[Snort-users] Problems with Snort, Barnyard2, BASE on SUSE 11

Michael Sloan sloan at ...14851...
Thu Apr 29 09:43:57 EDT 2010


It seems the database got populated quickly after I restarted snort and 
barnyard this morning, but that leads to other questions/problems.

There are now 131 alerts in BASE, all the same: SSH Protocol Mismatch, 
which from the BASE environment seems to be ID 128-4, although this 
format doesn't match up with anything at snortid.com. I did see a thread 
in the forums about having to alter BASE to point to snortid.com instead 
of snort.org for the extended information on any given alert. All the 
alerts give my desktop as the source address (I'm connecting to the 
server via SSH). Attempting to drill down into the alert data gives:

/srv/www/htdocs/base-1.4.5/base_qry_alert.php:535: 
db->DB->MetaColumnNames('data') is NOT an array. Ignoring.

All of the alerts are from this morning, approximately a 1-minute 
timespan, (matching the time I restarted Snort from an SSH session) 
despite the 135k snort.log file with a timestamp from yesterday.

I checked the snort database to make sure it looked like it had been 
created correctly. It has 22 rows, created by:

cd /usr/local/src/snort-2.8.5.3/schemas
mysql -u root -p < create_mysql snort

The following in /var/log/messages is also of concern:

Apr 29 08:51:42 capstest barnyard2[15828]: database: mysql_error: MySQL 
server has gone away SQL=BEGIN
Apr 29 08:51:42 capstest barnyard2[15828]: database: mysql_error: MySQL 
server has gone away
Apr 29 08:51:42 capstest barnyard2[15828]: database: mysql_error: MySQL 
server has gone away SQL=INSERT INTO signature 
(sig_name,sig_priority,sig_rev,sig_sid,sig_gid) VALUES ('ssh: Protocol 
mismatch',3,1,4,128)
Apr 29 08:51:42 capstest barnyard2[15828]: database: mysql_error: MySQL 
server has gone away
Apr 29 08:51:42 capstest barnyard2[15828]: database: Problem inserting a 
new signature 'ssh: Protocol mismatch': INSERT INTO signature 
(sig_name,sig_priority,sig_rev,sig_sid,sig_gid) VALUES ('ssh: Protocol 
mismatch',3,1,4,128)
Apr 29 08:51:42 capstest barnyard2[15828]: database: mysql_error: MySQL 
server has gone away SQL=INSERT INTO event (sid,cid,signature,timestamp) 
VALUES (3, 131, 0, '2010-04-29 08:51:41')
Apr 29 08:51:42 capstest barnyard2[15828]: database: mysql_error: MySQL 
server has gone away SQL=ROLLBACK

I've seen references to this in the forums, but had not seen any 
solutions to this outside of restarting snort every 20-30 minutes. I'm 
beginning to think that maybe removing everything and starting over 
might be better, although I don't know that my results will differ a lot.

On 4/28/2010 3:35 PM, Joel Esler wrote:
> Do you have any information in the database?  Can you check that?
>
> J
>
>
> On Wed, Apr 28, 2010 at 3:04 PM, Michael Sloan <sloan at ...14851... 
> <mailto:sloan at ...14851...>> wrote:
>
>     I've tried to set up Snort on SUSE Linux Enterprise Server 11, and
>     have
>     run into troubles. I think it might have been working at one
>     point, but
>     now I think it's stopped but I'm not sure, and not entirely sure I
>     even
>     compiled and configured everything correctly.
>
>     I'm using Snort 2.8.5.3, Base 1.4.5, Barnyard2 1.8, and mySQL 5.0.67
>
>     Barnyard2: compiled with --enable-mysql
>
>     Snort: compiled with --enable-targetbased (I could not get
>     --with-mysql
>     to work, and didn't actually peruse the mailing lists until long
>     after I
>     got everything installed and possibly configured)
>
>     In snort.conf:
>       output unified2: filename snort.log, limit 128
>
>     In barnyard2.conf:
>       output database: alert, mysql, user=snort password=TopSecretPassword
>     dbname=snort host=localhost
>
>     mysql reports that the user snort at ...274... has
>       SELECT, INSERT, UPDATE, DELETE, CREATE on snort.*
>       SELECT, INSERT, UPDATE on snort.sensor
>
>     Snort is started with:
>       /usr/local/bin/snort -c /etc/snort/snort.conf -i eth0 -d -D -u snort
>
>     And barnyard2 is started with:
>       /usr/local/bin/barnyard2 -c /etc/snort/barnyard2.conf -D -d
>     /var/log/snort
>         -f snort.log -u snort
>
>     After a couple of weeks, I see that snort.log is 133k, but no alerts
>     whatsoever have been displayed in BASE. BASE is showing the proper
>     database name, and user.
>
>     I see in /var/log/messages (after restarting snort and barnyard2
>     today)
>     that barnyard2 read 706 records from the 133k file. I do not see any
>     errors in the mysqld logs.
>
>     I've looked at installation guides for SUSE 10, Fedora Core 11,
>     and read
>     enough from different sources that now I really have no idea what
>     could
>     be wrong and after spending quite a few hours on this over the
>     course of
>     the last few weeks, I've run out of ideas on what to tweak and change.
>
>     Any suggestions (or requests for further information needed)
>     would be
>     greatly appreciated.
>
>
>     --
>     Michael Sloan
>     Systems Administrator
>     FSU Center for Advanced Power Systems
>     sloan at ...14851... <mailto:sloan at ...14851...>
>
>


-- 
Michael Sloan
Systems Administrator
FSU Center for Advanced Power Systems
sloan at ...14851...
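The syslog lines above show one barnyard2 transaction failing end to end: BEGIN, the signature INSERT, the event INSERT (which carries signature 0 because the signature row was never created), and the ROLLBACK. As an added example that is not part of this thread, the following Python parser pulls barnyard2 `database: mysql_error` lines out of /var/log/messages and summarizes which statements failed and which events were rolled back; the embedded log sample is constructed from the lines quoted above.

```python
import re
from collections import Counter

# Constructed sample, modelled on the barnyard2 lines quoted in the message above.
SAMPLE_LOG = """\
Apr 29 08:51:42 capstest barnyard2[15828]: database: mysql_error: MySQL server has gone away SQL=BEGIN
Apr 29 08:51:42 capstest barnyard2[15828]: database: mysql_error: MySQL server has gone away
Apr 29 08:51:42 capstest barnyard2[15828]: database: mysql_error: MySQL server has gone away SQL=INSERT INTO signature (sig_name,sig_priority,sig_rev,sig_sid,sig_gid) VALUES ('ssh: Protocol mismatch',3,1,4,128)
Apr 29 08:51:42 capstest barnyard2[15828]: database: mysql_error: MySQL server has gone away
Apr 29 08:51:42 capstest barnyard2[15828]: database: Problem inserting a new signature 'ssh: Protocol mismatch': INSERT INTO signature (sig_name,sig_priority,sig_rev,sig_sid,sig_gid) VALUES ('ssh: Protocol mismatch',3,1,4,128)
Apr 29 08:51:42 capstest barnyard2[15828]: database: mysql_error: MySQL server has gone away SQL=INSERT INTO event (sid,cid,signature,timestamp) VALUES (3, 131, 0, '2010-04-29 08:51:41')
Apr 29 08:51:42 capstest barnyard2[15828]: database: mysql_error: MySQL server has gone away SQL=ROLLBACK
"""

# One barnyard2 database error line: syslog timestamp, host, pid, error text, optional SQL.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) barnyard2\[(?P<pid>\d+)\]: "
    r"database: mysql_error: (?P<err>.*?)(?: SQL=(?P<sql>.*))?$"
)
# The event INSERT barnyard2 emits: (sid, cid, signature id, timestamp).
EVENT_RE = re.compile(
    r"INSERT INTO event \(sid,cid,signature,timestamp\) VALUES \((\d+), (\d+), (\d+),"
)


def parse_db_errors(text):
    """Return one dict per barnyard2 mysql_error line; other syslog lines are skipped."""
    return [m.groupdict() for m in map(LINE_RE.match, text.splitlines()) if m]


def summarize(errors):
    """Count failed statements by SQL verb and list the events that were lost.

    An event whose signature id is 0 means the preceding signature INSERT
    failed, so the row could not be linked to a signature even if it had
    been committed."""
    by_verb = Counter()
    events = []
    for e in errors:
        sql = e["sql"] or ""
        by_verb[sql.split(" ", 1)[0] if sql else "(no SQL)"] += 1
        m = EVENT_RE.search(sql)
        if m:
            sid, cid, sig = map(int, m.groups())
            events.append({"sid": sid, "cid": cid, "signature": sig,
                           "orphan_signature": sig == 0})
    return {"by_verb": dict(by_verb), "events": events,
            "rollbacks": by_verb["ROLLBACK"]}
```

Run over a full day's /var/log/messages, the per-verb counts show how many alert inserts were rolled back rather than stored, which is the number BASE will never display.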
