
barnyard2 not talking to mysql


I have snort installed with the following config

#/etc/snort/snort.conf
ipvar HOME_NET 172.16.0.0/22
ipvar EXTERNAL_NET !$HOME_NET
var RULE_PATH /etc/snort/rules
var SO_RULE_PATH /etc/snort/so_rules
var PREPROC_RULE_PATH /etc/snort/preproc_rules

# If you are using reputation preprocessor set these
var WHITE_LIST_PATH /etc/snort/rules
var BLACK_LIST_PATH /etc/snort/rules

output log_unified2: filename snort.u2, limit 128

I have an icmp rule set up as follows

#/etc/snort/rules/icmp.rules
alert icmp any any -> any any (msg:"ICMP Packet"; sid:477; rev:3;)

I start snort using the following command, which starts fine and is logging, as I see entries in alerts and snort.u2.timestamp

snort -q -u snort -g snort -c /etc/snort/snort.conf -i ens32 -D

My barnyard2 config file

#/etc/snort/barnyard2.conf 
config reference_file:      /etc/snort/reference.config
config classification_file: /etc/snort/classification.config
config gen_file:            /etc/snort/gen-msg.map
config sid_file:            /etc/snort/sid-msg.map
config logdir: /var/log/snort
config hostname:   snort
config interface:  ens32
config daemon
config waldo_file: /var/log/snort/barnyard2.waldo
input unified2
output database: log, mysql, user=root password=support dbname=snorby host=127.0.0.1
# if you want to have to forward alerts also to syslog, uncomment the following 2 lines.
#output alert_syslog_full: sensor_name snortIds1-eth1, local
#output log_syslog_full: sensor_name snortIds1-eth1, local, log_priority LOG_CRIT

I start using the following command

barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort -f snort.u2 -w /var/log/snort/barnyard2.waldo

In the logs I get the following problem, and nothing gets written to mysql.

Sep  1 17:15:22 snort snort[4374]: 
Sep  1 17:15:22 snort snort[4374]: [ Port Based Pattern Matching Memory ]
Sep  1 17:15:22 snort snort[4374]: +- [ Aho-Corasick Summary ] -------------------------------------
Sep  1 17:15:22 snort snort[4374]: | Storage Format    : Full-Q
Sep  1 17:15:22 snort snort[4374]: | Finite Automaton  : DFA
Sep  1 17:15:22 snort snort[4374]: | Alphabet Size     : 256 Chars
Sep  1 17:15:22 snort snort[4374]: | Sizeof State      : Variable (1,2,4 bytes)
Sep  1 17:15:22 snort snort[4374]: | Instances         : 169
Sep  1 17:15:22 snort snort[4374]: |     1 byte states : 159
Sep  1 17:15:22 snort snort[4374]: |     2 byte states : 10
Sep  1 17:15:22 snort snort[4374]: |     4 byte states : 0
Sep  1 17:15:22 snort snort[4374]: | Characters        : 94550
Sep  1 17:15:22 snort snort[4374]: | States            : 72655
Sep  1 17:15:22 snort snort[4374]: | Transitions       : 7856776
Sep  1 17:15:22 snort snort[4374]: | State Density     : 42.2%
Sep  1 17:15:22 snort snort[4374]: | Patterns          : 5205
Sep  1 17:15:22 snort snort[4374]: | Match States      : 5820
Sep  1 17:15:22 snort snort[4374]: | Memory (MB)       : 37.50
Sep  1 17:15:22 snort snort[4374]: |   Patterns        : 0.58
Sep  1 17:15:22 snort snort[4374]: |   Match Lists     : 1.27
Sep  1 17:15:22 snort snort[4374]: |   DFA
Sep  1 17:15:22 snort snort[4374]: |     1 byte states : 0.97
Sep  1 17:15:22 snort snort[4374]: |     2 byte states : 34.39
Sep  1 17:15:22 snort snort[4374]: |     4 byte states : 0.00
Sep  1 17:15:22 snort snort[4374]: +----------------------------------------------------------------
Sep  1 17:15:22 snort snort[4374]: [ Number of patterns truncated to 20 bytes: 319 ]
Sep  1 17:15:22 snort snort[4374]: pcap DAQ configured to passive.
Sep  1 17:15:22 snort snort[4374]: Acquiring network traffic from "ens32".
Sep  1 17:15:22 snort snort[4374]: Initializing daemon mode
Sep  1 17:15:22 snort snort[4375]: Daemon initialized, signaled parent pid: 4374
Sep  1 17:15:22 snort snort[4375]: Reload thread starting...
Sep  1 17:15:22 snort snort[4375]: Reload thread started, thread 0x7f1b35e85700 (4376)
Sep  1 17:15:22 snort snort[4375]: Decoding Ethernet
Sep  1 17:15:22 snort snort[4375]: Checking PID path...
Sep  1 17:15:22 snort snort[4375]: PID path stat checked out ok, PID path set to /var/run/
Sep  1 17:15:22 snort snort[4375]: Writing PID "4375" to file "/var/run//snort_ens32.pid"
Sep  1 17:15:22 snort kernel: device ens32 entered promiscuous mode
Sep  1 17:15:22 snort snort[4375]: Set gid to 40000
Sep  1 17:15:22 snort snort[4375]: Set uid to 40000
Sep  1 17:15:22 snort snort[4375]: 
Sep  1 17:15:22 snort snort[4375]: --== Initialization Complete ==--
Sep  1 17:15:22 snort snort[4375]: Commencing packet processing (pid=4375)
Sep  1 17:15:39 snort barnyard2: +[ Signature Suppress list ]+
----------------------------
Sep  1 17:15:39 snort barnyard2: +[No entry in Signature Suppress List]+
Sep  1 17:15:39 snort barnyard2: ----------------------------
+[ Signature Suppress list ]+
Sep  1 17:15:47 snort barnyard2: Barnyard2 spooler: Event cache size set to [2048]
Sep  1 17:15:47 snort barnyard2: Log directory = /var/log/snort
Sep  1 17:15:47 snort barnyard2: INFO database: Defaulting Reconnect/Transaction Error limit to 10
Sep  1 17:15:47 snort barnyard2: INFO database: Defaulting Reconnect sleep time to 5 second
Sep  1 17:15:47 snort barnyard2: Initializing daemon mode
Sep  1 17:15:47 snort barnyard2: Daemon initialized, signaled parent pid: 4378
Sep  1 17:15:47 snort barnyard2: PID path stat checked out ok, PID path set to /var/run/
Sep  1 17:15:47 snort barnyard2: Writing PID "4379" to file "/var/run//barnyard2_ens32.pid"
Sep  1 17:15:47 snort barnyard2: Daemon parent exiting
Sep  1 17:16:14 snort avahi-daemon[579]: Invalid response packet from host 172.16.0.211.
Sep  1 17:17:15 snort barnyard2: [SignatureReferencePullDataStore()]: No Reference found in database ...
Sep  1 17:17:15 snort barnyard2: database: compiled support for (mysql)
Sep  1 17:17:15 snort barnyard2: database: configured to use mysql
Sep  1 17:17:15 snort barnyard2: database: schema version = 107
Sep  1 17:17:15 snort barnyard2: database:           host = 127.0.0.1
Sep  1 17:17:15 snort barnyard2: database:           user = root
Sep  1 17:17:15 snort barnyard2: database:  database name = snorby
Sep  1 17:17:15 snort barnyard2: database:    sensor name = snort:ens32
Sep  1 17:17:15 snort barnyard2: database:      sensor id = 1
Sep  1 17:17:15 snort barnyard2: database:     sensor cid = 12
Sep  1 17:17:15 snort barnyard2: database:  data encoding = hex
Sep  1 17:17:15 snort barnyard2: database:   detail level = full
Sep  1 17:17:15 snort barnyard2: database:     ignore_bpf = no
Sep  1 17:17:15 snort barnyard2: database: using the "log" facility
Sep  1 17:17:15 snort barnyard2: 
Sep  1 17:17:15 snort barnyard2: --== Initialization Complete ==--
Sep  1 17:17:15 snort barnyard2: Barnyard2 initialization completed successfully (pid=4379)
Sep  1 17:17:15 snort barnyard2: Using waldo file '/var/log/snort/barnyard2.waldo':
    spool directory = /var/log/snort
    spool filebase  = snort.u2
    time_stamp      = 1409587851
    record_idx      = 475
Sep  1 17:17:15 snort barnyard2: Opened spool file '/var/log/snort/snort.u2.1409587851'
Sep  1 17:17:15 snort barnyard2: WARNING database [Database()]: Called with Event[0x0] Event Type [0] (P)acket [0x13f0d00], information has not been outputed.
Sep  1 17:17:15 snort barnyard2: WARNING database [Database()]: Called with Event[0x0] Event Type [0] (P)acket [0x13f0d00], information has not been outputed.
Sep  1 17:17:15 snort barnyard2: WARNING database [Database()]: Called with Event[0x0] Event Type [0] (P)acket [0x13f0d00], information has not been outputed.
Sep  1 17:17:15 snort barnyard2: WARNING database [Database()]: Called with Event[0x0] Event Type [0] (P)acket [0x13f0d00], information has not been outputed.
Sep  1 17:17:15 snort barnyard2: WARNING database [Database()]: Called with Event[0x0] Event Type [0] (P)acket [0x13f0d00], information has not been outputed.
Sep  1 17:17:15 snort barnyard2: WARNING database [Database()]: Called with Event[0x0] Event Type [0] (P)acket [0x13f0d00], information has not been outputed.
Sep  1 17:17:15 snort barnyard2: WARNING database [Database()]: Called with Event[0x0] Event Type [0] (P)acket [0x13f0d00], information has not been outputed.
Sep  1 17:17:15 snort barnyard2: WARNING database [Database()]: Called with Event[0x0] Event Type [0] (P)acket [0x13f0d00], information has not been outputed.
Sep  1 17:17:15 snort barnyard2: WARNING database [Database()]: Called with Event[0x0] Event Type [0] (P)acket [0x13f0d00], information has not been outputed.
Sep  1 17:17:15 snort barnyard2: Closing spool file '/var/log/snort/snort.u2.1409587851'. Read 484 records
Sep  1 17:17:15 snort barnyard2: Opened spool file '/var/log/snort/snort.u2.1409588122'
Sep  1 17:17:15 snort barnyard2: WARNING database [Database()]: Called with Event[0x0] Event Type [0] (P)acket [0x13f0d00], information has not been outputed.
Sep  1 17:17:15 snort barnyard2: WARNING database [Database()]: Called with Event[0x0] Event Type [0] (P)acket [0x13f0d00], information has not been outputed.
Sep  1 17:17:15 snort barnyard2: WARNING database [Database()]: Called with Event[0x0] Event Type [0] (P)acket [0x13f0d00], information has not been outputed.

Solution

  • For barnyard2 to work, your unified2 output file created by snort must contain alert AND PCAP data.

    So, in /etc/snort/snort.conf (or wherever your snort configuration is), you need to specify output unified2: <filename> (I recommend NOT using "snort.log" for the filename).

    Review the barnyard2 global variable file /etc/default/barnyard2 or /etc/sysconfig/barnyard2, comment out the BINARY_LOG setting, and also make sure the log filename matches the one you used in snort.conf.

    Restart snort, and then restart barnyard2 to see if you are up and running.

    EDIT:
    For whatever reason, the BINARY_LOG setting trumps other settings and will cause snort to only produce a pcap log file. (Try running file /var/log/snort/snort.log.* and you will likely see the files are pure pcaps (packet captures), meaning they don't contain the Snort alert/event info.)

    And Barnyard2 will only work with log files that contain both event and pcap info. Unless there is some setting I overlooked. Go figure. If you run file on a valid barnyard2 unified2 file, the result should just be "data" or something of that nature.

    I hope this helps. I lost many hours and hairs over this.
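The two checks the answer relies on (is the spool file a raw pcap, and does it carry event records as well as packet records) can be done directly on the file rather than inferred from barnyard2's warnings. The script below is an added example written for this page; it is not code from the question, the answer, Snort or barnyard2. It walks a unified2 spool file record by record using the record layout from Snort's unified2.h (a big-endian type/length header, then the event or packet body), counts IDS event records versus packet records, and flags packet records whose (sensor_id, event_id) pair has no preceding event record. That last check is based on how barnyard2's spooler correlates packets to cached events; a packet with no cached event is what the database plugin reports as "Called with Event[0x0]". Note that Snort's log_unified2 output, as used in the question's snort.conf, writes only packet records, alert_unified2 writes only event records, and unified2 writes both. The sample spool contents are constructed inline so the script runs offline; the IP addresses and signature IDs in them are arbitrary.

```python
import struct
import sys
from typing import Dict, Iterator, Tuple

# Record types from Snort's unified2.h
UNIFIED2_PACKET = 2
UNIFIED2_IDS_EVENT = 7
UNIFIED2_IDS_EVENT_IPV6 = 72
UNIFIED2_IDS_EVENT_VLAN = 104
UNIFIED2_IDS_EVENT_IPV6_VLAN = 105
EVENT_TYPES = {UNIFIED2_IDS_EVENT, UNIFIED2_IDS_EVENT_IPV6,
               UNIFIED2_IDS_EVENT_VLAN, UNIFIED2_IDS_EVENT_IPV6_VLAN}

# libpcap file magic (microsecond and nanosecond variants, both byte orders).
# A file starting with one of these is a plain packet capture, not unified2.
PCAP_MAGICS = {b"\xa1\xb2\xc3\xd4", b"\xd4\xc3\xb2\xa1",
               b"\xa1\xb2\x3c\x4d", b"\x4d\x3c\xb2\xa1"}


def iter_records(data: bytes) -> Iterator[Tuple[int, bytes]]:
    """Yield (type, body) for every record: header is two big-endian u32s (type, length)."""
    off = 0
    while off + 8 <= len(data):
        rtype, rlen = struct.unpack_from(">II", data, off)
        off += 8
        if off + rlen > len(data):
            raise ValueError(f"truncated record at offset {off - 8}")
        yield rtype, data[off:off + rlen]
        off += rlen


def audit_spool(data: bytes) -> Dict[str, object]:
    """Classify a spool file the way barnyard2 would have to consume it."""
    if data[:4] in PCAP_MAGICS:
        return {"format": "pcap", "events": 0, "packets": 0,
                "orphan_packets": 0, "barnyard2_ok": False}
    events = packets = orphans = 0
    seen = set()  # (sensor_id, event_id) of event records read so far
    for rtype, body in iter_records(data):
        # Both event and packet bodies start with sensor_id, event_id (u32, u32)
        sensor_id, event_id = struct.unpack_from(">II", body, 0)
        if rtype in EVENT_TYPES:
            events += 1
            seen.add((sensor_id, event_id))
        elif rtype == UNIFIED2_PACKET:
            packets += 1
            if (sensor_id, event_id) not in seen:
                # Assumption about barnyard2: a packet with no cached event
                # reaches the output plugin with a NULL event pointer.
                orphans += 1
    return {"format": "unified2", "events": events, "packets": packets,
            "orphan_packets": orphans,
            "barnyard2_ok": events > 0 and orphans == 0}


# --- constructed sample records (not real captures) -------------------------

def event_record(sensor_id: int, event_id: int, sid: int, gid: int = 1) -> bytes:
    """Unified2IDSEvent_legacy (type 7): 52-byte body, IPv4 addresses are arbitrary."""
    body = struct.pack(">IIIIIIIIIIIHHBBBB",
                       sensor_id, event_id, 1409587851, 0,  # sensor, event, sec, usec
                       sid, gid, 3, 0, 3,                   # sid, gid, rev, class, priority
                       0xAC100001, 0xAC1000D3,              # 172.16.0.1 -> 172.16.0.211
                       8, 0, 1, 0, 0, 0)                    # itype, icode, proto=ICMP, flags
    return struct.pack(">II", UNIFIED2_IDS_EVENT, len(body)) + body


def packet_record(sensor_id: int, event_id: int, payload: bytes) -> bytes:
    """Serial_Unified2Packet (type 2): 28-byte header then the raw frame."""
    hdr = struct.pack(">IIIIIII", sensor_id, event_id, 1409587851,
                      1409587851, 0, 1, len(payload))  # linktype 1 = Ethernet
    body = hdr + payload
    return struct.pack(">II", UNIFIED2_PACKET, len(body)) + body


FRAME = b"\x00" * 42  # placeholder Ethernet frame, content irrelevant here
# What "output unified2:" produces: event followed by its packet.
SPOOL_GOOD = event_record(1, 1, 477) + packet_record(1, 1, FRAME)
# What "output log_unified2:" produces: packet records with no events at all.
SPOOL_PACKETS_ONLY = packet_record(1, 1, FRAME) + packet_record(1, 2, FRAME)
# A libpcap file header (little-endian, snaplen 65535, linktype 1): BINARY_LOG output.
SPOOL_PCAP = b"\xd4\xc3\xb2\xa1" + struct.pack("<HHiIII", 2, 4, 0, 0, 65535, 1)

if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            print(sys.argv[1], audit_spool(fh.read()))
    else:
        for name, blob in (("good", SPOOL_GOOD), ("packets_only", SPOOL_PACKETS_ONLY),
                           ("pcap", SPOOL_PCAP)):
            print(name, audit_spool(blob))
```

Run it against a real spool file with `python3 u2audit.py /var/log/snort/snort.u2.1409587851`. A healthy file reports events > 0 and orphan_packets == 0; a file written by log_unified2 shows packets but zero events, which is the condition behind the repeated "Called with Event[0x0]" warnings in the question, and a file written under BINARY_LOG is reported as pcap, matching what `file` shows.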