Hi all

I have barnyard2 not updating mysql database issue can some one help
to identify what i am doing wrong

I am running snort 2.9.2.1 installed from Source and Barnyard2-1.9 on
Fedora 16 and also tried on Ubuntu 11.10

in snort.conf i tried output as

output unified2: filename snort.u2, limit 128 and also
output unified2: filename snort.log, limit 128

in Barnyard.conf i have

input unified2
output database: log, mysql, user=snort password=snort dbname=snort
host=localhost

i am starting snort as

snort -c /etc/snort/snort.conf -i eth0 (it is thowing alerts and i
could see statistics when i stop snort)

i am starting barnyard2 as
 barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort -f snort.u2 -
w /etc/snort/barnyard2.waldo also tried
 barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort -f snort.log
-w /etc/snort/barnyard2.waldo

getting below error
=========================================================================== =====
Running in Continuous mode

        --== Initializing Barnyard2 ==--
Initializing Input Plugins!
Initializing Output Plugins!
Parsing config file "/etc/snort/barnyard2.conf"
Log directory = /var/log/barnyard2
database: compiled support for (mysql)
database: configured to use mysql
database: schema version = 107
database:           host = localhost
database:           user = snort
database:  database name = snort
database:    sensor name = localhost:em1
database:      sensor id = 1
database:     sensor cid = 1
database:  data encoding = hex
database:   detail level = full
database:     ignore_bpf = no
database: using the "log" facility

        --== Initialization Complete ==--

  ______   -*> Barnyard2 <*-
 / ,,_  \  Version 2.1.9 (Build 263)
 |o"  )~|  By the SecurixLive.com Team: http://www.securixlive.com/about.php
 + '''' +  (C) Copyright 2008-2010 SecurixLive.

           Snort by Martin Roesch & The Snort Team: http://www.snort.org/team.html
           (C) Copyright 1998-2007 Sourcefire Inc., et al.

WARNING: Ignoring corrupt/truncated waldofile '/etc/snort/
barnyard2.waldo'
Opened spool file '/var/log/snort/snort.log.1330754342'
Closing spool file '/var/log/snort/snort.log.1330754342'. Read 0
records
Opened spool file '/var/log/snort/snort.log.1330754559'
Closing spool file '/var/log/snort/snort.log.1330754559'. Read 0
records
Opened spool file '/var/log/snort/snort.log.1330755051'
Closing spool file '/var/log/snort/snort.log.1330755051'. Read 0
records
Opened spool file '/var/log/snort/snort.log.1330756107'
Closing spool file '/var/log/snort/snort.log.1330756107'. Read 0
records
Opened spool file '/var/log/snort/snort.log.1330756794'
Closing spool file '/var/log/snort/snort.log.1330756794'. Read 0
records
=========================================================================== ======

Are you sure you have data in the unified2 file you are reading.

If barnyard2 is seeing 0 record.
<SNIP>

</SNIP>

And on multiple file, mabey your files are empty.......

Is it possible?

-elz

thanks for your reply

no i am seeing some data in it but Barnyard is not showing any count
of records earlier and updating mysql database.

but now

I got interesting stuff, now i am trying with ubuntu 10 .04 and
barnyard2-v2-1.10-beta2.tar.gz

same probelm but when is enable these two lines snort.conf i am seeing
barnyard2 counting records but not updating mysql

snort.conf
========
output alert_unified2: filename snort.alert, limit 128
output log_unified2: filename snort.unified2, limit 128

barnyard2 shows as it sees records output
========================================================================
Running in Continuous mode

        --== Initializing Barnyard2 ==--
Initializing Input Plugins!
Initializing Output Plugins!
Parsing config file "/etc/snort/barnyard2.conf"
Log directory = /var/log/barnyard2
Last event seen for sid 1 was 0
database: compiled support for (mysql)
database: configured to use mysql
database: schema version = 107
database:           host = localhost
database:           user = snort
database:  database name = snort
database:    sensor name = localhost:eth0
database:      sensor id = 1
database:     sensor cid = 1
database:  data encoding = hex
database:   detail level = full
database:     ignore_bpf = no
database: using the "log" facility

        --== Initialization Complete ==--

  ______   -*> Barnyard2 <*-
 / ,,_  \  Version 2.1.10-beta2 (Build 266)
 |o"  )~|  By Ian Firns (SecurixLive): http://www.securixlive.com/
 + '''' +  (C) Copyright 2008-2011 Ian Firns <fir...@securixlive.com>

Using waldo file '/etc/snort/bylog.waldo':
    spool directory = /var/log/snort
    spool filebase  = snort.log
    time_stamp      = 1330783073
    record_idx      = 120
Opened spool file '/var/log/snort/snort.log.1330783073'
Waiting for new data
^C========================================================================= ======
Record Totals:
   Records:          120
    Events:            0 (0.000%)
   Packets:          120 (100.000%)
   Unknown:            0 (0.000%)
=========================================================================== ====
Packet breakdown by protocol (includes rebuilt packets):
      ETH: 120        (100.000%)
  ETHdisc: 0          (0.000%)
     VLAN: 0          (0.000%)
     IPV6: 0          (0.000%)
  IP6 EXT: 0          (0.000%)
  IP6opts: 0          (0.000%)
  IP6disc: 0          (0.000%)
      IP4: 120        (100.000%)
  IP4disc: 0          (0.000%)
    TCP 6: 0          (0.000%)
    UDP 6: 0          (0.000%)
    ICMP6: 0          (0.000%)
  ICMP-IP: 0          (0.000%)
      TCP: 0          (0.000%)
      UDP: 0          (0.000%)
     ICMP: 120        (100.000%)
  TCPdisc: 0          (0.000%)
  UDPdisc: 0          (0.000%)
  ICMPdis: 0          (0.000%)
     FRAG: 0          (0.000%)
   FRAG 6: 0          (0.000%)
      ARP: 0          (0.000%)
    EAPOL: 0          (0.000%)
  ETHLOOP: 0          (0.000%)
      IPX: 0          (0.000%)
    OTHER: 0          (0.000%)
  DISCARD: 0          (0.000%)
InvChkSum: 0          (0.000%)
   S5 G 1: 0          (0.000%)
   S5 G 2: 0          (0.000%)
    Total: 120
=========================================================================== ====

On Mar 3, 9:52 pm, beenph <bee...@gmail.com> wrote:

You should use
output unified2: filename xxxxx(filename prefix you want),limit
xxx(size limit you want)

My guess could be that you migth have wrong checksum somewhere.

Try run snort with -k none and see if you can process the unified2 file.

-elz

I had that same warning.h the past several times I compiled  snort and
barnyard on fedora
On Mar 3, 2012 9:20 AM, "beenph" <bee...@gmail.com> wrote:

Hi Been,

i tried running snort including -k none, it doesnt help

when i have the following line in snort.conf barnyard2 doesnt shows
records

output unified2: filename snort.u2, limit 128 (or)
output unified2: filename snort.log, limit 128

but if i have these lines in snort.conf  i seeing records counts when
i stop barnyards in statistics output

output alert_unified2: filename snort.alert, limit 128
output log_unified2: filename snort.unified2, limit 128

i am not sure what i am doing wrong which causes barnyard2 to output
to Mysql

thanks

On Mar 3, 10:20 pm, beenph <bee...@gmail.com> wrote:

Again you should use unified2 output with barnyard2 since the
"spooler" is not designed for the 3 mode available
in snort thus alert_unified2,log_unified2 and unified2.

1: Now make sure you are logging in a clean directory
2: make sure for testing purpose your running snort with -k none
3: enable syslog output plugin in barnyard2 at the same time as your
db output and watch your local syslog for information.

Also if you have time subscribe to barnyard2-users google group, since
snort ml is generaly used for snort only issue :)

Cheers, and hopefully seeing you on barnyard2-users

-elz

Thanks Elz,

i have joined Barnyard2 groups, i am checking currently with options
you have mentioned will update shortly.

On Mar 3, 11:38 pm, beenph <bee...@gmail.com> wrote:

Hi all,

Snort Version : 2.9.2.1 (Installed from source) Barnyard2 Version :
2-1.10-beta2 (firnsy-barnyard2-v2-1.10-beta2.tar.gz) tried also Barnyard2
version 2-1.9

I had same probelm barnyard2 not updating mysql database, when tried with
Fedora 16, now checking with Ubuntu 10.04 also not working

earlier i has installed barnyard2 and snort in Fedora 14 and it was working
fine without any issues

config settings now
===================

in /etc/snort/snort.conf
--------------------------------------------------------------------------
output unified2: filename snort.u2, limit 128
--------------------------------------------------------------------------

in /etc/snort/barnyard2.conf
--------------------------------------------------------------------------- --------------------------------------------------
input unified2
output alert_fast: stdout (default)
output database: log, mysql, user=snort password=snort dbname=snort
host=localhost
output alert_syslog: LOG_AUTH LOG_INFO
--------------------------------------------------------------------------- ------------------------------------------------------
running
 #snort -u snort -g snort -c /etc/snort/snort.conf -k none

 #barnyard2 -c /etc/snort/barnyard2.conf -u snort -g snort -d
/var/log/snort -f snort.u2 -w /etc/snort/bylog.waldo

and /var/log/snort directory i see snort.log.1330794042 file getting
created and when issue more snort.log.1330794042 i could see some letters
filled but
not in readable format, sure it is not blank file and verified mysql using
command below no events updated
-----------------------------------------------
mysql> select * from event;
Empty set (0.00 sec)
------------------------------------------------

each time i stop snort and start snort again new snort.log file is getting
created similar to snort.log.1330794042 in /var/log/snort

snort is actually showing alerts are there
==============================================
Action Stats:
     Alerts:         2570 (116.184%)
     Logged:         2570 (116.184%)
     Passed:            0 (  0.000%)
Limits:
      Match:            0
      Queue:            0
        Log:            0
      Event:            0
      Alert:            0
Verdicts:
      Allow:         2212 (100.000%)
      Block:            0 (  0.000%)
    Replace:            0 (  0.000%)
  Whitelist:            0 (  0.000%)
  Blacklist:            0 (  0.000%)
     Ignore:            0 (  0.000%)
============================================
Barnyard2 output

  ______   -*> Barnyard2 <*-
 / ,,_  \  Version 2.1.10-beta2 (Build 266)
 |o"  )~|  By Ian Firns (SecurixLive): http://www.securixlive.com/
 + '''' +  (C) Copyright 2008-2011 Ian Firns <fir...@securixlive.com>

Using waldo file '/etc/snort/bylog.waldo':
    spool directory = /var/log/snort
    spool filebase  = snort.log
    time_stamp      = 1330794612
    record_idx      = 0
Opened spool file '/var/log/snort/snort.log.1330794612'
Waiting for new data
===========================================
Record Totals:
   Records:            0
    Events:            0 (0.000%)
   Packets:            0 (0.000%)
   Unknown:            0 (0.000%)

Thanks looking into this issue
SR