[Oisf-users] Suri-GUI

Will Metcalf william.metcalf at gmail.com
Mon Jul 12 14:47:55 UTC 2010


You need to point barnyard at unified2 logs instead of unified1 logs. So if
you are using the default config you need to change your barnyard cli to
be:


barnyard2 -c /etc/suricata/barnyard2.conf -d /var/log/suricata/ -f unified2.alert

Regards,

Will
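
The "Unknown record type read: 2148576734" in the quoted reply is what barnyard2 prints when it parses a unified1 file as unified2: it reads every record as an 8-byte big-endian (type, length) header, and the unified1 LOG_MAGIC 0xDEAD1080, written in little-endian host order, reads back as 0x8010ADDE = 2148576734. The following is an added example, not code from the thread or from barnyard2 itself; it classifies a spool file by that header and uses constructed sample bytes rather than real Suricata output.

```python
import struct

# Record types from Snort's Unified2_common.h.
UNIFIED2_TYPES = {1: "EVENT", 2: "PACKET", 7: "IDS_EVENT", 72: "IDS_EVENT_IPV6",
                  99: "IDS_EVENT_MPLS", 100: "IDS_EVENT_IPV6_MPLS",
                  104: "IDS_EVENT_VLAN", 105: "IDS_EVENT_IPV6_VLAN",
                  110: "EXTRA_DATA"}
# unified1 file magics (LOG_MAGIC / ALERT_MAGIC) are stored in host byte order
# (little-endian on x86); key them by the value barnyard2 gets when it reads
# those same four bytes as a big-endian unified2 record type.
UNIFIED1_MAGIC_BE = {
    struct.unpack(">I", struct.pack("<I", 0xDEAD1080))[0]: "unified1 log",
    struct.unpack(">I", struct.pack("<I", 0xDEAD4137))[0]: "unified1 alert",
}


def classify(data: bytes):
    """Return (kind, detail): kind is 'unified2', 'unified1' or 'unknown'."""
    if len(data) < 8:
        return "unknown", "shorter than one record header"
    rtype, _ = struct.unpack(">II", data[:8])
    if rtype in UNIFIED1_MAGIC_BE:
        return "unified1", (f"{UNIFIED1_MAGIC_BE[rtype]}; barnyard2 would report "
                            f"'Unknown record type read: {rtype}'")
    # Walk the whole record chain so a corrupt or truncated file is caught too.
    names, off = [], 0
    while off + 8 <= len(data):
        rtype, rlen = struct.unpack(">II", data[off:off + 8])
        if rtype not in UNIFIED2_TYPES or off + 8 + rlen > len(data):
            return "unknown", f"bad record at offset {off}: type {rtype}, length {rlen}"
        names.append(UNIFIED2_TYPES[rtype])
        off += 8 + rlen
    return "unified2", ",".join(names)


# Constructed samples (not real Suricata output): one unified2 IDS_EVENT record
# with a zeroed 52-byte body, and the first 16 bytes of a unified1 log file.
SAMPLE_UNIFIED2 = struct.pack(">II", 7, 52) + bytes(52)
SAMPLE_UNIFIED1 = struct.pack("<I", 0xDEAD1080) + bytes(12)

if __name__ == "__main__":
    for name, blob in (("unified2.alert", SAMPLE_UNIFIED2), ("unified.log", SAMPLE_UNIFIED1)):
        print(f"{name}: {classify(blob)}")
```

Running it against a real spool directory means reading each file's bytes and passing them to classify(); a "unified1" result is the same mismatch barnyard2 complains about.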

On Mon, Jul 12, 2010 at 9:31 AM, Anas.B <a.bouhsaina at gmail.com> wrote:

> Thank youuu
> there's progress [?]
>
> but still a Fatal Error,
>
>
>        --== Initializing Barnyard2 ==--
> Initializing Input Plugins!
> Initializing Output Plugins!
> Parsing config file "/etc/suricata/barnyard2.conf"
> Log directory = /var/log/barnyard2
> database: compiled support for (mysql)
> database: configured to use mysql
> database: schema version = 107
> database:           host = localhost
> database:           user = root
> database:  database name = snort
> database:    sensor name = localhost:eth0
> database:      sensor id = 1
> database:  data encoding = hex
> database:   detail level = full
> database:     ignore_bpf = no
> database: using the "alert" facility
>
>         --== Initialization Complete ==--
>
>   ______   -*> Barnyard2 <*-
>  / ,,_  \  Version 2.1.8 (Build 251)
>  |o"  )~|  By the SecurixLive.com Team:
> http://www.securixlive.com/about.php
>  + '''' +  (C) Copyright 2008-2010 SecurixLive.
>
>            Snort by Martin Roesch & The Snort Team:
> http://www.snort.org/team.html
>            (C) Copyright 1998-2007 Sourcefire Inc., et al.
>
> Opened spool file '/var/log/suricata//unified.log.1275900067'
> ERROR: Unknown record type read: 2148576734
> Fatal Error, Quitting..
>
> this is the command that I set
>
> # barnyard2 -c /etc/suricata/barnyard2.conf -d /var/log/suricata/ -f unified.log
>
>
>
>
>
>> Selon "Anas.B" <a.bouhsaina at gmail.com>:
>>
>> > Yes, I have just repeated the operation.
>> >
>> > That's what I did
>> >
>> > and
>> >
>> > root at ubuntu:/usr/local/barnyard2-1.8# make
>> > I had errors like these:
>> > make[2]: Entering directory `/usr/local/barnyard2-1.8/etc'
>> > make[2]: Nothing to be done for `all'.
>> > make[2]: Leaving directory `/usr/local/barnyard2-1.8/etc'
>> > Making all in doc
>> > make[2]: Entering directory `/usr/local/barnyard2-1.8/doc'
>> > make[2]: Nothing to be done for `all'.
>> > make[2]: Leaving directory `/usr/local/barnyard2-1.8/doc'
>> > Making all in rpm
>> > make[2]: Entering directory `/usr/local/barnyard2-1.8/rpm'
>> > make[2]: Nothing to be done for `all'.
>> > make[2]: Leaving directory `/usr/local/barnyard2-1.8/rpm'
>> > Making all in schemas
>> > make[2]: Entering directory `/usr/local/barnyard2-1.8/schemas'
>> > make[2]: Nothing to be done for `all'.
>> > make[2]: Leaving directory `/usr/local/barnyard2-1.8/schemas'
>> > Making all in m4
>> > make[2]: Entering directory `/usr/local/barnyard2-1.8/m4'
>> > make[2]: Nothing to be done for `all'.
>> > make[2]: Leaving directory `/usr/local/barnyard2-1.8/m4'
>> > make[2]: Entering directory `/usr/local/barnyard2-1.8'
>> > make[2]: Leaving directory `/usr/local/barnyard2-1.8'
>> > make[1]: Leaving directory `/usr/local/barnyard2-1.8'
>> >
>> >
>> > and # make install
>> >
>> > I had errors like these:
>> >
>> > Making install in schemas
>> > make[1]: Entering directory `/usr/local/barnyard2-1.8/schemas'
>> > make[2]: Entering directory `/usr/local/barnyard2-1.8/schemas'
>> > make[2]: Nothing to be done for `install-exec-am'.
>> > make[2]: Nothing to be done for `install-data-am'.
>> > make[2]: Leaving directory `/usr/local/barnyard2-1.8/schemas'
>> > make[1]: Leaving directory `/usr/local/barnyard2-1.8/schemas'
>> > Making install in m4
>> > make[1]: Entering directory `/usr/local/barnyard2-1.8/m4'
>> > make[2]: Entering directory `/usr/local/barnyard2-1.8/m4'
>> > make[2]: Nothing to be done for `install-exec-am'.
>> > make[2]: Nothing to be done for `install-data-am'.
>> > make[2]: Leaving directory `/usr/local/barnyard2-1.8/m4'
>> > make[1]: Leaving directory `/usr/local/barnyard2-1.8/m4'
>> > make[1]: Entering directory `/usr/local/barnyard2-1.8'
>> > make[2]: Entering directory `/usr/local/barnyard2-1.8'
>> > make[2]: Nothing to be done for `install-exec-am'.
>> > make[2]: Nothing to be done for `install-data-am'.
>> > make[2]: Leaving directory `/usr/local/barnyard2-1.8'
>> > make[1]: Leaving directory `/usr/local/barnyard2-1.8'
>> >
>> >
>> >
>> >
>> > 2010/7/12 Brant Wells <bwells at tfc.edu>
>> >
>> > > Did you compile Barnyard2 yourself?
>> > >
>> > > You should make sure to...
>> > >
>> > > ./configure --with-mysql
>> > >
>> > > when you build Barnyard 2...  and make sure that reference.config,
>> > > gen-msg.map and sid-msg.map have all been copied into /etc/suricata!
>> > >
>> > > Let me know what happens!
>> > > ~Brant
>> > >
>> > >
>> > > On Mon, Jul 12, 2010 at 6:11 AM, Anas.B <a.bouhsaina at gmail.com>
>> wrote:
>> > >
>> > >> I have just the database's name as "snort".
>> > >>
>> > >> still this error :
>> > >>
>> > >> --== Initializing Barnyard2 ==--
>> > >> Initializing Input Plugins!
>> > >> Initializing Output Plugins!
>> > >> Parsing config file "/etc/suricata/barnyard2.conf"
>> > >> ERROR: Unable to open Reference file '/etc/suricata/reference.config'
>> (No
>> > >> such file or directory)
>> > >> ERROR: Unable to open Generator file "/etc/suricata/gen-msg.map": No
>> such
>> > >> file or directory
>> > >> ERROR: Unable to open SID file '/etc/suricata/sid-msg.map' (No such
>> file
>> > >> or directory)
>> > >>
>> > >> Log directory = /var/log/barnyard2
>> > >> database: 'mysql' support is not compiled into this build of snort
>> > >>
>> > >> ERROR: If this build of snort was obtained as a binary distribution
>> (e.g.,
>> > >> rpm,
>> > >> or Windows), then check for alternate builds that contains the
>> necessary
>> > >> 'mysql' support.
>> > >>
>> > >> If this build of snort was compiled by you, then re-run the
>> > >> the ./configure script using the '--with-mysql' switch.
>> > >> For non-standard installations of a database, the '--with-mysql=DIR'
>> > >> syntax may need to be used to specify the base directory of the DB
>> > >> install.
>> > >>
>> > >> See the database documentation for cursory details
>> (doc/README.database).
>> > >> and the URL to the most recent database plugin documentation.
>> > >> Fatal Error, Quitting..
>> > >>
>> > >>
>> > >> we don't have these files in Suricata :
>> > >> '/etc/suricata/reference.config' (No such file or directory)
>> > >> ERROR: Unable to open Generator file "/etc/suricata/gen-msg.map": No
>> such
>> > >> file or directory
>> > >> ERROR: Unable to open SID file '/etc/suricata/sid-msg.map'
>> > >> !!!
>> > >>
>> > >>
>> > >>
>> > >>>>
>> > >>>> Selon "Anas.B" <a.bouhsaina at gmail.com>:
>> > >>>>
>> > >>>> > Help me, please!
>> > >>>>
>> > >>>> >
>> > >>>> > 2010/7/9 Anas.B <a.bouhsaina at gmail.com>
>> > >>>> >
>> > >>>> > > Hello,
>> > >>>> > > Back :)
>> > >>>> > >
>> > >>>> > > Compiling Barnyard, I had this Error :
>> > >>>> > >
>> > >>>> > > --== Initializing Barnyard2 ==--
>> > >>>> > > Initializing Input Plugins!
>> > >>>> > > Initializing Output Plugins!
>> > >>>> > > Parsing config file "/etc/suricata/barnyard2.conf"
>> > >>>> > > ERROR: Unable to open Reference file
>> > >>>> '/etc/suricata/reference.config' (No
>> > >>>> > > such file or directory)
>> > >>>> > > ERROR: Unable to open Generator file "/etc/snort/gen-msg.map":
>> No
>> > >>>> such file
>> > >>>> > > or directory
>> > >>>> > > ERROR: Unable to open SID file '/etc/snort/sid-msg.map' (No
>> such
>> > >>>> file or
>> > >>>> > > directory)
>> > >>>> > > Log directory = /var/log/barnyard2
>> > >>>> > > database: 'mysql' support is not compiled into this build of
>> snort
>> > >>>> > >
>> > >>>> > > ERROR: If this build of snort was obtained as a binary
>> distribution
>> > >>>> (e.g.,
>> > >>>> > > rpm,
>> > >>>> > > or Windows), then check for alternate builds that contains the
>> > >>>> necessary
>> > >>>> > > 'mysql' support.
>> > >>>> > >
>> > >>>> > > If this build of snort was compiled by you, then re-run the
>> > >>>> > > the ./configure script using the '--with-mysql' switch.
>> > >>>> > > For non-standard installations of a database, the
>> '--with-mysql=DIR'
>> > >>>> > > syntax may need to be used to specify the base directory of the
>> DB
>> > >>>> install.
>> > >>>> > >
>> > >>>> > > See the database documentation for cursory details
>> > >>>> (doc/README.database).
>> > >>>> > > and the URL to the most recent database plugin documentation.
>> > >>>> > > Fatal Error, Quitting..
>> > >>>> > >
>> > >>>> > >
>> > >>>> > > Remind that in barnyard.conf we have :
>> > >>>> > > # set the appropriate paths to the file(s) your Snort process
>> is
>> > >>>> using.
>> > >>>> > > #
>> > >>>> > > config reference_file:        /etc/suricata/reference.config
>> > >>>> > > config classification_file: /etc/suricata/classification.config
>> > >>>> > > config gen_file:            /etc/snort/gen-msg.map
>> > >>>> > > config sid_file:            /etc/snort/sid-msg.map
>> > >>>> > >
>> > >>>> > > We don't have these files in Suricata! So how should I react?!
>> > >>>> > >
>> > >>>> > > best regards!
>> > >>>> > > A..
>> > >>>> > >
>> > >>>> > >
>> > >>>> > >
>> > >>>> > >
>> > >>>> > > 2010/7/8 Anas.B <a.bouhsaina at gmail.com>
>> > >>>> > >
>> > >>>> > > Ah, I had a doubt about it,
>> > >>>> > >>
>> > >>>> > >> Thank you, I will retry and tell u, results :)
>> > >>>> > >>
>> > >>>> > >>
>> > >>>> > >> Cheers.
>> > >>>> > >>
>> > >>>> > >> Anas
>> > >>>> > >>
>> > >>>> > >> 2010/7/8 Brant Wells <bwells at tfc.edu>
>> > >>>> > >>
>> > >>>> > >> The Barnyard download should have come with an example file in
>> the
>> > >>>> > >>> download....  Inside of the download's folder, there is a
>> > >>>> barnyard.conf
>> > >>>> > file
>> > >>>> > >>> in ./etc  -- I usually copy this to
>> /etc/suricata/barnyard.conf
>> > >>>> and then
>> > >>>> > >>> modify as needed.
>> > >>>> > >>>
>> > >>>> > >>> See Yas!
>> > >>>> > >>> ~Brant
>> > >>>> > >>>
>> > >>>> > >>>
>> > >>>> > >>> On Thu, Jul 8, 2010 at 9:57 AM, Anas.B <
>> a.bouhsaina at gmail.com>
>> > >>>> wrote:
>> > >>>> > >>>
>> > >>>> > >>>> Hi Will,
>> > >>>> > >>>>
>> > >>>> > >>>> I've downloaded barnyard-0.2.0, but I didn't find
>> > >>>> > >>>> "barnyard2.conf"
>> > >>>> > >>>>
>> > >>>> > >>>> in Suricata.yaml,
>> > >>>> > >>>> we have already :
>> > >>>> > >>>>
>> > >>>> > >>>>
>> > >>>> > >>>>   - unified-log:
>> > >>>> > >>>>       enabled: yes
>> > >>>> > >>>>       filename: unified.log
>> > >>>> > >>>>
>> > >>>> > >>>>       # Limit in MB.
>> > >>>> > >>>>       #limit: 32
>> > >>>> > >>>>
>> > >>>> > >>>>
>> > >>>> > >>>>   - unified-alert:
>> > >>>> > >>>>       enabled: yes
>> > >>>> > >>>>       filename: unified.alert
>> > >>>> > >>>>
>> > >>>> > >>>>       # Limit in MB.
>> > >>>> > >>>>       #limit: 32
>> > >>>> > >>>>
>> > >>>> > >>>>   - unified2-alert:
>> > >>>> > >>>>       enabled: yes
>> > >>>> > >>>>
>> > >>>> > >>>>
>> > >>>> > >>>>       filename: unified2.alert
>> > >>>> > >>>>
>> > >>>> > >>>> but how could we link between Suricata log folder and
>> barnyard. ?
>> > >>>> > >>>> help me please.
>> > >>>> > >>>>
>> > >>>> > >>>> Regards.
>> > >>>> > >>>>
>> > >>>> > >>>> Anas
>> > >>>> > >>>>
>> > >>>> > >>>>
>> > >>>> > >>>> 2010/7/8 Will Metcalf <william.metcalf at gmail.com>
>> > >>>> > >>>>
>> > >>>> > >>>> unified1 logs are disabled by default have you enabled them
>> in
>> > >>>> your
>> > >>>> > >>>>> suricata.yaml file?  Also you need to change the -f
>> snort.log to
>> > >>>> be -f
>> > >>>> > >>>>> unified.log. As an FYI, you should look at unified2/barnyard2
>> > >>>> > >>>>> if you are doing a fresh install.
>> > >>>> > >>>>>
>> > >>>> > >>>>>  - unified-log:
>> > >>>> > >>>>>      enabled: yes
>> > >>>> > >>>>>      filename: unified.log
>> > >>>> > >>>>>
>> > >>>> > >>>>>  - unified-alert:
>> > >>>> > >>>>>      enabled: yes
>> > >>>> > >>>>>      filename: unified.alert
>> > >>>> > >>>>>
>> > >>>> > >>>>> Regards,
>> > >>>> > >>>>>
>> > >>>> > >>>>> Will
>> > >>>> > >>>>> On Thu, Jul 8, 2010 at 6:36 AM, Anas.B <
>> a.bouhsaina at gmail.com>
>> > >>>> wrote:
>> > >>>> > >>>>> > Hello everyone,
>> > >>>> > >>>>> >
>> > >>>> > >>>>> > I've installed mysql, created the database with snort schemas (tables),
>> > >>>> > >>>>> > also Barnyard,
>> > >>>> > >>>>> >
>> > >>>> > >>>>> >
>> > >>>> > >>>>> > in barnyard.conf :
>> > >>>> > >>>>> > I've replaced these lines :
>> > >>>> > >>>>> >
>> > >>>> > >>>>> > config hostname: debian
>> > >>>> > >>>>> > config interface: eth0
>> > >>>> > >>>>> > output log_acid_db: mysql, database snort, server
>> localhost,
>> > >>>> user
>> > >>>> > >>>>> root,
>> > >>>> > >>>>> > password mysnortpassword, detail full
>> > >>>> > >>>>> >
>> > >>>> > >>>>> > But to launch Barnyard
>> > >>>> > >>>>> > I changed the command (snort) from this :
>> > >>>> > >>>>> >
>> > >>>> > >>>>> > # /usr/local/bin/barnyard
>> > >>>> > >>>>> > -c /etc/snort/barnyard.conf
>> > >>>> > >>>>> > -g /etc/snort/gen-msg.map
>> > >>>> > >>>>> > -s /etc/snort/sid-msg.map
>> > >>>> > >>>>> > -d /var/log/snort
>> > >>>> > >>>>> > -f snort.log
>> > >>>> > >>>>> > -w /etc/snort/barnyard.waldo &
>> > >>>> > >>>>> >
>> > >>>> > >>>>> > to this
>> > >>>> > >>>>> >
>> > >>>> > >>>>> > # /usr/local/bin/barnyard  -c /etc/suricata/barnyard.conf
>> -d
>> > >>>> > >>>>> > /var/log/suricata &
>> > >>>> > >>>>> >
>> > >>>> > >>>>> > But it doesn't work :s
>> > >>>> > >>>>> >
>> > >>>> > >>>>> > Can u help me,
>> > >>>> > >>>>> >
>> > >>>> > >>>>> > Regards.
>> > >>>> > >>>>> > Anas
>> > >>>> > >>>>> >
>> > >>>> > >>>>> > _______________________________________________
>> > >>>> > >>>>> > Oisf-users mailing list
>> > >>>> > >>>>> > Oisf-users at openinfosecfoundation.org
>> > >>>> > >>>>> >
>> > >>>> http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>> > >>>> > >>>>> >
>> > >>>> > >>>>> >
>> > >>>> > >>>>>
>> > >>>> > >>>>
>> > >>>> > >>>>
>> > >>>> > >>>>
>> > >>>> > >>>>
>> > >>>> > >>>
>> > >>>> > >>
>> > >>>> > >
>> > >>>> >
>> > >>>>
>> > >>>>
>> > >>>>
>> > >>>
>> > >>
>> > >>
>> > >>
>> > >>
>> > >
>> >
>>
>
>
>