Snort mailing list archives

Ready! Set! ... Nothing :-/


From: "Shaun T. Erickson" <ste () smxy org>
Date: Fri, 11 Jun 2004 14:25:38 -0400

Ok. I installed a snort sensor in my DMZ. It's configured thusly:

var HOME_NET 65.206.7.144/28
var EXTERNAL_NET any
var DNS_SERVERS $HOME_NET
var SMTP_SERVERS $HOME_NET
var HTTP_SERVERS $HOME_NET
var SQL_SERVERS $HOME_NET
var TELNET_SERVERS $HOME_NET
var SNMP_SERVERS $HOME_NET
var HTTP_PORTS 80
var SHELLCODE_PORTS !80
var ORACLE_PORTS 1521
var AIM_SERVERS [64.12.24.0/24,64.12.25.0/24,64.12.26.14/24,64.12.28.0/24,64.12.29.0/24,64.12.161.0/24,64.12.163.0/24,205.188.5.0/24,205.188.9.0/24]
var RULE_PATH ../share/snort
preprocessor flow: stats_interval 0 hash 2
preprocessor frag2
preprocessor stream4: disable_evasion_alerts
preprocessor stream4_reassemble
preprocessor http_inspect: global \
    iis_unicode_map unicode.map 1252
preprocessor http_inspect_server: server default \
    profile all ports { 80 8080 8180 } oversize_dir_length 500
preprocessor rpc_decode: 111 32771
preprocessor bo
preprocessor telnet_decode
output alert_unified: filename snort.alert, limit 128
output log_unified: filename snort.log, limit 128
include ../share/snort/classification.config
include ../share/snort/reference.config
include $RULE_PATH/local.rules
include $RULE_PATH/bad-traffic.rules
include $RULE_PATH/exploit.rules
include $RULE_PATH/scan.rules
include $RULE_PATH/finger.rules
include $RULE_PATH/ftp.rules
include $RULE_PATH/telnet.rules
include $RULE_PATH/rpc.rules
include $RULE_PATH/rservices.rules
include $RULE_PATH/dos.rules
include $RULE_PATH/ddos.rules
include $RULE_PATH/dns.rules
include $RULE_PATH/tftp.rules
include $RULE_PATH/web-cgi.rules
include $RULE_PATH/web-coldfusion.rules
include $RULE_PATH/web-iis.rules
include $RULE_PATH/web-frontpage.rules
include $RULE_PATH/web-misc.rules
include $RULE_PATH/web-client.rules
include $RULE_PATH/web-php.rules
include $RULE_PATH/sql.rules
include $RULE_PATH/x11.rules
include $RULE_PATH/icmp.rules
include $RULE_PATH/netbios.rules
include $RULE_PATH/misc.rules
include $RULE_PATH/attack-responses.rules
include $RULE_PATH/oracle.rules
include $RULE_PATH/mysql.rules
include $RULE_PATH/snmp.rules
include $RULE_PATH/smtp.rules
include $RULE_PATH/imap.rules
include $RULE_PATH/pop2.rules
include $RULE_PATH/pop3.rules
include $RULE_PATH/nntp.rules
include $RULE_PATH/other-ids.rules
include $RULE_PATH/experimental.rules

It's virtually a default install. When started, it created the two output files, in the correct place:

wile# pwd
/usr/local/var/log/snort
wile# ls -l
total 4
-rw-------  1 root  wheel  16 Jun  1 11:56 snort.alert.1086105378
-rw-------  1 root  wheel  24 Jun  1 11:56 snort.log.1086105378
wile#

snort is running:

52099 ?? Ss 0:14.21 /usr/local/bin/snort -Dqc /usr/local/etc/snort.conf -l /usr/local/var/log/snort -i em0

barnyard is installed, and configured thusly:

config daemon
config interface: em0
config sid-msg-map: /usr/local/etc/barnyard/sid-msg.map
config gen-msg-map: /usr/local/etc/barnyard/gen-msg.map
config class-file:  /usr/local/etc/barnyard/classification.config
output log_acid_db: mysql, database snort, server 192.168.32.211, user barnyard, password scudder!, detail full

barnyard is running:

85004 p0 S 0:00.83 barnyard -c /usr/local/etc/barnyard/barnyard.conf -d /usr/local/var/log/snort -L /usr/local/var/log/snort -f snort.log -n -w /var/run/by.bookmark

MySQL is running on the remote server, and when barnyard was started, it connected to the database:

040611 11:56:10     150 Connect     barnyard@wile.blackdogsoft.net on snort
                    150 Query       SELECT sid FROM sensor WHERE hostname='wile.blackdogsoft.net' AND interface='em0' AND filter='' AND detail='1' AND encoding='0'
                    150 Query       INSERT INTO sensor(hostname, interface, filter, detail, encoding, last_cid) VALUES('wile.blackdogsoft.net', 'em0', '', '1', '0', '0')
                    150 Query       SELECT max(cid) FROM event WHERE sid='2'

So, I installed nessus on the snort sensor and just ran it against the systems in my DMZ. I was expecting to see the snort files grow in size, and for records to be added to the database, by barnyard. Nessus ran, and found various things I need to fix on my servers, but that's all. The snort logs didn't grow, and therefore nothing was sent to the database by barnyard.

Can someone help me debug this and get it working, please? TIA.

        -ste
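Editor's note with an added example (not part of the original post). The two files Snort created are 16 and 24 bytes, which is exactly the size of the Snort 2.x unified alert file header (magic, version major, version minor, timezone) and unified log file header (magic, flags, version major, version minor, timezone, snaplen). In other words they contain no event records at all, so barnyard had nothing to ship; the problem is in capture or detection, not the barnyard/MySQL leg. The parser below decodes that format so the check can be made directly rather than inferred from `ls -l`. It assumes a 32-bit little-endian sensor (host byte order and native struct layout, as Snort writes the files), the Snort 2.x unified alert record layout, and version 1.81 in the header; the sample records it builds are constructed, not captured from the poster's sensor.

```python
"""Decode Snort 2.x 'unified' alert/log files (the format barnyard consumes)."""
import socket
import struct

# Magic numbers from Snort's spo_unified.h / barnyard's unified.h.
ALERT_MAGIC = 0xDEAD4137
LOG_MAGIC = 0xDEAD1080

# Files are written in host byte order with native struct layout.  The
# formats below assume a 32-bit little-endian (i386) sensor; that is an
# assumption about the box, not something the post states.
ALERT_HDR_FMT = "<IIIi"      # magic, version_major, version_minor, timezone
LOG_HDR_FMT = "<IIIIiI"      # magic, flags, version_major, version_minor, timezone, snaplen
ALERT_HDR_LEN = struct.calcsize(ALERT_HDR_FMT)   # 16 bytes, as in the ls -l above
LOG_HDR_LEN = struct.calcsize(LOG_HDR_FMT)       # 24 bytes, as in the ls -l above

# UnifiedAlert record: Event {generator, sid, rev, classification, priority,
# event_id, event_reference, ref_time sec/usec} + ts sec/usec + sip + dip +
# sp + dp + protocol + flags.  sip/dip are kept as raw 4-byte fields because
# Snort stores them in network order; ports are host-order integers.
ALERT_REC_FMT = "<9I2I4s4sHHII"
ALERT_REC_LEN = struct.calcsize(ALERT_REC_FMT)   # 64 bytes per alert


def file_kind(data):
    """Return 'alert' or 'log' from the leading magic, else raise ValueError."""
    if len(data) < 4:
        raise ValueError("file shorter than the magic number")
    (magic,) = struct.unpack_from("<I", data, 0)
    if magic == ALERT_MAGIC:
        return "alert"
    if magic == LOG_MAGIC:
        return "log"
    raise ValueError("unknown unified magic 0x%08X" % magic)


def parse_alert_file(data):
    """Return (header, records) for a unified alert file.

    Raises ValueError on a bad magic or a truncated trailing record, which is
    the same condition barnyard refuses to process.
    """
    if file_kind(data) != "alert":
        raise ValueError("not a unified alert file")
    _magic, vmaj, vmin, tz = struct.unpack_from(ALERT_HDR_FMT, data, 0)
    header = {"version": (vmaj, vmin), "timezone": tz}
    body = data[ALERT_HDR_LEN:]
    if len(body) % ALERT_REC_LEN:
        raise ValueError("truncated record: %d trailing bytes" % (len(body) % ALERT_REC_LEN))
    records = []
    for off in range(0, len(body), ALERT_REC_LEN):
        f = struct.unpack_from(ALERT_REC_FMT, body, off)
        records.append({
            "generator": f[0], "sid": f[1], "rev": f[2],
            "classification": f[3], "priority": f[4],
            "event_id": f[5], "event_ref": f[6],
            "ref_time": (f[7], f[8]), "ts": (f[9], f[10]),
            "src": socket.inet_ntoa(f[11]), "dst": socket.inet_ntoa(f[12]),
            "sport": f[13], "dport": f[14], "proto": f[15], "flags": f[16],
        })
    return header, records


def build_alert_file(alerts, timezone=-4):
    """Construct a unified alert file from dicts (sample data, not a capture)."""
    out = struct.pack(ALERT_HDR_FMT, ALERT_MAGIC, 1, 81, timezone)  # 1.81: assumed
    for a in alerts:
        out += struct.pack(
            ALERT_REC_FMT,
            a.get("generator", 1), a["sid"], a.get("rev", 1),
            a.get("classification", 0), a.get("priority", 3),
            a.get("event_id", 1), a.get("event_ref", 1),
            a["ts"], 0, a["ts"], 0,
            socket.inet_aton(a["src"]), socket.inet_aton(a["dst"]),
            a["sport"], a["dport"], a.get("proto", 6), 0,
        )
    return out


def build_log_header(snaplen=1514, timezone=-4):
    """Construct an empty unified log file (header only), for comparison."""
    return struct.pack(LOG_HDR_FMT, LOG_MAGIC, 0, 1, 81, timezone, snaplen)


def summarize(data):
    """One-line verdict on a unified file: header only, or how many records."""
    if file_kind(data) == "log":
        n = len(data) - LOG_HDR_LEN
        return "log file: header only" if n == 0 else "log file: %d bytes of packet records" % n
    header, records = parse_alert_file(data)
    if not records:
        return "alert file: header only (v%d.%d), no alerts written" % header["version"]
    return "alert file: %d alert record(s)" % len(records)


if __name__ == "__main__":
    import sys
    paths = sys.argv[1:]
    if not paths:
        # No file given: show the 16-byte case from the post and a constructed hit.
        empty = build_alert_file([])
        print(len(empty), "bytes:", summarize(empty))
        sample = build_alert_file([{"sid": 1000001, "ts": 1086105378, "src": "65.206.7.150",
                                    "dst": "65.206.7.145", "sport": 44321, "dport": 80}])
        for r in parse_alert_file(sample)[1]:
            print("sid", r["sid"], r["src"], r["sport"], "->", r["dst"], r["dport"])
    for p in paths:
        with open(p, "rb") as fh:
            print(p, ":", summarize(fh.read()))
```

Run it against `/usr/local/var/log/snort/snort.alert.*` on the sensor: "header only" confirms the detection engine never fired, so the next checks belong upstream (does `tcpdump -ni em0` on the sensor see the scan traffic, does `snort -T -c snort.conf` load the rules without error, and does a trivially matching `local.rules` entry produce a record). A file that parses with records but an empty database would instead point at barnyard.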


