[Snort-users] upgrading to snort 2.6

Derek Stinchfield derek at ...13939...
Thu Sep 28 13:47:30 EDT 2006


Recently, my department was able to free up a new server that we decided to use to replace our old snort box.  I figured that this would be a good time to update to 2.6.  I saved a few of the old config files and went to work with the new box from scratch.  I loaded RHELAS 4 and after the install, I downloaded and installed 2.6.0.2, and Barnyard 0.2.0.  I then checked and copied over the config files, rulesets, and startup scripts from our old snort 2.4 box and I thought I pounded out any issues with file locations and permissions.  Both snort and barnyard are now starting and running; however, I let it run last night, outputting unified files and having barnyard pointed at a remote syslog server, and I didn't have a single rule in the remote syslog today.

I had snort make a fast alert output to be sure that rules were being triggered, and sure enough they are, which leaves me with barnyard.  I did the fast alert for this too and it didn't even create the file for it.  This is the first time I've tried to use the barnyard startup script.  Before, I would just start it with <barnyard -D -n -f /var/log/snort/snort.alert>

Now that I'm trying to use the script, the command is </usr/local/bin/barnyard -c /etc/snort/barnyard.conf -d /var/log/snort -a /var/log/snort-proces....>  Obviously, if I try to start it the old way I now get a segmentation fault.


I have posted the barnyard script as well as what I use in the barnyard.conf.  Any help I can get is appreciated.  Also, if it helps, I don't absolutely have to use the barnyard script, so if there is an idea that excludes it, I would appreciate that as much as any help.

Thanks in advance,
                   
Derek



The barnyard script I used is this:

#!/bin/bash
#
# barnyard Start/Stop barnyard daemon
#
# Written by Alejandro Flores <alejandrorfloresgmail.com>
#
# chkconfig: 2345 42 62
# description: Output spool reader for Snort! This program decouples
# output overhead from the Snort network intrusion detection system
# and allows Snort to run at full speed. It takes input and output
# plugins and can therefore be used to convert almost any spooled file.
#

# Red Hat init helpers: provides daemon, killproc and status
. /etc/rc.d/init.d/functions

# Barnyard binary
BARNYARD=/usr/local/bin/barnyard

# Where to place processed logs (barnyard -a)
PROCESSADOS=/var/log/snort-processados

# Base dir for snort logs (barnyard -d)
LOG_BASE=/var/log/snort

# Unified log filename prefix inside LOG_BASE (barnyard -f)
LOG_FILE=snort.log

# Barnyard config (barnyard -c)
CONFIG=/etc/snort/barnyard.conf

# where is sid-msg.map (barnyard -s)
SIDMAP=/etc/snort/sid-msg.map

# where is gen-msg.map (barnyard -g)
GENMAP=/etc/snort/gen-msg.map

# where is classification.config (barnyard -p)
CLASSCONF=/etc/snort/classification.config

# where to place the barnyard bookmark (barnyard -w)
WALDO=/var/log/snort/waldo

case "$1" in
    start)
        if [ -f /var/lock/subsys/barnyard ]; then
            echo "Barnyard is already running."
            exit
        fi
        echo -n "Starting Barnyard: "
        daemon $BARNYARD \
        -c $CONFIG \
        -d $LOG_BASE \
        -a $PROCESSADOS \
        -f $LOG_FILE \
        -w $WALDO \
        -s $SIDMAP \
        -g $GENMAP \
        -p $CLASSCONF \
        -D
        echo
        touch /var/lock/subsys/barnyard
        ;;

    stop)
        echo -n "Stopping Barnyard: "
        killproc barnyard
        echo
        rm -f /var/lock/subsys/barnyard
        ;;

    restart)
        $0 stop
        $0 start
        ;;

    status)
        status barnyard
        ;;

    *)
        echo "Usage: $0 {start|stop|restart|status}"
        exit 1
        ;;
esac

exit 0
/script



This is my barnyard.conf <some commented parts omitted>

#-------------------------------------------------------------
#   http://www.snort.org    Barnyard 0.1.0 configuration file
#          Contact: snort-barnyard at lists.sourceforge.net 
#-------------------------------------------------------------
# $Id: barnyard.conf,v 1.9 2004/05/01 16:43:29 andrewbaker Exp $
########################################################
# Currently you want to do two things in here: turn on 
# available data processors and turn on output plugins.
# The data processors (dp's) and output plugin's (op's)
# automatically associate with each other by type and
# are automatically selected at run time depending on 
# the type of file you try to load.
########################################################

# Step 1: configuration declarations
# To keep from having a commandline that uses every letter in the alphabet
# most configuration options are set here

# enable daemon mode
config daemon

#INSERTED BY DEREK.  Indicate which interface shall be monitored
config interface: eth1

#INSERTED BY DEREK.  Give Barnyad the information location of Meta-data.
config sid-msg-map: /etc/snort/sid-msg.map
config gen-msg-map: /etc/snort/gen-msg.map
config class-file: /etc/snort/classification.config

# set the hostname (currently only used for the acid db output plugin)
#COMMENTED OUT BY DEREK. config hostname: snorthost

# set the interface name (currently only used for the acid db output plugin)
#COMMENTED OUT BY DEREK. config interface: fxp0

# set the filter (currently only used for the acid db output plugin)
#COMMENTED OUT BY DEREK. config filter: not port 22

# Step 2: setup the output plugins

# alert_fast
#-----------------------------
# Converts data from the dp_alert plugin into an approximation of Snort's 
# "fast alert" mode.  Argument: <filename>

output alert_fast: barnyard.alert

# log_dump
#-----------------------------
# Converts data from the dp_log plugin into an approximation of Snort's 
# "ASCII packet dump" mode.  Argument: <filename>

#COMMENTED OUT BY DEREK. output log_dump


# alert_syslog2
#-------------------------------
# Generates a syslog alert.  This supports considerably more features than
# the original syslog output plugin.
# 
output alert_syslog2: severity: ALERT; syslog_host: x.x.x.x;


/barnyard.config

«««««««««««««««««««»»»»»»»»»»»»»»»»»»»

Derek Stinchfield
Network Analyst
Scientific Computing Center
University of North Dakota - ÆROSPACE
derek at ...13939...

«««««««««««««««««««»»»»»»»»»»»»»»»»»»»
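The posted init script hands barnyard a spool directory (-d), a spool filename prefix (-f), a config file (-c) and three map files, and the posted barnyard.conf enables only alert_* output plugins, which its own comments say are fed by the dp_alert processor from unified alert files, while log_* plugins are fed by dp_log from unified log files. The following pre-flight check, an added example that is not part of the original post and not Barnyard's own code, verifies those paths before the daemon is started: it reports whether every file exists, how many spool files in the log directory actually carry the -f prefix, and which plugin family the conf enables, so a prefix that matches nothing (barnyard then has nothing to read and writes no output) is visible immediately. The alert_/log_ naming rule is taken from the conf comments on the page; the directory layout built by demo() and the 192.0.2.10 syslog host are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post or from Barnyard): pre-flight
# checks for the paths an init script passes to barnyard 0.2.x. Variable
# names mirror the posted script; demo() builds a constructed layout.

# Return 0 when every path given is readable, 1 otherwise; each missing
# path is reported on stderr.
check_files() {
    rc=0
    for f in "$@"; do
        if [ ! -r "$f" ]; then
            echo "missing or unreadable: $f" >&2
            rc=1
        fi
    done
    return $rc
}

# Print how many spool files in directory $1 carry prefix $2. Barnyard opens
# <dir>/<prefix>.<timestamp>, so zero matches means it has nothing to read.
count_spool() {
    n=0
    for f in "$1/$2".*; do
        [ -e "$f" ] && n=$((n + 1))
    done
    echo "$n"
}

# Print which family of output plugins a barnyard.conf enables: "alert"
# (alert_* plugins, fed by dp_alert from unified alert files), "log"
# (log_* plugins, fed by dp_log from unified log files), "both" or "none".
# Commented-out lines are ignored.
plugin_family() {
    a=0; l=0
    grep -Eq '^[[:space:]]*output[[:space:]]+alert_' "$1" && a=1
    grep -Eq '^[[:space:]]*output[[:space:]]+log_' "$1" && l=1
    case "$a$l" in
        10) echo alert ;;
        01) echo log ;;
        11) echo both ;;
        *)  echo none ;;
    esac
}

# Run every check for one init-script configuration.
#   $1 log dir (-d), $2 spool prefix (-f), $3 barnyard.conf (-c),
#   $4.. other files the daemon needs (sid-msg.map, gen-msg.map, ...).
# Returns 0 only when nothing looks wrong.
preflight() {
    log_base=$1; log_file=$2; conf=$3
    shift 3
    ok=0
    check_files "$conf" "$@" || ok=1
    spool=$(count_spool "$log_base" "$log_file")
    family=$(plugin_family "$conf")
    echo "spool prefix $log_file: $spool file(s) in $log_base; output plugins: $family"
    [ "$spool" -gt 0 ] || { echo "no spool files match -f $log_file in $log_base" >&2; ok=1; }
    [ "$family" != none ] || { echo "no output plugins enabled in $conf" >&2; ok=1; }
    return $ok
}

# Constructed demo: a log dir holding one unified alert spool file, a conf
# enabling only alert_* plugins, and an init script passing the prefix
# snort.log. The report shows the prefix matching no spool files.
demo() {
    base=$(mktemp -d)
    mkdir -p "$base/snort"
    : > "$base/snort/snort.alert.1159450000"
    : > "$base/sid-msg.map"
    printf 'output alert_fast: barnyard.alert\n' > "$base/barnyard.conf"
    printf 'output alert_syslog2: severity: ALERT; syslog_host: 192.0.2.10;\n' >> "$base/barnyard.conf"
    if preflight "$base/snort" snort.log "$base/barnyard.conf" "$base/sid-msg.map"; then
        echo "preflight passed"
    else
        echo "preflight failed: fix the init script variables before starting the daemon"
    fi
    rm -rf "$base"
}

demo
```

To check a real installation, source the variable block of the init script and call `preflight "$LOG_BASE" "$LOG_FILE" "$CONFIG" "$SIDMAP" "$GENMAP" "$CLASSCONF"` as the same user the daemon runs as, so permission problems show up as "missing or unreadable" rather than as silence from barnyard.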



