Barnyard2 / snort merged.log file misconfig

5 posts in this topic

Hello WinIDS community,

Went through the  Installing a slave client logging events to a remote MySQL Database tutorial. My remote WinIDS is running on server 2008 R2 and I have verified connectivity to Ubuntu server MySQL running 5.7.16 listening on port 3306. My hope is to use Snorby frontend running on the ubuntu 16.04 to read the mysql after Barnyard2 dumps the pcaps from snort into the DB.

I run the snort validation cmd: c:\IDS\Snort\bin\snort -c c:\IDS\Snort\etc\snort.conf -l c:\IDS\snort\log -i1 -T

Output says it can't find the whitelist / blacklist entries Reputation Preprocessor disabled.

312 out of 1024 flowbits in use. 

Snort successfully validated the configuration!

Snort Exiting.

Snort is running as a service (delayed auto-start)

Next applied the Reg file "auto-remote-barnyard2.reg" no files have been installed to the c:\IDS\Snort\log directory

Run as administrator - "c:\IDS\activators\by2-test.bat"

Warning invalid reference spec 'url,'. Ignored x9

INFO database: Defaulting Reconnect sleep time to 5 second..... (3 mins later)

Unable to open waldo file C:\IDS\Snort\log\barnyard.waldo (no such file or directory)

Waiting for new spool file.......(& waiting & waiting....)

Process terminated by user because he screwed up somewhere.

I'm assuming I have been careful about keeping the path reference changes adjusted for the modder.vbs and the Reg file 

my SQL DB has a slightly different config: grant all on snorby.* to 'snorby'@''IDENTIFIED BY '**************';

MySQL config has bind-address set to Master IDS server IP. Both master and slave have 1 NIC each.

Based on a configuration I saw from a linux tutorial for running Snort I disabled the TCP Large Receive Offload on the Remote NIC.

I really hope this doesn't matter, but they are EC2 instances on Amazon AWS.

Not sure what to try next except throw away the VMs and start again.

Any thoughts to help get me in the right direction would be awesome. Thanks & take care.



Share this post

Link to post
Share on other sites

Down to the waiting is normal. If there would have been a misconfiguration of the database authentication a fatal error would have been thrown and Barnyard would crash.

No Waldo file is normal on a fresh install, and will be created after Snort detects the first event.

It appears the problem is that Snort is not detecting any events.

Make SURE Snort is running, Check in Task manager.

Make SURE you have the correct HOME_NET applied in the snort.conf.  

Make SURE Snort is attached to the correct interface

Make SURE Snort is plugged into a HUB, TAP, or managed switch allowing Snort to see ALL the traffic.

To test the rules and create events you can do this:

Install Notepad ++

I'm assuming Snort has been setup per the tutorial.

Copy the rules folder to your desktop

Rename your original rules folder to rules-org

Go into the desktop/rules folder and MOVE the deleted.rules to the desktop

Go into the desktop/rules folder, select ALL the files, right-click one of the files and select 'Edit with Notepad ++', and this will load ALL the files into Notpad ++ for editing.

Once all the files are loaded into Notepad ++ preform a Find, select the Replace tab, in the Find what dialog box type '# alert' (less the outside quote), in the Replace with dialog box type 'alert' (less the outside quotes), left-click the Replace all in Opened Documents button allowing the changes to all the .rules files.

Once the replace has happened left-click the X in the upper right. A requestor will ask to save each of the files before closing, so make sure you select Yes for all files.

Move the deleted.rules back to the desktop/rules folder.

Copy the desktop/rules folder back to the snort folder.

Snort will need to be cycled in order for Snort to activate the rules. Open a command window and navigate to the snort/bin folder and type 'net stop snort && net start snort' (less the outside quotes).

If Snort is on the correct network and monitoring the correct interface it shouldn't take very long to start seeing traffic in the barnyard2 terminal window. If you are not seeing any, try rebooting.

Make SURE you deactivate the new rules folder by renaming it to rules.all and the snort/rules.org folder back to rules. A reboot or snort recycle will be needed or in a few hours there will be millions of useless events in the database.

Share this post

Link to post
Share on other sites

Thank you for the steps you provided and your quick response to this issue. I'll be sure to work through these steps, however, I think I may found a flaw in my setup. I'm hoping you can confirm. In the setup I have mentioned, the MySQL database, snort, has been created and permissions have been assigned correctly to the remote sensor, but I have not applied a schema or run tables as per your MySQL server install tutorials - of course your tutorials are windows based and I'm working on a linux ubuntu 16.04 system. Can this explain the behaviour?

Thanks in advance


Share this post

Link to post
Share on other sites

I'm not sure I understand. It appears the connection has been made to the remote database. I'm assuming since Barnyard2 is setting at 'Waiting for data' because there have been no events sent to the remote database, that needs to happen next, and then finally verifying in Snorby the event has been logged.

You will need to include the database schema on the remote sensor, and I believe the only schema needed is \barnyard2\schemas\create_mysql'. Snorby should give you the correct procedure. The only thing that matters between the two platforms are:

  1. Database name
  2. Connection
  3. Authentication

As long as those match and the database has been setup per Snorby, all should be good.

If you don't have the schema setup on the remote sensor, as soon as Snort detects an event, Snort will log the event, and then Barnyard2 will crash trying to shuttle the event to the remote database.

Share this post

Link to post
Share on other sites

I was able to wget the latest barnyard2 tar.gz from github on my ubuntu box from there I made the necessary mysql database schema updates. After that I went back to remote snort/barnyard2 instance and everything worked like a charm. One recommendation - add a pause line to the end of the by2-test.bat so the cmd window doesn't disappear when it finally runs successfully. Thanks a bunch. now I hope the process I've created to get snorby up and running doesn't break the WinIDS config.

Thanks again and have a great holiday!


Share this post

Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now