Snort mailing list archives

Re: MySQL support for Snort 2.9.4


From: Kaya Saman <kayasaman () gmail com>
Date: Wed, 12 Dec 2012 03:50:23 +0000

On 12/12/2012 03:37 AM, Jeremy Hoel wrote:

Yeah you!


Next time someone in my house makes cookies everyone's invited :-)

Are you outputting snort in unified2 format and reading that with barnyard2?


Yep:

output unified2: filename snort.u2, limit 128

Share your snort.conf output lines.


Snort.conf is bog standard with:

Top is customized with details of servers and IP addresses, yada yada yada ..... man snort.conf {am glossing over this as it is trivial}

I just changed:

# Path to your rules files (this can be a relative path)
# Note for Windows users:  You are advised to make this an absolute path,
# such as:  c:\snort\rules
var RULE_PATH rules
var SO_RULE_PATH so_rules
var PREPROC_RULE_PATH preproc_rules

# If you are using reputation preprocessor set these
# Currently there is a bug with relative paths, they are relative to where snort is
# not relative to snort.conf like the above variables
# This is completely inconsistent with how other vars work, BUG 89986
# Set the absolute path appropriately
var WHITE_LIST_PATH rules
var BLACK_LIST_PATH rules


###################################################
# Step #4: Configure dynamic loaded libraries.
# For more information, see Snort Manual, Configuring Snort - Dynamic Modules
###################################################

# path to dynamic preprocessor libraries
dynamicpreprocessor directory /usr/local/lib/snort_dynamicpreprocessor/

# path to base preprocessor engine
dynamicengine /usr/local/lib/snort_dynamicengine/libsf_engine.so

# path to dynamic rules libraries
#dynamicdetection directory /usr/local/lib/snort_dynamicrules



###################################################
# Step #7: Customize your rule set
# For more information, see Snort Manual, Writing Snort Rules
#
# NOTE: All categories are enabled in this conf file
###################################################

# site specific rules
#include $RULE_PATH/local.rules

#include $RULE_PATH/attack-responses.rules
#include $RULE_PATH/backdoor.rules
#include $RULE_PATH/bad-traffic.rules
#include $RULE_PATH/blacklist.rules
#include $RULE_PATH/botnet-cnc.rules
#include $RULE_PATH/chat.rules
#include $RULE_PATH/content-replace.rules
#include $RULE_PATH/ddos.rules
#include $RULE_PATH/dns.rules
#include $RULE_PATH/dos.rules
#include $RULE_PATH/exploit.rules
#include $RULE_PATH/file-identify.rules
#include $RULE_PATH/finger.rules
#include $RULE_PATH/ftp.rules
#include $RULE_PATH/icmp.rules
#include $RULE_PATH/icmp-info.rules
#include $RULE_PATH/imap.rules
#include $RULE_PATH/info.rules
#include $RULE_PATH/misc.rules
#include $RULE_PATH/multimedia.rules
#include $RULE_PATH/mysql.rules
#include $RULE_PATH/netbios.rules
#include $RULE_PATH/nntp.rules
#include $RULE_PATH/oracle.rules
#include $RULE_PATH/other-ids.rules
#include $RULE_PATH/p2p.rules
#include $RULE_PATH/phishing-spam.rules
#include $RULE_PATH/policy.rules
#include $RULE_PATH/pop2.rules
#include $RULE_PATH/pop3.rules
#include $RULE_PATH/rpc.rules
#include $RULE_PATH/rservices.rules
#include $RULE_PATH/scada.rules
#include $RULE_PATH/scan.rules
#include $RULE_PATH/shellcode.rules
#include $RULE_PATH/smtp.rules
#include $RULE_PATH/snmp.rules
#include $RULE_PATH/specific-threats.rules
#include $RULE_PATH/spyware-put.rules
#include $RULE_PATH/sql.rules
#include $RULE_PATH/telnet.rules
#include $RULE_PATH/tftp.rules
#include $RULE_PATH/virus.rules
#include $RULE_PATH/voip.rules
#include $RULE_PATH/web-activex.rules
#include $RULE_PATH/web-attacks.rules
#include $RULE_PATH/web-cgi.rules
#include $RULE_PATH/web-client.rules
#include $RULE_PATH/web-coldfusion.rules
#include $RULE_PATH/web-frontpage.rules
#include $RULE_PATH/web-iis.rules
#include $RULE_PATH/web-misc.rules
#include $RULE_PATH/web-php.rules
#include $RULE_PATH/x11.rules



I also wrote a custom script'ish section to produce the file:

#include $RULE_PATH/rule.set

Basically:

(cd rules && ls *.rules) > rule.list   # just the *.rules names; "ls -l | cut -c 50-100" depends on ls column widths and picks up the "total" line
sed 's/^/include $RULE_PATH\//' rule.list > rule.set   # single quotes keep $RULE_PATH literal for Snort to expand


This would be fine for adding any *.rules files to rule.list, which then gets transformed into rule.set; it saves having to write out each line manually!


That's about it.......


# ls -lh /var/log/snort
total 837292
-rw-r--r--  1 _snort  _snort     0B Dec  4 01:21 alert
-rw-------  1 root    _snort   5.1K Dec 12 03:24 snort.u2.1355282592
-rw-------  1 root    _snort     0B Dec 12 03:26 snort.u2.1355282785
-rw-------  1 root    _snort  19.8M Dec 12 03:27 snort.u2.1355282811
-rw-------  1 root    _snort   128M Dec 12 03:32 snort.u2.1355282879
-rw-------  1 root    _snort   128M Dec 12 03:36 snort.u2.1355283128
-rw-------  1 root    _snort   128M Dec 12 03:41 snort.u2.1355283410
-rw-------  1 root    _snort   4.8M Dec 12 03:48 snort.u2.1355283668



Now all I need to do is get Barnyard2 working and with a bit of luck will start being able to see alerts back on Base.

Phew, that was a trek and a half!

On Dec 11, 2012 8:29 PM, "Kaya Saman" <kayasaman () gmail com <mailto:kayasaman () gmail com>> wrote:

    On 12/11/2012 09:54 PM, Joel Esler wrote:

    Doesn't sound like that was the problem.  Looks like you have a
    larger problem.  Traffic not being received or analyzed
    correctly.  You said that all you were getting was icmp alerts,
    and that doesn't sound right (unless that's all you have)

    --
    *Joel Esler*
    Senior Research Engineer, VRT
    OpenSource Community Manager
    Sourcefire


    Finally I got this working!!!! :-)

    Basically all I needed to do was to add the paths for these in and
    take out all the other obsolete rules which weren't working:

    include $RULE_PATH/decoder.rules
    include $RULE_PATH/preprocessor.rules
    include $RULE_PATH/sensitive-data.rules

    Now I get alerts even!

    The only issue is that Barnyard2 is now segfaulting when reading
    the Snort log files? :-( I keep getting "bus error" - which I've
    been having too much of lately!


    Thanks for all the help!


    Regards,


    Kaya

    ------------------------------------------------------------------------------
    LogMeIn Rescue: Anywhere, Anytime Remote support for IT. Free Trial
    Remotely access PCs and mobile devices and provide instant support
    Improve your efficiency, and focus on delivering more value-add
    services
    Discover what IT Professionals Know. Rescue delivers
    http://p.sf.net/sfu/logmein_12329d2d
    _______________________________________________
    Snort-users mailing list
    Snort-users () lists sourceforge net
    <mailto:Snort-users () lists sourceforge net>
    Go to this URL to change user options or unsubscribe:
    https://lists.sourceforge.net/lists/listinfo/snort-users
    Snort-users list archive:
    http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

    Please visit http://blog.snort.org to stay current on all the
    latest Snort news!



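Added example, not from the thread and not code from the Snort or Barnyard2 projects: a small Python reader for the unified2 spool files listed above, so the records Barnyard2 is expected to consume can be inspected directly. It follows the record layouts in Snort's sfunified2/Unified2_common.h (all fields in network byte order), decodes the IPv4 IDS event records (types 7 and 104) and the packet record (type 2), and reports a cut-off trailing record instead of reading past it, which is what a file that Snort is still writing looks like. The sample bytes, sensor/event ids and addresses are constructed for the demonstration. Two things visible in the listing above are worth checking before suspecting the reader: the spool files are mode 0600 and owned by root, so the user Barnyard2 runs as must be able to open them, and one file is 0 bytes.

```python
#!/usr/bin/env python3
"""Read Snort unified2 spool files (added example, not from the thread).

Layouts follow Snort's sfunified2/Unified2_common.h; every field is in
network byte order. Only IPv4 event records and packet records are decoded.
"""
import socket
import struct
import sys
from typing import Dict, Iterator, List, Tuple

UNIFIED2_PACKET = 2
UNIFIED2_IDS_EVENT = 7          # legacy IPv4 event, 52-byte body
UNIFIED2_IDS_EVENT_VLAN = 104   # IPv4 event + mpls_label, vlanId, pad2 (60 bytes)

RECORD_HDR = struct.Struct(">II")        # type, length of the body that follows
IDS_EVENT = struct.Struct(">11I2H4B")    # 52 bytes, common prefix of types 7 and 104
EVENT_EXTRA = struct.Struct(">IHH")      # mpls_label, vlanId, pad2 (type 104 only)
PACKET_HDR = struct.Struct(">7I")        # 28 bytes, then packet_length bytes of packet

EVENT_FIELDS = ("sensor_id", "event_id", "event_second", "event_microsecond",
                "signature_id", "generator_id", "signature_revision",
                "classification_id", "priority_id", "ip_source", "ip_destination",
                "sport_itype", "dport_icode", "protocol", "impact_flag",
                "impact", "blocked")
PACKET_FIELDS = ("sensor_id", "event_id", "event_second", "packet_second",
                 "packet_microsecond", "linktype", "packet_length")


def iter_records(data: bytes) -> Iterator[Tuple[int, bytes]]:
    """Yield (type, body) per complete record. A header or body that runs past
    the end of the buffer (file still being written, or cut off) is yielded
    once as type -1 carrying the leftover bytes, never read past the end."""
    off = 0
    while off < len(data):
        if off + RECORD_HDR.size > len(data):
            yield -1, data[off:]
            return
        rtype, rlen = RECORD_HDR.unpack_from(data, off)
        start = off + RECORD_HDR.size
        if start + rlen > len(data):
            yield -1, data[off:]
            return
        yield rtype, data[start:start + rlen]
        off = start + rlen


def decode_event(rtype: int, body: bytes) -> Dict[str, object]:
    ev = dict(zip(EVENT_FIELDS, IDS_EVENT.unpack_from(body, 0)))
    for key in ("ip_source", "ip_destination"):
        ev[key] = socket.inet_ntoa(struct.pack(">I", ev[key]))
    if rtype == UNIFIED2_IDS_EVENT_VLAN:
        ev["mpls_label"], ev["vlan_id"], _pad = EVENT_EXTRA.unpack_from(body, IDS_EVENT.size)
    ev["sid"] = "%d:%d:%d" % (ev["generator_id"], ev["signature_id"], ev["signature_revision"])
    return ev


def decode_packet(body: bytes) -> Dict[str, object]:
    pkt = dict(zip(PACKET_FIELDS, PACKET_HDR.unpack_from(body, 0)))
    end = PACKET_HDR.size + pkt["packet_length"]
    pkt["packet_data"] = body[PACKET_HDR.size:end]
    return pkt


def read_unified2(data: bytes) -> Tuple[List[dict], List[dict], int]:
    """Return (events, packets, leftover): decoded records and the number of
    trailing bytes that did not form a complete record."""
    events, packets, leftover = [], [], 0
    for rtype, body in iter_records(data):
        if rtype in (UNIFIED2_IDS_EVENT, UNIFIED2_IDS_EVENT_VLAN):
            events.append(decode_event(rtype, body))
        elif rtype == UNIFIED2_PACKET:
            packets.append(decode_packet(body))
        elif rtype == -1:
            leftover = len(body)
        # IPv6 events (72, 105) and extra-data records (110) are skipped here
    return events, packets, leftover


def _ip2int(addr: str) -> int:
    return struct.unpack(">I", socket.inet_aton(addr))[0]


def build_sample() -> bytes:
    """Constructed spool content: one event, its packet, then a cut-off record."""
    ev = IDS_EVENT.pack(1, 42, 1355282592, 0, 1000001, 1, 1, 0, 3,
                        _ip2int("10.0.0.5"), _ip2int("10.0.0.1"),
                        8, 0, 1, 0, 0, 0)             # ICMP echo (type 8), proto 1
    frame = b"\x00" * 14 + b"\x45" + b"\x00" * 21   # 36 filler bytes, not a real capture
    pkt = PACKET_HDR.pack(1, 42, 1355282592, 1355282592, 0, 1, len(frame)) + frame
    cut = RECORD_HDR.pack(UNIFIED2_IDS_EVENT, IDS_EVENT.size) + ev[:10]  # body truncated
    return (RECORD_HDR.pack(UNIFIED2_IDS_EVENT, len(ev)) + ev
            + RECORD_HDR.pack(UNIFIED2_PACKET, len(pkt)) + pkt + cut)


if __name__ == "__main__":
    # usage: unified2_read.py /var/log/snort/snort.u2.1355282592 ...; no args -> sample
    blobs = [open(p, "rb").read() for p in sys.argv[1:]] or [build_sample()]
    for blob in blobs:
        events, packets, leftover = read_unified2(blob)
        for ev in events:
            print("%s %s:%s -> %s:%s proto %s" % (ev["sid"], ev["ip_source"], ev["sport_itype"],
                  ev["ip_destination"], ev["dport_icode"], ev["protocol"]))
        print("%d events, %d packets, %d leftover bytes" % (len(events), len(packets), leftover))
```

Run it against the spool files from the listing (the 128M files are the rollover from `limit 128` on the output line above); a non-zero leftover count on the newest file is normal while Snort is still appending, but a non-zero count on an older, closed file means that file ends mid-record. The file name is a timestamp, so a type/length header that decodes to an unknown type or an implausible length points at the first damaged offset.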