Netgate Discussion Forum

    Snort - Barnyard2 not working

    14 Posts 4 Posters 31.7k Views
    • jaysonr

      I did that and now it throws the error:

      barnyard2[46672]: WARNING: Ignoring corrupt/truncated waldofile '/usr/local/etc/snort/snort_9867_fxp0/barnyard2.waldo'

      Then the other two errors…  I did check the directory and the file is there, 0 bytes, but it's there.  Do I need to put anything in that file?

    • jaysonr

        I saw the bug for barnyard, wasn't sure how to get around it.

        I did check the running processes and barnyard2 is not running.

        I do already have 30008 records in my data file, so would I need to put anything in the waldo file?

    • lightenup

          @jaysonr:

          I did that and now it throws the error:

          barnyard2[46672]: WARNING: Ignoring corrupt/truncated waldofile '/usr/local/etc/snort/snort_9867_fxp0/barnyard2.waldo'

          Then the other two errors…  I did check the directory and the file is there, 0 bytes, but it's there.  Do I need to put anything in that file?

          Same result here, latest snort 2.8.5.3 pkg v. 1.21 under pfSense 1.2.3-RELEASE

    • Jare

            I've got a solution for how to get Barnyard2 to write and use the waldo file again. While Snort is running, log into the SSH shell and start Barnyard2 with the following command:

            /usr/local/bin/barnyard2 -f snort_{id}_{iface}.u2 -u snort -g snort -c /usr/local/etc/snort/snort_{id}_{iface}/barnyard2.conf -w /usr/local/etc/snort/snort_{id}_{iface}/barnyard2.waldo -d /var/log/snort
            

            Remember to fill in the {id} and {iface} fields correctly. If everything goes well, it will print "Waiting for new data…". Now stop Barnyard2 with Ctrl+C and restart Snort normally from the web interface.

    • jaysonr

              That worked great!  Thank you!  ;D

    • lightenup

                Perfect! Thanks again!

                -LiGHT

    • lightenup

                  Tonight I installed the latest version of the Snort 2.8.5.3 pkg v. 1.22 package on pfSense 1.2.3-RELEASE and it looks like Barnyard2 won't start. I followed the workarounds which worked on the prior version, but on the current version it fails. As you can see below, it throws an error about not being able to open the waldo file. Any help would be great.

                  Thanks Again!

                  
                  # pwd
                  /usr/local/etc/snort/snort_42641_fxp0
                  
                  # ls -al barnyard2.waldo
                  -rw-rw----  1 snort  snort  0 Apr 24 20:57 barnyard2.waldo
                  
                  # /usr/local/bin/barnyard2 -f snort_42641_fxp0.u2 -u snort -g snort -c /usr/local/etc/snort/snort_42641_fxp0/barnyard2.conf -w /usr/local/etc/snort/snort_42641_fxp0/barnyard2.waldo -d /var/log/snort
                  Running in Continuous mode
                  
                          --== Initializing Barnyard2 ==--
                  Initializing Input Plugins!
                  Initializing Output Plugins!
                  Parsing config file "/usr/local/etc/snort/snort_42641_fxp0/barnyard2.conf"
                  Log directory = /var/log/snort
                  database: compiled support for (mysql)
                  database: configured to use mysql
                  database: schema version = 107
                  database:           host = 10.7.7.5
                  database:           user = snort
                  database:  database name = snort
                  database:    sensor name = resistance.quantum.local:42641_fxp0
                  database:      sensor id = 17
                  database:  data encoding = hex
                  database:   detail level = full
                  database:     ignore_bpf = no
                  database: using the "log" facility
                  
                          --== Initialization Complete ==--
                  
                    ______   -*> Barnyard2 <*-
                   / ,,_  \  Version 2.1.8 (Build 251)
                   |o"  )~|  By the SecurixLive.com Team: http://www.securixlive.com/about.php
                   + '''' +  (C) Copyright 2008-2010 SecurixLive.
                  
                             Snort by Martin Roesch & The Snort Team: http://www.snort.org/team.html
                             (C) Copyright 1998-2007 Sourcefire Inc., et al.
                  
                             Built Date for Barnyard2 on Pfsense 1.2.3 is March 8 2010.
                       ___   Orion IPS Output Code Copyright (C) 2009-2010 Robert Zelaya.
                   ___/ f \
                  / p \___/  Sense
                  \___/   \
                      \___/  Built with Mysql SSL support.
                  
                  WARNING: Unable to open waldo file '/usr/local/etc/snort/snort_42641_fxp0/barnyard2.waldo' (Permission denied)
                  Opened spool file '/var/log/snort/snort_42641_fxp0.u2.1272156291'
                  Waiting for new data
                  
                  
    • lightenup

                    I was beginning to suspect the parent folder permissions were to blame; your suggestion worked. James, do you take PayPal donations?

                    -LiGHT

    • lightenup

                      Humm… so from the command line everything works fine. However, when I launch the given Snort instance from the web GUI, I find that it resets the permissions on the given folder (snort_42641_fxp0), which causes Barnyard2 to fail.

                      Before:

                      
                      # pwd
                      /usr/local/etc/snort/snort_42641_fxp0
                      # ls -al
                      total 4610
                      drwxr-xr-x  3 snort  snort      512 Apr 25 17:30 .
                      drwxrwx---  8 snort  snort     1024 Apr 25 00:03 ..
                      -rwxr-xr-x  1 snort  snort     2086 Apr 25 17:37 barnyard2.conf
                      -rwxr-xr-x  1 snort  snort     2056 Apr 25 17:39 barnyard2.waldo
                      -rwxr-xr-x  1 snort  snort     3547 Apr 24 18:55 classification.config
                      -rwxr-xr-x  1 snort  snort    12103 Apr 24 18:55 gen-msg.map
                      -rwxr-xr-x  1 snort  snort     2060 Apr 24 18:55 generators
                      -rwxr-xr-x  1 snort  snort      359 Apr 24 18:55 oinkmaster_42641_fxp0.conf
                      -rwxr-xr-x  1 snort  snort      608 Apr 24 18:55 reference.config
                      drwxr-xr-x  2 snort  snort     3584 Apr 24 18:55 rules
                      -rwxr-xr-x  1 snort  snort        5 Apr 24 18:55 sid
                      -rwxr-xr-x  1 snort  snort  4572178 Apr 24 18:55 sid-msg.map
                      -rwxr-xr-x  1 snort  snort    14284 Apr 25 17:37 snort.conf
                      -rwxr-xr-x  1 snort  snort     3384 Apr 24 21:05 threshold.conf
                      -rwxr-xr-x  1 snort  snort    53841 Apr 24 18:55 unicode.map
                      
                      

                      After a Snort restart:

                      
                      # ls -al
                      total 4610
                      drw-rw----  3 snort  snort      512 Apr 25 17:30 .
                      drwxrwx---  8 snort  snort     1024 Apr 25 00:03 ..
                      -rw-rw----  1 snort  snort     2086 Apr 25 17:44 barnyard2.conf
                      -rw-rw----  1 snort  snort     2056 Apr 25 17:39 barnyard2.waldo
                      -rw-rw----  1 snort  snort     3547 Apr 24 18:55 classification.config
                      -rw-rw----  1 snort  snort    12103 Apr 24 18:55 gen-msg.map
                      -rw-rw----  1 snort  snort     2060 Apr 24 18:55 generators
                      -rw-rw----  1 snort  snort      359 Apr 24 18:55 oinkmaster_42641_fxp0.conf
                      -rw-rw----  1 snort  snort      608 Apr 24 18:55 reference.config
                      drw-rw----  2 snort  snort     3584 Apr 24 18:55 rules
                      -rw-rw----  1 snort  snort        5 Apr 24 18:55 sid
                      -rw-rw----  1 snort  snort  4572178 Apr 24 18:55 sid-msg.map
                      -rw-rw----  1 snort  snort    14284 Apr 25 17:44 snort.conf
                      -rw-rw----  1 snort  snort     3384 Apr 24 21:05 threshold.conf
                      -rw-rw----  1 snort  snort    53841 Apr 24 18:55 unicode.map
                      
                      
    • lightenup

                        I was able to get Barnyard2 running, but I had to create the .waldo file described above. I then had to start barnyard2…

                        
                        # /usr/local/bin/barnyard2 -f snort_46218_fxp0.u2 -u snort -g snort -c /usr/local/etc/snort/snort_46218_fxp0/barnyard2.conf -w /usr/local/etc/snort/snort_46218_fxp0/barnyard2.waldo -d /var/log/snort
                        
                        WARNING: Ignoring corrupt/truncated waldofile '/usr/local/etc/snort/snort_46218_fxp0/barnyard2.waldo'
                        
                        

                        This did not help matters, and restarting Snort would not bring Barnyard2 into an operational state. On a hunch I started Snort, then started Barnyard2 manually. At that point I ran a port scan (Shields Up) to trigger a Snort alert; this caused Barnyard2 to write the barnyard2.waldo file. Once this was done, I was able to restart Snort and Barnyard2 was started as well.

                        LiGHTENUP

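The thread circles around two distinct failure modes: the instance directory losing its search bit after a Snort restart (the drw-rw---- in lightenup's "After" listing, which is what produces "Unable to open waldo file ... (Permission denied)" even though the file itself is rw for snort), and a 0-byte waldo that Barnyard2 reports as "corrupt/truncated" until it has processed spool data (jaysonr's post and the one directly above). The script below is an added example written for this page; it is not code from the thread or from the pfSense Snort package. The instance directory, id and interface it creates are constructed for the demo, barnyard2_cmd only reproduces the command line Jare posted with input validation added, and the mode checks parse ls -ld output, which has the same first ten columns on FreeBSD and Linux.

```shell
#!/bin/sh
# Added example for this thread; not from the pfSense Snort package.
# Checks a Snort instance directory for the two conditions discussed:
#   1. directory without the search (x) bit -> no path under it can be
#      resolved by the snort user, so the waldo open fails with EACCES;
#   2. 0-byte waldo file -> Barnyard2 logs "Ignoring corrupt/truncated waldofile".
# All paths, ids and interface names below are constructed for the demo.

# Symbolic mode of a path, e.g. drw-rw---- (first 10 columns of ls -ld;
# stat(1) flags differ between FreeBSD and Linux, ls -ld does not).
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# 0 if the owner can traverse the directory (owner x bit set), 1 otherwise.
dir_searchable() {
    case "$(mode_of "$1")" in
        d??x*) return 0 ;;
        *)     return 1 ;;
    esac
}

# Classify the waldo file the way Barnyard2 will treat it: missing | empty | present
waldo_state() {
    if   [ ! -e "$1" ]; then echo missing
    elif [ ! -s "$1" ]; then echo empty      # 0 bytes: "corrupt/truncated"
    else                     echo present
    fi
}

# Reproduce the broken layout from the "After a Snort restart" listing:
# every entry, directories included, set to 660.
break_perms() {
    find "$1" -exec chmod 660 {} +
}

# Repair: capital X adds execute only to directories (and files that already
# had it), so files stay 660, directories become 770, and others get nothing.
fix_perms() {
    chmod -R u=rwX,g=rwX,o= "$1"
}

# Build the manual start command from Jare's post for one instance. The id
# must be digits and the interface a plain token, so nothing unexpected is
# ever spliced into the command line.
barnyard2_cmd() {
    id=$1; iface=$2
    case "$id" in ''|*[!0-9]*) echo "bad id: $id" >&2; return 1 ;; esac
    case "$iface" in ''|*[!A-Za-z0-9_.]*) echo "bad iface: $iface" >&2; return 1 ;; esac
    cfgdir="/usr/local/etc/snort/snort_${id}_${iface}"
    printf '%s\n' "/usr/local/bin/barnyard2 -f snort_${id}_${iface}.u2 -u snort -g snort -c ${cfgdir}/barnyard2.conf -w ${cfgdir}/barnyard2.waldo -d /var/log/snort"
}

demo() {
    base=$(mktemp -d) || return 1
    inst="$base/snort_42641_fxp0"            # constructed instance directory
    mkdir -p "$inst/rules"
    : > "$inst/barnyard2.conf"
    : > "$inst/barnyard2.waldo"              # 0 bytes, as in the thread
    echo "waldo: $(waldo_state "$inst/barnyard2.waldo") (Barnyard2 will ignore it until it writes a position)"

    break_perms "$inst"
    echo "directory after 660: $(mode_of "$inst")"
    dir_searchable "$inst" || echo "  search bit missing: any open under $inst fails with Permission denied for user snort"

    fix_perms "$inst"
    echo "directory after u=rwX,g=rwX,o=: $(mode_of "$inst")  waldo file: $(mode_of "$inst/barnyard2.waldo")"
    dir_searchable "$inst" && echo "  directory traversable again, files still 660"

    echo "manual start (as root, Snort running; Ctrl+C once it prints 'Waiting for new data'):"
    barnyard2_cmd 42641 fxp0
    rm -rf "$base"
}

demo
```

Run it once on a scratch host to see the before/after modes; on a real pfSense box, point mode_of and waldo_state at /usr/local/etc/snort/snort_{id}_{iface} and run fix_perms only on that instance directory, since the package may reapply its own modes on the next Snort restart, as lightenup observed.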
    • jamesdean

                          @lightenup:

                          I was able to get Barnyard2 running but i had to create the .waldo file described above. I then had to start barnyard2…

                          
                          # /usr/local/bin/barnyard2 -f snort_46218_fxp0.u2 -u snort -g snort -c /usr/local/etc/snort/snort_46218_fxp0/barnyard2.conf -w /usr/local/etc/snort/snort_46218_fxp0/barnyard2.waldo -d /var/log/snort
                          
                          WARNING: Ignoring corrupt/truncated waldofile '/usr/local/etc/snort/snort_46218_fxp0/barnyard2.waldo'
                          
                          

                          This did not help matters, and restarting Snort would not bring Barnyard2 into an operational state. On a hunch I started Snort, then started Barnyard2 manually. At that point I ran a port scan (Shields Up) to trigger a Snort alert; this caused Barnyard2 to write the barnyard2.waldo file. Once this was done, I was able to restart Snort and Barnyard2 was started as well.

                          LiGHTENUP

                          I'm working on it…

    • lightenup

                            James,

                            After reading my last post it might have come off a bit accusatory, that was not my intent at all. Thanks for all your work, I was just posting the work around I found in an effort to help others out there.
