barnyard2 icon indicating copy to clipboard operation
barnyard2 copied to clipboard

Published 20 hours ago verified publisher icon firnsy

Barnyard requires sid-msg-map to name the variables

Open purefan opened this issue 9 years ago • 2 comments

After posting here I decided to open an issue hoping to get more attention.

Background Info

  • OS: Ubuntu Server, Trusty 64 bit
  • Following the installation guide from snort
  • Installation of both Snort and Barnyard2 went smoothly without any errors

What I have done

  • Created a test rules file to alert on ICMP requests
  • Checked permissions and ownership of /var/log/snort and everything in it, tried several combinations (especially with permissions) and none of it helped. The current values for ownerships are snort:snort

What happens

  • Snort triggers the alert when doing a ping request and the /var/log/snort.u2 file is populated (this is good)
  • Running Barnyard2 throws these warnings:
$ sudo barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort -f /var/log/snort/snort.u2.1454679345 -w /var/log/snort/barnyard2.waldo

WARNING: invalid Reference spec '001'. Ignored
WARNING: invalid Reference spec 'icmp-event'. Ignored
WARNING: invalid Reference spec '0'. Ignored
WARNING: invalid Reference spec 'ICMP Test detected'. Ignored

1 || 10000001 || 001 || icmp-event || 0 || ICMP Test detected || url,tools.ietf.org/html/rfc792

How I "fixed" it

After reading a post by beenph I was able to come up with this solution. Basically the sid-msg.map file needs to have the "names" of the variables, something like this: varname,value || varname,value.

This works for me in terms of Barnyard2 not throwing those warnings anymore:

gid,1 || sid,10000001 || ref,001 || classification,icmp-event || priority,0 || msg,ICMP Test detected || url,tools.ietf.org/html/rfc792

But this is not a real solution because pulledpork does not add those varnames, and when using snort for anything serious it becomes impractical to keep the sid-msg.map up to date

purefan avatar Feb 10 '16 11:02 purefan

I am having the same problem. Did you ever find a solution?

Even when I put the labels I still get an error from mysql. Its not the write error and the logs/alerts are going into the DB. I have only seen it when stopping barnyard2, so maybe its just telling me i disconnected? Odd disconnect message from mysql.

2016-12-08T05:15:53.392026Z 75 [Note] Aborted connection 75 to db: 'database' user: 'mysqluser' host: 'localhost' (Got an error reading communication packets)

/usr/local/bin/barnyard2 -V ______ -> Barnyard2 <- / ,,_ \ Version 2.1.14 (Build 337)

stoggy875 avatar Dec 08 '16 05:12 stoggy875

Hi, I have two big problems when i configure my IDS. I used snort IDS, barnyard2 with BASE. I don't undestand why when i add a new rule in sid-msg-map and i see the new rule in BASE. BASE show me the alert somethink linke alert[1:10002:]; i can't solve this problem.

Simon1207 avatar Mar 01 '17 05:03 Simon1207