Snort mailing list archives

Re: MySQL support for Snort 2.9.4


From: Kaya Saman <kayasaman () gmail com>
Date: Wed, 12 Dec 2012 04:24:15 +0000

On 12/12/2012 04:19 AM, Jeremy Hoel wrote:

Have you tried a newer version of by2?  They are up to 2.1.11.


Is this the development version?

From the site it only shows version 1.9: http://www.securixlive.com/barnyard2/download.php

Let me look for the bus error and get some other ideas.


Thanks! It could be the fact that I'm using sparc meaning something to do with aligned/unaligned access?



On Dec 11, 2012 9:15 PM, "Kaya Saman" <kayasaman () gmail com> wrote:

    On 12/12/2012 04:07 AM, Jeremy Hoel wrote:

    And your barnyard2 is looking in the right directory for the
    snort.u2 file?  Can you run by2 and paste the output?  And the
    command line you are calling for by2


    This is what I'm running:

    # /usr/local/bin/barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort -f snort.u2
    Running in Continuous mode

            --== Initializing Barnyard2 ==--
    Initializing Input Plugins!
    Initializing Output Plugins!
    Parsing config file "/etc/snort/barnyard2.conf"
    Log directory = /var/log/barnyard2
    Node unique name is: localhost:trunk0

    database: compiled support for (mysql)
    database: configured to use mysql
    database: schema version = 107
    database:           host = <mod>
    database:           user = <mod>
    database:  database name = <mod>
    database:    sensor name = localhost:trunk0
    database:      sensor id = 9
    database:     sensor cid = 1
    database:  data encoding = hex
    database:   detail level = full
    database:     ignore_bpf = no
    database: using the "alert" facility

            --== Initialization Complete ==--

      ______   -*> Barnyard2 <*-
     / ,,_  \  Version 2.1.9 (Build 263)
     |o"  )~|  By the SecurixLive.com Team:
    http://www.securixlive.com/about.php
     + '''' +  (C) Copyright 2008-2010 SecurixLive.

               Snort by Martin Roesch & The Snort Team:
    http://www.snort.org/team.html
               (C) Copyright 1998-2007 Sourcefire Inc., et al.

    Using waldo file '/etc/snort/barnyard2.waldo':
        spool directory = /var/log/snort
        spool filebase  = snort.u2
        time_stamp      = 1355280273
        record_idx      = 1
    Opened spool file '/var/log/snort/snort.u2.1355282592'
    Bus error

    On Dec 11, 2012 8:50 PM, "Kaya Saman" <kayasaman () gmail com> wrote:

        On 12/12/2012 03:37 AM, Jeremy Hoel wrote:

        Yeah you!


        Next time someone in my house makes cookies, everyone's
        invited :-)

        Are you outputting snort in unified2 format and reading that
        with barnyard2?


        Yep:

        output unified2: filename snort.u2, limit 128

        Share your snort.conf output lines.


        Snort.conf is bog standard with:

        The top is customized with details of servers and IP addresses, yada
        yada yada ..... man snort.conf {I'm glossing over it as it is trivial}

        I just changed:

        # Path to your rules files (this can be a relative path)
        # Note for Windows users:  You are advised to make this an absolute path,
        # such as:  c:\snort\rules
        var RULE_PATH rules
        var SO_RULE_PATH so_rules
        var PREPROC_RULE_PATH preproc_rules

        # If you are using reputation preprocessor set these
        # Currently there is a bug with relative paths, they are relative to where snort is
        # not relative to snort.conf like the above variables
        # This is completely inconsistent with how other vars work, BUG 89986
        # Set the absolute path appropriately
        var WHITE_LIST_PATH rules
        var BLACK_LIST_PATH rules


        ###################################################
        # Step #4: Configure dynamic loaded libraries.
        # For more information, see Snort Manual, Configuring Snort - Dynamic Modules
        ###################################################

        # path to dynamic preprocessor libraries
        dynamicpreprocessor directory /usr/local/lib/snort_dynamicpreprocessor/

        # path to base preprocessor engine
        dynamicengine /usr/local/lib/snort_dynamicengine/libsf_engine.so

        # path to dynamic rules libraries
        #dynamicdetection directory /usr/local/lib/snort_dynamicrules



        ###################################################
        # Step #7: Customize your rule set
        # For more information, see Snort Manual, Writing Snort Rules
        #
        # NOTE: All categories are enabled in this conf file
        ###################################################

        # site specific rules
        #include $RULE_PATH/local.rules

        #include $RULE_PATH/attack-responses.rules
        #include $RULE_PATH/backdoor.rules
        #include $RULE_PATH/bad-traffic.rules
        #include $RULE_PATH/blacklist.rules
        #include $RULE_PATH/botnet-cnc.rules
        #include $RULE_PATH/chat.rules
        #include $RULE_PATH/content-replace.rules
        #include $RULE_PATH/ddos.rules
        #include $RULE_PATH/dns.rules
        #include $RULE_PATH/dos.rules
        #include $RULE_PATH/exploit.rules
        #include $RULE_PATH/file-identify.rules
        #include $RULE_PATH/finger.rules
        #include $RULE_PATH/ftp.rules
        #include $RULE_PATH/icmp.rules
        #include $RULE_PATH/icmp-info.rules
        #include $RULE_PATH/imap.rules
        #include $RULE_PATH/info.rules
        #include $RULE_PATH/misc.rules
        #include $RULE_PATH/multimedia.rules
        #include $RULE_PATH/mysql.rules
        #include $RULE_PATH/netbios.rules
        #include $RULE_PATH/nntp.rules
        #include $RULE_PATH/oracle.rules
        #include $RULE_PATH/other-ids.rules
        #include $RULE_PATH/p2p.rules
        #include $RULE_PATH/phishing-spam.rules
        #include $RULE_PATH/policy.rules
        #include $RULE_PATH/pop2.rules
        #include $RULE_PATH/pop3.rules
        #include $RULE_PATH/rpc.rules
        #include $RULE_PATH/rservices.rules
        #include $RULE_PATH/scada.rules
        #include $RULE_PATH/scan.rules
        #include $RULE_PATH/shellcode.rules
        #include $RULE_PATH/smtp.rules
        #include $RULE_PATH/snmp.rules
        #include $RULE_PATH/specific-threats.rules
        #include $RULE_PATH/spyware-put.rules
        #include $RULE_PATH/sql.rules
        #include $RULE_PATH/telnet.rules
        #include $RULE_PATH/tftp.rules
        #include $RULE_PATH/virus.rules
        #include $RULE_PATH/voip.rules
        #include $RULE_PATH/web-activex.rules
        #include $RULE_PATH/web-attacks.rules
        #include $RULE_PATH/web-cgi.rules
        #include $RULE_PATH/web-client.rules
        #include $RULE_PATH/web-coldfusion.rules
        #include $RULE_PATH/web-frontpage.rules
        #include $RULE_PATH/web-iis.rules
        #include $RULE_PATH/web-misc.rules
        #include $RULE_PATH/web-php.rules
        #include $RULE_PATH/x11.rules



        I also wrote a custom script'ish section to produce the file:

        #include $RULE_PATH/rule.set

        Basically:

        # list only the *.rules files; a fixed column cut on "ls -l" output is
        # brittle and turns the leading "total N" line into an empty entry
        ls rules | grep '\.rules$' > rule.list
        sed 's/^/include $RULE_PATH\//' rule.list > rule.set


        This would be fine for adding any *.rules files to rule.list
        which then gets transformed to rule.set; saves having to
        write out each line manually!


        That's about it.......


        # ls -lh /var/log/snort
        total 837292
        -rw-r--r--  1 _snort  _snort     0B Dec  4 01:21 alert
        -rw-------  1 root    _snort   5.1K Dec 12 03:24 snort.u2.1355282592
        -rw-------  1 root    _snort     0B Dec 12 03:26 snort.u2.1355282785
        -rw-------  1 root    _snort  19.8M Dec 12 03:27 snort.u2.1355282811
        -rw-------  1 root    _snort   128M Dec 12 03:32 snort.u2.1355282879
        -rw-------  1 root    _snort   128M Dec 12 03:36 snort.u2.1355283128
        -rw-------  1 root    _snort   128M Dec 12 03:41 snort.u2.1355283410
        -rw-------  1 root    _snort   4.8M Dec 12 03:48 snort.u2.1355283668



        Now all I need to do is get Barnyard2 working and with a bit
        of luck will start being able to see alerts back on Base.

        Phew, that was a trek and a half!

        On Dec 11, 2012 8:29 PM, "Kaya Saman" <kayasaman () gmail com> wrote:

            On 12/11/2012 09:54 PM, Joel Esler wrote:

            Doesn't sound like that was the problem.  Looks like
            you have a larger problem.  Traffic not being received
            or analyzed correctly.  You said that all you were
            getting was icmp alerts, and that doesn't sound right
            (unless that's all you have)

            --
            *Joel Esler*
            Senior Research Engineer, VRT
            OpenSource Community Manager
            Sourcefire


            Finally I got this working!!!! :-)

            Basically all I needed to do was to add the paths for
            these in and take out all the other obsolete rules which
            weren't working:

            include $RULE_PATH/decoder.rules
            include $RULE_PATH/preprocessor.rules
            include $RULE_PATH/sensitive-data.rules

            Now I get alerts even!

            The only issue is that Barnyard2 is now segfaulting when
            reading the Snort log files? :-( I keep getting "bus
            error" - which I've been having too much of lately!


            Thanks for all the help!


            Regards,


            Kaya





_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
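The spool barnyard2 is opening when it dies is a sequence of unified2 records, each an 8-byte big-endian (type, length) header followed by a payload. The reader below is an added example (mine, not code from barnyard2, Snort or any of the posters) that shows the two things a practitioner wants to see here: fields are pulled out with struct on byte slices rather than by overlaying a C struct on the buffer, which is the portable way to read this format on a strict-alignment CPU like the sparc box in the thread (an unaligned overlay is the classic cause of a SIGBUS there), and a truncated trailing record is treated as "not written yet" rather than as an error, which a continuous-mode reader needs because Snort is still appending to the file it has just opened. It assumes the record layout from the unified2 description in the Snort 2.9 manual (type 7 = legacy IPv4 IDS_EVENT with a 52-byte payload, type 2 = PACKET with seven uint32 fields before the packet bytes); check sf_unified2.h for your version. The sample spool, addresses, SID 1000001 and timestamps are constructed for the example.

```python
"""Minimal unified2 spool reader (added example, not barnyard2/Snort code).

Assumed layout (Snort 2.9 manual, verify against sf_unified2.h):
  * record = header (uint32 type, uint32 length, network byte order)
             followed by `length` payload bytes
  * type 7 = IDS_EVENT, legacy IPv4 event, 52-byte payload
  * type 2 = PACKET, seven uint32 fields then the raw packet bytes
struct.unpack copies fields out of a byte slice, so it never performs an
unaligned load; overlaying a C struct on the buffer can SIGBUS on SPARC.
"""
import socket
import struct

HEADER = struct.Struct("!II")            # record type, payload length
UNIFIED2_PACKET = 2
UNIFIED2_IDS_EVENT = 7
# nine uint32, two IPv4 addresses, two uint16, four uint8 = 52 bytes
IDS_EVENT = struct.Struct("!9I4s4sHHBBBB")
# sensor_id, event_id, event_second, packet_second, packet_microsecond,
# linktype, packet_length = 28 bytes, then packet data
PACKET_HDR = struct.Struct("!7I")
PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}


def split_records(data):
    """Return ([(type, payload), ...], bytes_consumed).

    Snort keeps appending while the spool is read, so the last record may
    be incomplete. Stop at the last complete record and report the offset
    so the caller can resume there (the role of barnyard2's waldo file)."""
    records, offset = [], 0
    while offset + HEADER.size <= len(data):
        rtype, length = HEADER.unpack_from(data, offset)
        end = offset + HEADER.size + length
        if end > len(data):
            break                        # truncated tail: leave for next pass
        records.append((rtype, data[offset + HEADER.size:end]))
        offset = end
    return records, offset


def parse_ids_event(payload):
    (sensor_id, event_id, event_second, event_usec, sid, gid, rev, class_id,
     priority, src, dst, sport, dport, proto, impact_flag, impact,
     blocked) = IDS_EVENT.unpack(payload)
    return {"kind": "event", "sensor_id": sensor_id, "event_id": event_id,
            "time": event_second + event_usec / 1e6, "gid": gid, "sid": sid,
            "rev": rev, "priority": priority, "src": socket.inet_ntoa(src),
            "dst": socket.inet_ntoa(dst), "sport": sport, "dport": dport,
            "proto": proto, "blocked": bool(blocked)}


def parse_packet(payload):
    (sensor_id, event_id, event_second, pkt_second, pkt_usec, linktype,
     pkt_len) = PACKET_HDR.unpack_from(payload, 0)
    raw = payload[PACKET_HDR.size:PACKET_HDR.size + pkt_len]
    return {"kind": "packet", "sensor_id": sensor_id, "event_id": event_id,
            "linktype": linktype, "packet_length": pkt_len, "data": raw}


def decode_spool(data):
    """Decode every complete record; unknown types are kept, not dropped."""
    records, consumed = split_records(data)
    out = []
    for rtype, payload in records:
        if rtype == UNIFIED2_IDS_EVENT and len(payload) == IDS_EVENT.size:
            out.append(parse_ids_event(payload))
        elif rtype == UNIFIED2_PACKET and len(payload) >= PACKET_HDR.size:
            out.append(parse_packet(payload))
        else:
            out.append({"kind": "unknown", "type": rtype, "length": len(payload)})
    return out, consumed


def format_alert(ev):
    """One-line summary in the style of Snort's fast alert output."""
    proto = PROTO_NAMES.get(ev["proto"], str(ev["proto"]))
    return "[%d:%d:%d] %s:%d -> %s:%d {%s}" % (
        ev["gid"], ev["sid"], ev["rev"], ev["src"], ev["sport"],
        ev["dst"], ev["dport"], proto)


def build_sample_spool():
    """Constructed test data (not a real capture): one event, its packet,
    and a third record cut off 20 bytes into its payload."""
    ev = IDS_EVENT.pack(1, 42, 1355282592, 0,      # sensor, event id, time
                        1000001, 1, 1, 0, 3,       # sid, gid, rev, class, prio
                        socket.inet_aton("10.0.0.5"),
                        socket.inet_aton("192.0.2.10"),
                        4444, 80, 6, 0, 0, 0)      # ports, TCP, flags
    frame = bytes.fromhex("ffffffffffff0200deadbeef0800") + b"\x45" + b"\x00" * 19
    pkt = PACKET_HDR.pack(1, 42, 1355282592, 1355282592, 0, 1, len(frame)) + frame
    partial = HEADER.pack(UNIFIED2_IDS_EVENT, IDS_EVENT.size) + ev[:20]
    return (HEADER.pack(UNIFIED2_IDS_EVENT, len(ev)) + ev
            + HEADER.pack(UNIFIED2_PACKET, len(pkt)) + pkt + partial)


if __name__ == "__main__":
    spool = build_sample_spool()
    events, consumed = decode_spool(spool)
    for ev in events:
        print(format_alert(ev) if ev["kind"] == "event" else ev["kind"])
    print("consumed %d of %d bytes" % (consumed, len(spool)))
```

To try it on a real spool, read the file into memory and call decode_spool on it; the returned offset is what you would persist between runs. The C equivalent of this code, if you need it, should memcpy each record out of the read buffer into a properly aligned struct before touching its fields.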
