Snort mailing list archives

Re: I'm having trouble configuring Snort as a Daemon


From: Trevor Thompson <trevthom18 () gmail com>
Date: Tue, 12 Aug 2014 11:37:09 -0700

Thank you for the advice! After recursively removing the original
/var/log/snort directory (whose permissions were set to a different user at
first) and recreating the directory with a new user in control I was able
to fix my problem! Thanks again for your help!

Trevor


On Tue, Aug 12, 2014 at 10:03 AM, Robert Millott <robm () millottandassociates com> wrote:

From looking at your logs, it looks like your spool file cannot be opened
(permission denied)

 Opened spool file '/var/log/snort/merged.log.1407259400'
Aug 12 09:15:23 localhost barnyard2[8142]: ERROR: Unable to open log spool
file '/var/log/snort/merged.log.1407259400' (Permission denied)
Aug 12 09:15:23 localhost barnyard2[8142]: Closing spool file
'/var/log/snort/merged.log.1407259400'. Read 0 records
Aug 12 09:15:23 localhost barnyard2[8142]: ERROR: Unable to create spooler!

Check the permissions on /var/log/snort and make sure whatever user is
running snort can write to that directory.

Rob M


On Tue, Aug 12, 2014 at 12:52 PM, Trevor Thompson <trevthom18 () gmail com> wrote:

Hey Bill,

Thanks for the reply. I would've responded sooner but I needed to access
my work computer in order to be able to access the logs.

Anyway, here are the contents of the log, beginning after I
attempted to run Snort and Barnyard2 today:

Aug 12 09:14:06 localhost barnyard2[8140]: Running in Continuous mode
Aug 12 09:14:06 localhost barnyard2[8140]:
Aug 12 09:14:06 localhost barnyard2[8140]:         --== Initializing
Barnyard2 ==--
Aug 12 09:14:06 localhost barnyard2[8140]: Initializing Input Plugins!
Aug 12 09:14:06 localhost barnyard2[8140]: Initializing Output Plugins!
Aug 12 09:14:06 localhost barnyard2[8140]: Parsing config file
"/etc/snort/barnyard2.conf"
Aug 12 09:14:06 localhost barnyard2[8140]: #012#012+[ Signature Suppress
list ]+#012----------------------------
Aug 12 09:14:06 localhost barnyard2[8140]: +[No entry in Signature
Suppress List]+
Aug 12 09:14:06 localhost barnyard2[8140]:
----------------------------#012+[ Signature Suppress list ]+#012
Aug 12 09:14:22 localhost barnyard2[8140]: Barnyard2 spooler: Event cache
size set to [2048]
Aug 12 09:14:22 localhost barnyard2[8140]: Log directory =
/var/log/barnyard2
Aug 12 09:14:22 localhost barnyard2[8140]: INFO database: Defaulting
Reconnect/Transaction Error limit to 10
Aug 12 09:14:22 localhost barnyard2[8140]: INFO database: Defaulting
Reconnect sleep time to 5 second
Aug 12 09:14:22 localhost barnyard2[8140]: Initializing daemon mode
Aug 12 09:14:22 localhost barnyard2[8140]: Daemon parent exiting
Aug 12 09:14:22 localhost barnyard2[8142]: Daemon initialized, signaled
parent pid: 8140
Aug 12 09:14:22 localhost barnyard2[8142]: PID path stat checked out ok,
PID path set to /var/run/
Aug 12 09:14:22 localhost barnyard2[8142]: Writing PID "8142" to file
"/var/run//barnyard2_eth0.pid"
Aug 12 09:14:33 localhost snort[8163]: Running in IDS mode
Aug 12 09:14:33 localhost snort[8163]:
Aug 12 09:14:33 localhost snort[8163]:         --== Initializing Snort
==--
Aug 12 09:14:33 localhost snort[8163]: Initializing Output Plugins!
Aug 12 09:14:33 localhost snort[8163]: Initializing Preprocessors!
Aug 12 09:14:33 localhost snort[8163]: Initializing Plug-ins!
Aug 12 09:14:33 localhost snort[8163]: Parsing Rules file
"/etc/snort/snort.conf"
Aug 12 09:14:34 localhost snort[8163]: PortVar 'HTTP_PORTS' defined :
Aug 12 09:14:34 localhost snort[8163]:  [ 36 80:90 311 383 555 591 593
631 801 808 818 901 972 1158 1220 1414 1533 1741 1830 1942 2231 2301 2381
2809 2980 3029 3037 3057 3128 3443 3702 4000 4343 4848 5000 5117 5250 5600
6080 6173 6988 7000:7001 7071 7144:7145 7510 7770 7777:7779 8000 8008 8014
8028 8080:8082 8085 8088 8090 8118 8123 8180:8181 8222 8243 8280 8300 8333
8344 8500 8509 8800 8888 8899 8983 9000 9060 9080 9090:9091 9111 9290 9443
9999:10000 11371 12601 13014 15489 29991 33300 34412 34443:34444 41080
44449 50000 50002 51423 53331 55252 55555 56712 ]
Aug 12 09:14:34 localhost snort[8163]:
Aug 12 09:14:34 localhost snort[8163]: PortVar 'SHELLCODE_PORTS' defined
:
Aug 12 09:14:34 localhost snort[8163]:  [ 0:79 81:65535 ]
Aug 12 09:14:34 localhost snort[8163]:
Aug 12 09:14:34 localhost snort[8163]: PortVar 'ORACLE_PORTS' defined :
Aug 12 09:14:34 localhost snort[8163]:  [ 1024:65535 ]
Aug 12 09:14:34 localhost snort[8163]:
Aug 12 09:14:34 localhost snort[8163]: PortVar 'SSH_PORTS' defined :
Aug 12 09:14:34 localhost snort[8163]:  [ 22 ]
Aug 12 09:14:34 localhost snort[8163]:
Aug 12 09:14:34 localhost snort[8163]: PortVar 'FTP_PORTS' defined :
Aug 12 09:14:34 localhost snort[8163]:  [ 21 2100 3535 ]
Aug 12 09:14:34 localhost snort[8163]:
Aug 12 09:14:34 localhost snort[8163]: PortVar 'SIP_PORTS' defined :
Aug 12 09:14:34 localhost snort[8163]:  [ 5060:5061 5600 ]
Aug 12 09:14:34 localhost snort[8163]:
Aug 12 09:14:34 localhost snort[8163]: PortVar 'FILE_DATA_PORTS' defined
:
Aug 12 09:14:34 localhost snort[8163]:  [ 36 80:90 110 143 311 383 555
591 593 631 801 808 818 901 972 1158 1220 1414 1533 1741 1830 1942 2231
2301 2381 2809 2980 3029 3037 3057 3128 3443 3702 4000 4343 4848 5000 5117
5250 5600 6080 6173 6988 7000:7001 7071 7144:7145 7510 7770 7777:7779 8000
8008 8014 8028 8080:8082 8085 8088 8090 8118 8123 8180:8181 8222 8243 8280
8300 8333 8344 8500 8509 8800 8888 8899 8983 9000 9060 9080 9090:9091 9111
9290 9443 9999:10000 11371 12601 13014 15489 29991 33300 34412 34443:34444
41080 44449 50000 50002 51423 53331 55252 55555 56712 ]
Aug 12 09:14:34 localhost snort[8163]:
Aug 12 09:14:34 localhost snort[8163]: PortVar 'GTP_PORTS' defined :
Aug 12 09:14:34 localhost snort[8163]:  [ 2123 2152 3386 ]
Aug 12 09:14:34 localhost snort[8163]:
Aug 12 09:14:34 localhost snort[8163]: Detection:
Aug 12 09:14:34 localhost snort[8163]:    Search-Method = AC-Full-Q
Aug 12 09:14:34 localhost snort[8163]:     Split Any/Any group = enabled
Aug 12 09:14:34 localhost snort[8163]:     Search-Method-Optimizations =
enabled
Aug 12 09:14:34 localhost snort[8163]:     Maximum pattern length = 20
Aug 12 09:14:34 localhost snort[8163]: Tagged Packet Limit: 256
Aug 12 09:14:34 localhost snort[8163]: Loading dynamic engine
/usr/local/lib/snort_dynamicengine/libsf_engine.so...
Aug 12 09:14:34 localhost snort[8163]: done
Aug 12 09:14:34 localhost snort[8163]: Loading all dynamic preprocessor
libs from /usr/local/lib/snort_dynamicpreprocessor/...
Aug 12 09:14:34 localhost snort[8163]:   Loading dynamic preprocessor
library /usr/local/lib/snort_dynamicpreprocessor//libsf_imap_preproc.so...
Aug 12 09:14:34 localhost snort[8163]: done
Aug 12 09:14:34 localhost snort[8163]:   Loading dynamic preprocessor
library /usr/local/lib/snort_dynamicpreprocessor//libsf_ssl_preproc.so...
Aug 12 09:14:34 localhost snort[8163]: done
Aug 12 09:14:34 localhost snort[8163]:   Loading dynamic preprocessor
library /usr/local/lib/snort_dynamicpreprocessor//libsf_ssh_preproc.so...
Aug 12 09:14:34 localhost snort[8163]: done
Aug 12 09:14:34 localhost snort[8163]:   Loading dynamic preprocessor
library /usr/local/lib/snort_dynamicpreprocessor//libsf_gtp_preproc.so...
Aug 12 09:14:34 localhost snort[8163]: done
Aug 12 09:14:34 localhost snort[8163]:   Loading dynamic preprocessor
library /usr/local/lib/snort_dynamicpreprocessor//libsf_dns_preproc.so...
Aug 12 09:14:34 localhost snort[8163]: done
Aug 12 09:14:34 localhost snort[8163]:   Loading dynamic preprocessor
library /usr/local/lib/snort_dynamicpreprocessor//libsf_dnp3_preproc.so...
Aug 12 09:14:34 localhost snort[8163]: done
Aug 12 09:14:34 localhost snort[8163]:   Loading dynamic preprocessor
library
/usr/local/lib/snort_dynamicpreprocessor//libsf_reputation_preproc.so...
Aug 12 09:14:34 localhost snort[8163]: done
Aug 12 09:14:34 localhost snort[8163]:   Loading dynamic preprocessor
library /usr/local/lib/snort_dynamicpreprocessor//libsf_smtp_preproc.so...
Aug 12 09:14:34 localhost snort[8163]: done
Aug 12 09:14:34 localhost snort[8163]:   Loading dynamic preprocessor
library
/usr/local/lib/snort_dynamicpreprocessor//libsf_ftptelnet_preproc.so...
Aug 12 09:14:35 localhost snort[8163]: done
Aug 12 09:14:35 localhost snort[8163]:   Loading dynamic preprocessor
library /usr/local/lib/snort_dynamicpreprocessor//libsf_sip_preproc.so...
Aug 12 09:14:35 localhost snort[8163]: done
Aug 12 09:14:35 localhost snort[8163]:   Loading dynamic preprocessor
library /usr/local/lib/snort_dynamicpreprocessor//libsf_sdf_preproc.so...
Aug 12 09:14:35 localhost snort[8163]: done
Aug 12 09:14:35 localhost snort[8163]:   Loading dynamic preprocessor
library
/usr/local/lib/snort_dynamicpreprocessor//libsf_modbus_preproc.so...
Aug 12 09:14:35 localhost snort[8163]: done
Aug 12 09:14:35 localhost snort[8163]:   Loading dynamic preprocessor
library /usr/local/lib/snort_dynamicpreprocessor//libsf_pop_preproc.so...
Aug 12 09:14:35 localhost snort[8163]: done
Aug 12 09:14:35 localhost snort[8163]:   Loading dynamic preprocessor
library /usr/local/lib/snort_dynamicpreprocessor//libsf_dce2_preproc.so...
Aug 12 09:14:35 localhost snort[8163]: done
Aug 12 09:14:35 localhost snort[8163]:   Finished Loading all dynamic
preprocessor libs from /usr/local/lib/snort_dynamicpreprocessor/
Aug 12 09:14:35 localhost snort[8163]: Log directory = /var/log/snort
Aug 12 09:14:35 localhost snort[8163]: WARNING: ip4 normalizations
disabled because not inline.
Aug 12 09:14:35 localhost snort[8163]: WARNING: tcp normalizations
disabled because not inline.
Aug 12 09:14:35 localhost snort[8163]: WARNING: icmp4 normalizations
disabled because not inline.
Aug 12 09:14:35 localhost snort[8163]: WARNING: ip6 normalizations
disabled because not inline.
Aug 12 09:14:35 localhost snort[8163]: WARNING: icmp6 normalizations
disabled because not inline.
Aug 12 09:14:35 localhost snort[8163]: Frag3 global config:
Aug 12 09:14:35 localhost snort[8163]:     Max frags: 65536
Aug 12 09:14:35 localhost snort[8163]:     Fragment memory cap: 4194304
bytes
Aug 12 09:14:35 localhost snort[8163]: Frag3 engine config:
Aug 12 09:14:35 localhost snort[8163]:     Bound Address: default
Aug 12 09:14:35 localhost snort[8163]:     Target-based policy: WINDOWS
Aug 12 09:14:35 localhost snort[8163]:     Fragment timeout: 180 seconds
Aug 12 09:14:35 localhost snort[8163]:     Fragment min_ttl:   1
Aug 12 09:14:35 localhost snort[8163]:     Fragment Anomalies: Alert
Aug 12 09:14:35 localhost snort[8163]:     Overlap Limit:     10
Aug 12 09:14:35 localhost snort[8163]:     Min fragment Length:     100
Aug 12 09:14:35 localhost snort[8163]: Stream5 global config:
Aug 12 09:14:35 localhost snort[8163]:     Track TCP sessions: ACTIVE
Aug 12 09:14:35 localhost snort[8163]:     Max TCP sessions: 262144
Aug 12 09:14:35 localhost snort[8163]:     TCP cache pruning timeout: 30
seconds
Aug 12 09:14:35 localhost snort[8163]:     TCP cache nominal timeout:
3600 seconds
Aug 12 09:14:35 localhost snort[8163]:     Memcap (for reassembly packet
storage): 8388608
Aug 12 09:14:35 localhost snort[8163]:     Track UDP sessions: ACTIVE
Aug 12 09:14:35 localhost snort[8163]:     Max UDP sessions: 131072
Aug 12 09:14:35 localhost snort[8163]:     UDP cache pruning timeout: 30
seconds
Aug 12 09:14:35 localhost snort[8163]:     UDP cache nominal timeout: 180
seconds
Aug 12 09:14:35 localhost snort[8163]:     Track ICMP sessions: INACTIVE
Aug 12 09:14:35 localhost snort[8163]:     Track IP sessions: INACTIVE
Aug 12 09:14:35 localhost snort[8163]:     Log info if session memory
consumption exceeds 1048576
Aug 12 09:14:35 localhost snort[8163]:     Send up to 2 active responses
Aug 12 09:14:35 localhost snort[8163]:     Wait at least 5 seconds
between responses
Aug 12 09:14:35 localhost snort[8163]:     Protocol Aware Flushing: ACTIVE
Aug 12 09:14:35 localhost snort[8163]:         Maximum Flush Point: 16000
Aug 12 09:14:35 localhost snort[8163]:       Max Expected Streams: 768
Aug 12 09:14:35 localhost snort[8163]: Stream5 TCP Policy config:
Aug 12 09:14:35 localhost snort[8163]:     Bound Address: default
Aug 12 09:14:35 localhost snort[8163]:     Reassembly Policy: WINDOWS
Aug 12 09:14:35 localhost snort[8163]:     Timeout: 180 seconds
Aug 12 09:14:35 localhost snort[8163]:     Limit on TCP Overlaps: 10
Aug 12 09:14:35 localhost snort[8163]:     Maximum number of bytes to
queue per session: 1048576
Aug 12 09:14:35 localhost snort[8163]:     Maximum number of segs to
queue per session: 2621
Aug 12 09:14:35 localhost snort[8163]:     Options:
Aug 12 09:14:35 localhost snort[8163]:         Require 3-Way Handshake:
YES
Aug 12 09:14:35 localhost snort[8163]:         3-Way Handshake Timeout:
180
Aug 12 09:14:35 localhost snort[8163]:         Detect Anomalies: YES
Aug 12 09:14:35 localhost snort[8163]:     Reassembly Ports:
Aug 12 09:14:35 localhost snort[8163]:       21 client (Footprint)
Aug 12 09:14:35 localhost snort[8163]:       22 client (Footprint)
Aug 12 09:14:35 localhost snort[8163]:       23 client (Footprint)
Aug 12 09:14:35 localhost snort[8163]:       25 client (Footprint)
Aug 12 09:14:35 localhost snort[8163]:       36 client (Footprint) server
(Footprint)
Aug 12 09:14:35 localhost snort[8163]:       42 client (Footprint)
Aug 12 09:14:35 localhost snort[8163]:       53 client (Footprint)
Aug 12 09:14:35 localhost snort[8163]:       70 client (Footprint)
Aug 12 09:14:35 localhost snort[8163]:       79 client (Footprint)
Aug 12 09:14:35 localhost snort[8163]:       80 client (Footprint) server
(Footprint)
Aug 12 09:14:35 localhost snort[8163]:       81 client (Footprint) server
(Footprint)
Aug 12 09:14:35 localhost snort[8163]:       82 client (Footprint) server
(Footprint)
Aug 12 09:14:35 localhost snort[8163]:       83 client (Footprint) server
(Footprint)
Aug 12 09:14:35 localhost snort[8163]:       84 client (Footprint) server
(Footprint)
Aug 12 09:14:35 localhost snort[8163]:       85 client (Footprint) server
(Footprint)
Aug 12 09:14:35 localhost snort[8163]:       86 client (Footprint) server
(Footprint)
Aug 12 09:14:35 localhost snort[8163]:       87 client (Footprint) server
(Footprint)
Aug 12 09:14:35 localhost snort[8163]:       88 client (Footprint) server
(Footprint)
Aug 12 09:14:35 localhost snort[8163]:       89 client (Footprint) server
(Footprint)
Aug 12 09:14:35 localhost snort[8163]:       90 client (Footprint) server
(Footprint)
Aug 12 09:14:35 localhost snort[8163]:       additional ports configured
but not printed.
Aug 12 09:14:35 localhost snort[8163]: Stream5 UDP Policy config:
Aug 12 09:14:35 localhost snort[8163]:     Timeout: 180 seconds
Aug 12 09:14:35 localhost snort[8163]: HttpInspect Config:
Aug 12 09:14:35 localhost snort[8163]:     GLOBAL CONFIG
Aug 12 09:14:35 localhost snort[8163]:       Max Pipeline Requests:    0
Aug 12 09:14:35 localhost snort[8163]:       Inspection Type:
STATELESS
Aug 12 09:14:35 localhost snort[8163]:       Detect Proxy Usage:       NO
Aug 12 09:14:35 localhost snort[8163]:       IIS Unicode Map Filename:
/etc/snort/unicode.map
Aug 12 09:14:35 localhost snort[8163]:       IIS Unicode Map Codepage:
1252
Aug 12 09:14:35 localhost snort[8163]:       Memcap used for logging URI
and Hostname: 150994944
Aug 12 09:14:35 localhost snort[8163]:       Max Gzip Memory: 838860
Aug 12 09:14:35 localhost snort[8163]:       Max Gzip Sessions: 5518
Aug 12 09:14:35 localhost snort[8163]:       Gzip Compress Depth: 65535
Aug 12 09:14:35 localhost snort[8163]:       Gzip Decompress Depth: 65535
Aug 12 09:14:35 localhost snort[8163]:     DEFAULT SERVER CONFIG:
Aug 12 09:14:35 localhost snort[8163]:       Server profile: All
Aug 12 09:14:35 localhost snort[8163]:       Ports (PAF): 36 80 81 82 83
84 85 86 87 88 89 90 311 383 555 591 593 631 801 808 818 901 972 1158 1220
1414 1533 1741 1830 1942 2231 2301 2381 2809 2980 3029 3037 3057 3128 3443
3702 4000 4343 4848 5000 5117 5250 5600 6080 6173 6988 7000 7001 7071 7144
7145 7510 7770 7777 7778 7779 8000 8008 8014 8028 8080 8081 8082 8085 8088
8090 8118 8123 8180 8181 8222 8243 8280 8300 8333 8344 8500 8509 8800 8888
8899 8983 9000 9060 9080 9090 9091 9111 9290 9443 9999 10000 11371 12601
13014 15489 29991 33300 34412 34443 34444 41080 44449 50000 50002 51423
53331 55252 55555 56712
Aug 12 09:14:35 localhost snort[8163]:       Server Flow Depth: 0
Aug 12 09:14:35 localhost snort[8163]:       Client Flow Depth: 0
Aug 12 09:14:35 localhost snort[8163]:       Max Chunk Length: 500000
Aug 12 09:14:35 localhost snort[8163]:       Small Chunk Length Evasion:
chunk size <= 10, threshold >= 5 times
Aug 12 09:14:35 localhost snort[8163]:       Max Header Field Length: 750
Aug 12 09:14:35 localhost snort[8163]:       Max Number Header Fields: 100
Aug 12 09:14:35 localhost snort[8163]:       Max Number of WhiteSpaces
allowed with header folding: 200
Aug 12 09:14:35 localhost snort[8163]:       Inspect Pipeline Requests:
YES
Aug 12 09:14:35 localhost snort[8163]:       URI Discovery Strict Mode: NO
Aug 12 09:14:35 localhost snort[8163]:       Allow Proxy Usage: NO
Aug 12 09:14:35 localhost snort[8163]:       Disable Alerting: NO
Aug 12 09:14:35 localhost snort[8163]:       Oversize Dir Length: 500
Aug 12 09:14:35 localhost snort[8163]:       Only inspect URI: NO
Aug 12 09:14:35 localhost snort[8163]:       Normalize HTTP Headers: NO
Aug 12 09:14:35 localhost snort[8163]:       Inspect HTTP Cookies: YES
Aug 12 09:14:35 localhost snort[8163]:       Inspect HTTP Responses: YES
Aug 12 09:14:35 localhost snort[8163]:       Extract Gzip from responses:
YES
Aug 12 09:14:35 localhost snort[8163]:       Unlimited decompression of
gzip data from responses: YES
Aug 12 09:14:35 localhost snort[8163]:       Normalize Javascripts in
HTTP Responses: YES
Aug 12 09:14:35 localhost snort[8163]:       Max Number of WhiteSpaces
allowed with Javascript Obfuscation in HTTP responses: 200
Aug 12 09:14:35 localhost snort[8163]:       Normalize HTTP Cookies: NO
Aug 12 09:14:35 localhost snort[8163]:       Enable XFF and True Client
IP: NO
Aug 12 09:14:35 localhost snort[8163]:       Log HTTP URI data: NO
Aug 12 09:14:35 localhost snort[8163]:       Log HTTP Hostname data: NO
Aug 12 09:14:35 localhost snort[8163]:       Extended ASCII code support
in URI: NO
Aug 12 09:14:35 localhost snort[8163]:       Ascii: YES alert: NO
Aug 12 09:14:35 localhost snort[8163]:       Double Decoding: YES alert:
NO
Aug 12 09:14:35 localhost snort[8163]:       %U Encoding: YES alert: YES
Aug 12 09:14:35 localhost snort[8163]:       Bare Byte: YES alert: NO
Aug 12 09:14:35 localhost snort[8163]:       UTF 8: YES alert: NO
Aug 12 09:14:35 localhost snort[8163]:       IIS Unicode: YES alert: NO
Aug 12 09:14:35 localhost snort[8163]:       Multiple Slash: YES alert: NO
Aug 12 09:14:35 localhost snort[8163]:       IIS Backslash: YES alert: NO
Aug 12 09:14:35 localhost snort[8163]:       Directory Traversal: YES
alert: NO
Aug 12 09:14:35 localhost snort[8163]:       Web Root Traversal: YES
alert: NO
Aug 12 09:14:35 localhost snort[8163]:       Apache WhiteSpace: YES
alert: NO
Aug 12 09:14:35 localhost snort[8163]:       IIS Delimiter: YES alert: NO
Aug 12 09:14:35 localhost snort[8163]:       IIS Unicode Map: GLOBAL IIS
UNICODE MAP CONFIG
Aug 12 09:14:35 localhost snort[8163]:       Non-RFC Compliant
Characters: 0x00 0x01 0x02 0x03 0x04 0x05 0x06 0x07
Aug 12 09:14:35 localhost snort[8163]:       Whitespace Characters: 0x09
0x0b 0x0c 0x0d
Aug 12 09:14:35 localhost snort[8163]: rpc_decode arguments:
Aug 12 09:14:35 localhost snort[8163]:     Ports to decode RPC on: 111
32770 32771 32772 32773 32774 32775 32776 32777 32778 32779
Aug 12 09:14:35 localhost snort[8163]:     alert_fragments: INACTIVE
Aug 12 09:14:35 localhost snort[8163]:     alert_large_fragments: INACTIVE
Aug 12 09:14:35 localhost snort[8163]:     alert_incomplete: INACTIVE
Aug 12 09:14:35 localhost snort[8163]:     alert_multiple_requests:
INACTIVE
Aug 12 09:14:35 localhost rsyslogd-2177: imuxsock begins to drop messages
from pid 8163 due to rate-limiting
Aug 12 09:14:53 localhost rsyslogd-2177: imuxsock lost 256 messages from
pid 8163 due to rate-limiting
Aug 12 09:14:53 localhost snort[8163]:
Aug 12 09:14:53 localhost snort[8163]: [ Port Based Pattern Matching
Memory ]
Aug 12 09:14:53 localhost snort[8163]: +- [ Aho-Corasick Summary ]
-------------------------------------
Aug 12 09:14:53 localhost snort[8163]: | Storage Format    : Full-Q
Aug 12 09:14:53 localhost snort[8163]: | Finite Automaton  : DFA
Aug 12 09:14:53 localhost snort[8163]: | Alphabet Size     : 256 Chars
Aug 12 09:14:53 localhost snort[8163]: | Sizeof State      : Variable
(1,2,4 bytes)
Aug 12 09:14:53 localhost snort[8163]: | Instances         : 169
Aug 12 09:14:53 localhost snort[8163]: |     1 byte states : 159
Aug 12 09:14:53 localhost snort[8163]: |     2 byte states : 10
Aug 12 09:14:53 localhost snort[8163]: |     4 byte states : 0
Aug 12 09:14:53 localhost snort[8163]: | Characters        : 92288
Aug 12 09:14:53 localhost snort[8163]: | States            : 71178
Aug 12 09:14:53 localhost snort[8163]: | Transitions       : 7588084
Aug 12 09:14:53 localhost snort[8163]: | State Density     : 41.6%
Aug 12 09:14:53 localhost snort[8163]: | Patterns          : 5092
Aug 12 09:14:53 localhost snort[8163]: | Match States      : 5685
Aug 12 09:14:53 localhost snort[8163]: | Memory (MB)       : 36.73
Aug 12 09:14:53 localhost snort[8163]: |   Patterns        : 0.56
Aug 12 09:14:53 localhost snort[8163]: |   Match Lists     : 1.24
Aug 12 09:14:53 localhost snort[8163]: |   DFA
Aug 12 09:14:53 localhost snort[8163]: |     1 byte states : 0.96
Aug 12 09:14:53 localhost snort[8163]: |     2 byte states : 33.67
Aug 12 09:14:53 localhost snort[8163]: |     4 byte states : 0.00
Aug 12 09:14:53 localhost snort[8163]:
+----------------------------------------------------------------
Aug 12 09:14:53 localhost snort[8163]: [ Number of patterns truncated to
20 bytes: 313 ]
Aug 12 09:14:53 localhost snort[8163]: pcap DAQ configured to passive.
Aug 12 09:14:53 localhost snort[8163]: Acquiring network traffic from
"eth0".
Aug 12 09:14:53 localhost snort[8163]: Initializing daemon mode
Aug 12 09:14:53 localhost snort[8173]: Daemon initialized, signaled
parent pid: 8163
Aug 12 09:14:53 localhost snort[8173]: Reload thread starting...
Aug 12 09:14:53 localhost snort[8173]: Reload thread started, thread
0x7f8feee27700 (8174)
Aug 12 09:14:54 localhost kernel: device eth0 entered promiscuous mode
Aug 12 09:14:54 localhost snort[8173]: Decoding Ethernet
Aug 12 09:14:54 localhost snort[8173]: Checking PID path...
Aug 12 09:14:54 localhost snort[8173]: PID path stat checked out ok, PID
path set to /var/run/
Aug 12 09:14:54 localhost snort[8173]: Writing PID "8173" to file
"/var/run//snort_eth0.pid"
Aug 12 09:14:54 localhost snort[8173]: Set gid to 504
Aug 12 09:14:54 localhost kernel: device eth0 left promiscuous mode
Aug 12 09:14:54 localhost snort[8173]: Set uid to 496
Aug 12 09:14:54 localhost snort[8173]: FATAL ERROR: spo_unified2.c(320)
Could not open /var/log/snort/merged.log.1407860094: Permission denied
Aug 12 09:15:23 localhost barnyard2[8142]:
[SignatureReferencePullDataStore()]: No Reference found in database ...
Aug 12 09:15:23 localhost barnyard2[8142]: database: compiled support for
(mysql)
Aug 12 09:15:23 localhost barnyard2[8142]: database: configured to use
mysql
Aug 12 09:15:23 localhost barnyard2[8142]: database: schema version = 107
Aug 12 09:15:23 localhost barnyard2[8142]: database:           host =
localhost
Aug 12 09:15:23 localhost barnyard2[8142]: database:           user = root
Aug 12 09:15:23 localhost barnyard2[8142]: database:  database name =
snort
Aug 12 09:15:23 localhost barnyard2[8142]: database:    sensor name =
localhost.localdomain:eth0
Aug 12 09:15:23 localhost barnyard2[8142]: database:      sensor id = 2
Aug 12 09:15:23 localhost barnyard2[8142]: database:     sensor cid = 6
Aug 12 09:15:23 localhost barnyard2[8142]: database:  data encoding = hex
Aug 12 09:15:23 localhost barnyard2[8142]: database:   detail level = full
Aug 12 09:15:23 localhost barnyard2[8142]: database:     ignore_bpf = no
Aug 12 09:15:23 localhost barnyard2[8142]: database: using the "log"
facility
Aug 12 09:15:23 localhost barnyard2[8142]:
Aug 12 09:15:23 localhost barnyard2[8142]:         --== Initialization
Complete ==--
Aug 12 09:15:23 localhost barnyard2[8142]: Barnyard2 initialization
completed successfully (pid=8142)
Aug 12 09:15:23 localhost barnyard2[8142]: Using waldo file
'/etc/snort/barnyard2.waldo':#012    spool directory =
/var/log/snort#012    spool filebase  = merged.log#012    time_stamp      =
1407259400#012    record_idx      = 5370
Aug 12 09:15:23 localhost barnyard2[8142]: Opened spool file
'/var/log/snort/merged.log.1407259400'
Aug 12 09:15:23 localhost barnyard2[8142]: ERROR: Unable to open log
spool file '/var/log/snort/merged.log.1407259400' (Permission denied)
Aug 12 09:15:23 localhost barnyard2[8142]: Closing spool file
'/var/log/snort/merged.log.1407259400'. Read 0 records
Aug 12 09:15:23 localhost barnyard2[8142]: ERROR: Unable to create
spooler!
Aug 12 09:15:23 localhost barnyard2[8142]:
===============================================================================
Aug 12 09:15:23 localhost barnyard2[8142]: Record Totals:
Aug 12 09:15:23 localhost barnyard2[8142]:    Records:           0
Aug 12 09:15:23 localhost barnyard2[8142]:    Events:           0 (0.000%)
Aug 12 09:15:23 localhost barnyard2[8142]:    Packets:           0
(0.000%)
Aug 12 09:15:23 localhost barnyard2[8142]:    Unknown:           0
(0.000%)
Aug 12 09:15:23 localhost barnyard2[8142]:    Suppressed:           0
(0.000%)
Aug 12 09:15:23 localhost barnyard2[8142]:
===============================================================================
Aug 12 09:15:23 localhost barnyard2[8142]: Packet breakdown by protocol
(includes rebuilt packets):
Aug 12 09:15:23 localhost barnyard2[8142]:       ETH: 0          (0.000%)
Aug 12 09:15:23 localhost barnyard2[8142]:   ETHdisc: 0          (0.000%)
Aug 12 09:15:23 localhost barnyard2[8142]:      VLAN: 0          (0.000%)
Aug 12 09:15:23 localhost barnyard2[8142]:      IPV6: 0          (0.000%)
Aug 12 09:15:23 localhost barnyard2[8142]:   IP6 EXT: 0          (0.000%)
Aug 12 09:15:23 localhost barnyard2[8142]:   IP6opts: 0          (0.000%)
Aug 12 09:15:23 localhost barnyard2[8142]:   IP6disc: 0          (0.000%)
Aug 12 09:15:23 localhost barnyard2[8142]:       IP4: 0          (0.000%)
Aug 12 09:15:23 localhost barnyard2[8142]:   IP4disc: 0          (0.000%)
Aug 12 09:15:23 localhost barnyard2[8142]:     TCP 6: 0          (0.000%)
Aug 12 09:15:23 localhost barnyard2[8142]:     UDP 6: 0          (0.000%)
Aug 12 09:15:23 localhost barnyard2[8142]:     ICMP6: 0          (0.000%)
Aug 12 09:15:23 localhost barnyard2[8142]:   ICMP-IP: 0          (0.000%)
Aug 12 09:15:23 localhost barnyard2[8142]:       TCP: 0          (0.000%)
Aug 12 09:15:23 localhost barnyard2[8142]:       UDP: 0          (0.000%)
Aug 12 09:15:23 localhost barnyard2[8142]:      ICMP: 0          (0.000%)
Aug 12 09:15:23 localhost barnyard2[8142]:   TCPdisc: 0          (0.000%)
Aug 12 09:15:23 localhost barnyard2[8142]:   UDPdisc: 0          (0.000%)
Aug 12 09:15:23 localhost barnyard2[8142]:   ICMPdis: 0          (0.000%)
Aug 12 09:15:23 localhost barnyard2[8142]:      FRAG: 0          (0.000%)
Aug 12 09:15:23 localhost barnyard2[8142]:    FRAG 6: 0          (0.000%)
Aug 12 09:15:23 localhost barnyard2[8142]:       ARP: 0          (0.000%)
Aug 12 09:15:23 localhost barnyard2[8142]:     EAPOL: 0          (0.000%)
Aug 12 09:15:23 localhost barnyard2[8142]:   ETHLOOP: 0          (0.000%)
Aug 12 09:15:23 localhost barnyard2[8142]:       IPX: 0          (0.000%)
Aug 12 09:15:23 localhost barnyard2[8142]:     OTHER: 0          (0.000%)
Aug 12 09:15:23 localhost barnyard2[8142]:   DISCARD: 0          (0.000%)
Aug 12 09:15:23 localhost barnyard2[8142]: InvChkSum: 0          (0.000%)
Aug 12 09:15:23 localhost barnyard2[8142]:    S5 G 1: 0          (0.000%)
Aug 12 09:15:23 localhost barnyard2[8142]:    S5 G 2: 0          (0.000%)
Aug 12 09:15:23 localhost barnyard2[8142]:     Total: 0
Aug 12 09:15:23 localhost barnyard2[8142]:

On Fri, Aug 8, 2014 at 7:41 AM, Bill Bernsen <bill.bernsen () nyu edu> wrote:

Hi Trevor,

Can you copy and paste the details from /var/log/messages when you start
up snort/barnyard2?


On Wed, Aug 6, 2014 at 4:34 PM, Trevor Thompson <trevthom18 () gmail com> wrote:

Hello,

I am trying to set up Snort and Barnyard2 as daemons on CentOS 6.5.
They are both producing the same errors when I attempt to stop, restart, or
start the service:

snort dead but subsys locked
barnyard dead but subsys locked

I've been following installation instructions for the software that I
found on this website:
http://cyberoperations.wordpress.com/2014-class/2014-08-snort-2-9-6-0-network-miner-1-5-autopsy/
and
http://cyberoperations.wordpress.com/2014-class/2014-09-mysql-barnyard/.
The first link describes how to install Snort and configure it as a
daemon; the second link details how to configure MySQL, install Barnyard2,
and configure Barnyard2 as a service. Through following the tutorial I
managed to log data and send it to a MySQL database of my own creation.
Everything was fine until I got to the very bottom of the second link and
attempted to install Barnyard2 as a service:

"Starting Barnyard Automatically

To complete the installation, we need Barnyard2 to start automatically.
To do so, Barnyard2 should run as a daemon, so uncomment line 85 of the
/etc/snort/barnyard2.conf file

# enable daemon mode
#
config daemon

Next, update the barnyard2.conf file with the full location of the
waldo file; modify line 134 to read

# define the full waldo filepath.
#
config waldo_file: /etc/snort/barnyard2.waldo

The waldo file (where is he anyway?) lets Barnyard2 track how far it
has progressed through the various output files created by snort. We
specified this precise location in the command line we have used in testing.

We do not want Barnyard2 running as root; instead we tell Barnyard2 to
run as the user (and group) snort by modifying lines 91-97.

# specify the group or GID for barnyard2 to run as after initialisation.
#
config set_gid: snort

# specify the user or UID for barnyard2 to run as after initialisation.
#
config set_uid: snort

Since we want Barnyard2 to run as the user snort, we change the
permissions on our waldo file:

[root@hydra snort]# chown snort:snort /etc/snort/barnyard2.waldo

Remember, it was automatically created the first time we ran Barnyard.
Since we ran it as root that first time, it was created with root
permissions, so we would not be able to use it as snort.

Copy the startup script from the installation directory to /etc/init.d
and make it executable

[root@hydra ~]# cp /usr/local/src/barnyard2-master/rpm/barnyard2 /etc/init.d/
[root@hydra ~]# chmod a+x /etc/init.d/barnyard2

We need to make a few modifications to the file though. We do not need
to specify the location of ARCHIVEDIR, so line 37 can be removed.

The location of the WALDO_FILE in line 38 should be changed. In our
setup, files are not indexed by the interface name, so we do not want to
include $INT in the path name; we also have stored the waldo file in
/etc/snort rather than in $SNORTDIR; thus these lines should become
the single line

WALDO_FILE="/etc/snort/barnyard2.waldo"

We also need to remove the dependencies on the interface in the
BARNYARD_OPTS line; it should become

BARNYARD_OPTS="-D -c $CONF -d $SNORTDIR -w $WALDO_FILE -f $LOG_FILE -X $PIDFILE $EXTRA_ARGS"

Combining these changes, we end up with a start() routine in the form

start() {
   echo -n $"Starting $desc ($prog): "
   for INT in $INTERFACES; do
           PIDFILE="/var/lock/subsys/barnyard2-$INT.pid"
           WALDO_FILE="/etc/snort/barnyard2.waldo"
           BARNYARD_OPTS="-D -c $CONF -d $SNORTDIR -w $WALDO_FILE
                         -f $LOG_FILE -X $PIDFILE $EXTRA_ARGS"
           daemon $prog $BARNYARD_OPTS
   done
   RETVAL=$?
   echo
   [ $RETVAL -eq 0 ] && touch /var/lock/subsys/$prog
   return $RETVAL
}

We also put a link to the binary in /usr/sbin

[root@hydra ~]# ln -s /usr/local/bin/barnyard2 /usr/sbin/barnyard2

Copy the configuration file from the installation directory to
/etc/sysconfig

[root@hydra ~]# cp /usr/local/src/barnyard2-master/rpm/barnyard2.config
/etc/sysconfig/barnyard2

We need to make a few changes to this file as well; when complete it
should look like

# Config file for /etc/init.d/barnyard2
LOG_FILE="merged.log"

# You probably don't want to change this, but in case you do
SNORTDIR="/var/log/snort"
INTERFACES="eth0"

# Probably not this either
CONF=/etc/snort/barnyard2.conf

EXTRA_ARGS=""

In case you are wondering what got changed: both the LOG_FILE variable
and the CONF variable.

Finally, we set up our start-up and shutdown scripts:

[root@hydra ~]# ln -s /etc/init.d/barnyard2 /etc/rc3.d/S99barnyard2d
[root@hydra ~]# ln -s /etc/init.d/barnyard2 /etc/rc5.d/S99barnyard2d
[root@hyrda ~]# ln -s /etc/init.d/barnyard2 /etc/rc0.d/K99barnyard2d
[root@hydra ~]# ln -s /etc/init.d/barnyard2 /etc/rc6.d/K99barnyard2d

This completes the installation. You can verify that it works by simply
rebooting the box and checking that both snort and barnyard2 run correctly."

However, rebooting the operating system didn't fix the problem, but it
instead created the previously mentioned errors. Does anyone have any idea
what the problem could be with my system?


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest
Snort news!


--
Bill Bernsen
Network Security Analyst
ITS Technology Security Services, New York University
http://www.nyu.edu/its/security

--
Robert Millott
President, Millott and Associates
(443) 255-3588
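Added example, not code from this thread or from the Snort or Barnyard2 projects: a small POSIX shell check for the root cause Rob identified, the daemon's unprivileged account having no write access to the unified2 spool directory. It decides from stat() mode and owner data whether a given uid with a given group set may write a path, using the uid 496 / gid 504 the posted log shows snort dropping to, and it pulls the offending paths out of "Permission denied" syslog lines so the failure can be caught by a script rather than read off /var/log/messages after the fact. The function names, the GNU `stat -c` format string and the SAMPLE_LOG variable are my own assumptions; the sample lines themselves are copied from the log posted earlier in the thread.

```shell
#!/bin/sh
# Added example, not code from this thread or from the Snort/Barnyard2 projects.
# The failed start in the thread came down to the account snort and barnyard2
# drop privileges to (uid 496 / gid 504 in the posted log) having no write
# access to the unified2 spool directory /var/log/snort. This script
# (1) decides from stat() data whether a uid with a given group set may write
# a path, and (2) extracts the offending paths from syslog lines, so the check
# can run before the daemons start instead of being read off /var/log/messages
# afterwards. Function names are my own; `stat -c` assumes GNU coreutils
# (Linux); `id -G` is POSIX.

# perm_allows_write MODE OWNER_UID OWNER_GID UID "GID GID ..."
# MODE is the octal string printed by `stat -c %a` (e.g. 755 or 2775).
# Returns 0 if write is permitted for UID, 1 otherwise. Uid 0 is deliberately
# not special-cased: we want to see what the unprivileged daemon will see.
perm_allows_write() {
    mode=$1 owner_uid=$2 owner_gid=$3 uid=$4 gids=$5
    case $mode in ?|??) mode=$(printf '%03d' "$mode") ;; esac
    perm=${mode#"${mode%???}"}          # keep the last three digits: u g o
    u=${perm%??}; g=${perm#?}; g=${g%?}; o=${perm#??}
    if [ "$uid" = "$owner_uid" ]; then
        bits=$u                         # owner class applies first
    else
        bits=$o                         # fall back to "other" ...
        for gid in $gids; do            # ... unless one of the groups matches
            if [ "$gid" = "$owner_gid" ]; then bits=$g; break; fi
        done
    fi
    [ $((bits & 2)) -ne 0 ]
}

# path_writable_by USER PATH: the same check against the live file system.
# Returns 0 writable, 1 not writable, 2 if USER or PATH does not exist.
path_writable_by() {
    st=$(stat -c '%a %u %g' "$2" 2>/dev/null) || return 2
    uid=$(id -u "$1" 2>/dev/null) || return 2
    gids=$(id -G "$1")
    set -- $st                          # $1=mode $2=owner uid $3=owner gid
    perm_allows_write "$1" "$2" "$3" "$uid" "$gids"
}

# permission_denied_paths: read syslog lines on stdin and print, one per line,
# the path each "Permission denied" message names.
permission_denied_paths() {
    grep 'Permission denied' | grep -o '/[^ :'"'"']*'
}

# Lines copied from the log posted in this thread, embedded as sample input.
SAMPLE_LOG="Aug 12 09:14:54 localhost snort[8173]: Set gid to 504
Aug 12 09:14:54 localhost snort[8173]: Set uid to 496
Aug 12 09:14:54 localhost snort[8173]: FATAL ERROR: spo_unified2.c(320) Could not open /var/log/snort/merged.log.1407860094: Permission denied
Aug 12 09:15:23 localhost barnyard2[8142]: ERROR: Unable to open log spool file '/var/log/snort/merged.log.1407259400' (Permission denied)
Aug 12 09:15:23 localhost barnyard2[8142]: ERROR: Unable to create spooler!"

# Demonstration with the thread's numbers: a root-owned 755 /var/log/snort is
# not writable for uid 496 / gid 504; the same directory owned by uid 496 is.
if perm_allows_write 755 0 0 496 504; then
    echo "root-owned 755 spool dir: writable"
else
    echo "root-owned 755 spool dir: NOT writable for uid 496 (the thread's failure)"
fi
if perm_allows_write 755 496 504 496 504; then
    echo "spool dir owned by uid 496: writable"
fi
echo "paths named in Permission denied messages:"
printf '%s\n' "$SAMPLE_LOG" | permission_denied_paths
```

On the sensor itself, `path_writable_by snort /var/log/snort` (and the same for the waldo file) before `service snort start` reports what the daemon will see after `config set_uid`/`set_gid` take effect, which is the moment the posted log fails in spo_unified2.c. A root-owned directory with mode 755 fails this check even though root can write it, which is why a first run as root followed by a daemon run as snort produces exactly the errors in the thread.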
