Snort mailing list archives

Re: Let's talk about ....


From: AllowOverride <allowoverride () gmail com>
Date: Mon, 08 Oct 2012 15:28:34 -0700

next topic, revisited:

u2spewfoo snort.log.1349734894 
get_record: (2) Failed to read all of record data.
        Read 14476 of 33555456 bytes

why?

I run snort/barnyard2 this way; should I change?

/usr/local/bin/snort -A fast -c /etc/snort/etc/snort.conf -i eth0 &
/usr/local/bin/barnyard2 -c /etc/snort/etc/barnyard2.conf \
    -d /var/log/snort -f snort.log -w /var/log/snort/barnyard2.waldo

I used the corrections you provided in the last email(s).
Snort is logging properly, no errors, just warnings; I fixed the
whitelist sorta, but it does not error out, and 3 IPs were loaded.

I think snort is NOT logging to unified2 format properly, since
u2spewfoo gives that error, which could explain why my DB is not
inputting data to the mysql db using schemas/mysql_create. Make sense?
Advise... thanks...

PS Mr. Bates is definitely community thus far ;)
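The number in the u2spewfoo error is itself the tell. Added example, not code from this thread, from Snort or from u2spewfoo: a small Python checker that sniffs whether a spool file is a pcap capture or a unified2 spool and walks unified2 record headers the way a reader does. Fed a constructed pcap global header, it reports the same 33555456 (0x02000400, the pcap version fields 2.4 read big-endian as a record length) that u2spewfoo printed, which is what you get when a pcap file, such as the one -A console writes, is opened as unified2. The sample bytes, the filler record bodies and the error wording are constructed here; the record type value 7 and the big-endian type/length header follow the unified2 layout.

```python
import struct
import sys

# Constructed sample inputs (not files from the thread).
# A pcap global header as libpcap writes it on a little-endian host:
# magic d4 c3 b2 a1, version 2.4, thiszone 0, sigfigs 0, snaplen 65535,
# linktype 1 (Ethernet), then one packet record header and 6 payload bytes.
PCAP_SAMPLE = (
    bytes.fromhex("d4c3b2a1")
    + struct.pack("<HHiIII", 2, 4, 0, 0, 65535, 1)
    + struct.pack("<IIII", 0, 0, 6, 6)
    + b"\x08\x00\x45\x00\x00\x14"
)

# Unified2 record = 4-byte type + 4-byte length, both network byte order,
# then `length` bytes of body.  Type 7 is the classic IDS event record type;
# the bodies here are filler, not real event structures.
def u2_record(rtype, body):
    return struct.pack(">II", rtype, len(body)) + body

U2_SAMPLE = u2_record(7, b"A" * 12) + u2_record(7, b"B" * 20)

# Leading bytes that identify a capture file rather than a unified2 spool.
PCAP_MAGICS = {
    bytes.fromhex("d4c3b2a1"), bytes.fromhex("a1b2c3d4"),  # pcap, either byte order
    bytes.fromhex("4d3cb2a1"), bytes.fromhex("a1b23c4d"),  # nanosecond pcap
    bytes.fromhex("0a0d0d0a"),                              # pcapng section header
}

def header_as_unified2(data):
    """Interpret the first 8 bytes as a unified2 (type, length) header."""
    return struct.unpack(">II", data[:8])

def sniff_format(data):
    """Return 'pcap', 'unified2' or 'unknown' for the start of a file."""
    if data[:4] in PCAP_MAGICS:
        return "pcap"
    if len(data) >= 8:
        rtype, length = header_as_unified2(data)
        # real unified2 types are small integers and a record cannot exceed the file
        if 0 < rtype < 256 and length <= len(data) - 8:
            return "unified2"
    return "unknown"

def read_unified2_records(data):
    """Walk unified2 records; raise ValueError on a short read, as get_record does."""
    records, off = [], 0
    while off + 8 <= len(data):
        rtype, length = struct.unpack(">II", data[off:off + 8])
        body = data[off + 8:off + 8 + length]
        if len(body) < length:
            raise ValueError(
                "get_record: Failed to read all of record data. "
                f"Read {len(body)} of {length} bytes"
            )
        records.append((rtype, length))
        off += 8 + length
    return records

def diagnose(data):
    """One-line verdict on what a unified2 consumer will make of `data`."""
    fmt = sniff_format(data)
    if fmt == "pcap":
        bogus = header_as_unified2(data)[1] if len(data) >= 8 else None
        return (f"pcap capture, not unified2: a unified2 reader takes the pcap "
                f"version fields as a record length of {bogus} bytes")
    if fmt == "unified2":
        try:
            n = len(read_unified2_records(data))
        except ValueError as err:
            return f"unified2, but truncated: {err}"
        return f"unified2 spool with {n} complete record(s)"
    return "neither pcap nor unified2"

if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:   # e.g. /var/log/snort/snort.log.<epoch>
            print(diagnose(fh.read()))
    else:
        print(diagnose(PCAP_SAMPLE))
        print(diagnose(U2_SAMPLE))
        print(diagnose(U2_SAMPLE[:-5]))       # a spool cut mid-record
```

Run it against the spool file barnyard2 is pointed at; a "pcap capture" verdict means the output plugin writing that file is not unified2, whatever the file is named, and the third sample shows the different, smaller "Read N of M" you get from a genuinely truncated unified2 spool.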

--- Begin Message ---
From: Peter Bates <peter.bates () ucl ac uk>
Date: Mon, 8 Oct 2012 10:06:17 +0100


Hello all

On 08/10/2012 00:42, AllowOverride wrote:
> 1. Here is stdout after starting snort: see attached: anything wrong
> there?
> Still not logging, after correcting.
>
> 2. In console mode I see ping traffic from the remote host pinging the snort
> server.

Okay - as it has been a while since I used -A console to test, I can see
that what this does is produce tcpdump/pcap output file as well as showing
the alerts to the console as expected.

The fact it isn't a u2 file explains the u2spewfoo error.

In your snort.conf, put (use the existing lines)
to shorten your command-line:

config set_gid: snort
config set_uid: snort
config logdir: /var/log/snort

output unified2: filename snort.log, limit 128

- Your current snort.conf has

output unified2: filename snort.log limit 128

- the comma is significant.

Start up snort with

snort -c /etc/snort/snort.conf -i eth0
 
- you can add -D later to daemonize it

Snort should run and you will get

-rw-------  1 snort snort    0 Oct  8 09:52 snort.log.1349686338

in /var/log/snort.

Generate some ICMP traffic, and you should see it logged

-rw-------  1 snort snort 1164 Oct  8 09:53 snort.log.1349686338

u2spewfoo snort.log.1349686338 |grep sig
        sig id: 10000001        gen id: 1       revision: 0      classification: 0
        sig id: 10000001        gen id: 1       revision: 0      classification: 0

If that is working then it is time to look at barnyard2.

> 3. Also flowbits? This is not running inline; I'll read more about that
> later, when I have a 2nd NIC.

I wouldn't worry about the flowbits.

> 4. -G -S are defined in barnyard2.conf - see attached

I would define:

output alert_fast: /var/log/snort/alert

instead of what you've got if you need that output and

output database: log, mysql, dbname=snort host=localhost user=snort password=hidden detail=full

> 5. Reputation config:
> WARNING: Can't find any whitelist/blacklist entries. Reputation
> Preprocessor disabled.
> What is the syntax in the snort.conf file... howtos are pissing me
> off....

I have:
whitelist $WHITE_LIST_PATH/white_list.rules, \
   blacklist $BLACK_LIST_PATH/black_list.rules

This is just a warning.
As you have 

var WHITE_LIST_PATH /etc/snort/rules
var BLACK_LIST_PATH /etc/snort/rules

Then if you put IP addresses in 
/etc/snort/rules/white_list.rules
/etc/snort/rules/black_list.rules

The Reputation preproc will be enabled.

> 6.
>
> I found the problem I believe, snort.u2 vs snort.log defined in
> snort.conf.... good grief...
> Made the filename snort looks for snort.log; there were no warnings in
> syslog nor snort stdout in console mode...

A wrong filename isn't really fatal so an error isn't entirely appropriate.

> 7. Lastly, I don't have a 2nd NIC. Where would I define that, and if not
> defined, will it cause issues?

No.

-- 
Peter Bates
Senior Information Security Officer   Phone: +44(0)2076792049
Information Services Division         Internal Ext: 32049
University College London
London WC1E 6BT


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!

--- End Message ---
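Peter's two configuration points, the comma in the unified2 output line and the empty reputation lists, both come down to how a line of snort.conf is split up. Added example, not code from this thread or from Snort: a small Python preflight that reads output lines as comma-separated "keyword value" options and counts usable entries in the white/black list files. It models the option grammar as described in the reply, not Snort's real parser, so the way the comma-less line is mis-split here (everything after "filename" landing in the filename slot) is an assumption used to make the problem visible; the snort.conf fragment and list contents are constructed samples.

```python
# Constructed snort.conf fragment (not the poster's real file): line 4 is the
# comma-less unified2 line from the thread, line 5 is the corrected form.
SNORT_CONF = """\
config logdir: /var/log/snort
var WHITE_LIST_PATH /etc/snort/rules
var BLACK_LIST_PATH /etc/snort/rules
output unified2: filename snort.log limit 128
output unified2: filename snort.log, limit 128
"""

# Constructed white_list.rules: one IP or CIDR per line, '#' comments allowed.
WHITE_LIST = "# trusted scanner hosts (constructed)\n192.0.2.10\n198.51.100.0/24\n\n"
EMPTY_LIST = "# nothing here yet\n"

def parse_output_options(line):
    """Split 'output <plugin>: a b, c d' into {'a': 'b', 'c': 'd'}.

    Options are comma separated and each is 'keyword value' (grammar as
    described in the reply; assumption, not a statement about Snort's parser),
    so without the comma all of 'snort.log limit 128' lands in the filename."""
    _, _, argstr = line.partition(":")
    opts = {}
    for chunk in argstr.split(","):
        parts = chunk.strip().split(None, 1)
        if parts:
            opts[parts[0]] = parts[1].strip() if len(parts) > 1 else ""
    return opts

def check_unified2_line(line):
    """Human-readable problems for one 'output unified2:' line."""
    problems = []
    opts = parse_output_options(line)
    fname = opts.get("filename", "")
    if not fname:
        problems.append("no filename option")
    elif " " in fname:
        problems.append(f"filename {fname!r} contains spaces: "
                        "a comma is probably missing before the next option")
    if "limit" in opts and not opts["limit"].isdigit():
        problems.append(f"limit {opts['limit']!r} is not a number")
    return problems

def lint_snort_conf(text):
    """Return {line_number: [problems]} for every unified2 output line."""
    findings = {}
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if line.startswith("output unified2:"):
            problems = check_unified2_line(line)
            if problems:
                findings[n] = problems
    return findings

def reputation_entries(list_text):
    """Count usable entries in a white/black list file, ignoring blank lines
    and '#' comments.  No entries in either file is what leaves the
    reputation preprocessor disabled with the warning quoted in the thread."""
    return sum(1 for raw in list_text.splitlines() if raw.split("#", 1)[0].strip())

def reputation_enabled(white_text, black_text):
    """True once at least one list file carries an address."""
    return reputation_entries(white_text) + reputation_entries(black_text) > 0

if __name__ == "__main__":
    for n, problems in lint_snort_conf(SNORT_CONF).items():
        print(f"snort.conf line {n}: " + "; ".join(problems))
    print("reputation preprocessor would be enabled:",
          reputation_enabled(WHITE_LIST, EMPTY_LIST))
```

Point the two constants at the real files (read snort.conf and the files named by WHITE_LIST_PATH and BLACK_LIST_PATH) to run the same checks before restarting snort; the lint only flags the comma-less line, which is the one Snort silently accepts.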
