trinity

Waiting for New Data after configuring PulledPork Setup

Hi,

Please help!! After following the PulledPork configuration steps, I have not been able to get any data into the database. In my Barnyard window it just says "Waiting for New Data". I have gone through several suggestions as to why this is the case but no resolution. I have added in the test.rules to the snort.conf files and have seen data coming in. I have also installed Wireshark on the box and have verified that the monitor port is seeing the data. My network administrator has verified that the mirrored port is set up correctly. I just cannot get it to be written to the database. Any help is greatly appreciated. Thank you.


The "Waiting for new data." message is normal for Barnyard2.

I'm assuming that events were being logged prior to installing PulledPork. I'm also assuming that you allowed the PulledPork process to complete, which could take from 30-60 minutes. If you are unsure, delete ALL the files in the pulledporktemp folder and try the process again.

Note: The rules are monitored, and there is a 15 minute delay between rules downloads. If the rule download starts, and then exits 30 seconds later (for whatever reason), there is a 15 minute wait.

Make SURE Snort and Barnyard2 are running processes.

When the Windows Intrusion Detection System (WinIDS) was initially set up, there were more active rules being run, so you may not see the same level of activity after PulledPork gets installed.

When PulledPork is set up there are three levels of monitoring. The 'Security' level is the highest level, and will trigger more events than the other two levels of monitoring. PulledPork activates a basic set of rules based on what the developer has deemed a sufficient place to start monitoring, based on the level of monitoring selected.

You can change this rule monitoring level at any time in the pulledpork.conf, but you will need to run pulledpork after making the change. PulledPork has a lot of configuration options. Reading the documentation, and joining the PulledPork users group is a must.

The events that were seen while the test rules were activated should have been displayed in the open Barnyard2 terminal window. Were they?

They should also be visible in the Windows Intrusion Detection System (WinIDS) security console. Were they?

Note: It's possible there are no events being triggered based on improper configuration, even though the Windows Intrusion Detection System (WinIDS) is operating properly.

  • HOME_NET set incorrectly
  • Windows Intrusion Detection System plugged into a switch that is not mirroring
  • Selecting the wrong monitoring interface
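As an added illustration (not code from the thread, from WinIDS, or from PulledPork), here is a small Python checker for the configuration causes the reply lists above: it parses a snort.conf excerpt for HOME_NET and checks that it actually covers the hosts you intend to protect, reads the monitoring level from pulledpork.conf (the `ips_policy` key, which is where PulledPork takes the connectivity/balanced/security choice), and counts enabled rules in the rules file so that an empty or half-downloaded rule set is visible. The config excerpts and the `192.168.10.0/24` addresses are constructed sample data, and the function names and the list of accepted policy names are my assumptions; adjust the latter to the policies your PulledPork version accepts. The switch-mirroring and wrong-interface causes need a live capture (Wireshark on the monitor port, as the original poster did) and are not covered here.

```python
import ipaddress
import re

# Constructed sample config fragments (not taken from the thread).
SNORT_CONF = """\
# snort.conf excerpt
ipvar HOME_NET [192.168.10.0/24,10.0.0.0/8]
ipvar EXTERNAL_NET !$HOME_NET
config interface: 1
include $RULE_PATH/snort.rules
"""

PULLEDPORK_CONF = """\
# pulledpork.conf excerpt
rule_path=C:\\Snort\\rules\\snort.rules
ips_policy=security
"""

SNORT_RULES = """\
# snort.rules excerpt
alert icmp any any -> $HOME_NET any (msg:"ICMP test"; sid:1000001; rev:1;)
# alert tcp any any -> $HOME_NET 22 (msg:"disabled"; sid:1000002; rev:1;)
"""

# Assumed set of monitoring levels; extend it if your PulledPork accepts more.
VALID_POLICIES = {"connectivity", "balanced", "security"}


def parse_snort_vars(conf):
    """Return a dict mapping var/ipvar/portvar names to their raw values."""
    out = {}
    for line in conf.splitlines():
        m = re.match(r"\s*(?:ipvar|portvar|var)\s+(\w+)\s+(\S+)", line)
        if m:
            out[m.group(1)] = m.group(2)
    return out


def parse_pulledpork(conf):
    """Return key=value pairs from a pulledpork.conf, ignoring comments."""
    out = {}
    for line in conf.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        out[key.strip()] = value.strip()
    return out


def home_net_networks(value):
    """Expand a HOME_NET value like '[10.0.0.0/8,192.168.1.0/24]' into networks.
    Negated entries (!x) are skipped; 'any' yields an empty list."""
    if value.lower() == "any":
        return []
    nets = []
    for item in value.strip("[]").split(","):
        item = item.strip()
        if not item or item.startswith("!"):
            continue
        nets.append(ipaddress.ip_network(item, strict=False))
    return nets


def count_enabled_rules(rules):
    """Count rule lines that are active, i.e. not commented out."""
    return sum(1 for l in rules.splitlines()
               if re.match(r"\s*(alert|log|pass|drop|reject|sdrop)\s", l))


def audit(snort_conf, pulledpork_conf, rules, protected_ip):
    """Return a list of findings that can explain why no events reach Barnyard2."""
    findings = []
    home_net = parse_snort_vars(snort_conf).get("HOME_NET")
    if home_net is None:
        findings.append("HOME_NET is not defined in snort.conf")
    elif home_net.lower() == "any":
        # With EXTERNAL_NET defined as !$HOME_NET, 'any' leaves EXTERNAL_NET empty.
        findings.append("HOME_NET is 'any'; rules matching on $EXTERNAL_NET cannot fire")
    else:
        addr = ipaddress.ip_address(protected_ip)
        if not any(addr in n for n in home_net_networks(home_net)):
            findings.append(f"HOME_NET {home_net} does not cover protected host {protected_ip}")
    policy = parse_pulledpork(pulledpork_conf).get("ips_policy")
    if policy not in VALID_POLICIES:
        findings.append(f"ips_policy {policy!r} is not one of {sorted(VALID_POLICIES)}")
    if count_enabled_rules(rules) == 0:
        findings.append("rule file has no enabled rules; PulledPork may not have completed")
    return findings


if __name__ == "__main__":
    for finding in audit(SNORT_CONF, PULLEDPORK_CONF, SNORT_RULES, "192.168.10.5") or ["no findings"]:
        print(finding)
```

Run it against your real snort.conf, pulledpork.conf and the rule file that pulledpork.conf points to, passing the address of a host that should be generating alerts; an empty result means the three configuration causes above are ruled out and the remaining suspects are the interface selection and the mirror port.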

