Snort mailing list archives

Re: Snort 2.9.0.2 / barnyard2 / base 1.4.5 signature not displayed and is unclassified


From: Jun Wan <junwei_wan () hotmail com>
Date: Sat, 25 Dec 2010 09:35:21 +0000


Hi Jefferson,
 
Thanks for your help; it's very informative. I will certainly try it again using your recommendation.
 
Merry Christmas to you and all from the list.
 
Regards
 
John
 
From: Shawn.Jefferson () bcferries com
To: junwei_wan () hotmail com
CC: snort-users () lists sourceforge net
Date: Tue, 21 Dec 2010 11:50:12 -0700
Subject: RE: [Snort-users] Snort 2.9.0.2 / barnyard2 / base 1.4.5 signature not displayed and is unclassified

Hi, (answers in-line)

1.) Do I have to install Snort via "sudo apt-get install snort-mysql" in order to make BASE work?    

No, you don't and it isn't recommended. You should run Snort with Unified2 output, and use Barnyard2 to parse those 
and insert into your MySQL database. From the output you have shown below, it looks like you had/have an error in 
your barnyard2 config.

2.) Do I get the newest version (e.g. 2.9.0.3, etc) of Snort via "sudo apt-get install snort-mysql" ?

I would compile and install from source... I do that personally. You don't need to compile in MySQL support in that 
case. This is the way I compile:

./configure --enable-perfprofiling --enable-targetbased --enable-reload --enable-zlib --enable-decoder-preprocessor-rules
make
make install

Hope that makes sense.

________________________________________
From: Jun Wan [mailto:junwei_wan () hotmail com] 
Sent: Monday, December 20, 2010 3:22 PM
To: Jefferson, Shawn
Cc: snort-users () lists sourceforge net
Subject: RE: [Snort-users] Snort 2.9.0.2 / barnyard2 / base 1.4.5 signature not displayed and is unclassified

Hi Shawn,
 
I followed two setup guides to install Snort by using "sudo apt-get install snort-mysql" : 
1.) https://wwwx.cs.unc.edu/~hays/archives/2010/03/entry_23.php      The Snort version was 2.8.4.1 on Ubuntu 9.1, 
Snort & BASE worked fine, this was my first Snort experience.
2.) http://it.thelibrarie.com/weblog/2010/06/installing-snort-on-ubuntu-10-04/   The Snort version was 2.8.x.x (?) on 
Ubuntu 10. Barnyard2 failed to initialize, please see the following:
-== Initializing Barnyard2 ==-
Initializing Input Plugins!
Initializing Output Plugins!
Parsing config file "/etc/snort/barnyard2.conf"
ERROR: /etc/snort/barnyard2.conf(310) Undefined variable name: 12.
Fatal Error, Quitting..
 
barnyard2 still failed despite the fact that I took the suggestions from others. Then I moved on and tried Snort 
Report 1.3.1 on Snort 2.8.6.0 and 2.9.0.0; they are working okay except for the slowness of loading data into a browser. 
These two Snort IDS boxes are running in my company's live network at the moment after some fine tuning via snort.conf, 
emerging.conf, threshold.conf and individual rules.
 
My questions would be:
 
1.) Do I have to install Snort via "sudo apt-get install snort-mysql" in order to make BASE work?    
2.) Do I get the newest version (e.g. 2.9.0.3, etc) of Snort via "sudo apt-get install snort-mysql" ?
 
Any information and help would be much appreciated.
 
Thanks
 
Regards
 
John
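As an added example (not from this thread or from the barnyard2 project), a small Python checker that mimics the variable-expansion pass behind the "Undefined variable name" error quoted above, run over a constructed barnyard2.conf for the unified2-to-MySQL pipeline Shawn recommends. It assumes barnyard2 expands `$NAME` references the way Snort's config parser does, and that a literal `$` in a value (here a made-up password) is one way such an error can arise; the poster's actual line 310 is never shown, so that is an illustration, not a diagnosis.

```python
import re

# Assumption: barnyard2 reuses Snort's config parser, which expands $NAME and
# $(NAME) references on every line and aborts with
#   ERROR: <file>(<line>) Undefined variable name: <NAME>.
# This stand-alone checker (not barnyard2 code) mimics that pass so a bad line
# is reported before the daemon is started.
VAR_REF = re.compile(r"\$\(?([A-Za-z0-9_]+)\)?")
VAR_DEF = re.compile(r"^\s*var\s+(\w+)\s+(.*)$")

# Constructed barnyard2.conf excerpt for the unified2 -> MySQL pipeline the
# thread recommends.  Line 9 has a literal '$' in a (made-up) password, which
# the expansion pass would read as a reference to a variable named "12".
SAMPLE_CONF = """\
# constructed example, not the poster's configuration
var LOG_DIR /var/log/snort
config reference_file: /etc/snort/reference.config
config classification_file: /etc/snort/classification.config
config hostname: sensor1
config interface: eth0
input unified2
output alert_fast: $LOG_DIR/alert
output database: log, mysql, user=snort password=s3cr$12! dbname=snort host=localhost
"""


def undefined_refs(line, defined):
    """Names referenced as $NAME or $(NAME) on this line that are not yet defined."""
    return [name for name in VAR_REF.findall(line) if name not in defined]


def check_config(text, path="barnyard2.conf"):
    """Return barnyard2-style error strings, one per undefined variable reference."""
    defined, errors = set(), []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].rstrip()  # drop comments ('#' inside a value is not handled)
        m = VAR_DEF.match(line)
        # a 'var' line may use earlier variables: scan only its value, then register its name
        scan = m.group(2) if m else line
        errors += [f"ERROR: {path}({lineno}) Undefined variable name: {ref}."
                   for ref in undefined_refs(scan, defined)]
        if m:
            defined.add(m.group(1))
    return errors


if __name__ == "__main__":
    print("\n".join(check_config(SAMPLE_CONF, "/etc/snort/barnyard2.conf")) or "config OK")
```

Running it on the sample reports line 9, in the same `file(line) Undefined variable name: NAME.` shape barnyard2 printed for line 310 in the thread.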
 
 
________________________________________
From: Shawn.Jefferson () bcferries com
To: junwei_wan () hotmail com; randy () procyonlabs com
CC: snort-users () lists sourceforge net
Date: Mon, 20 Dec 2010 12:35:35 -0700
Subject: RE: [Snort-users] Snort 2.9.0.2 / barnyard2 / base 1.4.5 signature not displayed and is unclassified

Hmm, I just did that very thing.  What problems are you having?
 
________________________________________
From: Jun Wan [mailto:junwei_wan () hotmail com] 
Sent: Monday, December 20, 2010 2:36 AM
To: randy () procyonlabs com
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Snort 2.9.0.2 / barnyard2 / base 1.4.5 signature not displayed and is unclassified
 
Hi Randy,
 
It's good news, I would love to try BASE again.
 
I am using Ubuntu 10.04 at the moment, do you have any guide for Ubuntu 10.04?
 
I would like to set up Snort 2.9.0.2 / barnyard2 / base 1.4.5 on Ubuntu 10.04.
 
Many thanks in advance
 
Regards
 
John
 
Date: Sun, 19 Dec 2010 21:45:29 -0500
From: randy () procyonlabs com
To: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Snort 2.9.0.2 / barnyard2 / base 1.4.5 signature not displayed and is unclassified

On 12/19/2010 9:06 PM, Jun Wan wrote:
Hi Joe,

I am using Snort 2.8.6 & 2.9.0 / barnyard2 / Snort Report 1.3.0; they are okay
but they are very slow to load the data into the browser.

I used Snort 2.8.5.3 / barnyard2 / base 1.4.5 before by
following https://wwwx.cs.unc.edu/~hays/archives/2010/03/entry_23.php, I
loved BASE as it's much faster than Snort Report.

I just wonder if you have some setup instruction/guide I can follow to
setup Snort 2.9.0.2 / barnyard2 / base 1.4.5.

Any information and help would be much appreciated.

I'm actually one of the BASE developers (though it is mid-transition to
a new lead and a newer version at some point, so you won't see much
action right now) and I help on Barnyard2.

I also do a lot of guides. What platform/OS are you looking for help on?
I think you mentioned RHEL - what version? I'm currently working on a
RHEL 6.0 guide for x86_64 that should be ready later this week.

Thanks,
Randy

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
