Re: Snort 2.9.7.2 and barnyard2 1.13 on RHEL via RPM

["Tawanda Purazi" <Tawanda () tsi co za>]

Dear Tomas,

 

I had the same problem and it was resolved by setting “BINARY_LOG=0” in /etc/sysconfig/snort and restarted snort.

See this article:

 

https://cyberoperations.wordpress.com/class-archives/2013-class/09-mysql-5-1-barnyard/

 

 

especially the section…..

 

 

If you include the switch -A full, snort appears to change the file name it uses for its output. The -A switch 
determines the alert mode, and can be set to full, fast, or none Interestingly, I found that no matter which of those 
choices you make, the name of the output file changes to snort.log. We can handle this problem by commenting out line 
69 in /etc/sysconfig/snort so that portion of the file reads

 

# How should Snort alert? Valid alert modes include fast, full, none, and

# unsock.  Fast writes alerts to the default "alert" file in a single-line,

# syslog style alert message.  Full writes the alert to the "alert" file

# with the full decoded header as well as the alert message.  None tu#rns off

# alerting. Unsock is an experimental mode that sends the alert information

# out over a UNIX socket to another process that attaches to that socket.

# -A {alert-mode}

# output alert_{type}: {options}

#ALERTMODE=full

This almost solves the problem. We also cannot use the -b switch to specify tcpdump format for the logs. Modify line 81 
of /etc/sysconfig/snort so that portion becomes

 

# Should Snort keep binary (AKA pcap, AKA tcpdump) logs also? This is

# recommended as it provides very useful information for investigations.

# -b

# output log_tcpdump: {log name}

BINARY_LOG=0

If you make these changes to /etc/sysconfig/snort then restart it, it will now correctly send its results to the files 
/var/log/snort/snort.u2

 

 

Good lucky,

 

Tawanda

 

 

From: Tomas Hajek [mailto:hajek () oakland edu] 
Sent: 14 April 2015 22:18
To: snort-users () lists sourceforge net
Subject: [Snort-users] Snort 2.9.7.2 and barnyard2 1.13 on RHEL via RPM

 

Hello Everyone, 

I have barnyard2 1.13, snort 2.9.7.2, working on Red Hat Enterprise Linux 6.6 installed via rpms.

I am running both barnyard2 and snort using their typical config files snort.conf and barnyard2.conf but also with the 
RHEL way of using sysconfig and init scripts.

I had many problems initially getting unified2 logging to work but finally came to what I believe to be the underlying 
issue.  This was after running through the removal of -A and -b, for specifics I mean modifying the parameters in 
/etc/sysconfig/snort to set the following:
BINARY_LOG=0
ALERTMODE=

The larger problem for me seems to be the init scripts.  For barnyard2 it assumes a log directory of 
/var/log/snort/$INTERFACE where $INTERFACE is the name of the network interface (e.g. eth0, or eth1).  The snort init 
script seems to make a special case of running snort on a single interface and as such logs to /var/log/snort/ with a 
single interface and /var/log/snort/$INTERFACE/ when multiple interfaces are specified in the sysconfig file.  This 
means that when I have only 1 network interface configured, snort is writing the merged.log to /var/log/snort/ but 
barynard2 expects it to be in /var/log/snort/eth0/.  

I tried to change the value of LOG_FILE in /etc/sysconfig/barnyard2 to ../merged.log or /var/log/snort/merged.log but 
it appears that that variable is stripped down to just the filename so I can't seem to fix it with that.   I also noted 
that barnyard2 also expects a timestamp to be appended to the unified2 log (so unified2 logging also needs to have 
nostamp removed in /etc/snort/snort.conf default config ).

I confess that I am a new user of snort and barnyard2 and this had me stumped for a day or two and I am wondering how 
others are maintaining snort and barnyard2 on a RHEL system with RPM installs?

Has anyone experience the same that I have?  

Have I missed something obvious or is my assessment above correct?

I admit at the moment I just added a second interface to snort and now have snort and barnyard2 logging and reading 
from the same corresponding directories ( /var/log/snort/eth0 and /var/log/snort/eth1) but is there a way to get this 
to work properly with just one interface?

 

Any advice would be appreciated.

thanks,

 -Tomas

-- 

 

                Tomas Hajek

                hajek () oakland edu

                1-248-370-3505

                Senior Linux Systems Engineer

                University Technology Services

                Oakland University

------------------------------------------------------------------------------
BPM Camp - Free Virtual Workshop May 6th at 10am PDT/1PM EDT
Develop your own process in accordance with the BPMN 2 standard
Learn Process modeling best practices with Bonita BPM through live exercises
http://www.bonitasoft.com/be-part-of-it/events/bpm-camp-virtual- event?utm_
source=Sourceforge_BPM_Camp_5_6_15&utm_medium=email&utm_campaign=VA_SF

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!