ERROR: database [DatabaseInitFinalize()]: CacheSynchronize() call failed ...


lucho budi

Jun 14, 2013, 8:30:55 AM
to barnyar...@googlegroups.com
Hello all, I'm having this issue and don't know how to progress.

This is the output from barnyard2 Version 2.1.12 (Build 321) DEBUG:

BARNYARD2_DEBUG=0x80000000 sudo barnyard2 -l /var/log/snort/eth0 -d /var/log/snort/eth0 -c /opt/snort/barnyard2.eth0.conf  -u snort -g snort -vvv -C /opt/snort/etc/classification.config

        --== Initializing Barnyard2 ==--
Initializing Input Plugins!
Initializing Output Plugins!
DEBUG => [Alert_FWsam](AlertFWsamSetup) Output plugin is plugged in...
Parsing config file "/opt/snort/barnyard2.eth0.conf"
Barnyard2 spooler: Event cache size set to [2048]
Log directory = /var/log/snort/eth0
INFO database: Defaulting Reconnect/Transaction Error limit to 10
INFO database: Defaulting Reconnect sleep time to 5 second
[ConvertClassificationCache()], No classification was found in the classification file,
         make sure that you have valid records in your database (sig_class) table, else this might result in complete signature logging.
Node unique name is: XXXXXXXX:eth0

database: [SynchronizeEventId()]: Problems executing [SELECT MAX(cid) FROM data WHERE sid='1';]
database: [SynchronizeEventId()]: Problems executing [SELECT MAX(cid) FROM event WHERE sid='1';]
database: [SynchronizeEventId()]: Problems executing [SELECT MAX(cid) FROM icmphdr WHERE sid='1';]
database: [SynchronizeEventId()]: Problems executing [SELECT MAX(cid) FROM iphdr WHERE sid='1';]
database: [SynchronizeEventId()]: Problems executing [SELECT MAX(cid) FROM opt WHERE sid='1';]
database: [SynchronizeEventId()]: Problems executing [SELECT MAX(cid) FROM tcphdr WHERE sid='1';]
database: [SynchronizeEventId()]: Problems executing [SELECT MAX(cid) FROM udphdr WHERE sid='1';]
[ClassificationPullDataStore()]: No Classification found in database ...

[ClassificationCacheSynchronize()]: Make sure that your (config classification_config argument in your barnyard2 configuration file) or --classification or -C argument point
         to a file containing at least some valid classification or that that your database sig_class table contain data

[CacheSynchronize()], ClassificationCacheSynchronize() call failed.
ERROR: database [DatabaseInitFinalize()]: CacheSynchronize() call failed ...
Fatal Error, Quitting..



And my configuration file:

config interface:eth0
input unified2
output database: alert, mysql, user=L0500004 dbname=snort password=XXXXXX host=localhost


And my classification.config is not empty!!!

What can I do???

beenph

Jun 14, 2013, 11:13:43 AM
to barnyar...@googlegroups.com
On Fri, Jun 14, 2013 at 8:30 AM, lucho budi <memoj...@gmail.com> wrote:
> Hello all, I'm having this issue and don't know how to progress.
>
> This is the output from barnyard2 Version 2.1.12 (Build 321) DEBUG:
>
> BARNYARD2_DEBUG=0x80000000 sudo barnyard2 -l /var/log/snort/eth0 -d
> /var/log/snort/eth0 -c /opt/snort/barnyard2.eth0.conf -u snort -g snort
> -vvv -C /opt/snort/etc/classification.config
>
> --== Initializing Barnyard2 ==--
> Initializing Input Plugins!
> Initializing Output Plugins!
> DEBUG => [Alert_FWsam](AlertFWsamSetup) Output plugin is plugged in...
> Parsing config file "/opt/snort/barnyard2.eth0.conf"
> Barnyard2 spooler: Event cache size set to [2048]
> Log directory = /var/log/snort/eth0
> INFO database: Defaulting Reconnect/Transaction Error limit to 10
> INFO database: Defaulting Reconnect sleep time to 5 second
> [ConvertClassificationCache()], No classification was found in the
> classification file,
> make sure that you have valid records in your database (sig_class)
> table, else this might result in complete signature logging.

Seems that your classification.config file is empty?

What's the content of /opt/snort/etc/classification.config?

> [ClassificationCacheSynchronize()]: Make sure that your (config
> classification_config argument in your barnyard2 configuration file) or
> --classification or -C argument point
> to a file containing at least some valid classification or that
> that your database sig_class table contain data
>
> [CacheSynchronize()], ClassificationCacheSynchronize() call failed.
> ERROR: database [DatabaseInitFinalize()]: CacheSynchronize() call failed ...
> Fatal Error, Quitting..
>

Message above is explicit....

>
> And my classification.config is not empty!!!
>
It's not empty, what's its content?

-elz

lucho budi

Jun 17, 2013, 2:26:47 AM
to barnyar...@googlegroups.com
Here you are:

cat /opt/snort/etc/classification.config

# $Id: classification.config,v 1.4 2010-04-15 19:53:02 mwatchinski Exp $
# The following includes information for prioritizing rules
#
# Each classification includes a shortname, a description, and a default
# priority for that classification.
#
# This allows alerts to be classified and prioritized.  You can specify
# what priority each classification has.  Any rule can override the default
# priority for that rule.
#
# Here are a few example rules:
#
#   alert TCP any any -> any 80 (msg: "EXPLOIT ntpdx overflow";
#       dsize: > 128; classtype:attempted-admin; priority:10;
#
#   alert TCP any any -> any 25 (msg:"SMTP expn root"; flags:A+; \
#             content:"expn root"; nocase; classtype:attempted-recon;)
#
# The first rule will set its type to "attempted-admin" and override
# the default priority for that type to 10.
#
# The second rule set its type to "attempted-recon" and set its
# priority to the default for that type.
#

#
# config classification:shortname,short description,priority
#

config classification: not-suspicious,Not Suspicious Traffic,3
config classification: unknown,Unknown Traffic,3
config classification: bad-unknown,Potentially Bad Traffic, 2
config classification: attempted-recon,Attempted Information Leak,2
config classification: successful-recon-limited,Information Leak,2
config classification: successful-recon-largescale,Large Scale Information Leak,2
config classification: attempted-dos,Attempted Denial of Service,2
config classification: successful-dos,Denial of Service,2
config classification: attempted-user,Attempted User Privilege Gain,1
config classification: unsuccessful-user,Unsuccessful User Privilege Gain,1
config classification: successful-user,Successful User Privilege Gain,1
config classification: attempted-admin,Attempted Administrator Privilege Gain,1
config classification: successful-admin,Successful Administrator Privilege Gain,1


# NEW CLASSIFICATIONS
config classification: rpc-portmap-decode,Decode of an RPC Query,2
config classification: shellcode-detect,Executable Code was Detected,1
config classification: string-detect,A Suspicious String was Detected,3
config classification: suspicious-filename-detect,A Suspicious Filename was Detected,2
config classification: suspicious-login,An Attempted Login Using a Suspicious Username was Detected,2
config classification: system-call-detect,A System Call was Detected,2
config classification: tcp-connection,A TCP Connection was Detected,4
config classification: trojan-activity,A Network Trojan was Detected, 1
config classification: unusual-client-port-connection,A Client was Using an Unusual Port,2
config classification: network-scan,Detection of a Network Scan,3
config classification: denial-of-service,Detection of a Denial of Service Attack,2
config classification: non-standard-protocol,Detection of a Non-Standard Protocol or Event,2
config classification: protocol-command-decode,Generic Protocol Command Decode,3
config classification: web-application-activity,Access to a Potentially Vulnerable Web Application,2
config classification: web-application-attack,Web Application Attack,1
config classification: misc-activity,Misc activity,3
config classification: misc-attack,Misc Attack,2
config classification: icmp-event,Generic ICMP event,3
config classification: inappropriate-content,Inappropriate Content was Detected,1
config classification: policy-violation,Potential Corporate Privacy Violation,1
config classification: default-login-attempt,Attempt to Login By a Default Username and Password,2
config classification: sdf,Sensitive Data was Transmitted Across the Network,2


Thanks!!

beenph

Jun 17, 2013, 2:37:45 AM
to barnyar...@googlegroups.com
Hi Lucho,



On Mon, Jun 17, 2013 at 2:26 AM, lucho budi <memoj...@gmail.com> wrote:
> Here you are:
>
> cat /opt/snort/etc/classification.config
>

What are the permissions of the classification path and file?

Also can you try current release 2-1.13?
https://github.com/firnsy/barnyard2/archive/master.tar.gz

lucho budi

Jun 17, 2013, 3:18:46 AM
to barnyar...@googlegroups.com
ls -la  /opt/snort/etc/classification.config

-rw-r--r--. 1 snort snort 3621 May  4 19:47 /opt/snort/etc/classification.config

Will try later the latest release.

Regards.


lucho budi

Jun 17, 2013, 6:16:46 AM
to barnyar...@googlegroups.com
With latest release can't finish "make" command.

>sudo make

make  all-recursive
make[1]: Entering directory `/home/user1/barnyard2-master/barnyard2-master'
Making all in src
make[2]: Entering directory `/home/user1/barnyard2-master/barnyard2-master/src'
Making all in sfutil
make[3]: Entering directory `/home/user1/barnyard2-master/barnyard2-master/src/sfutil'
make[3]: Nothing to be done for `all'.
make[3]: Leaving directory `/home/user1/barnyard2-master/barnyard2-master/src/sfutil'
Making all in output-plugins
make[3]: Entering directory `/home/user1/barnyard2-master/barnyard2-master/src/output-plugins'
make[3]: Nothing to be done for `all'.
make[3]: Leaving directory `/home/user1/barnyard2-master/barnyard2-master/src/output-plugins'
Making all in input-plugins
make[3]: Entering directory `/home/user1/barnyard2-master/barnyard2-master/src/input-plugins'
make[3]: Nothing to be done for `all'.
make[3]: Leaving directory `/home/user1/barnyard2-master/barnyard2-master/src/input-plugins'
make[3]: Entering directory `/home/user1/barnyard2-master/barnyard2-master/src'
gcc -DHAVE_CONFIG_H -I. -I.. -Isfutil  -DDEBUG -I/usr/include/mysql -DENABLE_MYSQL  -g -O0 -fno-strict-aliasing -Wall -c map.c
map.c: In function ‘ReadClassificationFile’:
map.c:480: error: ‘file’ undeclared (first use in this function)
map.c:480: error: (Each undeclared identifier is reported only once
map.c:480: error: for each function it appears in.)
make[3]: *** [map.o] Error 1
make[3]: Leaving directory `/home/user1/barnyard2-master/barnyard2-master/src'
make[2]: *** [all-recursive] Error 1
make[2]: Leaving directory `/home/user1/barnyard2-master/barnyard2-master/src'
make[1]: *** [all-recursive] Error 1
make[1]: Leaving directory `/home/user1/barnyard2-master/barnyard2-master'
make: *** [all] Error 2


Regards.

lucho budi

Jun 17, 2013, 6:18:57 AM
to barnyar...@googlegroups.com
I'm calling ./configure with these options.

>sudo ./configure --with-mysql --with-mysql-libraries=/usr/lib64/mysql/ --enable-debug

beenph

Jun 17, 2013, 10:35:53 AM
to barnyar...@googlegroups.com
You can either remove --enable-debug; a variable name change introduced this.

Or you can change line 480 of map.c to look like this:

DEBUG_WRAP(DebugMessage(DEBUG_MAPS, "map: opening file %s\n",
bc->class_file););

instead of

DEBUG_WRAP(DebugMessage(DEBUG_MAPS, "map: opening file %s\n", file););


-elz


lucho budi

Jun 19, 2013, 6:29:11 AM
to barnyar...@googlegroups.com
I've tried these two solutions, and again I'm receiving the first problem.


>BARNYARD2_DEBUG=0x80000000 sudo barnyard2 -l /var/log/snort/eth0 -d /var/log/snort/eth0 -c /opt/snort/barnyard2.eth0.conf  -u snort -g snort


        --== Initializing Barnyard2 ==--
Initializing Input Plugins!
Initializing Output Plugins!
DEBUG => [Alert_FWsam](AlertFWsamSetup) Output plugin is plugged in...
Parsing config file "/opt/snort/barnyard2.eth0.conf"


+[ Signature Suppress list ]+
----------------------------
+[No entry in Signature Suppress List]+
----------------------------
+[ Signature Suppress list ]+


Barnyard2 spooler: Event cache size set to [2048]
Log directory = /var/log/snort/eth0
INFO database: Defaulting Reconnect/Transaction Error limit to 10
INFO database: Defaulting Reconnect sleep time to 5 second
[ConvertClassificationCache()], No classification was found in the classification file,
         make sure that you have valid records in your database (sig_class) table, else this might result in complete signature logging.
[ClassificationPullDataStore()]: No Classification found in database ...

[ClassificationCacheSynchronize()]: Make sure that your (config classification_config argument in your barnyard2 configuration file) or --classification or -C argument point to a file containing at least some valid classification or that that your database sig_class table contain data

[CacheSynchronize()], ClassificationCacheSynchronize() call failed.
ERROR: database [DatabaseInitFinalize()]: CacheSynchronize() call failed ...
Fatal Error, Quitting..
Barnyard2 exiting
database: Closing connection to database "snort"
===============================================================================
Record Totals:
   Records:           0
   Events:           0 (0.000%)
   Packets:           0 (0.000%)
   Unknown:           0 (0.000%)
   Suppressed:           0 (0.000%)
===============================================================================
Packet breakdown by protocol (includes rebuilt packets):
      ETH: 0          (0.000%)
  ETHdisc: 0          (0.000%)
     VLAN: 0          (0.000%)
     IPV6: 0          (0.000%)
  IP6 EXT: 0          (0.000%)
  IP6opts: 0          (0.000%)
  IP6disc: 0          (0.000%)
      IP4: 0          (0.000%)
  IP4disc: 0          (0.000%)
    TCP 6: 0          (0.000%)
    UDP 6: 0          (0.000%)
    ICMP6: 0          (0.000%)
  ICMP-IP: 0          (0.000%)
      TCP: 0          (0.000%)
      UDP: 0          (0.000%)
     ICMP: 0          (0.000%)
  TCPdisc: 0          (0.000%)
  UDPdisc: 0          (0.000%)
  ICMPdis: 0          (0.000%)
     FRAG: 0          (0.000%)
   FRAG 6: 0          (0.000%)
      ARP: 0          (0.000%)
    EAPOL: 0          (0.000%)
  ETHLOOP: 0          (0.000%)
      IPX: 0          (0.000%)
    OTHER: 0          (0.000%)
  DISCARD: 0          (0.000%)
InvChkSum: 0          (0.000%)
   S5 G 1: 0          (0.000%)
   S5 G 2: 0          (0.000%)
    Total: 0
===============================================================================



Regards.

beenph

Jun 19, 2013, 11:07:07 AM
to barnyar...@googlegroups.com
On Wed, Jun 19, 2013 at 6:29 AM, lucho budi <memoj...@gmail.com> wrote:
> I've tried these two solutions, and again I'm receiving the first problem.
>
>
>>BARNYARD2_DEBUG=0x80000000 sudo barnyard2 -l /var/log/snort/eth0 -d
>> /var/log/snort/eth0 -c /opt/snort/barnyard2.eth0.conf -u snort -g snort
>
Did you forget to add the classification file path as an argument when
testing the last time?

-C /opt/snort/etc/classification.config ?

Note that you can also add the classification file to the configuration file.

config classification_config /opt/snort/etc/classification.config

-elz

lucho budi

Jun 20, 2013, 6:44:43 AM
to barnyar...@googlegroups.com
oops!!! but now I have tried with the -C option and get the same result.

Why is it telling me this???


DEBUG => [Alert_FWsam](AlertFWsamSetup) Output plugin is plugged in...

I will try to see what are the queries done to the database.

thanks for your efforts!!!






lucho budi

Jun 20, 2013, 7:59:22 AM
to barnyar...@googlegroups.com
This is the mysqld.log when I start barnyard2:

/usr/libexec/mysqld, Version: 5.1.61 (Source distribution). started with:
Tcp port: 3306  Unix socket: /var/lib/mysql/mysql.sock
Time                 Id Command    Argument
130620 13:53:04    10 Connect   LES051900004@localhost on snort
                   10 Query     set autocommit=0
                   10 Query     SELECT vseq FROM `schema`
                   10 Query     SELECT sid   FROM sensor  WHERE hostname = 'LES051900004:eth0'    AND interface = 'eth0'    AND detail = 1    AND encoding = 0    AND filter IS NULL
                   10 Query     SELECT last_cid   FROM sensor  WHERE sid = 1
                   10 Query     SELECT MAX(cid) FROM data WHERE sid='1'
                   10 Query     SELECT MAX(cid) FROM event WHERE sid='1'
                   10 Query     SELECT MAX(cid) FROM icmphdr WHERE sid='1'
                   10 Query     SELECT MAX(cid) FROM iphdr WHERE sid='1'
                   10 Query     SELECT MAX(cid) FROM opt WHERE sid='1'
                   10 Query     SELECT MAX(cid) FROM tcphdr WHERE sid='1'
                   10 Query     SELECT MAX(cid) FROM udphdr WHERE sid='1'
                   10 Query     BEGIN
                   10 Query     UPDATE sensor SET last_cid = 8 WHERE sid = 1
                   10 Query     COMMIT
                   10 Query     SELECT last_cid   FROM sensor  WHERE sid = 1
                   10 Query     SELECT sig_class_id, sig_class_name FROM sig_class ORDER BY sig_class_id ASC
                   10 Query     BEGIN
                   10 Query     UPDATE sensor SET last_cid = 7 WHERE sid = 1
                   10 Query     COMMIT
                   10 Quit


I supposed barnyard2 must fill table sig_class first, isn't it?


lucho budi

Jun 24, 2013, 5:54:06 AM
to barnyar...@googlegroups.com
Eric, I have seen that my errors disappear when adding the config directives in the barnyard2 conf file.

config classification_file: /opt/snort/etc/classification.config
config reference_file:      /opt/snort/etc/reference.config
config gen_file:            /opt/snort/etc/gen-msg.map
config sid_file:            /opt/snort/etc/sid-msg.map

I think something is not working well when giving barnyard2 those parameters in command line.

Thanks for your help, I will try this on my other snorts.
Regards.
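
A pre-flight check for the failure discussed in this thread, added here as an example (it is not part of the original posts and is not barnyard2's own parser). It counts the entries in a classification.config that match the format given in that file's header comment, and reports which of the four map-file directives from the last post are absent from a barnyard2 conf. The function names, regular expressions and sample inputs are assumptions constructed for illustration.

```python
import re

# Line format taken from the header comment of the posted file:
#   config classification:shortname,short description,priority
CLASS_RE = re.compile(r"^config\s+classification:\s*([^,]+),(.+),\s*(\d+)$")
# Directive names exactly as written in the last post of the thread.
MAP_KEYS = ("classification_file", "reference_file", "gen_file", "sid_file")
DIRECTIVE_RE = re.compile(r"^config\s+(\w+):\s*(\S+)$")

def parse_classifications(text):
    """Split classification.config text into parsed entries and rejected lines."""
    entries, rejected = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and comments carry no classification
        m = CLASS_RE.match(line)
        if m:
            entries.append((m.group(1).strip(), m.group(2).strip(), int(m.group(3))))
        else:
            rejected.append((lineno, line))
    return entries, rejected

def map_directives(conf_text):
    """Return {directive: path} for map-file directives in a barnyard2 conf."""
    found = {}
    for raw in conf_text.splitlines():
        m = DIRECTIVE_RE.match(raw.strip())
        if m and m.group(1) in MAP_KEYS:
            found[m.group(1)] = m.group(2)
    return found

def missing_directives(conf_text):
    """List the map-file directives the conf does not set."""
    return [k for k in MAP_KEYS if k not in map_directives(conf_text)]

# Constructed sample: three lines from the posted file plus one broken entry.
SAMPLE_CLASSIFICATION = """\
# config classification:shortname,short description,priority
config classification: not-suspicious,Not Suspicious Traffic,3
config classification: bad-unknown,Potentially Bad Traffic, 2
config classification: attempted-admin,Attempted Administrator Privilege Gain,1
config classification: broken-entry,Missing priority field
"""
# The conf layout from the first post, with placeholder credentials.
SAMPLE_CONF = """\
config interface:eth0
input unified2
output database: alert, mysql, user=EXAMPLE dbname=snort password=XXXXXX host=localhost
"""

if __name__ == "__main__":
    print(parse_classifications(SAMPLE_CLASSIFICATION))
    print("missing:", missing_directives(SAMPLE_CONF))
```

To check real files, read them as the account barnyard2 drops to with -u and -g (snort in this thread), so that a permission problem shows up as a read error rather than as an empty result.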