Snort mailing list archives
Re: Snort 2.9.0.2 / barnyard2 / base 1.4.5 signature not displayed and is unclassifiede
From: "Jefferson, Shawn" <Shawn.Jefferson () bcferries com>
Date: Tue, 21 Dec 2010 11:50:12 -0700
Hi, (answers in-line)

1.) Do I have to install Snort via "sudo apt-get install snort-mysql" in order to make BASE work?

No, you don't and it isn't recommended. You should run Snort with Unified2 output, and use Barnyard2 to parse those and insert into your MySQL database. From the output you have shown below, it looks like you had/have an error in your barnyard2 config.

2.) Do I get the newest version (e.g. 2.9.0.3, etc) of Snort via "sudo apt-get install snort-mysql" ?

I would compile and install from source... I do that personally. You don't need to compile in MySQL support in that case. This is the way I compile:

./configure --enable-perfprofiling --enable-targetbased --enable-reload --enable-zlib --enable-decoder-preprocessor-rules
make
make install

Hope that makes sense.

________________________________________
From: Jun Wan [mailto:junwei_wan () hotmail com]
Sent: Monday, December 20, 2010 3:22 PM
To: Jefferson, Shawn
Cc: snort-users () lists sourceforge net
Subject: RE: [Snort-users] Snort 2.9.0.2 / barnyard2 / base 1.4.5 signature not displayed and is unclassifiede

Hi Shawn,

I followed two setup guides to install Snort by using "sudo apt-get install snort-mysql" :

1.) https://wwwx.cs.unc.edu/~hays/archives/2010/03/entry_23.php
The Snort version was 2.8.4.1 on Ubuntu 9.1, Snort&BASE worked fine, this was my first Snort experience.

2.) http://it.thelibrarie.com/weblog/2010/06/installing-snort-on-ubuntu-10-04/
The Snort version was 2.8.x.x (?) on Ubuntu 10. Barnyard2 failed to initialize, please see the following:

-== Initializing Barnyard2 ==-
Initializing Input Plugins!
Initializing Output Plugins!
Parsing config file "/etc/snort/barnyard2.conf"
ERROR: /etc/snort/barnyard2.conf(310) Undefined variable name: 12.
Fatal Error, Quitting..

barnyard2 still failed despite the fact I took the suggestions from others. Then I moved on and tried the Snort Report 1.3.1 on Snort 2.8.6.0 and 2.9.0.0, they are working okay except the slowness of loading data into a browser.

These two Snort IDS boxes are running in my company's live network at the moment after some fine tuning via snort.conf, emerging.conf, threshold.conf and individual rules.

My questions would be:

1.) Do I have to install Snort via "sudo apt-get install snort-mysql" in order to make BASE work?
2.) Do I get the newest version (e.g. 2.9.0.3, etc) of Snort via "sudo apt-get install snort-mysql" ?

Any information and help would be much appreciated.

Thanks
Regards
John

________________________________________
From: Shawn.Jefferson () bcferries com
To: junwei_wan () hotmail com; randy () procyonlabs com
CC: snort-users () lists sourceforge net
Date: Mon, 20 Dec 2010 12:35:35 -0700
Subject: RE: [Snort-users] Snort 2.9.0.2 / barnyard2 / base 1.4.5 signature not displayed and is unclassifiede

Hmm, I just did that very thing. What problems are you having?

________________________________________
From: Jun Wan [mailto:junwei_wan () hotmail com]
Sent: Monday, December 20, 2010 2:36 AM
To: randy () procyonlabs com
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Snort 2.9.0.2 / barnyard2 / base 1.4.5 signature not displayed and is unclassifiede

Hi Randy,

It's good news, I would love to try BASE again. I am using Ubuntu 10.04 at the moment, do you have any guide for Ubuntu 10.04? I would like to set up Snort 2.9.0.2 / barnyard2 / base 1.4.5 on Ubuntu 10.04.

Many thanks in advance
Regards
John

Date: Sun, 19 Dec 2010 21:45:29 -0500
From: randy () procyonlabs com
To: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Snort 2.9.0.2 / barnyard2 / base 1.4.5 signature not displayed and is unclassifiede

On 12/19/2010 9:06 PM, Jun Wan wrote:
> Hi Joe,
>
> I am using Snort 2.8.6&2.9.0/barnyard2/Snort report 1.3.0, they are okay but they are very slow to load the data into the browser. I used Snort 2.8.5.3 / barnyard2 / base 1.4.5 before by following https://wwwx.cs.unc.edu/~hays/archives/2010/03/entry_23.php, I loved BASE as it's much faster than Snort Report. I just wonder if you have some setup instruction/guide I can follow to set up Snort 2.9.0.2 / barnyard2 / base 1.4.5.
>
> Any information and help would be much appreciated.

I'm actually one of the BASE developers (though it is mid-transition to a new lead and a newer version at some point, so you won't see much action right now) and I help on Barnyard2. I also do a lot of guides.

What platform/OS are you looking for help on? I think you mentioned RHEL - what version? I'm currently working on a RHEL 6.0 guide for x86_64 that should be ready later this week.

Thanks,
Randy

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
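
An added example, not part of any message in this thread and not Barnyard2 code: the fatal error quoted above names a variable called "12" on line 310 of barnyard2.conf, which is what a parser reports when it meets a "$" followed by a name it has no definition for. The lint below finds such references before Barnyard2 is started; it assumes Barnyard2 follows Snort's `var NAME value` / `$NAME` config syntax, and the sample config (including the password) is constructed for illustration.

```python
import re

# Constructed sample, not the poster's file. Line 4 carries a password that
# happens to contain "$12", which a $NAME-expanding parser reads as variable "12".
SAMPLE_CONF = """\
# barnyard2.conf (constructed sample)
var LOGDIR /var/log/snort
input unified2
output database: log, mysql, user=snort password=Sn0rt$12 dbname=snort host=localhost
output alert_fast: $LOGDIR/alert
"""

# Assumed syntax: "var NAME value" defines a variable, "$NAME" or "$(NAME" uses one.
VAR_DEF = re.compile(r"^\s*var\s+(\S+)\s+\S")
VAR_REF = re.compile(r"\$\(?([A-Za-z0-9_]+)")


def undefined_variables(conf_text):
    """Return [(line_no, name)] for each $name used without an earlier 'var name'."""
    defined = set()
    findings = []
    for line_no, line in enumerate(conf_text.splitlines(), start=1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue  # blank lines and comments are never expanded
        definition = VAR_DEF.match(line)
        if definition:
            defined.add(definition.group(1))
        for ref in VAR_REF.finditer(line):
            if ref.group(1) not in defined:
                findings.append((line_no, ref.group(1)))
    return findings


if __name__ == "__main__":
    for line_no, name in undefined_variables(SAMPLE_CONF):
        print(f"barnyard2.conf({line_no}): '${name}' has no matching var definition")
```

Run against a real file with `undefined_variables(open(path).read())`; a hit inside a credential usually means the value contains a literal "$" rather than a forgotten `var` line.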
Current thread:
- Re: Snort 2.9.0.2 / barnyard2 / base 1.4.5 signature not displayed and is unclassified, (continued)
- Re: Snort 2.9.0.2 / barnyard2 / base 1.4.5 signature not displayed and is unclassified Russ Combs (Dec 17)
- Re: Snort 2.9.0.2 / barnyard2 / base 1.4.5 signature not displayed and is unclassified Eoin Miller (Dec 17)
- Re: Snort 2.9.0.2 / barnyard2 / base 1.4.5 signature not displayed and is unclassified Russ Combs (Dec 17)
- Re: Snort 2.9.0.2 / barnyard2 / base 1.4.5 signature not displayed and is unclassified Joel Esler (Dec 17)
- Re: Snort 2.9.0.2 / barnyard2 / base 1.4.5 signature not displayed and is unclassified Joel Esler (Dec 17)
- Re: Snort 2.9.0.2 / barnyard2 / base 1.4.5 signature not displayed and is unclassifiede Jun Wan (Dec 19)
- Re: Snort 2.9.0.2 / barnyard2 / base 1.4.5 signature not displayed and is unclassifiede Randal T. Rioux (Dec 19)
- Re: Snort 2.9.0.2 / barnyard2 / base 1.4.5 signature not displayed and is unclassifiede Jun Wan (Dec 20)
- Re: Snort 2.9.0.2 / barnyard2 / base 1.4.5 signature not displayed and is unclassifiede Jefferson, Shawn (Dec 20)
- Re: Snort 2.9.0.2 / barnyard2 / base 1.4.5 signature not displayed and is unclassifiede Jun Wan (Dec 20)
- Re: Snort 2.9.0.2 / barnyard2 / base 1.4.5 signature not displayed and is unclassifiede Jefferson, Shawn (Dec 21)
- Re: Snort 2.9.0.2 / barnyard2 / base 1.4.5 signature not displayed and is unclassifiede Joel Esler (Dec 21)
- Re: Snort 2.9.0.2 / barnyard2 / base 1.4.5 signature not displayed and is unclassifiede Jun Wan (Dec 25)
- Re: Snort 2.9.0.2 / barnyard2 / base 1.4.5 signature not displayed and is unclassifiede Randal T. Rioux (Dec 19)