Snort mailing list archives
Re: Snort 2.9.7.2 and barnyard2 1.13 on RHEL via RPM
From: "Tawanda Purazi" <Tawanda () tsi co za>
Date: Wed, 15 Apr 2015 08:22:11 +0200
Dear Tomas,

I had the same problem and it was resolved by setting "BINARY_LOG=0" in /etc/sysconfig/snort and restarting snort. See this article: https://cyberoperations.wordpress.com/class-archives/2013-class/09-mysql-5-1-barnyard/ especially the section:

    If you include the switch -A full, snort appears to change the file name it uses for its output. The -A switch determines the alert mode, and can be set to full, fast, or none. Interestingly, I found that no matter which of those choices you make, the name of the output file changes to snort.log. We can handle this problem by commenting out line 69 in /etc/sysconfig/snort so that portion of the file reads

        # How should Snort alert? Valid alert modes include fast, full, none, and
        # unsock. Fast writes alerts to the default "alert" file in a single-line,
        # syslog style alert message. Full writes the alert to the "alert" file
        # with the full decoded header as well as the alert message. None turns off
        # alerting. Unsock is an experimental mode that sends the alert information
        # out over a UNIX socket to another process that attaches to that socket.
        # -A {alert-mode}
        # output alert_{type}: {options}
        #ALERTMODE=full

    This almost solves the problem. We also cannot use the -b switch to specify tcpdump format for the logs. Modify line 81 of /etc/sysconfig/snort so that portion becomes

        # Should Snort keep binary (AKA pcap, AKA tcpdump) logs also? This is
        # recommended as it provides very useful information for investigations.
        # -b
        # output log_tcpdump: {log name}
        BINARY_LOG=0

    If you make these changes to /etc/sysconfig/snort then restart it, it will now correctly send its results to the files /var/log/snort/snort.u2

Good luck,
Tawanda

From: Tomas Hajek [mailto:hajek () oakland edu]
Sent: 14 April 2015 22:18
To: snort-users () lists sourceforge net
Subject: [Snort-users] Snort 2.9.7.2 and barnyard2 1.13 on RHEL via RPM

Hello Everyone,

I have barnyard2 1.13, snort 2.9.7.2, working on Red Hat Enterprise Linux 6.6 installed via rpms. I am running both barnyard2 and snort using their typical config files snort.conf and barnyard2.conf but also with the RHEL way of using sysconfig and init scripts. I had many problems initially getting unified2 logging to work but finally came to what I believe to be the underlying issue. This was after running through the removal of -A and -b; for specifics I mean modifying the parameters in /etc/sysconfig/snort to set the following:

    BINARY_LOG=0
    ALERTMODE=

The larger problem for me seems to be the init scripts. For barnyard2 it assumes a log directory of /var/log/snort/$INTERFACE where $INTERFACE is the name of the network interface (e.g. eth0, or eth1). The snort init script seems to make a special case of running snort on a single interface and as such logs to /var/log/snort/ with a single interface and /var/log/snort/$INTERFACE/ when multiple interfaces are specified in the sysconfig file. This means that when I have only 1 network interface configured, snort is writing the merged.log to /var/log/snort/ but barnyard2 expects it to be in /var/log/snort/eth0/. I tried to change the value of LOG_FILE in /etc/sysconfig/barnyard2 to ../merged.log or /var/log/snort/merged.log but it appears that that variable is stripped down to just the filename, so I can't seem to fix it with that.

I also noted that barnyard2 also expects a timestamp to be appended to the unified2 log (so unified2 logging also needs to have nostamp removed in the /etc/snort/snort.conf default config).

I confess that I am a new user of snort and barnyard2 and this had me stumped for a day or two, and I am wondering how others are maintaining snort and barnyard2 on a RHEL system with RPM installs? Has anyone experienced the same that I have? Have I missed something obvious or is my assessment above correct?

I admit at the moment I just added a second interface to snort and now have snort and barnyard2 logging and reading from the same corresponding directories (/var/log/snort/eth0 and /var/log/snort/eth1), but is there a way to get this to work properly with just one interface?

Any advice would be appreciated.

thanks,
-Tomas

--
Tomas Hajek
hajek () oakland edu
1-248-370-3505
Senior Linux Systems Engineer
University Technology Services
Oakland University
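As an added example (not code from either message, nor from the Snort or barnyard2 projects), the following POSIX shell lint checks a sysconfig file and a snort.conf for the three settings the thread identifies as breaking the unified2 handoff to barnyard2: a set ALERTMODE (which adds -A and renames the output), BINARY_LOG=1 (which adds -b), and "nostamp" on the unified2 output line (which drops the timestamp barnyard2 expects). The sample config files are constructed inline; the function names and the check logic are this example's own assumptions and encode only what the thread states.

```shell
#!/bin/sh
# Added example: lint /etc/sysconfig/snort-style and snort.conf-style files for
# the settings the thread reports as breaking unified2 output for barnyard2.
# Assumptions (not from the projects): file paths are passed as arguments, and
# the checks mirror only the three problems named in the thread.

# Print the effective (uncommented) value of KEY=value in file $1, key $2.
# Prints nothing if the key is commented out or absent.
sysconfig_value() {
    grep -E "^[[:space:]]*$2=" "$1" | tail -n 1 | cut -d= -f2- | tr -d '"'
}

# One line per problem found in a sysconfig file; silent when it looks right.
check_snort_sysconfig() {
    alertmode=$(sysconfig_value "$1" ALERTMODE)
    binarylog=$(sysconfig_value "$1" BINARY_LOG)
    if [ -n "$alertmode" ]; then
        echo "ALERTMODE=$alertmode adds -A, which renames the unified2 output; comment it out"
    fi
    if [ "$binarylog" = "1" ]; then
        echo "BINARY_LOG=1 adds -b; set BINARY_LOG=0 so snort writes only unified2"
    fi
}

# Flag "nostamp" on an active unified2 output line in a snort.conf.
check_unified2_stamp() {
    if grep -E '^[[:space:]]*output[[:space:]]+unified2:' "$1" | grep -q nostamp; then
        echo "unified2 output uses nostamp; barnyard2 expects a timestamped filename"
    fi
}

# Number of problems across both files, for use in scripts ($1 sysconfig, $2 snort.conf).
problem_count() {
    { check_snort_sysconfig "$1"; check_unified2_stamp "$2"; } | wc -l | tr -d ' '
}

# Constructed sample files (illustrative only, not real configs from the thread).
tmpdir=$(mktemp -d)
trap 'rm -rf "$tmpdir"' EXIT

cat > "$tmpdir/snort.bad" <<'EOF'
# How should Snort alert?
ALERTMODE=full
# Should Snort keep binary logs also?
BINARY_LOG=1
EOF

cat > "$tmpdir/snort.good" <<'EOF'
#ALERTMODE=full
BINARY_LOG=0
EOF

cat > "$tmpdir/snort.conf.bad" <<'EOF'
output unified2: filename merged.log, limit 128, nostamp
EOF

cat > "$tmpdir/snort.conf.good" <<'EOF'
output unified2: filename merged.log, limit 128
EOF

echo "== constructed bad config =="
check_snort_sysconfig "$tmpdir/snort.bad"
check_unified2_stamp "$tmpdir/snort.conf.bad"
echo "problems: $(problem_count "$tmpdir/snort.bad" "$tmpdir/snort.conf.bad")"
echo "== constructed good config: $(problem_count "$tmpdir/snort.good" "$tmpdir/snort.conf.good") problems =="
```

On a real host, point the two functions at /etc/sysconfig/snort and /etc/snort/snort.conf; a non-zero count means the files still carry one of the settings the thread describes, and the printed lines say which one.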
Current thread:
- Snort 2.9.7.2 and barnyard2 1.13 on RHEL via RPM Tomas Hajek (Apr 14)
- Re: Snort 2.9.7.2 and barnyard2 1.13 on RHEL via RPM Tawanda Purazi (Apr 14)
- Re: Snort 2.9.7.2 and barnyard2 1.13 on RHEL via RPM Tomas Hajek (Apr 15)
- Re: Snort 2.9.7.2 and barnyard2 1.13 on RHEL via RPM Tawanda Purazi (Apr 14)