IT Team

Hi Morpheus

Just wanted to say a big thank you for your time and effort.

Thanks

Gary

Hi, It seems to be working fine now, I am receiving events in barnyard.

Can you tell me how i can delete all data that has been collected so far that is stored in the snort sql DB. Want to start with a clean DB so i can monitor new events.

Thanks Gary

So just after i posted the above message i got an event in barnyard, but im not sure what it means. See pic

Hi Morpheus

So i reconfigured my mirror port today just to be sure and i think its working fine. (See screen shot) Lots of received packets.

Can you please help me in turning all the rules on and seeing if i get data in barnyard2

Thanks

Gary

HI

Deleted everything in the log folder. 

Home_net is set as such : 

# Setup the network addresses you are protecting
ipvar HOME_NET any
# Set up the external network addresses. Leave as "any" in most situations
ipvar EXTERNAL_NET any

I’m trying to check the config on our Cisco 3750 but I’m sure port mirroring is working ok.

Rebooted snort server and it just sits there waiting for new data.

*** Seeing as it logs traffic when using the test rule does that mean it is capturing data fine, So this tells me that one of the other rules is blocking the data capture ??  

black_list.rules, deleted.rules, experimental.rules, local.rules, white_list.rules, winids.rules

Thanks, Gary

Hi Morpheus

So i spoke to soon, Yesterday i removed the test.rules and restarted snort and barnyard2 both was running and collecting data. Today i went to check on new events and there was none, so logged onto the server and its stopped logging. Same issue as before (Waiting for new data).

So i am guessing that there is an issue with the rule set i am using. Can you take a look at my rules ? or do you think it might be something else.

Thanks

Gary  

Hi Morpheus

Manually triggering the events worked, Snort is now collection data.

Thanks for your help 

Hi Morpheus

Any update on my issue with not collection data.

Thanks Gary

Hi All

So my Barnyard2 cmd is just sitting at a waiting for new data prompt and has been like this all weekend, there is no data being passed to winids console either. Seems to me that barnyard is not receiving any traffic.  

If i run the test commands : d:\winids\snort\bin\snort -v -i1 or i2 both display's traffic and (warning: no preprocessors configured for policy 0).

If i run d:\winids\activators\by2-test config file successfully loads. 

Running 'perl d:\winids\pulledpork\pulledpork.pl -c d:\winids\pulledpork\etc\pulledpork.conf -T completes in about 30 mins no erros

Running d:\winids\snort\bin\snort -c d:\winids\snort\etc\snort.conf -l d:\winids\snort\log -i1 -T (snort validated the config file successfully)

All services are running and started

Does anyone have any ideas what i am missing ?

Thanks

Gary