Snort mailing list archives

Re: upgrading to snort 2.6


From: Joel Esler <joel.esler () sourcefire com>
Date: Thu, 28 Sep 2006 14:10:03 -0400

Just to say...  Are you sure snort is outputting in unified format?

J


On Thu, Sep 28, 2006 at 12:47:30PM -0500, Derek Stinchfield apparently sent me:
Recently, my department was able to free up a new server that we decided to use to replace our old snort box.  I 
figured that this would be a good time to update to 2.6.  I saved a few of the old config files and went to work with 
the new box from scratch.  I loaded RHELAS 4 and after the install, I downloaded and installed 2.6.0.2, and Barnyard 
0.2.0.  I then checked and copied over the config files, rulesets, and startup scripts from our old snort 2.4 box and 
I thought I pounded out any issues with file locations and permissions.  Both snort and barnyard are now starting and 
running; however, I let it run last night, outputting unified files and having barnyard pointed at a remote syslog 
server, and I didn't have a single rule in the remote syslog today.  

I had snort make a fast alert output to be sure that rules were being triggered, and sure enough they are, which 
leaves me with barnyard.  I did the fast alert for this too and it didn't even create the file for it.   This is the 
first time I've tried to use the barnyard startup script.   Before, I would just start it with <barnyard -D -n -f 
/var/log/snort/snort.alert>  

Now that I'm trying to use the script, the command is </usr/local/bin/barnyard -c /etc/snort/barnyard.conf -d 
/var/log/snort -a /var/log/snort-proces....>  Obviously, if I try to start it the old way I now get a segmentation 
fault.  


I have posted the barnyard script as well as what I use in the barnyard.conf.  Any help I can get is appreciated.  
Also, if it helps, I don't absolutely have to use the barnyard script, so if there is an idea that excludes it, I would 
appreciate that as much as any help.

Thanks in advance,
                   
Derek



The barnyard script I used is this:

#!/bin/bash
#
# barnyard Start/Stop barnyard daemon
#
# Written by Alejandro Flores <alejandrorfloresgmail.com>
#
# chkconfig: 2345 42 62
# description: Output spool reader for Snort! This program decouples \
#              output overhead from the Snort network intrusion detection \
#              system and allows Snort to run at full speed. It takes \
#              input and output plugins and can therefore be used to \
#              convert almost any spooled file.
#

. /etc/rc.d/init.d/functions

# Barnyard binary
BARNYARD=/usr/local/bin/barnyard

# Where to place processed logs (barnyard -a archive directory)
PROCESSADOS=/var/log/snort-processados

# Base dir for snort logs (barnyard -d)
LOG_BASE=/var/log/snort

# Unified log filename (barnyard -f; base name of the spool files in LOG_BASE)
LOG_FILE=snort.log

# Barnyard config
CONFIG=/etc/snort/barnyard.conf

# where is sid-msg.map
SIDMAP=/etc/snort/sid-msg.map

# where is gen-msg.map
GENMAP=/etc/snort/gen-msg.map

# where is classification.config
CLASSCONF=/etc/snort/classification.config

# where to place the barnyard bookmark
WALDO=/var/log/snort/waldo

case "$1" in
    start)
        if [ -f /var/lock/subsys/barnyard ]; then
            echo "Barnyard is already running."
            exit
        fi
        echo -n "Starting Barnyard: "
        daemon $BARNYARD \
            -c $CONFIG \
            -d $LOG_BASE \
            -a $PROCESSADOS \
            -f $LOG_FILE \
            -w $WALDO \
            -s $SIDMAP \
            -g $GENMAP \
            -p $CLASSCONF \
            -D
        RETVAL=$?
        echo
        [ $RETVAL -eq 0 ] && touch /var/lock/subsys/barnyard
        ;;

    stop)
        echo -n "Stopping Barnyard: "
        killproc barnyard
        RETVAL=$?
        echo
        [ $RETVAL -eq 0 ] && rm -f /var/lock/subsys/barnyard
        ;;

    restart)
        $0 stop
        $0 start
        ;;

    status)
        status barnyard
        ;;

    *)
        echo "Usage: $0 {start|stop|restart|status}"
        exit 1
        ;;
esac

exit 0
/script



This is my barnyard.conf <some commented parts omitted>

#-------------------------------------------------------------
#   http://www.snort.org    Barnyard 0.1.0 configuration file
#          Contact: snort-barnyard () lists sourceforge net 
#-------------------------------------------------------------
# $Id: barnyard.conf,v 1.9 2004/05/01 16:43:29 andrewbaker Exp $
########################################################
# Currently you want to do two things in here: turn on 
# available data processors and turn on output plugins.
# The data processors (dp's) and output plugin's (op's)
# automatically associate with each other by type and
# are automatically selected at run time depending on 
# the type of file you try to load.
########################################################

# Step 1: configuration declarations
# To keep from having a commandline that uses every letter in the alphabet
# most configuration options are set here

# enable daemon mode
config daemon

#INSERTED BY DEREK.  Indicate which interface shall be monitored
config interface: eth1

#INSERTED BY DEREK.  Give Barnyard the information location of Meta-data.
config sid-msg-map: /etc/snort/sid-msg.map
config gen-msg-map: /etc/snort/gen-msg.map
config class-file: /etc/snort/classification.config

# set the hostname (currently only used for the acid db output plugin)
#COMMENTED OUT BY DEREK. config hostname: snorthost

# set the interface name (currently only used for the acid db output plugin)
#COMMENTED OUT BY DEREK. config interface: fxp0

# set the filter (currently only used for the acid db output plugin)
#COMMENTED OUT BY DEREK. config filter: not port 22

# Step 2: setup the output plugins

# alert_fast
#-----------------------------
# Converts data from the dp_alert plugin into an approximation of Snort's 
# "fast alert" mode.  Argument: <filename>

output alert_fast: barnyard.alert

# log_dump
#-----------------------------
# Converts data from the dp_log plugin into an approximation of Snort's 
# "ASCII packet dump" mode.  Argument: <filename>

#COMMENTED OUT BY DEREK. output log_dump


# alert_syslog2
#-------------------------------
# Generates a syslog alert.  This supports considerably more features than
# the original syslog output plugin.
# 
output alert_syslog2: severity: ALERT; syslog_host: x.x.x.x;


/barnyard.config

Derek Stinchfield
Network Analyst
Scientific Computing Center
University of North Dakota - AEROSPACE
derek () aero und edu

-------------------------------------------------------------------------
Take Surveys. Earn Cash. Influence the Future of IT
Join SourceForge.net's Techsay panel and you'll get the chance to share your
opinions on IT & business topics through brief surveys -- and earn cash
http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users





+---------------------------------------------------------------------+
joel esler          senior security consultant         1-706-627-2101
Sourcefire    Security for the /Real/ World -- http://www.sourcefire.com
       Snort - Open Source Network IPS/IDS -- http://www.snort.org
         gpg key: http://demo.sourcefire.com/jesler.pgp.key
           aim:eslerjoel  ymsg:eslerjoel gtalk:eslerj
+---------------------------------------------------------------------+

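The question Joel raises (is snort actually writing unified output, and is it the kind barnyard has an output plugin for) can be checked from the shell before barnyard is ever started. The script below is an added diagnostic written for this page; it is not from the thread, from Snort, or from the Barnyard project. It takes the same four values the init script passes as -d, -f, -a and -c, reads the 4-byte magic at the head of every spool file matching the base name, classifies the file as a unified alert or unified log spool, and checks that barnyard.conf has an uncommented output line of the matching family (alert_* for alert spools, log_* for log spools), since barnyard pairs data processors and output plugins by type. The magic values (ALERT_MAGIC 0xDEAD4137, LOG_MAGIC 0xDEAD1080) are the ones from Snort 2.x's spo_unified.h as I recall them, written in host byte order, so both byte orders are accepted; verify them against the local Snort source before relying on this. The function names and the sample files built by demo are mine and constructed. Note what it would say about the thread's setup: the init script passes -f snort.log while the posted barnyard.conf enables only alert_fast and alert_syslog2 (log_dump is commented out); whether snort.log is really a unified log spool depends on the snort.conf, which is not shown, but if it is, that combination is exactly what this check reports.

```shell
#!/bin/sh
# Added diagnostic, not part of the original thread or of Barnyard.
# Classifies Snort 2.x unified spool files by their 4-byte magic and checks
# that barnyard.conf enables an output plugin of the matching family.
# Assumption: ALERT_MAGIC 0xDEAD4137 and LOG_MAGIC 0xDEAD1080 from
# Snort's spo_unified.h, written in host byte order.

# spool_kind FILE -> prints "alert", "log" or "unknown"
spool_kind() {
    magic=$(od -An -tx1 -N4 "$1" 2>/dev/null | tr -d ' \n')
    case "$magic" in
        3741adde|dead4137) echo alert ;;   # little-endian | big-endian
        8010adde|dead1080) echo log ;;
        *) echo unknown ;;
    esac
}

# conf_has_output CONF FAMILY -> 0 if CONF has an uncommented
# "output <FAMILY>_..." line, 1 otherwise
conf_has_output() {
    grep -Eq "^[[:space:]]*output[[:space:]]+$2_" "$1"
}

# check_spool SPOOLDIR BASENAME ARCHIVEDIR CONF
# Same meaning as the init script's -d, -f, -a and -c. Prints one line per
# finding and returns 0 only when nothing is wrong.
check_spool() {
    dir=$1; base=$2; archive=$3; conf=$4; rc=0
    if [ ! -d "$archive" ]; then
        echo "archive dir $archive missing (barnyard -a expects it to exist)"
        rc=1
    fi
    set -- "$dir/$base".*
    if [ ! -f "$1" ]; then
        echo "no spool files matching $dir/$base.* (is snort writing unified output there?)"
        return 1
    fi
    for f in "$@"; do
        kind=$(spool_kind "$f")
        case "$kind" in
            unknown)
                echo "$f: not a unified alert/log file"; rc=1 ;;
            *)
                conf_has_output "$conf" "$kind" || {
                    echo "$f is a unified $kind spool but $conf enables no ${kind}_* output plugin"
                    rc=1
                } ;;
        esac
    done
    return $rc
}

# demo: builds constructed sample files in a temp dir and runs the check
# against a conf that, like the one in the thread, enables only alert_* output.
demo() {
    t=$(mktemp -d)
    mkdir "$t/spool" "$t/archive"
    # constructed spool files: little-endian magic only, no records
    printf '\067\101\255\336' > "$t/spool/snort.alert.1159468800"
    printf '\200\020\255\336' > "$t/spool/snort.log.1159468800"
    printf 'output alert_fast: barnyard.alert\n#output log_dump\n' > "$t/barnyard.conf"
    check_spool "$t/spool" snort.alert "$t/archive" "$t/barnyard.conf" && echo "snort.alert: OK"
    check_spool "$t/spool" snort.log "$t/archive" "$t/barnyard.conf" || echo "snort.log: problems found"
    rm -rf "$t"
}

if [ "${1:-}" = demo ]; then demo; fi
```

Run it as `sh check_spool.sh demo` to see the constructed case, or source it and call `check_spool /var/log/snort snort.log /var/log/snort-processados /etc/snort/barnyard.conf` with the real paths from the init script. An empty or truncated spool file reads as "unknown", which is the same symptom as snort not writing unified output at all.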

