Snort + Barnyard2 quick question (Waiting for new data)
-
Hello. Today I decided to install Snorby to get a better overview of Snort.
So I have connected Barnyard2 to a dedicated MySQL server for now.
But when I start Snort and Barnyard2, the last thing in the log file is "Waiting for new data", and for the next couple of hours it is still waiting!
And I can see there is activity in Snort, and a couple of hosts have been blocked. Can this be true, or is everything working fine here? Log file:
Oct 16 19:04:15 barnyard2[18488]: Waiting for new data
Oct 16 19:04:15 barnyard2[18488]: Opened spool file '/var/log/snort/snort_em131689/snort_31689_em1.u2.1445014922'
Oct 16 19:04:15 barnyard2[18488]: Closing spool file '/var/log/snort/snort_em131689/snort_31689_em1.u2.1445004064'. Read 10 records
Oct 16 19:04:15 barnyard2[18488]: Opened spool file '/var/log/snort/snort_em131689/snort_31689_em1.u2.1445004064'
Oct 16 19:04:15 barnyard2[18488]: Using waldo file '/var/log/snort/snort_em131689/barnyard2/31689_em1.waldo': spool directory = /var/log/snort/snort_em131689 spool filebase = snort_31689_em1.u2 time_stamp = 1445004064 record_idx = 10
Oct 16 19:04:15 barnyard2[18488]: Barnyard2 initialization completed successfully (pid=18488)
Oct 16 19:04:15 barnyard2[18488]: --== Initialization Complete ==--
Oct 16 19:04:15 barnyard2[18488]:
Oct 16 19:04:15 barnyard2[18488]: database: using the "log" facility
Oct 16 19:04:15 barnyard2[18488]: database: ignore_bpf = no
Oct 16 19:04:15 barnyard2[18488]: database: detail level = full
Oct 16 19:04:15 barnyard2[18488]: database: data encoding = hex
Oct 16 19:04:15 barnyard2[18488]: database: sensor cid = 21
Oct 16 19:04:15 barnyard2[18488]: database: sensor id = 1
Oct 16 19:04:15 barnyard2[18488]: database: sensor name = pfSense.home:em1
Oct 16 19:04:15 barnyard2[18488]: database: database name = snort
Oct 16 19:04:15 barnyard2[18488]: database: user = snort
Oct 16 19:04:15 barnyard2[18488]: database: host = 10.0.2.4
Oct 16 19:04:15 barnyard2[18488]: database: schema version = 107
Oct 16 19:04:15 barnyard2[18488]: database: configured to use mysql
Oct 16 19:04:15 barnyard2[18488]: database: compiled support for (mysql)
Oct 16 19:01:37 php-fpm[87162]: /snort/snort_interfaces.php: [Snort] Snort START for DMZ(em1)...
Oct 16 19:01:35 php-fpm[87162]: /snort/snort_interfaces.php: [Snort] Building new sid-msg.map file for ...
Oct 16 19:01:34 php-fpm[87162]: /snort/snort_interfaces.php: [Snort] Enabling any flowbit-required rules for: ...
Oct 16 19:01:23 php-fpm[87162]: /snort/snort_interfaces.php: [Snort] Updating rules configuration for: ...
Oct 16 19:01:21 php-fpm[87162]: /snort/snort_interfaces.php: [Snort] Building new sid-msg.map file for DMZ...
Oct 16 19:01:20 php-fpm[87162]: /snort/snort_interfaces.php: [Snort] Enabling any flowbit-required rules for: DMZ...
Oct 16 19:01:09 php-fpm[87162]: /snort/snort_interfaces.php: [Snort] Updating rules configuration for: DMZ ...
Oct 16 19:01:09 php-fpm[87162]: /snort/snort_interfaces.php: Toggle (snort starting) for DMZ(em1)...
Oct 16 19:00:26 snort[19170]:
Oct 16 19:00:26 snort[19170]: Using ZLIB version: 1.2.8
Oct 16 19:00:26 snort[19170]: Using PCRE version: 8.37 2015-04-28
Oct 16 19:00:26 snort[19170]: Using libpcap version 1.7.3
Oct 16 19:00:26 snort[19170]: Copyright (C) 1998-2013 Sourcefire, Inc., et al.
Oct 16 19:00:26 snort[19170]: Copyright (C) 2014-2015 Cisco and/or its affiliates. All rights reserved.
Oct 16 19:00:26 snort[19170]: '''' By Martin Roesch & The Snort Team: http://www.snort.org/contact#team
Oct 16 19:00:26 snort[19170]: o" )~ Version 2.9.7.5 GRE (Build 262)
Oct 16 19:00:26 snort[19170]: ,,_ -*> Snort! <*-
Oct 16 19:00:26 snort[19170]:
Oct 16 19:00:26 SnortStartup[18869]: Snort START for VPN(9871_)...
Oct 16 19:00:26 barnyard2[18488]: Writing PID "18488" to file "/var/run/barnyard2_em131689.pid"
Oct 16 19:00:26 barnyard2[18488]: PID path stat checked out ok, PID path set to /var/run
Oct 16 19:00:26 barnyard2[83887]: Daemon parent exiting
Oct 16 19:00:26 barnyard2[18488]: Daemon initialized, signaled parent pid: 83887
Oct 16 19:00:26 barnyard2[83887]: Initializing daemon mode
Oct 16 19:00:26 barnyard2[83887]: INFO database: Defaulting Reconnect sleep time to 5 second
Oct 16 19:00:26 barnyard2[83887]: INFO database: Defaulting Reconnect/Transaction Error limit to 10
Oct 16 19:00:26 barnyard2[83887]: Log directory = /var/log/snort/snort_em131689
Oct 16 19:00:26 barnyard2[83887]: Barnyard2 spooler: Event cache size set to [8192]
Oct 16 19:00:21 barnyard2[83887]: ---------------------------- +[ Signature Suppress list ]+
Oct 16 19:00:21 barnyard2[83887]: +[No entry in Signature Suppress List]+
Oct 16 19:00:21 barnyard2[83887]: +[ Signature Suppress list ]+ ----------------------------
Oct 16 19:00:21 barnyard2[83887]: Found pid path directive (/var/run)
Oct 16 19:00:21 barnyard2[83887]: Parsing config file "/usr/pbi/snort-amd64/etc/snort/snort_31689_em1/barnyard2.conf"
Oct 16 19:00:21 barnyard2[83887]: Initializing Output Plugins!
Oct 16 19:00:21 barnyard2[83887]: Initializing Input Plugins!
Oct 16 19:00:21 barnyard2[83887]: --== Initializing Barnyard2 ==--
Oct 16 19:00:21 barnyard2[83887]:
Oct 16 19:00:21 barnyard2[83887]: Running in Continuous mode
Oct 16 19:00:21 barnyard2[83887]: Found pid path directive (/var/run)
Oct 16 19:00:20 SnortStartup[83606]: Barnyard2 START for DMZ(31689_em1)...
Oct 16 19:00:16 barnyard2[36044]: Closing spool file '/var/log/snort/snort_em131689/snort_31689_em1.u2.1445004064'. Read 10 records
Oct 16 19:00:16 barnyard2[36044]: ===============================================================================
Oct 16 19:00:16 barnyard2[36044]: Total: 5
Oct 16 19:00:16 barnyard2[36044]: S5 G 2: 0 (0.000%)
Oct 16 19:00:16 barnyard2[36044]: S5 G 1: 0 (0.000%)
Oct 16 19:00:16 barnyard2[36044]: InvChkSum: 0 (0.000%)
Oct 16 19:00:16 barnyard2[36044]: DISCARD: 0 (0.000%)
Oct 16 19:00:16 barnyard2[36044]: OTHER: 0 (0.000%)
Oct 16 19:00:16 barnyard2[36044]: MPLS: 0 (0.000%)
Oct 16 19:00:16 barnyard2[36044]: GRE LOOP: 0 (0.000%)
Oct 16 19:00:16 barnyard2[36044]: GRE IPX: 0 (0.000%)
Oct 16 19:00:16 barnyard2[36044]: GRE ARP: 0 (0.000%)
Oct 16 19:00:16 barnyard2[36044]: GRE PPTP: 0 (0.000%)
Oct 16 19:00:16 barnyard2[36044]: GRE IP6 E: 0 (0.000%)
Oct 16 19:00:16 barnyard2[36044]: GRE IPv6: 0 (0.000%)
Oct 16 19:00:16 barnyard2[36044]: GRE IPv4: 0 (0.000%)
Oct 16 19:00:16 barnyard2[36044]: GRE VLAN: 0 (0.000%)
Oct 16 19:00:16 barnyard2[36044]: GRE ETH: 0 (0.000%)
Oct 16 19:00:16 barnyard2[36044]: GRE: 0 (0.000%)
Oct 16 19:00:16 barnyard2[36044]: IPv6/IPv6: 0 (0.000%)
Oct 16 19:00:16 barnyard2[36044]: IPv6/IPv4: 0 (0.000%)
Oct 16 19:00:16 barnyard2[36044]: IPv4/IPv6: 0 (0.000%)
Oct 16 19:00:16 barnyard2[36044]: IPv4/IPv4: 0 (0.000%)
Oct 16 19:00:16 barnyard2[36044]: IPX: 0 (0.000%)
Oct 16 19:00:16 barnyard2[36044]: ETHLOOP: 0 (0.000%)
Oct 16 19:00:16 barnyard2[36044]: EAPOL: 0 (0.000%)
Oct 16 19:00:16 barnyard2[36044]: ARP: 0 (0.000%)
Oct 16 19:00:16 barnyard2[36044]: FRAG 6: 0 (0.000%)
Oct 16 19:00:16 barnyard2[36044]: FRAG: 0 (0.000%)
Oct 16 19:00:16 barnyard2[36044]: ICMPdis: 0 (0.000%)
Oct 16 19:00:16 barnyard2[36044]: UDPdisc: 0 (0.000%)
Oct 16 19:00:16 barnyard2[36044]: TCPdisc: 0 (0.000%)
Oct 16 19:00:16 barnyard2[36044]: ICMP: 0 (0.000%)
Oct 16 19:00:16 barnyard2[36044]: UDP: 0 (0.000%)
Oct 16 19:00:16 barnyard2[36044]: TCP: 5 (100.000%)
Oct 16 19:00:16 barnyard2[36044]: ICMP-IP: 0 (0.000%)
Oct 16 19:00:16 barnyard2[36044]: ICMP6: 0 (0.000%)
Oct 16 19:00:16 barnyard2[36044]: UDP 6: 0 (0.000%)
Oct 16 19:00:16 barnyard2[36044]: TCP 6: 0 (0.000%)
Oct 16 19:00:16 barnyard2[36044]: IP4disc: 0 (0.000%)
Oct 16 19:00:16 barnyard2[36044]: IP4: 5 (100.000%)
Oct 16 19:00:16 barnyard2[36044]: IP6disc: 0 (0.000%)
Oct 16 19:00:16 barnyard2[36044]: IP6opts: 0 (0.000%)
Oct 16 19:00:16 barnyard2[36044]: IP6 EXT: 0 (0.000%)
Oct 16 19:00:16 barnyard2[36044]: IPV6: 0 (0.000%)
Oct 16 19:00:16 barnyard2[36044]: VLAN: 0 (0.000%)
Oct 16 19:00:16 barnyard2[36044]: ETHdisc: 0 (0.000%)
Oct 16 19:00:16 barnyard2[36044]: ETH: 5 (100.000%)
Oct 16 19:00:16 barnyard2[36044]: Packet breakdown by protocol (includes rebuilt packets):
Oct 16 19:00:16 barnyard2[36044]: ===============================================================================
Oct 16 19:00:16 barnyard2[36044]: Suppressed: 0 (0.000%)
Oct 16 19:00:16 barnyard2[36044]: Unknown: 0 (0.000%)
Oct 16 19:00:16 barnyard2[36044]: Packets: 5 (50.000%)
Oct 16 19:00:16 barnyard2[36044]: Events: 5 (50.000%)
Oct 16 19:00:16 barnyard2[36044]: Records: 10
Oct 16 19:00:16 barnyard2[36044]: Record Totals:
Oct 16 19:00:16 barnyard2[36044]: ===============================================================================
Oct 16 19:00:16 barnyard2[36044]: database: Closing connection to database "snort"
Oct 16 19:00:16 barnyard2[36044]: Barnyard2 exiting
Oct 16 19:00:16 barnyard2[36044]: *** Caught Term-Signal
Oct 16 19:00:16 SnortStartup[78450]: Barnyard2 STOP for DMZ(31689_em1)...
Oct 16 19:00:13 snort[69224]: *** Caught Term-Signal
Oct 16 19:00:12 SnortStartup[76429]: Snort STOP for DMZ(31689_em1)...
-
Have you checked in the MySQL database to see if the alerts are actually there? It appears Barnyard2 sees an existing U2 logfile upon startup, so it reads it and puts those records in the database (there appear to be 10 records in that file). Then it opens a new U2 logfile and should be reading records as they come in.
Snorby can be a pain to get working (as in refreshing and displaying the data). There are some jobs that have to be running on the MySQL side with Snorby, otherwise your events get into the database but never show up in Snorby itself.
Bill
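A way to check Bill's reading of the log independently of the database: parse the unified2 spool file Snort writes and count what is in it. The script below is an added example, not code from the thread, from Snort or from Barnyard2. It uses the unified2 record layout from Snort's Unified2_common.h (a big-endian type/length header in front of every record; record type 7 and 104 are IPv4 events, type 2 is a packet) and reports the same totals Barnyard2 prints on exit ("Records: 10", "Events: 5", "Packets: 5" in the log above), plus the gid:sid:rev and addresses of each IPv4 event so they can be matched against rows in the `event` and `signature` tables of the Barnyard2 schema. The spool bytes built at the bottom are constructed sample data standing in for a real `snort_31689_em1.u2.*` file; the addresses and signature IDs in them are made up.

```python
import socket
import struct
import sys
from collections import Counter

# Unified2 record type codes (Snort's Unified2_common.h)
U2_PACKET = 2
U2_IDS_EVENT = 7
U2_IDS_EVENT_IPV6 = 72
U2_IDS_EVENT_V2 = 104
U2_IDS_EVENT_IPV6_V2 = 105
IPV4_EVENT_TYPES = {U2_IDS_EVENT, U2_IDS_EVENT_V2}
EVENT_TYPES = IPV4_EVENT_TYPES | {U2_IDS_EVENT_IPV6, U2_IDS_EVENT_IPV6_V2}

# Every record starts with a big-endian (type, length) header; length is the body size.
RECORD_HDR = struct.Struct(">II")
# Fields shared by the IPv4 event layouts (type 7 in full, the first 52 bytes of type 104):
# sensor_id, event_id, event_second, event_usec, signature_id, generator_id,
# signature_revision, classification_id, priority_id, ip_src, ip_dst,
# sport_itype, dport_icode, protocol, impact_flag, impact, blocked
IPV4_EVENT_PREFIX = struct.Struct(">9I4s4sHH4B")


def iter_records(data: bytes):
    """Yield (type, body) for each complete record; stop at a partial trailing record."""
    off = 0
    while off + RECORD_HDR.size <= len(data):
        rtype, length = RECORD_HDR.unpack_from(data, off)
        off += RECORD_HDR.size
        if off + length > len(data):
            break  # Snort may still be appending this record; Barnyard2 waits for it as well
        yield rtype, data[off:off + length]
        off += length


def summarize_spool(data: bytes) -> dict:
    """Count records the way Barnyard2's exit statistics do and decode the IPv4 events."""
    counts = Counter()
    events = []
    for rtype, body in iter_records(data):
        if rtype in EVENT_TYPES:
            counts["events"] += 1
            if rtype in IPV4_EVENT_TYPES and len(body) >= IPV4_EVENT_PREFIX.size:
                f = IPV4_EVENT_PREFIX.unpack_from(body)
                events.append({
                    "event_id": f[1], "gid": f[5], "sid": f[4], "rev": f[6],
                    "src": socket.inet_ntoa(f[9]), "dst": socket.inet_ntoa(f[10]),
                    "sport": f[11], "dport": f[12], "proto": f[13], "blocked": f[16],
                })
        elif rtype == U2_PACKET:
            counts["packets"] += 1
        else:
            counts["other"] += 1
    return {"records": sum(counts.values()), "events": counts["events"],
            "packets": counts["packets"], "other": counts["other"],
            "event_list": events}


# --- constructed sample spool: 5 V2 events, each followed by its packet record ---
def _event_record(event_id: int, sid: int) -> bytes:
    body = IPV4_EVENT_PREFIX.pack(
        1, event_id, 1445014922 + event_id, 0, sid, 1, 1, 0, 2,
        socket.inet_aton("10.0.2.99"), socket.inet_aton("10.0.2.4"),
        40000 + event_id, 22, 6, 0, 0, 1) + struct.pack(">IHH", 0, 0, 0)  # V2 tail: mpls, vlan, pad
    return RECORD_HDR.pack(U2_IDS_EVENT_V2, len(body)) + body


def _packet_record(event_id: int) -> bytes:
    payload = b"\x00" * 60  # placeholder frame bytes
    # sensor_id, event_id, event_second, packet_second, packet_usec, linktype, packet_length
    body = struct.pack(">7I", 1, event_id, 1445014922 + event_id, 1445014922 + event_id,
                       0, 1, len(payload)) + payload
    return RECORD_HDR.pack(U2_PACKET, len(body)) + body


SAMPLE_SPOOL = b"".join(_event_record(i, 2000000 + i) + _packet_record(i) for i in range(1, 6))

if __name__ == "__main__":
    # Pass the path of a real spool file to inspect it; with no argument the sample is used.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_SPOOL
    s = summarize_spool(data)
    print(f"records={s['records']} events={s['events']} packets={s['packets']} other={s['other']}")
    for e in s["event_list"]:
        print(f"  event {e['event_id']}: {e['gid']}:{e['sid']}:{e['rev']} "
              f"{e['src']}:{e['sport']} -> {e['dst']}:{e['dport']} proto={e['proto']} blocked={e['blocked']}")
```

Run it against the spool file Barnyard2 reports as currently open (the `.u2.1445014922` file in the log). If the record count keeps climbing while Barnyard2 sits at "Waiting for new data", Snort is producing events and the question moves to the database side: `SELECT sid, last_cid FROM sensor;` and `SELECT MAX(cid) FROM event WHERE sid = 1;` should advance past the 21 reported as "sensor cid" at startup. If the spool file itself stays at the size it had when the waldo was written (record_idx = 10), nothing new has been logged and Barnyard2's message is simply accurate.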
-
I have imported this schema into MySQL: https://github.com/firnsy/barnyard2/tree/master/schemas
After I connected Barnyard2 to the DB, the size grew from 0 to 7.8 MB, but after that the DB remained at 7.8 MB. I haven't installed Snorby yet because I wanted to make sure the DB was 100% working.