Snort mailing list archives
Re: Lets talk about ....
From: AllowOverride <allowoverride () gmail com>
Date: Sun, 07 Oct 2012 14:15:36 -0700
Rule manager -> IDS -> Output processor -> Alert front-end
pp.pl > snort > barnyard2 > base-1.4.5 / snortreport 1.3.3 / jpgraph-1.27.1

1. What am I missing to get unified2 or alerts into the mysql db? Here is what I have so far...

configured barnyard2.conf, currently:

    # this is not hard, only unified2 is supported ;)
    input unified2
    #output alert_fast: stdout
    output alert_fast

Both snort and barnyard2 are run from the command line for testing, no script involved.

configured snort:

    /usr/local/bin/snort -A fast -q -u snort -g snort -c /etc/snort/etc/snort.conf -i eth0 &

configured barnyard2:

    /usr/local/bin/barnyard2 -c /etc/snort/etc/barnyard2.conf -d /var/log/snort -f snort.log -w /var/log/snort/barnyard2.waldo -D &

output database:

    output database: log, mysql user=snort password=sorry-hidden dbname=snort host=localhost

No errors for snort/barnyard2...

* stop ufw operations:

    # ufw disable
    Firewall stopped and disabled on system startup
    # service ufw stop
    ufw stop/waiting

* ping remote snort/barnyard2 server from remote host:

    vulcan:~$ ping 192.168.1.14
    PING 192.168.1.14 (192.168.1.14) 56(84) bytes of data.
    64 bytes from 192.168.1.14: icmp_seq=1 ttl=64 time=0.403 ms
    64 bytes from 192.168.1.14: icmp_seq=2 ttl=64 time=0.129 ms
    64 bytes from 192.168.1.14: icmp_seq=3 ttl=64 time=0.133 ms

* /var/log/snort/snort.log = increased in size
  /var/log/snort/alert = increased in size

    -rw------- 1 snort snort   19632 Oct  7 13:15 snort.log.1349640603
    -rw-r--r-- 1 root  root  1451982 Oct  7 13:15 alert
    -rw------- 1 snort snort   21228 Oct  7 13:16 snort.log.1349640603
    -rw-r--r-- 1 root  root  1453494 Oct  7 13:16 alert

* mysql not logging anything as snort user for snort db:

    mysql> select count(*) from event;
    +----------+
    | count(*) |
    +----------+
    |        0 |
    +----------+

* no change in file size:

    ls -altr /var/lib/mysql/snort*
    total 280
    -rw-rw---- 1 mysql mysql    65 Oct 4 10:32 db.opt
    -rw-rw---- 1 mysql mysql  8592 Oct 4 10:32 schema.frm
    -rw-rw---- 1 mysql mysql  8666 Oct 4 10:32 event.frm
    -rw-rw---- 1 mysql mysql  8802 Oct 4 10:32 signature.frm
    -rw-rw---- 1 mysql mysql  8634 Oct 4 10:32 sig_reference.frm
    -rw-rw---- 1 mysql mysql  8648 Oct 4 10:32 reference.frm
    -rw-rw---- 1 mysql mysql  8630 Oct 4 10:32 reference_system.frm
    -rw-rw---- 1 mysql mysql  8626 Oct 4 10:32 sig_class.frm
    -rw-rw---- 1 mysql mysql  8780 Oct 4 10:32 sensor.frm
    -rw-rw---- 1 mysql mysql  9004 Oct 4 10:32 iphdr.frm
    -rw-rw---- 1 mysql mysql  8960 Oct 4 10:32 tcphdr.frm
    -rw-rw---- 1 mysql mysql  8740 Oct 4 10:32 udphdr.frm
    -rw-rw---- 1 mysql mysql  8780 Oct 4 10:32 icmphdr.frm
    -rw-rw---- 1 mysql mysql  8770 Oct 4 10:32 opt.frm
    -rw-rw---- 1 mysql mysql  8632 Oct 4 10:32 data.frm
    -rw-rw---- 1 mysql mysql  8626 Oct 4 10:32 encoding.frm
    -rw-rw---- 1 mysql mysql  8618 Oct 4 10:32 detail.frm
    -rw-rw---- 1 mysql mysql  8710 Oct 6 19:33 acid_ag.frm
    -rw-rw---- 1 mysql mysql  8630 Oct 6 19:33 acid_ag_alert.frm
    -rw-rw---- 1 mysql mysql  8758 Oct 6 19:33 acid_ip_cache.frm
    -rw-rw---- 1 mysql mysql 13090 Oct 6 19:33 acid_event.frm
    -rw-rw---- 1 mysql mysql  8646 Oct 6 19:33 base_roles.frm
    -rw-rw---- 1 mysql mysql  8758 Oct 6 19:33 base_users.frm
    drwx------ 2 mysql mysql  4096 Oct 6 19:33 .
    drwx------ 5 mysql mysql  4096 Oct 7 12:46 ..

Perms good above? Should be mysql:mysql or... snort:snort?

2. Can both alert and snort.log work from schema/create_mysql? Which one, snort.log only?

3. How can I have http://192.168.1.14/base-1.4.5/base_main.php log unified2 output from /var/log/snort/alert or snort.log?

4. I followed the deb snort pdf howto, 2011; looking at the 2012 version, looks the same. I'll recheck against my script.

5. Old Dan Farmer SATAN alert reader:

    # ./snort_stats.pl alert
    The log begins from: 10 06 19:23:17
    The log ends at:     10 07 13:24:57
    Total events: 13476
    Signatures recorded: 6
    Source IP recorded: 2
    Destination IP recorded: 2

    The number of attacks from same host to same destination using same method
    =========================================================================
    # of attacks  from           to             method
    =========================================================================
    11898         192.168.1.35   192.168.1.14   ICMP test [Priority: 0] {ICMP}
    809           192.168.1.14   192.168.1.35   ICMP test [Priority: 0] {ICMP}
    640           192.168.1.35   192.168.1.14   (spp_ssh) Protocol mismatch {TCP}
    64            192.168.1.35   192.168.1.14   Reset outside window {TCP}
    43            192.168.1.14   192.168.1.35   (http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE {TCP}
    16            192.168.1.14   192.168.1.35   Consecutive TCP small segments exceeding threshold {TCP}
    5             192.168.1.35   192.168.1.14   Consecutive TCP small segments exceeding threshold {TCP}
    1             192.168.1.14   192.168.1.35   (spp_sdf) SDF Combination Alert {PROTO:254}
    ...trunc'd

I have a reader ;) Thanks!
--- Begin Message --- From: Peter Bates <peter.bates () ucl ac uk>
Date: Sun, 7 Oct 2012 10:23:54 +0100
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hello all

On 07/10/2012 03:42, PR wrote:
> 1. isn't barnyard2 supposed to be able to allow you to view the sigs/data or just does it say ICMP yadda...

If snort is generating unified2 data in snort.log, you can use u2spewfoo snort.log.x to read the contents. If your snort.conf is also doing fast alerting then you'll have the hits in 'alert' as well.

> 2. do I need to do anything with my snort.rules, like cat snort.ruleslocal.rules ??

This seems to have been asked about a few times recently. You need to

    include $RULE_PATH/local.rules
    include $RULE_PATH/snort.rules

in your snort.conf. There's an argument for Snort perhaps coming either with a default set of rules or to have all the include lines except for local.rules commented out.

> 3. how do I get data from barnyard2 to my db to view in a pretty browser GUI like base or snortreport, or jpgraph?

Barnyard2 should be putting the alerts into your DB if correctly configured, see for example:

    mysql snort -u snort -p
    select count(*) from event;

If the count is increasing then your alerts are going into the DB.

The last time I set up a box from scratch I found the Debian HOWTO from snort.org to be the most clear on the different steps:

http://www.snort.org/assets/167/IDS_deb_snort_howto.pdf

PulledPork downloads the rules and also reads your snort.conf for paths where to put things like Shared Object files, etc. It then either outputs to individual rules which you need to include individually as 'include' in snort.conf, or as a single file. Snort then runs and writes the unified2 logfiles. Barnyard2 waits to see u2 files appearing in the place you designate as input and then does its job as output processor, generally outputting to a DB, as the simpler outputs Snort can still do itself.

Rule manager -> IDS -> Output processor -> Alert front-end

Lousy ASCII flowchart, I know.
- --
Peter Bates
Senior Computer Security Officer        Phone: +44(0)2076792049
Information Services Division           Internal Ext: 32049
University College London
London WC1E 6BT
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (Darwin)
Comment: Using GnuPG with Mozilla - http://www.enigmail.net/

iQEcBAEBAgAGBQJQcUoqAAoJELhVoVpEMS6RyfsIAKSZBqva4mvMGxaX6E8s7qDK
EmeDGyGISlZtn4k16FLJERKIzyEbi+PdaRUPUxmpAHgMGUoVHNOu43UihZSuKD6J
uO/kzYLR6mIDBsAG78IzaQ3R7RxUqje8oVOGKz+5kQd6htZkTykM7U125//em4fD
Y6DZ+FxD7btmKsTAM+kKBAw/1XY/JUs7gbkts4in/F7jVfzuFTu4vBB5XMXXqpC5
18E0wzQovJ8h9bspVAYh2fz8emxTNQ7hM/MhhzozPCQ1DPhnuj2QKs5m6s6nR1cW
dIE1wVOh+i3y0h0LjzCZler/2cCv3nofKQmpoqob3QtMWDap6YlyrYrCdgPD9GA=
=+ejZ
-----END PGP SIGNATURE-----

------------------------------------------------------------------------------
Don't let slow site performance ruin your business. Deploy New Relic APM
Deploy New Relic app performance management and know exactly
what is happening inside your Ruby, Python, PHP, Java, and .NET app
Try New Relic at no cost today and get our sweet Data Nerd shirt too!
http://p.sf.net/sfu/newrelic-dev2dev
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
--- End Message ---
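The reply above points at u2spewfoo for reading Snort's unified2 files and at `select count(*) from event` for confirming that barnyard2 is reaching the database. Reading the unified2 records directly is the quickest way to tell which half of that pipeline is failing: if snort.log.<epoch> holds IDS_EVENT records but the event table stays at 0, the fault is on the barnyard2/database side, not in Snort. The reader below is an added example for this thread, not code from Snort, barnyard2 or any of the posters; it follows the record layouts in Snort's Unified2_common.h (IDS_EVENT type 7 with the 52-byte legacy IPv4 body, PACKET type 2). The sample bytes are constructed inline, and the sid/gid values in them are assumed for illustration.

```python
"""Minimal reader for Snort unified2 files (snort.log.<epoch>), the format
barnyard2 consumes and u2spewfoo prints.  Added example for this thread, not
code from Snort, barnyard2 or the posters; record layouts follow Snort's
Unified2_common.h."""
import ipaddress
import struct
from collections import Counter

# Record types (Unified2_common.h).  Only the two most common are handled here.
UNIFIED2_PACKET = 2        # Unified2Packet: header + raw packet bytes
UNIFIED2_IDS_EVENT = 7     # Unified2IDSEvent_legacy: 52-byte IPv4 event

# All fields are big-endian (network byte order) on disk.
REC_HDR = struct.Struct(">II")         # type, length of the body that follows
IDS_EVENT = struct.Struct(">11I2H4B")  # sensor_id .. ip_destination, ports, proto/impact/blocked
PKT_HDR = struct.Struct(">7I")         # sensor_id, event_id, event_second, pkt_second, pkt_usec, linktype, packet_length


def read_unified2(data):
    """Yield (record_type, body) for each complete record in *data*.

    Stops at a partial trailing record instead of raising: Snort appends to
    the file while it is being read, so a short tail is normal, and a tailing
    reader such as barnyard2 simply retries later from its bookmark."""
    off = 0
    while off + REC_HDR.size <= len(data):
        rtype, length = REC_HDR.unpack_from(data, off)
        start = off + REC_HDR.size
        if start + length > len(data):
            break
        yield rtype, data[start:start + length]
        off = start + length


def parse_ids_event(body):
    """Decode a Unified2IDSEvent_legacy body into a dict."""
    (sensor_id, event_id, second, usec, sid, gid, rev, class_id, priority,
     ip_src, ip_dst, sport_itype, dport_icode,
     proto, impact_flag, impact, blocked) = IDS_EVENT.unpack(body[:IDS_EVENT.size])
    return {
        "sensor_id": sensor_id, "event_id": event_id, "second": second,
        "gid": gid, "sid": sid, "rev": rev, "priority": priority,
        "src": str(ipaddress.IPv4Address(ip_src)),
        "dst": str(ipaddress.IPv4Address(ip_dst)),
        "sport": sport_itype, "dport": dport_icode,   # for ICMP: type / code
        "proto": proto, "blocked": blocked,
    }


def summarize(data):
    """Return (list of decoded IDS events, number of packet records)."""
    events, packets = [], 0
    for rtype, body in read_unified2(data):
        if rtype == UNIFIED2_IDS_EVENT:
            events.append(parse_ids_event(body))
        elif rtype == UNIFIED2_PACKET:
            packets += 1
    return events, packets


def tally(events):
    """Count events per (src, dst, gid:sid), the same grouping as the
    snort_stats.pl table earlier in the thread."""
    return Counter((e["src"], e["dst"], f"{e['gid']}:{e['sid']}") for e in events)


# ---- constructed sample data (not a real capture) ----------------------------
def _record(rtype, body):
    return REC_HDR.pack(rtype, len(body)) + body


def make_ids_event(event_id, gid, sid, src, dst, proto, sport=0, dport=0,
                   second=1349640603, priority=0):
    body = IDS_EVENT.pack(1, event_id, second, 0, sid, gid, 1, 0, priority,
                          int(ipaddress.IPv4Address(src)), int(ipaddress.IPv4Address(dst)),
                          sport, dport, proto, 0, 0, 0)
    return _record(UNIFIED2_IDS_EVENT, body)


def make_packet(event_id, payload, second=1349640603):
    # linktype 1 = Ethernet; the payload here is just zero bytes
    body = PKT_HDR.pack(1, event_id, second, second, 0, 1, len(payload)) + payload
    return _record(UNIFIED2_PACKET, body)


SAMPLE = (
    # ICMP echo request 192.168.1.35 -> .14 hitting a local rule (sid assumed);
    # for ICMP the itype (8) lands in the sport field
    make_ids_event(1, 1, 1000001, "192.168.1.35", "192.168.1.14", 1, sport=8)
    + make_packet(1, b"\x00" * 42)
    + make_ids_event(2, 1, 1000001, "192.168.1.14", "192.168.1.35", 1, sport=0)
    # SSH preprocessor event on tcp/22 (gid 128; sid assumed for illustration)
    + make_ids_event(3, 128, 4, "192.168.1.35", "192.168.1.14", 6, sport=51234, dport=22)
    # partial record at the tail: header written, body not yet flushed by Snort
    + REC_HDR.pack(UNIFIED2_IDS_EVENT, IDS_EVENT.size) + b"\x00" * 10
)


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    events, packets = summarize(data)
    for e in events:
        print(f"[{e['gid']}:{e['sid']}:{e['rev']}] {e['src']}:{e['sport']} -> "
              f"{e['dst']}:{e['dport']} proto={e['proto']} priority={e['priority']}")
    print(f"{len(events)} IDS events, {packets} packet records")
```

Saved as, say, u2read.py, `python3 u2read.py /var/log/snort/snort.log.1349640603` prints one line per event plus a count; with no argument it runs over the constructed sample. A non-zero event count from a file that barnyard2 has been pointed at, combined with an event table that stays at 0, narrows the problem to barnyard2's database output or the waldo bookmark (the -w file records how far it has read, so a stale waldo past the end of a new file means nothing gets replayed). On that side, barnyard2's own README documents the output line as `output database: log, mysql, user=... password=... dbname=... host=...`, with a comma after the driver name, which is worth comparing against the config quoted earlier in the thread.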
Current thread:
- Lets talk about .... PR (Oct 06)
- Re: Lets talk about .... Peter Bates (Oct 07)
- Re: Lets talk about .... AllowOverride (Oct 07)
- Re: Lets talk about .... AllowOverride (Oct 07)
- Re: Lets talk about .... Peter Bates (Oct 07)
- Re: Lets talk about .... AllowOverride (Oct 08)
- Re: Lets talk about .... Peter Bates (Oct 08)
- Re: Lets talk about .... AllowOverride (Oct 08)
- Re: Lets talk about .... Peter Bates (Oct 09)
- Re: Lets talk about .... AllowOverride (Oct 09)
- Re: Lets talk about .... Jeremy Hoel (Oct 09)
- Re: Lets talk about .... AllowOverride (Oct 09)
- Message not available
- Re: Lets talk about .... Peter Bates (Oct 09)
- Re: Lets talk about .... AllowOverride (Oct 09)
- Re: Lets talk about .... Peter Bates (Oct 07)