Snort - Barnyard2 not working
-
I just upgraded my box in order to get the new SNORT working and that went off without a hitch. However, Barnyard2 does not work anymore.
I receive the errors:
barnyard2[29422]: WARNING: Unable to open waldo file '/usr/local/etc/snort/snort_9867_fxp0/barnyard2.waldo' (No such file or directory)
barnyard2[29422]: ERROR: Unable to open directory '' (No such file or directory)
barnyard2[29422]: ERROR: Unable to find the next spool file!Any ideas? It worked prior to the upgrade
-
Do this in the terminal
touch /usr/local/etc/snort/snort_9867_fxp0/barnyard2.waldo
chown snort:snort /usr/local/etc/snort/snort_9867_fxp0/barnyard2.waldo -
I did that and now it throws the error:
barnyard2[46672]: WARNING: Ignoring corrupt/truncated waldofile '/usr/local/etc/snort/snort_9867_fxp0/barnyard2.waldo'
Then the other two errors… I did check the directory and the file is there, 0 bytes, but it's there. Do I need to put anything in that file?
-
I saw the bug for barnyard, wasn't sure how to get around it.
I did check the running processes and barnyard2 is not running.
I do already have 30008 records in my data file, so would I need to put anything in the waldo file?
-
I did that and now it throws the error:
barnyard2[46672]: WARNING: Ignoring corrupt/truncated waldofile '/usr/local/etc/snort/snort_9867_fxp0/barnyard2.waldo'
Then the other two errors… I did check the directory and the file is there, 0 bytes, but it's there. Do I need to put anything in that file?
Same result here, latest snort 2.8.5.3 pkg v. 1.21 under pfSense 1.2.3-RELEASE
-
I've got a solution on how to get Barnyard2 write and use the waldo file again. When Snort is running just log into the ssh shell and start Barnyard2 with the following command:
/usr/local/bin/barnyard2 -f snort_{id}_{iface}.u2 -u snort -g snort -c /usr/local/etc/snort/snort_{id}_{iface}/barnyard2.conf -w /usr/local/etc/snort/snort_{id}_{iface}/barnyard2.waldo -d /var/log/snortRemember to fill the {id} and {iface} fields correctly. If everything goes well, there will read "Waiting for new data…". Now stop Barnyard using Ctrl+c and restart Snort normally from the web interface.
-
That worked great! Thank you! ;D
-
Perfect! Thanks again!
-LiGHT
-
Tonight I installed the latest version of Snort 2.8.5.3 pkg v. 1.22 package on pfSense1.2.3-RELEASE and it looks like Barnyard2 wont start. I followed the workarounds which worked on the prior version but on the current version it fails. As you can see below it throws an error about not being able to open the waldo file. Any help would be great.
Thanks Again!
# pwd /usr/local/etc/snort/snort_42641_fxp0 # ls -al barnyard2.waldo -rw-rw---- 1 snort snort 0 Apr 24 20:57 barnyard2.waldo # /usr/local/bin/barnyard2 -f snort_42641_fxp0.u2 -u snort -g snort -c /usr/local/etc/snort/snort_42641_fxp0/barnyard2.conf -w /usr/local/etc/snort/snort_42641_fxp0/barnyard2.waldo -d /var/log/snort Running in Continuous mode --== Initializing Barnyard2 ==-- Initializing Input Plugins! Initializing Output Plugins! Parsing config file "/usr/local/etc/snort/snort_42641_fxp0/barnyard2.conf" Log directory = /var/log/snort database: compiled support for (mysql) database: configured to use mysql database: schema version = 107 database: host = 10.7.7.5 database: user = snort database: database name = snort database: sensor name = resistance.quantum.local:42641_fxp0 database: sensor id = 17 database: data encoding = hex database: detail level = full database: ignore_bpf = no database: using the "log" facility --== Initialization Complete ==-- ______ -*> Barnyard2 <*- / ,,_ \ Version 2.1.8 (Build 251) |o" )~| By the SecurixLive.com Team: http://www.securixlive.com/about.php + '''' + (C) Copyright 2008-2010 SecurixLive. Snort by Martin Roesch & The Snort Team: http://www.snort.org/team.html (C) Copyright 1998-2007 Sourcefire Inc., et al. Built Date for Barnyard2 on Pfsense 1.2.3 is March 8 2010. ___ Orion IPS Output Code Copyright (C) 2009-2010 Robert Zelaya. ___/ f \ / p \___/ Sense \___/ \ \___/ Built with Mysql SSL support. WARNING: Unable to open waldo file '/usr/local/etc/snort/snort_42641_fxp0/barnyard2.waldo' (Permission denied) Opened spool file '/var/log/snort/snort_42641_fxp0.u2.1272156291' Waiting for new data -
I was beginning to suspect the parent folder permissions were to blame, your suggestion worked. James do you take paypal donations?
-LiGHT
-
Humm… so off the command line everything works fine. However, when I launch the given snort instance from the web gui I find that it re-sets the permissions on the given folder ( snort_42641_fxp0) which causes Barnyard2 to fail.
Before:
# pwd /usr/local/etc/snort/snort_42641_fxp0 # ls -al total 4610 drwxr-xr-x 3 snort snort 512 Apr 25 17:30 . drwxrwx--- 8 snort snort 1024 Apr 25 00:03 .. -rwxr-xr-x 1 snort snort 2086 Apr 25 17:37 barnyard2.conf -rwxr-xr-x 1 snort snort 2056 Apr 25 17:39 barnyard2.waldo -rwxr-xr-x 1 snort snort 3547 Apr 24 18:55 classification.config -rwxr-xr-x 1 snort snort 12103 Apr 24 18:55 gen-msg.map -rwxr-xr-x 1 snort snort 2060 Apr 24 18:55 generators -rwxr-xr-x 1 snort snort 359 Apr 24 18:55 oinkmaster_42641_fxp0.conf -rwxr-xr-x 1 snort snort 608 Apr 24 18:55 reference.config drwxr-xr-x 2 snort snort 3584 Apr 24 18:55 rules -rwxr-xr-x 1 snort snort 5 Apr 24 18:55 sid -rwxr-xr-x 1 snort snort 4572178 Apr 24 18:55 sid-msg.map -rwxr-xr-x 1 snort snort 14284 Apr 25 17:37 snort.conf -rwxr-xr-x 1 snort snort 3384 Apr 24 21:05 threshold.conf -rwxr-xr-x 1 snort snort 53841 Apr 24 18:55 unicode.mapAfter a Snort restart:
# ls -al total 4610 drw-rw---- 3 snort snort 512 Apr 25 17:30 . drwxrwx--- 8 snort snort 1024 Apr 25 00:03 .. -rw-rw---- 1 snort snort 2086 Apr 25 17:44 barnyard2.conf -rw-rw---- 1 snort snort 2056 Apr 25 17:39 barnyard2.waldo -rw-rw---- 1 snort snort 3547 Apr 24 18:55 classification.config -rw-rw---- 1 snort snort 12103 Apr 24 18:55 gen-msg.map -rw-rw---- 1 snort snort 2060 Apr 24 18:55 generators -rw-rw---- 1 snort snort 359 Apr 24 18:55 oinkmaster_42641_fxp0.conf -rw-rw---- 1 snort snort 608 Apr 24 18:55 reference.config drw-rw---- 2 snort snort 3584 Apr 24 18:55 rules -rw-rw---- 1 snort snort 5 Apr 24 18:55 sid -rw-rw---- 1 snort snort 4572178 Apr 24 18:55 sid-msg.map -rw-rw---- 1 snort snort 14284 Apr 25 17:44 snort.conf -rw-rw---- 1 snort snort 3384 Apr 24 21:05 threshold.conf -rw-rw---- 1 snort snort 53841 Apr 24 18:55 unicode.map -
I was able to get Barnyard2 running but i had to create the .waldo file described above. I then had to start barnyard2…
# /usr/local/bin/barnyard2 -f snort_46218_fxp0.u2 -u snort -g snort -c /usr/local/etc/snort/snort_46218_fxp0/barnyard2.conf -w /usr/local/etc/snort/snort_46218_fxp0/barnyard2.waldo -d /var/log/snort WARNING: Ignoring corrupt/truncated waldofile '/usr/local/etc/snort/snort_46218_fxp0/barnyard2.waldo'This did not help matters, and restarting snort would not bring barnyard2 into an operational state. On a hunch I started snort, then stated barnyard2 manually. At this time I ran a port scan (Shields Up) to initiate a snort alert, this caused barnyard2 to write the barnyard2.waldo file. Once this was done, I was able to restart snort and barnyard2 was started as well.
LiGHTENUP
-
I was able to get Barnyard2 running but i had to create the .waldo file described above. I then had to start barnyard2…
# /usr/local/bin/barnyard2 -f snort_46218_fxp0.u2 -u snort -g snort -c /usr/local/etc/snort/snort_46218_fxp0/barnyard2.conf -w /usr/local/etc/snort/snort_46218_fxp0/barnyard2.waldo -d /var/log/snort WARNING: Ignoring corrupt/truncated waldofile '/usr/local/etc/snort/snort_46218_fxp0/barnyard2.waldo'This did not help matters, and restarting snort would not bring barnyard2 into an operational state. On a hunch I started snort, then stated barnyard2 manually. At this time I ran a port scan (Shields Up) to initiate a snort alert, this caused barnyard2 to write the barnyard2.waldo file. Once this was done, I was able to restart snort and barnyard2 was started as well.
LiGHTENUP
Im working on it…
-
James,
After reading my last post it might have come off a bit accusatory, that was not my intent at all. Thanks for all your work, I was just posting the work around I found in an effort to help others out there.