Snort mailing list archives

Re: Lets talk about ....


From: Peter Bates <peter.bates () ucl ac uk>
Date: Sun, 7 Oct 2012 10:23:54 +0100


Hello all

On 07/10/2012 03:42, PR wrote:
> 1. isn't barnyard2 supposed to be able to allow you to view the
> sigs/data, or does it just say ICMP yadda...

If snort is generating unified2 data in snort.log, you can use
u2spewfoo snort.log.x to read the contents.

If your snort.conf is also doing fast alerting then you'll have the
hits in 'alert' as well.

> 2. do I need to do anything with my snort.rules, like cat snort.rules
> local.rules ??

This seems to have been asked about a few times recently.

You need to

include $RULE_PATH/local.rules
include $RULE_PATH/snort.rules

in your snort.conf.

There's an argument for Snort perhaps coming either with a default set
of rules or to have all the include lines except for local.rules
commented out.

> 3. how do I get data from barnyard2 to my db to view in a pretty
> browser GUI like base or snortreport, or jpgraph?

Barnyard2 should be putting the alerts into your DB if correctly
configured, see for example:

mysql snort -u snort -p

select count(*) from event;

If the count is increasing then your alerts are going into the DB.

The last time I set up a box from scratch I found the Debian HOWTO
from snort.org to be the most clear on different steps:
http://www.snort.org/assets/167/IDS_deb_snort_howto.pdf

PulledPork downloads the rules and also reads your snort.conf
for paths where to put things like Shared Object files, etc.

It then either outputs to individual rules which you need to include
individually as 'include' in snort.conf or as a single file.

Snort then runs and writes the unified2 logfiles.

Barnyard2 waits to see u2 files appearing in the place you designate
as input and then does its job as output processor - generally
outputting to DB as the simpler outputs Snort can still do itself.

Rule manager -> IDS -> Output processor -> Alert front-end

Lousy ASCII flowchart, I know.

-- 
Peter Bates
Senior Computer Security Officer    Phone: +44(0)2076792049
Information Services Division       Internal Ext: 32049
University College London
London WC1E 6BT

