Re: AANVAL or MYSQL question

["Gierczak, Stan" <SGierczak () presencehealth org>]

I got the following(see below).  Aanvaldb was created as part of the install instructions that I followed when aanval 
was installed, snortdb was created as part of the instructions for snort install.  The schema for snortdb was created 
from the barnyard install.  It seems that neither db has any data.  The alert file under eth0 does contain data(see 
below).  It just seems that it is not getting into mysql.  The install instructions that I followed are:

http://wiki.aanval.com/wiki/Community:Snort_2.9.2.3_Installation_Guide_for_Ubuntu_12.04,_with_Barnyard2,_Pulledpork,_and_Aanval

Thanks for your assistance.

mysql> show databases
    -> ;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| aanvaldb           |
| mysql              |
| performance_schema |
| snortdb            |
| test               |
+--------------------+
6 rows in set (0.00 sec)

mysql> use snortdb
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
mysql> show tables
    -> ;
+-------------------+
| Tables_in_snortdb |
+-------------------+
| data              |
| detail            |
| encoding          |
| event             |
| icmphdr           |
| iphdr             |
| opt               |
| reference         |
| reference_system  |
| schema            |
| sensor            |
| sig_class         |
| sig_reference     |
| signature         |
| tcphdr            |
| udphdr            |
+-------------------+
16 rows in set (0.00 sec)

mysql> use aanvaldb
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
mysql> show tables;
+------------------------------------+
| Tables_in_aanvaldb                 |
+------------------------------------+
| idsActionMaster                    |
| idsActionStore                     |
| idsCollection                      |
| idsCollectionStore                 |
| idsDataStore                       |
| idsDataStore_1000_Events           |
| idsDataStore_1000_Master           |
| idsDataStore_1000_Review_Index     |
| idsDataStore_1000_Tag_Index        |
| idsDataStore_1000_Text             |
| idsDataStore_1000_Text_Index       |
| idsDataStore_1000_Timescale        |
| idsDataStore_TEMPLATE_Events       |
| idsDataStore_TEMPLATE_Master       |
| idsDataStore_TEMPLATE_Review_Index |
| idsDataStore_TEMPLATE_Tag_Index    |
| idsDataStore_TEMPLATE_Text         |
| idsDataStore_TEMPLATE_Text_Index   |
| idsDataStore_TEMPLATE_Timescale    |
| idsDeviceAddresses                 |
| idsDeviceMeta                      |
| idsDeviceServices                  |
| idsDeviceTypes                     |
| idsDevices                         |
| idsEmail                           |
| idsGeoCache                        |
| idsGeoData                         |
| idsGeoLocation                     |
| idsHostnames                       |
| idsImportFilters                   |
| idsLicense                         |
| idsMessageQueue                    |
| idsModules                         |
| idsNetworks                        |
| idsNotes                           |
| idsOps                             |
| idsQueries                         |
| idsReconnaissanceResults           |
| idsReportSchedule                  |
| idsSensor                          |
| idsSensorManage                    |
| idsSensorManageMessages            |
| idsSensorPolicy                    |
| idsSignaturePolicyIndex            |
| idsSignatureSources                |
| idsSignatures                      |
| idsSyslogModule                    |
| idsTags                            |
| idsTimezones                       |
| idsUserMessages                    |
| idsUsers                           |
+------------------------------------+
51 rows in set (0.00 sec)


-rw-r--r-- 1 root  root  46367479 Apr 16 14:21 alert

04/16-14:19:59.243731  [**] [3:19187:3] BAD-TRAFFIC TMG Firewall Client long host entry exploit attempt [**] 
[Classification: Attempted User Privilege Gain] [Priority: 1] {UDP} 8.8.8.8:53 -> 107.0.43.250:58557
04/16-14:19:59.250812  [**] [3:21355:2] BAD-TRAFFIC potential dns cache poisoning attempt - mismatched txid [**] 
[Classification: Attempted Information Leak] [Priority: 2] {UDP} 8.8.8.8:53 -> 107.0.43.250:58841
04/16-14:19:59.610969  [**] [3:19187:3] BAD-TRAFFIC TMG Firewall Client long host entry exploit attempt [**] 
[Classification: Attempted User Privilege Gain] [Priority: 1] {UDP} 8.8.8.8:53 -> 107.0.43.250:51590
04/16-14:19:59.654224  [**] [3:19187:3] BAD-TRAFFIC TMG Firewall Client long host entry exploit attempt [**] 
[Classification: Attempted User Privilege Gain] [Priority: 1] {UDP} 8.8.8.8:53 -> 107.0.43.250:64686
04/16-14:19:59.655229  [**] [3:19187:3] BAD-TRAFFIC TMG Firewall Client long host entry exploit attempt [**] 
[Classification: Attempted User Privilege Gain] [Priority: 1] {UDP} 8.8.8.8:53 -> 107.0.43.250:60128
04/16-14:19:59.657639  [**] [3:19187:3] BAD-TRAFFIC TMG Firewall Client long host entry exploit attempt [**] 
[Classification: Attempted User Privilege Gain] [Priority: 1] {UDP} 8.8.8.8:53 -> 107.0.43.250:62473

From: Y M [mailto:snort () outlook com]
Sent: Wednesday, April 16, 2014 1:52 PM
To: Gierczak, Stan
Cc: snort-users
Subject: RE: [Snort-users] AANVAL or MYSQL question

How did you setup the database? Was it Aanval or you used the schema file that comes with Barnyard2?

> From the command (or your MySQL GUI), login to MySQL:
mysql -u [user] -p
you will be prompted for the password.

type:
show databases;

This should show all of the available database instances. If you know the database name, type:

use [databaseName];
show tables;
select * from [tableName] limit 5;

The above will allow to select the database you specify, enumerate the tables, then query 5 records from a table you 
specify. Look for the "event" table. This is may be different in your case, as I am not familiar with Aanval schema or 
their internal naming conventions.

YM

________________________________
From: SGierczak () presencehealth org
To: snort () outlook com
CC: snort-users () lists sourceforge net
Subject: RE: [Snort-users] AANVAL or MYSQL question
Date: Wed, 16 Apr 2014 18:18:32 +0000
So,  do I need to be concerned with:
[Description: cid:image001.png@01CF595C.E309FE60]

Also how can I see if the db is getting data into it?


From: Y M [mailto:snort () outlook com]
Sent: Wednesday, April 16, 2014 12:03 PM
To: Gierczak, Stan
Cc: snort-users
Subject: RE: [Snort-users] AANVAL or MYSQL question

> The only error I see is about WALDO.  Not sure if that is an issue or not.

This is a rather warning than error. Barnyard2 will check if the waldo file exists, if it does not, then Barnyard2 will 
warn you about it and create the waldo file for you.

> Apr 16 09:36:04 rlicsnortids1 barnyard2[1457]: Waiting for new data

This means that Barnyard2 is up and running and waiting for u2 data to read.

YM

________________________________
From: SGierczak () presencehealth org
To: snort-users () lists sourceforge net
Date: Wed, 16 Apr 2014 15:19:25 +0000
Subject: [Snort-users] AANVAL or MYSQL question
I have just finished installing snort/barnyard/aanval.
I can see that snort is working.  I see messages queuing in the alert file in /var/log/snort/eth0.
Not sure if barnyard is not populating mysql or if aanval is not working.
I got this message in aanval under configuration/snort module settings:
[https://image001.png@01CF5976.5BE8CC30]

I verified that the db is correct as is the user name and password.

I have this in the syslog for when barnyard loads:
Apr 16 09:36:01 rlicsnortids1 barnyard2[1456]: Running in Continuous mode
Apr 16 09:36:01 rlicsnortids1 barnyard2[1456]:
Apr 16 09:36:01 rlicsnortids1 barnyard2[1456]:         --== Initializing Barnyard2 ==--
Apr 16 09:36:01 rlicsnortids1 barnyard2[1456]: Initializing Input Plugins!
Apr 16 09:36:01 rlicsnortids1 barnyard2[1456]: Initializing Output Plugins!
Apr 16 09:36:01 rlicsnortids1 barnyard2[1456]: Parsing config file "/etc/snort/barnyard.conf"
Apr 16 09:36:04 rlicsnortids1 barnyard2[1456]: Log directory = /var/log/snort/eth0
Apr 16 09:36:04 rlicsnortids1 barnyard2[1456]: Initializing daemon mode
Apr 16 09:36:04 rlicsnortids1 barnyard2[1456]: Daemon parent exiting
Apr 16 09:36:04 rlicsnortids1 barnyard2[1457]: Daemon initialized, signaled parent pid: 1456
Apr 16 09:36:04 rlicsnortids1 barnyard2[1457]: PID path stat checked out ok, PID path set to /var/run/
Apr 16 09:36:04 rlicsnortids1 barnyard2[1457]: Writing PID "1457" to file "/var/run//barnyard2_NULL.pid"
Apr 16 09:36:04 rlicsnortids1 barnyard2[1457]: database: compiled support for (mysql)
Apr 16 09:36:04 rlicsnortids1 barnyard2[1457]: database: configured to use mysql
Apr 16 09:36:04 rlicsnortids1 barnyard2[1457]: database: schema version = 107
Apr 16 09:36:04 rlicsnortids1 barnyard2[1457]: database:           host = localhost
Apr 16 09:36:04 rlicsnortids1 barnyard2[1457]: database:           user = snort_user
Apr 16 09:36:04 rlicsnortids1 barnyard2[1457]: database:  database name = snortdb
Apr 16 09:36:04 rlicsnortids1 barnyard2[1457]: database:    sensor name = rlicsnortids1:NULL
Apr 16 09:36:04 rlicsnortids1 barnyard2[1457]: database:      sensor id = 1
Apr 16 09:36:04 rlicsnortids1 barnyard2[1457]: database:     sensor cid = 1
Apr 16 09:36:04 rlicsnortids1 barnyard2[1457]: database:  data encoding = hex
Apr 16 09:36:04 rlicsnortids1 barnyard2[1457]: database:   detail level = full
Apr 16 09:36:04 rlicsnortids1 barnyard2[1457]: database:     ignore_bpf = no
Apr 16 09:36:04 rlicsnortids1 barnyard2[1457]: database: using the "log" facility
Apr 16 09:36:04 rlicsnortids1 barnyard2[1457]:
Apr 16 09:36:04 rlicsnortids1 barnyard2[1457]:         --== Initialization Complete ==--
Apr 16 09:36:04 rlicsnortids1 barnyard2[1457]: Barnyard2 initialization completed successfully (pid=1457)
Apr 16 09:36:04 rlicsnortids1 barnyard2[1457]: WARNING: Unable to open waldo file '/var/log/snort/eth0/barnyard2.waldo' 
(No such file or directory)
Apr 16 09:36:04 rlicsnortids1 barnyard2[1457]: Opened spool file '/var/log/snort/eth0/snort.log.1397656582'
Apr 16 09:36:04 rlicsnortids1 barnyard2[1457]: Closing spool file '/var/log/snort/eth0/snort.log.1397656582'. Read 0 
records
Apr 16 09:36:04 rlicsnortids1 barnyard2[1457]: Opened spool file '/var/log/snort/eth0/snort.log.1397658954'
Apr 16 09:36:04 rlicsnortids1 barnyard2[1457]: Waiting for new data

The only error I see is about WALDO.  Not sure if that is an issue or not.

Again thanks everyone for all the help.

------------------------------------------------------------------------------ Learn Graph Databases - Download FREE 
O'Reilly Book "Graph Databases" is the definitive new guide to graph databases and their applications. Written by three 
acclaimed leaders in the field, this first edition is now available. Download your free book today! 
http://p.sf.net/sfu/NeoTech
_______________________________________________ Snort-users mailing list Snort-users () lists sourceforge 
net<mailto:Snort-users () lists sourceforge net> Go to this URL to change user options or unsubscribe: 
https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: 
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users Please visit http://blog.snort.org to stay current 
on all the latest Snort news!

------------------------------------------------------------------------------
Learn Graph Databases - Download FREE O'Reilly Book
"Graph Databases" is the definitive new guide to graph databases and their
applications. Written by three acclaimed leaders in the field,
this first edition is now available. Download your free book today!
http://p.sf.net/sfu/NeoTech

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!