Snort mailing list archives
Re: Lets talk about ....
From: Peter Bates <peter.bates () ucl ac uk>
Date: Sun, 7 Oct 2012 23:19:54 +0100
Hello all

On 07/10/2012 22:15, AllowOverride wrote:
> Rule manager -> IDS -> Output processor -> Alert front-end
> pp.pl > snort > barnyard2 > base-1.4.5 / snortreport 1.3.3 / jpgraph-1.27.1
>
> 1. What am I missing to get unified2 or alerts to mysql db?
Okay, let's take some quick steps that are useful when debugging:

/usr/local/bin/snort -i eth0 -c /etc/snort/etc/snort.conf -T > /tmp/snort.out 2>&1
grep 'rules read' /tmp/snort.out

You should see something like

xxx Snort rules read

This shows your Snort is reading the configuration okay (-T) and also reading some rules.

Now

/usr/local/bin/snort -A console -u snort -g snort -c /etc/snort/etc/snort.conf -i eth0

This runs Snort in the foreground and alerts will show on the console - generate some ICMP traffic and you should see hits.

Finally

/usr/local/bin/snort -i eth0 -D -c /etc/snort/etc/snort.conf -l /var/log/snort

(Note you can see user and group in snort.conf with

config set_gid: snort
config set_uid: snort

-- to avoid -u and -g on the command line.)

In snort.conf we have

output unified2: filename snort.log, limit 128

Snort will then be running daemonized and you should see snort.log appear in /var/log/snort -- you might have to chown snort:snort /var/log/snort.

Then

/usr/local/bin/barnyard2 -D -c /etc/snort/etc/barnyard2.conf -d /var/log/snort -w /var/log/snort/bylog.waldo -f snort.log -G /etc/snort/gen-msg.map -S /etc/snort/sid-msg.map

The -G and -S should be unnecessary as they are defined in barnyard2.conf, but I've sometimes found it doesn't read them - that might be a bug in the version I'm running; a new one was released recently.

After that, you can try

mysql> select count(*) from event;

and it should be increasing when you generate traffic that hits rules.

The MySQL file permissions should be irrelevant - MySQL runs as the MySQL user and barnyard2 just connects to the socket on 3306 and makes the usual INSERT calls.
-- 
Peter Bates
Senior Computer Security Officer
Information Services Division
University College London
London WC1E 6BT
Phone: +44(0)2076792049
Internal Ext: 32049
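The debugging sequence in Peter's reply, collected into one POSIX shell script. This is an added example, not code from the thread or from the Snort/barnyard2 projects. The binaries, config paths, the `output unified2:` line, `eth0` and the barnyard2 flags are the ones the mail uses; the MySQL database name `snort`, the GNU `stat -c %U` ownership check and the five-second wait for the first spool file are assumptions. The three helpers (rule count from `snort -T` output, unified2 base name from snort.conf, newest spool file by epoch suffix) run offline on sample input; `run_checks` needs root or the snort user and a live interface and is only invoked with `--run`.

```shell
#!/bin/sh
# Added example (not code from the thread): checks for the
# Snort -> unified2 -> barnyard2 -> MySQL chain, in the order the reply gives them.
# Paths and flags follow the mail; SNORT_IF/MYSQL_DB and the stat/sleep are assumptions.

SNORT_BIN="${SNORT_BIN:-/usr/local/bin/snort}"
BY2_BIN="${BY2_BIN:-/usr/local/bin/barnyard2}"
SNORT_CONF="${SNORT_CONF:-/etc/snort/etc/snort.conf}"
BY2_CONF="${BY2_CONF:-/etc/snort/etc/barnyard2.conf}"
LOG_DIR="${LOG_DIR:-/var/log/snort}"
SNORT_IF="${SNORT_IF:-eth0}"
MYSQL_DB="${MYSQL_DB:-snort}"   # assumption: the database barnyard2 writes to

# Step 1 helper: read captured 'snort -T' output on stdin and print the number
# from the "N Snort rules read" line, or 0 when that line is absent.
rules_read_count() {
    n=$(sed -n 's/^[[:space:]]*\([0-9][0-9]*\) Snort rules read.*/\1/p' | head -n 1)
    echo "${n:-0}"
}

# Step 2 helper: print the unified2 base filename from a snort.conf line such as
#   output unified2: filename snort.log, limit 128
# Prints nothing when no unified2 output is configured.
unified2_filename() {
    sed -n 's/^[[:space:]]*output unified2:.*filename[[:space:]]*\([^,[:space:]]*\).*/\1/p' "$1" | head -n 1
}

# Step 3 helper: newest unified2 spool file. Snort appends the epoch time at
# which it opened the file (snort.log.1349648394), so the largest numeric
# suffix is the current file; mtime ordering is not needed.
latest_unified2() {
    dir=$1; base=$2; best=""; bestn=-1
    for f in "$dir/$base".*; do
        [ -f "$f" ] || continue
        suf=${f##*.}
        case $suf in *[!0-9]*|"") continue ;; esac   # skip snort.log.bak and the like
        if [ "$suf" -gt "$bestn" ]; then best=$f; bestn=$suf; fi
    done
    [ -n "$best" ] || return 1
    echo "$best"
}

# The live sequence from the mail. Needs root (or the snort user) and an interface.
run_checks() {
    echo "== 1. config test (-T)"
    "$SNORT_BIN" -i "$SNORT_IF" -c "$SNORT_CONF" -T > /tmp/snort.out 2>&1 || {
        echo "snort -T failed; read /tmp/snort.out"; return 1; }
    n=$(rules_read_count < /tmp/snort.out)
    echo "Snort rules read: $n"
    [ "$n" -gt 0 ] || { echo "no rules loaded: check the include lines in $SNORT_CONF"; return 1; }

    echo "== 2. unified2 output line"
    base=$(unified2_filename "$SNORT_CONF")
    [ -n "$base" ] || { echo "no 'output unified2:' line in $SNORT_CONF"; return 1; }

    echo "== 3. log directory ownership (snort drops to its own user)"
    owner=$(stat -c %U "$LOG_DIR" 2>/dev/null || echo unknown)   # GNU stat; assumption
    [ "$owner" = snort ] || echo "warning: $LOG_DIR owned by $owner; try chown snort:snort $LOG_DIR"

    echo "== 4. daemonise snort, then point barnyard2 at the spool"
    "$SNORT_BIN" -i "$SNORT_IF" -D -c "$SNORT_CONF" -l "$LOG_DIR"
    sleep 5   # assumption: enough time for the first $base.* file to appear
    spool=$(latest_unified2 "$LOG_DIR" "$base") || { echo "no $base.* in $LOG_DIR yet"; return 1; }
    echo "current spool file: $spool"
    "$BY2_BIN" -D -c "$BY2_CONF" -d "$LOG_DIR" -w "$LOG_DIR/bylog.waldo" -f "$base" \
        -G /etc/snort/gen-msg.map -S /etc/snort/sid-msg.map

    echo "== 5. event count (re-run after generating traffic that hits rules)"
    mysql "$MYSQL_DB" -e 'select count(*) from event;'
}

if [ "${1:-}" = "--run" ]; then run_checks; fi
```

Usage: `sh snort_chain_check.sh --run` as root (or the snort user). Each step fails closed, so the first message printed tells you which link of the chain (rules, unified2 output line, spool directory, barnyard2, database) is the one to look at.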