Snort mailing list archives

Re: MySQL support for Snort 2.9.4


From: Kaya Saman <kayasaman () gmail com>
Date: Wed, 12 Dec 2012 04:15:39 +0000

On 12/12/2012 04:07 AM, Jeremy Hoel wrote:

And your barnyard2 is looking in the right directory for the snort.u2 file? Can you run by2 and paste the output? And the command line you are calling for by2


This is what I'm running:

# /usr/local/bin/barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort -f snort.u2
Running in Continuous mode

        --== Initializing Barnyard2 ==--
Initializing Input Plugins!
Initializing Output Plugins!
Parsing config file "/etc/snort/barnyard2.conf"
Log directory = /var/log/barnyard2
Node unique name is: localhost:trunk0

database: compiled support for (mysql)
database: configured to use mysql
database: schema version = 107
database:           host = <mod>
database:           user = <mod>
database:  database name = <mod>
database:    sensor name = localhost:trunk0
database:      sensor id = 9
database:     sensor cid = 1
database:  data encoding = hex
database:   detail level = full
database:     ignore_bpf = no
database: using the "alert" facility

        --== Initialization Complete ==--

  ______   -*> Barnyard2 <*-
 / ,,_  \  Version 2.1.9 (Build 263)
 |o"  )~|  By the SecurixLive.com Team: http://www.securixlive.com/about.php
 + '''' +  (C) Copyright 2008-2010 SecurixLive.

Snort by Martin Roesch & The Snort Team: http://www.snort.org/team.html
           (C) Copyright 1998-2007 Sourcefire Inc., et al.

Using waldo file '/etc/snort/barnyard2.waldo':
    spool directory = /var/log/snort
    spool filebase  = snort.u2
    time_stamp      = 1355280273
    record_idx      = 1
Opened spool file '/var/log/snort/snort.u2.1355282592'
Bus error

On Dec 11, 2012 8:50 PM, "Kaya Saman" <kayasaman () gmail com> wrote:

    On 12/12/2012 03:37 AM, Jeremy Hoel wrote:

    Yeah you!


    Next time someone in my house makes cookies everyone's invited :-)

    Are you outputting snort in unified2 format and reading that with
    barnyard2?


    Yep:

    output unified2: filename snort.u2, limit 128

    Share your snort.conf output lines.


    snort.conf is bog standard, with the top customized with details of
    servers and IP addresses, yada yada yada ..... see man snort.conf (I'm
    glossing over it as it's trivial).

    I just changed:

    # Path to your rules files (this can be a relative path)
    # Note for Windows users:  You are advised to make this an absolute path,
    # such as:  c:\snort\rules
    var RULE_PATH rules
    var SO_RULE_PATH so_rules
    var PREPROC_RULE_PATH preproc_rules

    # If you are using reputation preprocessor set these
    # Currently there is a bug with relative paths, they are relative to where snort is
    # not relative to snort.conf like the above variables
    # This is completely inconsistent with how other vars work, BUG 89986
    # Set the absolute path appropriately
    var WHITE_LIST_PATH rules
    var BLACK_LIST_PATH rules


    ###################################################
    # Step #4: Configure dynamic loaded libraries.
    # For more information, see Snort Manual, Configuring Snort - Dynamic Modules
    ###################################################

    # path to dynamic preprocessor libraries
    dynamicpreprocessor directory /usr/local/lib/snort_dynamicpreprocessor/

    # path to base preprocessor engine
    dynamicengine /usr/local/lib/snort_dynamicengine/libsf_engine.so

    # path to dynamic rules libraries
    #dynamicdetection directory /usr/local/lib/snort_dynamicrules



    ###################################################
    # Step #7: Customize your rule set
    # For more information, see Snort Manual, Writing Snort Rules
    #
    # NOTE: All categories are enabled in this conf file
    ###################################################

    # site specific rules
    #include $RULE_PATH/local.rules

    #include $RULE_PATH/attack-responses.rules
    #include $RULE_PATH/backdoor.rules
    #include $RULE_PATH/bad-traffic.rules
    #include $RULE_PATH/blacklist.rules
    #include $RULE_PATH/botnet-cnc.rules
    #include $RULE_PATH/chat.rules
    #include $RULE_PATH/content-replace.rules
    #include $RULE_PATH/ddos.rules
    #include $RULE_PATH/dns.rules
    #include $RULE_PATH/dos.rules
    #include $RULE_PATH/exploit.rules
    #include $RULE_PATH/file-identify.rules
    #include $RULE_PATH/finger.rules
    #include $RULE_PATH/ftp.rules
    #include $RULE_PATH/icmp.rules
    #include $RULE_PATH/icmp-info.rules
    #include $RULE_PATH/imap.rules
    #include $RULE_PATH/info.rules
    #include $RULE_PATH/misc.rules
    #include $RULE_PATH/multimedia.rules
    #include $RULE_PATH/mysql.rules
    #include $RULE_PATH/netbios.rules
    #include $RULE_PATH/nntp.rules
    #include $RULE_PATH/oracle.rules
    #include $RULE_PATH/other-ids.rules
    #include $RULE_PATH/p2p.rules
    #include $RULE_PATH/phishing-spam.rules
    #include $RULE_PATH/policy.rules
    #include $RULE_PATH/pop2.rules
    #include $RULE_PATH/pop3.rules
    #include $RULE_PATH/rpc.rules
    #include $RULE_PATH/rservices.rules
    #include $RULE_PATH/scada.rules
    #include $RULE_PATH/scan.rules
    #include $RULE_PATH/shellcode.rules
    #include $RULE_PATH/smtp.rules
    #include $RULE_PATH/snmp.rules
    #include $RULE_PATH/specific-threats.rules
    #include $RULE_PATH/spyware-put.rules
    #include $RULE_PATH/sql.rules
    #include $RULE_PATH/telnet.rules
    #include $RULE_PATH/tftp.rules
    #include $RULE_PATH/virus.rules
    #include $RULE_PATH/voip.rules
    #include $RULE_PATH/web-activex.rules
    #include $RULE_PATH/web-attacks.rules
    #include $RULE_PATH/web-cgi.rules
    #include $RULE_PATH/web-client.rules
    #include $RULE_PATH/web-coldfusion.rules
    #include $RULE_PATH/web-frontpage.rules
    #include $RULE_PATH/web-iis.rules
    #include $RULE_PATH/web-misc.rules
    #include $RULE_PATH/web-php.rules
    #include $RULE_PATH/x11.rules



    I also wrote a custom script-ish section to produce the file:

    #include $RULE_PATH/rule.set

    Basically:

    # list only the *.rules basenames in rules/ (ls -l plus a fixed column
    # cut breaks as soon as the owner, group or size column changes width)
    ls rules | grep '\.rules$' > rule.list
    # prefix each name with an include directive
    sed 's/^/include $RULE_PATH\//' rule.list > rule.set


    This would be fine for adding any *.rules files to rule.list, which
    then gets transformed to rule.set; it saves having to write out each
    line manually!


    That's about it.......


    # ls -lh /var/log/snort
    total 837292
    -rw-r--r--  1 _snort  _snort     0B Dec  4 01:21 alert
    -rw-------  1 root    _snort   5.1K Dec 12 03:24 snort.u2.1355282592
    -rw-------  1 root    _snort     0B Dec 12 03:26 snort.u2.1355282785
    -rw-------  1 root    _snort  19.8M Dec 12 03:27 snort.u2.1355282811
    -rw-------  1 root    _snort   128M Dec 12 03:32 snort.u2.1355282879
    -rw-------  1 root    _snort   128M Dec 12 03:36 snort.u2.1355283128
    -rw-------  1 root    _snort   128M Dec 12 03:41 snort.u2.1355283410
    -rw-------  1 root    _snort   4.8M Dec 12 03:48 snort.u2.1355283668



    Now all I need to do is get Barnyard2 working and, with a bit of
    luck, I will start being able to see alerts back in BASE.

    Phew, that was a trek and a half!

    On Dec 11, 2012 8:29 PM, "Kaya Saman" <kayasaman () gmail com> wrote:

        On 12/11/2012 09:54 PM, Joel Esler wrote:

        Doesn't sound like that was the problem.  Looks like you
        have a larger problem.  Traffic not being received or
        analyzed correctly.  You said that all you were getting was
        icmp alerts, and that doesn't sound right (unless that's all
        you have)

        --
        *Joel Esler*
        Senior Research Engineer, VRT
        OpenSource Community Manager
        Sourcefire


        Finally I got this working!!!! :-)

        Basically all I needed to do was to add the paths for these
        in and take out all the other obsolete rules which weren't
        working:

        include $RULE_PATH/decoder.rules
        include $RULE_PATH/preprocessor.rules
        include $RULE_PATH/sensitive-data.rules

        Now I get alerts even!

        The only issue is that Barnyard2 is now segfaulting when
        reading the Snort log files? :-( I keep getting "bus error" -
        which I've been having too much of lately!


        Thanks for all the help!


        Regards,


        Kaya




------------------------------------------------------------------------------
LogMeIn Rescue: Anywhere, Anytime Remote support for IT. Free Trial
Remotely access PCs and mobile devices and provide instant support
Improve your efficiency, and focus on delivering more value-add services
Discover what IT Professionals Know. Rescue delivers
http://p.sf.net/sfu/logmein_12329d2d
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
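The thread ends with barnyard2 dying with "Bus error" right after opening a spool file, and nothing on the page shows what is inside that file. The script below is an added example, not code from the thread, from Snort or from barnyard2: it walks a unified2 spool file record by record, checking every record header against the bytes that remain before decoding it, and decodes the IPv4 event (type 7) and packet (type 2) records. The record-type numbers and the 8-byte record header / 52-byte event / 28-byte packet-header layouts are the unified2 format as the author of this example knows it, all in network byte order; the event and packet builders and the sample spool bytes they produce are constructed here so the script runs offline. A spool file that Snort is still writing, or that was cut off, shows up as a truncated final record rather than a crash; a 0-byte spool file (like snort.u2.1355282785 in the listing above) parses as zero records.

```python
"""Sanity-check a Snort unified2 spool file: report every record, or the first
record whose header does not fit the bytes that follow it.

Usage: python u2check.py /var/log/snort/snort.u2.1355282592
Without an argument it checks a constructed sample that ends mid-record."""
import struct
import sys
from collections import Counter

# Record type identifiers from the unified2 format (assumed here; see lead-in).
UNIFIED2_PACKET = 2
UNIFIED2_IDS_EVENT = 7
UNIFIED2_IDS_EVENT_IPV6 = 72
UNIFIED2_IDS_EVENT_VLAN = 104
UNIFIED2_IDS_EVENT_IPV6_VLAN = 105
UNIFIED2_EXTRA_DATA = 110

# Every field is big-endian ("!" in struct terms).
RECORD_HDR = struct.Struct("!II")                  # record type, record length
IDS_EVENT = struct.Struct("!IIIIIIIII4s4sHHBBBB")  # legacy IPv4 event, 52 bytes
PACKET_HDR = struct.Struct("!IIIIIII")             # packet record header, 28 bytes


def _ipv4(raw):
    # The file stores the address as the four octets in packet order.
    return ".".join(str(b) for b in raw)


def parse_ids_event(body):
    """Decode a type-7 event body into a dict; reject bodies that are too short."""
    if len(body) < IDS_EVENT.size:
        raise ValueError(f"IDS event body is {len(body)} bytes, need {IDS_EVENT.size}")
    f = IDS_EVENT.unpack_from(body)
    return {
        "sensor_id": f[0], "event_id": f[1], "event_second": f[2],
        "event_microsecond": f[3], "signature_id": f[4], "generator_id": f[5],
        "signature_revision": f[6], "classification_id": f[7], "priority_id": f[8],
        "src": _ipv4(f[9]), "dst": _ipv4(f[10]),
        "sport_itype": f[11], "dport_icode": f[12], "protocol": f[13],
        "impact_flag": f[14], "impact": f[15], "blocked": f[16],
    }


def parse_packet(body):
    """Decode a type-2 packet record; packet bytes follow the 28-byte header."""
    if len(body) < PACKET_HDR.size:
        raise ValueError(f"packet body is {len(body)} bytes, need {PACKET_HDR.size}")
    f = PACKET_HDR.unpack_from(body)
    pkt_len = f[6]
    if pkt_len > len(body) - PACKET_HDR.size:
        raise ValueError(f"packet_length {pkt_len} exceeds record body of {len(body)} bytes")
    return {"sensor_id": f[0], "event_id": f[1], "event_second": f[2],
            "packet_second": f[3], "packet_microsecond": f[4], "linktype": f[5],
            "packet_length": pkt_len,
            "packet": body[PACKET_HDR.size:PACKET_HDR.size + pkt_len]}


def walk_records(data):
    """Yield (offset, type, body) per record; raise ValueError at the first bad header."""
    off, n = 0, len(data)
    while off < n:
        if n - off < RECORD_HDR.size:
            raise ValueError(f"offset {off}: only {n - off} bytes left, too short for a record header")
        rtype, rlen = RECORD_HDR.unpack_from(data, off)
        body_start = off + RECORD_HDR.size
        if rlen > n - body_start:
            raise ValueError(f"offset {off}: type {rtype} record claims {rlen} bytes but {n - body_start} remain")
        yield off, rtype, data[body_start:body_start + rlen]
        off = body_start + rlen


def check_spool(data):
    """Summarize a spool file's records, stopping at the first malformed one."""
    summary = {"records": 0, "by_type": Counter(), "events": [], "error": None}
    try:
        for off, rtype, body in walk_records(data):
            summary["records"] += 1
            summary["by_type"][rtype] += 1
            if rtype == UNIFIED2_IDS_EVENT:
                summary["events"].append(parse_ids_event(body))
            elif rtype == UNIFIED2_PACKET:
                parse_packet(body)  # validates packet_length against the body
    except ValueError as exc:
        summary["error"] = str(exc)
    return summary


# --- constructed sample data (not captured from a real sensor) -------------
def build_ids_event(sid, src, dst, sport, dport, proto, event_id=1, sensor_id=9, second=1355282592):
    body = IDS_EVENT.pack(sensor_id, event_id, second, 0, sid, 1, 1, 0, 1,
                          bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))),
                          sport, dport, proto, 0, 0, 0)
    return RECORD_HDR.pack(UNIFIED2_IDS_EVENT, len(body)) + body


def build_packet(event_id, pkt, sensor_id=9, second=1355282592):
    body = PACKET_HDR.pack(sensor_id, event_id, second, second, 0, 1, len(pkt)) + pkt
    return RECORD_HDR.pack(UNIFIED2_PACKET, len(body)) + body


GOOD_SPOOL = (build_ids_event(2100384, "192.0.2.10", "198.51.100.7", 40000, 80, 6)
              + build_packet(1, b"\x45\x00" + b"\x00" * 38))
TRUNCATED_SPOOL = GOOD_SPOOL + GOOD_SPOOL[:30]  # writer stopped 22 bytes into an event

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else TRUNCATED_SPOOL
    s = check_spool(data)
    print(f"{s['records']} records, by type {dict(s['by_type'])}")
    for e in s["events"]:
        print(f"  gid {e['generator_id']} sid {e['signature_id']} "
              f"{e['src']}:{e['sport_itype']} -> {e['dst']}:{e['dport_icode']} proto {e['protocol']}")
    if s["error"]:
        print("PROBLEM:", s["error"])
```

Run it against the exact file named in the "Opened spool file" line (as root, since the listing shows the spool files are mode 0600 and owned by root). A clean walk through every record says the file itself is well-formed, which points the investigation at the reader rather than at Snort's output; a truncation or length error reported at a specific offset is something you can cut out with `dd` and reproduce on.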
