Snort - Barnyard2 starts but doesn't log
-
Environment:
pfSense 1.2.3
Snort 2.8.6.1 Pkg v. 1.34I had Snort up using Barnyard2 to log to MySQL. Everything was working fine, however, at some point while enabling some rules (via Categories) Barnyard stopped writing to the MySQL DB. What's odd is that Barnyard appears to start correctly and even says "Waiting for new data…" in the system log. Upon stopping and starting Snort on the interface the log shows an initialization complete for Barnyard as well as it using the Waldo file. However, no new data gets logged on the MySQL side. The last new entry I have in there is from 11:11:31 this morning. New alerts can be seen from the pfSense UI. I've checked that connectivity between pfSense and MySQL is still allowed, everything is good there.
Additionally, when trying to stop Snort on the interface, Barnyard will go down (The Barnyard 'icon' in the UI goes red and the process doesn't exist on the box), but Snort still appears to be running. I click the red X again and Barnyard comes back up. It has to be clicked a third time in order to bring both down. Very strange behavior.
Any help is appreciated.
-
So I've setup a secondary test PFsense box with Snort and Barnyard2. I'm seeing the same type of behavior on this setup. I start Snort initially, alerts are generated and written to MySQL as expected. I then make a change, in this case to the suppression rule and restart Snort on the interface. (yes, there are other alerts coming through, not everything is being suppressed) Upon restarting new alerts aren't logged to MySQL anymore. Over a period of time, 12+ hours we start seeing consistent logging to MySQL again. ??? This is very odd to me. Any thoughts…?
For example right now Snort has 26 alerts listed and Snorby (MySQL) is only showing 17. These should be the same, should they not?
-
At this point this issue seems to be related to the waldo file Barnyard2 is using to serve as a marker in the event that is closes or crashes unexpectedly. From our testing we're seeing that deleting the waldo file allows barnyard2 to start back up and immediately start writing to MySQL as it should. Any time we leave an existing waldo file in place and restart barnyard2 it doesn't write to MySQL as it should. Now, we're well aware that removing the waldo file will cause alerts that happened while barnyard2 was not running to not be logged, but they aren't anyway at this time.
Any thoughts on how/why the waldo file would be causing this?
-
The same problem still exists in Snort 2.8.6.1 Pkg v. 1.35. Although Barnyard2 initialization completes successfully it won't insert new alerts into Mysql database, if there is a waldo file present in the system. Deleting the waldo file solves the problem, but this isn't very convenient.
Another small glitch is that "{$snortdir}/rules" directory is removed every time when a new set of snort.org rules is downloaded. This is a problem when there is no new Emerging threats rule set to download. The Emerging threats rules are removed too, so I can't use them on new Snort interfaces. This also results into unidentified event signatures regarding the Emerging threats rule set. So I'm seeing a lot of "Snort Alert [1:12345:0]" in the Snorby events, when I should be seeing something like "ET SCAN Test".
-
What exactly did you do to make barnyard2 to start logging? I've purged the barnyard2 waldo file but still no logging in mysql. The related schema was imported and permissions were permitted for the snort host. I'm able to connect to port 3306/tcp on the pfSense host.