Snort mailing list archives
Re: MySQL support for Snort 2.9.4
From: Kaya Saman <kayasaman () gmail com>
Date: Wed, 12 Dec 2012 04:15:39 +0000
On 12/12/2012 04:07 AM, Jeremy Hoel wrote:
And your barnyard2 is looking in the right directory for the snort.u2 file? Can you run by2 and paste the output? And the command line you are calling for by2
This is what I'm running:

# /usr/local/bin/barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort -f snort.u2
Running in Continuous mode

        --== Initializing Barnyard2 ==--
Initializing Input Plugins!
Initializing Output Plugins!
Parsing config file "/etc/snort/barnyard2.conf"
Log directory = /var/log/barnyard2
Node unique name is: localhost:trunk0
database: compiled support for (mysql)
database: configured to use mysql
database: schema version = 107
database: host = <mod>
database: user = <mod>
database: database name = <mod>
database: sensor name = localhost:trunk0
database: sensor id = 9
database: sensor cid = 1
database: data encoding = hex
database: detail level = full
database: ignore_bpf = no
database: using the "alert" facility

        --== Initialization Complete ==--

  ______   -*> Barnyard2 <*-
 / ,,_  \  Version 2.1.9 (Build 263)
 |o"  )~|  By the SecurixLive.com Team: http://www.securixlive.com/about.php
 + '''' +  (C) Copyright 2008-2010 SecurixLive.

           Snort by Martin Roesch & The Snort Team: http://www.snort.org/team.html
           (C) Copyright 1998-2007 Sourcefire Inc., et al.

Using waldo file '/etc/snort/barnyard2.waldo':
    spool directory = /var/log/snort
    spool filebase  = snort.u2
    time_stamp      = 1355280273
    record_idx      = 1
Opened spool file '/var/log/snort/snort.u2.1355282592'
Bus error
On Dec 11, 2012 8:50 PM, "Kaya Saman" <kayasaman () gmail com> wrote:

On 12/12/2012 03:37 AM, Jeremy Hoel wrote:
Yeah you!

Next time someone in my house makes cookies everyone's invited :-)

Are you outputting snort in unified2 format and reading that with barnyard2?

Yep:
output unified2: filename snort.u2, limit 128

Share your snort.conf output lines.

Snort.conf is bog standard with: top customized with details of servers and IP addresses yada yada yada ..... man snort.conf {am glossing as is trivial}

I just changed:

# Path to your rules files (this can be a relative path)
# Note for Windows users: You are advised to make this an absolute path,
# such as: c:\snort\rules
var RULE_PATH rules
var SO_RULE_PATH so_rules
var PREPROC_RULE_PATH preproc_rules

# If you are using reputation preprocessor set these
# Currently there is a bug with relative paths, they are relative to where snort is
# not relative to snort.conf like the above variables
# This is completely inconsistent with how other vars work, BUG 89986
# Set the absolute path appropriately
var WHITE_LIST_PATH rules
var BLACK_LIST_PATH rules

###################################################
# Step #4: Configure dynamic loaded libraries.
# For more information, see Snort Manual, Configuring Snort - Dynamic Modules
###################################################

# path to dynamic preprocessor libraries
dynamicpreprocessor directory /usr/local/lib/snort_dynamicpreprocessor/

# path to base preprocessor engine
dynamicengine /usr/local/lib/snort_dynamicengine/libsf_engine.so

# path to dynamic rules libraries
#dynamicdetection directory /usr/local/lib/snort_dynamicrules

###################################################
# Step #7: Customize your rule set
# For more information, see Snort Manual, Writing Snort Rules
#
# NOTE: All categories are enabled in this conf file
###################################################

# site specific rules
#include $RULE_PATH/local.rules

#include $RULE_PATH/attack-responses.rules
#include $RULE_PATH/backdoor.rules
#include $RULE_PATH/bad-traffic.rules
#include $RULE_PATH/blacklist.rules
#include $RULE_PATH/botnet-cnc.rules
#include $RULE_PATH/chat.rules
#include $RULE_PATH/content-replace.rules
#include $RULE_PATH/ddos.rules
#include $RULE_PATH/dns.rules
#include $RULE_PATH/dos.rules
#include $RULE_PATH/exploit.rules
#include $RULE_PATH/file-identify.rules
#include $RULE_PATH/finger.rules
#include $RULE_PATH/ftp.rules
#include $RULE_PATH/icmp.rules
#include $RULE_PATH/icmp-info.rules
#include $RULE_PATH/imap.rules
#include $RULE_PATH/info.rules
#include $RULE_PATH/misc.rules
#include $RULE_PATH/multimedia.rules
#include $RULE_PATH/mysql.rules
#include $RULE_PATH/netbios.rules
#include $RULE_PATH/nntp.rules
#include $RULE_PATH/oracle.rules
#include $RULE_PATH/other-ids.rules
#include $RULE_PATH/p2p.rules
#include $RULE_PATH/phishing-spam.rules
#include $RULE_PATH/policy.rules
#include $RULE_PATH/pop2.rules
#include $RULE_PATH/pop3.rules
#include $RULE_PATH/rpc.rules
#include $RULE_PATH/rservices.rules
#include $RULE_PATH/scada.rules
#include $RULE_PATH/scan.rules
#include $RULE_PATH/shellcode.rules
#include $RULE_PATH/smtp.rules
#include $RULE_PATH/snmp.rules
#include $RULE_PATH/specific-threats.rules
#include $RULE_PATH/spyware-put.rules
#include $RULE_PATH/sql.rules
#include $RULE_PATH/telnet.rules
#include $RULE_PATH/tftp.rules
#include $RULE_PATH/virus.rules
#include $RULE_PATH/voip.rules
#include $RULE_PATH/web-activex.rules
#include $RULE_PATH/web-attacks.rules
#include $RULE_PATH/web-cgi.rules
#include $RULE_PATH/web-client.rules
#include $RULE_PATH/web-coldfusion.rules
#include $RULE_PATH/web-frontpage.rules
#include $RULE_PATH/web-iis.rules
#include $RULE_PATH/web-misc.rules
#include $RULE_PATH/web-php.rules
#include $RULE_PATH/x11.rules

I also wrote a custom script'ish section to produce the file:

#include $RULE_PATH/rule.set

Basically:

ls -l rules | cut -c 50-100 > rule.list
sed 's/^/include $RULE_PATH\//' rule.list > rule.set

This would be fine for adding any *.rules files to rule.list which then gets transformed to rule.set; saves having to write out each line manually!

That's about it.......

# ls -lh /var/log/snort
total 837292
-rw-r--r--  1 _snort  _snort     0B Dec  4 01:21 alert
-rw-------  1 root    _snort   5.1K Dec 12 03:24 snort.u2.1355282592
-rw-------  1 root    _snort     0B Dec 12 03:26 snort.u2.1355282785
-rw-------  1 root    _snort  19.8M Dec 12 03:27 snort.u2.1355282811
-rw-------  1 root    _snort   128M Dec 12 03:32 snort.u2.1355282879
-rw-------  1 root    _snort   128M Dec 12 03:36 snort.u2.1355283128
-rw-------  1 root    _snort   128M Dec 12 03:41 snort.u2.1355283410
-rw-------  1 root    _snort   4.8M Dec 12 03:48 snort.u2.1355283668

Now all I need to do is get Barnyard2 working and with a bit of luck will start being able to see alerts back on Base.

Phew, that was a trek and a half!

On Dec 11, 2012 8:29 PM, "Kaya Saman" <kayasaman () gmail com> wrote:

On 12/11/2012 09:54 PM, Joel Esler wrote:
Doesn't sound like that was the problem. Looks like you have a larger problem. Traffic not being received or analyzed correctly.

You said that all you were getting was icmp alerts, and that doesn't sound right (unless that's all you have)

--
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire

Finally I got this working!!!! :-)

Basically all I needed to do was to add the paths for these in and take out all the other obsolete rules which weren't working:

include $RULE_PATH/decoder.rules
include $RULE_PATH/preprocessor.rules
include $RULE_PATH/sensitive-data.rules

Now I get alerts even!

The only issue is that Barnyard2 is now segfaulting when reading the Snort log files? :-(

I keep getting "bus error" - which I've been having too much of lately!

Thanks for all the help!

Regards,

Kaya

------------------------------------------------------------------------------
LogMeIn Rescue: Anywhere, Anytime Remote support for IT. Free Trial
Remotely access PCs and mobile devices and provide instant support
Improve your efficiency, and focus on delivering more value-add services
Discover what IT Professionals Know. Rescue delivers
http://p.sf.net/sfu/logmein_12329d2d
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
Please visit http://blog.snort.org to stay current on all the latest Snort news!
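The rule.set generator in the thread slices `ls -l` output at fixed columns (`cut -c 50-100`), which silently produces wrong names as soon as owner, size or date widths change, and the fix Kaya eventually applied was removing includes for rule files that no longer existed. The following POSIX sh script is an added example, not code from this thread or from the Snort or Barnyard2 projects: it builds the include file from the actual `*.rules` filenames in the rules directory, and adds a check that reports active include lines whose rule file is missing before the configuration is handed to Snort. It assumes the layout shown above (`var RULE_PATH rules` in snort.conf, with `include $RULE_PATH/rule.set` pulling in the generated file); the function names `make_rule_set` and `check_rule_set` and the sample directory in the usage comment are the example's own.

```shell
#!/bin/sh
# Added example for the rule.set discussion above; not code from the thread or
# from Snort. Assumes snort.conf sets "var RULE_PATH rules" and includes the
# generated file with "include $RULE_PATH/rule.set". Function names are the
# example's own (assumption).

# make_rule_set RULES_DIR OUT_FILE
# Writes one "include $RULE_PATH/<name>" line per *.rules file found in
# RULES_DIR, taking the names from the directory itself rather than from
# fixed column offsets of ls output. Prints the number of include lines written.
make_rule_set() {
    rules_dir=$1
    out=$2
    : > "$out"
    count=0
    for f in "$rules_dir"/*.rules; do
        [ -f "$f" ] || continue          # no match: the glob comes back literally
        name=${f##*/}                    # basename without forking
        printf 'include $RULE_PATH/%s\n' "$name" >> "$out"
        count=$((count + 1))
    done
    echo "$count"
}

# check_rule_set RULES_DIR SET_FILE
# Reports every active "include" line whose rule file does not exist in
# RULES_DIR (the obsolete-include situation from the thread). Commented-out
# "#include" lines are ignored. Prints the number of missing files, and lists
# each missing name on stderr.
check_rule_set() {
    rules_dir=$1
    set_file=$2
    missing=0
    while IFS= read -r line; do
        case $line in
            "include "*) ;;
            *) continue ;;
        esac
        name=${line##*/}                 # strip "include $RULE_PATH/"
        if [ ! -f "$rules_dir/$name" ]; then
            echo "missing rule file: $name" >&2
            missing=$((missing + 1))
        fi
    done < "$set_file"
    echo "$missing"
}

# Usage (constructed sample layout, run from a scratch directory):
#   mkdir rules && touch rules/local.rules rules/decoder.rules
#   make_rule_set rules rules/rule.set      # prints 2
#   check_rule_set rules rules/rule.set     # prints 0 when every include resolves
```

Running `check_rule_set` against the hand-maintained list in snort.conf (after extracting its `include` lines) is the cheap way to catch the "obsolete rules" problem from the thread before starting Snort, and `make_rule_set` keeps rule.set in step with whatever rule files are actually present.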
Current thread:
- Re: MySQL support for Snort 2.9.4, (continued)
- Re: MySQL support for Snort 2.9.4 waldo kitty (Dec 12)
- Re: MySQL support for Snort 2.9.4 Russ Combs (Dec 12)
- Re: MySQL support for Snort 2.9.4 waldo kitty (Dec 12)
- Re: MySQL support for Snort 2.9.4 Kaya Saman (Dec 12)
- Re: MySQL support for Snort 2.9.4 Kaya Saman (Dec 11)
- Re: MySQL support for Snort 2.9.4 Kaya Saman (Dec 11)
- Re: MySQL support for Snort 2.9.4 Jeremy Hoel (Dec 11)
- Re: MySQL support for Snort 2.9.4 Kaya Saman (Dec 11)
- Re: MySQL support for Snort 2.9.4 Joel Esler (Dec 11)
- Re: MySQL support for Snort 2.9.4 Jeremy Hoel (Dec 11)
- Re: MySQL support for Snort 2.9.4 Kaya Saman (Dec 11)
- Re: MySQL support for Snort 2.9.4 Jeremy Hoel (Dec 11)
- Re: MySQL support for Snort 2.9.4 Kaya Saman (Dec 11)
- Re: MySQL support for Snort 2.9.4 Jeremy Hoel (Dec 11)
- Re: MySQL support for Snort 2.9.4 waldo kitty (Dec 12)
- Re: MySQL support for Snort 2.9.4 Kaya Saman (Dec 12)
- Re: MySQL support for Snort 2.9.4 waldo kitty (Dec 12)
- Re: MySQL support for Snort 2.9.4 waldo kitty (Dec 12)
- Re: MySQL support for Snort 2.9.4 waldo kitty (Dec 12)
- Re: MySQL support for Snort 2.9.4 Joel Esler (Dec 11)
- Re: MySQL support for Snort 2.9.4 Joel Esler (Dec 11)