Snort mailing list archives
Re: MySQL support for Snort 2.9.4
From: Joel Esler <jesler () sourcefire com>
Date: Tue, 11 Dec 2012 22:51:46 -0500
If you run pulledpork in its default configuration, you can just use snort.rules

--
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire

On Dec 11, 2012, at 10:50 PM, Kaya Saman <kayasaman () gmail com> wrote:
On 12/12/2012 03:37 AM, Jeremy Hoel wrote:
> Yeah you!

Next time someone in my house makes cookies everyone's invited :-)

> Are you outputting snort in unified2 format and reading that with barnyard2?

Yep:

output unified2: filename snort.u2, limit 128

> Share your snort.conf output lines.

Snort.conf is bog standard with: top customized with details of servers and IP addresses yada yada yada ..... man snort.conf {am glossing as is trivial}

I just changed:

# Path to your rules files (this can be a relative path)
# Note for Windows users: You are advised to make this an absolute path,
# such as: c:\snort\rules
var RULE_PATH rules
var SO_RULE_PATH so_rules
var PREPROC_RULE_PATH preproc_rules

# If you are using reputation preprocessor set these
# Currently there is a bug with relative paths, they are relative to where snort is
# not relative to snort.conf like the above variables
# This is completely inconsistent with how other vars work, BUG 89986
# Set the absolute path appropriately
var WHITE_LIST_PATH rules
var BLACK_LIST_PATH rules

###################################################
# Step #4: Configure dynamic loaded libraries.
# For more information, see Snort Manual, Configuring Snort - Dynamic Modules
###################################################

# path to dynamic preprocessor libraries
dynamicpreprocessor directory /usr/local/lib/snort_dynamicpreprocessor/

# path to base preprocessor engine
dynamicengine /usr/local/lib/snort_dynamicengine/libsf_engine.so

# path to dynamic rules libraries
#dynamicdetection directory /usr/local/lib/snort_dynamicrules

###################################################
# Step #7: Customize your rule set
# For more information, see Snort Manual, Writing Snort Rules
#
# NOTE: All categories are enabled in this conf file
###################################################

# site specific rules
#include $RULE_PATH/local.rules

#include $RULE_PATH/attack-responses.rules
#include $RULE_PATH/backdoor.rules
#include $RULE_PATH/bad-traffic.rules
#include $RULE_PATH/blacklist.rules
#include $RULE_PATH/botnet-cnc.rules
#include $RULE_PATH/chat.rules
#include $RULE_PATH/content-replace.rules
#include $RULE_PATH/ddos.rules
#include $RULE_PATH/dns.rules
#include $RULE_PATH/dos.rules
#include $RULE_PATH/exploit.rules
#include $RULE_PATH/file-identify.rules
#include $RULE_PATH/finger.rules
#include $RULE_PATH/ftp.rules
#include $RULE_PATH/icmp.rules
#include $RULE_PATH/icmp-info.rules
#include $RULE_PATH/imap.rules
#include $RULE_PATH/info.rules
#include $RULE_PATH/misc.rules
#include $RULE_PATH/multimedia.rules
#include $RULE_PATH/mysql.rules
#include $RULE_PATH/netbios.rules
#include $RULE_PATH/nntp.rules
#include $RULE_PATH/oracle.rules
#include $RULE_PATH/other-ids.rules
#include $RULE_PATH/p2p.rules
#include $RULE_PATH/phishing-spam.rules
#include $RULE_PATH/policy.rules
#include $RULE_PATH/pop2.rules
#include $RULE_PATH/pop3.rules
#include $RULE_PATH/rpc.rules
#include $RULE_PATH/rservices.rules
#include $RULE_PATH/scada.rules
#include $RULE_PATH/scan.rules
#include $RULE_PATH/shellcode.rules
#include $RULE_PATH/smtp.rules
#include $RULE_PATH/snmp.rules
#include $RULE_PATH/specific-threats.rules
#include $RULE_PATH/spyware-put.rules
#include $RULE_PATH/sql.rules
#include $RULE_PATH/telnet.rules
#include $RULE_PATH/tftp.rules
#include $RULE_PATH/virus.rules
#include $RULE_PATH/voip.rules
#include $RULE_PATH/web-activex.rules
#include $RULE_PATH/web-attacks.rules
#include $RULE_PATH/web-cgi.rules
#include $RULE_PATH/web-client.rules
#include $RULE_PATH/web-coldfusion.rules
#include $RULE_PATH/web-frontpage.rules
#include $RULE_PATH/web-iis.rules
#include $RULE_PATH/web-misc.rules
#include $RULE_PATH/web-php.rules
#include $RULE_PATH/x11.rules

I also wrote a custom script'ish section to produce the file:

#include $RULE_PATH/rule.set

Basically:

ls -l rules | cut -c 50-100 > rule.list
sed 's/^/include $RULE_PATH\//' rule.list > rule.set

This would be fine for adding any *.rules files to rule.list which then gets transformed to rule.set; saves having to write out each line manually!

That's about it.......

# ls -lh /var/log/snort
total 837292
-rw-r--r--  1 _snort  _snort     0B Dec  4 01:21 alert
-rw-------  1 root    _snort   5.1K Dec 12 03:24 snort.u2.1355282592
-rw-------  1 root    _snort     0B Dec 12 03:26 snort.u2.1355282785
-rw-------  1 root    _snort  19.8M Dec 12 03:27 snort.u2.1355282811
-rw-------  1 root    _snort   128M Dec 12 03:32 snort.u2.1355282879
-rw-------  1 root    _snort   128M Dec 12 03:36 snort.u2.1355283128
-rw-------  1 root    _snort   128M Dec 12 03:41 snort.u2.1355283410
-rw-------  1 root    _snort   4.8M Dec 12 03:48 snort.u2.1355283668

Now all I need to do is get Barnyard2 working and with a bit of luck will start being able to see alerts back on Base.

Phew, that was a trek and a half!

On Dec 11, 2012 8:29 PM, "Kaya Saman" <kayasaman () gmail com> wrote:

On 12/11/2012 09:54 PM, Joel Esler wrote:
> Doesn't sound like that was the problem. Looks like you have a larger problem. Traffic not being received or analyzed correctly.
>
> You said that all you were getting was icmp alerts, and that doesn't sound right (unless that's all you have)
>
> --
> Joel Esler
> Senior Research Engineer, VRT
> OpenSource Community Manager
> Sourcefire

Finally I got this working!!!! :-)

Basically all I needed to do was to add the paths for these in and take out all the other obsolete rules which weren't working:

include $RULE_PATH/decoder.rules
include $RULE_PATH/preprocessor.rules
include $RULE_PATH/sensitive-data.rules

Now I get alerts even!

The only issue is that Barnyard2 is now segfaulting when reading the Snort log files? :-(

I keep getting "bus error" - which I've been having too much of lately!

Thanks for all the help!

Regards,

Kaya

------------------------------------------------------------------------------
LogMeIn Rescue: Anywhere, Anytime Remote support for IT. Free Trial
Remotely access PCs and mobile devices and provide instant support
Improve your efficiency, and focus on delivering more value-add services
Discover what IT Professionals Know. Rescue delivers
http://p.sf.net/sfu/logmein_12329d2d
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
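The thread's rule.set generator pipes `ls -l` through `cut -c 50-100`, which depends on the exact column widths of owner, group and size and silently yields wrong names when they change. Below is an added example (my own code, not Kaya's script and not part of Snort or pulledpork) that builds the same include list by globbing the directory instead, skips names that would not survive as a bare include token, and generalizes the one-liner by taking the snort.conf variable name as a parameter so it also serves preproc_rules with $PREPROC_RULE_PATH; the function names gen_rule_set and check_rule_set are my own.

```shell
#!/bin/sh
# Added example, not code from the thread: build an include file for snort.conf
# from the *.rules files in a directory without parsing `ls -l` output.
#
# Usage: gen_rule_set <rules-dir> [<snort-var>]  > rule.set
#   gen_rule_set rules                          -> include $RULE_PATH/<name>.rules
#   gen_rule_set preproc_rules PREPROC_RULE_PATH -> include $PREPROC_RULE_PATH/...
# The second argument names the snort.conf variable to reference; it defaults
# to RULE_PATH, as in the thread.

gen_rule_set() {
    dir="$1"
    var="${2:-RULE_PATH}"
    [ -d "$dir" ] || { echo "gen_rule_set: not a directory: $dir" >&2; return 1; }
    for f in "$dir"/*.rules; do
        [ -e "$f" ] || continue          # glob matched nothing: skip the literal pattern
        name=${f##*/}
        # Refuse names with spaces or shell metacharacters: they would not
        # survive as a single include token in snort.conf.
        case "$name" in
            *[!A-Za-z0-9._-]*)
                echo "gen_rule_set: skipping unsafe name: $name" >&2
                continue ;;
        esac
        # Single-quoted format string: snort.conf must receive the literal "$VAR".
        printf 'include $%s/%s\n' "$var" "$name"
    done | LC_ALL=C sort                  # deterministic order, stable diffs
}

# Verify that an existing rule.set still matches the directory it came from
# (e.g. after pulledpork added or removed files). Exit status 0 on agreement.
check_rule_set() {
    set_file="$1"; dir="$2"; var="${3:-RULE_PATH}"
    [ "$(gen_rule_set "$dir" "$var")" = "$(cat "$set_file")" ]
}
```

After regenerating rule.set, `snort -T -c snort.conf` will still be the authoritative check that every included file actually parses.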