Re: [Snort-users] Snort Install successful - Need a proper database

beenph

Nov 21, 2012, 1:34:03 PM
to wkit...@windstream.net, snort...@lists.sourceforge.net, barnyar...@googlegroups.com
On Wed, Nov 21, 2012 at 1:20 PM, waldo kitty <wkit...@windstream.net> wrote:
> On 11/21/2012 12:18, k vijay sai prashanth wrote:
>> All resolved now. Each time I start barnyard2 the events count is incremented.
>> So barnyard2 is feeding the events from snort to the mysql database. Thanks Ron.
>> Appreciate the advice. Sadly I am not sure which of the steps rectified the issue.
>>
>> The following are the changes I made which caused the installation to be successful:
>>
>> 1. output alert_fast to output alert_fast: stdout.
>> 2. changes in barnyard.conf
>> 3. Did a make clean on the barnyard2 installation and then did the ./configure
>> --with-mysql.
>> 4. changed the variables config hostname from thor to localhost.
>
> ahhh... if thor is the name of the host machine that the database and
> barnyard2 live on, then i would say that the problem was your mysql is/was not
> configured to look for connections on all interfaces... by default, mysql allows
> only connections from localhost but this is easily changed :)

Barnyard2 hostname is simply a configuration that will allow your barnyard2
process to have a specific sid (sensor_id) in the database.

If you have multiple instances of barnyard2 on the same system you can
use the same hostname, but you have to define different interfaces, else they
will use the same sid and you could have cid collisions (which is bad).

If you have sensors on two different systems then you should use
different hostnames to avoid the same type of collision,
especially if you have the same interface defined in barnyard2.conf, e.g. eth0.


>
> FWIW: your barnyard log file should have shown the attempts to connect to mysql
> on thor as failing if this was the problem...
>
>> 5. And make sure when you run barnyard2 using the below command the snort
>> process must already be running.
>
> BY2 should be able to come up and execute while noticing that mysql is not
> available yet... it should then notice when mysql does become available... but
> for simplicity, on boot up i would start snort and mysql before starting BY2...
> maybe even looking for the PIDs of those tasks before starting BY2... both have
> to be running before BY2 can perform any /meaningful/ task(s)... ;)
>

If the database server is not UP, and barnyard2 is configured to output
to the database, it will not start.

But if snort is not running there is no problem running barnyard2.

If you know your database is not running and you want to run barnyard2
with another set of output plugins, just comment out the database output.

And if you're trying to set up some kind of "ON BOOT" system where you
boot multiple services, you might want to let your DBMS boot up before
starting other services, or use a supervision program like DJB daemontools
(http://cr.yp.to/daemontools.html).

-elz
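The two points elz makes above, unique (hostname, interface) pairs per barnyard2 instance and a database that must be up before barnyard2 will start, can both be checked from a start-up wrapper. The script below is an added example for this thread, not barnyard2 project code or anything the posters wrote. It reads the `config hostname:`, `config interface:` and `output database:` lines of one or more barnyard2.conf files, refuses to start when two files would register the same sensor identity (which is what leads to a shared sid and colliding cids), waits for the database host/port named in the config to accept a TCP connection, and only then execs barnyard2. Assumptions: bash with `/dev/tcp` support, GNU or BSD sed/grep, the barnyard2 flags `-c`, `-d`, `-f`, `-w`, `-D`, and the `BY2_*` paths and environment variables, which are illustrative names chosen here.

```shell
#!/usr/bin/env bash
# Added example (not barnyard2 code): pre-flight checks for a barnyard2 start-up script.
#   1. Each barnyard2.conf must yield a distinct hostname/interface pair; barnyard2
#      derives its sid from that pair, so duplicates share a sid and fight over cids.
#   2. The DB named on the "output database:" line must accept TCP connections,
#      because barnyard2 will not start with that plugin enabled and no database.
# Assumptions: bash /dev/tcp, sed -E; flags -c/-d/-f/-w/-D; BY2_* names are hypothetical.

# Print VALUE of the first "config NAME: VALUE" line in FILE (empty if absent).
conf_value() {   # conf_value FILE NAME
    sed -nE "s/^[[:space:]]*config[[:space:]]+$2:[[:space:]]*([^[:space:]#]+).*/\1/p" "$1" | head -n 1
}

# Sensor identity as registered in the database: hostname/interface.
# Values not set in the file print as "-" (barnyard2 applies its own defaults for those).
sensor_key() {   # sensor_key FILE
    local host iface
    host=$(conf_value "$1" hostname)
    iface=$(conf_value "$1" interface)
    printf '%s/%s\n' "${host:--}" "${iface:--}"
}

# Return 1 if two of the given config files would register the same sensor.
check_unique_sensors() {   # check_unique_sensors FILE...
    local f key seen=""
    for f in "$@"; do
        key=$(sensor_key "$f")
        case " $seen " in
            *" $key "*) echo "duplicate sensor identity $key in $f" >&2; return 1 ;;
        esac
        seen="$seen $key"
    done
    return 0
}

# Extract PARAM=value from the "output database:" line, falling back to DEFAULT.
db_param() {   # db_param FILE PARAM DEFAULT
    local v
    v=$(grep -E '^[[:space:]]*output[[:space:]]+database:' "$1" \
        | sed -nE "s/.*[[:space:],]$2=([^[:space:],]+).*/\1/p" | head -n 1)
    printf '%s\n' "${v:-$3}"
}

# Block until HOST:PORT accepts a TCP connection; return 1 after TIMEOUT seconds.
wait_for_tcp() {   # wait_for_tcp HOST PORT TIMEOUT
    local deadline=$(( $(date +%s) + ${3:-30} ))
    while :; do
        # bash treats /dev/tcp/HOST/PORT as a socket; the redirect fails if nothing listens.
        if (exec 3<>"/dev/tcp/$1/$2") 2>/dev/null; then return 0; fi
        [ "$(date +%s)" -ge "$deadline" ] && return 1
        sleep 1
    done
}

# Run both checks for CONF (plus any sibling configs), then exec barnyard2 on CONF.
start_barnyard2() {   # start_barnyard2 CONF [OTHER_CONF...]
    local conf="$1" host port
    check_unique_sensors "$@" || return 1
    host=$(db_param "$conf" host localhost)   # mysql client default when host= is omitted
    port=$(db_param "$conf" port 3306)
    wait_for_tcp "$host" "$port" "${BY2_DB_TIMEOUT:-60}" || {
        echo "database $host:$port not reachable; not starting barnyard2" >&2; return 1; }
    exec barnyard2 -c "$conf" -d "${BY2_SPOOL_DIR:-/var/log/snort}" \
        -f "${BY2_SPOOL_BASE:-snort.u2}" -w "${BY2_WALDO:-/var/log/snort/barnyard2.waldo}" -D
}

# Launch only when BY2_CONF is set, so the file can also be sourced just for its functions.
if [ -n "${BY2_CONF:-}" ]; then
    start_barnyard2 "$BY2_CONF"
fi
```

Run it as `BY2_CONF=/etc/snort/barnyard2.conf ./by2-start.sh`; pass additional config paths to `start_barnyard2` directly when several instances live on one box, so the sensor-identity check covers all of them. Note that snort does not need to be running for any of this, only the database does.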