Snort mailing list archives

Re: trying this again (UNCLASSIFIED)


From: "Cass, Mark A CTR (US)" <mark.a.cass2.ctr () mail mil>
Date: Thu, 13 Dec 2012 17:39:58 +0000

Classification: UNCLASSIFIED
Caveats: NONE

Jon (and others),

First let me thank you for your reply.  I'll try to do the best I can at providing the information needed, but I'm by no 
means a Linux master, nor knowledgeable about IDS/IPS systems (but I have a feeling I'm going to be by the end of this).  
This has been a process of mixed guides for various OSes/versions of the software, trying to get things 
installed/configured, for the last few months!  With that said, I honestly don't remember a lot of specifics out of this 
over that time period, but I did happen to capture a few terminal windows, which I hope will help.

To answer your questions:
1. Right now, everything has been compiled from source.  For snort it was 
        ./configure --with-mysql --enable-dynamicplugin --enable-perfprofiling --enable-ipv6 --enable-zlib --enable-gre --enable-reload --enable-linux-smp-stats

2.  It is not running right now, but has successfully.  I've tried it by itself, and with barnyard2 (barnyard2 errors 
out):
        snort -q -u snort -g snort -c /etc/snort/snort.conf -i eth1 & /usr/local/bin/barnyard2 -c /etc/snort/barnyard2.conf \ -d /var/log/snort -f snort.log -w /etc/snort/bylog.waldo \ -G /etc/snort/gen-msg.map -S /etc/snort/sid-msg.map \ -C /etc/snort/classification.config &
        And 
        /usr/local/bin/snort -A console -q -u snort -g snort -c /etc/snort/snort.conf -i eth1

Barnyard2 errors:
        When run by itself with:  
[root@snort bin]# barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort -f snort.log -w /var/log/snort/barnyard2.waldo
        
        Produces:
Using waldo file '/var/log/snort/barnyard2.waldo':
    spool directory = /var/log/snort
    spool filebase  = snort.log
    time_stamp      = 1350485740
    record_idx      = 1
Opened spool file '/var/log/snort/snort.log.1350485740'
barnyard2: spo_database.c:1485: dbProcessSignatureInformation: Assertion `data->mc.plgSigCompare[x].cacheSigObj->obj.db_id != 0' failed.
Aborted (core dumped)

        When run with snort:
[root@snort log]# snort -q -u snort -g snort -c /etc/snort/snort.conf -i eth1 & /usr/local/bin/barnyard2 -c /etc/snort/barnyard2.conf \ -d /var/log/snort -f snort.log -w /etc/snort/bylog.waldo \ -G /etc/snort/gen-msg.map -S /etc/snort/sid-msg.map \ -C /etc/snort/classification.config &
        
        Produces:
A bunch of WARNING messages about duplicate entries in a signature file (about 40k lines of WARNINGS), then
database: [SynchronizeEventId()]: Problems executing [SELECT MAX(cid) FROM data WHERE sid='1';] 
database: [SynchronizeEventId()]: Problems executing [SELECT MAX(cid) FROM event WHERE sid='1';] 
database: [SynchronizeEventId()]: Problems executing [SELECT MAX(cid) FROM icmphdr WHERE sid='1';] 
database: [SynchronizeEventId()]: Problems executing [SELECT MAX(cid) FROM iphdr WHERE sid='1';] 
database: [SynchronizeEventId()]: Problems executing [SELECT MAX(cid) FROM opt WHERE sid='1';] 
database: [SynchronizeEventId()]: Problems executing [SELECT MAX(cid) FROM tcphdr WHERE sid='1';] 
database: [SynchronizeEventId()]: Problems executing [SELECT MAX(cid) FROM udphdr WHERE sid='1';] 
[SignatureReferencePullDataStore()]: No Reference found in database ... 
database: compiled support for (mysql)
database: configured to use mysql
database: schema version = 107
database:           host = localhost
database:           user = snort
database:  database name = snort
database:    sensor name = thor:eth0
database:      sensor id = 1
database:     sensor cid = 2
database:  data encoding = hex
database:   detail level = full
database:     ignore_bpf = no
database: using the "log" facility

        --== Initialization Complete ==--

  ______   -*> Barnyard2 <*-
 / ,,_  \  Version 2.1.10 (Build 310)
 |o"  )~|  By Ian Firns (SecurixLive): http://www.securixlive.com/
 + '''' +  (C) Copyright 2008-2012 Ian Firns <firnsy () securixlive com>

WARNING: Ignoring corrupt/truncated waldofile '/etc/snort/bylog.waldo'
ERROR: Unable to open directory '' (No such file or directory)
ERROR: Unable to find the next spool file!
===============================================================================
Record Totals:
   Records:            0
    Events:            0 (0.000%)
   Packets:            0 (0.000%)
   Unknown:            0 (0.000%)
===============================================================================
Packet breakdown by protocol (includes rebuilt packets):
      ETH: 0          (0.000%)
  ETHdisc: 0          (0.000%)
     VLAN: 0          (0.000%)
     IPV6: 0          (0.000%)
  IP6 EXT: 0          (0.000%)
  IP6opts: 0          (0.000%)
  IP6disc: 0          (0.000%)
      IP4: 0          (0.000%)
  IP4disc: 0          (0.000%)
    TCP 6: 0          (0.000%)
    UDP 6: 0          (0.000%)
    ICMP6: 0          (0.000%)
  ICMP-IP: 0          (0.000%)
      TCP: 0          (0.000%)
      UDP: 0          (0.000%)
     ICMP: 0          (0.000%)
  TCPdisc: 0          (0.000%)
  UDPdisc: 0          (0.000%)
  ICMPdis: 0          (0.000%)
     FRAG: 0          (0.000%)
   FRAG 6: 0          (0.000%)
      ARP: 0          (0.000%)
    EAPOL: 0          (0.000%)
  ETHLOOP: 0          (0.000%)
      IPX: 0          (0.000%)
    OTHER: 0          (0.000%)
  DISCARD: 0          (0.000%)
InvChkSum: 0          (0.000%)
   S5 G 1: 0          (0.000%)
   S5 G 2: 0          (0.000%)
    Total: 0         
===============================================================================

[2]+  Done                    /usr/local/bin/barnyard2 -c /etc/snort/barnyard2.conf \ -d /var/log/snort -f snort.log -w /etc/snort/bylog.waldo \ -G /etc/snort/gen-msg.map -S /etc/snort/sid-msg.map \ -C /etc/snort/classification.config

3.  Yes, snort is outputting to the /var/log/snort directory, but as I saw from your example, for some reason this would 
not be the unified2 format, as mine display "snort.log.1349461544".

4.  I only saw the -d option for barnyard2, could you give me the command sequence and syntax that you'd like me to 
try?  So far, I've only performed the following according to any guides that I've found:
        /usr/local/bin/snort -A console -q -u snort -g snort -c /etc/snort/snort.conf -i eth1
        /usr/local/bin/snort -q -u snort -g snort -c /etc/snort/snort.conf -i eth1

5.  I have no idea what you asked for in this one.  I know there was a "test" rule the guide had me do that looked for 
ICMP messages only, but I think I've already deleted that test rule and allowed it to run with all the rules that 
pulled pork had downloaded...I'll need some guidance here.  After this is running I have no idea about the rules and 
what it should/shouldn't be listening for, but that's another topic to tackle I would presume, after everything else is 
functioning correctly?


Thank you,

Mark A. Cass
Security+ CE, RHCSA, MCTS
Systems Administrator/Network Manager (SANM)
CGI Federal Contractor

700 McNair Ave.
Suite 107 (Knox Hall)
Fort Sill, Oklahoma 73503
Ph.     580.442.0098
Fax     580.248.2188
mark.a.cass2.ctr () mail mil
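
An added example, not from this thread: the barnyard2 command lines pasted above contain a backslash followed by a space in the middle of the line (`\ -d`, `\ -G`, `\ -C`), and in a shell `\ ` escapes the space, so the parser receives the single word ` -d` (leading space) instead of the -d option. The POSIX sh below runs the command as typed and a cleaned-up version through a stand-in option loop (my own, not barnyard2's real parser; the paths are the ones from the thread), which is consistent with the "Unable to open directory ''" error shown above.

```shell
# Stand-in for a getopt-style option loop (assumption: not barnyard2's real parser).
# Prints the value that would be used for the -d (spool directory) option.
spool_dir_from_args() {
    spool_dir=""
    while [ $# -gt 0 ]; do
        case "$1" in
            -d) spool_dir="$2"; shift 2 ;;
            -c|-f|-w|-G|-S|-C) shift 2 ;;   # other two-part options, not needed here
            *) shift ;;                      # unrecognised word (such as " -d"), skipped
        esac
    done
    printf '%s' "$spool_dir"
}

# The command as pasted in the thread: "\ " escapes the space, so the shell
# hands the parser the word " -d" (with a leading space), which never matches -d.
spool_dir_as_typed() {
    spool_dir_from_args -c /etc/snort/barnyard2.conf \ -d /var/log/snort -f snort.log -w /etc/snort/bylog.waldo
}

# The same command with the stray backslashes removed.
spool_dir_corrected() {
    spool_dir_from_args -c /etc/snort/barnyard2.conf -d /var/log/snort -f snort.log -w /etc/snort/bylog.waldo
}

# Print each argument the parser actually receives, one per line and bracketed,
# so the leading-space word is visible.
show_argv() {
    for word; do printf '[%s]\n' "$word"; done
}

show_argv -c /etc/snort/barnyard2.conf \ -d /var/log/snort
echo "spool dir as typed:  '$(spool_dir_as_typed)'"
echo "spool dir corrected: '$(spool_dir_corrected)'"
```

The same check applies to the -w, -G, -S and -C arguments that follow a `\ ` in the pasted line; running each barnyard2 option on one physical line, or ending continuation lines with a backslash and nothing after it, avoids the problem.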


-----Original Message-----
From: Rhoades.Jon [mailto:Rhoades.Jon () ensco com] 
Sent: Thursday, December 13, 2012 8:00 AM
To: Cass, Mark A CTR (US); snort-users () lists sourceforge net
Subject: RE: trying this again (UNCLASSIFIED)

I run about 15 sensors under Ubuntu but will try and help. There will probably be a lot of back and forth, as your 
description does not have a lot of details and it is a big request. 

Questions. Let's start with snort.

1)      How did you install snort? RPMs or source and compile? If compile, what options did you pass to snort in the 
configure command?

2)      Is snort running? Run ps -eaf | grep snort and cut and paste the output. 

3)      If snort is running, is it generating output? The typical place to dump what snort finds is /var/log/snort but 
that can be changed. In the directory do you see files like this? snort.u2.1355029461

4)      If snort is running, kill it, then run snort without the -D option and see what it says. If it has something it 
does not like you should see it on the console. 

5)      What is snort supposed to listen to? Do you have TAPs? Span port? Basically, are you getting traffic for snort 
to watch and how are you doing it? 

Enough for now. See what you reply with and go from there. 

-Jon Rhoades

From: Cass, Mark A CTR (US) [mailto:mark.a.cass2.ctr () mail mil] 
Sent: Wednesday, December 12, 2012 10:28 AM
To: snort-users () lists sourceforge net
Subject: [Snort-users] trying this again (UNCLASSIFIED)

Classification: UNCLASSIFIED
Caveats: NONE

Hello,

I've tried e-mailing the list before with not one response, but here it goes again:

I'm trying to implement a snort IDS with add-ons on a RHEL 6.3 x86 VMware server.  I need to get snort, mysql, 
barnyard2, snorby, and pulled pork all working together.  The problem is that guides are either made for just the 
snort/mysql install, or for a different OS like Ubuntu, or for an old version of snort, or for other 3rd party 
software, or are telling you to run some sort of db configuration schema script that doesn't exist where it says it 
should (later finding out it came with barnyard2 instead of the snort package), so I've had no help from any of the 
so-called "setup" or "configuration" guides.  I've got snort, mysql, barnyard2 and pulled pork installed at the moment, 
but nothing is working together.  Pulled pork has errors, but I believe the last I left it, it was downloading rules; 
snort doesn't output to barnyard2, or barnyard2 isn't writing to the mysql database, I have no idea.  I've never set up 
an IDS before, never messed with the CPAN or perl stuff, and honestly was expecting some rpm files to install and an 
hour or so on some of the configuration scripts.  I'm pulling my hair out over this right now, as my work time to 
implement this doesn't allow the hours and hours and hours I apparently would need to spend scouring the internet's 
furthest reaches for correct and proper information pertaining to the operating system used and all add-ons; however, 
believe me, I've spent countless hours already trying to do just that.  I've kind of given up just a bit in the last 
couple of weeks because I can't find any good useful information on this particular setup.

Has anyone ever set this up on a RHEL 6 installation with the additional utilities I've listed, and can help me?

Thank you,

Mark A. Cass
Security+ CE, RHCSA, MCTS
Systems Administrator/Network Manager (SANM)
CGI Federal Contractor

700 McNair Ave.
Suite 107 (Knox Hall)
Fort Sill, Oklahoma 73503
Ph.   580.442.0098
Fax   580.248.2188
mark.a.cass2.ctr () mail mil








Attachment: snort_command_history.txt
Description: snort_command_history.txt

Attachment: Unsuccessfull_barnyard2_start.txt
Description: Unsuccessfull_barnyard2_start.txt

Attachment: dependency_and_barnyard2_install.txt
Description: dependency_and_barnyard2_install.txt

Attachment: successfull_snort_failed_barnyard2_truncated.txt
Description: successfull_snort_failed_barnyard2_truncated.txt
