[Snort-users] MySQL support for Snort 2.9.4

Kaya Saman kayasaman at ...11827...
Tue Dec 11 23:24:15 EST 2012


On 12/12/2012 04:19 AM, Jeremy Hoel wrote:
>
> Have you tried a newer version of by2?  They are up to 2.1.11.
>

Is this the development version?

From the site it only shows version 1.9: 
http://www.securixlive.com/barnyard2/download.php

> Let me look for the bus error and get some other ideas.
>

Thanks! It could be the fact that I'm using sparc, meaning something to 
do with aligned/unaligned access?



> On Dec 11, 2012 9:15 PM, "Kaya Saman" <kayasaman at ...11827... 
> <mailto:kayasaman at ...11827...>> wrote:
>
>     On 12/12/2012 04:07 AM, Jeremy Hoel wrote:
>>
>>     And your barnyard2 is looking in the right directory for the
>>     snort.u2 file?  Can you run by2 and paste the output?  And the
>>     command line you are calling for by2
>>
>
>     This is what I'm running:
>
>     # /usr/local/bin/barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort -f snort.u2
>     Running in Continuous mode
>
>             --== Initializing Barnyard2 ==--
>     Initializing Input Plugins!
>     Initializing Output Plugins!
>     Parsing config file "/etc/snort/barnyard2.conf"
>     Log directory = /var/log/barnyard2
>     Node unique name is: localhost:trunk0
>
>     database: compiled support for (mysql)
>     database: configured to use mysql
>     database: schema version = 107
>     database:           host = <mod>
>     database:           user = <mod>
>     database:  database name = <mod>
>     database:    sensor name = localhost:trunk0
>     database:      sensor id = 9
>     database:     sensor cid = 1
>     database:  data encoding = hex
>     database:   detail level = full
>     database:     ignore_bpf = no
>     database: using the "alert" facility
>
>             --== Initialization Complete ==--
>
>       ______   -*> Barnyard2 <*-
>      / ,,_  \  Version 2.1.9 (Build 263)
>      |o"  )~|  By the SecurixLive.com Team:
>     http://www.securixlive.com/about.php
>      + '''' +  (C) Copyright 2008-2010 SecurixLive.
>
>                Snort by Martin Roesch & The Snort Team:
>     http://www.snort.org/team.html
>                (C) Copyright 1998-2007 Sourcefire Inc., et al.
>
>     Using waldo file '/etc/snort/barnyard2.waldo':
>         spool directory = /var/log/snort
>         spool filebase  = snort.u2
>         time_stamp      = 1355280273
>         record_idx      = 1
>     Opened spool file '/var/log/snort/snort.u2.1355282592'
>     Bus error
>
>>     On Dec 11, 2012 8:50 PM, "Kaya Saman" <kayasaman at ...11827...
>>     <mailto:kayasaman at ...11827...>> wrote:
>>
>>         On 12/12/2012 03:37 AM, Jeremy Hoel wrote:
>>>
>>>         Yeah you!
>>>
>>
>>         Next time someone in my house makes cookies everyone's
>>         invited :-)
>>
>>>         Are you outputting snort in unified2 format and reading that
>>>         with barnyard2?
>>>
>>
>>         Yep:
>>
>>         output unified2: filename snort.u2, limit 128
>>
>>>         Share your snort.conf output lines.
>>>
>>
>>         Snort.conf is bog standard with:
>>
>>         top customized with details of servers and IP addresses yada
>>         yada yada ..... man snort.conf {am glossing as is trivial }
>>
>>         I just changed:
>>
>>         # Path to your rules files (this can be a relative path)
>>         # Note for Windows users:  You are advised to make this an absolute path,
>>         # such as:  c:\snort\rules
>>         var RULE_PATH rules
>>         var SO_RULE_PATH so_rules
>>         var PREPROC_RULE_PATH preproc_rules
>>
>>         # If you are using reputation preprocessor set these
>>         # Currently there is a bug with relative paths, they are relative to where snort is
>>         # not relative to snort.conf like the above variables
>>         # This is completely inconsistent with how other vars work, BUG 89986
>>         # Set the absolute path appropriately
>>         var WHITE_LIST_PATH rules
>>         var BLACK_LIST_PATH rules
>>
>>
>>         ###################################################
>>         # Step #4: Configure dynamic loaded libraries.
>>         # For more information, see Snort Manual, Configuring Snort - Dynamic Modules
>>         ###################################################
>>
>>         # path to dynamic preprocessor libraries
>>         dynamicpreprocessor directory /usr/local/lib/snort_dynamicpreprocessor/
>>
>>         # path to base preprocessor engine
>>         dynamicengine /usr/local/lib/snort_dynamicengine/libsf_engine.so
>>
>>         # path to dynamic rules libraries
>>         #dynamicdetection directory /usr/local/lib/snort_dynamicrules
>>
>>
>>
>>         ###################################################
>>         # Step #7: Customize your rule set
>>         # For more information, see Snort Manual, Writing Snort Rules
>>         #
>>         # NOTE: All categories are enabled in this conf file
>>         ###################################################
>>
>>         # site specific rules
>>         #include $RULE_PATH/local.rules
>>
>>         #include $RULE_PATH/attack-responses.rules
>>         #include $RULE_PATH/backdoor.rules
>>         #include $RULE_PATH/bad-traffic.rules
>>         #include $RULE_PATH/blacklist.rules
>>         #include $RULE_PATH/botnet-cnc.rules
>>         #include $RULE_PATH/chat.rules
>>         #include $RULE_PATH/content-replace.rules
>>         #include $RULE_PATH/ddos.rules
>>         #include $RULE_PATH/dns.rules
>>         #include $RULE_PATH/dos.rules
>>         #include $RULE_PATH/exploit.rules
>>         #include $RULE_PATH/file-identify.rules
>>         #include $RULE_PATH/finger.rules
>>         #include $RULE_PATH/ftp.rules
>>         #include $RULE_PATH/icmp.rules
>>         #include $RULE_PATH/icmp-info.rules
>>         #include $RULE_PATH/imap.rules
>>         #include $RULE_PATH/info.rules
>>         #include $RULE_PATH/misc.rules
>>         #include $RULE_PATH/multimedia.rules
>>         #include $RULE_PATH/mysql.rules
>>         #include $RULE_PATH/netbios.rules
>>         #include $RULE_PATH/nntp.rules
>>         #include $RULE_PATH/oracle.rules
>>         #include $RULE_PATH/other-ids.rules
>>         #include $RULE_PATH/p2p.rules
>>         #include $RULE_PATH/phishing-spam.rules
>>         #include $RULE_PATH/policy.rules
>>         #include $RULE_PATH/pop2.rules
>>         #include $RULE_PATH/pop3.rules
>>         #include $RULE_PATH/rpc.rules
>>         #include $RULE_PATH/rservices.rules
>>         #include $RULE_PATH/scada.rules
>>         #include $RULE_PATH/scan.rules
>>         #include $RULE_PATH/shellcode.rules
>>         #include $RULE_PATH/smtp.rules
>>         #include $RULE_PATH/snmp.rules
>>         #include $RULE_PATH/specific-threats.rules
>>         #include $RULE_PATH/spyware-put.rules
>>         #include $RULE_PATH/sql.rules
>>         #include $RULE_PATH/telnet.rules
>>         #include $RULE_PATH/tftp.rules
>>         #include $RULE_PATH/virus.rules
>>         #include $RULE_PATH/voip.rules
>>         #include $RULE_PATH/web-activex.rules
>>         #include $RULE_PATH/web-attacks.rules
>>         #include $RULE_PATH/web-cgi.rules
>>         #include $RULE_PATH/web-client.rules
>>         #include $RULE_PATH/web-coldfusion.rules
>>         #include $RULE_PATH/web-frontpage.rules
>>         #include $RULE_PATH/web-iis.rules
>>         #include $RULE_PATH/web-misc.rules
>>         #include $RULE_PATH/web-php.rules
>>         #include $RULE_PATH/x11.rules
>>
>>
>>
>>         I also wrote a custom script'ish section to produce the file:
>>
>>         #include $RULE_PATH/rule.set
>>
>>         Basically:
>>
>>         # list the *.rules file names only (ls -l column offsets vary by system)
>>         (cd rules && ls *.rules) > rule.list
>>         sed 's/^/include $RULE_PATH\//' rule.list > rule.set
>>
>>
>>         This would be fine for adding any *.rules files to rule.list
>>         which then gets transformed to rule.set; saves having to
>>         write out each line manually!
>>
>>
>>         That's about it.......
>>
>>
>>         # ls -lh /var/log/snort
>>         total 837292
>>         -rw-r--r--  1 _snort  _snort     0B Dec  4 01:21 alert
>>         -rw-------  1 root    _snort   5.1K Dec 12 03:24 snort.u2.1355282592
>>         -rw-------  1 root    _snort     0B Dec 12 03:26 snort.u2.1355282785
>>         -rw-------  1 root    _snort  19.8M Dec 12 03:27 snort.u2.1355282811
>>         -rw-------  1 root    _snort   128M Dec 12 03:32 snort.u2.1355282879
>>         -rw-------  1 root    _snort   128M Dec 12 03:36 snort.u2.1355283128
>>         -rw-------  1 root    _snort   128M Dec 12 03:41 snort.u2.1355283410
>>         -rw-------  1 root    _snort   4.8M Dec 12 03:48 snort.u2.1355283668
>>
>>
>>
>>         Now all I need to do is get Barnyard2 working and with a bit
>>         of luck will start being able to see alerts back on Base.
>>
>>         Phew, that was a trek and a half!
>>
>>>         On Dec 11, 2012 8:29 PM, "Kaya Saman" <kayasaman at ...11827...
>>>         <mailto:kayasaman at ...11827...>> wrote:
>>>
>>>             On 12/11/2012 09:54 PM, Joel Esler wrote:
>>>>
>>>>             Doesn't sound like that was the problem.  Looks like
>>>>             you have a larger problem.  Traffic not being received
>>>>             or analyzed correctly.  You said that all you were
>>>>             getting was icmp alerts, and that doesn't sound right
>>>>             (unless that's all you have)
>>>>
>>>>             --
>>>>             *Joel Esler*
>>>>             Senior Research Engineer, VRT
>>>>             OpenSource Community Manager
>>>>             Sourcefire
>>>>
>>>
>>>             Finally I got this working!!!! :-)
>>>
>>>             Basically all I needed to do was to add the paths for
>>>             these in and take out all the other obsolete rules which
>>>             weren't working:
>>>
>>>             include $RULE_PATH/decoder.rules
>>>             include $RULE_PATH/preprocessor.rules
>>>             include $RULE_PATH/sensitive-data.rules
>>>
>>>             Now I get alerts even!
>>>
>>>             The only issue is that Barnyard2 is now segfaulting when
>>>             reading the Snort log files? :-( I keep getting "bus
>>>             error" - which I've been having too much of lately!
>>>
>>>
>>>             Thanks for all the help!
>>>
>>>
>>>             Regards,
>>>
>>>
>>>             Kaya
>>>
>>>             ------------------------------------------------------------------------------
>>>             _______________________________________________
>>>             Snort-users mailing list
>>>             Snort-users at lists.sourceforge.net
>>>             <mailto:Snort-users at lists.sourceforge.net>
>>>             Go to this URL to change user options or unsubscribe:
>>>             https://lists.sourceforge.net/lists/listinfo/snort-users
>>>             Snort-users list archive:
>>>             http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>>>
>>>             Please visit http://blog.snort.org to stay current on
>>>             all the latest Snort news!
>>>
>>
>
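The "Bus error" that ends the barnyard2 run above, together with the guess about aligned/unaligned access on sparc, is the failure mode a reader of unified2 spool files can avoid by never dereferencing a byte pointer as a wider integer: on a strict-alignment CPU such as SPARC a 4-byte load from an address that is not a multiple of 4 raises SIGBUS. The following is an added example, not barnyard2's or Snort's own code. It walks the record headers of a constructed in-memory spool buffer byte by byte, and it rejects a truncated record rather than reading past the end of the buffer. The sample bytes, the function names (`read_be32`, `u2_walk`, `sample_record_count` and friends) and the assumed header layout (two big-endian uint32 fields, type then length, followed by `length` payload bytes) are this example's own; the two type codes are the ones Snort's Unified2_common.h defines.

```c
/* Added example (not barnyard2's or Snort's code): alignment-safe walk over
 * unified2 records in a byte buffer.  A cast such as
 *     *(const uint32_t *)(buf + off)
 * performs a 4-byte load at buf+off; once a record starts at an offset that
 * is not a multiple of 4, SPARC and other strict-alignment CPUs deliver
 * SIGBUS ("Bus error").  Reading the header a byte at a time never does
 * an unaligned load and is also independent of host endianness.
 * Assumed layout for this example: header = big-endian uint32 type, then
 * big-endian uint32 length, then `length` payload bytes. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Record type codes as defined in Snort's Unified2_common.h. */
#define UNIFIED2_PACKET    2
#define UNIFIED2_IDS_EVENT 7

/* Read a big-endian uint32 from four bytes without an unaligned load. */
static uint32_t read_be32(const unsigned char *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Walk the records in buf[0..len).  Stores up to max_types record types in
 * types[].  Returns the record count, or -1 if a header or a payload would
 * run past the end of the buffer (a truncated or corrupt spool file). */
int u2_walk(const unsigned char *buf, size_t len, uint32_t *types, int max_types)
{
    size_t off = 0;
    int n = 0;
    while (off < len) {
        if (len - off < 8)
            return -1;                       /* header cut short */
        uint32_t type = read_be32(buf + off);
        uint32_t rlen = read_be32(buf + off + 4);
        if (rlen > len - off - 8)
            return -1;                       /* payload cut short */
        if (n < max_types)
            types[n] = type;
        n++;
        off += 8 + rlen;
    }
    return n;
}

/* Constructed sample spool of two records.  The second header begins at
 * byte offset 11, i.e. misaligned for a 4-byte load. */
static const unsigned char sample[] = {
    0, 0, 0, 7,  0, 0, 0, 3,  'a', 'b', 'c',          /* IDS event, 3 bytes */
    0, 0, 0, 2,  0, 0, 0, 5,  1, 2, 3, 4, 5           /* packet, 5 bytes    */
};

/* Constructed truncated spool: the header claims 100 payload bytes but
 * only 2 follow, as happens when a spool file is read while being written. */
static const unsigned char truncated[] = {
    0, 0, 0, 7,  0, 0, 0, 100,  9, 9
};

int sample_record_count(void)
{
    uint32_t types[4];
    return u2_walk(sample, sizeof sample, types, 4);
}

uint32_t sample_record_type(int i)
{
    uint32_t types[4] = {0, 0, 0, 0};
    u2_walk(sample, sizeof sample, types, 4);
    return (i >= 0 && i < 4) ? types[i] : 0;
}

int truncated_record_count(void)
{
    uint32_t types[4];
    return u2_walk(truncated, sizeof truncated, types, 4);
}

int main(void)
{
    printf("sample: %d records, types %u and %u\n",
           sample_record_count(),
           (unsigned)sample_record_type(0), (unsigned)sample_record_type(1));
    printf("truncated spool: %d (rejected)\n", truncated_record_count());
    return 0;
}
```

The byte-at-a-time read is the whole point: it is the one construction that is correct on every CPU regardless of how the buffer or the record boundaries are aligned, and it costs nothing measurable next to the disk read. The length check before advancing is the companion practice, since barnyard2 reads a spool file that Snort may still be appending to.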
