Snort mailing list archives

Re: trying this again (UNCLASSIFIED)


From: "Cass, Mark A CTR (US)" <mark.a.cass2.ctr () mail mil>
Date: Fri, 14 Dec 2012 16:42:53 +0000

Classification: UNCLASSIFIED
Caveats: NONE

Thank you for the reply.
Let me see if I got this straight...

I'll need to specify the -f option for barnyard2 and tell it the prefix naming convention of the files it needs to 
input to log to the MySQL database?  The reason for barnyard2 aborting was because the test rule did not have a 
"rev:xxx" at the top of the text file?  So when I downloaded the new rules from PulledPork, and commented out the test 
rule, should the rules downloaded from PulledPork not have had a revision with them already?  I'm going to have to go 
into a thousand files and manually add "rev:(some number)" to them all in order for it to work?  That seems really 
ridiculous.  And would I have to do this manually every time the rules are updated?

The last thing about the -G and -S options, I'm totally lost.  I'm just running it how the guide told me to, with those 
options.  You're saying that at this point, the -G -S options are not allowing barnyard2 to write the data to mysql?

Thank you,

Mark A. Cass
Security+ CE, RHCSA, MCTS
Systems Administrator/Network Manager (SANM)
CGI Federal Contractor

700 McNair Ave.
Suite 107 (Knox Hall)
Fort Sill, Oklahoma 73503
Ph.     580.442.0098
Fax     580.248.2188
mark.a.cass2.ctr () mail mil


-----Original Message-----
From: beenph [mailto:beenph () gmail com] 
Sent: Friday, December 14, 2012 10:12 AM
To: Cass, Mark A CTR (US)
Cc: snort-users () lists sourceforge net; barnyard2-users () googlegroups com
Subject: Re: [Snort-users] trying this again (UNCLASSIFIED)



On Thu, Dec 13, 2012 at 12:39 PM, Cass, Mark A CTR (US) <mark.a.cass2.ctr () mail mil> wrote:

Classification: UNCLASSIFIED
Caveats: NONE

Jon (and others),

First let me thank you for your reply.  I'll try to do the best I can on providing the information needed, but I'm by no 
means a Linux master, nor knowledgeable with IDS/IPS systems (but have a feeling I'm going to be by the end of this). 
This has been a process of mixed guides for various OSes/versions of the software trying to get things 
installed/configured for the last few months!  With that said, I don't honestly remember a lot of specifics out of 
this over that time period, but did happen to capture a few terminal windows, which I hope will help.

To answer your questions:
1. Right now, everything has been compiled from source.  For snort it was
        ./configure --with-mysql --enable-dynamicplugin \
            --enable-perfprofiling --enable-ipv6 --enable-zlib --enable-gre \
            --enable-reload --enable-linux-smp-stats

2.  It is not running right now, but has successfully.  I've tried it by itself, and with barnyard2 (barnyard2 errors 
out):
        snort -q -u snort -g snort -c /etc/snort/snort.conf -i eth1 &
        /usr/local/bin/barnyard2 -c /etc/snort/barnyard2.conf \
            -d /var/log/snort -f snort.log -w /etc/snort/bylog.waldo \
            -G /etc/snort/gen-msg.map -S /etc/snort/sid-msg.map \
            -C /etc/snort/classification.config &
        And
        /usr/local/bin/snort -A console -q -u snort -g snort -c /etc/snort/snort.conf -i eth1

Barnyard2 errors:
        When run by itself with:
[root@snort bin]# barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort -f snort.log -w /var/log/snort/barnyard2.waldo

        Produces:
Using waldo file '/var/log/snort/barnyard2.waldo':
    spool directory = /var/log/snort
    spool filebase  = snort.log
    time_stamp      = 1350485740
    record_idx      = 1
Opened spool file '/var/log/snort/snort.log.1350485740'
barnyard2: spo_database.c:1485: dbProcessSignatureInformation: Assertion 
`data->mc.plgSigCompare[x].cacheSigObj->obj.db_id != 0' failed.
Aborted (core dumped)

 
Well, a little more information in a post can help, and I can't say this post lacked info ;)
 
As for barnyard2:
the -d command line argument is needed if you want to specify a directory to monitor for spool files.
If you monitor a directory you will also want to give it a -f (spool prefix); the spool prefix is the file name that prefixes 
the timestamp of the Snort-generated unified2 file, for example snort.log.<timestamp>. So according to your previously 
defined command line arguments and some information you posted,
by2 should be run like you tried at first.
 
barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort -f snort.log -w /var/log/snort/barnyard2.waldo, so it is 
correct.
The reason why you hit an assert is probably because you created a test rule without a revision.
 
So in your test rule you always want to have at least rev:xxx; where xxx is an integer >= 1, if you want
barnyard2 to be able to output it to the database. If you want it to be sent via syslog or another output mechanism, you 
do not need to do that.
 
Unfortunately, if you absolutely want to log to the database you will need to delete that unified2 file snort.log.1350485740 
and any further generated unified2 file where there is a possibility of a signature with revision 0 being logged 
in it, else you will always hit that condition.
 
(I would suggest that you upgrade to barnyard2 2-1.11; you can download it from github 
www.github.com/firnsy/barnyard2.
2-1.11 prints out a nicer message when this case occurs, but will fail if you try to write to a database.)
 
This being said, you will probably be able to get events to your database with that info, I am sure.
 
Also a good Snort resource is the manual (Snort manual) http://manual.snort.org (always up to date).

        When run with snort:
[root@snort log]# snort -q -u snort -g snort -c /etc/snort/snort.conf -i eth1 &
/usr/local/bin/barnyard2 -c /etc/snort/barnyard2.conf \
    -d /var/log/snort -f snort.log -w /etc/snort/bylog.waldo \
    -G /etc/snort/gen-msg.map -S /etc/snort/sid-msg.map \
    -C /etc/snort/classification.config &

        Produces:
A bunch of WARNING messages about duplicate entries in a signature 
file (about 40k lines of WARNINGS), then
 
As for the 2nd case, the reason you were getting duplicate signature messages is that you included the -G and -S 
command line arguments and I assume that you also have the 
 
configure directives 
 
config gen_file: (equivalent of -G)
and
config sid_file:  (equivalent of -S) 
 
configured in your barnyard2.conf.
 
The messages are generated by the database output plugin when it is creating its local cache to synchronize its 
information with the DB.
 
If you do not want this to happen, simply remove your -G and -S arguments from the command line OR comment out both lines 
mentioned above in barnyard2.conf.
 
I hope this will help you to get a step forward.
 
-elz
 

Classification: UNCLASSIFIED
Caveats: NONE
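A check for the rule problem discussed in this thread (rules with no rev option, or with rev:0, which barnyard2's database output refuses to log), as an added example that is not code from the thread or from the Snort or barnyard2 projects. It assumes plain-text Snort 2 rule syntax; the rule text it scans is constructed for illustration, and commented-out rules are skipped, as they would be by Snort.

```python
"""Flag Snort rules that barnyard2's database plugin cannot log: missing rev or rev:0."""
import re
import sys
from typing import Iterator, List, NamedTuple, Tuple

SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")
REV_RE = re.compile(r"\brev\s*:\s*(\d+)\s*;")

class Finding(NamedTuple):
    line: int      # line where the offending rule starts
    sid: str       # "?" when the rule carries no sid option
    reason: str

def iter_rules(text: str) -> Iterator[Tuple[int, str]]:
    """Yield (start_line, rule) with backslash-continued lines joined;
    blank lines and commented-out (#) rules are skipped."""
    buf: List[str] = []
    start = 0
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.rstrip()
        if not buf:
            if not line or line.lstrip().startswith("#"):
                continue
            start = n
        if line.endswith("\\"):          # rule continues on the next line
            buf.append(line[:-1])
            continue
        buf.append(line)
        yield start, " ".join(buf)
        buf = []

def check_rules(text: str) -> List[Finding]:
    """Return one Finding per rule that lacks rev or has rev < 1."""
    findings = []
    for start, rule in iter_rules(text):
        sid = SID_RE.search(rule)
        rev = REV_RE.search(rule)
        sid_s = sid.group(1) if sid else "?"
        if rev is None:
            findings.append(Finding(start, sid_s, "missing rev option"))
        elif int(rev.group(1)) < 1:
            findings.append(Finding(start, sid_s, "rev must be >= 1"))
    return findings

# Constructed sample rules file (sids in the local 1000000+ range, not real rules).
SAMPLE_RULES = """\
# local test rules
alert tcp any any -> any 80 (msg:"test rule without rev"; sid:1000001;)
alert tcp any any -> any 22 (msg:"rev zero"; sid:1000002; rev:0;)
alert icmp any any -> any any (msg:"ok rule"; sid:1000003; rev:2;)
alert tcp any any -> any 443 (msg:"continued rule"; \\
    sid:1000004; rev:1;)
#alert tcp any any -> any 80 (msg:"commented-out test rule"; sid:1000005;)
"""

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_RULES
    for f in check_rules(text):
        print(f"line {f.line}: sid {f.sid}: {f.reason}")
```

Run it over each file that snort.conf includes (or pass a file path as the first argument) before starting Snort, so no event with revision 0 ever reaches the unified2 spool.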
