Snort mailing list archives

Re: upgrading to snort 2.6


From: Jason <security () brvenik com>
Date: Fri, 29 Sep 2006 09:41:55 -0400

Is this a 64-bit system? Did you compile from sources? Can you run
barnyard under gdb and provide a backtrace?

Thx,
Jason.

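Joel's question in the quoted thread below (is snort actually writing unified output?) can be settled from the spool file itself, because Snort's unified alert and log files start with a fixed file header that carries a magic number. The checker below is an added example, not code from this thread or from Snort/Barnyard; it assumes the ALERT_MAGIC/LOG_MAGIC values and header layouts from Snort 2.x's spo_unified.c and a little-endian host, and the sample headers are constructed.

```python
import struct

# Magic numbers and file header layouts as defined in Snort 2.x spo_unified.c
# (assumption: x86 little-endian host, which is what Snort writes natively).
ALERT_MAGIC = 0xDEAD4137           # alert_unified spool (snort.alert)
LOG_MAGIC = 0xDEAD1080             # log_unified spool   (snort.log)
ALERT_HDR = struct.Struct("<IIII")   # magic, ver_major, ver_minor, timezone
LOG_HDR = struct.Struct("<IHHIII")   # magic, ver_major, ver_minor, tz, snaplen, linktype


def inspect_unified_header(data):
    """Classify the first bytes of a Snort spool file; returns a dict."""
    if len(data) < 4:
        # Derek's symptom: barnyard "didn't even create the file" / empty spool
        return {"kind": "empty-or-truncated", "size": len(data)}
    magic = struct.unpack("<I", data[:4])[0]
    if magic == ALERT_MAGIC and len(data) >= ALERT_HDR.size:
        _, vmaj, vmin, tz = ALERT_HDR.unpack_from(data)
        return {"kind": "unified-alert", "version": (vmaj, vmin), "timezone": tz}
    if magic == LOG_MAGIC and len(data) >= LOG_HDR.size:
        _, vmaj, vmin, tz, snaplen, linktype = LOG_HDR.unpack_from(data)
        return {"kind": "unified-log", "version": (vmaj, vmin), "timezone": tz,
                "snaplen": snaplen, "linktype": linktype}
    # Magic only matches byte-swapped: written on a host with the other byte order
    if struct.unpack(">I", data[:4])[0] in (ALERT_MAGIC, LOG_MAGIC):
        return {"kind": "unified-wrong-byte-order"}
    # Printable text means alert_fast/alert_full style output, not unified
    if all(32 <= b < 127 or b in (9, 10, 13) for b in data[:64]):
        return {"kind": "text-not-unified"}
    return {"kind": "unknown", "magic": hex(magic)}


def check_spool_file(path):
    """Read just the header bytes of a spool file on disk and classify them."""
    with open(path, "rb") as fh:
        return inspect_unified_header(fh.read(64))


# Constructed sample headers (not captured from a real sensor); version and
# snaplen values are illustrative.
SAMPLE_ALERT = ALERT_HDR.pack(ALERT_MAGIC, 1, 81, 0)
SAMPLE_LOG = LOG_HDR.pack(LOG_MAGIC, 1, 2, 0, 1514, 1)
SAMPLE_FAST = b"09/28-12:47:30.123456  [**] [1:1000001:1] local test rule [**]\n"

if __name__ == "__main__":
    for name, blob in (("snort.alert", SAMPLE_ALERT), ("snort.log", SAMPLE_LOG),
                       ("alert (fast)", SAMPLE_FAST), ("empty", b"")):
        print(name, inspect_unified_header(blob))
```

A header that checks out only proves the file type; the per-event records that follow are raw host structs too and can differ between builds (word size, byte order), which is what Jason's 64-bit question is probing and what the header check cannot see.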
Derek Stinchfield wrote:
Yeah, I gave it a glance.  I haven't had a lot of time to read in depth, but I know the lines that configure snort to output unified files have not changed.  I still believe that there is something bizarre happening in Barnyard, but I can't lock it down.

«««««««««««««««««««»»»»»»»»»»»»»»»»»»»

Derek Stinchfield
Network Analyst
Scientific Computing Center
University of North Dakota - ÆROSPACE
derek () aero und edu

«««««««««««««««««««»»»»»»»»»»»»»»»»»»»

"info+lucretia.ca" <info () lucretia ca> 9/29/2006 7:55 AM >>>
Actually there is a vast difference between 2.4 and 2.6.

Did you review the release notes or the manual?

Cheers,

James Friesen, CIO
Lucretia Enterprises
Our World Is Here
info at lucretia dot ca
http://lucretia.ca 


-----Original Message-----
From: snort-users-bounces () lists sourceforge net 
[mailto:snort-users-bounces () lists sourceforge net] On Behalf
Of Derek Stinchfield
Sent: Thursday, September 28, 2006 12:54 PM
Cc: snort-users () lists sourceforge net 
Subject: Re: [Snort-users] upgrading to snort 2.6

Yes, I believe so, unless something is very different between 2.4 and 2.6.   Here is the excerpt from my snort.conf:

output alert_unified: filename snort.alert, limit 128
output log_unified: filename snort.log, limit 128

Thanks again,

Derek

«««««««««««««««««««»»»»»»»»»»»»»»»»»»»

Derek Stinchfield
Network Analyst
Scientific Computing Center
University of North Dakota - ÆROSPACE
derek () aero und edu 

«««««««««««««««««««»»»»»»»»»»»»»»»»»»»

Joel Esler <joel.esler () sourcefire com> 9/28/2006 1:10 PM >>>
Just to say...  Are you sure snort is outputting in unified format?

J


On Thu, Sep 28, 2006 at 12:47:30PM -0500, Derek Stinchfield apparently sent me:
Recently, my department was able to free up a new server that we decided to use to replace our old snort box.  I figured that this would be a good time to update to 2.6.  I saved a few of the old config files and went to work with the new box from scratch.  I loaded RHELAS 4 and after the install, I downloaded and installed 2.6.0.2, and Barnyard 0.2.0.  I then checked and copied over the config files, rulesets, and startup scripts from our old snort 2.4 box and I thought I pounded out any issues with file locations and permissions.  Both snort and barnyard are now starting and running; however, I let it run last night, outputting unified files and having barnyard pointed at a remote syslog server, and I didn't have a single rule in the remote syslog today.  I had snort make a fast alert output to be sure that rules were being triggered, and sure enough they are, which leaves me with barnyard.  I did the fast alert for this too and it didn't even create the file for it.  This is the first time I've tried to use the barnyard startup script.  Before, I would just start it with <barnyard -D -n -f /var/log/snort/snort.alert>.  Now that I'm trying to use the script, the command is </usr/local/bin/barnyard -c /etc/snort/barnyard.conf -d /var/log/snort -a /var/log/snort-proces....>.  Obviously, if I try to start it the old way I now get a segmentation fault.

I have posted the barnyard script as well as what I use in the barnyard.conf.  Any help I can get is appreciated.  Also, if it helps, I don't absolutely have to use the barnyard script, so if there is an idea that excludes it, I would appreciate that as much as any help.
Thanks in advance,

Derek



The barnyard script I used is this:

#!/bin/bash
#
# barnyard      Start/Stop barnyard daemon
#
# Written by Alejandro Flores <alejandrorfloresgmail.com>
#
# chkconfig: 2345 42 62
# description: Output spool reader for Snort! This program decouples output \
#              overhead from the Snort network intrusion detection system and \
#              allows Snort to run at full speed. It takes input and output \
#              plugins and can therefore be used to convert almost any spooled file.
#

. /etc/rc.d/init.d/functions

# Barnyard binary
BARNYARD=/usr/local/bin/barnyard

# Where to place processed logs
PROCESSADOS=/var/log/snort-processados

# Base dir for snort logs
LOG_BASE=/var/log/snort

# Unified log filename
# Note: this is the log_unified spool (snort.log).  The alert_fast output
# configured in barnyard.conf below is fed by dp_alert, which reads the
# alert_unified spool (snort.alert), the file the old command line pointed at.
LOG_FILE=snort.log

# Barnyard config
CONFIG=/etc/snort/barnyard.conf

# where is sid-msg.map
SIDMAP=/etc/snort/sid-msg.map

# where is gen-msg.map
GENMAP=/etc/snort/gen-msg.map

# where is classification.config
CLASSCONF=/etc/snort/classification.config

# where to place the barnyard bookmark
WALDO=/var/log/snort/waldo

RETVAL=0

case "$1" in
    start)
        if [ -f /var/lock/subsys/barnyard ]; then
            echo "Barnyard is already running."
            exit 0
        fi
        echo -n "Starting Barnyard: "
        daemon $BARNYARD \
            -c $CONFIG \
            -d $LOG_BASE \
            -a $PROCESSADOS \
            -f $LOG_FILE \
            -w $WALDO \
            -s $SIDMAP \
            -g $GENMAP \
            -p $CLASSCONF \
            -D
        RETVAL=$?
        echo
        # only record the lock when the daemon actually started
        [ $RETVAL -eq 0 ] && touch /var/lock/subsys/barnyard
        ;;

    stop)
        echo -n "Stopping Barnyard: "
        killproc barnyard
        RETVAL=$?
        echo
        [ $RETVAL -eq 0 ] && rm -f /var/lock/subsys/barnyard
        ;;

    *)
        echo "Usage: $0 {start|stop}"
        exit 1
        ;;
esac

exit $RETVAL
/script



This is my barnyard.conf <some commented parts omitted>

#-------------------------------------------------------------
#   http://www.snort.org    Barnyard 0.1.0 configuration file
#          Contact: snort-barnyard () lists sourceforge net
#-------------------------------------------------------------
# $Id: barnyard.conf,v 1.9 2004/05/01 16:43:29 andrewbaker Exp $
########################################################
# Currently you want to do two things in here: turn on
# available data processors and turn on output plugins.
# The data processors (dp's) and output plugin's (op's)
# automatically associate with each other by type and
# are automatically selected at run time depending on
# the type of file you try to load.
########################################################

# Step 1: configuration declarations
# To keep from having a commandline that uses every letter in the
# alphabet, most configuration options are set here

# enable daemon mode
config daemon

#INSERTED BY DEREK.  Indicate which interface shall be monitored
config interface: eth1

#INSERTED BY DEREK.  Give Barnyard the location of the meta-data files.
config sid-msg-map: /etc/snort/sid-msg.map
config gen-msg-map: /etc/snort/gen-msg.map
config class-file: /etc/snort/classification.config

# set the hostname (currently only used for the acid db output plugin)
#COMMENTED OUT BY DEREK. config hostname: snorthost

# set the interface name (currently only used for the acid db output plugin)
#COMMENTED OUT BY DEREK. config interface: fxp0

# set the filter (currently only used for the acid db output plugin)
#COMMENTED OUT BY DEREK. config filter: not port 22

# Step 2: setup the output plugins

# alert_fast
#-----------------------------
# Converts data from the dp_alert plugin into an approximation of
# Snort's "fast alert" mode.  Argument: <filename>

output alert_fast: barnyard.alert

# log_dump
#-----------------------------
# Converts data from the dp_log plugin into an approximation of
# Snort's "ASCII packet dump" mode.  Argument: <filename>

#COMMENTED OUT BY DEREK. output log_dump


# alert_syslog2
#-------------------------------
# Generates a syslog alert.  This supports considerably more features
# than the original syslog output plugin.
#
output alert_syslog2: severity: ALERT; syslog_host: x.x.x.x;


/barnyard.config

«««««««««««««««««««»»»»»»»»»»»»»»»»»»»

Derek Stinchfield
Network Analyst
Scientific Computing Center
University of North Dakota - ÆROSPACE
derek () aero und edu

«««««««««««««««««««»»»»»»»»»»»»»»»»»»»


-------------------------------------------------------------------------
Take Surveys. Earn Cash. Influence the Future of IT
Join SourceForge.net's Techsay panel and you'll get the chance to share your
opinions on IT & business topics through brief surveys -- and earn cash
http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users




+---------------------------------------------------------------------+
joel esler          senior security consultant         1-706-627-2101
Sourcefire    Security for the /Real/ World -- http://www.sourcefire.com
       Snort - Open Source Network IPS/IDS -- http://www.snort.org
         gpg key: http://demo.sourcefire.com/jesler.pgp.key
           aim:eslerjoel  ymsg:eslerjoel gtalk:eslerj
+---------------------------------------------------------------------+

