Snort mailing list archives
Re: trying this again (UNCLASSIFIED)
From: "Cass, Mark A CTR (US)" <mark.a.cass2.ctr () mail mil>
Date: Thu, 13 Dec 2012 17:39:58 +0000
Classification: UNCLASSIFIED Caveats: NONE Jon (and others), First let me thank you for your reply. I'll try to do the best I can on providing information needed, but I'm by no means a Linux master, nor knowledgeable with IDS/IPS systems (but have a feeling I'm going to be by the end of this). This has been a process of mixed guides for various OS's/versions of the software trying to get things installed/configured for the last few months! With that said, I don't honestly remember a lot of specifics out of this over that time period, but did happen to capture a few terminal windows, which I hope will help. To answer your questions: 1. Right now, everything has been compiled from source. For snort it was 419 ./configure --with-mysql --enable-dynamicplugin --enable-perfprofiling --enable-ipv6 --enable-zlib --enable-gre --enable-reload --enable-linux-smp-stats 2. It is not running right now, but has successfully. I've tried it by itself, and with barnyard2 (barnyard2 errors out): 630 snort -q -u snort -g snort -c /etc/snort/snort.conf -i eth1 & /usr/local/bin/barnyard2 -c /etc/snort/barnyard2.conf \ -d /var/log/snort -f snort.log -w /etc/snort/bylog.waldo \ -G /etc/snort/gen-msg.map -S /etc/snort/sid-msg.map \ -C /etc/snort/classification.config & And 493 /usr/local/bin/snort -A console -q -u snort -g snort -c /etc/snort/snort.conf -i eth1 Barnyard2 errors: When ran by itself with: [root@snort bin]# barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort -f snort.log -w /var/log/snort/barnyard2.waldo Produces: Using waldo file '/var/log/snort/barnyard2.waldo': spool directory = /var/log/snort spool filebase = snort.log time_stamp = 1350485740 record_idx = 1 Opened spool file '/var/log/snort/snort.log.1350485740' barnyard2: spo_database.c:1485: dbProcessSignatureInformation: Assertion `data->mc.plgSigCompare[x].cacheSigObj->obj.db_id != 0' failed. Aborted (core dumped) When ran with snort: [root@snort log]# snort -q -u snort -g snort -c /etc/snort/snort.conf -i eth1 & /usr/local/bin/barnyard2 -c /etc/snort/barnyard2.conf \ -d /var/log/snort -f snort.log -w /etc/snort/bylog.waldo \ -G /etc/snort/gen-msg.map -S /etc/snort/sid-msg.map \ -C /etc/snort/classification.config & Produces: A bunch of WARNING messages about duplicate entries in a signature file (about 40k lines of WARNINGS), then database: [SynchronizeEventId()]: Problems executing [SELECT MAX(cid) FROM data WHERE sid='1';] database: [SynchronizeEventId()]: Problems executing [SELECT MAX(cid) FROM event WHERE sid='1';] database: [SynchronizeEventId()]: Problems executing [SELECT MAX(cid) FROM icmphdr WHERE sid='1';] database: [SynchronizeEventId()]: Problems executing [SELECT MAX(cid) FROM iphdr WHERE sid='1';] database: [SynchronizeEventId()]: Problems executing [SELECT MAX(cid) FROM opt WHERE sid='1';] database: [SynchronizeEventId()]: Problems executing [SELECT MAX(cid) FROM tcphdr WHERE sid='1';] database: [SynchronizeEventId()]: Problems executing [SELECT MAX(cid) FROM udphdr WHERE sid='1';] [SignatureReferencePullDataStore()]: No Reference found in database ... database: compiled support for (mysql) database: configured to use mysql database: schema version = 107 database: host = localhost database: user = snort database: database name = snort database: sensor name = thor:eth0 database: sensor id = 1 database: sensor cid = 2 database: data encoding = hex database: detail level = full database: ignore_bpf = no database: using the "log" facility --== Initialization Complete ==-- ______ -*> Barnyard2 <*- / ,,_ \ Version 2.1.10 (Build 310) |o" )~| By Ian Firns (SecurixLive): http://www.securixlive.com/ + '''' + (C) Copyright 2008-2012 Ian Firns <firnsy () securixlive com> WARNING: Ignoring corrupt/truncated waldofile '/etc/snort/bylog.waldo' ERROR: Unable to open directory '' (No such file or directory) ERROR: Unable to find the next spool file! =============================================================================== Record Totals: Records: 0 Events: 0 (0.000%) Packets: 0 (0.000%) Unknown: 0 (0.000%) =============================================================================== Packet breakdown by protocol (includes rebuilt packets): ETH: 0 (0.000%) ETHdisc: 0 (0.000%) VLAN: 0 (0.000%) IPV6: 0 (0.000%) IP6 EXT: 0 (0.000%) IP6opts: 0 (0.000%) IP6disc: 0 (0.000%) IP4: 0 (0.000%) IP4disc: 0 (0.000%) TCP 6: 0 (0.000%) UDP 6: 0 (0.000%) ICMP6: 0 (0.000%) ICMP-IP: 0 (0.000%) TCP: 0 (0.000%) UDP: 0 (0.000%) ICMP: 0 (0.000%) TCPdisc: 0 (0.000%) UDPdisc: 0 (0.000%) ICMPdis: 0 (0.000%) FRAG: 0 (0.000%) FRAG 6: 0 (0.000%) ARP: 0 (0.000%) EAPOL: 0 (0.000%) ETHLOOP: 0 (0.000%) IPX: 0 (0.000%) OTHER: 0 (0.000%) DISCARD: 0 (0.000%) InvChkSum: 0 (0.000%) S5 G 1: 0 (0.000%) S5 G 2: 0 (0.000%) Total: 0 =============================================================================== [2]+ Done /usr/local/bin/barnyard2 -c /etc/snort/barnyard2.conf \ -d /var/log/snort -f snort.log -w /etc/snort/bylog.waldo \ -G /etc/snort/gen-msg.map -S /etc/snort/sid-msg.map \ -C /etc/snort/classification.config 3. Yes snort is outputting to the /var/log/snort directory, but as I saw from your example, for some reason this would not be the unified2 format, as mine display "snort.log.1349461544" 4. I only saw the -d option for barnyard2, could you give me the command sequence and syntax that you'd like me to try? So far, I've only performed the following according to any guides that I've found: /usr/local/bin/snort -A console -q -u snort -g snort -c /etc/snort/snort.conf -i eth1 /usr/local/bin/snort -q -u snort -g snort -c /etc/snort/snort.conf -i eth1 5. I have no idea what you asked for this one. I know there was a "test" rule the guide had me do that looked for ICMP messages only, but I think I've already deleted that test rule and allowed it to run with all the rules that pulled pork had downloaded...I'll need some guidance here. After this is running I have no idea about the rules and what it should/shouldn't be listening for, but that's another topic to tackle I would presume, after everything else is functioning correctly? Thank you, Mark A. Cass Security+ CE, RHCSA, MCTS Systems Administrator/Network Manager (SANM) CGI Federal Contractor 700 McNair Ave. Suite 107 (Knox Hall) Fort Sill, Oklahoma 73503 Ph. 580.442.0098 Fax 580.248.2188 mark.a.cass2.ctr () mail mil -----Original Message----- From: Rhoades.Jon [mailto:Rhoades.Jon () ensco com] Sent: Thursday, December 13, 2012 8:00 AM To: Cass, Mark A CTR (US); snort-users () lists sourceforge net Subject: RE: trying this again (UNCLASSIFIED) I run about 15 sensors under Ubuntu but will try and help. Probably be a lot of back and forth as your description does not have a lot of details and it is a big request. Questions. Let's start with snort 1) How did you install snort? RPMs or source and compile? If compile what options did you pass to snort in the configure command? 2) Is snort running? ps -eaf | grep snort cut and paste the output. 3) If snort is running is it generating output. The typical place to dump what snort finds is /var/log/sort but that can be changed. In the directory do you see files like this? snort.u2.1355029461 4) If snort is running kill it then run snort without the -D option and see what it says. If it has something it does not like you should see it on the console. 5) What is snort supposed to listen to? Do you have TAPs? Span port? Basically are you getting traffic for snort to watch and how are you doing it. Enough for now. See what you reply with and go from there. -Jon Rhoades From: Cass, Mark A CTR (US) [mailto:mark.a.cass2.ctr () mail mil] Sent: Wednesday, December 12, 2012 10:28 AM To: snort-users () lists sourceforge net Subject: [Snort-users] trying this again (UNCLASSIFIED) Classification: UNCLASSIFIED Caveats: NONE Hello, I've tried e-mailing the list before with not one response, but here it goes again: I'm trying to implement a snort IDS with add-ons in a RHEL 6.3 x86 VMWare server. I need to get snort, mysql, barnyard2, snorby, and pulled pork all working together. The problem, is that guides are either made for just snort/mysql install, or for a different OS like Ubuntu, or for an old version of snort, or for other 3rd party software, or are telling you some sort of db configuration schema script to run that doesn't exist where it says it should (later finding out it came with barnyard2 instead of the snort package) so I've no help from any of the so-called "setup" or "configuration" guides. I've got snort, mysql, barnyard2 and pulled pork installed at the moment, but nothing is working together. Pulled pork has errors, but I believe the last I left it, was downloading rules, snort doesn't output to barnyard2 or barnyard2 isn't writing to the mysql database, I have no idea. I've never set up an IDS before, never messed with the CPAN or perl stuff, and honestly was expecting some rpm files to install and an hour or so on some of the configuration scripts. I'm pulling my hair out over this right now, as my work time to implement this doesn't allow the hours and hours and hours I apparently would need to spend scouring the internet's furthest reaches for correct and proper information pertaining to the operating system used and all add-ons, however, believe me, I've spent countless hours already trying to do just that. I've kind of given up just a bit in the last couple of weeks because I can't find any good useful information on this particular setup. Has anyone ever set this up on a RHEL 6 installation with the additional utilities I've listed, and can help me? Thank you, Mark A. Cass Security+ CE, RHCSA, MCTS Systems Administrator/Network Manager (SANM) CGI Federal Contractor 700 McNair Ave. Suite 107 (Knox Hall) Fort Sill, Oklahoma 73503 Ph. 580.442.0098 Fax 580.248.2188 mark.a.cass2.ctr () mail mil <mailto:mark.a.cass2.ctr () mail mil> Classification: UNCLASSIFIED Caveats: NONE ________________________________ The information contained in this email message is intended only for the use of the individual(s) to whom it is addressed and may contain information that is privileged and sensitive. If you are not the intended recipient, or otherwise have received this communication in error, please notify the sender immediately by email at the above referenced address and note that any further dissemination, distribution or copying of this communication is strictly prohibited. The U.S. Export Control Laws regulate the export and re-export of technology originating in the United States. This includes the electronic transmission of information and software to foreign countries and to certain foreign nationals. Recipient agrees to abide by these laws and their regulations -- including the U.S. Department of Commerce Export Administration Regulations and the U.S. Department of State International Traffic in Arms Regulations -- and not to transfer, by electronic transmission or otherwise, any content derived from this email to either a foreign national or a foreign destination in violation of such laws. Classification: UNCLASSIFIED Caveats: NONE
Attachment:
snort_command_history.txt
Description: snort_command_history.txt
Attachment:
Unsuccessfull_barnyard2_start.txt
Description: Unsuccessfull_barnyard2_start.txt
Attachment:
dependency_and_barnyard2_install.txt
Description: dependency_and_barnyard2_install.txt
Attachment:
successfull_snort_failed_barnyard2_truncated.txt
Description: successfull_snort_failed_barnyard2_truncated.txt
------------------------------------------------------------------------------ LogMeIn Rescue: Anywhere, Anytime Remote support for IT. Free Trial Remotely access PCs and mobile devices and provide instant support Improve your efficiency, and focus on delivering more value-add services Discover what IT Professionals Know. Rescue delivers http://p.sf.net/sfu/logmein_12329d2d
_______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users Please visit http://blog.snort.org to stay current on all the latest Snort news!
Current thread:
- trying this again (UNCLASSIFIED) Cass, Mark A CTR (US) (Dec 13)
- Re: trying this again (UNCLASSIFIED) Rhoades . Jon (Dec 13)
- Re: trying this again (UNCLASSIFIED) Peter Bates (Dec 13)
- Re: trying this again (UNCLASSIFIED) Cass, Mark A CTR (US) (Dec 14)
- Re: trying this again (UNCLASSIFIED) beenph (Dec 14)
- Re: trying this again (UNCLASSIFIED) Cass, Mark A CTR (US) (Dec 14)
- Re: trying this again (UNCLASSIFIED) Peter Bates (Dec 14)
- Re: trying this again (UNCLASSIFIED) beenph (Dec 14)
- Re: trying this again (UNCLASSIFIED) beenph (Dec 14)
- Re: trying this again (UNCLASSIFIED) Rhoades . Jon (Dec 13)