Error Unable To Find The Next Spool File
Snort mailing list archives (http://seclists.org/snort/2014/q4/396)
Subject: barnyard2: Unable to open directory '/var/log/snort' and Unable to find the next spool file!
From: Joyabrata Ghosh

pfSense forum thread: Snort - Barnyard2 not working (https://forum.pfsense.org/index.php?topic=24201.0)

jaysonr, April 08, 2010, 03:32:42 pm:

I just upgraded my box in order to get the new SNORT working and that went off without a hitch. However, Barnyard2 does not work anymore. I receive the errors:

    barnyard2[29422]: WARNING: Unable to open waldo file '/usr/local/etc/snort/snort_9867_fxp0/barnyard2.waldo' (No such file or directory)
    barnyard2[29422]: ERROR: Unable to open directory '' (No such file or directory)
    barnyard2[29422]: ERROR: Unable to find the next spool file!

Any ideas? It worked prior to the upgrade.

jamesdean, Reply #1, April 08, 2010, 04:07:39 pm:

Do this in the terminal:

    touch /usr/local/etc/snort/snort_9867_fxp0/barnyard2.waldo
    chown snort:snort /usr/local/etc/snort/snort_9867_fxp0/barnyard2.waldo

Please post your pfSense version and Snort version when asking questions. Thank you.

jaysonr, Reply #2, April 08, 2010, 05:52:56 pm:

I did that and now it throws the error:

    barnyard2[46672]: WARNING: Ignoring corrupt/truncated waldofile '/usr/local/etc/snort/snort_9867_fxp0/barnyard2.waldo'

Then the other two errors... I did check the directory and the file is there, 0 bytes, but it's there. Do I need to put anything in that file?

jaysonr, Reply #3, April 08, 2010, 07:03:13 pm:

I saw the bug for barnyard, wasn't sure how to get around it. I did check the running processes and barnyard2 is not running. I do already have 30008 records in my data file, so would I need to put anything in the waldo file?

lightenup, Reply #4, April 09, 2010, 09:33:43 am:

Quote from: jaysonr on April 08, 2010, 05:52:56 pm

    I did that and now it throws the error:
    barnyard2[46672]: WARNING: Ignoring corrupt/truncated waldofile '/usr/local/etc/snort/snort_9867_fxp0/barnyard2.waldo'
    Then the other two errors... I did check the directory and the file is there, 0 bytes, but it's there. Do I need to put anything in that file?

Same result here, latest snort 2.8.5.3 pkg v. 1.21 under pfSense 1.2.3-RELEASE.

Jare, Reply #5, April 12, 2010, 01:06:01 pm:

I've got a solution on how to get B
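The three messages in the opening post come from one step of barnyard2's continuous mode: after reading (or failing to read) the waldo bookmark, it lists the spool directory and looks for the next `<filebase>.<timestamp>` file. The example below is added here to make that step visible; it is not barnyard2's code and not from the thread, and it models barnyard2's behaviour as I read it (an assumption to check against your build): entries named `<filebase>.<unix-timestamp>` are candidates, and the oldest one whose timestamp is not before the bookmark is opened. A 0-byte waldo such as `touch` creates only earns the "corrupt/truncated" warning and is treated as "start from the beginning", so the waldo fix alone cannot help while the directory name is still `''`.

```python
"""Reproduce barnyard2's search for the next spool file, the step behind
"Unable to open directory ''" and "Unable to find the next spool file!".

Added example, not barnyard2's own code. Assumed behaviour: list the -d
directory, keep entries named <filebase>.<unix-timestamp> (filebase is the
-f argument, e.g. snort.log), open the oldest whose timestamp is >= the
bookmark from the waldo file; an empty or missing waldo means waldo_ts = 0.
"""
import os
import re
import tempfile
from typing import List, Optional, Tuple


def choose_spool(names: List[str], filebase: str, waldo_ts: int = 0) -> Optional[str]:
    """Selection step on a directory listing; None if nothing qualifies."""
    pat = re.compile(re.escape(filebase) + r"\.(\d+)$")
    found = []
    for name in names:
        m = pat.match(name)
        if m:  # "snort.log" or "barnyard2.waldo" do not match, only snort.log.<ts>
            found.append((int(m.group(1)), name))
    eligible = sorted(t for t in found if t[0] >= waldo_ts)
    return eligible[0][1] if eligible else None


def find_next_spool(spool_dir: str, filebase: str, waldo_ts: int = 0) -> Tuple[Optional[str], str]:
    """Directory step; returns (path or None, a message in barnyard2's wording)."""
    if not spool_dir or not os.path.isdir(spool_dir):
        # The thread's first ERROR: the directory name is '' because barnyard2 was
        # started without a usable spool directory, so the second ERROR follows.
        return None, f"ERROR: Unable to open directory '{spool_dir}' (No such file or directory)"
    name = choose_spool(os.listdir(spool_dir), filebase, waldo_ts)
    if name is None:
        return None, (f"ERROR: Unable to find the next spool file! "
                      f"(no {filebase}.<timestamp> >= {waldo_ts} in {spool_dir})")
    path = os.path.join(spool_dir, name)
    return path, f"Opened spool file '{path}'"


if __name__ == "__main__":
    # Walk through the situations from the thread with a throwaway directory.
    with tempfile.TemporaryDirectory() as d:
        print(find_next_spool("", "snort.log")[1])             # directory unset
        print(find_next_spool(d, "snort.log")[1])              # directory empty
        for ts in (1369295582, 1369295736):
            open(os.path.join(d, f"snort.log.{ts}"), "wb").close()
        open(os.path.join(d, "barnyard2.waldo"), "wb").close()
        print(find_next_spool(d, "snort.log")[1])              # oldest file first
        print(find_next_spool(d, "snort.log", 1369295700)[1])  # resume past bookmark
```

Run it as a script to see the three outcomes in order; the practical check it suggests is to confirm the `-d` directory (or the directory line in barnyard2.conf) is set and readable by the user barnyard2 runs as before touching the waldo file.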
Snort-users mailing list (https://sourceforge.net/p/snort/mailman/snort-users/thread/52245BE9.5080803@ucl.ac.uk/)
Subject: [Snort-users] @barnyard error
From: anagha b

GitHub issue firnsy/barnyard2 #89 (https://github.com/firnsy/barnyard2/issues/89): Barnyard2 does not read the output of snort - mysql empty
Closed. Tmolle opened this issue May 23, 2013; 8 comments, 7 participants.

Tmolle commented May 23, 2013:

Hello all,

Like many people, Barnyard2 does not read logs from Snort. But I don't understand why. Some help is welcome.

I use:

    Snort Version 2.9.4 GRE (Build 40)
    Barnyard2 - version 2-1.13

I test with only one local rule, which is:

    alert icmp any any -> any any (msg: "test ICMP"; sid: 10000001;)

I tried with rev: 1; but it's not better.

When I run Snort, I can see the ICMP alerts.

    # snort -A console -q -u snort -g snort -c /etc/snort/snort.conf -i eth0
    05/23-09:55:37.102206 [**] [1:10000001:1] test ICMP [**] [Priority: 0] {ICMP} 10.70.0.121 -> 10.70.0.178
    05/23-09:55:37.102224 [**] [1:10000001:1] test ICMP [**] [Priority: 0] {ICMP} 10.70.0.178 -> 10.70.0.121
    05/23-09:55:38.102885 [**] [1:10000001:1] test ICMP [**] [Priority: 0] {ICMP} 10.70.0.121 -> 10.70.0.178

And Barnyard2 is waiting for new data:

    barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort -f snort.log -w /var/log/snort/barnyard2.waldo
    [...]
    barnyard2: Closing spool file '/var/log/snort/snort.log.1369295582'. Read 0 records
    barnyard2: Opened spool file '/var/log/snort/snort.log.1369295736'
    barnyard2: Waiting for new data

    ls -l /var/log/snort
    -rw------- 1 snort snort 384 May 23 09:55 snort.log.1369295736

But my database is empty:

    mysql> select * from event;
    Empty set (0.00 sec)

Where

    mysql> select * from sensor;
    +-----+----------------+-----------+--------+--------+----------+----------+
    | sid | hostname       | interface | filter | detail | encoding | last_cid |
    +-----+----------------+-----------+--------+--------+----------+----------+
    |   1 | localhost:eth0 | eth0      | NULL   |      1 |        0 |        0 |
    +-----+----------------+-----------+--------+--------+----------+----------+
    1 row in set (0.00 sec)

Below my config:

Snort:

    # unified2
    # Recommended for most installs
    output unified2: filename snort.log, limit 128

Barnyard2:

    output database: alert, mysql, user=snort password=******** dbname=snort host=localhost

Do you see a mistake somewhere? Thanks in advance.

Tmolle commented May 23, 2013:

It's better with snort -q -u snort -g snort -c /etc/snort/snort.conf
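"Read 0 records" followed by "Waiting for new data" is barnyard2 describing the spool file it opened, not the database: it found no complete unified2 record in the closed file and is now tailing the new one. The reader below is an added example (not Snort's or barnyard2's code, and not from the issue) that walks a spool file the same way, so you can check whether snort.log.<timestamp> actually holds events before blaming the MySQL output plugin. Record layouts are Snort's unified2 format (big-endian 8-byte header of type and length, then the body); it decodes the legacy IPv4 event (type 7, 52-byte body) and packet (type 2, 28-byte header plus packet bytes) records that a plain ICMP alert produces. The sample bytes at the bottom are constructed here from the issue's rule (gid 1, sid 10000001, rev 1, 10.70.0.121 -> 10.70.0.178), not taken from a real snort.log.

```python
"""Minimal unified2 spool reader: what barnyard2 does between "Opened spool
file" and "Read N records" / "Waiting for new data".

Added example, not Snort's or barnyard2's code. Unified2 layout: an 8-byte
record header (type, length, big-endian) followed by `length` body bytes.
Decoded here: type 7 UNIFIED2_IDS_EVENT (legacy IPv4, 52-byte body) and
type 2 UNIFIED2_PACKET (28-byte header + packet). Others stay undecoded.
"""
import socket
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

UNIFIED2_PACKET = 2
UNIFIED2_IDS_EVENT = 7

_HDR = struct.Struct("!II")                        # record type, record length
_EVENT = struct.Struct("!" + "I" * 11 + "HHBBBB")  # Unified2IDSEvent (legacy)
_PKT = struct.Struct("!" + "I" * 7)                # Unified2Packet header


@dataclass
class Record:
    rtype: int
    body: bytes
    decoded: Optional[dict] = None


def _ip(n: int) -> str:
    return socket.inet_ntoa(struct.pack("!I", n))


def read_records(blob: bytes) -> Tuple[List[Record], int]:
    """Walk the records in `blob`; return (records, bytes consumed).

    A trailing partial record is left unread: that is the normal state while
    Snort is still writing, and why barnyard2 says "Waiting for new data"
    rather than erroring. No complete record at all is "Read 0 records".
    """
    records: List[Record] = []
    off = 0
    while off + _HDR.size <= len(blob):
        rtype, length = _HDR.unpack_from(blob, off)
        end = off + _HDR.size + length
        if end > len(blob):
            break  # incomplete record at the tail of the file
        rec = Record(rtype, blob[off + _HDR.size:end])
        if rtype == UNIFIED2_IDS_EVENT and length >= _EVENT.size:
            f = _EVENT.unpack_from(rec.body)
            rec.decoded = {
                "sensor_id": f[0], "event_id": f[1], "event_second": f[2],
                "event_usec": f[3], "sid": f[4], "gid": f[5], "rev": f[6],
                "classification": f[7], "priority": f[8],
                "src": _ip(f[9]), "dst": _ip(f[10]),
                "sport_itype": f[11], "dport_icode": f[12], "proto": f[13],
            }
        elif rtype == UNIFIED2_PACKET and length >= _PKT.size:
            p = _PKT.unpack_from(rec.body)
            rec.decoded = {"event_id": p[1], "linktype": p[5],
                           "packet_length": p[6],
                           "packet": rec.body[_PKT.size:_PKT.size + p[6]]}
        records.append(rec)
        off = end
    return records, off


def build_event(sid: int, gid: int, rev: int, src: str, dst: str, proto: int,
                sport: int, dport: int, event_id: int = 1,
                second: int = 0, usec: int = 0) -> bytes:
    """Serialize one legacy IDS event record (only used to build sample data)."""
    src_n = struct.unpack("!I", socket.inet_aton(src))[0]
    dst_n = struct.unpack("!I", socket.inet_aton(dst))[0]
    body = _EVENT.pack(1, event_id, second, usec, sid, gid, rev, 0, 0,
                       src_n, dst_n, sport, dport, proto, 0, 0, 0)
    return _HDR.pack(UNIFIED2_IDS_EVENT, len(body)) + body


def build_packet(event_id: int, pkt: bytes, second: int = 0, usec: int = 0,
                 linktype: int = 1) -> bytes:
    """Serialize one packet record for `event_id` (linktype 1 = Ethernet)."""
    body = _PKT.pack(1, event_id, second, second, usec, linktype, len(pkt)) + pkt
    return _HDR.pack(UNIFIED2_PACKET, len(body)) + body


# Constructed sample (not a real capture): the issue's "test ICMP" rule firing
# on an echo request (itype 8), followed by its 98-byte packet record.
SAMPLE_SPOOL = (
    build_event(10000001, 1, 1, "10.70.0.121", "10.70.0.178", proto=1,
                sport=8, dport=0, event_id=1, second=1369295737, usec=102206)
    + build_packet(1, b"\x00" * 98, second=1369295737, usec=102206)
)


def summarize(blob: bytes) -> dict:
    """The counts barnyard2 reports, plus how many bytes are still pending."""
    recs, used = read_records(blob)
    return {"records": len(recs),
            "events": sum(r.rtype == UNIFIED2_IDS_EVENT for r in recs),
            "consumed": used, "pending": len(blob) - used}


if __name__ == "__main__":
    for r in read_records(SAMPLE_SPOOL)[0]:
        print(r.rtype, r.decoded)
    print(summarize(SAMPLE_SPOOL))
```

To use it on the issue's host, feed `open("/var/log/snort/snort.log.1369295736", "rb").read()` to `summarize()`: a result with `events` greater than 0 means the spool file is fine and the problem is on the output side (database plugin, permissions, or barnyard2 running as a user that cannot read the 0600 file), while `records` of 0 with `pending` greater than 0 means Snort has not finished a record yet, exactly the "Waiting for new data" state.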