Snort mailing list archives

Re: Let's talk about ....


From: Peter Bates <peter.bates () ucl ac uk>
Date: Sun, 7 Oct 2012 23:19:54 +0100


Hello all

On 07/10/2012 22:15, AllowOverride wrote:
Rule manager -> IDS -> Output processor -> Alert front-end pp.pl >
snort > barnyard2 > base-1.4.5 / snortreport 1.3.3 / jpgraph-1.27.1

1. What am I missing to get unified2 or alerts into the MySQL DB?

Okay, let's take some quick steps that are useful when debugging.

/usr/local/bin/snort -i eth0 -c /etc/snort/etc/snort.conf -T > /tmp/snort.out 2>&1
grep 'rules read' /tmp/snort.out

You should see something like

xxx Snort rules read

This shows your Snort is reading the configuration okay (-T)
and also reading some rules.

Now

/usr/local/bin/snort -A console -u snort -g snort -c /etc/snort/etc/snort.conf -i eth0

This runs Snort in the foreground and alerts will show
on the console - generate some ICMP traffic and you should see hits.

Finally

/usr/local/bin/snort -i eth0 -D -c /etc/snort/etc/snort.conf -l /var/log/snort

(Note you can set user and group in snort.conf with
config set_gid: snort
config set_uid: snort
- to avoid -u and -g on the command line)

In snort.conf we have

output unified2: filename snort.log, limit 128

Snort will then be running daemonized and you should see
snort.log appear in /var/log/snort
- you might have to chown snort:snort /var/log/snort

Then

/usr/local/bin/barnyard2 -D -c /etc/snort/etc/barnyard2.conf -d /var/log/snort -w /var/log/snort/bylog.waldo -f snort.log -G /etc/snort/gen-msg.map -S /etc/snort/sid-msg.map

The -G and -S should be unnecessary as they are defined in
barnyard2.conf, but I've sometimes found it doesn't read them; that
might be a bug in the version I'm running - a new one was released
recently.

After that, you can try

mysql> select count(*) from event;

and it should be increasing when you generate traffic that hits rules.

The MySQL file permissions should be irrelevant - MySQL runs as the
MySQL user and barnyard2 just connects to the socket on 3306 and makes
the usual INSERT calls.

-- 
Peter Bates
Senior Computer Security Officer    Phone: +44(0)2076792049
Information Services Division       Internal Ext: 32049
University College London
London WC1E 6BT
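An added example, not part of Peter Bates's message or of the Snort/barnyard2 projects: a small reader for the unified2 records that `output unified2: filename snort.log` writes, so the step between "snort.log appears in /var/log/snort" and "select count(*) from event" can be checked directly on the sensor. If this reader counts events but the MySQL table stays empty, the problem is on the barnyard2 side; if it counts nothing, no rule is firing. The record header and event layouts are assumed from Snort's Unified2_common.h (type 7 legacy IPv4 event, 52-byte body; type 104 VLAN variant, 60-byte body); the sid-msg.map line and the snort.log bytes below are constructed for the demo, including a deliberately truncated final record to show how a file still being written is handled.

```python
import struct
from collections import Counter

UNIFIED2_PACKET = 2
UNIFIED2_IDS_EVENT = 7          # legacy IPv4 event, 52-byte body (assumed layout)
UNIFIED2_IDS_EVENT_VLAN = 104   # IPv4 event with mpls/vlan tail, 60-byte body

# Record header: uint32 type, uint32 length (network byte order), then `length` bytes.
HDR = struct.Struct("!II")
# Unified2IDSEvent_legacy: 11 x uint32, 2 x uint16, 4 x uint8 = 52 bytes.
EVT = struct.Struct("!11I2H4B")
EVT_FIELDS = ("sensor_id", "event_id", "event_second", "event_usec", "sid", "gid",
              "rev", "class_id", "priority", "src", "dst", "sport_itype", "dport_icode",
              "protocol", "impact_flag", "impact", "blocked")


def iter_records(data):
    """Yield (type, body) for each complete record; stop at a truncated tail."""
    off = 0
    while off + HDR.size <= len(data):
        rtype, length = HDR.unpack_from(data, off)
        off += HDR.size
        if off + length > len(data):
            break  # partial record: Snort is still writing it; barnyard2 waits for the rest
        yield rtype, data[off:off + length]
        off += length


def parse_event(rtype, body):
    """Decode the leading fields shared by type-7 and type-104 event bodies."""
    if rtype not in (UNIFIED2_IDS_EVENT, UNIFIED2_IDS_EVENT_VLAN) or len(body) < EVT.size:
        return None
    return dict(zip(EVT_FIELDS, EVT.unpack_from(body, 0)))


def load_sid_msg_map(text):
    """Parse sid-msg.map lines of the form `sid || msg || ref ...` into {sid: msg}."""
    out = {}
    for line in text.splitlines():
        parts = [p.strip() for p in line.split("||")]
        if len(parts) >= 2 and parts[0].isdigit():
            out[int(parts[0])] = parts[1]
    return out


def count_events(data, sid_msgs):
    """Return {rule message: count}, the file-side analogue of `select count(*) from event`."""
    counts = Counter()
    for rtype, body in iter_records(data):
        ev = parse_event(rtype, body)
        if ev is not None:
            counts[sid_msgs.get(ev["sid"], "sid %d (not in sid-msg.map)" % ev["sid"])] += 1
    return dict(counts)


def make_event(sid, src, dst, proto=1):
    """Build one type-7 record (constructed sample data, not captured from a sensor)."""
    body = EVT.pack(1, 1, 1349648394, 0, sid, 1, 1, 29, 3, src, dst, 8, 0, proto, 0, 0, 0)
    return HDR.pack(UNIFIED2_IDS_EVENT, len(body)) + body


SAMPLE_SID_MAP = "384 || ICMP PING || icmp,type:8\n"  # constructed map line
SAMPLE_LOG = (make_event(384, 0x0A000001, 0x0A000002)
              + HDR.pack(UNIFIED2_PACKET, 4) + b"\x00" * 4      # packet record, ignored
              + make_event(384, 0x0A000002, 0x0A000001)
              + make_event(1000001, 0x0A000001, 0x0A000003)     # sid with no map entry
              + HDR.pack(UNIFIED2_IDS_EVENT, 52) + b"\x00" * 10)  # truncated final record

if __name__ == "__main__":
    # On a real sensor: count_events(open("/var/log/snort/snort.log.<ts>", "rb").read(), ...)
    for msg, n in count_events(SAMPLE_LOG, load_sid_msg_map(SAMPLE_SID_MAP)).items():
        print("%5d  %s" % (n, msg))
```

The reader deliberately ignores packet (type 2) and extra-data records and only keys on the leading event fields, which is all that is needed to answer "is Snort writing alerts at all?"; a sid that is missing from sid-msg.map is reported as such, which is also what you would see in barnyard2 when its -S map is stale.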

