Re: Snort Install successful - Need a proper database

[k vijay sai prashanth <vijaysaiprashanth () gmail com>]

All resolved now. Each time I start barnyard2 the events count is
incremented. So barnyard2 is feeding the events from snort to the mysql
database. Thanks Ron. Appreciate the advise. Sadly I am not sure which of
the steps rectified the issue.

The following are the changes I made which caused the installation to be
successful:

1. output alert_fast to output alert_fast: stdout.
2. change is barnyard.conf
3. Did a make clean on the barnyard2 installation and then did the
./configure --with-mysql.
4. changed the variables config hostname from thor to localhost.
5. And make sure when you run barnyard2 using the below command the snort
process must already be running.

Regards,
Prashanth


On Wed, Nov 21, 2012 at 9:28 PM, Ron Sinclair <unixfool () gmail com> wrote:

> I didn't mess with the config hostname entry within barnyard2.conf, so I
> don't know...working fine for me regardless.
>
> To run snort as a background process, use -D (for daemon).  I believe the
> same applies for BY2.
>
> And congrats on now getting events.  I'm not sure about the count being
> stuck, but hopefully, you'll resolve that with a restart.
>
>
> On Wed, Nov 21, 2012 at 10:49 AM, k vijay sai prashanth <
> vijaysaiprashanth () gmail com> wrote:
>
> > I have got some events now. But the count seems to be stuck at a specific
> > value.
> >
> > Will restart snort and update the status.
> >
> > Regards,
> > Prashanth
> >
> >
> > On Wed, Nov 21, 2012 at 9:09 PM, k vijay sai prashanth <
> > vijaysaiprashanth () gmail com> wrote:
> >
> > > Is it also critical to change the below variables in  barnyard2.conf??
> > >
> > > config hostname: localhost config interface: eth2
> > >
> > > I have executed all of these configurations. Still no events in mysql
> > > database. :(
> > >
> > > Where could I be going wrong?
> > >
> > > And what is the command for having snort run as a background process
> > > [daemon] and restart when the server restarts?
> > >
> > >
> > > Regards,
> > > Prashanth
> > >
> > >
> > > On Wed, Nov 21, 2012 at 8:28 AM, Ron Sinclair <unixfool () gmail com>wrote:
> > >
> > > > I also forgot to add that snort.conf might also need some editing,
> > > > specifically the "configure output plugins" section:
> > > >
> > > > Edit the "unified2" section to your liking.  I use:
> > > >
> > > > output unified2: filename snort.u2, limit 128
> > > >
> > > > Edit the database section.  Specifically, comment out "include
> > > > database.conf" (I think it's uncommented by default).  That way, it
> > > > disables the plugin for Snort (BY2 will be configured with the database
> > > > details so that it can input the alerts into the database).
> > > >
> > > > --
> > > > Ron
> > > >
> > > >
> > > > On Tue, Nov 20, 2012 at 9:02 PM, Ron Sinclair <unixfool () gmail com>wrote:
> > > >
> > > > > Prashanth,
> > > > >
> > > > > I use the same BY2 startup command as you, so I think you're OK with
> > > > > that.
> > > > >
> > > > > In barnyard.conf, I've used the following (I edited only those, and
> > > > > left everything else as default, for now):
> > > > >
> > > > > ===
> > > > > output alert_fast: stdout
> > > > >
> > > > > output database: alert, mysql, user=snort password=xxxxxx dbname=snort
> > > > > host=localhost
> > > > > ===
> > > > >
> > > > > When I test, I usually test via browser or telnet:
> > > > >
> > > > > http://localhost/root.exe (or cmd.exe)
> > > > > telnet localhost root.exe (or cmd.exe)
> > > > >
> > > > > Those two commands will trigger CodeRed or Nimda sigs, if they're
> > > > > enabled.  If not enabled, I'll sometimes run a simple Nmap scan (nmap
> > > > > localhost) if I don't have any luck with the previous commands, which
> > > > > triggers SNMP sigs for me.  I then check the database, and I usually see
> > > > > the triggered signatures.
> > > > >
> > > > > I hope that helps.
> > > > >
> > > > > --
> > > > > Ron
> > > > >
> > > > >
> > > > > On Tue, Nov 20, 2012 at 4:57 PM, k vijay sai prashanth <
> > > > > vijaysaiprashanth () gmail com> wrote:
> > > > >
> > > > > > Yes. I've made sure that snort is functioning properly and logging
> > > > > > alerts onto the snort.log files.
> > > > > >
> > > > > > Barnyard2 is working too. When I enter the command which I got from
> > > > > > an installation guide:
> > > > > >
> > > > > > /usr/local/bin/barnyard2 -c /etc/snort/barnyard2.conf -d
> > > > > > /var/log/snort -f snort.log -w /etc/snort/bylog.waldo -G
> > > > > > /etc/snort/gen-msg.map -S /etc/snort/sid-msg.map -C
> > > > > > /etc/snort/classification.config
> > > > > >
> > > > > > I get an output shown below:
> > > > > >
> > > > > >  --== Initialization Complete ==--
> > > > > >
> > > > > >   ______   -*> Barnyard2 <*-
> > > > > >  / ,,_  \  Version 2.1.9 (Build 263)
> > > > > >  |o"  )~|  By the SecurixLive.com Team:
> > > > > > http://www.securixlive.com/about.php
> > > > > >  + '''' +  (C) Copyright 2008-2010 SecurixLive.
> > > > > >
> > > > > >            Snort by Martin Roesch & The Snort Team:
> > > > > > http://www.snort.org/team.html
> > > > > >            (C) Copyright 1998-2007 Sourcefire Inc., et al.
> > > > > >
> > > > > > Using waldo file '/etc/snort/bylog.waldo':
> > > > > >     spool directory = /var/log/snort
> > > > > >     spool filebase  = snort.log
> > > > > >     time_stamp      = 1353441428
> > > > > >     record_idx      = 25592
> > > > > > Opened spool file '/var/log/snort/snort.log.1353441428'
> > > > > >
> > > > > >
> > > > > > But I see that the mysql tables are still empty. Can someone tell me
> > > > > > how to have barnyard2 log events into the tables?
> > > > > > I've compiled barnyard2 with mysql. [./configure --with-mysql]
> > > > > >
> > > > > > Regards,
> > > > > > Prashanth
> > > > > >
> > > > > >
> > > > > > ------------------------------------------------------------------------------
> > > > > > Monitor your physical, virtual and cloud infrastructure from a single
> > > > > > web console. Get in-depth insight into apps, servers, databases,
> > > > > > vmware,
> > > > > > SAP, cloud infrastructure, etc. Download 30-day Free Trial.
> > > > > > Pricing starts from $795 for 25 servers or applications!
> > > > > > http://p.sf.net/sfu/zoho_dev2dev_nov
> > > > > > _______________________________________________
> > > > > > Snort-users mailing list
> > > > > > Snort-users () lists sourceforge net
> > > > > > Go to this URL to change user options or unsubscribe:
> > > > > > https://lists.sourceforge.net/lists/listinfo/snort-users
> > > > > > Snort-users list archive:
> > > > > > http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
> > > > > >
> > > > > > Please visit http://blog.snort.org to stay current on all the latest
> > > > > > Snort news!
------------------------------------------------------------------------------
Monitor your physical, virtual and cloud infrastructure from a single
web console. Get in-depth insight into apps, servers, databases, vmware,
SAP, cloud infrastructure, etc. Download 30-day Free Trial.
Pricing starts from $795 for 25 servers or applications!
http://p.sf.net/sfu/zoho_dev2dev_nov

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!