Snort mailing list archives

Post Snort 2.9.2.1 (Ubuntu 10.04 LTS) installation issues.


From: Randy Peif <rpeif () co weld co us>
Date: Wed, 7 Mar 2012 10:29:27 -0700

All,
I have two issues that I am currently experiencing and have not found a good solution for via http://www.snort.org/docs
or any other site resource. I recently installed Snort 2.9.2.1 following the guide detailed by David Gullett
(http://www.snort.org/assets/158/014-snortinstallguide292.pdf).

My current setup is on a physical server Dell PowerEdge R710. I installed Ubuntu 10.04 LTS as the OS and am running 
Snort 2.9.2.1 with Barnyard 1.9.  I have 11 interfaces, but only 4 are being used. Eth0 is for management, Eth4 is for 
Core1, Eth5 is for the DMZ, Eth8 is for Core2, and Eth9 is for the OE.


1.)    Rc.local script is not starting barnyard.

I followed David's guide by adding the following to /etc/rc.local

ifconfig eth4 up
ifconfig eth5 up
ifconfig eth8 up
ifconfig eth9 up

/usr/local/snort/bin/snort -D -u snort -g snort -c /usr/local/snort/etc/snort.conf -i eth4
/usr/local/snort/bin/snort -D -u snort -g snort -c /usr/local/snort/etc/snort.conf -i eth5
/usr/local/snort/bin/snort -D -u snort -g snort -c /usr/local/snort/etc/snort.conf -i eth8
/usr/local/snort/bin/snort -D -u snort -g snort -c /usr/local/snort/etc/snort.conf -i eth9

/usr/local/bin/barnyard2 -c /usr/local/snort/etc/barnyard2.conf -G /usr/local/snort/etc/gen-msg.map -S \
    /usr/local/snort/etc/sid-msg.map -d /var/log/snort -f snort.u2 -w /var/log/snort/barnyard2.waldo -D

When I do a "/etc/init.d/rc.local start" it creates the child daemons for each interface and it appears
all goes well, but when I look at the processes running I do not see barnyard2 running. I confirm that
barnyard2 is not functioning by reviewing the mysql snort db data table and see there is no data. I have done
some testing on my Core1 interface eth4 by killing all services for snort and starting the snort service manually. Once
the unified2 log is created in /var/snort/log I manually start barnyard2 and it starts successfully. I then begin to
see data in the snort db as well as alerts in snort report.

How can I get snort started for each interface and barnyard2 started all at server startup? David's guide only covers 
one interface so I may not have my snort.conf and barnyard2.conf configured properly for a multiple interface setup. 
Any feedback or direction would be appreciated.

2.)    Snort report is not loading at all (the site hangs and never displays content) / guidance on reducing amount of 
traffic snort reviews.

Despite issue number 1, I manually kicked off snort for all four interfaces which ultimately started creating the 
unified2 logs that I needed to successfully manually start barnyard2. I was going to forego the automation of those 
services starting and just see if by starting each interface manually as well as barnyard2 manually I would be able to 
simply move forward with reviewing the alerts. Well, once I started all 4 interfaces and then barnyard2 snort report no 
longer would load. I restarted the Apache2 service and it did not help. I believe I have so much data coming from the 
cores that snort report cannot load all of the alerts.

How can I overcome this? Ultimately I will be using Snorby for log review, but I would like to confirm my Snort 
installation is working successfully before I move forward and at this point I can't confirm that as I am unable to see 
the alerts via snort report anymore. I was able to uncover some information about this issue such as reducing the amount
of traffic snort is reporting via the snort.conf, but there is nothing out there that states specifically what I
should modify to make my snort installation function more smoothly. Does anyone have a decent guide on the snort.conf config
and a breakout of performance modifications to make?

I apologize for the longevity of the issues, but I was trying to get everything in there that I have attempted so I 
could get some valuable responses. I appreciate all assistance!

Regards,
Randy Peif
Information Security Analyst


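The following startup script is an added example written for this thread; it is not code from the original post, from the install guide, or from the Snort project. It keeps the binary, configuration and map paths from the post but makes two assumptions that the post's rc.local does not: each Snort instance logs to its own directory (snort -l /var/log/snort/<iface>) so the four sensors' unified2 files are not mixed in one spool, and each interface gets its own barnyard2 with its own waldo bookmark and -d spool directory, since a single waldo file can only track one sequence of spool files. The script also waits for the first unified2 file to appear before launching barnyard2, which mirrors the manual sequence the post reports as working. Whether -i is the right way to label the sensor in your barnyard2 build should be confirmed with barnyard2 -h; everything else is standard POSIX sh.

```shell
#!/bin/sh
# Added example: start one Snort and one Barnyard2 per sniffing interface.
# Paths are the ones from the post; per-interface log directories are an assumption.
SNORT=/usr/local/snort/bin/snort
BY2=/usr/local/bin/barnyard2
ETC=/usr/local/snort/etc
LOGBASE=/var/log/snort
IFACES="eth4 eth5 eth8 eth9"

# Spool/log directory for one interface (assumed layout: /var/log/snort/<iface>).
logdir() { printf '%s/%s\n' "$LOGBASE" "$1"; }

# Snort command line for one interface. -l gives each instance its own
# spool directory so its unified2 files never interleave with another sensor's.
snort_cmd() {
  printf '%s -D -u snort -g snort -c %s/snort.conf -i %s -l %s\n' \
    "$SNORT" "$ETC" "$1" "$(logdir "$1")"
}

# Barnyard2 command line for one interface: its own -d spool directory and
# its own -w waldo bookmark; -i records the interface name with the alerts.
barnyard2_cmd() {
  d=$(logdir "$1")
  printf '%s -c %s/barnyard2.conf -G %s/gen-msg.map -S %s/sid-msg.map -i %s -d %s -f snort.u2 -w %s/barnyard2.waldo -D\n' \
    "$BY2" "$ETC" "$ETC" "$ETC" "$1" "$d" "$d"
}

# Poll a spool directory for up to $2 seconds (default 30) until a unified2
# file (snort.u2.<timestamp>) exists. Returns 0 when found, 1 on timeout.
wait_for_unified2() {
  dir=$1; n=${2:-30}
  while [ "$n" -gt 0 ]; do
    if ls "$dir"/snort.u2.* >/dev/null 2>&1; then return 0; fi
    sleep 1; n=$((n - 1))
  done
  return 1
}

# Bring up one sensor: interface, log dir, Snort, then Barnyard2 once there
# is a unified2 file for it to open. Returns 1 if any step does not come up.
start_iface() {
  ifconfig "$1" up || return 1
  mkdir -p "$(logdir "$1")" && chown snort:snort "$(logdir "$1")" || return 1
  eval "$(snort_cmd "$1")" || { echo "$1: snort failed to start" >&2; return 1; }
  wait_for_unified2 "$(logdir "$1")" 30 \
    || { echo "$1: no unified2 file after 30s; is eth up and seeing traffic?" >&2; return 1; }
  eval "$(barnyard2_cmd "$1")" || { echo "$1: barnyard2 failed to start" >&2; return 1; }
  # Verify the daemon actually stayed up rather than trusting the exit status.
  sleep 2
  pgrep -f "barnyard2 .* -d $(logdir "$1") " >/dev/null \
    || { echo "$1: barnyard2 is not running" >&2; return 1; }
}

# Invoke as "rc.local-snort start" from /etc/rc.local; without an argument the
# script only defines the functions above.
case "${1:-}" in
  start)
    rc=0
    for i in $IFACES; do start_iface "$i" || rc=1; done
    echo "snort instances: $(pgrep -c -f "$SNORT")  barnyard2 instances: $(pgrep -c -f "$BY2")"
    exit "$rc"
    ;;
esac
```

The per-interface barnyard2.conf entries for the database output plugin stay the same across instances; only the spool directory, waldo file and interface label differ, which is why they are passed on the command line rather than baked into four copies of the configuration. If barnyard2 still does not show up in the process list, run the printed command by hand without -D so its startup errors go to the terminal rather than being lost when the daemon forks.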

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
