Snort mailing list archives
Re: Barnyard2 startup issue
From: James Lay <jlay () slave-tothe-box net>
Date: Fri, 22 Jul 2011 07:00:16 -0600
From: "Aycock, Jeff R." <JEFF.R.AYCOCK () saic com>
Date: Fri, 22 Jul 2011 08:06:17 -0400
To: Snort <snort-users () lists sourceforge net>
Subject: [Snort-users] Barnyard2 startup issue
Running in Continuous mode
--== Initializing Barnyard2 ==--
Initializing Input Plugins!
Initializing Output Plugins!
Parsing config file "/etc/snort/barnyard2.conf"
..
sguil: Connected to localhost on 7735.
ERROR: Connecton closed by client
sguil: Connected to localhost on 7735.
ERROR: Connecton closed by client
sguil: Connected to localhost on 7735.
ERROR: Connecton closed by client
.
Jeff,
As much as I appreciated Sguil's desire to go under a different user and
what not, just for testing this thing out it seemed like it took over my
already installed snort. Here's what I did to get (limited) success:
Created dir /opt/bin/sguil and slapped all the executable scripts there
Created dir /opt/etc/sguild and put all the sguild.* config files as well as the certs and lib dir, and autocat.conf
Created dir /opt/etc/sguild_agents and put all the agent conf files in there
sguild:
total 64
-rw-r--r-- 1 root root 2167 2011-07-09 09:18 autocat.conf
drwxr-xr-x 2 root root 4096 2011-07-09 14:35 certs
drwxr-xr-x 2 root root 4096 2011-07-09 14:45 lib
-rwxr-xr-x 1 root root 27498 2011-07-09 09:18 sguild
-rw-r--r-- 1 root root 1286 2011-07-09 09:18 sguild.access
-rw-r--r-- 1 root root 2669 2011-07-12 18:44 sguild.conf
-rw-r--r-- 1 root root 2992 2011-07-09 09:18 sguild.email
-rw-r--r-- 1 root root 789 2011-07-09 09:18 sguild.queries
-rw-r--r-- 1 root root 2992 2011-07-09 09:18 sguild.reports
-rw-r--r-- 1 root root 344 2011-07-09 09:18 sguild.users
sguild_agents:
total 28
-rw-r--r-- 1 root root 761 2011-07-10 08:38 example_agent.conf
-rw-r--r-- 1 root root 961 2011-07-10 08:38 pads_agent.conf
-rw-r--r-- 1 root root 1661 2011-07-10 08:38 pcap_agent.conf
-rw-r--r-- 1 root root 1839 2011-07-10 08:38 pcap_agent-sancp.conf
-rw-r--r-- 1 root root 1279 2011-07-10 08:38 sancp_agent.conf
-rw-r--r-- 1 root root 896 2011-07-10 08:38 sancp-indexed.conf
-rw-r--r-- 1 root root 1676 2011-07-12 19:01 snort_agent.conf
I'd run all these in separate consoles in the foreground so you can see
what's going on. Change dirs to suit your needs:
sudo /opt/bin/snort -i eth1 -c /opt/etc/snort/sguilsnort.conf
sudo /opt/bin/sguil/sguild -c /opt/etc/snort/sguild/sguild.conf -C /opt/etc/snort/sguild/certs -a /opt/etc/snort/sguild/autocat.conf -g /opt/etc/snort/sguild/sguild.queries -A /opt/etc/snort/sguild/sguild.access
sudo /opt/bin/sguil/snort_agent.tcl -c /opt/etc/snort/sguild_agents/snort_agent.conf
sudo barnyard2 -c /opt/etc/snort/barnyard2.conf -d /var/log/snort -f sguil.u2 -w /var/log/snort/sguil.waldo
Sguild.conf:
set SGUILD_LIB_PATH /opt/etc/snort/sguild/lib
set DEBUG 2
set DAEMON 0
set SYSLOGFACILITY daemon
set SENSOR_AGGREGATION_ON 1
set SERVERPORT 7734
set SENSORPORT 7736
set RULESDIR /opt/etc/snort/rules
set TMPDATADIR /tmp
set DBNAME sguildb
set DBPASS "yourpass"
set DBHOST localhost
set DBPORT 3306
set DBUSER sguil
set LOCAL_LOG_DIR /var/log/snort/sguild_archive
set TMP_LOAD_DIR /tmp/load
set TCPFLOW "/usr/bin/tcpflow"
set P0F 1
set P0F_PATH "/usr/sbin/p0f"
sguild_agent.conf:
set DEBUG 1
set DAEMON 0
set SERVER_HOST localhost
set SERVER_PORT 7736
set BY_PORT 7735
set HOSTNAME gateway
set NET_GROUP Ext_Net
set LOG_DIR /var/log/snort
set PORTSCAN 0
set PORTSCAN_DIR ${LOG_DIR}/portscans
set SNORT_PERF_STATS 1
set SNORT_PERF_FILE "${LOG_DIR}/snort.stats"
set WATCH_DIR ${LOG_DIR}
set PS_CHECK_DELAY_IN_MSECS 10000
set DISK_CHECK_DELAY_IN_MSECS 1800000
set PING_DELAY 300000
barnyard2.conf:
config reference_file: /opt/etc/snort/reference.config
config classification_file: /opt/etc/snort/classification.config
config gen_file: /opt/etc/snort/gen-msg.map
config sid_file: /opt/etc/snort/sid-msg.map
config hostname: gateway
config interface: eth1
input unified2
output alert_fast: stdout
output sguil: agent_port=7735, sensor_name=gateway
Sguilsnort.conf areas pertaining to sguil:
preprocessor perfmonitor: time 300 file /var/log/snort/snort.stats pktcnt 10000
output alert_syslog: LOG_AUTH LOG_ALERT
output alert_fast: /var/log/snort/sguil.fast
output log_tcpdump: /var/log/snort/sguil.pcap
output unified2: filename /var/log/snort/sguil.u2
Alas, even after the amazing PITA it was to have to manually compile all
the tcl stuff (Ubuntu's tcl packages are all threaded, which sguil isn't),
I still don't really run it... the tcl interface on a 2.93 GHz Intel Core
i7 Mac runs slow as dirt. Good luck!
James
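The chain James posted has three hops that must agree with each other: barnyard2's `output sguil:` line connects to snort_agent.tcl on `agent_port`, which is the agent's `BY_PORT`; the agent connects to sguild on `SERVER_PORT`, which is sguild's `SENSORPORT`; and the posted configs keep barnyard2's `sensor_name` equal to the agent's `HOSTNAME`. The script below is an added example, not code from the thread or from the sguil or barnyard2 projects. It parses the `set NAME VALUE` style of the sguild/agent configs and the `output sguil:` option list, then reports any pairing that does not line up. The three embedded configs are constructed to carry the same values as the ones posted; the function and variable names are mine.

```python
"""Cross-check port and sensor-name pairings between barnyard2.conf,
snort_agent.conf and sguild.conf (added example, not part of the thread).

Pairings checked (taken from the posted configs):
  barnyard2 agent_port   == snort_agent BY_PORT
  barnyard2 sensor_name  == snort_agent HOSTNAME
  snort_agent SERVER_PORT == sguild SENSORPORT
"""
import re

# Constructed sample configs: same values as the ones posted in the thread.
BARNYARD2_CONF = """\
config hostname: gateway
config interface: eth1
input unified2
output alert_fast: stdout
output sguil: agent_port=7735, sensor_name=gateway
"""

SNORT_AGENT_CONF = """\
set DEBUG 1
set DAEMON 0
set SERVER_HOST localhost
set SERVER_PORT 7736
set BY_PORT 7735
set HOSTNAME gateway
"""

SGUILD_CONF = """\
set DAEMON 0
set SERVERPORT 7734
set SENSORPORT 7736
set DBPORT 3306
"""


def parse_tcl_sets(text):
    """Parse 'set NAME VALUE' lines (sguild/agent config style) into a dict.
    Surrounding double quotes are stripped; blank and comment lines skipped."""
    result = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r'set\s+(\S+)\s+(.*)$', line)
        if m:
            result[m.group(1)] = m.group(2).strip().strip('"')
    return result


def parse_barnyard2_sguil_output(text):
    """Return the key=value options of the 'output sguil:' line as a dict,
    or an empty dict if barnyard2 has no sguil output plugin configured."""
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("output sguil:"):
            opts = line[len("output sguil:"):]
            return dict(
                (k.strip(), v.strip())
                for k, v in (item.split("=", 1)
                             for item in opts.split(",") if "=" in item)
            )
    return {}


def check_sguil_chain(barnyard2_text, agent_text, sguild_text):
    """Return a list of human-readable mismatches; an empty list means the
    three configs agree on every pairing listed in the module docstring."""
    problems = []
    by = parse_barnyard2_sguil_output(barnyard2_text)
    agent = parse_tcl_sets(agent_text)
    sguild = parse_tcl_sets(sguild_text)

    if not by:
        problems.append("barnyard2.conf has no 'output sguil:' line")
        return problems

    # Hop 1: barnyard2 -> snort_agent.tcl
    if by.get("agent_port") != agent.get("BY_PORT"):
        problems.append("barnyard2 agent_port=%s but agent BY_PORT=%s"
                        % (by.get("agent_port"), agent.get("BY_PORT")))
    if by.get("sensor_name") != agent.get("HOSTNAME"):
        problems.append("barnyard2 sensor_name=%s but agent HOSTNAME=%s"
                        % (by.get("sensor_name"), agent.get("HOSTNAME")))

    # Hop 2: snort_agent.tcl -> sguild
    if agent.get("SERVER_PORT") != sguild.get("SENSORPORT"):
        problems.append("agent SERVER_PORT=%s but sguild SENSORPORT=%s"
                        % (agent.get("SERVER_PORT"), sguild.get("SENSORPORT")))
    return problems


if __name__ == "__main__":
    found = check_sguil_chain(BARNYARD2_CONF, SNORT_AGENT_CONF, SGUILD_CONF)
    for line in found or ["configs are consistent"]:
        print(line)
```

To use it against real files, read each config with `open(path).read()` and pass the three strings to `check_sguil_chain`; a repeated "Connection closed" loop on the barnyard2 side is a good moment to confirm that the first hop's port and sensor name actually match before digging further.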
