[Snort-users] MySQL support for Snort 2.9.4

Joel Esler jesler at ...1935...
Tue Dec 11 22:51:46 EST 2012


If you run pulledpork in its default configuration, you can just use snort.rules.

--
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire

On Dec 11, 2012, at 10:50 PM, Kaya Saman <kayasaman at ...11827...> wrote:

> On 12/12/2012 03:37 AM, Jeremy Hoel wrote:
>> Yeah you! 
>> 
> 
> Next time someone in my house makes cookies everyone's invited :-)
> 
>> Are you outputting snort in unified2 format and reading that with barnyard2?
>> 
> 
> Yep:
> 
> output unified2: filename snort.u2, limit 128
> 
>> Share your snort.conf output lines. 
>> 
> 
> Snort.conf is bog standard with:
> 
> top customized with details of servers and IP addresses yada yada yada ..... man snort.conf {am glossing as is trivial }
> 
> I just changed:
> 
> # Path to your rules files (this can be a relative path)
> # Note for Windows users:  You are advised to make this an absolute path,
> # such as:  c:\snort\rules
> var RULE_PATH rules
> var SO_RULE_PATH so_rules
> var PREPROC_RULE_PATH preproc_rules
> 
> # If you are using reputation preprocessor set these
> # Currently there is a bug with relative paths, they are relative to where snort is
> # not relative to snort.conf like the above variables
> # This is completely inconsistent with how other vars work, BUG 89986
> # Set the absolute path appropriately
> var WHITE_LIST_PATH rules
> var BLACK_LIST_PATH rules
> 
> 
> ###################################################
> # Step #4: Configure dynamic loaded libraries.  
> # For more information, see Snort Manual, Configuring Snort - Dynamic Modules
> ###################################################
> 
> # path to dynamic preprocessor libraries
> dynamicpreprocessor directory /usr/local/lib/snort_dynamicpreprocessor/
> 
> # path to base preprocessor engine
> dynamicengine /usr/local/lib/snort_dynamicengine/libsf_engine.so
> 
> # path to dynamic rules libraries
> #dynamicdetection directory /usr/local/lib/snort_dynamicrules
> 
> 
> 
> ###################################################
> # Step #7: Customize your rule set
> # For more information, see Snort Manual, Writing Snort Rules
> #
> # NOTE: All categories are enabled in this conf file
> ###################################################
> 
> # site specific rules
> #include $RULE_PATH/local.rules
> 
> #include $RULE_PATH/attack-responses.rules
> #include $RULE_PATH/backdoor.rules
> #include $RULE_PATH/bad-traffic.rules
> #include $RULE_PATH/blacklist.rules
> #include $RULE_PATH/botnet-cnc.rules
> #include $RULE_PATH/chat.rules
> #include $RULE_PATH/content-replace.rules
> #include $RULE_PATH/ddos.rules
> #include $RULE_PATH/dns.rules
> #include $RULE_PATH/dos.rules
> #include $RULE_PATH/exploit.rules
> #include $RULE_PATH/file-identify.rules
> #include $RULE_PATH/finger.rules
> #include $RULE_PATH/ftp.rules
> #include $RULE_PATH/icmp.rules
> #include $RULE_PATH/icmp-info.rules
> #include $RULE_PATH/imap.rules
> #include $RULE_PATH/info.rules
> #include $RULE_PATH/misc.rules
> #include $RULE_PATH/multimedia.rules
> #include $RULE_PATH/mysql.rules
> #include $RULE_PATH/netbios.rules
> #include $RULE_PATH/nntp.rules
> #include $RULE_PATH/oracle.rules
> #include $RULE_PATH/other-ids.rules
> #include $RULE_PATH/p2p.rules
> #include $RULE_PATH/phishing-spam.rules
> #include $RULE_PATH/policy.rules
> #include $RULE_PATH/pop2.rules
> #include $RULE_PATH/pop3.rules
> #include $RULE_PATH/rpc.rules
> #include $RULE_PATH/rservices.rules
> #include $RULE_PATH/scada.rules
> #include $RULE_PATH/scan.rules
> #include $RULE_PATH/shellcode.rules
> #include $RULE_PATH/smtp.rules
> #include $RULE_PATH/snmp.rules
> #include $RULE_PATH/specific-threats.rules
> #include $RULE_PATH/spyware-put.rules
> #include $RULE_PATH/sql.rules
> #include $RULE_PATH/telnet.rules
> #include $RULE_PATH/tftp.rules
> #include $RULE_PATH/virus.rules
> #include $RULE_PATH/voip.rules
> #include $RULE_PATH/web-activex.rules
> #include $RULE_PATH/web-attacks.rules
> #include $RULE_PATH/web-cgi.rules
> #include $RULE_PATH/web-client.rules
> #include $RULE_PATH/web-coldfusion.rules
> #include $RULE_PATH/web-frontpage.rules
> #include $RULE_PATH/web-iis.rules
> #include $RULE_PATH/web-misc.rules
> #include $RULE_PATH/web-php.rules
> #include $RULE_PATH/x11.rules
> 
> 
> 
> I also wrote a custom script'ish section to produce the file:
> 
> #include $RULE_PATH/rule.set
> 
> Basically:
> 
> ls rules | grep '\.rules$' > rule.list
> sed 's/^/include $RULE_PATH\//' rule.list > rule.set
> 
> 
> This would be fine for adding any *.rules files to rule.list which then gets transformed to rule.set; saves having to write out each line manually!
> 
> 
> That's about it.......
> 
> 
> # ls -lh /var/log/snort
> total 837292
> -rw-r--r--  1 _snort  _snort     0B Dec  4 01:21 alert
> -rw-------  1 root    _snort   5.1K Dec 12 03:24 snort.u2.1355282592
> -rw-------  1 root    _snort     0B Dec 12 03:26 snort.u2.1355282785
> -rw-------  1 root    _snort  19.8M Dec 12 03:27 snort.u2.1355282811
> -rw-------  1 root    _snort   128M Dec 12 03:32 snort.u2.1355282879
> -rw-------  1 root    _snort   128M Dec 12 03:36 snort.u2.1355283128
> -rw-------  1 root    _snort   128M Dec 12 03:41 snort.u2.1355283410
> -rw-------  1 root    _snort   4.8M Dec 12 03:48 snort.u2.1355283668
> 
> 
> 
> Now all I need to do is get Barnyard2 working and with a bit of luck will start being able to see alerts back on Base.
> 
> Phew, that was a trek and a half!
> 
>> On Dec 11, 2012 8:29 PM, "Kaya Saman" <kayasaman at ...11827...> wrote:
>> On 12/11/2012 09:54 PM, Joel Esler wrote:
>>> 
>>> Doesn't sound like that was the problem.  Looks like you have a larger problem.  Traffic not being received or analyzed correctly.  You said that all you were getting was icmp alerts, and that doesn't sound right (unless that's all you have)
>>> 
>>> --
>>> Joel Esler
>>> Senior Research Engineer, VRT
>>> OpenSource Community Manager
>>> Sourcefire
>>> 
>> 
>> Finally I got this working!!!! :-)
>> 
>> Basically all I needed to do was to add the paths for these in and take out all the other obsolete rules which weren't working:
>> 
>> include $RULE_PATH/decoder.rules
>> include $RULE_PATH/preprocessor.rules
>> include $RULE_PATH/sensitive-data.rules
>> 
>> Now I get alerts even!
>> 
>> The only issue is that Barnyard2 is now segfaulting when reading the Snort log files? :-( I keep getting "bus error" - which I've been having too much of lately!
>> 
>> 
>> Thanks for all the help!
>> 
>> 
>> Regards,
>> 
>> 
>> Kaya
>> 
> 

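Added example, not code from the thread: a shell version of the rule.set generator described above that does not depend on the column positions of ls -l, plus a check that flags include lines pointing at missing or empty rule files (the stale includes that had to be taken out of snort.conf in this thread). The function names gen_rule_set and check_rule_set are hypothetical; the $RULE_PATH variable and rules directory follow the quoted snort.conf.

```sh
#!/bin/sh
# Added example, not code from the thread. Builds the rule.set fragment the
# way the ls | cut | sed pipeline above does, but without depending on the
# column layout of ls -l, and adds a check for stale includes (the "obsolete
# rules which weren't working" in the thread). Function names are hypothetical.

# Print "include $RULE_PATH/<file>" for every non-empty regular *.rules file
# directly inside $1, sorted. Output goes to stdout; redirect it to rule.set.
gen_rule_set() {
    dir=$1
    [ -d "$dir" ] || { echo "gen_rule_set: $dir is not a directory" >&2; return 1; }
    find "$dir" -maxdepth 1 -type f -name '*.rules' -size +0c \
        | sed 's|.*/||' \
        | LC_ALL=C sort \
        | sed 's|^|include $RULE_PATH/|'
}

# Verify a rule.set (or snort.conf fragment): every active "include" line
# must point at a non-empty file under $2, the directory RULE_PATH names.
# Commented-out lines (#include ...) are ignored. Returns 1 if anything is
# missing, so it can gate a Snort restart.
check_rule_set() {
    set_file=$1; rule_dir=$2; missing=0
    while IFS= read -r line; do
        case $line in
            include\ *) file=${line#include }; file=${file##*/} ;;  # file name only
            *) continue ;;
        esac
        if [ ! -s "$rule_dir/$file" ]; then
            echo "check_rule_set: missing or empty: $file" >&2
            missing=$((missing + 1))
        fi
    done < "$set_file"
    [ "$missing" -eq 0 ]
}

# Constructed demo directory: two real rule files, one empty file, one
# non-.rules file, plus a rule.set that also references a file that is gone.
demo=$(mktemp -d)
printf 'alert icmp any any -> any any (msg:"demo icmp"; sid:1000001; rev:1;)\n' > "$demo/local.rules"
printf 'alert tcp any any -> any 80 (msg:"demo web"; sid:1000002; rev:1;)\n' > "$demo/web-misc.rules"
: > "$demo/empty.rules"
printf 'not a rule file\n' > "$demo/README"
gen_rule_set "$demo" > "$demo/rule.set"        # local.rules and web-misc.rules only
echo 'include $RULE_PATH/backdoor.rules' >> "$demo/rule.set"   # stale entry
cat "$demo/rule.set"
check_rule_set "$demo/rule.set" "$demo" || echo "rule.set has stale includes"
rm -rf "$demo"
```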