
config classification_file: /etc/snort/classification.config
config gen_file: /etc/snort/gen-msg.map
config sid_file: /etc/snort/community-sid-msg.map
config logdir: /var/log/barnyard2/
config waldo_file: /var/log/barnyard2/barnyard2.waldo
input unified2
output alert_fast: stdout
output database: log, mysql, user=snorby password=snorby dbname=snorby host=localhost

---- below the barnyard startup command in /etc/init.d/barnyard2

barnyard2 -d /var/log/snort -f alert > /var/log/barnyard2/start.log 2>&1

---- below the stdout from above barnyard job ---------------------------------------------------

Running in Continuous mode

    --== Initializing Barnyard2 ==--

Initializing Input Plugins!
Initializing Output Plugins!
Parsing config file "/etc/barnyard2.conf"
Log directory = /var/log/barnyard2/
database: compiled support for (mysql)
database: configured to use mysql
database: schema version = 107
database: host = localhost
database: user = snorby
database: database name = snorby
database: sensor name = gozo:NULL
database: sensor id = 1
database: sensor cid = 1
database: data encoding = hex
database: detail level = full
database: ignore_bpf = no
database: using the "log" facility

    --== Initialization Complete ==--

______ -> Barnyard2 <-
/ ,,_ \ Version 2.1.9 (Build 263)
|o" )~| By the SecurixLive.com Team: http://www.securixlive.com/about.php

'''' + (C) Copyright 2008-2010 SecurixLive.

       Snort by Martin Roesch & The Snort Team: http://www.snort.org/team.html
       (C) Copyright 1998-2007 Sourcefire Inc., et al.

Using waldo file '/var/log/barnyard2/barnyard2.waldo':
spool directory = /var/log/snort
spool filebase = alert
time_stamp = 1340435023
record_idx = 83
Opened spool file '/var/log/snort/alert.1340435023'

Waiting for new data

Record Totals:
Records: 320
Events: 320 (100.000%)

Packets: 0 (0.000%)

Packet breakdown by protocol (includes rebuilt packets):
ETH: 0 (0.000%)
ETHdisc: 0 (0.000%)
VLAN: 0 (0.000%)
IPV6: 0 (0.000%)
IP6 EXT: 0 (0.000%)
IP6opts: 0 (0.000%)
IP6disc: 0 (0.000%)
IP4: 0 (0.000%)
IP4disc: 0 (0.000%)
TCP 6: 0 (0.000%)
UDP 6: 0 (0.000%)
ICMP6: 0 (0.000%)
ICMP-IP: 0 (0.000%)
TCP: 0 (0.000%)
UDP: 0 (0.000%)
ICMP: 0 (0.000%)
TCPdisc: 0 (0.000%)
UDPdisc: 0 (0.000%)
ICMPdis: 0 (0.000%)
FRAG: 0 (0.000%)
FRAG 6: 0 (0.000%)
ARP: 0 (0.000%)
EAPOL: 0 (0.000%)
ETHLOOP: 0 (0.000%)
IPX: 0 (0.000%)
OTHER: 0 (0.000%)
DISCARD: 0 (0.000%)
InvChkSum: 0 (0.000%)
S5 G 1: 0 (0.000%)
S5 G 2: 0 (0.000%)

Total: 0

Kind Regards, Herbert

new beta dies: Failed a call to snort_escape_string_STATIC() for string

binf-barnyard2-0974b1d

I am on RHE 5.5.

I compiled BY2 on one box and then copied the binary to my sensor (also on 5.5); I have done this for testing before without problems. This time, however, the new by2 dies:

Feb 8 13:11:48 mon263549 barnyard2: Initializing daemon mode
Feb 8 13:11:48 mon263549 barnyard2: Daemon initialized, signaled parent pid: 24114
Feb 8 13:11:48 mon263549 barnyard2: PID path stat checked out ok, PID path set to /home/sensors/run/
Feb 8 13:11:48 mon263549 barnyard2: Daemon parent exiting
Feb 8 13:11:48 mon263549 barnyard2: Writing PID "24115" to file "/home/sensors/run//barnyard2_dmzo.pid"
Feb 8 13:11:48 mon263549 barnyard2: database: Table [data] had a more rescent cid [257705460] using it.
Feb 8 13:11:48 mon263549 barnyard2: Recovering by rolling forward the cid from [257247746] to [257705460]
Feb 8 13:11:48 mon263549 barnyard2: database: Table [event] had a more rescent cid [257705462] using it.
Feb 8 13:11:48 mon263549 barnyard2: Recovering by rolling forward the cid from [257705460] to [257705462]
Feb 8 13:12:02 mon263549 barnyard2: FATAL ERROR: ERROR database: [ReferencePopulateDatabase()], Failed a call to snort_escape_string_STATIC() for string : [www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Trojan%3AWin32%2FDogrobot.A], Exiting.

I'm guessing it is a library issue -- is there something else I should be copying?

Cheers, Russell

Wrong syslog_full output.

Hello.
I found that the base64_STATIC() (and also base64()) functions are not correctly creating the BASE64 digest.

When the string is long, an additional '\n' is inserted into the output by the condition:

if(cols == 72)
{
    *output = '\n'; output++;
    cols = 0;
}

For example, when I use the syslog_full output plugin, in my /var/messages I see:

Jun 21 14:39:06 localhost | [SNORTIDS[LOG]: [test-sn01] ] || 2013-06-21 14:38:59.792+004 0 [1:1999999999:1] Snort Alert [1:1999999999:1] || [Unknown Classification] || 6 192.168.155.99 192.168.155.72 4 20 16 61 46288 2 0 52701 0 || 57929 22 3382172796 3250754374 8 0 24 365 5378 0 || 75 CAAnr4YhCAAnnKmBCABFEAA9tNBAAEAGzd3AqJtjwKibSOJJABbJl9x8wcKTRoAYAW0VAgAA#012AQEICgAeauAANwl0dGVzdDEyMw0K || #012 |

that I can't parse correctly because the substring '#012' is present in the middle of the base64 string.

Is this a code mistake or am I misunderstanding something?

PS: Thx for answers and sorry for my English(.
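
Added example, not barnyard2's code, illustrating the behaviour described in this post and what a fix looks like: the 72-column wrap reproduced in Python, the syslog escaping that turns the newline into '#012', an unwrapped encoder for comparison, and a decoder that tolerates the artefact so existing logs can still be parsed. The only input is the base64 payload field quoted in the log line above; the function names are mine.

```python
"""Reproduce the syslog_full base64 problem and show the unwrapped form.
Added example, not barnyard2 code. The wrap mimics the quoted C condition
(a '\n' after every 72 output columns); the escape mimics the common syslog
behaviour of replacing a newline with its octal escape '#012'."""
import base64

WRAP_COLS = 72


def base64_wrapped(data: bytes, cols: int = WRAP_COLS) -> str:
    """Column-wrapped encoding: the behaviour reported in the issue."""
    enc = base64.b64encode(data).decode("ascii")
    return "\n".join(enc[i:i + cols] for i in range(0, len(enc), cols))


def base64_unwrapped(data: bytes) -> str:
    """Single-line encoding: what a syslog field should carry."""
    return base64.b64encode(data).decode("ascii")


def syslog_escape(msg: str) -> str:
    """Approximates a syslog daemon's control-character escaping."""
    return msg.replace("\n", "#012")


def recover_payload(field: str) -> bytes:
    """Decode a syslog_full base64 field, stripping the '#012' / newline
    artefacts first so logs written by the buggy encoder still parse."""
    clean = field.replace("#012", "").replace("\n", "").replace("\r", "")
    return base64.b64decode(clean, validate=True)


# The payload field exactly as quoted in the issue's /var/messages line
ISSUE_FIELD = ("CAAnr4YhCAAnnKmBCABFEAA9tNBAAEAGzd3AqJtjwKibSOJJABbJl9x8wcKTRoAYAW0VAgAA"
               "#012AQEICgAeauAANwl0dGVzdDEyMw0K")

if __name__ == "__main__":
    pkt = recover_payload(ISSUE_FIELD)
    print(len(pkt), "bytes, ends with", pkt[-9:])
    print("wrapped+escaped :", syslog_escape(base64_wrapped(pkt)))
    print("unwrapped       :", syslog_escape(base64_unwrapped(pkt)))
```

The recovered bytes are an Ethernet frame (EtherType 0x0800, IPv4 total length 61, so 75 bytes in all) whose TCP payload ends in "test123\r\n"; the wrapped encoder reproduces the quoted field character for character, while the unwrapped one yields the same 100 characters with no '#012' inside.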

Wrong behaviour of SIGHUP

SIGHUP in Barnyard2 v2.1.12 terminates the barnyard2 process; shouldn't it be reloading/refreshing the config files instead?
I am using pulledpork to send a SIGHUP to Snort and Barnyard2 after downloading the newest rules and as such Barnyard2 is not running anymore...

Barnyard2-1.9 waldo file not updated

Hello.

I'm seeing some weird behaviour on some barnyard2-1.9 installs on different servers. There are 2 cases:

  1. servers with one LAN NIC only. Some barnyards keep updating the waldo file as they process the events and work flawlessly, other barnyards have a "stuck" waldo file which mentions a file they already moved to archive, although the process has a fd opened to the current snort log (which is correct). Restarting the barnyard process does not update the waldo file. Running with the -n switch also has no effect whatsoever.
  2. servers with one LAN and one WAN NICs. The barnyard which processes the LAN snort log file works correctly (as the ones mentioned above). The barnyard on the WAN snort log either behaves like the "stuck waldo file" as above, or the waldo file mentions an archived file which no longer exists. Also, the barnyard process for the WAN has a fd opened for the current snort log file.

All the barnyards above which are "stuck" do NOT send any events. Using the -n switch does get mentioned at startup, but no events are being sent and the waldo file is not updated. I've tried the -v switch but nothing more detailed gets logged in syslog. Also, there is no log file whatsoever in the folder specified by -l switch.

All the barnyards are "Version 2.1.9 (Build 263)", source downloaded via "firnsy/barnyard2" -> Tags -> v2-1.9 (aka commit e48ae8a as far as i can tell).

All the barnyards use their own .conf (aka 2 barnyards on the system -> 2 conf files). They are minimally configured; the only lines in the configs are:
config reference_file: /etc/snort/reference.config
config classification_file: /etc/snort/classification.config
config gen_file: /etc/snort/gen-msg.map
config sid_file: /etc/snort/sid-msg.map
config hostname: [SERVER_NAME]
config interface: [INTERFACE_NAME]
config daemon
input unified2
output database: log, mysql, user=[USERNAME] password=[PASSWORD] dbname=snort host=[SQLSRV_IP]

(Fields like [SERVER_NAME] are just masks in this text).

The running processes get the following switches:
/usr/bin/barnyard2 --pid-path /var/run --nolock-pidfile -D -c /etc/barnyard2/barnyard2.conf -d /var/log/snort -w /var/log/snort/barnyard2.waldo -f snort.log -l /var/log/barnyard2 -a /var/log/snort/archive

or

/usr/bin/barnyard2 --pid-path /var/run --nolock-pidfile -D -c /etc/barnyard2/barnyard2.conf -d /var/log/snort -n -w /var/log/snort/barnyard2.waldo -f snort.log -l /var/log/barnyard2 -a /var/log/snort/archive

Example on a one LAN NIC server:

ps -ef | grep barnyard2 | grep -v grep

root 3917 1 0 11:29 ? 00:00:00 /usr/bin/barnyard2 --pid-path /var/run --nolock-pidfile -D -c /etc/barnyard2/barnyard2.conf -d /var/log/snort -n -w /var/log/snort/barnyard2.waldo -f snort.log -l /var/log/barnyard2 -a /var/log/snort/archive

ls -lsa /var/log/snort/

total 1508
4 drwxr-xr-x 3 snort snort 4096 Nov 22 06:35 .
4 drwxr-xr-x 18 root root 4096 Nov 21 01:00 ..
4 drwxr-xr-x 2 snort snort 4096 Nov 22 11:29 archive
4 -rw------- 1 root root 2056 Nov 22 06:34 barnyard2.waldo
1492 -rw------- 1 snort snort 1522512 Nov 22 11:29 snort.log.1321936501

ls -lsa /var/log/snort/archive/

total 5736
4 drwxr-xr-x 2 snort snort 4096 Nov 22 11:29 .
4 drwxr-xr-x 3 snort snort 4096 Nov 22 06:35 ..
5728 -rw------- 1 snort snort 5850756 Nov 22 06:34 snort.log.1321850111

fuser /var/log/snort/*

/var/log/snort/barnyard2.waldo: 3917
/var/log/snort/snort.log.1321936501: 3917 10113

fuser /var/log/snort/archive/*

lsof -p 3917 | grep snort

barnyard2 3917 root 0r REG 254,1 2056 17697 /var/log/snort/barnyard2.waldo
barnyard2 3917 root 6r REG 254,1 1603336 16873 /var/log/snort/snort.log.1321936501

./odlaw.pl -r /var/log/snort/barnyard2.waldo

waldo: /var/log/snort/barnyard2.waldo
{
directory = /var/log/snort
filebase = snort.log
timestamp = 1321850111
record = 24674
}

tail -n 200 /var/log/everything/current | grep barnyard2

2011-11-22T11:29:21.144798+02:00 [SERVER_NAME] barnyard2[3847]: Found pid path directive (/var/run)
2011-11-22T11:29:21.144798+02:00 [SERVER_NAME] barnyard2[3847]: Running in Continuous mode
2011-11-22T11:29:21.144798+02:00 [SERVER_NAME] barnyard2[3847]:
2011-11-22T11:29:21.144798+02:00 [SERVER_NAME] barnyard2[3847]: --== Initializing Barnyard2 ==--
2011-11-22T11:29:21.144798+02:00 [SERVER_NAME] barnyard2[3847]: Initializing Input Plugins!
2011-11-22T11:29:21.144798+02:00 [SERVER_NAME] barnyard2[3847]: Initializing Output Plugins!
2011-11-22T11:29:21.144798+02:00 [SERVER_NAME] barnyard2[3847]: Parsing config file "/etc/barnyard2/barnyard2.conf"
2011-11-22T11:29:29.006802+02:00 [SERVER_NAME] barnyard2[3847]: Found pid path directive (/var/run)
2011-11-22T11:29:29.006802+02:00 [SERVER_NAME] barnyard2[3847]: Log directory = /var/log/barnyard2
2011-11-22T11:29:29.006802+02:00 [SERVER_NAME] barnyard2[3847]: Initializing daemon mode
2011-11-22T11:29:29.006802+02:00 [SERVER_NAME] barnyard2[3847]: Daemon parent exiting
2011-11-22T11:29:29.006802+02:00 [SERVER_NAME] barnyard2[3917]: Daemon initialized, signaled parent pid: 3847
2011-11-22T11:29:29.006802+02:00 [SERVER_NAME] barnyard2[3917]: PID path stat checked out ok, PID path set to /var/run
2011-11-22T11:29:29.006802+02:00 [SERVER_NAME] barnyard2[3917]: Writing PID "3917" to file "/var/run/barnyard2_[INTERFACE_NAME].pid"
2011-11-22T11:29:29.086823+02:00 [SERVER_NAME] monit[6181]: 'barnyard2' restart action done
2011-11-22T11:29:29.276871+02:00 [SERVER_NAME] barnyard2[3917]: database: compiled support for (mysql)
2011-11-22T11:29:29.276871+02:00 [SERVER_NAME] barnyard2[3917]: database: configured to use mysql
2011-11-22T11:29:29.276871+02:00 [SERVER_NAME] barnyard2[3917]: database: schema version = 107
2011-11-22T11:29:29.276871+02:00 [SERVER_NAME] barnyard2[3917]: database: host = [SERVER_IP]
2011-11-22T11:29:29.276871+02:00 [SERVER_NAME] barnyard2[3917]: database: user = [USERNAME]
2011-11-22T11:29:29.276871+02:00 [SERVER_NAME] barnyard2[3917]: database: database name = snort
2011-11-22T11:29:29.276871+02:00 [SERVER_NAME] barnyard2[3917]: database: sensor name = [SERVER_NAME]:[INTERFACE_NAME]
2011-11-22T11:29:29.276871+02:00 [SERVER_NAME] barnyard2[3917]: database: sensor id = 1
2011-11-22T11:29:29.276871+02:00 [SERVER_NAME] barnyard2[3917]: database: sensor cid = 3086063
2011-11-22T11:29:29.276871+02:00 [SERVER_NAME] barnyard2[3917]: database: data encoding = hex
2011-11-22T11:29:29.276871+02:00 [SERVER_NAME] barnyard2[3917]: database: detail level = full
2011-11-22T11:29:29.276871+02:00 [SERVER_NAME] barnyard2[3917]: database: ignore_bpf = no
2011-11-22T11:29:29.276871+02:00 [SERVER_NAME] barnyard2[3917]: database: using the "log" facility
2011-11-22T11:29:29.276871+02:00 [SERVER_NAME] barnyard2[3917]:
2011-11-22T11:29:29.276871+02:00 [SERVER_NAME] barnyard2[3917]: --== Initialization Complete ==--
2011-11-22T11:29:29.276871+02:00 [SERVER_NAME] barnyard2[3917]: Barnyard2 initialization completed successfully (pid=3917)
2011-11-22T11:29:29.276871+02:00 [SERVER_NAME] barnyard2[3917]: Using waldo file '/var/log/snort/barnyard2.waldo':#12 spool directory = /var/log/snort#012 spool filebase = snort.log#012 time_stamp = 1321850111#012 record_idx = 24674
2011-11-22T11:29:29.276871+02:00 [SERVER_NAME] barnyard2[3917]: Processing new records only.
2011-11-22T11:29:29.276871+02:00 [SERVER_NAME] barnyard2[3917]: Opened spool file '/var/log/snort/snort.log.1321936501'
2011-11-22T11:29:29.286874+02:00 [SERVER_NAME] barnyard2[3917]: Skipped 0 old records
2011-11-22T11:29:29.286874+02:00 [SERVER_NAME] barnyard2[3917]: Waiting for new data

On any further barnyard2 restarts, the waldo will remain unchanged, the same data reported in syslog, and no events sent. A tail -f on the snort.log.[TIMESTAMP] does show data being added.

The snort logging is simply set as:

grep unified2 /etc/snort/snort.conf

output unified2: filename snort.log, limit 128

Any idea how I can force barnyard to log debug data to a log so I can figure out what is happening? Has anybody seen this behaviour before?

Thank you for your time.
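
Added example, not barnyard2's code and not the odlaw.pl script used above: a reader for the waldo bookmark file plus a check that classifies the bookmark against the spool directory, reproducing the "stuck" situation in this post (waldo naming a file that was already moved to the archive). The on-disk layout is an assumption consistent with the 2056-byte file in the ls output: two 1024-byte NUL-padded strings (spool directory, spool filebase) followed by two host-order uint32 values (timestamp, record_idx). The sample file and listings are constructed from the values odlaw.pl and ls printed above.

```python
"""Parse barnyard2's waldo file and check whether it points at a live spool file.
Added example, not barnyard2 code. ASSUMED layout (matches the 2056-byte waldo
in the issue): char[1024] directory, char[1024] filebase, uint32 timestamp,
uint32 record_idx, in host byte order."""
import re
import struct

STD_BUF = 1024                                             # assumed buffer size
WALDO = struct.Struct("=%ds%dsII" % (STD_BUF, STD_BUF))    # assumed 2056-byte record


def parse_waldo(raw: bytes) -> dict:
    """Return the bookmark fields; refuse files that are not the expected size."""
    if len(raw) != WALDO.size:
        raise ValueError("unexpected waldo size %d (expected %d)" % (len(raw), WALDO.size))
    sdir, fbase, ts, idx = WALDO.unpack(raw)
    return {
        "directory": sdir.split(b"\0", 1)[0].decode(),
        "filebase": fbase.split(b"\0", 1)[0].decode(),
        "timestamp": ts,
        "record": idx,
    }


def build_waldo(directory: str, filebase: str, timestamp: int, record: int) -> bytes:
    """Inverse of parse_waldo; used here only to construct a sample file."""
    return WALDO.pack(directory.encode(), filebase.encode(), timestamp, record)


def spool_timestamps(filebase: str, names) -> list:
    """Timestamps of spool files named <filebase>.<unix time> in a listing."""
    pat = re.compile(r"^%s\.(\d+)$" % re.escape(filebase))
    return sorted(int(m.group(1)) for m in map(pat.match, names) if m)


def waldo_status(waldo: dict, spool_dir_listing, archive_listing=()) -> str:
    """Classify the bookmark against the directory contents:
    'current'  - it names the newest spool file
    'behind'   - it names an older file that is still in the spool directory
    'archived' - the file it names was moved to the archive directory (stuck case)
    'missing'  - the file exists in neither place"""
    live = spool_timestamps(waldo["filebase"], spool_dir_listing)
    archived = spool_timestamps(waldo["filebase"], archive_listing)
    ts = waldo["timestamp"]
    if live and ts == live[-1]:
        return "current"
    if ts in live:
        return "behind"
    if ts in archived:
        return "archived"
    return "missing"


# Constructed sample using the values odlaw.pl and ls printed in the issue
SAMPLE_WALDO = build_waldo("/var/log/snort", "snort.log", 1321850111, 24674)
SAMPLE_SPOOL_DIR = ["archive", "barnyard2.waldo", "snort.log.1321936501"]
SAMPLE_ARCHIVE = ["snort.log.1321850111"]

if __name__ == "__main__":
    w = parse_waldo(SAMPLE_WALDO)
    print(w, "->", waldo_status(w, SAMPLE_SPOOL_DIR, SAMPLE_ARCHIVE))
```

Run against a real install, read the waldo file and pass os.listdir() of the -d and -a directories; a result of "archived" or "missing" is the condition described in this post, where the bookmark cannot advance because the file it names is gone from the spool directory.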

barnyard2 syslog warnings

I'm running barnyard2 Version 2.1.12 (Build 321) on a suricata 1.4.1 sensor to an external database, running ubuntu 12.04 (both machines)

Corresponding config from barnyard2.conf

config reference_file: /etc/suricata/reference.config
config classification_file: /etc/suricata/classification.config
config gen_file: /etc/suricata/rules/gen-msg.map
config sid_file: /etc/suricata/rules/sid-msg.map
config event_cache_size: 32768
config logdir: /var/log/barnyard2/
config hostname: webserver
config interface: eth0
config alert_with_interface_name
config dump_payload
config waldo_file: /var/log/suricata/suricata.waldo
input unified2
output alert_fast: stdout
output database: log, mysql, dbname= user= password= host=

syslog is full of the error messages below. I know it's a warning; however, I cannot judge whether that means I'm missing data.

I have been digging around in the docs, to no avail for a proper solution.

Mar 30 16:54:02 web barnyard2[26331]: WARNING database [Database()]: Called with Event[0x4bf5dc0] Event Type 72acket [0x0], information has not been outputed.
Mar 30 16:54:02 web barnyard2[26331]: WARNING database [Database()]: Called with Event[0x0] Event Type 0acket [0x4e261e0], information has not been outputed.
Mar 30 16:54:02 web barnyard2[26331]: WARNING database [Database()]: Called with Event[0x4bf5e50] Event Type 72acket [0x0], information has not been outputed.
Mar 30 16:54:02 web barnyard2[26331]: WARNING database [Database()]: Called with Event[0x0] Event Type 0acket [0x4e261e0], information has not been outputed.

barnyard does not send logs to MySQL!

I run barnyard2 but for some reason it cannot write logs to the database.

I just wrote a simple rule as well for testing ICMP
alert icmp any any -> 192.168.0.3 any (msg: "ICMP echo" ; itype:8 ; sid:2000000;)

I put the barnyard2 output here, along with the command, snort.conf and barnyard2.conf

/usr/local/snort/bin/snort -c /usr/local/snort/etc/snort.conf -i eth0

sudo barnyard2 -c /usr/local/snort/etc/barnyard2.conf -d /var/log/snort -f snort.u2 -w /var/log/snort/barnyard2.waldo

snort.conf and barnyard2.conf are at the link below:
https://docs.google.com/document/d/1lj2Y3MtL9KcQJD3SH6kOgppLZqpzGtuEuIxyBM8mYh4/edit

--== Initializing Barnyard2 ==--
Initializing Input Plugins!
Initializing Output Plugins!
Parsing config file "/usr/local/snort/etc/barnyard2.conf"
Barnyard2 spooler: Event cache size set to [2048]
Log directory = /var/log/barnyard2
INFO database: Defaulting Reconnect/Transaction Error limit to 10
INFO database: Defaulting Reconnect sleep time to 5 second
database: [SynchronizeEventId()]: Problems executing [SELECT MAX(cid) FROM data WHERE sid='1';]
database: [SynchronizeEventId()]: Problems executing [SELECT MAX(cid) FROM event WHERE sid='1';]
database: [SynchronizeEventId()]: Problems executing [SELECT MAX(cid) FROM icmphdr WHERE sid='1';]
database: [SynchronizeEventId()]: Problems executing [SELECT MAX(cid) FROM iphdr WHERE sid='1';]
database: [SynchronizeEventId()]: Problems executing [SELECT MAX(cid) FROM opt WHERE sid='1';]
database: [SynchronizeEventId()]: Problems executing [SELECT MAX(cid) FROM tcphdr WHERE sid='1';]
database: [SynchronizeEventId()]: Problems executing [SELECT MAX(cid) FROM udphdr WHERE sid='1';]
[SignatureReferencePullDataStore()]: No Reference found in database ...
database: compiled support for (mysql)
database: configured to use mysql
database: schema version = 107
database: host = localhost
database: user = snort
database: database name = snort
database: sensor name = localhost:eth0
database: sensor id = 1
database: sensor cid = 1
database: data encoding = hex
database: detail level = full
database: ignore_bpf = no
database: using the "log" facility

    --== Initialization Complete ==--

______ -> Barnyard2 <-
/ ,,_ \ Version 2.1.12 (Build 321)
|o" )~| By Ian Firns (SecurixLive): http://www.securixlive.com/

Using waldo file '/var/log/snort/barnyard2.waldo':
spool directory = /var/log/snort
spool filebase = snort.u2
time_stamp = 1365767119
record_idx = 42
Opened spool file '/var/log/snort/snort.u2.1365767119'
Waiting for new data
04/12-13:51:08.504621 [] [1:2000000:0] Snort Alert [1:2000000:0] [] [Classification ID: 0] [Priority ID: 0] {ICMP} 192.168.0.4 -> 192.168.0.3
INFO: Current event with event_id [22] Event Second:Microsecond [1365767468:504621] and signature id of [2000000] was logged with a revision of [0]
Make sure you verify your triggering rule body so it include the snort keyword "rev:xxx;" Where xxx is greater than 0

The event has not been logged to the database<<<<<<
04/12-13:51:09.442004 [] [1:2000000:0] Snort Alert [1:2000000:0] [] [Classification ID: 0] [Priority ID: 0] {ICMP} 192.168.0.4 -> 192.168.0.3
INFO: Current event with event_id [23] Event Second:Microsecond [1365767469:442004] and signature id of [2000000] was logged with a revision of [0]
Make sure you verify your triggering rule body so it include the snort keyword "rev:xxx;" Where xxx is greater than 0
The event has not been logged to the database<<<<<<
04/12-13:51:10.445620 [] [1:2000000:0] Snort Alert [1:2000000:0] [] [Classification ID: 0] [Priority ID: 0] {ICMP} 192.168.0.4 -> 192.168.0.3
INFO: Current event with event_id [24] Event Second:Microsecond [1365767470:445620] and signature id of [2000000] was logged with a revision of [0]
Make sure you verify your triggering rule body so it include the snort keyword "rev:xxx;" Where xxx is greater than 0
The event has not been logged to the database<<<<<<

^Cdatabase: Closing connection to database "snort"

Record Totals:
Records: 48
Events: 24 (50.000%)
Packets: 24 (50.000%)

Unknown: 0 (0.000%)

Packet breakdown by protocol (includes rebuilt packets):
ETH: 24 (100.000%)
ETHdisc: 0 (0.000%)
VLAN: 0 (0.000%)
IPV6: 0 (0.000%)
IP6 EXT: 0 (0.000%)
IP6opts: 0 (0.000%)
IP6disc: 0 (0.000%)
IP4: 24 (100.000%)
IP4disc: 0 (0.000%)
TCP 6: 0 (0.000%)
UDP 6: 0 (0.000%)
ICMP6: 0 (0.000%)
ICMP-IP: 0 (0.000%)
TCP: 0 (0.000%)
UDP: 0 (0.000%)
ICMP: 24 (100.000%)
TCPdisc: 0 (0.000%)
UDPdisc: 0 (0.000%)
ICMPdis: 0 (0.000%)
FRAG: 0 (0.000%)
FRAG 6: 0 (0.000%)
ARP: 0 (0.000%)
EAPOL: 0 (0.000%)
ETHLOOP: 0 (0.000%)
IPX: 0 (0.000%)
OTHER: 0 (0.000%)
DISCARD: 0 (0.000%)
InvChkSum: 0 (0.000%)
S5 G 1: 0 (0.000%)
S5 G 2: 0 (0.000%)

Total: 24

Snort log:

    --== Initialization Complete ==--

,,_ -> Snort! <-
o" )~ Version 2.9.4.1 GRE (Build 69)
'''' By Martin Roesch & The Snort Team: http://www.snort.org/snort/snort-team
Copyright (C) 1998-2013 Sourcefire, Inc., et al.
Using libpcap version 1.1.1
Using PCRE version: 8.12 2011-01-15
Using ZLIB version: 1.2.3.4

       Rules Engine: SF_SNORT_DETECTION_ENGINE  Version 1.17  <Build 18>
       Rules Object: specific-threats  Version 1.0  <Build 1>
       Rules Object: chat  Version 1.0  <Build 1>
       Rules Object: multimedia  Version 1.0  <Build 1>
       Rules Object: web-client  Version 1.0  <Build 1>
       Rules Object: bad-traffic  Version 1.0  <Build 1>
       Rules Object: web-iis  Version 1.0  <Build 1>
       Rules Object: smtp  Version 1.0  <Build 1>
       Rules Object: web-activex  Version 1.0  <Build 1>
       Rules Object: dos  Version 1.0  <Build 1>
       Rules Object: web-misc  Version 1.0  <Build 1>
       Rules Object: p2p  Version 1.0  <Build 1>
       Rules Object: imap  Version 1.0  <Build 1>
       Rules Object: nntp  Version 1.0  <Build 1>
       Rules Object: netbios  Version 1.0  <Build 1>
       Rules Object: misc  Version 1.0  <Build 1>
       Rules Object: snmp  Version 1.0  <Build 1>
       Rules Object: exploit  Version 1.0  <Build 1>
       Rules Object: icmp  Version 1.0  <Build 1>
       Preprocessor Object: SF_SIP  Version 1.1  <Build 1>
       Preprocessor Object: SF_SMTP  Version 1.1  <Build 9>
       Preprocessor Object: SF_SDF  Version 1.1  <Build 1>
       Preprocessor Object: SF_REPUTATION  Version 1.1  <Build 1>
       Preprocessor Object: SF_IMAP  Version 1.0  <Build 1>
       Preprocessor Object: SF_FTPTELNET  Version 1.2  <Build 13>
       Preprocessor Object: SF_DCERPC2  Version 1.0  <Build 3>
       Preprocessor Object: SF_SSLPP  Version 1.1  <Build 4>
       Preprocessor Object: SF_DNP3  Version 1.1  <Build 1>
       Preprocessor Object: SF_POP  Version 1.0  <Build 1>
       Preprocessor Object: SF_DNS  Version 1.1  <Build 4>
       Preprocessor Object: SF_MODBUS  Version 1.1  <Build 1>
       Preprocessor Object: SF_SSH  Version 1.1  <Build 3>
       Preprocessor Object: SF_GTP  Version 1.1  <Build 1>

Commencing packet processing (pid=2825)

^C*** Caught Int-Signal

Run time for packet processing was 361.44864 seconds
Snort processed 138 packets.
Snort ran for 0 days 0 hours 6 minutes 1 seconds
Pkts/min: 23

Pkts/sec: 0

Packet I/O Totals:
Received: 138
Analyzed: 138 (100.000%)
Dropped: 0 ( 0.000%)
Filtered: 0 ( 0.000%)
Outstanding: 0 ( 0.000%)

Injected: 0

Breakdown by protocol (includes rebuilt packets):
Eth: 138 (100.000%)
VLAN: 0 ( 0.000%)
IP4: 102 ( 73.913%)
Frag: 0 ( 0.000%)
ICMP: 78 ( 56.522%)
UDP: 24 ( 17.391%)
TCP: 0 ( 0.000%)
IP6: 0 ( 0.000%)
IP6 Ext: 0 ( 0.000%)
IP6 Opts: 0 ( 0.000%)
Frag6: 0 ( 0.000%)
ICMP6: 0 ( 0.000%)
UDP6: 0 ( 0.000%)
TCP6: 0 ( 0.000%)
Teredo: 0 ( 0.000%)
ICMP-IP: 0 ( 0.000%)
IP4/IP4: 0 ( 0.000%)
IP4/IP6: 0 ( 0.000%)
IP6/IP4: 0 ( 0.000%)
IP6/IP6: 0 ( 0.000%)
GRE: 0 ( 0.000%)
GRE Eth: 0 ( 0.000%)
GRE VLAN: 0 ( 0.000%)
GRE IP4: 0 ( 0.000%)
GRE IP6: 0 ( 0.000%)
GRE IP6 Ext: 0 ( 0.000%)
GRE PPTP: 0 ( 0.000%)
GRE ARP: 0 ( 0.000%)
GRE IPX: 0 ( 0.000%)
GRE Loop: 0 ( 0.000%)
MPLS: 0 ( 0.000%)
ARP: 36 ( 26.087%)
IPX: 0 ( 0.000%)
Eth Loop: 0 ( 0.000%)
Eth Disc: 0 ( 0.000%)
IP4 Disc: 0 ( 0.000%)
IP6 Disc: 0 ( 0.000%)
TCP Disc: 0 ( 0.000%)
UDP Disc: 0 ( 0.000%)
ICMP Disc: 0 ( 0.000%)
All Discard: 0 ( 0.000%)
Other: 0 ( 0.000%)
Bad Chk Sum: 0 ( 0.000%)
Bad TTL: 0 ( 0.000%)
S5 G 1: 0 ( 0.000%)
S5 G 2: 0 ( 0.000%)

Total: 138

Action Stats:
Alerts: 24 ( 17.391%)
Logged: 24 ( 17.391%)
Passed: 0 ( 0.000%)
Limits:
Match: 0
Queue: 0
Log: 0
Event: 0
Alert: 0
Verdicts:
Allow: 138 (100.000%)
Block: 0 ( 0.000%)
Replace: 0 ( 0.000%)
Whitelist: 0 ( 0.000%)
Blacklist: 0 ( 0.000%)
Ignore: 0 ( 0.000%)

Frag3 statistics:
Total Fragments: 0
Frags Reassembled: 0
Discards: 0
Memory Faults: 0
Timeouts: 0
Overlaps: 0
Anomalies: 0
Alerts: 0
Drops: 0
FragTrackers Added: 0
FragTrackers Dumped: 0
FragTrackers Auto Freed: 0
Frag Nodes Inserted: 0
Frag Nodes Deleted: 0

Stream5 statistics:
Total sessions: 0
TCP sessions: 0
UDP sessions: 0
ICMP sessions: 0
IP sessions: 0
TCP Prunes: 0
UDP Prunes: 0
ICMP Prunes: 0
IP Prunes: 0
TCP StreamTrackers Created: 0
TCP StreamTrackers Deleted: 0
TCP Timeouts: 0
TCP Overlaps: 0
TCP Segments Queued: 0
TCP Segments Released: 0
TCP Rebuilt Packets: 0
TCP Segments Used: 0
TCP Discards: 0
TCP Gaps: 0
UDP Sessions Created: 0
UDP Sessions Deleted: 0
UDP Timeouts: 0
UDP Discards: 0
Events: 0
Internal Events: 0
TCP Port Filter
Dropped: 0
Inspected: 0
Tracked: 0
UDP Port Filter
Dropped: 0
Inspected: 24
Tracked: 0

SMTP Preprocessor Statistics
Total sessions : 0
Max concurrent sessions : 0

dcerpc2 Preprocessor Statistics
Total sessions: 0

SIP Preprocessor Statistics
Total sessions: 0

Reputation Preprocessor Statistics
Total Memory Allocated: 0

Can anybody help me?

barnyard2 spec in 2-1.13 git file points to the older compressed tarball source file.

Hi

I have done a git clone of barnyard2 on my server. The issue is that when I am building RPM binaries on CentOS 6.4 using the barnyard2 spec file located inside the rpms directory, it points to the 2-1.9 compressed tarball source file instead of the 2-1.12 or 2-1.13 version. Any suggestions, please, on how to get 2-1.13 stable version RPM binaries for CentOS 6.4?

Regards,

Kaushal

Barnyard2 does not read the output of snort - mysql empty

Hello all,

Like many people, Barnyard2 does not read logs from Snort. But I don't understand why. Some help is welcome.

I use:

Version 2.9.4 GRE (Build 40)
Barnyard2 - version 2-1.13

I test with only one local rule, which is:

alert icmp any any -> any any (msg: "test ICMP"; sid: 10000001;)

I tried with rev: 1; but it's not better.

When I run Snort, I can see the ICMP alerts.

#  snort -A console -q -u snort -g snort -c /etc/snort/snort.conf -i eth0
05/23-09:55:37.102206  [**] [1:10000001:1] test ICMP [**] [Priority: 0] {ICMP} 10.70.0.121 -> 10.70.0.178
05/23-09:55:37.102224  [**] [1:10000001:1] test ICMP [**] [Priority: 0] {ICMP} 10.70.0.178 -> 10.70.0.121
05/23-09:55:38.102885  [**] [1:10000001:1] test ICMP [**] [Priority: 0] {ICMP} 10.70.0.121 -> 10.70.0.178

And Barnyard2 is waiting for new data:

barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort -f snort.log -w /var/log/snort/barnyard2.waldo
[...]
barnyard2: Closing spool file '/var/log/snort/snort.log.1369295582'. Read 0 records
barnyard2: Opened spool file '/var/log/snort/snort.log.1369295736'
barnyard2: Waiting for new data

ls -l /var/log/snort
-rw-------  1 snort snort    384 May 23 09:55 snort.log.1369295736

But my database is empty

    mysql> select * from event;
    Empty set (0.00 sec)

Where

mysql> select * from sensor;
+-----+----------------+-----------+--------+--------+----------+----------+
| sid | hostname       | interface | filter | detail | encoding | last_cid |
+-----+----------------+-----------+--------+--------+----------+----------+
|   1 | localhost:eth0 | eth0      | NULL   |      1 |        0 |        0 |
+-----+----------------+-----------+--------+--------+----------+----------+
1 row in set (0.00 sec)

Below is my config:

Snort:

# unified2
# Recommended for most installs
output unified2: filename snort.log, limit 128

Barnyard2:

 output database: alert, mysql, user=snort password=******** dbname=snort host=localhost

Do you see a mistake somewhere?
Thanks in advance.

MySQL wait_timeout and Transaction Errors

I recently experienced unexplained transaction errors, ending up with barnyard quitting after the default transaction error threshold, which didn't fit any of the well-known issues like duplicate sensors, permission issues, etc.

After debugging to follow the function path, I realized that my problem was with my mysql config having a wait_timeout of 300 seconds (default is 28800) and my low event rate. As you would expect, whenever the events were spaced more than 300 seconds apart there would be a transaction error, and then in the next transaction the event would be inserted. Leaving wait_timeout at the default would of course fix it, or just setting a more reasoned value would fix it as well, as long as the event rate was higher than that value.

The reason it even matters, I guess, is that the transaction error threshold never gets reset with a successful transaction now (2-1.11). I understand that it may have caused loops, but it is conceivable for there to be transaction errors that over a period of time kill the process and that don't have to be due to the wait_timeout.

Also I think (correct me if I'm wrong) the transaction error threshold only applies to events and not to processing signature information or other db-related functions. So in the case of processing a never-before-seen signature, the process will immediately quit as the transaction error occurred during the signature cache update (again, correct me if I'm wrong).

This can be pretty confusing and I wonder if this hasn't happened for others before.

Possible solutions:

  1. Do nothing and just be aware of it. Monitor with a script through crontab.
  2. Check the wait_timeout value that is set and keep track of the time the last event was inserted. If the wait_timeout value is exceeded make sure to do a full reconnect to the database before beginning the next transaction and eliminate (assuming nothing else went wrong) an unnecessary transaction error.
  3. Allow transaction errors to be reset with a successful transaction and figure out the loop case that required it to be commented out (if not all db operations allow reconnection this wouldn't help completely).

I suppose there are other ways to deal with it but just putting it out there since a lot of mysql tuning recommendations involve lowering the wait_timeout to prevent too many connections sitting idle in memory.

Also I can understand you won't lose events from barnyard2 quitting, but if you are relying on SnortSam it might help to have less uncertainty.
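The interaction the post describes, as an added simulation that is not barnyard2's spo_database.c nor anything from the project: a constructed event stream is fed through a connection that the server closes after wait_timeout seconds of idleness, with the post's proposals 2 and 3 as switches and the page's numbers (300 s timeout, error limit 10). Every type and function name, and the connection model itself, is an assumption made for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <time.h>

/* Hypothetical model, not barnyard2 code: the server's wait_timeout, the spooler's
 * transaction error limit (the page's log shows it defaulting to 10) and the post's
 * proposals 2 and 3 as switches. */
typedef struct {
    unsigned wait_timeout;   /* MySQL wait_timeout in seconds; 0 = unknown */
    unsigned error_limit;    /* transaction errors before the spooler gives up */
    bool reset_on_success;   /* proposal 3: a successful transaction clears the counter */
    bool reconnect_if_idle;  /* proposal 2: reconnect first if idle >= wait_timeout */
} db_policy_t;

typedef struct {             /* client-side view of one database connection */
    time_t last_activity;    /* time of the last successful statement */
    unsigned error_count;    /* transaction errors counted against error_limit */
    bool connected;
} db_conn_t;

typedef struct {
    unsigned transaction_errors; /* errors the spooler would have logged */
    unsigned inserted;           /* events that reached the database */
    bool process_died;           /* error limit reached: the spooler quits */
} sim_result_t;

/* Seconds since the last successful statement (0 if the clock stepped backwards). */
static unsigned long idle_seconds(const db_conn_t *c, time_t now)
{
    return now < c->last_activity ? 0 : (unsigned long)(now - c->last_activity);
}

/* Proposal 2: a connection idle for wait_timeout seconds or more has been (or is about
 * to be) closed by the server, so reconnect before using it rather than after failing. */
static bool db_should_reconnect(const db_conn_t *c, const db_policy_t *p, time_t now)
{
    if (!c->connected)
        return true;
    return p->wait_timeout != 0 && idle_seconds(c, now) >= p->wait_timeout;
}

/* Server side of the model: an idle connection is closed silently after
 * wait_timeout seconds, so the client's next statement fails. */
static bool server_dropped_connection(const db_conn_t *c, const db_policy_t *p, time_t now)
{
    return p->wait_timeout != 0 && idle_seconds(c, now) >= p->wait_timeout;
}

/* Insert one event at time `now`. Returns true if it reached the database. */
static bool db_insert_event(db_conn_t *c, const db_policy_t *p, time_t now, sim_result_t *r)
{
    if (p->reconnect_if_idle && db_should_reconnect(c, p, now)) {
        c->connected = true;              /* fresh connection, no error counted */
        c->last_activity = now;
    }
    if (!c->connected || server_dropped_connection(c, p, now)) {
        /* Transaction error: counted against the limit. The spooler then reconnects
         * and, as the post observed, the same event goes in with the next attempt. */
        r->transaction_errors++;
        c->error_count++;
        if (c->error_count >= p->error_limit) {
            r->process_died = true;
            return false;
        }
        c->connected = true;
        c->last_activity = now;
    }
    c->last_activity = now;               /* statement succeeded */
    if (p->reset_on_success)
        c->error_count = 0;
    r->inserted++;
    return true;
}

/* Feed event timestamps through the model; `connect_time` starts the idle clock. */
sim_result_t simulate_event_stream(time_t connect_time, const time_t *event_times,
                                   size_t n, db_policy_t policy)
{
    sim_result_t r = {0, 0, false};
    db_conn_t conn = { connect_time, 0, true };
    for (size_t i = 0; i < n && !r.process_died; i++)
        db_insert_event(&conn, &policy, event_times[i], &r);
    return r;
}

/* The post's scenario: n events, each `gap` seconds after the previous one
 * (the first one `gap` seconds after connecting). */
sim_result_t simulate_spaced_events(time_t connect_time, unsigned gap, size_t n, db_policy_t policy)
{
    time_t times[64];
    if (n > 64) n = 64;
    for (size_t i = 0; i < n; i++)
        times[i] = connect_time + (time_t)((i + 1) * gap);
    return simulate_event_stream(connect_time, times, n, policy);
}
```

With a 300 s wait_timeout and events 400 s apart, the as-shipped policy (no reset, no proactive reconnect) dies after the tenth error with nine events inserted; resetting on success keeps the process alive but still logs one error per event, and the proactive reconnect removes the errors entirely.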

unable to write to mysql database

It appears barnyard2 is unable to write to mysql as I have it configured. Snort is running OK on CentOS 6.3 as per a doc on snort.org; I followed the directions I found at http://polaris.umuc.edu/~sgantz/Install.html for the barnyard config, yet I still see this message:

--== Initializing Barnyard2 ==--
Initializing Input Plugins!
Initializing Output Plugins!
Parsing config file "/etc/snort/barnyard2.conf"
Barnyard2 spooler: Event cache size set to [2048]
Log directory = /var/log/barnyard2
INFO database: Defaulting Reconnect/Transaction Error limit to 10
INFO database: Defaulting Reconnect sleep time to 5 second
database: [SynchronizeEventId()]: Problems executing [SELECT MAX(cid) FROM data WHERE sid='1';]
database: [SynchronizeEventId()]: Problems executing [SELECT MAX(cid) FROM event WHERE sid='1';]
database: [SynchronizeEventId()]: Problems executing [SELECT MAX(cid) FROM icmphdr WHERE sid='1';]
database: [SynchronizeEventId()]: Problems executing [SELECT MAX(cid) FROM iphdr WHERE sid='1';]
database: [SynchronizeEventId()]: Problems executing [SELECT MAX(cid) FROM opt WHERE sid='1';]
database: [SynchronizeEventId()]: Problems executing [SELECT MAX(cid) FROM tcphdr WHERE sid='1';]
database: [SynchronizeEventId()]: Problems executing [SELECT MAX(cid) FROM udphdr WHERE sid='1';]
[SignatureReferencePullDataStore()]: No Reference found in database ...
database: compiled support for (mysql)
database: configured to use mysql
database: schema version = 107
database: host = localhost
database: user = snort
database: database name = snort
database: sensor name = localhost:eth0
database: sensor id = 1
database: sensor cid = 1
database: data encoding = hex
database: detail level = full
database: ignore_bpf = no
database: using the "log" facility

    --== Initialization Complete ==--

  ______   -*> Barnyard2 <*-
 / ,,_  \  Version 2.1.11 (Build 317)
 |o"  )~|  By Ian Firns (SecurixLive): http://www.securixlive.com/

WARNING: Ignoring corrupt/truncated waldofile '/var/log/snort/barnyard2.waldo'
Waiting for new spool file

and it doesn't appear to be writing to mysql.

Segfault in dbProcessEventInformation()

Getting a fairly consistent segfault with latest barnyard2 using the database output plugin connected to mysql.

Compile options:
./configure --prefix=/usr --sysconfdir=/etc/barnyard2 --with-mysql-libraries=/usr/lib/x86_64-linux-gnu --enable-mysql-ssl-support --enable-debug

Startup arguments:
-D -c /etc/barnyard2/barnyard.conf -d /var/log/barnyard2 -w /var/log/barnyard2/barnyard2.waldo -l /var/log/barnyard2 -f unified2.alert -i eth1

$ barnyard2 -V

  ______   -*> Barnyard2 <*-
 / ,,_  \  Version 2.1.11 (Build 318) DEBUG
 |o"  )~|  By Ian Firns (SecurixLive): http://www.securixlive.com/
 + '''' +  (C) Copyright 2008-2012 Ian Firns <[email protected]>

Output from gdb:

0x000000000043953a in dbProcessEventInformation (data=0x7ffff7f87010, p=0x3a79cc0, event=0x3a78760, event_type=7, i_sig_id=375) at spo_database.c:2001
2001    spo_database.c: No such file or directory.
(gdb) bt full
#0  0x000000000043953a in dbProcessEventInformation (data=0x7ffff7f87010, p=0x3a79cc0, event=0x3a78760, event_type=7, i_sig_id=375) at spo_database.c:2001
        SQLQueryPtr = 0x33e4400 ""
        i = 0
        __FUNCTION__ = "dbProcessEventInformation"
#1  0x000000000043a4bc in Database (p=0x3a79cc0, event=0x3a78760, event_type=7, arg=0x7ffff7f87010) at spo_database.c:2494
        data = 0x7ffff7f87010
        CurrentQuery = 0x0
        sig_id = 375
        itr = 0
        SQLMaxQuery = 0
        __FUNCTION__ = "Database"
        sid = 2200035
        gid = 1
        revision = 1
        event_id = 2473594
        event_second = 1357679520
        event_microsecond = 25801
#2  0x000000000041d9ac in CallOutputPlugins (out_type=OUTPUT_TYPE__SPECIAL, packet=0x3a79cc0, event=0x3a78760, event_type=7) at plugbase.c:573
        idx = 0xb4c540
#3  0x000000000041ebf3 in spoolerProcessRecord (spooler=0x2caa0f0, fire_output=1) at spooler.c:701
        event_id = 2473594
        pkth = {ts = {tv_sec = 1357679520, tv_usec = 25801}, caplen = 136, len = 136}
        type = 2
        ernCache = 0x3a78650
#4  0x000000000041e731 in ProcessContinuous (dirpath=0x6bbacc "/var/log/barnyard2", filebase=0x6bbecc "unified2.alert", record_start=0, timestamp=1357678214) at spooler.c:533
        spooler = 0x2caa0f0
        ret = 0
        pc_ret = 0
        new_file_available = 0
        waiting_logged = 0
        skipped = 0
        extension = 1357678213
        waldo_timestamp = 1357621019
#5  0x000000000041e956 in ProcessContinuousWithWaldo (waldo=0x6bb6c4) at spooler.c:621
No locals.
#6  0x0000000000403d62 in Barnyard2Main (argc=14, argv=0x7fffffffe178) at barnyard2.c:374
No locals.
#7  0x0000000000403b8a in main (argc=14, argv=0x7fffffffe178) at barnyard2.c:285
No locals.

Rule that is causing the problem:

alert pkthdr any any -> any any (msg:"SURICATA TCP invalid option length"; decode-event:tcp.invalid_optlen; sid:2200035; rev:1;)

Assistance getting this resolved would be appreciated.

alert_fwsam output plugin is called late

Hello,

Trying to figure out why there was such a delay (varying from a few milliseconds to a few seconds) between a snort alert and the corresponding IP address being blocked by snortsam, I noticed that barnyard2 calls the output plugins in sequence and the alert_fwsam one last in my case (after "Database" and "Sguil" which are potentially slow ones).

Moving the "output" line in barnyard2.conf for alert_fwsam to the top didn't help.

Then, I looked at the code, and noticed that the "alert" type plugins were called first, and then the "log" ones.

If I modify the source code

--- output-plugins/spo_alert_fwsam.c~   2012-05-01 09:51:52.592711406 +0100
+++ output-plugins/spo_alert_fwsam.c    2012-05-01 09:52:05.348792507 +0100
@@ -593,7 +593,7 @@
 #endif

     /* Set the preprocessor function into the function list */
-    AddFuncToOutputList(AlertFWsam, OUTPUT_TYPE__LOG, fwsamlist);
+    AddFuncToOutputList(AlertFWsam, OUTPUT_TYPE__ALERT, fwsamlist);
     AddFuncToCleanExitList(AlertFWsamCleanExitFunc, fwsamlist);
     AddFuncToRestartList(AlertFWsamRestartFunc, fwsamlist);
 }
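Review bot: the switch from OUTPUT_TYPE__LOG to OUTPUT_TYPE__ALERT in the AddFuncToOutputList call hard-codes the dispatch order for every deployment of this plugin; since, as the issue text notes, the difference between the two lists in this path is only that alert-type plugins run before log-type ones, consider making the list a plugin argument (or a config option) so sites that want blocking to happen after the database and Sguil outputs keep the old behaviour. The comment above the changed line, "Set the preprocessor function into the function list", describes an output function, not a preprocessor; worth correcting while touching the line.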

Then, it still works, and I'm able to have alert_fwsam be called first, which reduces the delay.

The other source of delay seems to be the "tail -f" way in which barnyard2 reads the snort unified2 file. I'll raise a feature request issue for that.

1.13: adding waldo_spool_dir and waldo_spool_filebase

The program doesn't work well without the waldo.data.spool_dir and waldo.data.spool_filebase struct values filled in... here's an easy way of doing it in the barnyard2.conf file:

# define the full waldo filepath.
#
config waldo_file: /tmp/barnyard2_waldo

# define the full waldo spool directory.
#
config waldo_spool_dir: /suricata/logs

# define the alert filebase. The '.<number>' is added by barnyard2
# i.e. unified2.alert
#
config waldo_spool_filebase: unified2.alert

Here's the code to support it:

--- barnyard2-1.13.orig/src/parser.c    Mon May 27 14:04:34 2013
+++ barnyard2-1.13/src/parser.c Wed Aug 14 14:47:06 2013
@@ -209,9 +209,7 @@
     { CONFIG_OPT__OBFUSCATE, 0, 1, ConfigObfuscate },
     { CONFIG_OPT__SIGSUPPRESS,0,0,ConfigSigSuppress},
     /* XXX We can configure this on the command line - why not in config file ??? */
-#ifdef NOT_UNTIL_WE_DAEMONIZE_AFTER_READING_CONFFILE
     { CONFIG_OPT__PID_PATH, 1, 1, ConfigPidPath },
-#endif
     { CONFIG_OPT__PROCESS_NEW_RECORDS_ONLY, 0, 1, ConfigProcessNewRecordsOnly },
     { CONFIG_OPT__QUIET, 0, 1, ConfigQuiet },
     { CONFIG_OPT__REFERENCE, 1, 0, ConfigReference },
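Review bot: removing the #ifdef NOT_UNTIL_WE_DAEMONIZE_AFTER_READING_CONFFILE guard around the CONFIG_OPT__PID_PATH entry is unrelated to the waldo options this patch adds and is not mentioned in the description; the guard's name records why the option was kept out of the config file (the process daemonizes before the config file is read, so a pid_path taken from it would apply too late), and nothing in this hunk addresses that. Split it into its own change with a justification, or drop it from this patch.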
@@ -225,6 +223,8 @@
     { CONFIG_OPT__UTC, 0, 1, ConfigUtc },
     { CONFIG_OPT__VERBOSE, 0, 1, ConfigVerbose },
     { CONFIG_OPT__WALDO_FILE, 1, 0, ConfigWaldoFile },
+    { CONFIG_OPT__WALDO_SPOOL_DIR, 1, 0, ConfigWaldoSpoolDir },
+    { CONFIG_OPT__WALDO_SPOOL_FILEBASE, 1, 0, ConfigWaldoSpoolFilebase },
 #ifdef MPLS
     { CONFIG_OPT__MAX_MPLS_LABELCHAIN_LEN, 0, 1, ConfigMaxMplsLabelChain },
     { CONFIG_OPT__MPLS_PAYLOAD_TYPE, 0, 1, ConfigMplsPayloadType },
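Review bot: the two new table entries mirror the `1, 0` flags of CONFIG_OPT__WALDO_FILE, which is the right model, but the new waldo_spool_dir and waldo_spool_filebase keywords also need to be documented in the sample barnyard2.conf shipped with the project; the three config lines in the issue text show the intended syntax and could be added verbatim.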
@@ -2219,7 +2219,28 @@
     bc->waldo.state |= WALDO_STATE_ENABLED;
 }

+void ConfigWaldoSpoolDir(Barnyard2Config *bc, char *args)
+{
+    if ((args == NULL) || (bc == NULL) )
+        return;

+    if ( SnortSnprintf(bc->waldo.data.spool_dir, STD_BUF, "%s", args) != SNORT_SNPRINTF_SUCCESS )
+        FatalError("barnyard2: waldo spooldir too long\n");
+
+    bc->waldo.state |= WALDO_STATE_ENABLED;
+}
+
+void ConfigWaldoSpoolFilebase(Barnyard2Config *bc, char *args)
+{
+    if ((args == NULL) || (bc == NULL) )
+        return;
+
+    if ( SnortSnprintf(bc->waldo.data.spool_filebase, STD_BUF, "%s", args) != SNORT_SNPRINTF_SUCCESS )
+        FatalError("barnyard2: waldo spool filebase too long\n");
+
+    bc->waldo.state |= WALDO_STATE_ENABLED;
+}
+
 void DisplaySigSuppress(SigSuppress_list **sHead)
 {
     if(sHead == NULL)
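Review bot: both new handlers pass STD_BUF as the destination size to SnortSnprintf when writing into bc->waldo.data.spool_dir and bc->waldo.data.spool_filebase, which is only safe if those fields are declared with exactly that size; use sizeof(bc->waldo.data.spool_dir) (and the same for spool_filebase) so the copy cannot overflow if the struct definition differs from STD_BUF or changes later. Also, setting WALDO_STATE_ENABLED from these handlers marks the waldo enabled even when waldo_file was never configured and the waldo file path is still empty; either require waldo_file before setting the bit, or leave the state change to ConfigWaldoFile.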
--- barnyard2-1.13.orig/src/parser.h    Mon May 27 14:04:34 2013
+++ barnyard2-1.13/src/parser.h Wed Aug 14 14:44:59 2013
@@ -76,6 +76,8 @@
 #define CONFIG_OPT__UTC                             "utc"
 #define CONFIG_OPT__VERBOSE                         "verbose"
 #define CONFIG_OPT__WALDO_FILE                      "waldo_file"
+#define CONFIG_OPT__WALDO_SPOOL_DIR                 "waldo_spool_dir"
+#define CONFIG_OPT__WALDO_SPOOL_FILEBASE            "waldo_spool_filebase"
 #define CONFIG_OPT__SIGSUPPRESS                     "sig_suppress"
 #ifdef MPLS
 # define CONFIG_OPT__MAX_MPLS_LABELCHAIN_LEN        "max_mpls_labelchain_len"
@@ -147,6 +149,8 @@
 void ConfigUtc(Barnyard2Config *, char *);
 void ConfigVerbose(Barnyard2Config *, char *);
 void ConfigWaldoFile(Barnyard2Config *, char *);
+void ConfigWaldoSpoolDir(Barnyard2Config *, char *);
+void ConfigWaldoSpoolFilebase(Barnyard2Config *, char *);
 void ConfigSetEventCacheSize(Barnyard2Config *, char *);
 #ifdef MPLS
 void ConfigMaxMplsLabelChain(Barnyard2Config *, char *);

Massive delay at barnyard2-1.11 startup

I'm running snort + barnyard2 on FreeBSD, in a multi-site, multi-interface setup.
From a high level, there are multiple exit points being monitored (COA, COB, COC, etc.),
and multiple snort processes (one per interface) watching various aspects of the
installation's networks (QQQ, RRR, SSS, etc). All of the RRR sensors feed into a
single DB for RRR; likewise for QQQ, SSS, etc. We have been working on a transition
from MySQL to PostgreSQL, and thus build barnyard2 with support for BOTH.

I upgraded our FreeBSD sensors to Snort 2.9.3.1 recently, and that pulled in barnyard2-1.10
from the FreeBSD ports tree. For the sites using PostgreSQL, the process died during
the initialization phase. Based on some reading of google groups & other mailing lists,
this appeared to be related to building the metadata cache in barnyard2, and seemed to
be fixed in 1.11 for several people. So, I duct taped the 1.11 code into the ports
framework, got a clean build, and installed the homegrown barnyard2-1.11 on my sensor.

As others have reported on several mailing lists, I noticed the massive spike at
startup as the cache is built (85-100% of one CPU for ~10 minutes). Once I let that
clear, I could see the monitored unified2 files were growing, but no alerts were
showing up in the DB for some sensors (RRR), but things were fine for others (QQQ, SSS).
All of this was observed on a single machine. I decided to take a fresh look in
the morning, since the alerts were not lost, just spooled to disk & needing to be
processed.

Chasing this down in the morning, I found the following:

Nov  8 19:46:57 lacrosse barnyard2[13455]: Daemon initialized, signaled parent pid: 13360
Nov  8 22:25:28 lacrosse barnyard2[13455]:         --== Initialization Complete ==--
Nov  8 22:25:28 lacrosse barnyard2[13455]: Waiting for new data

OVER 2.5 HOURS to complete initialization!

I'd like to help understand and fix whatever is causing this, but a 2 hour startup delay is not a viable situation. We run a large rule set, and update frequently, so this delay has a large impact on our operations.

I've included the things I believe to be critical to this report below; please let me know if there is anything else that I can provide to help.

MrSecure

[user@lacrosse]-~ > grep 13455 /var/log/all.log
Nov 8 19:46:57 lacrosse barnyard2[13455]: Daemon initialized, signaled parent pid: 13360
Nov 8 19:46:57 lacrosse barnyard2[13455]: PID path stat checked out ok, PID path set to /var/log/snort/RRR/
Nov 8 19:46:57 lacrosse barnyard2[13455]: Writing PID "13455" to file "/var/log/snort/RRR//barnyard2_spanRRR.pid"
Nov 8 19:49:48 lacrosse barnyard2[13455]: database: [SynchronizeEventId()]: Problems executing [SELECT MAX(cid) FROM icmphdr WHERE sid='4';]
Nov 8 22:25:28 lacrosse barnyard2[13455]: database: compiled support for (postgresql)
Nov 8 22:25:28 lacrosse barnyard2[13455]: database: configured to use mysql
Nov 8 22:25:28 lacrosse barnyard2[13455]: database: schema version = 107
Nov 8 22:25:28 lacrosse barnyard2[13455]: database: host = db1
Nov 8 22:25:28 lacrosse barnyard2[13455]: database: user = snort_RRR
Nov 8 22:25:28 lacrosse barnyard2[13455]: database: database name = SnortRRR
Nov 8 22:25:28 lacrosse barnyard2[13455]: database: sensor name = RRR-COB
Nov 8 22:25:28 lacrosse barnyard2[13455]: database: sensor id = 4
Nov 8 22:25:28 lacrosse barnyard2[13455]: database: sensor cid = 1231
Nov 8 22:25:28 lacrosse barnyard2[13455]: database: data encoding = hex
Nov 8 22:25:28 lacrosse barnyard2[13455]: database: detail level = full
Nov 8 22:25:28 lacrosse barnyard2[13455]: database: ignore_bpf = yes
Nov 8 22:25:28 lacrosse barnyard2[13455]: database: using the "log" facility
Nov 8 22:25:28 lacrosse barnyard2[13455]:
Nov 8 22:25:28 lacrosse barnyard2[13455]: --== Initialization Complete ==--
Nov 8 22:25:28 lacrosse barnyard2[13455]: Barnyard2 initialization completed successfully (pid=13455)
Nov 8 22:25:28 lacrosse barnyard2[13455]: Using waldo file '/var/log/snort/RRR/bylog.waldo': spool directory = /var/log/snort/RRR spool filebase = unified2 time_stamp = 1352412703 record_idx = 0
Nov 8 22:25:28 lacrosse barnyard2[13455]: Opened spool file '/var/log/snort/RRR/unified2.1352412703'
Nov 8 22:25:28 lacrosse barnyard2[13455]: Waiting for new data
[user@lacrosse]-~ > uname -rm
8.1-RELEASE-p7 amd64
[user@lacrosse]-~ > /usr/local/bin/barnyard2 --version

  ______   -*> Barnyard2 <*-
 / ,,_  \  Version 2.1.11 (Build 315)
 |o"  )~|  By Ian Firns (SecurixLive): http://www.securixlive.com/

[user@lacrosse]-~ > grep -v ^# /usr/local/snort/etc/config-RRR/by2-COB.conf | tr -s "\n"

config reference_file: /usr/local/snort/etc/reference.config
config classification_file: /usr/local/snort/etc/classification.config
config gen_file: /usr/local/snort/etc/gen-msg.map
config sid_file: /usr/local/snort/etc/sid-msg.map
config daemon
config set_gid: snort
config set_uid: snort
input unified2
output database: log, mysql, host=db1 user=snort_RRR password=MOOT dbname=SnortRRR sensor_name=RRR-COB ignore_bpf=1
[user@lacrosse]-~ >
[user@lacrosse]-~ > wc -l /usr/local/snort/etc/sid-msg.map
29487 /usr/local/snort/etc/sid-msg.map
[user@lacrosse]-~ > wc -l /usr/local/snort/etc/gen-msg.map
391 /usr/local/snort/etc/gen-msg.map
[user@lacrosse]-~ > wc -l /usr/local/snort/etc/reference.config
16 /usr/local/snort/etc/reference.config
[user@lacrosse]-~ > wc -l /usr/local/snort/etc/classification.config
67 /usr/local/snort/etc/classification.config
[user@lacrosse]-~ >
[user@lacrosse]-~ > snort --version

   ,,_     -*> Snort! <*-
  o"  )~   Version 2.9.3.1 IPv6 GRE (Build 40) FreeBSD
   ''''    By Martin Roesch & The Snort Team: http://www.snort.org/snort/snort-team
Copyright (C) 1998-2012 Sourcefire, Inc., et al.
Using libpcap version 1.2.1
Using PCRE version: 8.30 2012-02-04
Using ZLIB version: 1.2.3

[user@lacrosse]-~ >

Feature Request - alert_syslog log identifier is always snort but now other programs use barnyard2

Barnyard2 is now used by other programs that produce unified2 output but the syslog line identifier is always snort. I'm thinking of Sagan particularly, but it's possible that the other programs will one day have need of the utility provided by barnyard2.

It would be good if it were possible to override the default of snort with a user configurable string.

I recently wrote a blog post about integrating Sagan with ELSA
http://infosecmatters.blogspot.co.uk/2013/01/elsa-with-sagan.html

One of the problems I encountered is that I can't separate the parsers for Sagan and Snort in ELSA because the identifier is always snort. If it was user configurable I could have used two different parsers, which would be safer and prevent impacting the Snort parser with the Sagan requirements.

Thanks for a great program.
Kind regards,
Andy

Feature Request- Sqlite

I'd like to request that Sqlite be added as an output plugin. Sqlite could be used in smaller HIDS types of roll-outs, as opposed to the more typical central or concentrated Snort/Suricata roll-outs.
Thanks!
-rich

Breakout each output plugin during ./configure

I think each output plugin needs to be broken out with its own --enable/--disable option at ./configure time. From a bug perspective this would help with IPv6 support. Right now BY2-1.9 will not build if --enable-ipv6 is passed during ./configure because it fails on spo_platypus (I do not even know what that output plugin is)...

spo_platypus.c: In function 'Platypus':
spo_platypus.c:301: error: 'Unified2IDSEvent6_legacy' undeclared (first use in this function)
spo_platypus.c:301: error: (Each undeclared identifier is reported only once
spo_platypus.c:301: error: for each function it appears in.)
spo_platypus.c:301: error: expected expression before ')' token
spo_platypus.c:302: error: expected expression before ')' token
spo_platypus.c:306: error: expected expression before ')' token
spo_platypus.c:308: error: expected expression before ')' token
spo_platypus.c:309: error: expected expression before ')' token
make[3]: *** [spo_platypus.o] Error 1
make[3]: *** Waiting for unfinished jobs....
make[3]: Leaving directory `/var/tmp/portage/net-analyzer/barnyard2-1.9/work/barnyard2-1.9/src/output-plugins'
make[2]: *** [all-recursive] Error 1
make[2]: Leaving directory `/var/tmp/portage/net-analyzer/barnyard2-1.9/work/barnyard2-1.9/src'
make[1]: *** [all-recursive] Error 1
make[1]: Leaving directory `/var/tmp/portage/net-analyzer/barnyard2-1.9/work/barnyard2-1.9'
make: *** [all] Error 2

I would like to see the ability to specify output plugins during ./configure with maybe a grouping for "core" output plugins:

--enable-core-spo for:

alert_fast
alert_full
alert_syslog
log_ascii
log_tcpdump

And then...

--enable-csv
--enable-aruba (currently exists)
--enable-bro (currently exists)
--enable-sguil
--enable-platypus
--enable-database
--enable-cef
--enable-prelude
--enable-test
--enable-null

Like I said, this would help with the fact that some output plugins support IPv6 and some do not. The same holds true for gre and mpls support. Not every output plugin is going to fully support these extensions.

Barnyard2 not log mysql

Hello all,

I installed snort and I installed barnyard2. I am trying snort and barnyard2, but barnyard2 does not write logs to mysql.

snort.conf:

# unified2
# Recommended for most installs

output unified2: filename snort.u2, limit 128

barnyard2.conf:

input unified2
output alert_fast: stdout
output database: log, mysql, user=snort password=test123 dbname=snort host=localhost

ls /var/log/snort/
alert barnyard.waldo

ls /var/log/barnyard2/
empty

tail -f /var/log/snort/alert

[**] [1:10000001:0] ICMP test [**]
[Priority: 0]
05/22-09:55:47.334925 187.10.132.44 -> 10.0.0.10
ICMP TTL:107 TOS:0x20 ID:28583 IpLen:20 DgmLen:56
Type:3 Code:3 DESTINATION UNREACHABLE: PORT UNREACHABLE
** ORIGINAL DATAGRAM DUMP:
10.0.0.10:58109 -> 187.10.132.44:26329
UDP TTL:111 TOS:0x0 ID:17611 IpLen:20 DgmLen:131
Len: 103 Csum: 0
** END OF DUMP

mysql> select * from sensor;
+-----+------------------------+-----------+--------+--------+----------+----------+
| sid | hostname               | interface | filter | detail | encoding | last_cid |
+-----+------------------------+-----------+--------+--------+----------+----------+
|   1 | snort:br0              | br0       | NULL   |      1 |        0 |        1 |
+-----+------------------------+-----------+--------+--------+----------+----------+
1 row in set (0.00 sec)

select * from event;
Empty set (0.00 sec)

What is the problem? Please help me.

Regards

Ozgur
