Snort mailing list archives
Re: upgrading to snort 2.6
From: Joel Esler <joel.esler () sourcefire com>
Date: Thu, 28 Sep 2006 14:10:03 -0400
Just to say... Are you sure snort is outputting in unified format?

J

On Thu, Sep 28, 2006 at 12:47:30PM -0500, Derek Stinchfield apparently sent me:
Recently, my department was able to free up a new server that we decided to use to replace our old snort box. I figured that this would be a good time to update to 2.6. I saved a few of the old config files and went to work with the new box from scratch. I loaded RHELAS 4 and after the install, I downloaded and installed 2.6.0.2, and Barnyard 0.2.0. I then checked and copied over the config files, rulesets, and startup scripts from our old snort 2.4 box and I thought I pounded out any issues with file locations and permissions.

Both snort and barnyard are now starting and running; however, I let it run last night, outputting unified files and having barnyard pointed at a remote syslog server, and I didn't have a single rule in the remote syslog today. I had snort make a fast alert output to be sure that rules were being triggered, and sure enough they are, which leaves me with barnyard. I did the fast alert for this too and it didn't even create the file for it.

This is the first time I've tried to use the barnyard startup script. Before, I would just start it with <barnyard -D -n -f /var/log/snort/snort.alert>. Now that I'm trying to use the script, the command is </usr/local/bin/barnyard -c /etc/snort/barnyard.conf -d /var/log/snort -a /var/log/snort-proces....>. Obviously, if I try to start it the old way I now get a segmentation fault.

I have posted the barnyard script as well as what I use in the barnyard.conf. Any help I can get is appreciated. Also, if it helps, I don't absolutely have to use the barnyard script, so if there is an idea that excludes it, I would appreciate that as much as any help.

Thanks in advance,
Derek

The barnyard script I used is this:

#!/bin/bash
#
# barnyard      Start/Stop barnyard daemon
#
# Written by Alejandro Flores <alejandrorfloresgmail.com>
#
# chkconfig: 2345 42 62
# description: Output spool reader for Snort! This program decouples
#              output overhead from the Snort network intrusion detection
#              system and allows Snort to run at full speed. It takes
#              input and output plugins and can therefore be used to
#              convert almost any spooled file.
#

. /etc/rc.d/init.d/functions

# Barnyard binary
BARNYARD=/usr/local/bin/barnyard

# Where to place processed logs
PROCESSADOS=/var/log/snort-processados

# Base dir for snort logs
LOG_BASE=/var/log/snort

# Unified log filename (the base name; snort appends a timestamp)
LOG_FILE=snort.log

# Barnyard config
CONFIG=/etc/snort/barnyard.conf

# where is sid-msg.map
SIDMAP=/etc/snort/sid-msg.map

# where is gen-msg.map
GENMAP=/etc/snort/gen-msg.map

# where is classification.config
CLASSCONF=/etc/snort/classification.config

# where to place the barnyard bookmark
WALDO=/var/log/snort/waldo

case "$1" in
  start)
        if [ -f /var/lock/subsys/barnyard ]; then
                echo "Barnyard is already running."
                exit
        fi
        echo -n "Starting Barnyard: "
        daemon $BARNYARD \
                -c $CONFIG \
                -d $LOG_BASE \
                -a $PROCESSADOS \
                -f $LOG_FILE \
                -w $WALDO \
                -s $SIDMAP \
                -g $GENMAP \
                -p $CLASSCONF \
                -D
        touch /var/lock/subsys/barnyard
        ;;
  stop)
        echo -n "Stopping Barnyard"
        killproc barnyard
        rm /var/lock/subsys/barnyard
        ;;
  *)
        echo "Usage: $0 {start|stop}"
        exit 1
        ;;
esac

exit 0
/script

This is my barnyard.conf <some commented parts omitted>

#-------------------------------------------------------------
# http://www.snort.org Barnyard 0.1.0 configuration file
# Contact: snort-barnyard () lists sourceforge net
#-------------------------------------------------------------
# $Id: barnyard.conf,v 1.9 2004/05/01 16:43:29 andrewbaker Exp $

########################################################
# Currently you want to do two things in here: turn on
# available data processors and turn on output plugins.
# The data processors (dp's) and output plugin's (op's)
# automatically associate with each other by type and
# are automatically selected at run time depending on
# the type of file you try to load.
########################################################

# Step 1: configuration declarations
# To keep from having a commandline that uses every letter in the alphabet
# most configuration options are set here

# enable daemon mode
config daemon

#INSERTED BY DEREK. Indicate which interface shall be monitored
config interface: eth1

#INSERTED BY DEREK. Give Barnyard the location of the meta-data.
config sid-msg-map: /etc/snort/sid-msg.map
config gen-msg-map: /etc/snort/gen-msg.map
config class-file: /etc/snort/classification.config

# set the hostname (currently only used for the acid db output plugin)
#COMMENTED OUT BY DEREK. config hostname: snorthost

# set the interface name (currently only used for the acid db output plugin)
#COMMENTED OUT BY DEREK. config interface: fxp0

# set the filter (currently only used for the acid db output plugin)
#COMMENTED OUT BY DEREK. config filter: not port 22

# Step 2: setup the output plugins

# alert_fast
#-----------------------------
# Converts data from the dp_alert plugin into an approximation of Snort's
# "fast alert" mode.  Argument: <filename>
output alert_fast: barnyard.alert

# log_dump
#-----------------------------
# Converts data from the dp_log plugin into an approximation of Snort's
# "ASCII packet dump" mode.  Argument: <filename>
#COMMENTED OUT BY DEREK. output log_dump

# alert_syslog2
#-------------------------------
# Generates a syslog alert.  This supports considerably more features than
# the original syslog output plugin.
# output alert_syslog2: severity: ALERT; syslog_host: x.x.x.x;
/barnyard.config

--
Derek Stinchfield
Network Analyst
Scientific Computing Center
University of North Dakota - AEROSPACE
derek () aero und edu
--

-------------------------------------------------------------------------
Take Surveys. Earn Cash. Influence the Future of IT
Join SourceForge.net's Techsay panel and you'll get the chance to share your
opinions on IT & business topics through brief surveys -- and earn cash
http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
+---------------------------------------------------------------------+
joel esler
senior security consultant
1-706-627-2101
Sourcefire
Security for the /Real/ World -- http://www.sourcefire.com
Snort - Open Source Network IPS/IDS -- http://www.snort.org
gpg key: http://demo.sourcefire.com/jesler.pgp.key
aim:eslerjoel ymsg:eslerjoel gtalk:eslerj
+---------------------------------------------------------------------+
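Joel's question ("is snort actually writing unified files?") and the note at the top of the posted barnyard.conf (data processors and output plugins pair up by the type of spool file barnyard is asked to read) are both things that can be checked before restarting daemons. The script below is an added example written for this archive page, not code from the thread, from Snort or from Barnyard. It assumes the unified file magic values from Snort's spo_unified.h (0xDEAD4137 for an alert spool, 0xDEAD1080 for a log spool) written in little-endian host order, the snort naming convention <base>.<unix timestamp> that barnyard's -f <base> relies on, and a simple rule that output plugins named alert_* need an alert spool and log_* need a log spool (plugins outside those two prefixes, such as acid_db, are not judged). The sample spool files and the config text it runs against are constructed inline.

```python
import os
import re
import struct
import tempfile

# Magic values Snort 2.x writes at the start of each unified spool file
# (from spo_unified.h; assumed little-endian host byte order here).
UNIFIED_ALERT_MAGIC = 0xDEAD4137
UNIFIED_LOG_MAGIC = 0xDEAD1080

# snort names spool files <base>.<unix timestamp>; barnyard -f takes <base>.
SPOOL_RE = re.compile(r"^(?P<base>.+)\.(?P<ts>\d{9,10})$")


def spool_type(path):
    """Classify one spool file by its leading magic: 'alert', 'log', 'empty' or 'unknown'."""
    with open(path, "rb") as fh:
        head = fh.read(4)
    if len(head) < 4:
        return "empty"          # snort opened the file but has written no header yet
    (magic,) = struct.unpack("<I", head)
    return {UNIFIED_ALERT_MAGIC: "alert", UNIFIED_LOG_MAGIC: "log"}.get(magic, "unknown")


def list_spools(spool_dir, base):
    """Full paths of every spool file in spool_dir with base name `base`, oldest first."""
    found = []
    for name in os.listdir(spool_dir):
        m = SPOOL_RE.match(name)
        if m and m.group("base") == base:
            found.append((int(m.group("ts")), os.path.join(spool_dir, name)))
    return [path for _, path in sorted(found)]


def active_outputs(conf_text):
    """Output plugin names that are enabled in a barnyard.conf (a leading '#' disables a line)."""
    outs = []
    for line in conf_text.splitlines():
        m = re.match(r"^\s*output\s+([A-Za-z0-9_]+)", line)
        if m:
            outs.append(m.group(1))
    return outs


def check_pairing(spool_dir, base, conf_text):
    """Report whether barnyard, given -d spool_dir -f base and this config, can produce anything.

    Returns the spool files found, the types seen in them, the enabled outputs, and the
    outputs that can never fire because their type (alert_* vs log_*) does not match
    the spool they would be fed from.
    """
    files = list_spools(spool_dir, base)
    types = {spool_type(p) for p in files}
    outs = active_outputs(conf_text)
    unreachable = [o for o in outs
                   if (o.startswith("alert_") and "alert" not in types)
                   or (o.startswith("log_") and "log" not in types)]
    return {"files": len(files), "spool_types": sorted(types), "outputs": outs,
            "unreachable_outputs": unreachable,
            "ok": bool(files) and bool(outs) and not unreachable}


def build_sample_spool(spool_dir):
    """Constructed sample: one alert spool and one log spool with the headers snort writes."""
    # UnifiedAlertFileHeader: magic, version major, version minor, timezone
    alert_hdr = struct.pack("<IIII", UNIFIED_ALERT_MAGIC, 1, 81, 0)
    # UnifiedLogFileHeader: magic, ver major, ver minor, timezone, sigfigs, snaplen, linktype
    log_hdr = struct.pack("<IHHIIII", UNIFIED_LOG_MAGIC, 1, 2, 0, 0, 1514, 1)
    with open(os.path.join(spool_dir, "snort.alert.1159460000"), "wb") as fh:
        fh.write(alert_hdr)
    with open(os.path.join(spool_dir, "snort.log.1159460000"), "wb") as fh:
        fh.write(log_hdr)


def make_sample_dir():
    """Create a temporary spool directory holding the constructed sample files."""
    spool_dir = tempfile.mkdtemp(prefix="snort-spool-")
    build_sample_spool(spool_dir)
    return spool_dir


if __name__ == "__main__":
    # Same shape as the thread's config: alert_fast on, log_dump commented out.
    conf = "output alert_fast: barnyard.alert\n#COMMENTED OUT. output log_dump\n"
    spool_dir = make_sample_dir()
    for base in ("snort.alert", "snort.log"):
        print(base, check_pairing(spool_dir, base, conf))
```

Run it against a real box as check_pairing("/var/log/snort", "<the -f base>", open("/etc/snort/barnyard.conf").read()): an empty "files" list means snort is not writing that spool at all (Joel's question), "empty" in spool_types means the file exists but has no header yet, and a non-empty "unreachable_outputs" list means the enabled output plugins are of the wrong type for the spool barnyard was pointed at, so nothing is emitted even though both daemons run.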
Current thread:
- upgrading to snort 2.6 Derek Stinchfield (Sep 28)
- Re: upgrading to snort 2.6 Joel Esler (Sep 28)
- <Possible follow-ups>
- Re: upgrading to snort 2.6 Derek Stinchfield (Sep 28)
- Re: upgrading to snort 2.6 Derek Stinchfield (Sep 29)
- Re: upgrading to snort 2.6 Jason (Sep 29)