Re: Problem with using 2 sensors

[Mike Boeckeler <boeckelr () gmail com>]

Hi Kev,

I'm glad that I asked that question, but unfortunately it leads to more
questions:

1) Just so I know that we are on the same page....will doing all of this
allow me to successfully use 2 sensors...with one MySQL database and one
Base install?

2)  Second, I was always under the impression that when setting up a Snort
sensor, in order to keep it stealthy you do not assign it an ip address.  If
that is the case, then how do I do what you suggest?  I mean, if I set up
eth1 as follows:  "ifconfig eth1 0.0.0.0", then what ip address do I have
MySQL bind to?

3) Third - when I had Snort/BASE running last week (when it would only
report alerts on one sensor), I noticed that the amount of data shown in
BASE for each alert was kind of skimpy compared to the way it was when I had
it set up in the past.  So that leads me to output questions:

Should I use "output database: log...." or "output database: alert" if I
want to maximize what is captured by Snort/MySQL.

And in Barnyard2.conf should I use "output alert_fast" or "output
alert_full"?

I have looked for the answers to all of these questions - I get conflicting
info on them.  One more thing - If I can ever get this set up successfully,
I am going to write a config guide and submit it to Snort.org - I have
looked thru all of the guides that are currently posted there, and not one
of them mentions half of the things that you all have told me on this
thread.

Take care and thanks again for your help.
Mike


On Sat, Oct 8, 2011 at 8:56 AM, Kevin Ross <kevross33 () googlemail com> wrote:

> Yes. You just need to configure the database user to be snort@REMOTESENSOR IP. Setup mysql to bind to the IP address, 
> point barnyard on the
> remote sensor to log to the remote datababase and then allow access through
> firewall.
>
> i.e
> LOCAL:
> mysql configuration file: bind-address=LOCAL_IP
> iptables -I INPUT 1 -s REMOTE_SENSOR -p tcp --destination-port 3306 -j
> ACCEPT
>
> mysql -u root -p
> grant ALL PRIVILEGES on snort.* to snort@REMOTE_IP with GRANT option;
> SET PASSWORD FOR snort@REMOTE IP=PASSWORD(‘test’);
>
> REMOTE:
> Make sure to write snort Unified 2. Snort opening a database itself rather
> than just writing to unified2 slows snort down significantly as it cannot
> watch the network while doing this; over network will be even slower.
> Barnyard2.conf: output database: log, mssql, dbname=snort user=snort
> password=test host=REMOTE SENSOR IP
> restart barnyard
> Also in barnyard2.conf set the localhost name to be something meaningful to
> that sensor so when you look at snort say with BASE you can narrow down with
> sensor and also see what sensor is actually generating alert:
>
> i.e
> Internet_Sensor
> Server_Room1
> Server_Room2
> Remote_Site1
>
> And so on.  Otherwise you will have difficulty telling which sensors are
> actually generating the alerts. Also use emergingthreats.net signatures
> for more insight into malware and current events.
>
>
> http://www.emergingthreats.net/index.php?option=com_content&view=frontpage&Itemid=1
> You can see rule updates for ET (Free) and ETPRO (paid) here:
> http://blog.emergingthreatspro.com/
>
> Regards, Kev
>
>
>
> On 8 October 2011 02:19, Mike Boeckeler <boeckelr () gmail com> wrote:
>
> > Hi everyone,
> >
> > I wanted to thank all of you for giving such detailed responses.  I am
> > going to try to tackle this again tonite and this weekend.
> >
> > I posted my original message at the bottom of this in case you forgot the
> > issues involved...after reading thru all of your responses I have another
> > question or two:
> >
> > OK, so I will set up two instances of Snort, Barnyard2, 2 unique unified2
> > files etc.....but what about MySQL?  Will the single MySQL database work
> > with this setup?  Or will I need to create a unique database for each
> > sensor....and then a unique install of BASE for each sensor?
> >
> > Thanks again!
> > Mike
> >
> > BTW I don't know where I got the -E command line option from.
> >
> >
> >
> > On Tue, Sep 27, 2011 at 4:27 PM, Lay, James <james.lay () wincofoods com>wrote:
> >
> > > <snip>
> > >
> > > /usr/local/bin/snort -E -u snort -g snort -c /etc/snort/snort.conf -i
> > > eth1 &
> > > /usr/local/bin/snort -E -u snort -g snort -c /etc/snort/snort.conf -i
> > > eth2 &
> > >
> > > /usr/local/bin/barnyard2 -c /etc/snort/barnyard2.conf \
> > > -d /var/log/snort -f snort.log -w /etc/snort/bylog.waldo \
> > > -G /etc/snort/gen-msg.map -S /etc/snort/sid-msg.map \
> > > -C /etc/snort/classification.config
> > >
> > > <snip>
> > >
> > >
> > > Mike,
> > > Just like folks are saying, you'll need two separate instances of both
> > > snort AND barnyard2 (I thought the same thing when I first started with
> > > barnyard...thought "I can run it once and it will read all my u2 files from
> > > all my running snort instances"...wrong ;)).  I would copy snort.conf to
> > > snort1.conf and snort2.conf, and barnyard2.conf to barnyard21.conf and
> > > barnyard22.conf, then change where they log at least where the u2 files are
> > > kept for snort, and change to reflect the interface in both barnyard files.
> > >
> > > Change in your barnyard2 conf files:
> > > Barnyard21:     config interface:  eth1
> > > Barnyard22:     config interface:  eth2
> > >
> > > And in your snort conf files:
> > > Snort1.conf:    output unified2: filename /var/log/snort1/snort1.u2
> > > Snort2.conf:    output unified2: filename /var/log/snort2/snort2.u2
> > >
> > > Then run like so:
> > >
> > > /usr/local/bin/snort -D -u snort -g snort -c /etc/snort/snort1.conf -i
> > > eth1 &
> > > /usr/local/bin/snort -D -u snort -g snort -c /etc/snort/snort2.conf -i
> > > eth2 &
> > >
> > > /usr/local/bin/barnyard2 -c /etc/snort/barnyard21.conf -d
> > > /var/log/snort/snort1 -f snort1.us -w /etc/snort/snort1.waldo
> > > -G /etc/snort/gen-msg.map -S /etc/snort/sid-msg.map -C
> > > /etc/snort/classification.config
> > >
> > > /usr/local/bin/barnyard2 -c /etc/snort/barnyard22.conf -d
> > > /var/log/snort/snort2 -f snort2.us -w /etc/snort/snort2.waldo
> > > -G /etc/snort/gen-msg.map -S /etc/snort/sid-msg.map -C
> > > /etc/snort/classification.config
> > >
> > >
> > > I've found separating out the .u2 files in different directories to be
> > > cleaner (although I have all instances logging to a single all.fast file for
> > > easy monitoring).  You can change the names to whatever...I've found naming
> > > the interfaces (internal/external) and integrating it into the conf name
> > > works well too (intbyard2.conf, intsnort.conf). Hope that helps.
> > >
> > > James
> > >
> > >
> > > ------------------------------------------------------------------------------
> > > All the data continuously generated in your IT infrastructure contains a
> > > definitive record of customers, application performance, security
> > > threats, fraudulent activity and more. Splunk takes this data and makes
> > > sense of it. Business sense. IT sense. Common sense.
> > > http://p.sf.net/sfu/splunk-d2dcopy1
> > > _______________________________________________
> > > Snort-users mailing list
> > > Snort-users () lists sourceforge net
> > > Go to this URL to change user options or unsubscribe:
> > > https://lists.sourceforge.net/lists/listinfo/snort-users
> > > Snort-users list archive:
> > > http://www.geocrawler.com/redir-sf.php3?list=snort-users
> > >
> > > Please visit http://blog.snort.org to stay current on all the latest
> > > Snort news!
> >
> >
> > -------------------------------------------------------------------------------------------
> >
> > Original Message:
> >
> >
> > On Tue, Sep 27, 2011 at 3:53 PM, Mike Boeckeler <boeckelr () gmail com>
> >  wrote:
> >
> > > Hi everyone,
> > >
> > > A few days ago I posted a message about how no matter what I tried, I
> > > could not get my setup running.  Needless to say my frustration level was
> > > off of the charts.
> > >
> > > Anyway I seem to have crossed most of the hurdles and have gotten almost
> > > everything working.  I am running Ubuntu 10.04, Snort 2.9.1,
> > > Snortrules-snapshot-2910, BASE and Barnyard 2.
> > >
> > > I have 3 interfaces - eth0 goes to the Internet for updates etc.....eth1
> > > is a sensor and it is located on a hub between my dsl modem and router.
> > >  eth2 is also a sensor, and it is located on a SPAN port, monitoring traffic
> > > inside of my ASA.
> > >
> > > BTW I used the Snort/Debian install guide posted on Snort.org for most of
> > > this install.
> > >
> > > If I start up first Snort and then Barnyard2 like you see below,
> > > everything runs, but BASE only reports alerts on eth2 (inside my network).
> > >  Also, it only reports that there is 1 interface.
> > >
> > > /usr/local/bin/snort -E -u snort -g snort -c /etc/snort/snort.conf -i
> > > eth1 &
> > > /usr/local/bin/snort -E -u snort -g snort -c /etc/snort/snort.conf -i
> > > eth2 &
> > >
> > > /usr/local/bin/barnyard2 -c /etc/snort/barnyard2.conf \
> > > -d /var/log/snort -f snort.log -w /etc/snort/bylog.waldo \
> > > -G /etc/snort/gen-msg.map -S /etc/snort/sid-msg.map \
> > > -C /etc/snort/classification.config
> > >
> > > Now I know that traffic is getting thru by using Wireshark and tcpdump to
> > > watch eth1 and eth2 as I try to trigger alerts with nmap.
> > >
> > > In fact, if I forget about BASE, Barnyard and Mysql, and run snort like
> > > this:  "snort -i eth1" in one terminal, and "snort -i eth2" in another
> > > terminal, both get the alerts that they should.  So the problem must be in
> > > Mysql, Barnyard2, etc.
> > >
> > > I have tried using two different snort.confs - one for the command that
> > > starts the eth1 instance; and the other for the command that starts the eth2
> > > instance, but to no avail.
> > >
> > > Does anybody have any ideas that might help?  I have emailed Joel
> > > off-list and he provided some good insights on particular issues, but I
> > > still need help with the aforementioned problems.
> > >
> > > I greatly appreciate any help that you guys can provide.
> > >
> > > Thanks!
> > Mike
> >
> >
> >
> > ------------------------------------------------------------------------------
> > All of the data generated in your IT infrastructure is seriously valuable.
> > Why? It contains a definitive record of application performance, security
> > threats, fraudulent activity, and more. Splunk takes this data and makes
> > sense of it. IT sense. And common sense.
> > http://p.sf.net/sfu/splunk-d2dcopy2
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users () lists sourceforge net
> > Go to this URL to change user options or unsubscribe:
> > https://lists.sourceforge.net/lists/listinfo/snort-users
> > Snort-users list archive:
> > http://www.geocrawler.com/redir-sf.php3?list=snort-users
> >
> > Please visit http://blog.snort.org to stay current on all the latest
> > Snort news!
------------------------------------------------------------------------------
All of the data generated in your IT infrastructure is seriously valuable.
Why? It contains a definitive record of application performance, security
threats, fraudulent activity, and more. Splunk takes this data and makes
sense of it. IT sense. And common sense.
http://p.sf.net/sfu/splunk-d2dcopy2

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!