[Snort-users] MySQL support for Snort 2.9.4

Jeremy Hoel jthoel at ...11827...
Tue Dec 11 23:07:30 EST 2012


And your barnyard2 is looking in the right directory for the snort.u2
file?  Can you run by2 and paste the output?  And the command line you are
using to call by2?
On Dec 11, 2012 8:50 PM, "Kaya Saman" <kayasaman at ...11827...> wrote:

>  On 12/12/2012 03:37 AM, Jeremy Hoel wrote:
>
> Yeah you!
>
>
> Next time someone in my house makes cookies everyone's invited :-)
>
>  Are you outputting snort in unified2 format and reading that with
> barnyard2?
>
>
> Yep:
>
> output unified2: filename snort.u2, limit 128
>
>  Share your snort.conf output lines.
>
>
> Snort.conf is bog standard with:
>
> top customized with details of servers and IP addresses yada yada yada
> ..... man snort.conf {am glossing as is trivial }
>
> I just changed:
>
> # Path to your rules files (this can be a relative path)
> # Note for Windows users:  You are advised to make this an absolute path,
> # such as:  c:\snort\rules
> var RULE_PATH rules
> var SO_RULE_PATH so_rules
> var PREPROC_RULE_PATH preproc_rules
>
> # If you are using reputation preprocessor set these
> # Currently there is a bug with relative paths, they are relative to where snort is
> # not relative to snort.conf like the above variables
> # This is completely inconsistent with how other vars work, BUG 89986
> # Set the absolute path appropriately
> var WHITE_LIST_PATH rules
> var BLACK_LIST_PATH rules
>
>
> ###################################################
> # Step #4: Configure dynamic loaded libraries.
> # For more information, see Snort Manual, Configuring Snort - Dynamic Modules
> ###################################################
>
> # path to dynamic preprocessor libraries
> dynamicpreprocessor directory /usr/local/lib/snort_dynamicpreprocessor/
>
> # path to base preprocessor engine
> dynamicengine /usr/local/lib/snort_dynamicengine/libsf_engine.so
>
> # path to dynamic rules libraries
> #dynamicdetection directory /usr/local/lib/snort_dynamicrules
>
>
>
> ###################################################
> # Step #7: Customize your rule set
> # For more information, see Snort Manual, Writing Snort Rules
> #
> # NOTE: All categories are enabled in this conf file
> ###################################################
>
> # site specific rules
> #include $RULE_PATH/local.rules
>
> #include $RULE_PATH/attack-responses.rules
> #include $RULE_PATH/backdoor.rules
> #include $RULE_PATH/bad-traffic.rules
> #include $RULE_PATH/blacklist.rules
> #include $RULE_PATH/botnet-cnc.rules
> #include $RULE_PATH/chat.rules
> #include $RULE_PATH/content-replace.rules
> #include $RULE_PATH/ddos.rules
> #include $RULE_PATH/dns.rules
> #include $RULE_PATH/dos.rules
> #include $RULE_PATH/exploit.rules
> #include $RULE_PATH/file-identify.rules
> #include $RULE_PATH/finger.rules
> #include $RULE_PATH/ftp.rules
> #include $RULE_PATH/icmp.rules
> #include $RULE_PATH/icmp-info.rules
> #include $RULE_PATH/imap.rules
> #include $RULE_PATH/info.rules
> #include $RULE_PATH/misc.rules
> #include $RULE_PATH/multimedia.rules
> #include $RULE_PATH/mysql.rules
> #include $RULE_PATH/netbios.rules
> #include $RULE_PATH/nntp.rules
> #include $RULE_PATH/oracle.rules
> #include $RULE_PATH/other-ids.rules
> #include $RULE_PATH/p2p.rules
> #include $RULE_PATH/phishing-spam.rules
> #include $RULE_PATH/policy.rules
> #include $RULE_PATH/pop2.rules
> #include $RULE_PATH/pop3.rules
> #include $RULE_PATH/rpc.rules
> #include $RULE_PATH/rservices.rules
> #include $RULE_PATH/scada.rules
> #include $RULE_PATH/scan.rules
> #include $RULE_PATH/shellcode.rules
> #include $RULE_PATH/smtp.rules
> #include $RULE_PATH/snmp.rules
> #include $RULE_PATH/specific-threats.rules
> #include $RULE_PATH/spyware-put.rules
> #include $RULE_PATH/sql.rules
> #include $RULE_PATH/telnet.rules
> #include $RULE_PATH/tftp.rules
> #include $RULE_PATH/virus.rules
> #include $RULE_PATH/voip.rules
> #include $RULE_PATH/web-activex.rules
> #include $RULE_PATH/web-attacks.rules
> #include $RULE_PATH/web-cgi.rules
> #include $RULE_PATH/web-client.rules
> #include $RULE_PATH/web-coldfusion.rules
> #include $RULE_PATH/web-frontpage.rules
> #include $RULE_PATH/web-iis.rules
> #include $RULE_PATH/web-misc.rules
> #include $RULE_PATH/web-php.rules
> #include $RULE_PATH/x11.rules
>
>
>
> I also wrote a custom script'ish section to produce the file:
>
> #include $RULE_PATH/rule.set
>
> Basically:
>
> # list only the *.rules files by name; fixed character columns from ls -l
> # break whenever the owner, size or date widths change
> ls rules | grep '\.rules$' > rule.list
> sed 's/^/include $RULE_PATH\//' rule.list > rule.set
>
>
> This would be fine for adding any *.rules files to rule.list which then
> gets transformed to rule.set; saves having to write out each line manually!
>
>
> That's about it.......
>
>
> # ls -lh /var/log/snort
> total 837292
> -rw-r--r--  1 _snort  _snort     0B Dec  4 01:21 alert
> -rw-------  1 root    _snort   5.1K Dec 12 03:24 snort.u2.1355282592
> -rw-------  1 root    _snort     0B Dec 12 03:26 snort.u2.1355282785
> -rw-------  1 root    _snort  19.8M Dec 12 03:27 snort.u2.1355282811
> -rw-------  1 root    _snort   128M Dec 12 03:32 snort.u2.1355282879
> -rw-------  1 root    _snort   128M Dec 12 03:36 snort.u2.1355283128
> -rw-------  1 root    _snort   128M Dec 12 03:41 snort.u2.1355283410
> -rw-------  1 root    _snort   4.8M Dec 12 03:48 snort.u2.1355283668
>
>
>
> Now all I need to do is get Barnyard2 working and with a bit of luck will
> start being able to see alerts back on Base.
>
> Phew, that was a trek and a half!
>
>  On Dec 11, 2012 8:29 PM, "Kaya Saman" <kayasaman at ...11827...> wrote:
>
>>  On 12/11/2012 09:54 PM, Joel Esler wrote:
>>
>>
>>  Doesn't sound like that was the problem.  Looks like you have a larger
>> problem.  Traffic not being received or analyzed correctly.  You said that
>> all you were getting was icmp alerts, and that doesn't sound right (unless
>> that's all you have)
>>
>>  --
>> *Joel Esler*
>> Senior Research Engineer, VRT
>> OpenSource Community Manager
>> Sourcefire
>>
>>
>> Finally I got this working!!!! :-)
>>
>> Basically all I needed to do was to add the paths for these in and take
>> out all the other obsolete rules which weren't working:
>>
>> include $RULE_PATH/decoder.rules
>> include $RULE_PATH/preprocessor.rules
>> include $RULE_PATH/sensitive-data.rules
>>
>> Now I get alerts even!
>>
>> The only issue is that Barnyard2 is now segfaulting when reading the
>> Snort log files? :-( I keep getting "bus error" - which I've been having
>> too much of lately!
>>
>>
>> Thanks for all the help!
>>
>>
>> Regards,
>>
>>
>> Kaya
>>
>>
>>
>
>
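Added example, not code from the thread, Snort or barnyard2: a small Python walker that checks whether a snort.u2 file is made of whole unified2 records, which is the first thing to verify when a reader crashes on it. It follows the unified2 layout (an 8-byte header of type and length in network byte order, and the 52-byte legacy IDS event body, type 7); the sample bytes are constructed inline, and the only assumed input is an optional file path argument.

```python
import socket
import struct
import sys

# Unified2 record types from Snort's unified2 header; everything other than
# the legacy IDS event is treated as an opaque body here.
UNIFIED2_PACKET = 2
UNIFIED2_IDS_EVENT = 7
HEADER = struct.Struct("!II")                     # type, length
IDS_EVENT = struct.Struct("!IIIIIIIIIIIHHBBBB")   # 52-byte legacy event body

def decode_ids_event(body):
    """Pull the fields an analyst wants out of a legacy IDS event body."""
    f = IDS_EVENT.unpack(body)
    return {
        "event_id": f[1], "timestamp": f[2],
        "gid": f[5], "sid": f[4], "rev": f[6],
        "src": socket.inet_ntoa(struct.pack("!I", f[9])),
        "dst": socket.inet_ntoa(struct.pack("!I", f[10])),
        "sport": f[11], "dport": f[12], "proto": f[13],
    }

def walk_unified2(data):
    """Return ([(offset, type, body), ...], truncated) for a unified2 byte string.
    Walking stops at the first record whose declared length runs past the data,
    which is what a reader sees on a file cut off mid-write or corrupted."""
    records, offset = [], 0
    while offset + HEADER.size <= len(data):
        rtype, length = HEADER.unpack_from(data, offset)
        body = data[offset + HEADER.size: offset + HEADER.size + length]
        if len(body) < length:
            return records, True
        records.append((offset, rtype, body))
        offset += HEADER.size + length
    return records, offset != len(data)

def build_sample():
    """Constructed sample: one IDS event and one packet record (clean file),
    then the same file with a torn record appended."""
    ip = lambda s: struct.unpack("!I", socket.inet_aton(s))[0]
    event = IDS_EVENT.pack(1, 42, 1355282592, 0, 1000001, 1, 3, 29, 3,
                           ip("10.0.0.5"), ip("192.0.2.10"), 40123, 80, 6, 0, 0, 0)
    packet = b"\x00" * 28 + b"\x45\x00"            # opaque placeholder body
    clean = (HEADER.pack(UNIFIED2_IDS_EVENT, len(event)) + event
             + HEADER.pack(UNIFIED2_PACKET, len(packet)) + packet)
    torn = HEADER.pack(UNIFIED2_IDS_EVENT, 52) + b"\x00" * 10
    return clean, clean + torn

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample()[1]
    recs, truncated = walk_unified2(data)
    for off, rtype, body in recs:
        print(off, rtype, decode_ids_event(body) if rtype == UNIFIED2_IDS_EVENT else len(body))
    print("truncated record at end:", truncated)
```

Pointing it at one of the files in the listing above shows how far that file parses before the first bad record, which narrows a reader crash to either a damaged file or the reader itself.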

