Aycock, Jeff R.
2011-07-22 13:36:07 UTC
Hello,
Please excuse me for posting this request earlier in the announcement
mailing list which should be in the users mailing list instead. My bad.
I'm new to Sguil and Snort and would appreciate any suggestion for an
issue I am having with Barnyard2.
I've installed Snort 2.9.0.5, Barnyard2 (1.10 beta 1), and sguil-0.8.0
on a Fedora 15 box. Snort, snort_agent, and sguild all ran with no
issues - I verified this using ps -ef|grep sguil:
[***@10 firnsy-barnyard2-411db8a]ps -ef|grep sguil
root 18246 22388 0 14:40 pts/4 00:00:00 tclsh ./sguild
root 18251 18246 0 14:40 pts/4 00:00:00 tclsh ./sguild
root 18252 18246 0 14:40 pts/4 00:00:00 tclsh ./sguild
root 18354 18332 0 15:14 pts/5 00:00:00 grep --color=auto sguil
sguil 22705 22438 0 08:55 pts/6 00:00:12 snort -u sguil -g sguil
-c /etc/snort/snort.conf -i eth0 -U -A none -m 122 -l
/var/log/snort_data/sensor
root 22772 1 0 09:11 ? 00:00:06 tclsh
/opt/sguil-0.8.0/sensor/snort_agent.tcl -c
/opt/sguil-0.8.0/sensor/snort_agent.conf
I verified that the correct ports are used:
[***@10 firnsy-barnyard2-411db8a]# lsof -i :7736
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
tclsh 18246 root 14u IPv4 4665775 0t0 TCP *:7736 (LISTEN)
[***@10 firnsy-barnyard2-411db8a]# lsof -i :7735
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
tclsh 22772 root 4u IPv4 4442250 0t0 TCP XXXXXXXXXX:7735
(LISTEN)
When I attempt to start Barnyard2:
[***@10 firnsy-barnyard2-411db8a]# /usr/local/bin/barnyard2 -c
/etc/snort/barnyard2.conf -d /snort_data/sensor -f snort.log -w
/etc/snort/waldo.file -G /etc/snort/gen-msg.map -S
/etc/snort/sid-msg.map -v
I get this error message:
Running in Continuous mode
--== Initializing Barnyard2 ==--
Initializing Input Plugins!
Initializing Output Plugins!
Parsing config file "/etc/snort/barnyard2.conf"
............
...........
sguil: Connected to localhost on 7735.
ERROR: Connecton closed by client
sguil: Connected to localhost on 7735.
ERROR: Connecton closed by client
sguil: Connected to localhost on 7735.
ERROR: Connecton closed by client
.............
............
It didn't matter whether I ran as another user or root; the results are
the same. Does anyone have any suggestion, or has anyone encountered the same issue?
Thanks in advance!
Jeff
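One thing a reader of this post can check from the command lines it shows is whether snort's log directory (the `-l` argument in the `ps -ef` output) and barnyard2's spool directory (the `-d` argument) actually agree; barnyard2 reads unified2 files from the directory it is given, so a mismatch is worth ruling out before looking at the agent connection. The script below is an added example, not code from the post or from the Sguil/Barnyard2 projects. It assumes that in a standard setup these two directories should be the same path, and it does not claim that this is the cause of the "Connecton closed by client" error above. The `ps` sample lines are constructed from the ones in the post, unwrapped onto single lines.

```python
import os
import shlex

# Constructed sample: the ps -ef | grep sguil lines from the post, each
# process on one line (the archive wrapped the long ones).
PS_SAMPLE = """\
root 18246 22388 0 14:40 pts/4 00:00:00 tclsh ./sguild
root 18251 18246 0 14:40 pts/4 00:00:00 tclsh ./sguild
sguil 22705 22438 0 08:55 pts/6 00:00:12 snort -u sguil -g sguil -c /etc/snort/snort.conf -i eth0 -U -A none -m 122 -l /var/log/snort_data/sensor
root 22772 1 0 09:11 ? 00:00:06 tclsh /opt/sguil-0.8.0/sensor/snort_agent.tcl -c /opt/sguil-0.8.0/sensor/snort_agent.conf
"""

# Constructed sample: the barnyard2 invocation from the post, on one line.
BARNYARD2_CMDLINE = (
    "/usr/local/bin/barnyard2 -c /etc/snort/barnyard2.conf "
    "-d /snort_data/sensor -f snort.log -w /etc/snort/waldo.file "
    "-G /etc/snort/gen-msg.map -S /etc/snort/sid-msg.map -v"
)


def option_value(cmdline, flag):
    """Return the argument that follows `flag` in a shell command line, or None.

    Uses shlex so quoted arguments are handled the way the shell would.
    """
    argv = shlex.split(cmdline)
    for i, tok in enumerate(argv[:-1]):
        if tok == flag:
            return argv[i + 1]
    return None


def snort_cmdline_from_ps(ps_text):
    """Pick the snort process out of `ps -ef` output and return its CMD column.

    ps -ef columns are UID PID PPID C STIME TTY TIME CMD; CMD is everything
    after the seventh field, so the line is split at most seven times.
    """
    for line in ps_text.splitlines():
        fields = line.split(None, 7)
        if len(fields) != 8:
            continue
        cmd = fields[7]
        if os.path.basename(cmd.split()[0]) == "snort":
            return cmd
    return None


def spool_mismatch(snort_cmdline, barnyard2_cmdline):
    """Compare snort's -l directory with barnyard2's -d directory.

    Returns (snort_dir, barnyard2_dir, mismatch). Trailing slashes are
    normalised so /a/b and /a/b/ compare equal.
    """
    snort_dir = option_value(snort_cmdline, "-l")
    by_dir = option_value(barnyard2_cmdline, "-d")
    norm = lambda p: os.path.normpath(p) if p else p
    return snort_dir, by_dir, norm(snort_dir) != norm(by_dir)


def report(ps_text, barnyard2_cmdline):
    """Human-readable summary of the spool-directory check."""
    snort_cmd = snort_cmdline_from_ps(ps_text)
    if snort_cmd is None:
        return "no snort process found in ps output"
    snort_dir, by_dir, mismatch = spool_mismatch(snort_cmd, barnyard2_cmdline)
    if mismatch:
        return ("spool directory mismatch: snort writes to %s, "
                "barnyard2 reads from %s" % (snort_dir, by_dir))
    return "spool directories agree: %s" % snort_dir


if __name__ == "__main__":
    print(report(PS_SAMPLE, BARNYARD2_CMDLINE))
```

On the sample from the post the report flags `/var/log/snort_data/sensor` against `/snort_data/sensor`; on a live sensor you would feed it the real `ps -ef` output and the barnyard2 command line (or the `waldo` file's directory) instead of the embedded samples.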