Using Barnyard2 Functionality with Suricata



  • Hello,

    I am looking to send the Suricata log to Snorby. To do so I need to activate the Barnyard2 functionality.
    I went to Suricata: Interface LAN - Barnyard2 Settings

    I left the default options checked, added my MySQL information, and enabled Barnyard2.

    Then I restarted the Suricata service (after restarting, only the interface didn't work).

    The logo with the red cross is still there next to Barnyard2 in the interface information.
    When I click on it, it still doesn't want to start.

    Here are the logs from the system logs:

    Apr 17 13:19:37	barnyard2[82555]: Suppressed: 0 (0.000%)
    Apr 17 13:19:37	barnyard2[82555]: ===============================================================================
    Apr 17 13:19:37	barnyard2[82555]: Packet breakdown by protocol (includes rebuilt packets):
    Apr 17 13:19:37	barnyard2[82555]: ETH: 0 (0.000%)
    Apr 17 13:19:37	barnyard2[82555]: ETHdisc: 0 (0.000%)
    Apr 17 13:19:37	barnyard2[82555]: VLAN: 0 (0.000%)
    Apr 17 13:19:37	barnyard2[82555]: IPV6: 0 (0.000%)
    Apr 17 13:19:37	barnyard2[82555]: IP6 EXT: 0 (0.000%)
    Apr 17 13:19:37	barnyard2[82555]: IP6opts: 0 (0.000%)
    Apr 17 13:19:37	barnyard2[82555]: IP6disc: 0 (0.000%)
    Apr 17 13:19:37	barnyard2[82555]: IP4: 0 (0.000%)
    Apr 17 13:19:37	barnyard2[82555]: IP4disc: 0 (0.000%)
    Apr 17 13:19:37	barnyard2[82555]: TCP 6: 0 (0.000%)
    Apr 17 13:19:37	barnyard2[82555]: UDP 6: 0 (0.000%)
    Apr 17 13:19:37	barnyard2[82555]: ICMP6: 0 (0.000%)
    Apr 17 13:19:37	barnyard2[82555]: ICMP-IP: 0 (0.000%)
    Apr 17 13:19:37	barnyard2[82555]: TCP: 0 (0.000%)
    Apr 17 13:19:37	barnyard2[82555]: UDP: 0 (0.000%)
    Apr 17 13:19:37	barnyard2[82555]: ICMP: 0 (0.000%)
    Apr 17 13:19:37	barnyard2[82555]: TCPdisc: 0 (0.000%)
    Apr 17 13:19:37	barnyard2[82555]: UDPdisc: 0 (0.000%)
    Apr 17 13:19:37	barnyard2[82555]: ICMPdis: 0 (0.000%)
    Apr 17 13:19:37	barnyard2[82555]: FRAG: 0 (0.000%)
    Apr 17 13:19:37	barnyard2[82555]: FRAG 6: 0 (0.000%)
    Apr 17 13:19:37	barnyard2[82555]: ARP: 0 (0.000%)
    Apr 17 13:19:37	barnyard2[82555]: EAPOL: 0 (0.000%)
    Apr 17 13:19:37	barnyard2[82555]: ETHLOOP: 0 (0.000%)
    Apr 17 13:19:37	barnyard2[82555]: IPX: 0 (0.000%)
    Apr 17 13:19:37	barnyard2[82555]: IPv4/IPv4: 0 (0.000%)
    Apr 17 13:19:37	barnyard2[82555]: IPv4/IPv6: 0 (0.000%)
    Apr 17 13:19:37	barnyard2[82555]: IPv6/IPv4: 0 (0.000%)
    Apr 17 13:19:37	barnyard2[82555]: IPv6/IPv6: 0 (0.000%)
    Apr 17 13:19:37	barnyard2[82555]: GRE: 0 (0.000%)
    Apr 17 13:19:37	barnyard2[82555]: GRE ETH: 0 (0.000%)
    Apr 17 13:19:37	barnyard2[82555]: GRE VLAN: 0 (0.000%)
    Apr 17 13:19:37	barnyard2[82555]: GRE IPv4: 0 (0.000%)
    Apr 17 13:19:37	barnyard2[82555]: GRE IPv6: 0 (0.000%)
    Apr 17 13:19:37	barnyard2[82555]: GRE IP6 E: 0 (0.000%)
    Apr 17 13:19:37	barnyard2[82555]: GRE PPTP: 0 (0.000%)
    Apr 17 13:19:37	barnyard2[82555]: GRE ARP: 0 (0.000%)
    Apr 17 13:19:37	barnyard2[82555]: GRE IPX: 0 (0.000%)
    Apr 17 13:19:37	barnyard2[82555]: GRE LOOP: 0 (0.000%)
    Apr 17 13:19:37	barnyard2[82555]: MPLS: 0 (0.000%)
    Apr 17 13:19:37	barnyard2[82555]: OTHER: 0 (0.000%)
    Apr 17 13:19:37	barnyard2[82555]: DISCARD: 0 (0.000%)
    Apr 17 13:19:37	barnyard2[82555]: InvChkSum: 0 (0.000%)
    Apr 17 13:19:37	barnyard2[82555]: S5 G 1: 0 (0.000%)
    Apr 17 13:19:37	barnyard2[82555]: S5 G 2: 0 (0.000%)
    Apr 17 13:19:37	barnyard2[82555]: Total: 0
    Apr 17 13:19:37	barnyard2[82555]: ===============================================================================
    

    Can you help me with it?

    EDIT: Apparently Barnyard2 doesn't even get to the database login.



  • @Azgarech:

    You may need to enable the viewing of more log entries. The snippet you posted is Barnyard2 shutting down. If you display more log entries, you may see the error thrown by Barnyard2. My guess is that the database login is failing or it is not finding the specified host. Many users, including me, are using the Barnyard2 feature to feed Snorby and it works.

    Bill
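The shutdown summary in the post is easy to mistake for the failure itself. The following added example (not code from the thread, pfSense or Barnyard2) sorts barnyard2 syslog lines into the exit statistics block and the lines that actually explain a stop; the error line it uses is constructed, and the `database: mysql_error:` wording is an assumption.

```python
# Added example: triage barnyard2 syslog lines from a pfSense system log,
# separating the exit statistics block from the lines that explain the stop.
import re
# pfSense syslog prefix: "Apr 17 13:19:37<tab>barnyard2[82555]: <message>"
LINE_RE = re.compile(r"^(\w{3}\s+\d+\s+[\d:]+)\s+barnyard2\[(\d+)\]:\s*(.*)$")
# Lines of the exit statistics block: separators, header, "NAME: n (p%)" counters.
STATS_RE = re.compile(r"^(=+|Packet breakdown by protocol.*|Total:\s*\d+|"
                      r"[A-Za-z0-9 /\-]+:\s*\d+\s*\(\d+\.\d+%\))$")
# Lines that explain why barnyard2 stopped (output plugin / database failures).
ERROR_RE = re.compile(r"FATAL|ERROR|mysql|database|denied|connect", re.I)
# Summary-only excerpt as posted in the thread (every counter is zero).
SUMMARY_ONLY = """Apr 17 13:19:37\tbarnyard2[82555]: Suppressed: 0 (0.000%)
Apr 17 13:19:37\tbarnyard2[82555]: ===============================
Apr 17 13:19:37\tbarnyard2[82555]: Packet breakdown by protocol (includes rebuilt packets):
Apr 17 13:19:37\tbarnyard2[82555]: ETH: 0 (0.000%)
Apr 17 13:19:37\tbarnyard2[82555]: GRE IP6 E: 0 (0.000%)
Apr 17 13:19:37\tbarnyard2[82555]: Total: 0
Apr 17 13:19:37\tbarnyard2[82555]: ==============================="""
# Constructed: the same summary preceded by a hypothetical database error line.
WITH_ERROR = ("Apr 17 13:19:36\tbarnyard2[82555]: database: mysql_error: "
              "Access denied for user 'snorby'@'db.example' (hypothetical)\n"
              + SUMMARY_ONLY)

def triage(text):
    """Sort barnyard2 messages into errors / stats / other; keep the Total count."""
    out = {"errors": [], "stats": [], "other": [], "total": None}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a barnyard2 entry
        msg = m.group(3)
        if STATS_RE.match(msg):
            out["stats"].append(msg)
            if msg.startswith("Total:"):
                out["total"] = int(msg.split(":")[1])
        elif ERROR_RE.search(msg):
            out["errors"].append(msg)
        else:
            out["other"].append(msg)
    return out

def diagnosis(text):
    """One-line verdict for an operator reading the log excerpt."""
    r = triage(text)
    if r["errors"]:
        return "error before shutdown: " + r["errors"][0]
    if r["stats"] and not r["other"]:
        return ("only the exit summary is visible (Total: %s); show more log "
                "entries to find the error that preceded it" % r["total"])
    return "no barnyard2 shutdown or error lines found"
```

Running `diagnosis()` on the thread's excerpt returns the "only the exit summary is visible" verdict, which is exactly the situation Bill describes: the cause is in earlier entries that the log view did not show.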

