Snort mailing list archives

Re: Snort report not showing any data - not sure if Snort is working


From: Tony Robinson <deusexmachina667 () gmail com>
Date: Fri, 16 Nov 2012 18:24:33 -0500

forgot to CC snort users here.

The current script I have for CentOS 6/RHEL 6 will, to my knowledge, NOT work
on CentOS/RHEL 5. I would have to spin up a CentOS 5 VM to test that, or if
any of you would like to tackle that, be my guest and post results -- pics or
it didn't happen :)

Regards,

DA

On Fri, Nov 16, 2012 at 5:58 PM, Tony Robinson
<deusexmachina667 () gmail com> wrote:

Apologies sir,

but I do not have one for RHEL 5, unfortunately. If I have a bit of time
coming up, I can try to spin up a CentOS 5 VM to build a script with.

-Tony


On Fri, Nov 16, 2012 at 5:27 PM, k vijay sai prashanth <
vijaysaiprashanth () gmail com> wrote:

Do you have the script for RHEL 5?


On Sat, Nov 17, 2012 at 1:59 AM, Joe Nunham <jnunham () parishsoft com> wrote:

Hi all,

I ran the script and it installed and got Snort up and running. I did
have to grant the snort user permission to the MySQL database and reboot in
order for it to work, though; not sure if I missed a step somewhere along
the lines. Thanks for the suggestion and the awesome script.


Joe


*From:* Tony Robinson [mailto:deusexmachina667 () gmail com]
*Sent:* Thursday, November 15, 2012 7:08 PM
*To:* Joe Nunham
*Cc:* snort-users () lists sourceforge net
*Subject:* Re: [Snort-users] Snort report not showing any data - not
sure if Snort is working


Just wanted to post a quick update here for Joe and everyone else: the
Autosnort script I posted for Ubuntu 12.04 is indeed compatible with
Ubuntu 12.10 and performs wonderfully. These are screen caps post-install
after throwing an Armitage Hail Mary against an OWASP BWA virtual machine
and Metasploitable 2 with exploit rank set to poor. I think it works.

Cheers,

DA

On Thu, Nov 15, 2012 at 6:06 PM, Tony Robinson
<deusexmachina667 () gmail com> wrote:

As much as I don't want to sound like someone selling snake oil, I have
a script called Autosnort that completes the entire Snort installation for
you. If you want to try it out, take a look at:
https://github.com/da667/Autosnort/tree/master/Autosnort%20-%20Ubuntu

Note: the script says Ubuntu 12.04. While I haven't officially tested it
against 12.10 (I'm downloading it as we speak to run the script and ensure
compatibility), I have no reason to believe there would be any issues
running the script against Ubuntu 12.10.

If you're not comfortable running the script, however, there are a number
of areas I would recommend checking:

1) Where are your unified files being logged to? The guide you are
referring to logs them to /var/log/snort; can you verify that, and also do an
ls -l and verify that the snort user and group have permissions on the
directory and ALL the files contained within? Can you confirm that barnyard
is installed and running while Snort is running? What command options are
you giving to barnyard? What command options are you giving Snort? Are you
making it drop privilege to the snort user and group?

2) Regarding the database install, check
/var/www/snortreport-1.3.3/srconf.php -- there are lines that need to know
the password of the snort database user to read from the database. Confirm
that you input the correct credentials by logging into the database as the
snort user (mysql -u[snort user] -p[snort user pass] [database name,
usually snort]) and try performing a SELECT and/or a SHOW TABLES as the
snort user.

3) You indicate the data isn't in the database at all. Did you install
the Snort database schema for barnyard? The SHOW TABLES command above
should more than confirm that. Was barnyard2 compiled with --with-mysql
(or the database you are using as a backend)? Was it compiled to point to
the proper folder for the libmysqlclient library
(--with-mysql-libraries=/usr/lib/x86_64-linux-gnu)? What does your
barnyard2.conf look like? Specifically, check your output database line to
make sure that the snort database user and password there are exactly the
same as the ones used for srconf.php.

4) Is there anything in /var/log/messages or syslog that indicates a
problem with Snort OR barnyard running?

I hope this gives you enough to chew on. Message me on or offlist if you
have questions -- I can't always guarantee a fast response, though.

DA
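For check 1 above, the first thing to establish is whether the snort.u2.* spool files actually contain alert records before digging into barnyard2 and MySQL. The reader below is an added example written for this thread, not code from Snort, barnyard2 or Autosnort. The record framing (a 4-byte type and 4-byte length, network byte order, then the body) and the IDS-event field layouts follow Snort's Unified2_common.h; the script name u2check.py, the sample bytes in build_sample(), and the default /var/log/snort path and snort.u2 prefix (the guide's defaults) are assumptions you can change.

```python
#!/usr/bin/env python3
"""u2check.py: inspect Snort unified2 spool files before blaming barnyard2 or MySQL.

Added example for this mailing-list thread, not Snort or barnyard2 code.
Record types and event layouts follow Snort's sfunified2/Unified2_common.h.
"""
import glob
import os
import socket
import struct

# Record types, per Snort's Unified2_common.h
U2_PACKET = 2
U2_IDS_EVENT = 7             # IPv4 event, 52-byte body
U2_IDS_EVENT_IPV6 = 72       # IPv6 event, 76-byte body
U2_IDS_EVENT_VLAN = 104      # IPv4 event + MPLS label / VLAN id, 60-byte body
U2_IDS_EVENT_IPV6_VLAN = 105
U2_EXTRA_DATA = 110
EVENT_TYPES = {U2_IDS_EVENT, U2_IDS_EVENT_IPV6, U2_IDS_EVENT_VLAN, U2_IDS_EVENT_IPV6_VLAN}
IPV6_TYPES = {U2_IDS_EVENT_IPV6, U2_IDS_EVENT_IPV6_VLAN}

RECORD_HDR = struct.Struct("!II")        # type, length (network byte order)
EVENT_FIXED = struct.Struct("!9I")       # sensor_id, event_id, event_second, event_usec,
                                         # sig_id, gen_id, sig_rev, class_id, priority
PORTS_PROTO = struct.Struct("!HHBBBB")   # sport_itype, dport_icode, protocol,
                                         # impact_flag, impact, blocked


def iter_records(data):
    """Yield (type, body) per complete record; a partial tail yields (None, tail).

    Snort appends to the live spool file, so one short tail on the newest
    file is normal and not by itself a fault.
    """
    off = 0
    while off + RECORD_HDR.size <= len(data):
        rtype, length = RECORD_HDR.unpack_from(data, off)
        start = off + RECORD_HDR.size
        if start + length > len(data):
            yield None, data[off:]
            return
        yield rtype, data[start:start + length]
        off = start + length
    if off < len(data):          # fewer than 8 bytes left: partial header
        yield None, data[off:]


def parse_event(rtype, body):
    """Decode the fields barnyard2 would hand to its database output plugin."""
    f = EVENT_FIXED.unpack_from(body, 0)
    off = EVENT_FIXED.size
    if rtype in IPV6_TYPES:
        src = socket.inet_ntop(socket.AF_INET6, body[off:off + 16])
        dst = socket.inet_ntop(socket.AF_INET6, body[off + 16:off + 32])
        off += 32
    else:
        src = socket.inet_ntop(socket.AF_INET, body[off:off + 4])
        dst = socket.inet_ntop(socket.AF_INET, body[off + 4:off + 8])
        off += 8
    sport, dport, proto, _impact_flag, _impact, blocked = PORTS_PROTO.unpack_from(body, off)
    return {"sensor_id": f[0], "event_id": f[1], "event_second": f[2],
            "gid": f[5], "sid": f[4], "rev": f[6], "class_id": f[7], "priority": f[8],
            "src": src, "dst": dst, "sport": sport, "dport": dport,
            "proto": proto, "blocked": blocked}


def summarize(data):
    """Count record kinds in one spool file and decode its alert events."""
    s = {"events": 0, "packets": 0, "other": 0, "truncated": 0, "decoded": []}
    for rtype, body in iter_records(data):
        if rtype is None:
            s["truncated"] += 1
        elif rtype in EVENT_TYPES:
            s["events"] += 1
            s["decoded"].append(parse_event(rtype, body))
        elif rtype == U2_PACKET:
            s["packets"] += 1
        else:
            s["other"] += 1
    return s


def check_spool(directory="/var/log/snort", prefix="snort.u2"):
    """Summarize every spool file, with owner uid/gid so permissions can be checked too."""
    results = {}
    for path in sorted(glob.glob(os.path.join(directory, prefix + ".*"))):
        with open(path, "rb") as fh:
            s = summarize(fh.read())
        st = os.stat(path)
        s["uid"], s["gid"], s["size"] = st.st_uid, st.st_gid, st.st_size
        results[path] = s
    return results


def build_sample():
    """Constructed sample: one IPv4 event, one packet record, then a half-written record."""
    evt = (EVENT_FIXED.pack(1, 1, 1353000000, 123456, 2100498, 1, 7, 3, 2)
           + socket.inet_aton("10.0.0.5") + socket.inet_aton("10.0.0.9")
           + PORTS_PROTO.pack(4444, 80, 6, 0, 0, 0))
    payload = b"\xde\xad\xbe\xef"
    pkt = struct.pack("!7I", 1, 1, 1353000000, 1353000000, 123456, 1, len(payload)) + payload
    return (RECORD_HDR.pack(U2_IDS_EVENT, len(evt)) + evt
            + RECORD_HDR.pack(U2_PACKET, len(pkt)) + pkt
            + RECORD_HDR.pack(U2_IDS_EVENT, 52) + evt[:10])


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        for path, s in check_spool(sys.argv[1]).items():
            print(path, {k: v for k, v in s.items() if k != "decoded"})
    else:
        print(summarize(build_sample()))
```

Run it as the snort user (python3 u2check.py /var/log/snort) so a permission error surfaces the same way it would for barnyard2. If every file reports zero events, Snort is not alerting (interface, HOME_NET or rules), and no database setting will fix Snort Report. If the files do hold events while the waldo file stays empty and the tables stay empty, barnyard2 is the piece that never processed them, which points at its command line, its output database line, or the database grant Joe ended up having to add. A single truncated tail on the newest file is just the record Snort is writing right now; uid/gid that are not snort:snort on the directory or any file is the case check 1 warns about.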



On Thu, Nov 15, 2012 at 3:53 PM, Joe Nunham <jnunham () parishsoft com>
wrote:

Hello,

I recently installed Snort 2.9.3.1 on Ubuntu 12.10 x86_64. I followed
the guide here (http://www.snort.org/assets/158/snortinstallguide293.pdf)
and didn’t have any issues when installing packages/configuring
configuration files. I can see that the interface I have Snort configured
to listen on is receiving data and a few of the snort.u2 logs are not 0
bytes. There are 4 of them that are and the barnyard2.waldo file is 0 bytes
as well. When I go in to the snort database and do a SELECT * FROM on any
of the tables they all return Empty set (0.00 sec). So when I go to look on
Snort report I do not see any data because as I understand it, Snort report
is reading data from the MySQL database.


I'm not sure what I may have misconfigured; any assistance would be
appreciated. If you need any additional information, please let me know.


Thanks


------------------------------------------------------------------------------
Monitor your physical, virtual and cloud infrastructure from a single
web console. Get in-depth insight into apps, servers, databases, vmware,
SAP, cloud infrastructure, etc. Download 30-day Free Trial.
Pricing starts from $795 for 25 servers or applications!
http://p.sf.net/sfu/zoho_dev2dev_nov
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest
Snort news!




--
when does reality end? when does fantasy begin?






