Snort - Barnyard2 not working



  • I just upgraded my box in order to get the new SNORT working and that went off without a hitch.  However, Barnyard2 does not work anymore.

    I receive the errors:

    barnyard2[29422]: WARNING: Unable to open waldo file '/usr/local/etc/snort/snort_9867_fxp0/barnyard2.waldo' (No such file or directory)
    barnyard2[29422]: ERROR: Unable to open directory '' (No such file or directory)
    barnyard2[29422]: ERROR: Unable to find the next spool file!

    Any ideas?  It worked prior to the upgrade.



  • Do this in the terminal

    touch /usr/local/etc/snort/snort_9867_fxp0/barnyard2.waldo
    chown snort:snort /usr/local/etc/snort/snort_9867_fxp0/barnyard2.waldo



  • I did that and now it throws the error:

    barnyard2[46672]: WARNING: Ignoring corrupt/truncated waldofile '/usr/local/etc/snort/snort_9867_fxp0/barnyard2.waldo'

    Then the other two errors…  I did check the directory and the file is there, 0 bytes, but it's there.  Do I need to put anything in that file?



  • I saw the bug for barnyard, wasn't sure how to get around it.

    I did check the running processes and barnyard2 is not running.

    I do already have 30008 records in my data file, so would I need to put anything in the waldo file?



  • @jaysonr:

    I did that and now it throws the error:

    barnyard2[46672]: WARNING: Ignoring corrupt/truncated waldofile '/usr/local/etc/snort/snort_9867_fxp0/barnyard2.waldo'

    Then the other two errors…  I did check the directory and the file is there, 0 bytes, but it's there.  Do I need to put anything in that file?

    Same result here, latest snort 2.8.5.3 pkg v. 1.21 under pfSense 1.2.3-RELEASE



  • I've got a solution on how to get Barnyard2 to write and use the waldo file again. When Snort is running, just log into the ssh shell and start Barnyard2 with the following command:

    /usr/local/bin/barnyard2 -f snort_{id}_{iface}.u2 -u snort -g snort -c /usr/local/etc/snort/snort_{id}_{iface}/barnyard2.conf -w /usr/local/etc/snort/snort_{id}_{iface}/barnyard2.waldo -d /var/log/snort
    

    Remember to fill in the {id} and {iface} fields correctly. If everything goes well, it will read "Waiting for new data…". Now stop Barnyard using Ctrl+C and restart Snort normally from the web interface.



  • That worked great!  Thank you!  ;D



  • Perfect! Thanks again!

    -LiGHT



  • Tonight I installed the latest version of Snort 2.8.5.3 pkg v. 1.22 package on pfSense 1.2.3-RELEASE and it looks like Barnyard2 won't start. I followed the workarounds which worked on the prior version, but on the current version it fails. As you can see below, it throws an error about not being able to open the waldo file. Any help would be great.

    Thanks Again!

    
    # pwd
    /usr/local/etc/snort/snort_42641_fxp0
    
    # ls -al barnyard2.waldo
    -rw-rw----  1 snort  snort  0 Apr 24 20:57 barnyard2.waldo
    
    # /usr/local/bin/barnyard2 -f snort_42641_fxp0.u2 -u snort -g snort -c /usr/local/etc/snort/snort_42641_fxp0/barnyard2.conf -w /usr/local/etc/snort/snort_42641_fxp0/barnyard2.waldo -d /var/log/snort
    Running in Continuous mode
    
            --== Initializing Barnyard2 ==--
    Initializing Input Plugins!
    Initializing Output Plugins!
    Parsing config file "/usr/local/etc/snort/snort_42641_fxp0/barnyard2.conf"
    Log directory = /var/log/snort
    database: compiled support for (mysql)
    database: configured to use mysql
    database: schema version = 107
    database:           host = 10.7.7.5
    database:           user = snort
    database:  database name = snort
    database:    sensor name = resistance.quantum.local:42641_fxp0
    database:      sensor id = 17
    database:  data encoding = hex
    database:   detail level = full
    database:     ignore_bpf = no
    database: using the "log" facility
    
            --== Initialization Complete ==--
    
      ______   -*> Barnyard2 <*-
     / ,,_  \  Version 2.1.8 (Build 251)
     |o"  )~|  By the SecurixLive.com Team: http://www.securixlive.com/about.php
     + '''' +  (C) Copyright 2008-2010 SecurixLive.
    
               Snort by Martin Roesch & The Snort Team: http://www.snort.org/team.html
               (C) Copyright 1998-2007 Sourcefire Inc., et al.
    
               Built Date for Barnyard2 on Pfsense 1.2.3 is March 8 2010.
         ___   Orion IPS Output Code Copyright (C) 2009-2010 Robert Zelaya.
     ___/ f \
    / p \___/  Sense
    \___/   \
        \___/  Built with Mysql SSL support.
    
    WARNING: Unable to open waldo file '/usr/local/etc/snort/snort_42641_fxp0/barnyard2.waldo' (Permission denied)
    Opened spool file '/var/log/snort/snort_42641_fxp0.u2.1272156291'
    Waiting for new data
    
    


  • I was beginning to suspect the parent folder permissions were to blame; your suggestion worked. James, do you take PayPal donations?

    -LiGHT



  • Humm… so off the command line everything works fine. However, when I launch the given Snort instance from the web GUI, I find that it resets the permissions on the given folder (snort_42641_fxp0), which causes Barnyard2 to fail.

    Before:

    
    # pwd
    /usr/local/etc/snort/snort_42641_fxp0
    # ls -al
    total 4610
    drwxr-xr-x  3 snort  snort      512 Apr 25 17:30 .
    drwxrwx---  8 snort  snort     1024 Apr 25 00:03 ..
    -rwxr-xr-x  1 snort  snort     2086 Apr 25 17:37 barnyard2.conf
    -rwxr-xr-x  1 snort  snort     2056 Apr 25 17:39 barnyard2.waldo
    -rwxr-xr-x  1 snort  snort     3547 Apr 24 18:55 classification.config
    -rwxr-xr-x  1 snort  snort    12103 Apr 24 18:55 gen-msg.map
    -rwxr-xr-x  1 snort  snort     2060 Apr 24 18:55 generators
    -rwxr-xr-x  1 snort  snort      359 Apr 24 18:55 oinkmaster_42641_fxp0.conf
    -rwxr-xr-x  1 snort  snort      608 Apr 24 18:55 reference.config
    drwxr-xr-x  2 snort  snort     3584 Apr 24 18:55 rules
    -rwxr-xr-x  1 snort  snort        5 Apr 24 18:55 sid
    -rwxr-xr-x  1 snort  snort  4572178 Apr 24 18:55 sid-msg.map
    -rwxr-xr-x  1 snort  snort    14284 Apr 25 17:37 snort.conf
    -rwxr-xr-x  1 snort  snort     3384 Apr 24 21:05 threshold.conf
    -rwxr-xr-x  1 snort  snort    53841 Apr 24 18:55 unicode.map
    
    

    After a Snort restart:

    
    # ls -al
    total 4610
    drw-rw----  3 snort  snort      512 Apr 25 17:30 .
    drwxrwx---  8 snort  snort     1024 Apr 25 00:03 ..
    -rw-rw----  1 snort  snort     2086 Apr 25 17:44 barnyard2.conf
    -rw-rw----  1 snort  snort     2056 Apr 25 17:39 barnyard2.waldo
    -rw-rw----  1 snort  snort     3547 Apr 24 18:55 classification.config
    -rw-rw----  1 snort  snort    12103 Apr 24 18:55 gen-msg.map
    -rw-rw----  1 snort  snort     2060 Apr 24 18:55 generators
    -rw-rw----  1 snort  snort      359 Apr 24 18:55 oinkmaster_42641_fxp0.conf
    -rw-rw----  1 snort  snort      608 Apr 24 18:55 reference.config
    drw-rw----  2 snort  snort     3584 Apr 24 18:55 rules
    -rw-rw----  1 snort  snort        5 Apr 24 18:55 sid
    -rw-rw----  1 snort  snort  4572178 Apr 24 18:55 sid-msg.map
    -rw-rw----  1 snort  snort    14284 Apr 25 17:44 snort.conf
    -rw-rw----  1 snort  snort     3384 Apr 24 21:05 threshold.conf
    -rw-rw----  1 snort  snort    53841 Apr 24 18:55 unicode.map
    
    


  • I was able to get Barnyard2 running, but I had to create the .waldo file described above. I then had to start barnyard2…

    
    # /usr/local/bin/barnyard2 -f snort_46218_fxp0.u2 -u snort -g snort -c /usr/local/etc/snort/snort_46218_fxp0/barnyard2.conf -w /usr/local/etc/snort/snort_46218_fxp0/barnyard2.waldo -d /var/log/snort
    
    WARNING: Ignoring corrupt/truncated waldofile '/usr/local/etc/snort/snort_46218_fxp0/barnyard2.waldo'
    
    

    This did not help matters, and restarting Snort would not bring barnyard2 into an operational state. On a hunch I started Snort, then started barnyard2 manually. At this time I ran a port scan (Shields Up) to trigger a Snort alert; this caused barnyard2 to write the barnyard2.waldo file. Once this was done, I was able to restart Snort and barnyard2 was started as well.

    LiGHTENUP
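The two failure modes in this thread are both visible in the listings above: after a GUI restart the instance directory comes back as drw-rw---- (no search bit, so barnyard2 gets "Permission denied" on the waldo file even though ownership is correct), and a freshly touched 0-byte barnyard2.waldo is reported as "corrupt/truncated" until barnyard2 has recorded an event. The script below is an added example, not code from this thread, from pfSense or from the Snort/Barnyard2 packages; it checks an instance directory for exactly those conditions before you start barnyard2. The expected user and group are passed in as arguments (snort:snort on pfSense), and the demo at the bottom builds throwaway directories under mktemp rather than touching /usr/local/etc/snort.

```shell
#!/bin/sh
# check_snort_instance.sh (added example, not part of pfSense or Barnyard2).
# Checks what Barnyard2 needs from a Snort instance directory:
#   1. the directory carries the owner search (x) bit; without it barnyard2
#      reports "Unable to open waldo file ... (Permission denied)"
#   2. barnyard2.waldo exists and is owned by the expected user:group
#   3. barnyard2.waldo is non-empty; a 0-byte file is reported as
#      "Ignoring corrupt/truncated waldofile" until an event has been written

# Mode string such as drwxr-xr-x, via ls so it works on FreeBSD and Linux alike.
mode_of()  { ls -ld "$1" | cut -c1-10; }
owner_of() { ls -ld "$1" | awk '{print $3}'; }
group_of() { ls -ld "$1" | awk '{print $4}'; }

# check_instance_dir DIR USER GROUP
# Prints one line per problem found; exit status 0 only when everything is in order.
check_instance_dir() {
    dir=$1; user=$2; group=$3
    waldo="$dir/barnyard2.waldo"
    problems=0

    if [ ! -d "$dir" ]; then
        echo "PROBLEM: $dir is not a directory"
        return 1
    fi

    # Character 4 of the mode string is the owner execute/search bit.
    dmode=$(mode_of "$dir")
    case "$(printf '%s' "$dmode" | cut -c4)" in
        x|s) ;;
        *)  echo "PROBLEM: $dir has mode $dmode (no owner search bit); fix with: chmod u+x $dir"
            # Nothing inside the directory can be opened reliably without it, so stop here.
            return 1 ;;
    esac

    if [ ! -f "$waldo" ]; then
        echo "PROBLEM: $waldo missing; fix with: touch $waldo && chown $user:$group $waldo"
        return 1
    fi

    if [ "$(owner_of "$waldo")" != "$user" ] || [ "$(group_of "$waldo")" != "$group" ]; then
        echo "PROBLEM: $waldo is owned by $(owner_of "$waldo"):$(group_of "$waldo"), expected $user:$group"
        problems=$((problems + 1))
    fi

    if [ "$(wc -c < "$waldo" | tr -d ' ')" -eq 0 ]; then
        echo "PROBLEM: $waldo is empty; barnyard2 will call it corrupt/truncated until it has processed an event"
        problems=$((problems + 1))
    fi

    [ "$problems" -eq 0 ]
}

# Demo on constructed directories (hypothetical instance names, not real sensors).
demo() {
    me=$(id -un); mygrp=$(id -gn)
    base=$(mktemp -d)
    good="$base/snort_11111_fxp0"; noexec="$base/snort_22222_fxp0"; empty="$base/snort_33333_fxp0"
    mkdir "$good" "$noexec" "$empty"
    printf 'constructed-waldo-content' > "$good/barnyard2.waldo"
    : > "$noexec/barnyard2.waldo"; chmod 660 "$noexec"   # drw-rw----, as after the GUI restart
    : > "$empty/barnyard2.waldo"                          # 0-byte waldo, as after a bare touch
    for d in "$good" "$noexec" "$empty"; do
        if check_instance_dir "$d" "$me" "$mygrp"; then echo "$d: OK"; else echo "$d: needs attention"; fi
    done
    chmod 700 "$noexec"   # restore the search bit so cleanup can remove the tree
    rm -rf "$base"
}

demo
```

Run it as root on the firewall with the real path and snort:snort, e.g. `check_instance_dir /usr/local/etc/snort/snort_42641_fxp0 snort snort`, before launching barnyard2; an exit status of 0 means the three conditions the thread ran into are not present. The empty-waldo case is reported as a problem rather than fixed, because the only safe way to populate the file is to let barnyard2 write it after processing an event, as the post above describes.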



  • @lightenup:

    I was able to get Barnyard2 running, but I had to create the .waldo file described above. I then had to start barnyard2…

    
    # /usr/local/bin/barnyard2 -f snort_46218_fxp0.u2 -u snort -g snort -c /usr/local/etc/snort/snort_46218_fxp0/barnyard2.conf -w /usr/local/etc/snort/snort_46218_fxp0/barnyard2.waldo -d /var/log/snort
    
    WARNING: Ignoring corrupt/truncated waldofile '/usr/local/etc/snort/snort_46218_fxp0/barnyard2.waldo'
    
    

    This did not help matters, and restarting Snort would not bring barnyard2 into an operational state. On a hunch I started Snort, then started barnyard2 manually. At this time I ran a port scan (Shields Up) to trigger a Snort alert; this caused barnyard2 to write the barnyard2.waldo file. Once this was done, I was able to restart Snort and barnyard2 was started as well.

    LiGHTENUP

    I'm working on it…



  • James,

    After reading my last post it might have come off a bit accusatory, that was not my intent at all. Thanks for all your work, I was just posting the work around I found in an effort to help others out there.

