[Snort-users] MySQL support for Snort 2.9.4

Jeremy Hoel jthoel at ...11827...
Tue Dec 11 23:19:50 EST 2012


Have you tried a newer version of by2?  They are up to 2.1.11.

Let me look for the bus error and get some other ideas.
On Dec 11, 2012 9:15 PM, "Kaya Saman" <kayasaman at ...11827...> wrote:

>  On 12/12/2012 04:07 AM, Jeremy Hoel wrote:
>
> And your barnyard2 is looking in the right directory for the snort.u2
> file?  Can you run by2 and paste the output?  And the command line you are
> calling for by2
>
>
> This is what I'm running:
>
> # /usr/local/bin/barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort
> -f snort.u2
> Running in Continuous mode
>
>         --== Initializing Barnyard2 ==--
> Initializing Input Plugins!
> Initializing Output Plugins!
> Parsing config file "/etc/snort/barnyard2.conf"
> Log directory = /var/log/barnyard2
> Node unique name is: localhost:trunk0
>
> database: compiled support for (mysql)
> database: configured to use mysql
> database: schema version = 107
> database:           host = <mod>
> database:           user = <mod>
> database:  database name = <mod>
> database:    sensor name = localhost:trunk0
> database:      sensor id = 9
> database:     sensor cid = 1
> database:  data encoding = hex
> database:   detail level = full
> database:     ignore_bpf = no
> database: using the "alert" facility
>
>         --== Initialization Complete ==--
>
>   ______   -*> Barnyard2 <*-
>  / ,,_  \  Version 2.1.9 (Build 263)
>  |o"  )~|  By the SecurixLive.com Team:
> http://www.securixlive.com/about.php
>  + '''' +  (C) Copyright 2008-2010 SecurixLive.
>
>            Snort by Martin Roesch & The Snort Team:
> http://www.snort.org/team.html
>            (C) Copyright 1998-2007 Sourcefire Inc., et al.
>
> Using waldo file '/etc/snort/barnyard2.waldo':
>     spool directory = /var/log/snort
>     spool filebase  = snort.u2
>     time_stamp      = 1355280273
>     record_idx      = 1
> Opened spool file '/var/log/snort/snort.u2.1355282592'
> Bus error
>
>  On Dec 11, 2012 8:50 PM, "Kaya Saman" <kayasaman at ...11827...> wrote:
>
>>  On 12/12/2012 03:37 AM, Jeremy Hoel wrote:
>>
>> Yeah you!
>>
>>
>> Next time someone in my house makes cookies everyone's invited :-)
>>
>>  Are you outputting snort in unified2 format and reading that with
>> barnyard2?
>>
>>
>> Yep:
>>
>> output unified2: filename snort.u2, limit 128
>>
>>  Share your snort.conf output lines.
>>
>>
>> Snort.conf is bog standard with:
>>
>> top customized with details of servers and IP addresses yada yada yada
>> ..... man snort.conf {am glossing as is trivial }
>>
>> I just changed:
>>
>> # Path to your rules files (this can be a relative path)
>> # Note for Windows users:  You are advised to make this an absolute path,
>> # such as:  c:\snort\rules
>> var RULE_PATH rules
>> var SO_RULE_PATH so_rules
>> var PREPROC_RULE_PATH preproc_rules
>>
>> # If you are using reputation preprocessor set these
>> # Currently there is a bug with relative paths, they are relative to
>> where snort is
>> # not relative to snort.conf like the above variables
>> # This is completely inconsistent with how other vars work, BUG 89986
>> # Set the absolute path appropriately
>> var WHITE_LIST_PATH rules
>> var BLACK_LIST_PATH rules
>>
>>
>> ###################################################
>> # Step #4: Configure dynamic loaded libraries.
>> # For more information, see Snort Manual, Configuring Snort - Dynamic
>> Modules
>> ###################################################
>>
>> # path to dynamic preprocessor libraries
>> dynamicpreprocessor directory /usr/local/lib/snort_dynamicpreprocessor/
>>
>> # path to base preprocessor engine
>> dynamicengine /usr/local/lib/snort_dynamicengine/libsf_engine.so
>>
>> # path to dynamic rules libraries
>> #dynamicdetection directory /usr/local/lib/snort_dynamicrules
>>
>>
>>
>> ###################################################
>> # Step #7: Customize your rule set
>> # For more information, see Snort Manual, Writing Snort Rules
>> #
>> # NOTE: All categories are enabled in this conf file
>> ###################################################
>>
>> # site specific rules
>> #include $RULE_PATH/local.rules
>>
>> #include $RULE_PATH/attack-responses.rules
>> #include $RULE_PATH/backdoor.rules
>> #include $RULE_PATH/bad-traffic.rules
>> #include $RULE_PATH/blacklist.rules
>> #include $RULE_PATH/botnet-cnc.rules
>> #include $RULE_PATH/chat.rules
>> #include $RULE_PATH/content-replace.rules
>> #include $RULE_PATH/ddos.rules
>> #include $RULE_PATH/dns.rules
>> #include $RULE_PATH/dos.rules
>> #include $RULE_PATH/exploit.rules
>> #include $RULE_PATH/file-identify.rules
>> #include $RULE_PATH/finger.rules
>> #include $RULE_PATH/ftp.rules
>> #include $RULE_PATH/icmp.rules
>> #include $RULE_PATH/icmp-info.rules
>> #include $RULE_PATH/imap.rules
>> #include $RULE_PATH/info.rules
>> #include $RULE_PATH/misc.rules
>> #include $RULE_PATH/multimedia.rules
>> #include $RULE_PATH/mysql.rules
>> #include $RULE_PATH/netbios.rules
>> #include $RULE_PATH/nntp.rules
>> #include $RULE_PATH/oracle.rules
>> #include $RULE_PATH/other-ids.rules
>> #include $RULE_PATH/p2p.rules
>> #include $RULE_PATH/phishing-spam.rules
>> #include $RULE_PATH/policy.rules
>> #include $RULE_PATH/pop2.rules
>> #include $RULE_PATH/pop3.rules
>> #include $RULE_PATH/rpc.rules
>> #include $RULE_PATH/rservices.rules
>> #include $RULE_PATH/scada.rules
>> #include $RULE_PATH/scan.rules
>> #include $RULE_PATH/shellcode.rules
>> #include $RULE_PATH/smtp.rules
>> #include $RULE_PATH/snmp.rules
>> #include $RULE_PATH/specific-threats.rules
>> #include $RULE_PATH/spyware-put.rules
>> #include $RULE_PATH/sql.rules
>> #include $RULE_PATH/telnet.rules
>> #include $RULE_PATH/tftp.rules
>> #include $RULE_PATH/virus.rules
>> #include $RULE_PATH/voip.rules
>> #include $RULE_PATH/web-activex.rules
>> #include $RULE_PATH/web-attacks.rules
>> #include $RULE_PATH/web-cgi.rules
>> #include $RULE_PATH/web-client.rules
>> #include $RULE_PATH/web-coldfusion.rules
>> #include $RULE_PATH/web-frontpage.rules
>> #include $RULE_PATH/web-iis.rules
>> #include $RULE_PATH/web-misc.rules
>> #include $RULE_PATH/web-php.rules
>> #include $RULE_PATH/x11.rules
>>
>>
>>
>> I also wrote a custom script'ish section to produce the file:
>>
>> #include $RULE_PATH/rule.set
>>
>> Basically:
>>
>> ls -l rules | cut -c 50-100 > rule.list
>> sed 's/^/include $RULE_PATH\//' rule.list > rule.set
>>
>>
>> This would be fine for adding any *.rules files to rule.list which then
>> gets transformed to rule.set; saves having to write out each line manually!
>>
>>
>> That's about it.......
>>
>>
>> # ls -lh /var/log/snort
>> total 837292
>> -rw-r--r--  1 _snort  _snort     0B Dec  4 01:21 alert
>> -rw-------  1 root    _snort   5.1K Dec 12 03:24 snort.u2.1355282592
>> -rw-------  1 root    _snort     0B Dec 12 03:26 snort.u2.1355282785
>> -rw-------  1 root    _snort  19.8M Dec 12 03:27 snort.u2.1355282811
>> -rw-------  1 root    _snort   128M Dec 12 03:32 snort.u2.1355282879
>> -rw-------  1 root    _snort   128M Dec 12 03:36 snort.u2.1355283128
>> -rw-------  1 root    _snort   128M Dec 12 03:41 snort.u2.1355283410
>> -rw-------  1 root    _snort   4.8M Dec 12 03:48 snort.u2.1355283668
>>
>>
>>
>> Now all I need to do is get Barnyard2 working and with a bit of luck will
>> start being able to see alerts back on Base.
>>
>> Phew, that was a trek and a half!
>>
>>  On Dec 11, 2012 8:29 PM, "Kaya Saman" <kayasaman at ...11827...> wrote:
>>
>>>  On 12/11/2012 09:54 PM, Joel Esler wrote:
>>>
>>>
>>>  Doesn't sound like that was the problem.  Looks like you have a larger
>>> problem.  Traffic not being received or analyzed correctly.  You said that
>>> all you were getting was icmp alerts, and that doesn't sound right (unless
>>> that's all you have)
>>>
>>>  --
>>> *Joel Esler*
>>> Senior Research Engineer, VRT
>>> OpenSource Community Manager
>>> Sourcefire
>>>
>>>
>>> Finally I got this working!!!! :-)
>>>
>>> Basically all I needed to do was to add the paths for these in and take
>>> out all the other obsolete rules which weren't working:
>>>
>>> include $RULE_PATH/decoder.rules
>>> include $RULE_PATH/preprocessor.rules
>>> include $RULE_PATH/sensitive-data.rules
>>>
>>> Now I get alerts even!
>>>
>>> The only issue is that Barnyard2 is now segfaulting when reading the
>>> Snort log files? :-( I keep getting "bus error" - which I've been having
>>> too much of lately!
>>>
>>>
>>> Thanks for all the help!
>>>
>>>
>>> Regards,
>>>
>>>
>>> Kaya
>>>
>>>
>>>
>>
>>
>
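The thread ends with barnyard2 dying on a bus error right after it opens the spool file, which is the point where a reader starts trusting the record headers inside the unified2 file. The checker below is an added example, not code from the thread, from Snort or from barnyard2: it walks the spool independently and refuses to run past the end of a short or partially written record. The 8-byte record header and the 52-byte legacy IPv4 event body are laid out as in Snort's unified2.h; the spool contents it runs on are constructed in the block, not taken from Kaya's logs.

```python
import struct

# Unified2 record header (unified2.h): big-endian uint32 type, uint32 length.
REC_HDR = struct.Struct("!II")
# Body of UNIFIED2_IDS_EVENT (type 7), the legacy IPv4 event record, 52 bytes.
IDS_EVENT = struct.Struct("!11I2H4B")
TYPE_NAMES = {2: "PACKET", 7: "IDS_EVENT", 72: "IDS_EVENT_IPV6",
              104: "IDS_EVENT_VLAN", 105: "IDS_EVENT_IPV6_VLAN", 110: "EXTRA_DATA"}

def walk_records(data):
    """Yield (offset, type, body) per record, stopping hard on a short read.

    A reader that trusts the length field without this bound check will run off
    the end of a truncated or still-being-written spool file."""
    off = 0
    while off < len(data):
        if len(data) - off < REC_HDR.size:
            raise ValueError("truncated record header at offset %d" % off)
        rtype, rlen = REC_HDR.unpack_from(data, off)
        body = data[off + REC_HDR.size: off + REC_HDR.size + rlen]
        if len(body) != rlen:
            raise ValueError("record at offset %d claims %d bytes, only %d present"
                             % (off, rlen, len(body)))
        yield off, rtype, body
        off += REC_HDR.size + rlen

def summarize_spool(data):
    """Return (record counts by type name, list of gid:sid:rev for IPv4 events)."""
    counts, sigs = {}, []
    for _, rtype, body in walk_records(data):
        name = TYPE_NAMES.get(rtype, "UNKNOWN(%d)" % rtype)
        counts[name] = counts.get(name, 0) + 1
        if rtype == 7 and len(body) == IDS_EVENT.size:
            f = IDS_EVENT.unpack(body)
            sigs.append("%d:%d:%d" % (f[5], f[4], f[6]))  # generator, signature, revision
    return counts, sigs

def make_event(sid, gid=1, rev=1):
    """Constructed sample: an IDS_EVENT record with only the signature fields set."""
    body = IDS_EVENT.pack(1, 1, 1355282592, 0, sid, gid, rev, 0, 0,
                          0x0A000001, 0x0A000002, 0, 0, 1, 0, 0, 0)
    return REC_HDR.pack(7, len(body)) + body

# Constructed spool: two events with an (empty) packet record between them.
SAMPLE = make_event(384) + REC_HDR.pack(2, 4) + b"\0" * 4 + make_event(2000, rev=3)

if __name__ == "__main__":
    print(summarize_spool(SAMPLE))
    try:
        summarize_spool(SAMPLE[:-10])  # simulate a partially written last record
    except ValueError as e:
        print("bad spool:", e)
```

To check a real file, replace `SAMPLE` with `open("/var/log/snort/snort.u2.1355282592", "rb").read()`; a ValueError points at the offset where the record chain stops adding up.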