Snort mailing list archives
Re: AANVAL or MYSQL question
From: "Gierczak, Stan" <SGierczak () presencehealth org>
Date: Wed, 16 Apr 2014 19:25:00 +0000
I got the following (see below). Aanvaldb was created as part of the install instructions that I followed when aanval was installed, snortdb was created as part of the instructions for snort install. The schema for snortdb was created from the barnyard install. It seems that neither db has any data. The alert file under eth0 does contain data (see below). It just seems that it is not getting into mysql.

The install instructions that I followed are:
http://wiki.aanval.com/wiki/Community:Snort_2.9.2.3_Installation_Guide_for_Ubuntu_12.04,_with_Barnyard2,_Pulledpork,_and_Aanval

Thanks for your assistance.

mysql> show databases
    -> ;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| aanvaldb           |
| mysql              |
| performance_schema |
| snortdb            |
| test               |
+--------------------+
6 rows in set (0.00 sec)

mysql> use snortdb
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
mysql> show tables
    -> ;
+-------------------+
| Tables_in_snortdb |
+-------------------+
| data              |
| detail            |
| encoding          |
| event             |
| icmphdr           |
| iphdr             |
| opt               |
| reference         |
| reference_system  |
| schema            |
| sensor            |
| sig_class         |
| sig_reference     |
| signature         |
| tcphdr            |
| udphdr            |
+-------------------+
16 rows in set (0.00 sec)

mysql> use aanvaldb
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
mysql> show tables;
+------------------------------------+
| Tables_in_aanvaldb                 |
+------------------------------------+
| idsActionMaster                    |
| idsActionStore                     |
| idsCollection                      |
| idsCollectionStore                 |
| idsDataStore                       |
| idsDataStore_1000_Events           |
| idsDataStore_1000_Master           |
| idsDataStore_1000_Review_Index     |
| idsDataStore_1000_Tag_Index        |
| idsDataStore_1000_Text             |
| idsDataStore_1000_Text_Index       |
| idsDataStore_1000_Timescale        |
| idsDataStore_TEMPLATE_Events       |
| idsDataStore_TEMPLATE_Master       |
| idsDataStore_TEMPLATE_Review_Index |
| idsDataStore_TEMPLATE_Tag_Index    |
| idsDataStore_TEMPLATE_Text         |
| idsDataStore_TEMPLATE_Text_Index   |
| idsDataStore_TEMPLATE_Timescale    |
| idsDeviceAddresses                 |
| idsDeviceMeta                      |
| idsDeviceServices                  |
| idsDeviceTypes                     |
| idsDevices                         |
| idsEmail                           |
| idsGeoCache                        |
| idsGeoData                         |
| idsGeoLocation                     |
| idsHostnames                       |
| idsImportFilters                   |
| idsLicense                         |
| idsMessageQueue                    |
| idsModules                         |
| idsNetworks                        |
| idsNotes                           |
| idsOps                             |
| idsQueries                         |
| idsReconnaissanceResults           |
| idsReportSchedule                  |
| idsSensor                          |
| idsSensorManage                    |
| idsSensorManageMessages            |
| idsSensorPolicy                    |
| idsSignaturePolicyIndex            |
| idsSignatureSources                |
| idsSignatures                      |
| idsSyslogModule                    |
| idsTags                            |
| idsTimezones                       |
| idsUserMessages                    |
| idsUsers                           |
+------------------------------------+
51 rows in set (0.00 sec)

-rw-r--r-- 1 root root 46367479 Apr 16 14:21 alert

04/16-14:19:59.243731 [**] [3:19187:3] BAD-TRAFFIC TMG Firewall Client long host entry exploit attempt [**] [Classification: Attempted User Privilege Gain] [Priority: 1] {UDP} 8.8.8.8:53 -> 107.0.43.250:58557
04/16-14:19:59.250812 [**] [3:21355:2] BAD-TRAFFIC potential dns cache poisoning attempt - mismatched txid [**] [Classification: Attempted Information Leak] [Priority: 2] {UDP} 8.8.8.8:53 -> 107.0.43.250:58841
04/16-14:19:59.610969 [**] [3:19187:3] BAD-TRAFFIC TMG Firewall Client long host entry exploit attempt [**] [Classification: Attempted User Privilege Gain] [Priority: 1] {UDP} 8.8.8.8:53 -> 107.0.43.250:51590
04/16-14:19:59.654224 [**] [3:19187:3] BAD-TRAFFIC TMG Firewall Client long host entry exploit attempt [**] [Classification: Attempted User Privilege Gain] [Priority: 1] {UDP} 8.8.8.8:53 -> 107.0.43.250:64686
04/16-14:19:59.655229 [**] [3:19187:3] BAD-TRAFFIC TMG Firewall Client long host entry exploit attempt [**] [Classification: Attempted User Privilege Gain] [Priority: 1] {UDP} 8.8.8.8:53 -> 107.0.43.250:60128
04/16-14:19:59.657639 [**] [3:19187:3] BAD-TRAFFIC TMG Firewall Client long host entry exploit attempt [**] [Classification: Attempted User Privilege Gain] [Priority: 1] {UDP} 8.8.8.8:53 -> 107.0.43.250:62473

From: Y M [mailto:snort () outlook com]
Sent: Wednesday, April 16, 2014 1:52 PM
To: Gierczak, Stan
Cc: snort-users
Subject: RE: [Snort-users] AANVAL or MYSQL question

How did you set up the database? Was it Aanval, or did you use the schema file that comes with Barnyard2?
From the command line (or your MySQL GUI), log in to MySQL:

mysql -u [user] -p

You will be prompted for the password. Type:

show databases;

This should show all of the available database instances. If you know the database name, type:

use [databaseName];
show tables;
select * from [tableName] limit 5;

The above will allow you to select the database you specify, enumerate the tables, then query 5 records from a table you specify. Look for the "event" table. This may be different in your case, as I am not familiar with the Aanval schema or their internal naming conventions.

YM
________________________________
From: SGierczak () presencehealth org
To: snort () outlook com
CC: snort-users () lists sourceforge net
Subject: RE: [Snort-users] AANVAL or MYSQL question
Date: Wed, 16 Apr 2014 18:18:32 +0000

So, do I need to be concerned with:

[Description: cid:image001.png@01CF595C.E309FE60]

Also, how can I see if the db is getting data into it?

From: Y M [mailto:snort () outlook com]
Sent: Wednesday, April 16, 2014 12:03 PM
To: Gierczak, Stan
Cc: snort-users
Subject: RE: [Snort-users] AANVAL or MYSQL question
The only error I see is about WALDO. Not sure if that is an issue or not.
This is a warning rather than an error. Barnyard2 will check if the waldo file exists; if it does not, then Barnyard2 will warn you about it and create the waldo file for you.
Apr 16 09:36:04 rlicsnortids1 barnyard2[1457]: Waiting for new data
This means that Barnyard2 is up and running and waiting for u2 data to read.

YM
________________________________
From: SGierczak () presencehealth org
To: snort-users () lists sourceforge net
Date: Wed, 16 Apr 2014 15:19:25 +0000
Subject: [Snort-users] AANVAL or MYSQL question

I have just finished installing snort/barnyard/aanval. I can see that snort is working. I see messages queuing in the alert file in /var/log/snort/eth0. Not sure if barnyard is not populating mysql or if aanval is not working. I got this message in aanval under configuration/snort module settings:

[https://image001.png@01CF5976.5BE8CC30]

I verified that the db is correct as is the user name and password. I have this in the syslog for when barnyard loads:

Apr 16 09:36:01 rlicsnortids1 barnyard2[1456]: Running in Continuous mode
Apr 16 09:36:01 rlicsnortids1 barnyard2[1456]:
Apr 16 09:36:01 rlicsnortids1 barnyard2[1456]: --== Initializing Barnyard2 ==--
Apr 16 09:36:01 rlicsnortids1 barnyard2[1456]: Initializing Input Plugins!
Apr 16 09:36:01 rlicsnortids1 barnyard2[1456]: Initializing Output Plugins!
Apr 16 09:36:01 rlicsnortids1 barnyard2[1456]: Parsing config file "/etc/snort/barnyard.conf"
Apr 16 09:36:04 rlicsnortids1 barnyard2[1456]: Log directory = /var/log/snort/eth0
Apr 16 09:36:04 rlicsnortids1 barnyard2[1456]: Initializing daemon mode
Apr 16 09:36:04 rlicsnortids1 barnyard2[1456]: Daemon parent exiting
Apr 16 09:36:04 rlicsnortids1 barnyard2[1457]: Daemon initialized, signaled parent pid: 1456
Apr 16 09:36:04 rlicsnortids1 barnyard2[1457]: PID path stat checked out ok, PID path set to /var/run/
Apr 16 09:36:04 rlicsnortids1 barnyard2[1457]: Writing PID "1457" to file "/var/run//barnyard2_NULL.pid"
Apr 16 09:36:04 rlicsnortids1 barnyard2[1457]: database: compiled support for (mysql)
Apr 16 09:36:04 rlicsnortids1 barnyard2[1457]: database: configured to use mysql
Apr 16 09:36:04 rlicsnortids1 barnyard2[1457]: database: schema version = 107
Apr 16 09:36:04 rlicsnortids1 barnyard2[1457]: database: host = localhost
Apr 16 09:36:04 rlicsnortids1 barnyard2[1457]: database: user = snort_user
Apr 16 09:36:04 rlicsnortids1 barnyard2[1457]: database: database name = snortdb
Apr 16 09:36:04 rlicsnortids1 barnyard2[1457]: database: sensor name = rlicsnortids1:NULL
Apr 16 09:36:04 rlicsnortids1 barnyard2[1457]: database: sensor id = 1
Apr 16 09:36:04 rlicsnortids1 barnyard2[1457]: database: sensor cid = 1
Apr 16 09:36:04 rlicsnortids1 barnyard2[1457]: database: data encoding = hex
Apr 16 09:36:04 rlicsnortids1 barnyard2[1457]: database: detail level = full
Apr 16 09:36:04 rlicsnortids1 barnyard2[1457]: database: ignore_bpf = no
Apr 16 09:36:04 rlicsnortids1 barnyard2[1457]: database: using the "log" facility
Apr 16 09:36:04 rlicsnortids1 barnyard2[1457]:
Apr 16 09:36:04 rlicsnortids1 barnyard2[1457]: --== Initialization Complete ==--
Apr 16 09:36:04 rlicsnortids1 barnyard2[1457]: Barnyard2 initialization completed successfully (pid=1457)
Apr 16 09:36:04 rlicsnortids1 barnyard2[1457]: WARNING: Unable to open waldo file '/var/log/snort/eth0/barnyard2.waldo' (No such file or directory)
Apr 16 09:36:04 rlicsnortids1 barnyard2[1457]: Opened spool file '/var/log/snort/eth0/snort.log.1397656582'
Apr 16 09:36:04 rlicsnortids1 barnyard2[1457]: Closing spool file '/var/log/snort/eth0/snort.log.1397656582'. Read 0 records
Apr 16 09:36:04 rlicsnortids1 barnyard2[1457]: Opened spool file '/var/log/snort/eth0/snort.log.1397658954'
Apr 16 09:36:04 rlicsnortids1 barnyard2[1457]: Waiting for new data

The only error I see is about WALDO. Not sure if that is an issue or not.

Again, thanks everyone for all the help.

------------------------------------------------------------------------------
Learn Graph Databases - Download FREE O'Reilly Book
"Graph Databases" is the definitive new guide to graph databases and their applications. Written by three acclaimed leaders in the field, this first edition is now available. Download your free book today!
http://p.sf.net/sfu/NeoTech
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net<mailto:Snort-users () lists sourceforge net>
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
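Added example (editor's code, not from anyone in this thread): the question the thread circles is "is the database getting data into it?". The script below turns YM's manual check into something repeatable and also parses the text alert file Stan pasted, so the two ends of the Snort -> Barnyard2 -> MySQL pipeline can be compared. It assumes the Barnyard2 schema's `event` (sid, cid, signature, timestamp) and `sensor` (sid, hostname, interface, last_cid) columns; that is my assumption, not something the thread states. The demo database is an in-memory sqlite3 standing in for MySQL, and the sample alert lines are constructed (three copied from the thread plus an ICMP line and a junk line to exercise the no-port and parse-failure paths).

```python
"""Added example, not part of the thread. Checks both ends of the
Snort -> Barnyard2 -> MySQL pipeline:
  parse_fast_alert()/summarise_alerts(): read Snort's text alert file.
  db_ingest_status(): YM's queries against the Barnyard2 'event'/'sensor'
  tables (column names are an assumption about the Barnyard2 schema).
"""
import re
import sqlite3
from collections import Counter

# Constructed sample: three lines from the thread, one ICMP line (no ports)
# and one junk line so the parse-failure path is exercised.
SAMPLE_ALERTS = [
    "04/16-14:19:59.243731 [**] [3:19187:3] BAD-TRAFFIC TMG Firewall Client long host entry exploit attempt [**] [Classification: Attempted User Privilege Gain] [Priority: 1] {UDP} 8.8.8.8:53 -> 107.0.43.250:58557",
    "04/16-14:19:59.250812 [**] [3:21355:2] BAD-TRAFFIC potential dns cache poisoning attempt - mismatched txid [**] [Classification: Attempted Information Leak] [Priority: 2] {UDP} 8.8.8.8:53 -> 107.0.43.250:58841",
    "04/16-14:19:59.610969 [**] [3:19187:3] BAD-TRAFFIC TMG Firewall Client long host entry exploit attempt [**] [Classification: Attempted User Privilege Gain] [Priority: 1] {UDP} 8.8.8.8:53 -> 107.0.43.250:51590",
    "04/16-14:20:01.000000 [**] [1:384:5] ICMP PING [**] [Classification: Misc activity] [Priority: 3] {ICMP} 10.0.0.5 -> 10.0.0.1",
    "this line is not an alert",
]

# Snort text alert: ts [**] [gid:sid:rev] msg [**] [Classification: c] [Priority: p] {PROTO} src -> dst
FAST_ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\]\s+(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?"
    r"\[Priority:\s*(?P<prio>\d+)\]\s+\{(?P<proto>\w+)\}\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s*$"
)


def _split_endpoint(endpoint, has_ports):
    """Return (address, port). Only TCP/UDP lines carry ':port'; splitting on
    the last colon only for those keeps a bare IPv6 address intact."""
    if has_ports and ":" in endpoint:
        addr, _, port = endpoint.rpartition(":")
        return addr, int(port)
    return endpoint, None


def parse_fast_alert(line):
    """Parse one alert line into a dict, or return None if it is not one."""
    m = FAST_ALERT_RE.match(line.strip())
    if m is None:
        return None
    d = m.groupdict()
    has_ports = d["proto"] in ("TCP", "UDP")
    src, sport = _split_endpoint(d["src"], has_ports)
    dst, dport = _split_endpoint(d["dst"], has_ports)
    return {
        "timestamp": d["ts"],
        "gid": int(d["gid"]), "sid": int(d["sid"]), "rev": int(d["rev"]),
        "msg": d["msg"], "classification": d["cls"], "priority": int(d["prio"]),
        "proto": d["proto"], "src": src, "sport": sport, "dst": dst, "dport": dport,
    }


def summarise_alerts(lines):
    """Count parsed alerts per (gid, sid, msg) and how many lines failed."""
    parsed = [p for p in map(parse_fast_alert, lines) if p is not None]
    nonblank = sum(1 for l in lines if l.strip())
    return {
        "total": len(parsed),
        "unparsed": nonblank - len(parsed),
        "by_signature": Counter((p["gid"], p["sid"], p["msg"]) for p in parsed),
    }


def db_ingest_status(conn):
    """YM's check in code: count rows in 'event', find the newest one and read
    each sensor's last_cid, which Barnyard2 advances as it inserts (assumed
    schema; plain SQL, so a MySQL DB-API connection works as well)."""
    cur = conn.cursor()
    cur.execute("SELECT COUNT(*), MAX(timestamp) FROM event")
    count, latest = cur.fetchone()
    cur.execute("SELECT sid, hostname, interface, last_cid FROM sensor")
    sensors = [dict(zip(("sid", "hostname", "interface", "last_cid"), row))
               for row in cur.fetchall()]
    return {
        "event_count": count,
        "latest_event": latest,
        "sensors": sensors,
        "ingesting": count > 0 and any((s["last_cid"] or 0) > 0 for s in sensors),
    }


def demo_db(populated):
    """Constructed stand-in for snortdb with the two tables the check reads."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE sensor (sid INTEGER PRIMARY KEY, hostname TEXT,
                             interface TEXT, last_cid INTEGER);
        CREATE TABLE event  (sid INTEGER, cid INTEGER, signature INTEGER,
                             timestamp TEXT, PRIMARY KEY (sid, cid));
        INSERT INTO sensor VALUES (1, 'rlicsnortids1', 'NULL', 0);
    """)
    if populated:  # what Barnyard2 would have written for two alerts
        conn.executemany("INSERT INTO event VALUES (?, ?, ?, ?)",
                         [(1, 1, 19187, "2014-04-16 14:19:59"),
                          (1, 2, 21355, "2014-04-16 14:19:59")])
        conn.execute("UPDATE sensor SET last_cid = 2 WHERE sid = 1")
    conn.commit()
    return conn


if __name__ == "__main__":
    print(summarise_alerts(SAMPLE_ALERTS))
    for populated in (False, True):
        print(db_ingest_status(demo_db(populated)))
```

Run against the real box, `summarise_alerts(open("/var/log/snort/eth0/alert"))` shows alerts arriving while `db_ingest_status()` on a MySQL connection to snortdb returns `event_count` 0 and `last_cid` 0, which is exactly the "Snort works, nothing reaches MySQL" picture in the thread; that combination points at the Barnyard2 side (spool files read with 0 records, or a mismatched schema) rather than at Snort or Aanval.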
Current thread:
- AANVAL or MYSQL question Gierczak, Stan (Apr 16)
- Re: AANVAL or MYSQL question Y M (Apr 16)
- Re: AANVAL or MYSQL question Gierczak, Stan (Apr 16)
- Re: AANVAL or MYSQL question Y M (Apr 16)
- Re: AANVAL or MYSQL question Gierczak, Stan (Apr 16)
- Re: AANVAL or MYSQL question waldo kitty (Apr 16)
- Re: AANVAL or MYSQL question Gierczak, Stan (Apr 16)
- Re: AANVAL or MYSQL question Y M (Apr 16)
- Re: AANVAL or MYSQL question Gierczak, Stan (Apr 17)
- Re: AANVAL or MYSQL question Y M (Apr 17)
- Re: AANVAL or MYSQL question Gierczak, Stan (Apr 17)
- Re: AANVAL or MYSQL question Y M (Apr 17)
- Re: AANVAL or MYSQL question Gierczak, Stan (Apr 17)
- Re: AANVAL or MYSQL question Y M (Apr 17)
- Re: AANVAL or MYSQL question Gierczak, Stan (Apr 17)
- Re: AANVAL or MYSQL question Gierczak, Stan (Apr 16)
- Re: AANVAL or MYSQL question Y M (Apr 16)