Snort mailing list archives

Re: MySQL support for Snort 2.9.4


From: Jeremy Hoel <jthoel () gmail com>
Date: Tue, 11 Dec 2012 21:19:50 -0700

Have you tried a newer version of by2?  They are up to 2.1.11.

Let me look for the bus error and get some other ideas.
On Dec 11, 2012 9:15 PM, "Kaya Saman" <kayasaman () gmail com> wrote:

 On 12/12/2012 04:07 AM, Jeremy Hoel wrote:

And your barnyard2 is looking in the right directory for the snort.u2
file?  Can you run by2 and paste the output?  And the command line you are
calling for by2


This is what I'm running:

# /usr/local/bin/barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort -f snort.u2
Running in Continuous mode

        --== Initializing Barnyard2 ==--
Initializing Input Plugins!
Initializing Output Plugins!
Parsing config file "/etc/snort/barnyard2.conf"
Log directory = /var/log/barnyard2
Node unique name is: localhost:trunk0

database: compiled support for (mysql)
database: configured to use mysql
database: schema version = 107
database:           host = <mod>
database:           user = <mod>
database:  database name = <mod>
database:    sensor name = localhost:trunk0
database:      sensor id = 9
database:     sensor cid = 1
database:  data encoding = hex
database:   detail level = full
database:     ignore_bpf = no
database: using the "alert" facility

        --== Initialization Complete ==--

  ______   -*> Barnyard2 <*-
 / ,,_  \  Version 2.1.9 (Build 263)
 |o"  )~|  By the SecurixLive.com Team:
http://www.securixlive.com/about.php
 + '''' +  (C) Copyright 2008-2010 SecurixLive.

           Snort by Martin Roesch & The Snort Team:
http://www.snort.org/team.html
           (C) Copyright 1998-2007 Sourcefire Inc., et al.

Using waldo file '/etc/snort/barnyard2.waldo':
    spool directory = /var/log/snort
    spool filebase  = snort.u2
    time_stamp      = 1355280273
    record_idx      = 1
Opened spool file '/var/log/snort/snort.u2.1355282592'
Bus error

 On Dec 11, 2012 8:50 PM, "Kaya Saman" <kayasaman () gmail com> wrote:

 On 12/12/2012 03:37 AM, Jeremy Hoel wrote:

Yeah you!


Next time someone in my house makes cookies everyone's invited :-)

 Are you outputting snort in unified2 format and reading that with
barnyard2?


Yep:

output unified2: filename snort.u2, limit 128

 Share your snort.conf output lines.


Snort.conf is bog standard with:

top customized with details of servers and IP addresses yada yada yada
..... man snort.conf {am glossing as is trivial }

I just changed:

# Path to your rules files (this can be a relative path)
# Note for Windows users:  You are advised to make this an absolute path,
# such as:  c:\snort\rules
var RULE_PATH rules
var SO_RULE_PATH so_rules
var PREPROC_RULE_PATH preproc_rules

# If you are using reputation preprocessor set these
# Currently there is a bug with relative paths, they are relative to where snort is
# not relative to snort.conf like the above variables
# This is completely inconsistent with how other vars work, BUG 89986
# Set the absolute path appropriately
var WHITE_LIST_PATH rules
var BLACK_LIST_PATH rules


###################################################
# Step #4: Configure dynamic loaded libraries.
# For more information, see Snort Manual, Configuring Snort - Dynamic Modules
###################################################

# path to dynamic preprocessor libraries
dynamicpreprocessor directory /usr/local/lib/snort_dynamicpreprocessor/

# path to base preprocessor engine
dynamicengine /usr/local/lib/snort_dynamicengine/libsf_engine.so

# path to dynamic rules libraries
#dynamicdetection directory /usr/local/lib/snort_dynamicrules



###################################################
# Step #7: Customize your rule set
# For more information, see Snort Manual, Writing Snort Rules
#
# NOTE: All categories are enabled in this conf file
###################################################

# site specific rules
#include $RULE_PATH/local.rules

#include $RULE_PATH/attack-responses.rules
#include $RULE_PATH/backdoor.rules
#include $RULE_PATH/bad-traffic.rules
#include $RULE_PATH/blacklist.rules
#include $RULE_PATH/botnet-cnc.rules
#include $RULE_PATH/chat.rules
#include $RULE_PATH/content-replace.rules
#include $RULE_PATH/ddos.rules
#include $RULE_PATH/dns.rules
#include $RULE_PATH/dos.rules
#include $RULE_PATH/exploit.rules
#include $RULE_PATH/file-identify.rules
#include $RULE_PATH/finger.rules
#include $RULE_PATH/ftp.rules
#include $RULE_PATH/icmp.rules
#include $RULE_PATH/icmp-info.rules
#include $RULE_PATH/imap.rules
#include $RULE_PATH/info.rules
#include $RULE_PATH/misc.rules
#include $RULE_PATH/multimedia.rules
#include $RULE_PATH/mysql.rules
#include $RULE_PATH/netbios.rules
#include $RULE_PATH/nntp.rules
#include $RULE_PATH/oracle.rules
#include $RULE_PATH/other-ids.rules
#include $RULE_PATH/p2p.rules
#include $RULE_PATH/phishing-spam.rules
#include $RULE_PATH/policy.rules
#include $RULE_PATH/pop2.rules
#include $RULE_PATH/pop3.rules
#include $RULE_PATH/rpc.rules
#include $RULE_PATH/rservices.rules
#include $RULE_PATH/scada.rules
#include $RULE_PATH/scan.rules
#include $RULE_PATH/shellcode.rules
#include $RULE_PATH/smtp.rules
#include $RULE_PATH/snmp.rules
#include $RULE_PATH/specific-threats.rules
#include $RULE_PATH/spyware-put.rules
#include $RULE_PATH/sql.rules
#include $RULE_PATH/telnet.rules
#include $RULE_PATH/tftp.rules
#include $RULE_PATH/virus.rules
#include $RULE_PATH/voip.rules
#include $RULE_PATH/web-activex.rules
#include $RULE_PATH/web-attacks.rules
#include $RULE_PATH/web-cgi.rules
#include $RULE_PATH/web-client.rules
#include $RULE_PATH/web-coldfusion.rules
#include $RULE_PATH/web-frontpage.rules
#include $RULE_PATH/web-iis.rules
#include $RULE_PATH/web-misc.rules
#include $RULE_PATH/web-php.rules
#include $RULE_PATH/x11.rules



I also wrote a custom script'ish section to produce the file:

#include $RULE_PATH/rule.set

Basically:

# list only the *.rules files; a column cut on "ls -l" output is fragile and picks up the "total" line
ls rules | grep '\.rules$' > rule.list
sed 's/^/include $RULE_PATH\//' rule.list > rule.set


This would be fine for adding any *.rules files to rule.list which then
gets transformed to rule.set; saves having to write out each line manually!


That's about it.......


# ls -lh /var/log/snort
total 837292
-rw-r--r--  1 _snort  _snort     0B Dec  4 01:21 alert
-rw-------  1 root    _snort   5.1K Dec 12 03:24 snort.u2.1355282592
-rw-------  1 root    _snort     0B Dec 12 03:26 snort.u2.1355282785
-rw-------  1 root    _snort  19.8M Dec 12 03:27 snort.u2.1355282811
-rw-------  1 root    _snort   128M Dec 12 03:32 snort.u2.1355282879
-rw-------  1 root    _snort   128M Dec 12 03:36 snort.u2.1355283128
-rw-------  1 root    _snort   128M Dec 12 03:41 snort.u2.1355283410
-rw-------  1 root    _snort   4.8M Dec 12 03:48 snort.u2.1355283668



Now all I need to do is get Barnyard2 working and with a bit of luck will
start being able to see alerts back on Base.

Phew, that was a trek and a half!

 On Dec 11, 2012 8:29 PM, "Kaya Saman" <kayasaman () gmail com> wrote:

 On 12/11/2012 09:54 PM, Joel Esler wrote:


 Doesn't sound like that was the problem.  Looks like you have a larger
problem.  Traffic not being received or analyzed correctly.  You said that
all you were getting was icmp alerts, and that doesn't sound right (unless
that's all you have)

 --
*Joel Esler*
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire


Finally I got this working!!!! :-)

Basically all I needed to do was to add the paths for these in and take
out all the other obsolete rules which weren't working:

include $RULE_PATH/decoder.rules
include $RULE_PATH/preprocessor.rules
include $RULE_PATH/sensitive-data.rules

Now I get alerts even!

The only issue is that Barnyard2 is now segfaulting when reading the
Snort log files? :-( I keep getting "bus error" - which I've been having
too much of lately!


Thanks for all the help!


Regards,


Kaya


------------------------------------------------------------------------------
LogMeIn Rescue: Anywhere, Anytime Remote support for IT. Free Trial
Remotely access PCs and mobile devices and provide instant support
Improve your efficiency, and focus on delivering more value-add services
Discover what IT Professionals Know. Rescue delivers
http://p.sf.net/sfu/logmein_12329d2d
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest
Snort news!
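As an added diagnostic, not from the thread and not part of Barnyard2, a small Python reader that walks the record headers of a unified2 spool file such as the snort.u2.* files listed above, counting record types and stopping at the first truncated or unrecognised record. The record-type values are the unified2 constants from Snort; the sample bytes, the placeholder record bodies and the MAX_RECORD_LEN bound are constructed assumptions.

```python
import struct
from collections import Counter

# Record-type constants from Snort's unified2 header definitions.
RECORD_TYPES = {2: "UNIFIED2_PACKET", 7: "UNIFIED2_IDS_EVENT",
                72: "UNIFIED2_IDS_EVENT_IPV6", 104: "UNIFIED2_IDS_EVENT_V2",
                105: "UNIFIED2_IDS_EVENT_IPV6_V2", 110: "UNIFIED2_EXTRA_DATA"}
HEADER = struct.Struct(">II")   # each record starts with big-endian (type, length)
MAX_RECORD_LEN = 65535 + 64     # assumption: sanity bound; larger means a corrupt header


def scan_unified2(data):
    """Walk the records of a unified2 spool file.

    Returns (count per record type, bytes consumed cleanly, description of the
    first problem or None). Anything a reader like Barnyard2 would choke on
    shows up as the problem string, with the offset to look at in a hex dump.
    """
    counts = Counter()
    offset = 0
    while offset < len(data):
        if len(data) - offset < HEADER.size:
            return dict(counts), offset, "truncated header at offset %d" % offset
        rtype, rlen = HEADER.unpack_from(data, offset)
        name = RECORD_TYPES.get(rtype)
        if name is None or rlen > MAX_RECORD_LEN:
            return dict(counts), offset, "bad header type=%d len=%d at offset %d" % (rtype, rlen, offset)
        if offset + HEADER.size + rlen > len(data):
            return dict(counts), offset, "record %s at offset %d runs past end of file" % (name, offset)
        counts[name] += 1
        offset += HEADER.size + rlen
    return dict(counts), offset, None


def build_record(rtype, payload):
    """Frame a payload as one unified2 record (used here only to build the sample)."""
    return HEADER.pack(rtype, len(payload)) + payload


# Constructed sample: two event records and one packet record with placeholder
# bodies, then a record whose body was cut off (a file still being written).
SAMPLE = (build_record(7, b"\x00" * 52)
          + build_record(2, b"\x00" * 28 + b"\xde\xad")
          + build_record(104, b"\x00" * 60)
          + HEADER.pack(2, 40) + b"\x00" * 10)

if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    print(scan_unified2(data))
```

Run it against the spool file Barnyard2 opened before the bus error; a clean file returns None as the problem, so a reported offset narrows the fault to the file rather than the database output plugin.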