Well you have to generate event for barnyard2 to process them.

The first step would be to check that snort is actually generating event
and writing to unified2 file.

Everytime snort start it or reach unified2 configured limit it will create
a new unified2 file, but if the processed unified2 files do not contain any
event,
barnyard2 can't produce output since its processing empty input.

On Mon, Apr 8, 2013 at 12:54 PM, LorenzoLolli [email protected]:

Greetings,

I'm setting up a fresh installation with snort, barnyard2 and snorby.
Actually I've snort up & running with unified log, and barnyard2 seems to
read them, but it does not produce any output. This is my configuration:

barnyard2.conf
#this is for debugging purpose
output alert_fast: /var/log/snort/alert_barnyard2,stdout
this is the output tu mysql, for snorby

output database: log, mysql, user=snorby password=password dbname=snorby
host=localhost

and I run barnyard this way:
barnyard2 -c /etc/snort/barnyard.conf -d /var/log/snort -f snort.log -w
/var/log/snort/snort.log

Running in Continuous mode

--== Initializing Barnyard2 ==--

Initializing Input Plugins!
Initializing Output Plugins!
Parsing config file "/etc/snort/barnyard.conf"
Log directory = /var/log/barnyard2
No arguments to alert_syslog preprocessor!
database: compiled support for (mysql)
database: configured to use mysql
database: schema version = 107
database: host = localhost
database: user = snorby
database: database name = snorby
database: sensor name = provincia-ids:NULL
database: sensor id = 1
database: sensor cid = 1
database: data encoding = hex
database: detail level = full
database: ignore_bpf = no
database: using the "log" facility

--== Initialization Complete ==--

______ -> Barnyard2 <-
/ ,,_ \ Version 2.1.9 (Build 263)
|o" )~| By the SecurixLive.com Team: http://www.securixlive.com/about.php

'''' + (C) Copyright 2008-2010 SecurixLive.

  Snort by Martin Roesch & The Snort Team: http://www.snort.org/team.html
  (C) Copyright 1998-2007 Sourcefire Inc., et al.

Using waldo file '/var/log/snort/snort.log':
spool directory = /var/log/snort
spool filebase = snort.log
time_stamp = 1365436206
record_idx = 131269
Opened spool file '/var/log/snort/snort.log.1365436206'
Waiting for new data

I cannot figure out what is wrong here, can you help me please?

Best regards,
Lorenzo

—
Reply to this email directly or view it on GitHubhttps://github.com//issues/78
.

from barnyard2.

Hello Binf, thank you for your help. Actually the unified log is growing so it seems that snort it is working correctly. BTW, I've done some portscan to create something for snort to report.
Stopping barnyarnd I get:

C===============================================================================
Record Totals:
Records: 2614314
Events: 0 (0.000%)

Packets: 2614314 (100.000%)

Packet breakdown by protocol (includes rebuilt packets):
ETH: 2614314 (100.000%)
ETHdisc: 0 (0.000%)
VLAN: 0 (0.000%)
IPV6: 0 (0.000%)
IP6 EXT: 0 (0.000%)
IP6opts: 0 (0.000%)
IP6disc: 0 (0.000%)
IP4: 2614314 (100.000%)
IP4disc: 0 (0.000%)
TCP 6: 0 (0.000%)
UDP 6: 0 (0.000%)
ICMP6: 0 (0.000%)
ICMP-IP: 0 (0.000%)
TCP: 5658 (0.216%)
UDP: 0 (0.000%)
ICMP: 2608656 (99.784%)
TCPdisc: 0 (0.000%)
UDPdisc: 0 (0.000%)
ICMPdis: 0 (0.000%)
FRAG: 0 (0.000%)
FRAG 6: 0 (0.000%)
ARP: 0 (0.000%)
EAPOL: 0 (0.000%)
ETHLOOP: 0 (0.000%)
IPX: 0 (0.000%)
OTHER: 0 (0.000%)
DISCARD: 0 (0.000%)
InvChkSum: 0 (0.000%)
S5 G 1: 0 (0.000%)
S5 G 2: 0 (0.000%)

Total: 2614314

So it seems that there is traffic, and some of it should generate report on snorby. There is any other way I can check it?

Best regards,
Lorenzo

from barnyard2.

Please use the barnyard2-users google group.

Github is not as indexed as the mailing list and im sure you could find
your answer by looking at people who have encountered similar issue on the
mailing list.

if not.

Post your snort command line to the mailing list.

You can also use u2spewfoo to see of your actually generating a unified2
file.

etc...

On Tue, Apr 9, 2013 at 3:06 AM, LorenzoLolli [email protected]:

Hello Binf, thank you for your help. Actually the unified log is growing
so it seems that snort it is working correctly. BTW, I've done some
portscan to create something for snort to report.
Stopping barnyarnd I get:

C===============================================================================
Record Totals:
Records: 2614314
Events: 0 (0.000%)
Packets: 2614314 (100.000%)

Packet breakdown by protocol (includes rebuilt packets):
ETH: 2614314 (100.000%)
ETHdisc: 0 (0.000%)
VLAN: 0 (0.000%)
IPV6: 0 (0.000%)
IP6 EXT: 0 (0.000%)
IP6opts: 0 (0.000%)
IP6disc: 0 (0.000%)
IP4: 2614314 (100.000%)
IP4disc: 0 (0.000%)
TCP 6: 0 (0.000%)
UDP 6: 0 (0.000%)
ICMP6: 0 (0.000%)
ICMP-IP: 0 (0.000%)
TCP: 5658 (0.216%)
UDP: 0 (0.000%)
ICMP: 2608656 (99.784%)
TCPdisc: 0 (0.000%)
UDPdisc: 0 (0.000%)
ICMPdis: 0 (0.000%)
FRAG: 0 (0.000%)
FRAG 6: 0 (0.000%)
ARP: 0 (0.000%)
EAPOL: 0 (0.000%)
ETHLOOP: 0 (0.000%)
IPX: 0 (0.000%)
OTHER: 0 (0.000%)
DISCARD: 0 (0.000%)
InvChkSum: 0 (0.000%)
S5 G 1: 0 (0.000%)
S5 G 2: 0 (0.000%)
Total: 2614314

So it seems that there is traffic, and some of it should generate report
on snorby. There is any other way I can check it?

Best regards,
Lorenzo

—
Reply to this email directly or view it on GitHubhttps://github.com//issues/78#issuecomment-16097472
.

from barnyard2.

Ok Binf, I will ask to barnyard2-users google group.

Best regards,
Lorenzo

from barnyard2.