Snort mailing list archives

Re: Let's talk about ....


From: AllowOverride <allowoverride () gmail com>
Date: Sun, 07 Oct 2012 14:15:36 -0700

Rule manager -> IDS -> Output processor -> Alert front-end
pp.pl > snort > barnyard2 > base-1.4.5 / snortreport 1.3.3 /
jpgraph-1.27.1

1. What am I missing to get unified2 or alerts into the mysql db?

Here is what I have so far...


configured: barnyard2.conf currently:

# this is not hard, only unified2 is supported ;)
input unified2

#output alert_fast: stdout
output alert_fast

both snort/barnyard2 run from cmd for testing, no script involved:

configured snort:
/usr/local/bin/snort -A fast -q -u snort -g snort -c /etc/snort/etc/snort.conf -i eth0 &

configured barnyard2:
/usr/local/bin/barnyard2 -c /etc/snort/etc/barnyard2.conf -d /var/log/snort -f snort.log -w /var/log/snort/barnyard2.waldo -D &

output database: log, mysql user=snort password=sorry-hidden dbname=snort host=localhost

no errors for snort/barnyard2...

*

stop ufw operations:

# ufw disable 
Firewall stopped and disabled on system startup

# service ufw stop
ufw stop/waiting

*

ping remote snort/barnyard2 server from remote host:

vulcan:~$ ping 192.168.1.14
PING 192.168.1.14 (192.168.1.14) 56(84) bytes of data.
64 bytes from 192.168.1.14: icmp_seq=1 ttl=64 time=0.403 ms
64 bytes from 192.168.1.14: icmp_seq=2 ttl=64 time=0.129 ms
64 bytes from 192.168.1.14: icmp_seq=3 ttl=64 time=0.133 ms

*

/var/log/snort/snort.log = increased in size
/var/log/snort/alert = increased in size

-rw-------  1 snort snort   19632 Oct  7 13:15 snort.log.1349640603
-rw-r--r--  1 root  root  1451982 Oct  7 13:15 alert

-rw-------  1 snort snort   21228 Oct  7 13:16 snort.log.1349640603
-rw-r--r--  1 root  root  1453494 Oct  7 13:16 alert

*

mysql not logging anything as snort user for snort db:

mysql> select count(*) from event;
+----------+
| count(*) |
+----------+
|        0 |
+----------+

* 

no change in file size:
ls -altr /var/lib/mysql/snort*
total 280
-rw-rw---- 1 mysql mysql    65 Oct  4 10:32 db.opt
-rw-rw---- 1 mysql mysql  8592 Oct  4 10:32 schema.frm
-rw-rw---- 1 mysql mysql  8666 Oct  4 10:32 event.frm
-rw-rw---- 1 mysql mysql  8802 Oct  4 10:32 signature.frm
-rw-rw---- 1 mysql mysql  8634 Oct  4 10:32 sig_reference.frm
-rw-rw---- 1 mysql mysql  8648 Oct  4 10:32 reference.frm
-rw-rw---- 1 mysql mysql  8630 Oct  4 10:32 reference_system.frm
-rw-rw---- 1 mysql mysql  8626 Oct  4 10:32 sig_class.frm
-rw-rw---- 1 mysql mysql  8780 Oct  4 10:32 sensor.frm
-rw-rw---- 1 mysql mysql  9004 Oct  4 10:32 iphdr.frm
-rw-rw---- 1 mysql mysql  8960 Oct  4 10:32 tcphdr.frm
-rw-rw---- 1 mysql mysql  8740 Oct  4 10:32 udphdr.frm
-rw-rw---- 1 mysql mysql  8780 Oct  4 10:32 icmphdr.frm
-rw-rw---- 1 mysql mysql  8770 Oct  4 10:32 opt.frm
-rw-rw---- 1 mysql mysql  8632 Oct  4 10:32 data.frm
-rw-rw---- 1 mysql mysql  8626 Oct  4 10:32 encoding.frm
-rw-rw---- 1 mysql mysql  8618 Oct  4 10:32 detail.frm
-rw-rw---- 1 mysql mysql  8710 Oct  6 19:33 acid_ag.frm
-rw-rw---- 1 mysql mysql  8630 Oct  6 19:33 acid_ag_alert.frm
-rw-rw---- 1 mysql mysql  8758 Oct  6 19:33 acid_ip_cache.frm
-rw-rw---- 1 mysql mysql 13090 Oct  6 19:33 acid_event.frm
-rw-rw---- 1 mysql mysql  8646 Oct  6 19:33 base_roles.frm
-rw-rw---- 1 mysql mysql  8758 Oct  6 19:33 base_users.frm
drwx------ 2 mysql mysql  4096 Oct  6 19:33 .
drwx------ 5 mysql mysql  4096 Oct  7 12:46 ..

Perms good above? Should they be mysql:mysql or... snort:snort?


2. Can both alert and snort.log work from schema/create_mysql? Which one, snort.log only?

3. How can I have http://192.168.1.14/base-1.4.5/base_main.php log unified2 output from /var/log/snort/alert or snort.log?

4. I followed the deb snort pdf howto (2011); looking at the 2012 version, it looks the same. I'll recheck against my script.

5. Old Dan Farmer SATAN alert reader:
# ./snort_stats.pl alert 

The log begins from: 10 06 19:23:17
The log ends     at: 10 07 13:24:57
Total events: 13476
Signatures recorded: 6
Source IP recorded: 2
Destination IP recorded: 2

The number of attacks from same host to same
destination using same method
=========================================================================
  # of
 attacks  from              to                method
=========================================================================
   11898  192.168.1.35      192.168.1.14       ICMP test  [Priority: 0] {ICMP}
   809    192.168.1.14      192.168.1.35       ICMP test  [Priority: 0] {ICMP}
   640    192.168.1.35      192.168.1.14       (spp_ssh) Protocol mismatch   {TCP}
   64     192.168.1.35      192.168.1.14       Reset outside window   {TCP}
   43     192.168.1.14      192.168.1.35       (http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE   {TCP}
   16     192.168.1.14      192.168.1.35       Consecutive TCP small segments exceeding threshold   {TCP}
   5      192.168.1.35      192.168.1.14       Consecutive TCP small segments exceeding threshold   {TCP}
   1      192.168.1.14      192.168.1.35       (spp_sdf) SDF Combination Alert   {PROTO:254}
...trunc'd

I have a reader ;) 


thanks!

--- Begin Message ---
From: Peter Bates <peter.bates () ucl ac uk>
Date: Sun, 7 Oct 2012 10:23:54 +0100


Hello all

On 07/10/2012 03:42, PR wrote:
> 1. isn't barnyard2 supposed to be able to allow you to view the
> sigs/data or just does it say ICMP yadda...

If snort is generating unified2 data in snort.log, you can use
u2spewfoo snort.log.x to read the contents.

If your snort.conf is also doing fast alerting then you'll have the
hits in 'alert' as well.

> 2. do I need to do anything with my snort.rules, like cat snort.rules
> local.rules ??

This seems to have been asked about a few times recently.

You need to

include $RULE_PATH/local.rules
include $RULE_PATH/snort.rules

in your snort.conf.

There's an argument for Snort perhaps coming either with a default set
of rules or to have all the include lines except for local.rules
commented out.

> 3. how do I get data from barnyard2 to my db to view in a pretty
> browser GUI like base or snortreport, or jpgraph?

Barnyard2 should be putting the alerts into your DB if correctly
configured, see for example:

mysql snort -u snort -p

select count(*) from event;

If the count is increasing then your alerts are going into the DB.

The last time I set up a box from scratch I found the Debian HOWTO
from snort.org to be the most clear on different steps:
http://www.snort.org/assets/167/IDS_deb_snort_howto.pdf

PulledPork downloads the rules and also reads your snort.conf
for paths where to put things like Shared Object files, etc.

It then either outputs to individual rules which you need to include
individually as 'include' in snort.conf or as a single file.

Snort then runs and writes the unified2 logfiles.

Barnyard2 waits to see u2 files appearing in the place you designate
as input and then does its job as output processor - generally
outputting to DB as the simpler outputs Snort can still do itself.

Rule manager -> IDS -> Output processor -> Alert front-end

Lousy ASCII flowchart, I know.

-- 
Peter Bates
Senior Computer Security Officer    Phone: +44(0)2076792049
Information Services Division       Internal Ext: 32049
University College London
London WC1E 6BT


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!

--- End Message ---
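Peter's "select count(*) from event" tells you whether alerts are reaching the DB; the script below is an added example (not from either mail) that checks the links before that point: an active "input unified2" line and an uncommented "output database:" line in barnyard2.conf, and unified2 spool files that match what barnyard2 -d/-f is told to read. The by2_* function names are invented for this example; the paths and the snort.log prefix follow the thread.

```shell
#!/bin/sh
# Added example: pre-flight check for the snort -> unified2 -> barnyard2 -> MySQL chain.
# Function names are made up for this script; paths follow the thread.

# 0 when the conf has an uncommented 'input unified2' line.
by2_has_unified2_input() {
    grep -Eq '^[[:space:]]*input[[:space:]]+unified2' "$1"
}

# 0 when the conf has at least one uncommented 'output database:' line.
# A commented-out '#output database: ...' does not count.
by2_has_db_output() {
    grep -Eq '^[[:space:]]*output[[:space:]]+database:' "$1"
}

# Print the active output plugin names (alert_fast, database, ...), one per line.
by2_active_outputs() {
    sed -n -E 's/^[[:space:]]*output[[:space:]]+([a-z0-9_]+).*/\1/p' "$1"
}

# 0 when spool dir $1 holds at least one <prefix>.<timestamp> file,
# i.e. what 'barnyard2 -d $1 -f $2' expects to find (snort.log.1349640603).
by2_spool_has_files() {
    for f in "$1"/"$2".*; do
        [ -f "$f" ] && return 0
    done
    return 1
}

# Run all checks; print one line per failure, return 0 only when all pass.
by2_check() {
    conf=$1; spool=$2; prefix=$3; rc=0
    by2_has_unified2_input "$conf" || {
        echo "conf: no active 'input unified2' line"; rc=1; }
    by2_has_db_output "$conf" || {
        echo "conf: no active 'output database:' line; active outputs:" \
             "$(by2_active_outputs "$conf" | tr '\n' ' ')"; rc=1; }
    by2_spool_has_files "$spool" "$prefix" || {
        echo "spool: no $prefix.* files under $spool (check snort -l and barnyard2 -d/-f)"; rc=1; }
    [ "$rc" -eq 0 ] && echo "ok: conf and spool consistent; now watch 'select count(*) from event'"
    return "$rc"
}

# On the thread's layout:
#   by2_check /etc/snort/etc/barnyard2.conf /var/log/snort snort.log
```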
