-
Barnyard and Snort help
I am at a loss here. I've searched seemingly every internet forum for answers, looked at every FAQ imaginable, but still cannot find an answer...please help, I'm pulling out my hair!
I am trying to set up a snort box with barnyard, but cannot get barnyard to run. Part of my problem stems from a fundamental misunderstanding of what exactly barnyard is doing. I'm trying to log traffic in binary mode in order to um...well I don't even know why I'm doing this anymore (my mind hurts). Here is the error I'm running into when I try to run barnyard.
WARNING /etc/barnyard/barnyard.conf(126) => Unknown output plugin "alert_acid_db" referenced, ignoring!
Fatal Error, Quitting..
What is it I'm trying to do, you ask? Well that's a good question and I'm not sure even *I* know what I'm trying to do anymore LOL.
I want to be able to see all traffic (I've already got this worked out) and with that traffic, I want to be able to see a list of originating/destination IPs....more specifically a list of the most used destination and originating ports/IPs. I also want to take advantage of Snort's alerting capabilities and have installed ACID to analyze alerts.
Well, I have MySQL set up to log all this stuff, but, again, my mind is numb and I seemingly can't get anything to show up on the ACID page.
I hope that the above is somewhat coherent....like I said, my mind is numb, I'm going on little sleep, and I'm pulling my hair out because I really want to get this working. HELP PLEASE :)
-
It's been a while since I set up a barnyard, but I did a quick Google and found
http://www.mcabee.org/lists/snort-us.../msg00311.html
This shows the necessary settings in the barnyard.conf and snort.conf files and the command lines needed to start it.
edit: found another good looking guide at http://www.giac.org/certified_profes.../gsec/4334.php
-
I've never used Barnyard but I would check the snort.conf file and the barnyard.conf (or its equivalent), look for the output plugins section (section 3 in snort.conf), and look for an output statement "alert_acid_db".
I've never seen that in Snort so I would suggest it's a barnyard error. All you need to do is comment it out with a "#" if barnyard commenting is the same as Snort. What this will do is prevent you from sending any output of Barnyard to an ACID/MySQL database (I think). This probably won't cause other issues: since it doesn't work with it in place, it probably won't bother if it isn't there.
-
miracle, how is that line formatted in your barnyard.conf?
It should look like this:
output log_acid_db: mysql, database your_snort_db_name, server localhost, user your_db_user, password your_password, detail full
You can also use output alert_acid_db:
-
The barnyard.conf file is configured correctly as far as I can tell. However, I do not see a log_acid_db table in the snort database, which I am assuming is the problem?
I guess the bigger issue is this: I am trying to use barnyard because when I try to log packets directly into the SQL database, I am getting about 2% of packets dropped. Is this normal? This box isn't that beefy...it's like a P3 with 192MB RAM....will boosting the RAM or proc. speed help?
From what I understood, barnyard worked alongside snort by having snort log packets into a binary and barnyard doing the database processing. This was supposed to help with the overhead generated by snort. Am I correct in my thinking here?
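Added example, not from any of the posters in this thread: a small POSIX shell script that checks a snort.conf/barnyard.conf pair for the two things the posts above turn on, namely that snort.conf actually writes the unified binary spool files barnyard consumes, and that every "output" line in barnyard.conf names a plugin barnyard can be expected to know. The plugin lists are assumptions about a classic barnyard 0.2.x build (alert_acid_db and log_acid_db are assumed to exist only when barnyard was configured with --enable-mysql or --enable-postgres, which is the usual reason a correctly written line is reported as "Unknown output plugin"); the sample configs are constructed for the demo, and the file names and the hypothetical log_acid_bd typo are invented.

```shell
#!/bin/sh
# Added example (not from the thread): sanity-check a snort.conf /
# barnyard.conf pair before starting barnyard. Assumes the barnyard 0.2.x
# config syntax "output <plugin>: <args>" and snort 2.x unified output.
set -u

# Output plugins assumed to be present in every barnyard 0.2.x build.
BASE_PLUGINS="alert_fast log_dump alert_csv log_pcap alert_syslog sguil"
# Plugins assumed to exist only when barnyard was configured with
# --enable-mysql or --enable-postgres; a build without that support
# reports them as "Unknown output plugin" even though the name is right.
DB_PLUGINS="alert_acid_db log_acid_db"

# Print the plugin name of every "output" line in a config, one per line.
list_output_plugins() {
    awk '$1 == "output" { split($2, a, ":"); print a[1] }' "$1"
}

# Membership test for the space-separated lists above: in_list NAME LIST
in_list() {
    case " $2 " in *" $1 "*) return 0 ;; esac
    return 1
}

# Classify each referenced plugin; return 1 if any name is unrecognised.
check_barnyard_conf() {
    rc=0
    for p in $(list_output_plugins "$1"); do
        if in_list "$p" "$DB_PLUGINS"; then
            echo "$p: valid, but needs barnyard built with database support"
        elif in_list "$p" "$BASE_PLUGINS"; then
            echo "$p: ok"
        else
            echo "$p: unknown plugin"
            rc=1
        fi
    done
    return $rc
}

# barnyard reads snort's unified binary spool files, so snort.conf must
# produce them (alert_unified and/or log_unified) or barnyard has no input.
snort_has_unified_output() {
    grep -Eq '^output[[:space:]]+(alert_unified|log_unified)' "$1"
}

# Write constructed sample configs into a temp dir and print its path.
make_sample_configs() {
    dir=$(mktemp -d)
    cat > "$dir/snort.conf" <<'EOF'
# constructed sample: snort writes unified spool files for barnyard
output alert_unified: filename snort.alert, limit 128
output log_unified: filename snort.log, limit 128
EOF
    cat > "$dir/barnyard.conf" <<'EOF'
# constructed sample barnyard.conf
config daemon
output alert_fast
output log_acid_db: mysql, database snort, server localhost, user snort, password secret, detail full
EOF
    cat > "$dir/bad.conf" <<'EOF'
# constructed sample with a typo in the plugin name
output log_acid_bd: mysql, database snort, server localhost, user snort, password secret
EOF
    echo "$dir"
}

# Stand-alone demo over the constructed configs.
dir=$(make_sample_configs)
snort_has_unified_output "$dir/snort.conf" && echo "snort.conf: unified output present"
check_barnyard_conf "$dir/barnyard.conf"
check_barnyard_conf "$dir/bad.conf" || echo "bad.conf: fix plugin names before starting barnyard"
rm -rf "$dir"
```

If the checker reports a log_acid_db/alert_acid_db line as valid but barnyard still prints "Unknown output plugin", the config is not the problem; check how the barnyard binary was built (configure output or the plugin list in its --help) rather than editing barnyard.conf further.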
-
It's my understanding that there is no performance boost if both pieces are running on the same box. You're still using the same amount of total processing.