[Snort-users] Installing Snort

Martin Holste mcholste at ...11827...
Fri Jul 8 20:09:22 EDT 2011


For debugging, I recommend using output syslog along with unified2 so
you can be sure that barnyard is operating correctly.

On Fri, Jul 8, 2011 at 6:21 PM, Damien Hull <dhull at ...15333...> wrote:
> It looks like my problem is with barnyard2. If I run snort I can see port
> scans in /var/snort/sfportscan.log. If I run with barnyard2 I get nothing.
>
> I should also point out that I have OSSEC installed. It sends me emails with
> error messages. I got the following when I started snort and barnyard2.
> OSSEC HIDS Notification.
> 2011 Jul 08 23:11:00
>
> Received From: migration->/var/log/syslog
> Rule: 1002 fired (level 2) -> "Unknown problem somewhere in the system."
> Portion of the log(s):
>
> Jul  8 23:10:59 migration snort[28837]:         Check for Bounce Attacks:
> YES alert: YES
>
>
>
> --END OF NOTIFICATION
>
>
>
> OSSEC HIDS Notification.
> 2011 Jul 08 23:11:00
>
> Received From: migration->/var/log/syslog
> Rule: 1002 fired (level 2) -> "Unknown problem somewhere in the system."
> Portion of the log(s):
>
> Jul  8 23:10:59 migration snort[28837]:     Bad Message Direction Alert:
> DISABLED
>
>
>
> --END OF NOTIFICATION
>
>
>
> OSSEC HIDS Notification.
> 2011 Jul 08 23:11:00
>
> Received From: migration->/var/log/syslog
> Rule: 1002 fired (level 2) -> "Unknown problem somewhere in the system."
> Portion of the log(s):
>
> Jul  8 23:10:59 migration snort[28837]:     Bad Payload Size Alert: DISABLED
>
>
>
> --END OF NOTIFICATION
>
>
>
> On Jul 8, 2011, at 1:21 PM, Michael Lubinski <michael.lubinski at ...14542....>
> wrote:
>
> If the sfportscan preprocessor is configured
>
> On Jul 8, 2011 4:18 PM, "Damien Hull" <dhull at ...15333...> wrote:
>> I double checked and that's a typo in the email. Just for fun I retyped
>> everything in /etc/rc.local. Still not getting anything in the log file. I
>> even recompiled snort.
>>
>> I'm assuming a port scan will show up in a log file somewhere.
>>
>> On Jul 8, 2011, at 12:52 PM, Michael Lubinski <michael.lubinski at ...13704......>
>> wrote:
>>
>> Typo on "gen-smg.map" or copy typo?
>>
>> On Fri, Jul 8, 2011 at 3:52 PM, Damien Hull <dhull at ...15333...> wrote:
>>
>>> in /etc/rc.local I have the following...
>>>
>>> /usr/local/snort/bin/snort -D -u snort -g snort \
>>> -c /usr/local/snort/etc/snort.conf -i eth0
>>>
>>> /usr/local/bin/barnyard2 -c /usr/local/snort/etc/barnyard2.conf \
>>> -G /usr/local/snort/etc/gen-smg.map \
>>> -S /usr/local/snort/etc/sid-msg.map \
>>> -d /var/log/snort \
>>> -f snort.u2 \
>>> -w /var/log/snort/barnyard2.waldo \
>>> -D
>>>
>>> On Jul 8, 2011, at 12:43 PM, Michael Lubinski
>>> <michael.lubinski at ...11827...>
>>> wrote:
>>>
>>> what's your syntax for starting snort?
>>>
>>> On Fri, Jul 8, 2011 at 3:28 PM, Damien Hull <dhull at ...15333...> wrote:
>>>
>>>> I have snort installed on a web server. It only needs to see incoming
>>>> attacks so that should be working. I double checked snort.conf rules and
>>>> found the port scan rule was commented out. Even after uncommenting that
>>>> rule it doesn't work.
>>>>
>>>> Nothing shows up in /var/log/snort/snort or the snort report database. I'm
>>>> thinking something was left out of the instructions on snort.org. I double
>>>> checked my configuration several times.
>>>>
>>>>
>>>> On Jul 8, 2011, at 12:11 PM, Michael Lubinski <michael.lubinski at ...11827...>
>>>> wrote:
>>>>
>>>> Is your snort sensor able to see the traffic? (span port, connected via a
>>>> hub?)
>>>> Are the rules uncommented in snort.conf?
>>>>
>>>> On Fri, Jul 8, 2011 at 3:05 PM, Damien Hull <dhull at ...15333...> wrote:
>>>>
>>>>> Here's what I have in /usr/local/snort/rules...
>>>>>
>>>>> total 10356
>>>>> -rw-r--r-- 1 1210 1210 18236 Apr 4 17:59 VRT-License.txt
>>>>> -rw-r--r-- 1 1210 1210 5463 Jun 7 16:35 attack-responses.rules
>>>>> -rw-r--r-- 1 1210 1210 312012 Jun 7 16:35 backdoor.rules
>>>>> -rw-r--r-- 1 1210 1210 1862 Jun 7 16:35 bad-traffic.rules
>>>>> -rw-r--r-- 1 1210 1210 132557 Jun 7 16:35 blacklist.rules
>>>>> -rw-r--r-- 1 1210 1210 49738 Jun 7 16:35 botnet-cnc.rules
>>>>> -rw-r--r-- 1 1210 1210 20259 Jun 7 16:35 chat.rules
>>>>> -rw-r--r-- 1 1210 1210 8642 Jun 7 16:35 content-replace.rules
>>>>> -rw-r--r-- 1 1210 1210 8237 Jun 7 16:35 ddos.rules
>>>>> -rw-r--r-- 1 1210 1210 5048660 Jun 7 16:35 deleted.rules
>>>>> -rw-r--r-- 1 1210 1210 11722 Jun 7 16:35 dns.rules
>>>>> -rw-r--r-- 1 1210 1210 25338 Jun 7 16:35 dos.rules
>>>>> -rw-r--r-- 1 1210 1210 1327 May 16 2005 experimental.rules
>>>>> -rw-r--r-- 1 1210 1210 147124 Jun 7 16:35 exploit.rules
>>>>> -rw-r--r-- 1 1210 1210 4579 Jun 7 16:35 finger.rules
>>>>> -rw-r--r-- 1 1210 1210 33901 Jun 7 16:35 ftp.rules
>>>>> -rw-r--r-- 1 1210 1210 17265 Jun 7 16:35 icmp-info.rules
>>>>> -rw-r--r-- 1 1210 1210 3756 Jun 7 16:35 icmp.rules
>>>>> -rw-r--r-- 1 1210 1210 31824 Jun 7 16:35 imap.rules
>>>>> -rw-r--r-- 1 1210 1210 1041 Jun 7 16:35 info.rules
>>>>> -rw-r--r-- 1 1210 1210 199 Jun 7 16:35 local.rules
>>>>> -rw-r--r-- 1 1210 1210 24059 Jun 7 16:35 misc.rules
>>>>> -rw-r--r-- 1 1210 1210 7166 Jun 7 16:35 multimedia.rules
>>>>> -rw-r--r-- 1 1210 1210 13845 Jun 7 16:35 mysql.rules
>>>>> -rw-r--r-- 1 1210 1210 217140 Jun 7 16:35 netbios.rules
>>>>> -rw-r--r-- 1 1210 1210 5804 Jun 7 16:35 nntp.rules
>>>>> -rw-r--r-- 1 1210 1210 1246 Jun 7 16:35 open-test.conf
>>>>> -rw-r--r-- 1 1210 1210 208849 Jun 7 16:35 oracle.rules
>>>>> -rw-r--r-- 1 1210 1210 1490 Jun 7 16:35 other-ids.rules
>>>>> -rw-r--r-- 1 1210 1210 6432 Jun 7 16:35 p2p.rules
>>>>> -rw-r--r-- 1 1210 1210 56702 Jun 7 16:35 phishing-spam.rules
>>>>> -rw-r--r-- 1 1210 1210 47381 Jun 7 16:35 policy.rules
>>>>> -rw-r--r-- 1 1210 1210 1046 Jun 7 16:35 pop2.rules
>>>>> -rw-r--r-- 1 1210 1210 15701 Jun 7 16:35 pop3.rules
>>>>> -rw-r--r-- 1 1210 1210 91675 Jun 7 16:35 rpc.rules
>>>>> -rw-r--r-- 1 1210 1210 3984 Jun 7 16:35 rservices.rules
>>>>> -rw-r--r-- 1 1210 1210 42175 Jun 7 16:35 scada.rules
>>>>> -rw-r--r-- 1 1210 1210 5307 Jun 7 16:35 scan.rules
>>>>> -rw-r--r-- 1 1210 1210 13707 Jun 7 16:35 shellcode.rules
>>>>> -rw-r--r-- 1 1210 1210 91705 Jun 7 16:35 smtp.rules
>>>>> -rw-r--r-- 1 1210 1210 7250 Jun 7 16:35 snmp.rules
>>>>> -rw-r--r-- 1 1210 1210 335177 Jun 7 16:35 specific-threats.rules
>>>>> -rw-r--r-- 1 1210 1210 546411 Jun 7 16:35 spyware-put.rules
>>>>> -rw-r--r-- 1 1210 1210 46695 Jun 7 16:35 sql.rules
>>>>> -rw-r--r-- 1 1210 1210 7904 Jun 7 16:35 telnet.rules
>>>>> -rw-r--r-- 1 1210 1210 6410 Jun 7 16:35 tftp.rules
>>>>> -rw-r--r-- 1 1210 1210 1574 Jun 7 16:35 virus.rules
>>>>> -rw-r--r-- 1 1210 1210 26552 Jun 7 16:35 voip.rules
>>>>> -rw-r--r-- 1 1210 1210 1943280 Jun 7 16:35 web-activex.rules
>>>>> -rw-r--r-- 1 1210 1210 1470 Jun 7 16:35 web-attacks.rules
>>>>> -rw-r--r-- 1 1210 1210 119084 Jun 7 16:35 web-cgi.rules
>>>>> -rw-r--r-- 1 1210 1210 264702 Jun 7 16:35 web-client.rules
>>>>> -rw-r--r-- 1 1210 1210 14403 Jun 7 16:35 web-coldfusion.rules
>>>>> -rw-r--r-- 1 1210 1210 12895 Jun 7 16:35 web-frontpage.rules
>>>>> -rw-r--r-- 1 1210 1210 53052 Jun 7 16:35 web-iis.rules
>>>>> -rw-r--r-- 1 1210 1210 221135 Jun 7 16:35 web-misc.rules
>>>>> -rw-r--r-- 1 1210 1210 51100 Jun 7 16:35 web-php.rules
>>>>> -rw-r--r-- 1 1210 1210 1891 Jun 7 16:35 x11.rules
>>>>>
>>>>> On Jul 8, 2011, at 11:18 AM, Michael Lubinski <michael.lubinski at ...11827...>
>>>>> wrote:
>>>>>
>>>>> What is in the rules directory?
>>>>>
>>>>> On Fri, Jul 8, 2011 at 2:09 PM, Damien Hull <dhull at ...15333...> wrote:
>>>>>
>>>>>> I compiled snort for Ubuntu 10.04 following the instructions on the
>>>>>> snort website. I installed the snort rules. Snort and barnyard2 start.
>>>>>> There are snort files in /var/log/snort. However, there's nothing in
>>>>>> the log files. The database doesn't contain any info.
>>>>>>
>>>>>> I did a port scan of the system. I'm assuming snort should pick that
>>>>>> up. Again, nothing in the log files or in the database. I'm using
>>>>>> snort report just like the documentation says.
>>>>>>
>>>>>> Can someone point me in some kind of direction? I must be missing
>>>>>> something.
>>>>>>
>>>>>>
>>>>>>
>>>>>> ------------------------------------------------------------------------------
>>>>>> All of the data generated in your IT infrastructure is seriously valuable.
>>>>>> Why? It contains a definitive record of application performance, security
>>>>>> threats, fraudulent activity, and more. Splunk takes this data and makes
>>>>>> sense of it. IT sense. And common sense.
>>>>>> http://p.sf.net/sfu/splunk-d2d-c2
>>>>>> _______________________________________________
>>>>>> Snort-users mailing list
>>>>>> Snort-users at lists.sourceforge.net
>>>>>> Go to this URL to change user options or unsubscribe:
>>>>>> https://lists.sourceforge.net/lists/listinfo/snort-users
>>>>>> Snort-users list archive:
>>>>>> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>>>>>>
>>>>>> Please see http://www.snort.org/docs for documentation
>>>>>>
>>>>>
>>>>>
>>>>
>>>
>
>
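Martin's advice at the top of the thread (syslog output alongside unified2) and the rc.local quoted further down come down to a handful of checks on the hand-off between snort and barnyard2. The script below is an added example, not code from the thread or from the Snort project; it assumes the paths from Damien's rc.local and that the unified2 filename in snort.conf has to equal the prefix passed to barnyard2 with -f.

```shell
#!/bin/sh
# Added example (not from the thread or the Snort project): sanity-check the
# snort -> unified2 -> barnyard2 hand-off the thread is debugging. Default paths
# are the ones in Damien's rc.local (assumed), with gen-msg.map spelled correctly.

# 0 if snort.conf has an active (uncommented) "output unified2" line.
has_unified2_output() {
    grep -Eq '^[[:space:]]*output[[:space:]]+unified2' "$1"
}

# 0 if snort.conf also has "output alert_syslog", the cross-check Martin suggests:
# alerts in syslog but not in the database point at barnyard2, not at snort.
has_syslog_output() {
    grep -Eq '^[[:space:]]*output[[:space:]]+alert_syslog' "$1"
}

# Print the unified2 filename prefix from snort.conf, e.g. "snort.u2" from
# "output unified2: filename snort.u2, limit 128"; it must match barnyard2's -f.
unified2_filename() {
    sed -nE 's/^[[:space:]]*output[[:space:]]+unified2:.*filename[[:space:]]+([^,[:space:]]+).*/\1/p' "$1" | head -n 1
}

# 0 if snort has actually written at least one spool file with that prefix.
has_spool_files() {
    ls "$1"/"$2".* >/dev/null 2>&1
}

# Run every check, print PASS/FAIL per check, return the number of failures.
check_pipeline() {
    conf=$1 logdir=$2 prefix=$3 genmap=$4 sidmap=$5 fails=0
    report() {
        label=$1; shift
        if "$@"; then echo "PASS: $label"; else echo "FAIL: $label"; fails=$((fails + 1)); fi
    }
    report "unified2 output enabled in $conf" has_unified2_output "$conf"
    report "alert_syslog output enabled (cross-check)" has_syslog_output "$conf"
    report "unified2 filename matches barnyard2 -f ($prefix)" \
        test "$(unified2_filename "$conf")" = "$prefix"
    report "gen-msg.map readable ($genmap)" test -r "$genmap"
    report "sid-msg.map readable ($sidmap)" test -r "$sidmap"
    report "spool files $prefix.* present in $logdir" has_spool_files "$logdir" "$prefix"
    return "$fails"
}

# Stand-alone use with the thread's paths: sh check_barnyard2.sh run
if [ "${1:-}" = "run" ]; then
    check_pipeline /usr/local/snort/etc/snort.conf /var/log/snort snort.u2 \
        /usr/local/snort/etc/gen-msg.map /usr/local/snort/etc/sid-msg.map
fi
```

A non-zero exit count tells you which link is broken before you start reading barnyard2's own output; a missing spool file means snort never wrote unified2 records, so no barnyard2 setting can fix it.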
