June 7th, 2005 08:22 PM
Barnyard and Snort help
I am at a loss here. I've searched seemingly every internet forum for answers, looked at every FAQ imaginable, but still cannot find an answer...please help, I'm pulling out my hair!
I am trying to set up a snort box with barnyard, but cannot get barnyard to run. Part of my problem stems from a fundamental misunderstanding of what exactly barnyard is doing. I'm trying to log traffic in binary mode in order to um...well I don't even know why I'm doing this anymore (my mind hurts). Here is the error I'm running into when I try to run barnyard.
WARNING /etc/barnyard/barnyard.conf(126) => Unknown output plugin "alert_acid_db" referenced, ignoring!Fatal Error, Quitting..
What is it I'm trying to do, you ask? Well that's a good question and I'm not sure even *I* know what I'm trying to do anymore LOL.
I want to be able to see all traffic (I've already got this worked out) and with that traffic, I want to be able to see a list of originating/destination IPs....more specifically a list of the most used destination and originating ports/IPs. I also want to take advantage of Snort's alerting capabilities and have installed ACID to analyze alerts.
Well, I have MySQL set up to log all this stuff, but, again, my mind is numb and I seemingly can't get anything to show up on the ACID page.
I hope that the above is somewhat coherent....like I said, my mind is numb, I'm going on little sleep, and I'm pulling my hair out because I really want to get this working. HELP PLEASE
Blankety Blank Blank Blank!
June 7th, 2005 08:43 PM
It's been a while since I set up barnyard, but I did a quick google and found
This shows the necessary settings in the barnyard.conf and snort.conf files and the command lines needed to start it.
edit: found another good looking guide at http://www.giac.org/certified_profes.../gsec/4334.php
June 7th, 2005 08:44 PM
I've never used Barnyard but I would check the Snort.conf file and the Barnyard.conf, (or its equivalent), and look for the output plugins section, (section 3 in Snort.conf), and look for an output statement "alert_acid_db".
I've never seen that in Snort so I would suggest it's a barnyard error. All you need to do is comment it out with a "#" if barnyard commenting is the same as Snort. What this will do is prevent you from sending any output of Barnyard to an ACID/MySQL database, (I think). This probably won't cause other issues; since it doesn't work with it in place, it probably won't bother if it isn't there.
Don't SYN us.... We'll SYN you.....
"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides
June 8th, 2005 12:03 AM
miracle, how is that line formatted in your barnyard.conf?
It should look like this:
output log_acid_db: mysql, database your_snort_db_name, server localhost, user your_db_user, password your_password, detail full
You can also use output alert_acid_db:
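Added example, not from this thread: a small Python checker that parses barnyard.conf output lines in the format shown above and reports, before barnyard is started, the two things it would otherwise only complain about at start-up: an output plugin name it does not know, and an acid_db line missing its database fields. The plugin list and the field names are assumed from barnyard 0.2; the sample config is constructed.

```python
import re
# Output plugins shipped with barnyard 0.2 (assumed list); the *_acid_db
# plugins only exist if barnyard was built with database support.
KNOWN_PLUGINS = {"alert_fast", "alert_csv", "alert_syslog", "log_dump",
                 "log_pcap", "alert_acid_db", "log_acid_db"}
ACID_DB_REQUIRED = ("database", "server", "user", "password")
OUTPUT_RE = re.compile(r"^output\s+(\S+?)\s*:\s*(.*)$")

def parse_output_line(line):
    """Split 'output <plugin>: <args>' into (plugin, {key: value}) or None."""
    m = OUTPUT_RE.match(line.strip())
    if not m:
        return None
    plugin, rest = m.group(1), m.group(2)
    fields = {}
    for i, tok in enumerate(t.strip() for t in rest.split(",")):
        if not tok:
            continue
        parts = tok.split(None, 1)
        # For the acid_db plugins the first bare token is the DB type (e.g. mysql).
        if i == 0 and len(parts) == 1 and plugin.endswith("_acid_db"):
            fields["type"] = parts[0]
        else:
            fields[parts[0]] = parts[1] if len(parts) == 2 else ""
    return plugin, fields

def check_config(text):
    """Return [(line_no, message)] for output lines barnyard would reject."""
    problems = []
    for no, line in enumerate(text.splitlines(), 1):
        if not line.lstrip().startswith("output"):
            continue
        parsed = parse_output_line(line)
        if parsed is None:
            problems.append((no, "malformed output line"))
        elif parsed[0] not in KNOWN_PLUGINS:
            problems.append((no, f'unknown output plugin "{parsed[0]}"'))
        elif parsed[0].endswith("_acid_db"):
            missing = [k for k in ACID_DB_REQUIRED if k not in parsed[1]]
            if missing:
                problems.append((no, f"{parsed[0]}: missing {', '.join(missing)}"))
    return problems

# Constructed barnyard.conf excerpt: one good DB line, one incomplete, one misspelt.
SAMPLE = """\
output alert_fast: /var/log/snort/alert.fast
output log_acid_db: mysql, database snort, server localhost, user snort, password secret, detail full
output alert_acid_db: mysql, database snort, server localhost
output alert_acid_bd: mysql, database snort, server localhost, user snort, password secret
"""
```

Running `check_config` on the sample flags line 3 (missing user and password) and line 4 (misspelt plugin name), the same class of problem as the "Unknown output plugin" error quoted in the first post.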
June 8th, 2005 06:05 PM
The barnyard.conf file is configured correctly as far as I can tell. However, I do not see a log_acid_db table in the snort database, which I am assuming is the problem?
I guess the bigger issue is this: I am trying to use barnyard because when I try to log packets directly into the SQL database, I am getting about 2% of packets dropped. Is this normal? This box isn't that beefy...it's like a P3 with 192MB RAM....will boosting the RAM or proc. speed help?
From what I understood, barnyard worked alongside snort by having snort log packets into a binary and barnyard doing the database processing. This was supposed to help with the overhead generated by snort. Am I correct in my thinking here?
Blankety Blank Blank Blank!
June 8th, 2005 06:56 PM
It's my understanding that there is no performance boost if both pieces are running on the same box. You're still using the same amount of total processing.