[Snort-users] upgrading to snort 2.6

Jason security at ...5028...
Fri Sep 29 09:41:55 EDT 2006


Is this a 64-bit system? Did you compile from sources? Can you run
barnyard under gdb and provide a backtrace?

Thx,
Jason.

Derek Stinchfield wrote:
> Yeah, I gave it a glance.  I haven't had a lot of time to read in depth, but I know the lines that configure snort to output unified files have not changed.  I still believe that there is something bizarre happening in Barnyard, but I can't lock it down.
> 
> «««««««««««««««««««»»»»»»»»»»»»»»»»»»»
> 
> Derek Stinchfield
> Network Analyst
> Scientific Computing Center
> University of North Dakota - ÆROSPACE
> derek at ...13939...
> 
> «««««««««««««««««««»»»»»»»»»»»»»»»»»»»
> 
>>>> "info+lucretia.ca" <info at ...2282...> 9/29/2006 7:55 AM >>>
> Actually there is a vast difference between 2.4 and 2.6.
> 
> Did you review the release notes or the manual?
> 
> Cheers,
> 
> James Friesen, CIO
> Lucretia Enterprises
> Our World Is Here
> info at lucretia dot ca
> http://lucretia.ca 
> 
> 
>> -----Original Message-----
>> From: snort-users-bounces at lists.sourceforge.net 
>> [mailto:snort-users-bounces at lists.sourceforge.net] On Behalf
>> Of Derek Stinchfield
>> Sent: Thursday, September 28, 2006 12:54 PM
>> Cc: snort-users at lists.sourceforge.net 
>> Subject: Re: [Snort-users] upgrading to snort 2.6
>>
>> Yes, I believe so, unless something is very different between
>> 2.4 and 2.6.  Here is the excerpt from my snort.conf
>>
>> output alert_unified: filename snort.alert, limit 128
>> output log_unified: filename snort.log, limit 128
>>
>> Thanks again,
>>
>> Derek
>>
>> «««««««««««««««««««»»»»»»»»»»»»»»»»»»»
>>
>> Derek Stinchfield
>> Network Analyst
>> Scientific Computing Center
>> University of North Dakota - ÆROSPACE
>> derek at ...13939... 
>>
>> «««««««««««««««««««»»»»»»»»»»»»»»»»»»»
>>
>>>>> Joel Esler <joel.esler at ...1935...> 9/28/2006 1:10 PM >>>
>> Just to say...  Are you sure snort is outputting in unified format?
>>
>> J
>>
>>
>> On Thu, Sep 28, 2006 at 12:47:30PM -0500, Derek Stinchfield
>> apparently sent me:
>>> Recently, my department was able to free up a new server
>>> that we decided to use to replace our old snort box.  I
>>> figured that this would be a good time to update to 2.6.  I
>>> saved a few of the old config files and went to work with the
>>> new box from scratch.  I loaded RHELAS 4 and after the
>>> install, I downloaded and installed 2.6.0.2, and Barnyard
>>> 0.2.0.  I then checked and copied over the config files,
>>> rulesets, and startup scripts from our old snort 2.4 box and
>>> I thought I pounded out any issues with file locations and
>>> permissions.  Both snort and barnyard are now starting and
>>> running; however, I let it run last night, outputting unified
>>> files and having barnyard pointed at a remote syslog server,
>>> and I didn't have a single rule in the remote syslog today.
>>>
>>> I had snort make a fast alert output to be sure that rules
>>> were being triggered, and sure enough they are, which leaves
>>> me with barnyard.  I did the fast alert for this too and it
>>> didn't even create the file for it.  This is the first time
>>> I've tried to use the barnyard startup script.  Before, I
>>> would just start it with <barnyard -D -n -f
>>> /var/log/snort/snort.alert>
>>>
>>> Now that I'm trying to use the script, the command is
>>> </usr/local/bin/barnyard -c /etc/snort/barnyard.conf -d
>>> /var/log/snort -a /var/log/snort-proces....>  Obviously, if I
>>> try to start it the old way I now get a segmentation fault.
>>>
>>> I have posted the barnyard script as well as what I use in
>>> the barnyard.conf.  Any help I can get is appreciated.
>>> Also if it helps, I don't absolutely have to use the barnyard
>>> script, so if there is an idea that excludes it, I would
>>> appreciate that as much as any help.
>>>
>>> Thanks in advance,
>>>
>>> Derek
>>>
>>>
>>>
>>> The barnyard script I used is this:
>>>
>>> #!/bin/bash
>>> #
>>> # barnyard      Start/Stop barnyard daemon
>>> #
>>> # Written by Alejandro Flores <alejandrorfloresgmail.com>
>>> #
>>> # chkconfig: 2345 42 62
>>> # description: Output spool reader for Snort! This program decouples \
>>> #              output overhead from the Snort network intrusion detection \
>>> #              system and allows Snort to run at full speed. It takes \
>>> #              input and output plugins and can therefore be used to \
>>> #              convert almost any spooled file.
>>> #
>>>
>>> . /etc/rc.d/init.d/functions
>>>
>>> # Barnyard binary
>>> BARNYARD=/usr/local/bin/barnyard
>>>
>>> # Where to place processed logs
>>> PROCESSADOS=/var/log/snort-processados
>>>
>>> # Base dir for snort logs
>>> LOG_BASE=/var/log/snort
>>>
>>> # Unified log filename (base name; snort appends a timestamp)
>>> LOG_FILE=snort.log
>>>
>>> # Barnyard config
>>> CONFIG=/etc/snort/barnyard.conf
>>>
>>> # Where is sid-msg.map
>>> SIDMAP=/etc/snort/sid-msg.map
>>>
>>> # Where is gen-msg.map
>>> GENMAP=/etc/snort/gen-msg.map
>>>
>>> # Where is classification.config
>>> CLASSCONF=/etc/snort/classification.config
>>>
>>> # Where to place the barnyard bookmark (waldo file)
>>> WALDO=/var/log/snort/waldo
>>>
>>> case "$1" in
>>>     start)
>>>         if [ -f /var/lock/subsys/barnyard ]; then
>>>             echo "Barnyard is already running."
>>>             exit 0
>>>         fi
>>>         echo -n "Starting Barnyard: "
>>>         daemon $BARNYARD \
>>>             -c $CONFIG \
>>>             -d $LOG_BASE \
>>>             -a $PROCESSADOS \
>>>             -f $LOG_FILE \
>>>             -w $WALDO \
>>>             -s $SIDMAP \
>>>             -g $GENMAP \
>>>             -p $CLASSCONF \
>>>             -D
>>>         echo
>>>         touch /var/lock/subsys/barnyard
>>>         ;;
>>>
>>>     stop)
>>>         echo -n "Stopping Barnyard: "
>>>         killproc barnyard
>>>         echo
>>>         rm -f /var/lock/subsys/barnyard
>>>         ;;
>>>
>>>     *)
>>>         echo "Usage: $0 {start|stop}"
>>>         exit 1
>>>         ;;
>>> esac
>>> /script
>>>
>>>
>>>
>>> This is my barnyard.conf <some commented parts omitted>
>>>
>>> #-------------------------------------------------------------
>>> #   http://www.snort.org    Barnyard 0.1.0 configuration file
>>> #          Contact: snort-barnyard at lists.sourceforge.net
>>> #-------------------------------------------------------------
>>> # $Id: barnyard.conf,v 1.9 2004/05/01 16:43:29 andrewbaker Exp $
>>> ########################################################
>>> # Currently you want to do two things in here: turn on
>>> # available data processors and turn on output plugins.
>>> # The data processors (dp's) and output plugins (op's)
>>> # automatically associate with each other by type and
>>> # are automatically selected at run time depending on
>>> # the type of file you try to load.
>>> ########################################################
>>>
>>> # Step 1: configuration declarations
>>> # To keep from having a commandline that uses every letter in the
>>> # alphabet, most configuration options are set here
>>>
>>> # enable daemon mode
>>> config daemon
>>>
>>> #INSERTED BY DEREK.  Indicate which interface shall be monitored
>>> config interface: eth1
>>>
>>> #INSERTED BY DEREK.  Give Barnyard the location of the meta-data.
>>> config sid-msg-map: /etc/snort/sid-msg.map
>>> config gen-msg-map: /etc/snort/gen-msg.map
>>> config class-file: /etc/snort/classification.config
>>>
>>> # set the hostname (currently only used for the acid db output plugin)
>>> #COMMENTED OUT BY DEREK. config hostname: snorthost
>>>
>>> # set the interface name (currently only used for the acid db output plugin)
>>> #COMMENTED OUT BY DEREK. config interface: fxp0
>>>
>>> # set the filter (currently only used for the acid db output plugin)
>>> #COMMENTED OUT BY DEREK. config filter: not port 22
>>>
>>> # Step 2: setup the output plugins
>>>
>>> # alert_fast
>>> #-----------------------------
>>> # Converts data from the dp_alert plugin into an approximation of
>>> # Snort's "fast alert" mode.  Argument: <filename>
>>>
>>> output alert_fast: barnyard.alert
>>>
>>> # log_dump
>>> #-----------------------------
>>> # Converts data from the dp_log plugin into an approximation of
>>> # Snort's "ASCII packet dump" mode.  Argument: <filename>
>>>
>>> #COMMENTED OUT BY DEREK. output log_dump
>>>
>>> # alert_syslog2
>>> #-------------------------------
>>> # Generates a syslog alert.  This supports considerably more features
>>> # than the original syslog output plugin.
>>> #
>>> output alert_syslog2: severity: ALERT; syslog_host: x.x.x.x;
>>>
>>> /barnyard.config
>>>
>>> «««««««««««««««««««»»»»»»»»»»»»»»»»»»»
>>>
>>> Derek Stinchfield
>>> Network Analyst
>>> Scientific Computing Center
>>> University of North Dakota - ÆROSPACE
>>> derek at ...13939...
>>>
>>> «««««««««««««««««««»»»»»»»»»»»»»»»»»»»
>>>
>>>
>>> -------------------------------------------------------------------------
>>> Take Surveys. Earn Cash. Influence the Future of IT
>>> Join SourceForge.net's Techsay panel and you'll get the chance to share your
>>> opinions on IT & business topics through brief surveys -- and earn cash
>>> http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV
>>> _______________________________________________
>>> Snort-users mailing list
>>> Snort-users at lists.sourceforge.net
>>> Go to this URL to change user options or unsubscribe:
>>> https://lists.sourceforge.net/lists/listinfo/snort-users
>>> Snort-users list archive:
>>> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>>>
>>
>>
>>
>> +---------------------------------------------------------------------+
>> joel esler          senior security consultant         1-706-627-2101
>> Sourcefire    Security for the /Real/ World -- http://www.sourcefire.com
>>        Snort - Open Source Network IPS/IDS -- http://www.snort.org
>>          gpg key: http://demo.sourcefire.com/jesler.pgp.key
>>            aim:eslerjoel  ymsg:eslerjoel gtalk:eslerj
>> +---------------------------------------------------------------------+
>>
>>
> 
> 
> 
> 
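Joel's question upthread ("are you sure snort is outputting in unified format?") can be answered by looking at the spool files themselves rather than at snort.conf. The following is an added example, not code from the thread or from Snort or Barnyard: it reads the 4-byte magic that Snort 2.x writes at the start of every unified alert file (0xDEAD4137) and unified log file (0xDEAD1080) and classifies each file in a spool directory that matches the base name barnyard is pointed at with -d/-f. Snort writes the header in host byte order, so both byte orders are accepted. The spool directory and its contents are constructed inside the script so it runs offline; real spool files would be checked by calling scan_spool on /var/log/snort with "snort.alert" or "snort.log".

```python
"""Check whether the files in a Snort spool directory are unified-format output.

Added example (not part of the thread or of Snort/Barnyard). Only the leading
magic is inspected; the rest of the unified header is not parsed here.
"""
import os
import struct
import tempfile

ALERT_MAGIC = 0xDEAD4137  # spo_unified: magic of a unified alert file
LOG_MAGIC = 0xDEAD1080    # spo_unified: magic of a unified log file


def unified_kind(path):
    """Return 'alert', 'log', or None if the file is not unified output."""
    with open(path, "rb") as fh:
        head = fh.read(4)
    if len(head) < 4:
        return None  # empty or truncated: nothing for barnyard to read yet
    for fmt in ("<I", ">I"):  # header is in host byte order, so try both
        magic = struct.unpack(fmt, head)[0]
        if magic == ALERT_MAGIC:
            return "alert"
        if magic == LOG_MAGIC:
            return "log"
    return None


def scan_spool(spool_dir, base_name):
    """Classify every file in spool_dir named base_name or base_name.<suffix>.

    Snort names unified files <base_name>.<unix timestamp>; barnyard reads the
    same spool dir (-d) and base name (-f). Returns a sorted list of
    (filename, kind) so a non-unified or empty file stands out.
    """
    result = []
    for name in sorted(os.listdir(spool_dir)):
        if name == base_name or name.startswith(base_name + "."):
            result.append((name, unified_kind(os.path.join(spool_dir, name))))
    return result


def build_sample_spool():
    """Constructed sample spool dir: one unified alert file, one unified log
    file, one fast-alert text file sharing the prefix, and one empty file.
    Version and timezone fields in the headers are filler values."""
    d = tempfile.mkdtemp(prefix="snort-spool-")
    with open(os.path.join(d, "snort.alert.1159500000"), "wb") as fh:
        fh.write(struct.pack("<IIII", ALERT_MAGIC, 1, 2, 0))
    with open(os.path.join(d, "snort.log.1159500000"), "wb") as fh:
        fh.write(struct.pack("<I", LOG_MAGIC) + b"\x00" * 20)
    with open(os.path.join(d, "snort.alert.txt"), "wb") as fh:
        fh.write(b"09/29-07:55:00.000000  [**] [1:1000001:1] constructed [**]\n")
    open(os.path.join(d, "snort.alert.1159503600"), "wb").close()
    return d


if __name__ == "__main__":
    spool = build_sample_spool()
    for name, kind in scan_spool(spool, "snort.alert"):
        print("%-28s %s" % (name, kind or "NOT unified"))
    for name, kind in scan_spool(spool, "snort.log"):
        print("%-28s %s" % (name, kind or "NOT unified"))
```

A file that shows "NOT unified" under the alert base name is either an alert_fast text file that happens to share the prefix or a file snort has opened but not yet written to; either way barnyard has nothing to process from it, which is the first thing to rule out before looking for a crash in barnyard itself.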



