Snort mailing list archives

Re: Snort report not showing any data - not sure if Snort is working


From: "Joe Nunham" <jnunham () parishsoft com>
Date: Fri, 16 Nov 2012 08:46:59 -0500

Hi,

 

I will give your script a shot and post back with results.

 

Thanks

 

From: Tony Robinson [mailto:deusexmachina667 () gmail com] 
Sent: Thursday, November 15, 2012 7:08 PM
To: Joe Nunham
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Snort report not showing any data - not sure if
Snort is working

 

Just wanted to post a quick update here for Joe and everyone else: the
Autosnort script I posted for Ubuntu 12.04 is indeed compatible with Ubuntu
12.10 and performs wonderfully. These are screen caps post-install after
throwing an Armitage hail mary against an OWASP BWA virtual machine and
Metasploitable 2 with exploit rank set to poor. I think it works.

Cheers,

DA

On Thu, Nov 15, 2012 at 6:06 PM, Tony Robinson <deusexmachina667 () gmail com>
wrote:

As much as I don't want to sound like someone selling snake oil, I have a
script called Autosnort that completes the entire Snort installation for
you. If you want to try it out, take a look at:
https://github.com/da667/Autosnort/tree/master/Autosnort%20-%20Ubuntu

Note: the script says Ubuntu 12.04. While I haven't officially tested it
against 12.10 (I'm downloading it as we speak to run the script and ensure
compatibility), I have no reason to believe there would be any issues
running the script against Ubuntu 12.10.

If you're not comfortable running the script, however, there are a number of
areas I would recommend checking:

1) Where are your unified2 files being logged to? The guide you are referring
to logs them to /var/log/snort. Can you verify that, and also do an ls -l and
verify that the snort user and group have permissions on the directory and
ALL the files contained within? Can you confirm that barnyard is installed
and running while snort is running? What command options are you giving to
barnyard? What command options are you giving snort? Are you making it drop
privilege to the snort user and group?

2) Regarding the database install, check
/var/www/snortreport-1.3.3/srconf.php -- there are lines that need to know
the password of the snort database user to read from the database. Confirm
that you input the correct credentials by logging into the database as the
snort user (mysql -u[snort user] -p[snort user pass] [database name,
usually snort]) and try performing a select and/or a show tables with the snort
user.

3) You indicate the data isn't in the database at all. Did you install the
snort database schema for barnyard? The show tables command above should
more than confirm that. Was barnyard2 compiled with --with-mysql (or the
database you are using as a backend)? Was it compiled to point to the proper
folder for the libmysqlclient library
(--with-mysql-libraries=/usr/lib/x86_64-linux-gnu)? What does your
barnyard2.conf look like? Specifically, check your output database line to
make sure that the snort database user and the database password used
for srconf.php are exactly the same.

4) Is there anything in /var/log/messages or syslog that indicates a problem
with snort OR barnyard running?

I hope this gives you enough to chew on. Message me on or offlist if you
have questions -- I can't always guarantee a fast response, though.

DA




On Thu, Nov 15, 2012 at 3:53 PM, Joe Nunham <jnunham () parishsoft com> wrote:

Hello,

 

I recently installed Snort 2.9.3.1 on Ubuntu 12.10 x86_64. I followed the
guide here (http://www.snort.org/assets/158/snortinstallguide293.pdf) and
didn't have any issues when installing packages/configuring configuration
files. I can see that the interface I have Snort configured to listen on is
receiving data and a few of the snort.u2 logs are not 0 bytes. There are 4
of them that are, and the barnyard2.waldo file is 0 bytes as well. When I go
into the snort database and do a SELECT * FROM on any of the tables, they
all return Empty set (0.00 sec). So when I go to look on Snort Report I do
not see any data because, as I understand it, Snort Report is reading data
from the MySQL database.

 

I'm not sure what I may have misconfigured; any assistance would be
appreciated. If you need any additional information, please let me know.

 

Thanks

 

----------------------------------------------------------------------------
--
Monitor your physical, virtual and cloud infrastructure from a single
web console. Get in-depth insight into apps, servers, databases, vmware,
SAP, cloud infrastructure, etc. Download 30-day Free Trial.
Pricing starts from $795 for 25 servers or applications!
http://p.sf.net/sfu/zoho_dev2dev_nov
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort
news!




-- 
when does reality end? when does fantasy begin?

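The four checks in Tony's list (unified2 directory ownership and empty files, the barnyard2 waldo bookmark, the database credentials shared by barnyard2.conf and srconf.php, the schema, and syslog) are easy to get wrong one at a time, so here is the same checklist as a read-only script. This is an added example written for this page, not code from the thread, the Snort project or Autosnort. Every path, user name and file layout in it is an assumption taken from the install guide under discussion (/var/log/snort, a user named snort, /etc/snort/barnyard2.conf, /var/www/snortreport-1.3.3/srconf.php), as are the parsing rules: it assumes the stock `output database: log, mysql, user=... password=... dbname=...` line in barnyard2.conf, the double-quoted `$pass = "...";` form in srconf.php, and the `event` and `sensor` tables of the barnyard2 MySQL schema. Override the variables at the top to match your box.

```shell
#!/bin/sh
# check_snort_pipeline.sh (added example, not from the thread or the Snort project)
# Read-only checks for the snort -> unified2 -> barnyard2 -> MySQL -> Snort Report chain.
# Every path, user name and file layout below is an assumption taken from the install
# guide discussed in the thread; override via environment variables to match your box.

LOG_DIR="${LOG_DIR:-/var/log/snort}"                  # unified2 output directory
SNORT_USER="${SNORT_USER:-snort}"                      # user snort/barnyard2 drop to
BY2_CONF="${BY2_CONF:-/etc/snort/barnyard2.conf}"
SRCONF="${SRCONF:-/var/www/snortreport-1.3.3/srconf.php}"
SYSLOG="${SYSLOG:-/var/log/syslog}"
DB_USER="${DB_USER:-snort}"
DB_NAME="${DB_NAME:-snort}"

# 1a) Are both daemons up? barnyard2 has to run alongside snort to move records.
check_running() {
    rc=0
    for p in snort barnyard2; do
        if pgrep -x "$p" >/dev/null 2>&1; then echo "$p: running"
        else echo "$p: NOT running"; rc=1; fi
    done
    return $rc
}

# 1b) Is the log dir, and everything in it, owned by $2? Prints offenders, returns 1 if any.
check_log_perms() {
    dir="$1"; owner="$2"; bad=0
    for f in "$dir" "$dir"/*; do
        [ -e "$f" ] || continue
        o=$(ls -ld "$f" | awk '{print $3}')
        if [ "$o" != "$owner" ]; then echo "owned by $o, not $owner: $f"; bad=1; fi
    done
    return $bad
}

# 1c) How many unified2 files (snort.u2.<timestamp>) are zero bytes? Prints the count.
count_empty_unified2() {
    n=0
    for f in "$1"/snort.u2.*; do
        [ -e "$f" ] || continue
        [ -s "$f" ] || n=$((n+1))
    done
    echo "$n"
}

# 1d) An empty waldo file means barnyard2 never wrote a bookmark, i.e. it processed nothing.
check_waldo() { [ -s "$1" ]; }

# 2/3) Pull the DB password barnyard2 writes with and the one Snort Report reads with.
# Assumes the stock 'output database: log, mysql, user=... password=... dbname=...' line
# and the double-quoted '$pass = "...";' form in srconf.php (adjust if yours differ).
by2_db_password()    { sed -n 's/^output database:.*password=\([^ ]*\).*/\1/p' "$1" | head -n 1; }
srconf_db_password() { sed -n 's/^[$]pass[[:space:]]*=[[:space:]]*"\([^"]*\)".*/\1/p' "$1" | head -n 1; }

# Returns 0 only if both files yield the same, non-empty password.
passwords_match() {
    a=$(by2_db_password "$1"); b=$(srconf_db_password "$2")
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# 2/3) Log in with the Snort Report credentials and look for the barnyard2 schema.
# The password goes in a 0600 temp file: 'mysql -p<pass>' on the command line shows
# it to every local user in ps output.
check_db() {
    command -v mysql >/dev/null 2>&1 || { echo "mysql client not in PATH"; return 2; }
    cnf=$(mktemp) && chmod 600 "$cnf"
    printf '[client]\nuser=%s\npassword=%s\n' "$DB_USER" "$DB_PASS" > "$cnf"
    mysql --defaults-extra-file="$cnf" "$DB_NAME" \
        -e 'SHOW TABLES; SELECT COUNT(*) AS events FROM event; SELECT COUNT(*) AS sensors FROM sensor;'
    rc=$?; rm -f "$cnf"; return $rc
}

# 4) Lines in $1 that mention snort or barnyard AND look like a problem.
pipeline_log_errors() {
    grep -iE 'snort|barnyard' "$1" | grep -iE 'error|fatal|fail|warn|denied'
}

run_all_checks() {
    echo "== processes =="; check_running
    echo "== $LOG_DIR ownership (want $SNORT_USER) =="
    check_log_perms "$LOG_DIR" "$SNORT_USER" && echo "ok"
    echo "empty unified2 files: $(count_empty_unified2 "$LOG_DIR")"
    if check_waldo "$LOG_DIR/barnyard2.waldo"; then echo "waldo: has a bookmark"
    else echo "waldo: EMPTY or missing"; fi
    echo "== credentials =="
    if passwords_match "$BY2_CONF" "$SRCONF"; then echo "barnyard2.conf and srconf.php agree"
    else echo "MISMATCH (or could not parse) between $BY2_CONF and $SRCONF"; fi
    DB_PASS="${DB_PASS:-$(srconf_db_password "$SRCONF")}"
    echo "== database =="; check_db
    echo "== recent syslog problems =="; pipeline_log_errors "$SYSLOG" | tail -n 20
}

# Only defines functions unless invoked as: sh check_snort_pipeline.sh --run
if [ "${1:-}" = "--run" ]; then run_all_checks; fi
```

Run it as root (or as a user that can read the log directory and syslog) with `--run`; each section maps to one numbered item in the reply above. Two things to read carefully in the output: a non-empty unified2 file together with an empty waldo points at barnyard2 (not running, wrong -d/-f/-w options, or no permission on the directory), while a waldo that advances but an `event` count of 0 points at the output database line or a missing schema.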