[Snort-users] upgrading to snort 2.6

Derek Stinchfield derek at ...13939...
Fri Sep 29 09:38:31 EDT 2006


Yeah, I gave it a glance.  I haven't had a lot of time to read in depth, but I know the lines that configure snort to output unified files have not changed.  I still believe that there is something bizarre happening in Barnyard, but I can't lock it down.

«««««««««««««««««««»»»»»»»»»»»»»»»»»»»

Derek Stinchfield
Network Analyst
Scientific Computing Center
University of North Dakota - ÆROSPACE
derek at ...13939...

«««««««««««««««««««»»»»»»»»»»»»»»»»»»»
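Joel's question further down (is Snort actually writing unified files?) can be answered on the sensor with a check like this. It is an added diagnostic, not something posted in the thread; it assumes an x86 sensor (unified headers are written in host byte order), the /var/log/snort directory and the snort.alert / snort.log base names from Derek's snort.conf, and the magic values 0xDEAD4137 / 0xDEAD1080 defined by Snort's unified output plugin.

```shell
#!/bin/sh
# Added diagnostic (not from the thread): confirm that Snort is really
# writing unified spool files that Barnyard can read.  Snort 2.x unified
# files begin with a 4-byte magic written in host byte order: 0xDEAD4137
# for alert_unified (snort.alert.*) and 0xDEAD1080 for log_unified
# (snort.log.*).  Assumes an x86 (little-endian) sensor.

# First four bytes of a file as a hex string, byte-swapped from the
# little-endian on-disk layout so it reads as the 32-bit magic value.
spool_magic() {
    od -An -tx1 -N4 "$1" | tr -d ' \n' |
        sed 's/\(..\)\(..\)\(..\)\(..\)/\4\3\2\1/'
}

# Classify a spool file by its magic: prints alert, log or unknown.
spool_kind() {
    case "$(spool_magic "$1")" in
        dead4137) echo alert ;;
        dead1080) echo log ;;
        *)        echo unknown ;;
    esac
}

# Newest <base>.<timestamp> file in <dir>, checked against the kind
# Barnyard will expect (alert or log).  Returns 0 only on a match, so the
# caller can tell "Snort never wrote a spool" from "wrong spool type".
check_unified_spool() {
    dir=$1; base=$2; want=$3
    newest=$(ls -t "$dir"/"$base".* 2>/dev/null | head -n 1)
    if [ -z "$newest" ]; then
        echo "no $base.<timestamp> files in $dir: Snort is not writing unified output there"
        return 1
    fi
    kind=$(spool_kind "$newest")
    if [ "$kind" = "$want" ]; then
        echo "$newest: unified $kind file (magic $(spool_magic "$newest"))"
        return 0
    fi
    echo "$newest: magic $(spool_magic "$newest") is not a unified $want file"
    return 1
}

# On the sensor: sh check_spool.sh /var/log/snort
if [ $# -gt 0 ]; then
    check_unified_spool "$1" snort.alert alert
    check_unified_spool "$1" snort.log log
fi
```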

>>> "info+lucretia.ca" <info at ...2282...> 9/29/2006 7:55 AM >>>
Actually there is vast difference between 2.4 and 2.6.

Did you review the release notes or the manual?

Cheers,

James Friesen, CIO
Lucretia Enterprises
Our World Is Here
info at lucretia dot ca
http://lucretia.ca 


> -----Original Message-----
> From: snort-users-bounces at lists.sourceforge.net 
> [mailto:snort-users-bounces at lists.sourceforge.net] On Behalf
> Of Derek Stinchfield
> Sent: Thursday, September 28, 2006 12:54 PM
> Cc: snort-users at lists.sourceforge.net 
> Subject: Re: [Snort-users] upgrading to snort 2.6
>
> Yes, I believe so, unless something is very different between
> 2.4 and 2.6.  Here is the excerpt from my snort.conf
>
> output alert_unified: filename snort.alert, limit 128
> output log_unified: filename snort.log, limit 128
>
> Thanks again,
>
> Derek
>
> «««««««««««««««««««»»»»»»»»»»»»»»»»»»»
>
> Derek Stinchfield
> Network Analyst
> Scientific Computing Center
> University of North Dakota - ÆROSPACE
> derek at ...13939... 
>
> «««««««««««««««««««»»»»»»»»»»»»»»»»»»»
>
> >>> Joel Esler <joel.esler at ...1935...> 9/28/2006 1:10 PM >>>
> Just to say...  Are you sure snort is outputting in unified format?
>
> J
>
>
> On Thu, Sep 28, 2006 at 12:47:30PM -0500, Derek Stinchfield
> apparently sent me:
> > Recently, my department was able to free up a new server that we
> > decided to use to replace our old snort box.  I figured that this
> > would be a good time to update to 2.6.  I saved a few of the old
> > config files and went to work with the new box from scratch.  I
> > loaded RHELAS 4 and after the install, I downloaded and installed
> > 2.6.0.2, and Barnyard 0.2.0.  I then checked and copied over the
> > config files, rulesets, and startup scripts from our old snort 2.4
> > box and I thought I pounded out any issues with file locations and
> > permissions.  Both snort and barnyard are now starting and running,
> > however I let it run last night, outputting unified files and having
> > barnyard pointed at a remote syslog server, and I didn't have a
> > single rule in the remote syslog today.
> >
> > I had snort make a fast alert output to be sure that rules were
> > being triggered, and sure enough they are, which leaves me with
> > barnyard.  I did the fast alert for this too and it didn't even
> > create the file for it.  This is the first time I've tried to use
> > the barnyard startup script.  Before I would just start it with
> > <barnyard -D -n -f /var/log/snort/snort.alert>
> >
> > Now that I'm trying to use the script, the command is
> > </usr/local/bin/barnyard -c /etc/snort/barnyard.conf -d /var/log/snort -a /var/log/snort-proces....>
> > Obviously, if I try to start it the old way I now get a segmentation
> > fault.
> >
> >
> > I have posted the barnyard script as well as what I use in the
> > barnyard.conf.  Any help I can get is appreciated.  Also if it helps,
> > I don't absolutely have to use the barnyard script, so if there is an
> > idea that excludes it, I would appreciate that as much as any help.
> >
> > Thanks in advance,
> >
> > Derek
> >
> >
> >
> > The barnyard script I used is this:
> >
> > #!/bin/bash
> > #
> > # barnyard      Start/Stop barnyard daemon
> > #
> > # Written by Alejandro Flores <alejandrorfloresgmail.com>
> > #
> > # chkconfig: 2345 42 62
> > # description: Output spool reader for Snort!  This program decouples \
> > #              output overhead from the Snort network intrusion \
> > #              detection system and allows Snort to run at full speed. \
> > #              It takes input and output plugins and can therefore be \
> > #              used to convert almost any spooled file.
> > #
> >
> > . /etc/rc.d/init.d/functions
> >
> > # Barnyard binary
> > BARNYARD=/usr/local/bin/barnyard
> >
> > # Where to place processed logs
> > PROCESSADOS=/var/log/snort-processados
> >
> > # Base dir for snort logs
> > LOG_BASE=/var/log/snort
> >
> > # Unified log filename
> > LOG_FILE=snort.log
> >
> > # Barnyard config
> > CONFIG=/etc/snort/barnyard.conf
> >
> > # where is sid-msg.map
> > SIDMAP=/etc/snort/sid-msg.map
> >
> > # where is gen-msg.map
> > GENMAP=/etc/snort/gen-msg.map
> >
> > # where is classification.config
> > CLASSCONF=/etc/snort/classification.config
> >
> > # where to place the barnyard bookmark
> > WALDO=/var/log/snort/waldo
> >
> > case "$1" in
> >     start)
> >         if [ -f /var/lock/subsys/barnyard ]; then
> >             echo "Barnyard is already running."
> >             exit
> >         fi
> >         echo -n "Starting Barnyard: "
> >         daemon $BARNYARD \
> >         -c $CONFIG \
> >         -d $LOG_BASE \
> >         -a $PROCESSADOS \
> >         -f $LOG_FILE \
> >         -w $WALDO \
> >         -s $SIDMAP \
> >         -g $GENMAP \
> >         -p $CLASSCONF \
> >         -D
> >         touch /var/lock/subsys/barnyard
> >         ;;
> >
> >     stop)
> >         echo -n "Stopping Barnyard: "
> >         killproc barnyard
> >         rm -f /var/lock/subsys/barnyard
> >         ;;
> >
> >     *)
> >         echo "Usage: $0 {start|stop}"
> >         exit 1
> >         ;;
> > esac
> > /script
> >
> >
> >
> > This is my barnyard.conf <some commented parts omitted>
> >
> > #-------------------------------------------------------------
> > #   http://www.snort.org    Barnyard 0.1.0 configuration file
> > #          Contact: snort-barnyard at lists.sourceforge.net
> > #-------------------------------------------------------------
> > # $Id: barnyard.conf,v 1.9 2004/05/01 16:43:29 andrewbaker Exp $
> > ########################################################
> > # Currently you want to do two things in here: turn on
> > # available data processors and turn on output plugins.
> > # The data processors (dp's) and output plugin's (op's)
> > # automatically associate with each other by type and
> > # are automatically selected at run time depending on
> > # the type of file you try to load.
> > ########################################################
> >
> > # Step 1: configuration declarations
> > # To keep from having a commandline that uses every letter in the
> > # alphabet most configuration options are set here
> >
> > # enable daemon mode
> > config daemon
> >
> > #INSERTED BY DEREK.  Indicate which interface shall be monitored
> > config interface: eth1
> >
> > #INSERTED BY DEREK.  Give Barnyard the location of the meta-data files.
> > config sid-msg-map: /etc/snort/sid-msg.map
> > config gen-msg-map: /etc/snort/gen-msg.map
> > config class-file: /etc/snort/classification.config
> >
> > # set the hostname (currently only used for the acid db output plugin)
> > #COMMENTED OUT BY DEREK. config hostname: snorthost
> >
> > # set the interface name (currently only used for the acid db output plugin)
> > #COMMENTED OUT BY DEREK. config interface: fxp0
> >
> > # set the filter (currently only used for the acid db output plugin)
> > #COMMENTED OUT BY DEREK. config filter: not port 22
> >
> > # Step 2: setup the output plugins
> >
> > # alert_fast
> > #-----------------------------
> > # Converts data from the dp_alert plugin into an approximation of
> > # Snort's "fast alert" mode.  Argument: <filename>
> >
> > output alert_fast: barnyard.alert
> >
> > # log_dump
> > #-----------------------------
> > # Converts data from the dp_log plugin into an approximation of
> > # Snort's "ASCII packet dump" mode.  Argument: <filename>
> >
> > #COMMENTED OUT BY DEREK. output log_dump
> >
> >
> > # alert_syslog2
> > #-------------------------------
> > # Generates a syslog alert.  This supports considerably more features
> > # than the original syslog output plugin.
> > #
> > output alert_syslog2: severity: ALERT; syslog_host: x.x.x.x;
> >
> >
> > /barnyard.config
> >
> > «««««««««««««««««««»»»»»»»»»»»»»»»»»»»
> >
> > Derek Stinchfield
> > Network Analyst
> > Scientific Computing Center
> > University of North Dakota - ÆROSPACE
> > derek at ...13939...
> >
> > «««««««««««««««««««»»»»»»»»»»»»»»»»»»»
> >
> >
> > -------------------------------------------------------------------------
> > Take Surveys. Earn Cash. Influence the Future of IT
> > Join SourceForge.net's Techsay panel and you'll get the chance to share
> > your opinions on IT & business topics through brief surveys -- and
> > earn cash
> > http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users at lists.sourceforge.net
> > Go to this URL to change user options or unsubscribe:
> > https://lists.sourceforge.net/lists/listinfo/snort-users
> > Snort-users list archive:
> > http://www.geocrawler.com/redir-sf.php3?list=snort-users
> >
>
>
>
>
> +---------------------------------------------------------------------+
> joel esler          senior security consultant         1-706-627-2101
> Sourcefire    Security for the /Real/ World -- http://www.sourcefire.com
>        Snort - Open Source Network IPS/IDS -- http://www.snort.org
>          gpg key: http://demo.sourcefire.com/jesler.pgp.key
>            aim:eslerjoel  ymsg:eslerjoel gtalk:eslerj
> +---------------------------------------------------------------------+
>





