  1. #1

    MySQL and Barnyard with snort.

    I am trying to install Snort using the "Snort on Debian 6.0.6 by Jason Weir", which can be found in the docs site of the Snort site. I don't have the appropriate permissions to post links or images due to my low post count.

    I am using Oracle VirtualBox 4.1.18 as the virtual platform and the distro I'm using is the "debian 6.0.5 netinstall". I realise the guide is for a later version of my distro, however I don't believe this to be the issue due to everything else working as it should.

    I have snort working, as it can capture packets and print them to the screen. Also when I use BASE I can see that it is capturing packets correctly and writing them to the database. However when I attempt to do this part of the guide...

    "Now start snort and barnyard with these commands:
    # /usr/local/bin/snort -q -u snort -g snort -c /etc/snort/snort.conf -i eth0 &

    # /usr/local/bin/barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort -f snort.log -w /etc/snort/bylog.waldo /etc/snort/ /etc/snort/ -C /etc/snort/classification.config &

    Again ping the management IP address from another machine

    This command shows that barnyard is correctly inserting events into the database:
    # mysql -uroot -p -D snort -e "select count(*) fromevent" # enter password again "

    The only result I see is a table "fromevents" with the figure one; this is the same result regardless of how many attempts were carried out.

    From BASE it is clear to see that the log is being written into somewhere. The value of the "total number of alerts" increments after each time I attempt this.

    I have a suspicion it is to do with the name of the table but can't see any issue. I had a look at the "/etc/snort/barnyard2.conf" file but the database name is the same. I currently have the following line at the bottom of the file "output database: log, mysql, user=snort password=secret dbname=snort host=localhost"

    Not really sure what else I can do to attempt to rectify this issue, I am not even sure what the implications of this issue are. Please help.


  2. #2

    can you post the link by just substituting hxxp for http in the beginning of the link?

    is the below part of the commands you wrote a typo?

    # mysql -uroot -p -D snort -e "select count(*) fromevent" # enter password again "
    b/c there should be a space in b/t from and event, i think, e.g.:

    mysql -u root -p -D snort -e "select count(*) from event"
    if that doesn't work, just try getting into the MySQL shell, e.g.:
    mysql -u root -p
    then list databases:
    SHOW DATABASES;
    you should see the db named "snort", I guess.

    then you change to the snort table:
    USE snort;
    and list tables:
    SHOW TABLES;
    tell us what you can and can't do from above, and show output where necessary.

    NOTE: in the above mysql commands, the case is insensitive, it is just there to clarify that they are mysql commands and not shell commands. you do need to punctuate commands with a semi-colon (usually).

  3. #3
    Thanks for your time mate.

    Link to the guide...

    Screenshot of 'use snort;' > 'show tables'

    This bit is a typo in the guide, (# mysql -uroot -p -D snort -e "select count(*) fromevent" # enter password again ") when executing I put the space in.

    This is base prior to executing;
    # /usr/local/bin/snort -q -u snort -g snort -c /etc/snort/snort.conf -i eth0 &
    # /usr/local/bin/barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort -f snort.log -w /etc/snort/bylog.waldo -G /etc/snort/ -S /etc/snort/ -C /etc/snort/classification.config &

    and after the command is executed.

    And this is when executing the command;
    mysql -uroot -p -D snort -e "select count(*) fromevent"

  5. #4
    i see a table named "event" in your list of tables, so i think you definitely need a space after "from" and before "event", like this:
    mysql -uroot -p -D snort -e "select count(*) from event"
    is this what you have done?

    btw, that query will just show the number of records in the table. if you want to see the actual data, try this:

    mysql -uroot -p -D snort -e "select * from event"
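The checks in #2 and #4 above boil down to a handful of queries against the snort database. The script below is an added example, not part of the thread or of Jason Weir's guide, and it assumes the standard Snort/Barnyard2 MySQL schema (tables sensor, event, signature, iphdr and icmphdr, with IP addresses stored as unsigned integers). It also shows why the typo in the guide returns "1": MySQL reads `select count(*) fromevent` as `SELECT COUNT(*) AS fromevent` with no FROM clause, which always yields a single row containing 1, so that query says nothing about the event table at all.

```sql
-- Added example: verify that barnyard2 is inserting Snort alerts into MySQL.
-- Assumes the standard Snort schema created by barnyard2's create_mysql script.
-- Run with:  mysql -u root -p -D snort < snort_check.sql

-- 1. Confirm the table really is called "event". Note that the guide's
--    "select count(*) fromevent" has no FROM clause: MySQL treats "fromevent"
--    as a column alias and returns one row with the value 1 every time.
SHOW TABLES LIKE 'event';

-- 2. Total number of events. Run this before and after pinging the sensor;
--    the number must grow if barnyard2 is writing to this database.
SELECT COUNT(*) AS events FROM event;

-- 3. Events per sensor next to the last cid barnyard2 recorded for it.
--    If this count stays flat while BASE's alert counter keeps rising,
--    barnyard2 is logging to some other database or host than the one
--    you are querying (check dbname= and host= in barnyard2.conf).
SELECT s.sid, s.hostname, s.interface, s.last_cid, COUNT(e.cid) AS events
FROM sensor s
LEFT JOIN event e ON e.sid = s.sid
GROUP BY s.sid, s.hostname, s.interface, s.last_cid;

-- 4. The ten newest alerts in readable form: rule name, source and
--    destination address (INET_NTOA converts the stored integers), and
--    ICMP type/code, which is what the ping test should produce.
SELECT e.sid, e.cid, e.timestamp, sg.sig_name,
       INET_NTOA(ip.ip_src) AS src, INET_NTOA(ip.ip_dst) AS dst,
       ip.ip_proto, ic.icmp_type, ic.icmp_code
FROM event e
JOIN signature sg ON sg.sig_id = e.signature
LEFT JOIN iphdr   ip ON ip.sid = e.sid AND ip.cid = e.cid
LEFT JOIN icmphdr ic ON ic.sid = e.sid AND ic.cid = e.cid
ORDER BY e.timestamp DESC, e.cid DESC
LIMIT 10;

-- 5. Which rules have fired and how often, by generator/SID/revision.
SELECT sg.sig_name, sg.sig_gid, sg.sig_sid, sg.sig_rev, COUNT(*) AS hits
FROM event e
JOIN signature sg ON sg.sig_id = e.signature
GROUP BY sg.sig_id, sg.sig_name, sg.sig_gid, sg.sig_sid, sg.sig_rev
ORDER BY hits DESC;
```

Query 3 is the one that settles the original question: BASE and this script read the same event table, so if BASE's "total number of alerts" climbs but the per-sensor count here does not, you are connected to a different database than barnyard2 is writing to.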

  6. #5
    Got it all working, thanks ever so much.

    Just need to figure out how to compare it with suricata now, the joys. Thanks again, I really appreciate your time.

  7. #6
    np, happy to help. i'll go ahead and mark this as Solved for you. Note that you can do this yourself at any time using the Thread Tools link at the top of the page.
