Snort mailing list archives
Re: Snort Install successful - Need a proper database
From: k vijay sai prashanth <vijaysaiprashanth () gmail com>
Date: Wed, 21 Nov 2012 22:48:45 +0530
All resolved now. Each time I start barnyard2 the events count is incremented. So barnyard2 is feeding the events from snort to the mysql database. Thanks Ron. Appreciate the advice. Sadly I am not sure which of the steps rectified the issue. The following are the changes I made which caused the installation to be successful:

1. output alert_fast to output alert_fast: stdout.
2. change in barnyard.conf
3. Did a make clean on the barnyard2 installation and then did the ./configure --with-mysql.
4. changed the variables config hostname from thor to localhost.
5. And make sure when you run barnyard2 using the below command the snort process must already be running.

Regards,
Prashanth

On Wed, Nov 21, 2012 at 9:28 PM, Ron Sinclair <unixfool () gmail com> wrote:
> I didn't mess with the config hostname entry within barnyard2.conf, so I don't know...working fine for me regardless. To run snort as a background process, use -D (for daemon). I believe the same applies for BY2.
>
> And congrats on now getting events. I'm not sure about the count being stuck, but hopefully, you'll resolve that with a restart.
>
> On Wed, Nov 21, 2012 at 10:49 AM, k vijay sai prashanth <vijaysaiprashanth () gmail com> wrote:
>> I have got some events now. But the count seems to be stuck at a specific value. Will restart snort and update the status.
>>
>> Regards,
>> Prashanth
>>
>> On Wed, Nov 21, 2012 at 9:09 PM, k vijay sai prashanth <vijaysaiprashanth () gmail com> wrote:
>>> Is it also critical to change the below variables in barnyard2.conf??
>>>
>>> config hostname: localhost
>>> config interface: eth2
>>>
>>> I have executed all of these configurations. Still no events in mysql database. :( Where could I be going wrong? And what is the command for having snort run as a background process [daemon] and restart when the server restarts?
>>>
>>> Regards,
>>> Prashanth
>>>
>>> On Wed, Nov 21, 2012 at 8:28 AM, Ron Sinclair <unixfool () gmail com> wrote:
>>>> I also forgot to add that snort.conf might also need some editing, specifically the "configure output plugins" section:
>>>>
>>>> Edit the "unified2" section to your liking. I use:
>>>>
>>>> output unified2: filename snort.u2, limit 128
>>>>
>>>> Edit the database section. Specifically, comment out "include database.conf" (I think it's uncommented by default). That way, it disables the plugin for Snort (BY2 will be configured with the database details so that it can input the alerts into the database).
>>>>
>>>> --
>>>> Ron
>>>>
>>>> On Tue, Nov 20, 2012 at 9:02 PM, Ron Sinclair <unixfool () gmail com> wrote:
>>>>> Prashanth,
>>>>>
>>>>> I use the same BY2 startup command as you, so I think you're OK with that.
>>>>>
>>>>> In barnyard.conf, I've used the following (I edited only those, and left everything else as default, for now):
>>>>>
>>>>> ===
>>>>> output alert_fast: stdout
>>>>> output database: alert, mysql, user=snort password=xxxxxx dbname=snort host=localhost
>>>>> ===
>>>>>
>>>>> When I test, I usually test via browser or telnet:
>>>>>
>>>>> http://localhost/root.exe (or cmd.exe)
>>>>> telnet localhost root.exe (or cmd.exe)
>>>>>
>>>>> Those two commands will trigger CodeRed or Nimda sigs, if they're enabled. If not enabled, I'll sometimes run a simple Nmap scan (nmap localhost) if I don't have any luck with the previous commands, which triggers SNMP sigs for me. I then check the database, and I usually see the triggered signatures.
>>>>>
>>>>> I hope that helps.
>>>>>
>>>>> --
>>>>> Ron
>>>>>
>>>>> On Tue, Nov 20, 2012 at 4:57 PM, k vijay sai prashanth <vijaysaiprashanth () gmail com> wrote:
>>>>>> Yes. I've made sure that snort is functioning properly and logging alerts onto the snort.log files. Barnyard2 is working too. When I enter the command which I got from an installation guide:
>>>>>>
>>>>>> /usr/local/bin/barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort -f snort.log -w /etc/snort/bylog.waldo -G /etc/snort/gen-msg.map -S /etc/snort/sid-msg.map -C /etc/snort/classification.config
>>>>>>
>>>>>> I get an output shown below:
>>>>>>
>>>>>>         --== Initialization Complete ==--
>>>>>>
>>>>>>   ______   -*> Barnyard2 <*-
>>>>>>  / ,,_  \  Version 2.1.9 (Build 263)
>>>>>>  |o"  )~|  By the SecurixLive.com Team: http://www.securixlive.com/about.php
>>>>>>  + '''' +  (C) Copyright 2008-2010 SecurixLive.
>>>>>>
>>>>>>            Snort by Martin Roesch & The Snort Team: http://www.snort.org/team.html
>>>>>>            (C) Copyright 1998-2007 Sourcefire Inc., et al.
>>>>>>
>>>>>> Using waldo file '/etc/snort/bylog.waldo':
>>>>>>     spool directory = /var/log/snort
>>>>>>     spool filebase  = snort.log
>>>>>>     time_stamp      = 1353441428
>>>>>>     record_idx      = 25592
>>>>>> Opened spool file '/var/log/snort/snort.log.1353441428'
>>>>>>
>>>>>> But I see that the mysql tables are still empty. Can someone tell me how to have barnyard2 log events into the tables? I've compiled barnyard2 with mysql. [./configure --with-mysql]
>>>>>>
>>>>>> Regards,
>>>>>> Prashanth
>>>>>>
>>>>>> ------------------------------------------------------------------------------
>>>>>> Monitor your physical, virtual and cloud infrastructure from a single web console. Get in-depth insight into apps, servers, databases, vmware, SAP, cloud infrastructure, etc. Download 30-day Free Trial. Pricing starts from $795 for 25 servers or applications! http://p.sf.net/sfu/zoho_dev2dev_nov
>>>>>> _______________________________________________
>>>>>> Snort-users mailing list
>>>>>> Snort-users () lists sourceforge net
>>>>>> Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
>>>>>> Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>>>>>> Please visit http://blog.snort.org to stay current on all the latest Snort news!
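The thread converges on three settings that decide whether alerts reach the database: snort.conf writes unified2 and no longer includes database.conf, barnyard2.conf carries an active MySQL "output database:" line, and the filebase handed to barnyard2 with -f matches the unified2 filename in snort.conf (Ron's snort.u2 and the snort.log in Prashanth's command line would not match, and barnyard2 would then wait on spool files Snort never writes). The POSIX shell script below is an added example, not code from this thread or from the Snort or Barnyard2 projects; it lints those settings before barnyard2 is started. The config fragments it reads are constructed inline and the file names are placeholders.

```shell
#!/bin/sh
# Added example, not code from the thread or from the Snort/Barnyard2 projects.
# Lints the snort.conf / barnyard2.conf settings discussed in the thread before
# barnyard2 is started. The config fragments below are constructed for the demo.

# check_snort_conf FILE: 0 if an active "output unified2:" line exists and
# "include database.conf" is commented out (Snort itself should not write the DB).
check_snort_conf() {
    f="$1"; rc=0
    if ! grep -Eq '^[[:space:]]*output[[:space:]]+unified2:' "$f"; then
        echo "$f: no active 'output unified2:' line" >&2; rc=1
    fi
    if grep -Eq '^[[:space:]]*include[[:space:]]+database\.conf' "$f"; then
        echo "$f: 'include database.conf' is still active; comment it out" >&2; rc=1
    fi
    return $rc
}

# check_by2_conf FILE: 0 if barnyard2.conf has an active MySQL "output database:" line.
check_by2_conf() {
    f="$1"
    if grep -Eq '^[[:space:]]*output[[:space:]]+database:.*mysql' "$f"; then
        return 0
    fi
    echo "$f: no active 'output database: ..., mysql, ...' line" >&2
    return 1
}

# unified2_filebase FILE: print the filename argument of the unified2 output line.
unified2_filebase() {
    awk '/^[[:space:]]*output[[:space:]]+unified2:/ {
             for (i = 1; i <= NF; i++)
                 if ($i == "filename") { v = $(i + 1); sub(/,$/, "", v); print v; exit }
         }' "$1"
}

# check_filebase SNORT_CONF FILEBASE: 0 if the -f value given to barnyard2 matches
# the unified2 filename in snort.conf; otherwise barnyard2 watches files Snort never writes.
check_filebase() {
    want=$(unified2_filebase "$1")
    if [ -n "$want" ] && [ "$want" = "$2" ]; then
        return 0
    fi
    echo "barnyard2 -f '$2' does not match unified2 filename '${want:-<none>}' in $1" >&2
    return 1
}

# --- constructed sample configs (placeholder files, not the thread's real ones) ---
EX_DIR=$(mktemp -d)
cat > "$EX_DIR/snort_good.conf" <<'EOF'
output unified2: filename snort.u2, limit 128
# include database.conf
EOF
cat > "$EX_DIR/snort_bad.conf" <<'EOF'
output alert_fast: stdout
include database.conf
EOF
cat > "$EX_DIR/by2_good.conf" <<'EOF'
output alert_fast: stdout
output database: alert, mysql, user=snort password=xxxxxx dbname=snort host=localhost
EOF
cat > "$EX_DIR/by2_bad.conf" <<'EOF'
output alert_fast: stdout
# output database: alert, mysql, user=snort password=xxxxxx dbname=snort host=localhost
EOF

# Stand-alone run: one good pipeline and one that reproduces the thread's symptoms.
for pair in "snort_good.conf by2_good.conf snort.u2" "snort_bad.conf by2_bad.conf snort.log"; do
    set -- $pair
    if check_snort_conf "$EX_DIR/$1" && check_by2_conf "$EX_DIR/$2" \
       && check_filebase "$EX_DIR/$1" "$3"; then
        echo "$1 + $2 with -f $3: OK, safe to start barnyard2"
    else
        echo "$1 + $2 with -f $3: fix the items above first"
    fi
done
```

Run it against the real files by replacing the constructed paths with /etc/snort/snort.conf and /etc/snort/barnyard2.conf and passing the same -f value the barnyard2 command line uses; a clean run does not prove events are flowing, but a failed check explains an empty database without touching MySQL at all.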