[Snort-users] upgrading to snort 2.6

Derek Stinchfield derek at ...13939...
Thu Sep 28 14:54:00 EDT 2006


Yes, I believe so, unless something is very different between 2.4 and 2.6.  Here is the excerpt from my snort.conf:

 output alert_unified: filename snort.alert, limit 128
 output log_unified: filename snort.log, limit 128

Thanks again,

Derek

«««««««««««««««««««»»»»»»»»»»»»»»»»»»»

Derek Stinchfield
Network Analyst
Scientific Computing Center
University of North Dakota - ÆROSPACE
derek at ...13939...

«««««««««««««««««««»»»»»»»»»»»»»»»»»»»
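Added example (not code from this thread, from Snort or from Barnyard): a small consistency check over the three things this thread shows, namely the snort.conf unified output lines above, the output plugins enabled in the quoted barnyard.conf, and the LOG_FILE value the quoted init script hands to barnyard -f. The barnyard.conf comments say that alert_fast is fed by dp_alert, that log_dump is fed by dp_log, and that data processors are selected by the type of file loaded, so an alert-only plugin set pointed at a log_unified spool has nothing to emit; that kind of mismatch is what the check reports. The inputs are constructed from the thread rather than copied from the poster's files, and mapping alert_syslog2 to dp_alert is an assumption based on its name.

```python
import re

# Constructed inputs modelled on the files in this thread (not the poster's
# exact files): the two unified outputs from snort.conf, the enabled output
# plugins from barnyard.conf, and the LOG_FILE line the init script passes
# to "barnyard -f".
SNORT_CONF = """
output alert_unified: filename snort.alert, limit 128
output log_unified: filename snort.log, limit 128
"""

BARNYARD_CONF = """
config daemon
config interface: eth1
output alert_fast: barnyard.alert
#COMMENTED OUT BY DEREK. output log_dump
output alert_syslog2: severity: ALERT; syslog_host: x.x.x.x;
"""

INIT_SCRIPT = """
LOG_BASE=/var/log/snort
LOG_FILE=snort.log
"""

# Which unified stream each Snort output plugin writes.
UNIFIED_STREAM = {"alert_unified": "alert", "log_unified": "log"}

# Which Barnyard data processor feeds each output plugin.  alert_fast -> dp_alert
# and log_dump -> dp_log come straight from the barnyard.conf comments; mapping
# alert_syslog2 to dp_alert is an assumption based on its "alert_" prefix.
PLUGIN_PROCESSOR = {
    "alert_fast": "alert",
    "alert_syslog2": "alert",
    "log_dump": "log",
}


def parse_snort_outputs(text):
    """Map each unified spool basename in snort.conf to its stream type."""
    streams = {}
    for line in text.splitlines():
        m = re.match(r"\s*output\s+(alert_unified|log_unified):\s*filename\s+([^,\s]+)", line)
        if m:
            streams[m.group(2)] = UNIFIED_STREAM[m.group(1)]
    return streams


def parse_barnyard_outputs(text):
    """List the output plugins that are actually enabled (commented lines ignored)."""
    plugins = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"output\s+(\w+)", line)
        if m:
            plugins.append(m.group(1))
    return plugins


def spool_file_from_init_script(text):
    """Return the LOG_FILE value the init script hands to barnyard -f."""
    m = re.search(r"^\s*LOG_FILE=(\S+)", text, re.MULTILINE)
    return m.group(1) if m else None


def check(snort_conf, barnyard_conf, spool_file):
    """Return human-readable findings; an empty list means the three files agree."""
    findings = []
    stream = parse_snort_outputs(snort_conf).get(spool_file)
    if stream is None:
        findings.append(f"{spool_file} is not written by any unified output in snort.conf")
        return findings
    plugins = parse_barnyard_outputs(barnyard_conf)
    for p in plugins:
        if p not in PLUGIN_PROCESSOR:
            findings.append(f"output {p}: unknown plugin, cannot tell which data processor feeds it")
    usable = [p for p in plugins if PLUGIN_PROCESSOR.get(p) == stream]
    if not usable:
        findings.append(
            f"{spool_file} is a unified {stream} file, but no enabled output plugin consumes dp_{stream}"
        )
    for p in plugins:
        needed = PLUGIN_PROCESSOR.get(p)
        if needed and needed != stream:
            findings.append(f"output {p} needs dp_{needed} and will stay idle while barnyard reads {spool_file}")
    return findings


if __name__ == "__main__":
    spool = spool_file_from_init_script(INIT_SCRIPT)
    for finding in check(SNORT_CONF, BARNYARD_CONF, spool) or ["configuration is consistent"]:
        print(finding)
```

Run as-is it reports that snort.log is a unified log file with no dp_log consumer enabled and that both alert plugins stay idle; pointing the same plugin set at snort.alert yields no findings. Plugins the table does not know are reported rather than silently ignored, so the check fails loudly on a config it cannot reason about.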

>>> Joel Esler <joel.esler at ...1935...> 9/28/2006 1:10 PM >>>
Just to say...  Are you sure snort is outputting in unified format?

J


On Thu, Sep 28, 2006 at 12:47:30PM -0500, Derek Stinchfield apparently sent me:
> Recently, my department was able to free up a new server that we decided to use to replace our old snort box.  I figured that this would be a good time to update to 2.6.  I saved a few of the old config files and went to work with the new box from scratch.  I loaded RHELAS 4 and after the install, I downloaded and installed 2.6.0.2, and Barnyard 0.2.0.  I then checked and copied over the config files, rulesets, and startup scripts from our old snort 2.4 box, and I thought I pounded out any issues with file locations and permissions.  Both snort and barnyard are now starting and running; however, I let it run last night, outputting unified files and having barnyard pointed at a remote syslog server, and I didn't have a single rule in the remote syslog today.
> 
> I had snort make a fast alert output to be sure that rules were being triggered, and sure enough they are, which leaves me with barnyard.  I did the fast alert for this too and it didn't even create the file for it.  This is the first time I've tried to use the barnyard startup script.  Before, I would just start it with <barnyard -D -n -f /var/log/snort/snort.alert>.
> 
> Now that I'm trying to use the script, the command is </usr/local/bin/barnyard -c /etc/snort/barnyard.conf -d /var/log/snort -a /var/log/snort-proces....>  Obviously, if I try to start it the old way I now get a segmentation fault.
> 
> 
> I have posted the barnyard script as well as what I use in the barnyard.conf.  Any help I can get is appreciated.  Also, if it helps, I don't absolutely have to use the barnyard script, so if there is an idea that excludes it, I would appreciate that as much as any help.
> 
> Thanks in advance,
>                    
> Derek
> 
> 
> 
> The barnyard script I used is this:
> 
> #!/bin/bash
> #
> # barnyard Start/Stop barnyard daemon
> #
> # Written by Alejandro Flores <alejandrorfloresgmail.com>
> #
> # chkconfig: 2345 42 62
> # description: Output spool reader for Snort! This program decouples \
> #              output overhead from the Snort network intrusion detection system \
> #              and allows Snort to run at full speed. It takes input and output \
> #              plugins and can therefore be used to convert almost any spooled fil
> #
> 
> . /etc/rc.d/init.d/functions
> 
> # Barnyard binary
> BARNYARD=/usr/local/bin/barnyard
> 
> # Where to place processed logs
> PROCESSADOS=/var/log/snort-processados
> 
> # Base dir for snort logs
> LOG_BASE=/var/log/snort
> 
> # Unified log filename
> LOG_FILE=snort.log
> 
> # Barnyard config
> CONFIG=/etc/snort/barnyard.conf
> 
> # where is sid-msg.map
> SIDMAP=/etc/snort/sid-msg.map
> 
> # where is gen-msg.map
> GENMAP=/etc/snort/gen-msg.map
> 
> # where is classification.config
> CLASSCONF=/etc/snort/classification.config
> 
> # where to place the barnyard bookmark
> WALDO=/var/log/snort/waldo
> 
> case "$1" in
>     start)
>         if [ -f /var/lock/subsys/barnyard ]; then
>             echo "Barnyard is already running."
>             exit
>         fi
>         echo -n "Starting Barnyard: "
>         daemon $BARNYARD \
>         -c $CONFIG \
>         -d $LOG_BASE \
>         -a $PROCESSADOS \
>         -f $LOG_FILE \
>         -w $WALDO \
>         -s $SIDMAP \
>         -g $GENMAP \
>         -p $CLASSCONF \
>         -D
>         touch /var/lock/subsys/barnyard
>         ;;
> 
>     stop)
>         echo -n "Stopping Barnyard"
>         killproc barnyard
>         rm /var/lock/subsys/barnyard
>         ;;
> 
>     *)
>         # Fallback so an unknown argument does not silently fall through
>         echo "Usage: $0 {start|stop}"
>         exit 1
>         ;;
> esac
> /script
> 
> 
> 
> This is my barnyard.conf <some commented parts omitted>
> 
> #-------------------------------------------------------------
> #   http://www.snort.org    Barnyard 0.1.0 configuration file
> #          Contact: snort-barnyard at lists.sourceforge.net 
> #-------------------------------------------------------------
> # $Id: barnyard.conf,v 1.9 2004/05/01 16:43:29 andrewbaker Exp $
> ########################################################
> # Currently you want to do two things in here: turn on 
> # available data processors and turn on output plugins.
> # The data processors (dp's) and output plugin's (op's)
> # automatically associate with each other by type and
> # are automatically selected at run time depending on 
> # the type of file you try to load.
> ########################################################
> 
> # Step 1: configuration declarations
> # To keep from having a commandline that uses every letter in the alphabet
> # most configuration options are set here
> 
> # enable daemon mode
>  config daemon
> 
> #INSERTED BY DEREK.  Indicate which interface shall be monitored
> config interface: eth1
> 
> #INSERTED BY DEREK.  Give Barnyard the location of the meta-data files.
> config sid-msg-map: /etc/snort/sid-msg.map
> config gen-msg-map: /etc/snort/gen-msg.map
> config class-file: /etc/snort/classification.config
> 
> # set the hostname (currently only used for the acid db output plugin)
> #COMMENTED OUT BY DEREK. config hostname: snorthost
> 
> # set the interface name (currently only used for the acid db output plugin)
> #COMMENTED OUT BY DEREK. config interface: fxp0
> 
> # set the filter (currently only used for the acid db output plugin)
> #COMMENTED OUT BY DEREK. config filter: not port 22
> 
> # Step 2: setup the output plugins
> 
> # alert_fast
> #-----------------------------
> # Converts data from the dp_alert plugin into an approximation of Snort's 
> # "fast alert" mode.  Argument: <filename>
> 
> output alert_fast: barnyard.alert
> 
> # log_dump
> #-----------------------------
> # Converts data from the dp_log plugin into an approximation of Snort's 
> # "ASCII packet dump" mode.  Argument: <filename>
> 
> #COMMENTED OUT BY DEREK. output log_dump
> 
> 
> # alert_syslog2
> #-------------------------------
> # Generates a syslog alert.  This supports considerably more features than
> # the original syslog output plugin.
> # 
> output alert_syslog2: severity: ALERT; syslog_host: x.x.x.x;
> 
> 
> /barnyard.config
> 
> «««««««««««««««««««»»»»»»»»»»»»»»»»»»»
> 
> Derek Stinchfield
> Network Analyst
> Scientific Computing Center
> University of North Dakota - ÆROSPACE
> derek at ...13939...
> 
> «««««««««««««««««««»»»»»»»»»»»»»»»»»»»
> 
> -------------------------------------------------------------------------
> Take Surveys. Earn Cash. Influence the Future of IT
> Join SourceForge.net's Techsay panel and you'll get the chance to share your
> opinions on IT & business topics through brief surveys -- and earn cash
> http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV 
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net 
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users 
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users 
> 




+---------------------------------------------------------------------+
joel esler          senior security consultant         1-706-627-2101
Sourcefire    Security for the /Real/ World -- http://www.sourcefire.com
       Snort - Open Source Network IPS/IDS -- http://www.snort.org 
         gpg key: http://demo.sourcefire.com/jesler.pgp.key 
           aim:eslerjoel  ymsg:eslerjoel gtalk:eslerj
+---------------------------------------------------------------------+
