Snort mailing list archives

Re: Problems with Snort, Barnyard2, BASE on SUSE 11


From: Michael Sloan <sloan () caps fsu edu>
Date: Thu, 29 Apr 2010 09:43:57 -0400

It seems the database got populated quickly after I restarted snort and barnyard this morning, but that leads to other questions/problems.

There are now 131 alerts in BASE, all the same: SSH Protocol Mismatch, which from the BASE environment seems to be ID 128-4, although this format doesn't match up with anything at snortid.com. I did see a thread in the forums about having to alter BASE to point to snortid.com instead of snort.org for the extended information on any given alert. All the alerts give my desktop as the source address (I'm connecting to the server via SSH). Attempting to drill down into the alert data gives:

/srv/www/htdocs/base-1.4.5/base_qry_alert.php:535: db->DB->MetaColumnNames('data') is NOT an array. Ignoring.

All of the alerts are from this morning, approximately a 1-minute timespan, (matching the time I restarted Snort from an SSH session) despite the 135k snort.log file with a timestamp from yesterday.

I checked the snort database to make sure it looked like it had been created correctly. It has 22 rows, created by:

cd /usr/local/src/snort-2.8.5.3/schemas
mysql -u root -p < create_mysql snort

The following in /var/log/messages is also of concern:

Apr 29 08:51:42 capstest barnyard2[15828]: database: mysql_error: MySQL server has gone away SQL=BEGIN
Apr 29 08:51:42 capstest barnyard2[15828]: database: mysql_error: MySQL server has gone away
Apr 29 08:51:42 capstest barnyard2[15828]: database: mysql_error: MySQL server has gone away SQL=INSERT INTO signature (sig_name,sig_priority,sig_rev,sig_sid,sig_gid) VALUES ('ssh: Protocol mismatch',3,1,4,128)
Apr 29 08:51:42 capstest barnyard2[15828]: database: mysql_error: MySQL server has gone away
Apr 29 08:51:42 capstest barnyard2[15828]: database: Problem inserting a new signature 'ssh: Protocol mismatch': INSERT INTO signature (sig_name,sig_priority,sig_rev,sig_sid,sig_gid) VALUES ('ssh: Protocol mismatch',3,1,4,128)
Apr 29 08:51:42 capstest barnyard2[15828]: database: mysql_error: MySQL server has gone away SQL=INSERT INTO event (sid,cid,signature,timestamp) VALUES (3, 131, 0, '2010-04-29 08:51:41')
Apr 29 08:51:42 capstest barnyard2[15828]: database: mysql_error: MySQL server has gone away SQL=ROLLBACK

I've seen references to this in the forums, but had not seen any solutions to this outside of restarting snort every 20-30 minutes. I'm beginning to think that maybe removing everything and starting over might be better, although I don't know that my results will differ a lot.

On 4/28/2010 3:35 PM, Joel Esler wrote:
Do you have any information in the database?  Can you check that?

J


On Wed, Apr 28, 2010 at 3:04 PM, Michael Sloan <sloan () caps fsu edu> wrote:

    I've tried to set up Snort on SUSE Linux Enterprise Server 11, and have
    run into troubles. I think it might have been working at one point, but
    now I think it's stopped, but I'm not sure, and I'm not entirely sure I
    even compiled and configured everything correctly.

    I'm using Snort 2.8.5.3, Base 1.4.5, Barnyard2 1.8, and mySQL 5.0.67

    Barnyard2: compiled with --enable-mysql

    Snort: compiled with --enable-targetbased (I could not get --with-mysql
    to work, and didn't actually peruse the mailing lists until long after I
    got everything installed and possibly configured)

    In snort.conf:
      output unified2: filename snort.log, limit 128

    In barnyard2.conf:
      output database: alert, mysql, user=snort password=TopSecretPassword dbname=snort host=localhost

    mysql reports that the user snort@localhost has
      SELECT, INSERT, UPDATE, DELETE, CREATE on snort.*
      SELECT, INSERT, UPDATE on snort.sensor

    Snort is started with:
      /usr/local/bin/snort -c /etc/snort/snort.conf -i eth0 -d -D -u snort

    And barnyard2 is started with:
      /usr/local/bin/barnyard2 -c /etc/snort/barnyard2.conf -D -d /var/log/snort -f snort.log -u snort

    After a couple of weeks, I see that snort.log is 133k, but no alerts
    whatsoever have been displayed in BASE. BASE is showing the proper
    database name, and user.

    I see in /var/log/messages (after restarting snort and barnyard2 today)
    that barnyard2 read 706 records from the 133k file. I do not see any
    errors in the mysqld logs.

    I've looked at installation guides for SUSE 10, Fedora Core 11, and read
    enough from different sources that now I really have no idea what could
    be wrong and, after spending quite a few hours on this over the course of
    the last few weeks, I've run out of ideas on what to tweak and change.

    Any suggestions (or requests for further information needed) would be
    greatly appreciated.


    --
    Michael Sloan
    Systems Administrator
    FSU Center for Advanced Power Systems
    sloan () caps fsu edu


    ------------------------------------------------------------------------------
    _______________________________________________
    Snort-users mailing list
    Snort-users () lists sourceforge net
    Go to this URL to change user options or unsubscribe:
    https://lists.sourceforge.net/lists/listinfo/snort-users
    Snort-users list archive:
    http://www.geocrawler.com/redir-sf.php3?list=snort-users




--
Michael Sloan
Systems Administrator
FSU Center for Advanced Power Systems
sloan () caps fsu edu

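A log-triage helper for the barnyard2 messages quoted above, written as an added example (it is not code from this thread or from the Snort/Barnyard2 projects). It picks the barnyard2 database-plugin lines out of a /var/log/messages extract, records which SQL statements MySQL refused with "server has gone away", maps the failed signature INSERT to the gid:sid that BASE displays (128:4 in the quoted log) and emits SELECTs to confirm whether those rows are actually missing. The sample log is constructed from the lines quoted in the message plus one unrelated sshd line; the table and column names are the ones visible in the quoted INSERT statements, and the regular expressions assume barnyard2's wording of those messages as shown there.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the barnyard2 lines quoted in the thread
# (one unrelated sshd line added to show that non-barnyard2 lines are skipped).
SAMPLE_LOG = """\
Apr 29 08:51:42 capstest barnyard2[15828]: database: mysql_error: MySQL server has gone away SQL=BEGIN
Apr 29 08:51:42 capstest barnyard2[15828]: database: mysql_error: MySQL server has gone away
Apr 29 08:51:42 capstest barnyard2[15828]: database: mysql_error: MySQL server has gone away SQL=INSERT INTO signature (sig_name,sig_priority,sig_rev,sig_sid,sig_gid) VALUES ('ssh: Protocol mismatch',3,1,4,128)
Apr 29 08:51:42 capstest barnyard2[15828]: database: mysql_error: MySQL server has gone away
Apr 29 08:51:42 capstest barnyard2[15828]: database: Problem inserting a new signature 'ssh: Protocol mismatch': INSERT INTO signature (sig_name,sig_priority,sig_rev,sig_sid,sig_gid) VALUES ('ssh: Protocol mismatch',3,1,4,128)
Apr 29 08:51:42 capstest barnyard2[15828]: database: mysql_error: MySQL server has gone away SQL=INSERT INTO event (sid,cid,signature,timestamp) VALUES (3, 131, 0, '2010-04-29 08:51:41')
Apr 29 08:51:42 capstest barnyard2[15828]: database: mysql_error: MySQL server has gone away SQL=ROLLBACK
Apr 29 08:51:43 capstest sshd[15900]: Accepted publickey for sloan from 10.0.0.5 port 51234 ssh2
"""

# syslog prefix followed by a message from barnyard2's "database:" output plugin
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"barnyard2\[(?P<pid>\d+)\]: database: (?P<msg>.*)$"
)
GONE_RE = re.compile(r"mysql_error: MySQL server has gone away(?: SQL=(?P<sql>.*))?$")
SIG_RE = re.compile(
    r"INSERT INTO signature \(sig_name,sig_priority,sig_rev,sig_sid,sig_gid\) "
    r"VALUES \('(?P<name>[^']*)',(?P<prio>\d+),(?P<rev>\d+),(?P<sid>\d+),(?P<gid>\d+)\)"
)
EVENT_RE = re.compile(
    r"INSERT INTO event \(sid,cid,signature,timestamp\) "
    r"VALUES \((?P<sensor>\d+), (?P<cid>\d+), (?P<sig>\d+), '(?P<ts>[^']*)'\)"
)


def _new_entry():
    return {
        "gone_away": 0,          # number of "server has gone away" messages
        "failed_sql": [],        # statements that were refused, in order
        "lost_signatures": [],   # "gid:sid" as BASE displays it (128:4 here)
        "lost_events": [],       # event rows whose INSERT failed
        "rolled_back": False,    # the transaction ended with a failed ROLLBACK
    }


def parse_barnyard2_db_errors(text):
    """Group barnyard2 'database:' messages by PID and pull out which SQL
    statements were refused because the MySQL connection had gone away."""
    report = defaultdict(_new_entry)
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a barnyard2 database-plugin message
        entry = report[int(m.group("pid"))]
        g = GONE_RE.match(m.group("msg"))
        if not g:
            continue  # e.g. the "Problem inserting a new signature" follow-up
        entry["gone_away"] += 1
        sql = g.group("sql")
        if not sql:
            continue  # bare error line with no statement attached
        entry["failed_sql"].append(sql)
        if sql == "ROLLBACK":
            entry["rolled_back"] = True
        s = SIG_RE.match(sql)
        if s:
            entry["lost_signatures"].append(f"{s.group('gid')}:{s.group('sid')}")
        e = EVENT_RE.match(sql)
        if e:
            entry["lost_events"].append({
                "sensor": int(e.group("sensor")),
                "cid": int(e.group("cid")),
                # 0 here means barnyard2 had no signature row id to reference,
                # which follows from the signature INSERT just before it failing
                "signature": int(e.group("sig")),
                "timestamp": e.group("ts"),
            })
    return dict(report)


def verification_queries(report):
    """SELECTs an admin can run against the snort database to confirm
    whether the rows barnyard2 reported as failed really are missing."""
    queries = []
    for entry in report.values():
        for gid_sid in entry["lost_signatures"]:
            gid, sid = gid_sid.split(":")
            queries.append(f"SELECT * FROM signature WHERE sig_gid={gid} AND sig_sid={sid};")
        for ev in entry["lost_events"]:
            queries.append(f"SELECT * FROM event WHERE sid={ev['sensor']} AND cid={ev['cid']};")
    return queries


if __name__ == "__main__":
    report = parse_barnyard2_db_errors(SAMPLE_LOG)
    for pid, entry in report.items():
        print(f"barnyard2[{pid}]: {entry['gone_away']} 'gone away' errors, "
              f"{len(entry['failed_sql'])} statements lost, rolled back: {entry['rolled_back']}")
        print("  signatures not stored:", entry["lost_signatures"])
        print("  events not stored:    ", entry["lost_events"])
    print("queries to confirm against the snort database:")
    for q in verification_queries(report):
        print("  " + q)
```

Run it against a real extract with `grep 'barnyard2\[' /var/log/messages` piped into the script in place of SAMPLE_LOG. The script only classifies what barnyard2 logged; it does not diagnose why the connection dropped. As a general MySQL fact, independent of this thread, error 2006 "MySQL server has gone away" is the client library reporting that the server side of the connection is gone, and on a client that can sit idle for long stretches the server's wait_timeout expiring before the next statement is one of the usual reasons, which can be checked with SHOW VARIABLES LIKE 'wait_timeout'.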
