[Snort-users] MySQL support for Snort 2.9.4

Jeremy Hoel jthoel at ...11827...
Tue Dec 11 23:26:32 EST 2012


A better source is the GitHub repository. Securixlive hasn't been updated as
much.
On Dec 11, 2012 9:24 PM, "Kaya Saman" <kayasaman at ...11827...> wrote:

>  On 12/12/2012 04:19 AM, Jeremy Hoel wrote:
>
> Have you tried a newer version of by2?  They are up to 2.1.11.
>
>
> Is this the development version?
>
> From the site it only shows version 1.9:
> http://www.securixlive.com/barnyard2/download.php
>
>  Let me look for the bus error and get some other ideas.
>
>
> Thanks! It could be the fact that I'm using sparc meaning something to do
> with aligned/unaligned access?
>
>
>
>  On Dec 11, 2012 9:15 PM, "Kaya Saman" <kayasaman at ...11827...> wrote:
>
>>  On 12/12/2012 04:07 AM, Jeremy Hoel wrote:
>>
>> And your barnyard2 is looking in the right directory for the snort.u2
>> file?  Can you run by2 and paste the output?  And the command line you are
>> calling for by2
>>
>>
>> This is what I'm running:
>>
>> # /usr/local/bin/barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort
>> -f snort.u2
>> Running in Continuous mode
>>
>>         --== Initializing Barnyard2 ==--
>> Initializing Input Plugins!
>> Initializing Output Plugins!
>> Parsing config file "/etc/snort/barnyard2.conf"
>> Log directory = /var/log/barnyard2
>> Node unique name is: localhost:trunk0
>>
>> database: compiled support for (mysql)
>> database: configured to use mysql
>> database: schema version = 107
>> database:           host = <mod>
>> database:           user = <mod>
>> database:  database name = <mod>
>> database:    sensor name = localhost:trunk0
>> database:      sensor id = 9
>> database:     sensor cid = 1
>> database:  data encoding = hex
>> database:   detail level = full
>> database:     ignore_bpf = no
>> database: using the "alert" facility
>>
>>         --== Initialization Complete ==--
>>
>>   ______   -*> Barnyard2 <*-
>>  / ,,_  \  Version 2.1.9 (Build 263)
>>  |o"  )~|  By the SecurixLive.com Team:
>> http://www.securixlive.com/about.php
>>  + '''' +  (C) Copyright 2008-2010 SecurixLive.
>>
>>            Snort by Martin Roesch & The Snort Team:
>> http://www.snort.org/team.html
>>            (C) Copyright 1998-2007 Sourcefire Inc., et al.
>>
>> Using waldo file '/etc/snort/barnyard2.waldo':
>>     spool directory = /var/log/snort
>>     spool filebase  = snort.u2
>>     time_stamp      = 1355280273
>>     record_idx      = 1
>> Opened spool file '/var/log/snort/snort.u2.1355282592'
>> Bus error
>>
>>  On Dec 11, 2012 8:50 PM, "Kaya Saman" <kayasaman at ...11827...> wrote:
>>
>>>  On 12/12/2012 03:37 AM, Jeremy Hoel wrote:
>>>
>>> Yeah you!
>>>
>>>
>>> Next time someone in my house makes cookies everyone's invited :-)
>>>
>>>  Are you outputting snort in unified2 format and reading that with
>>> barnyard2?
>>>
>>>
>>> Yep:
>>>
>>> output unified2: filename snort.u2, limit 128
>>>
>>>  Share your snort.conf output lines.
>>>
>>>
>>> Snort.conf is bog standard with:
>>>
>>> top customized with details of servers and IP addresses yada yada yada
>>> ..... man snort.conf {am glossing as is trivial }
>>>
>>> I just changed:
>>>
>>> # Path to your rules files (this can be a relative path)
>>> # Note for Windows users:  You are advised to make this an absolute path,
>>> # such as:  c:\snort\rules
>>> var RULE_PATH rules
>>> var SO_RULE_PATH so_rules
>>> var PREPROC_RULE_PATH preproc_rules
>>>
>>> # If you are using reputation preprocessor set these
>>> # Currently there is a bug with relative paths, they are relative to
>>> where snort is
>>> # not relative to snort.conf like the above variables
>>> # This is completely inconsistent with how other vars work, BUG 89986
>>> # Set the absolute path appropriately
>>> var WHITE_LIST_PATH rules
>>> var BLACK_LIST_PATH rules
>>>
>>>
>>> ###################################################
>>> # Step #4: Configure dynamic loaded libraries.
>>> # For more information, see Snort Manual, Configuring Snort - Dynamic
>>> Modules
>>> ###################################################
>>>
>>> # path to dynamic preprocessor libraries
>>> dynamicpreprocessor directory /usr/local/lib/snort_dynamicpreprocessor/
>>>
>>> # path to base preprocessor engine
>>> dynamicengine /usr/local/lib/snort_dynamicengine/libsf_engine.so
>>>
>>> # path to dynamic rules libraries
>>> #dynamicdetection directory /usr/local/lib/snort_dynamicrules
>>>
>>>
>>>
>>> ###################################################
>>> # Step #7: Customize your rule set
>>> # For more information, see Snort Manual, Writing Snort Rules
>>> #
>>> # NOTE: All categories are enabled in this conf file
>>> ###################################################
>>>
>>> # site specific rules
>>> #include $RULE_PATH/local.rules
>>>
>>> #include $RULE_PATH/attack-responses.rules
>>> #include $RULE_PATH/backdoor.rules
>>> #include $RULE_PATH/bad-traffic.rules
>>> #include $RULE_PATH/blacklist.rules
>>> #include $RULE_PATH/botnet-cnc.rules
>>> #include $RULE_PATH/chat.rules
>>> #include $RULE_PATH/content-replace.rules
>>> #include $RULE_PATH/ddos.rules
>>> #include $RULE_PATH/dns.rules
>>> #include $RULE_PATH/dos.rules
>>> #include $RULE_PATH/exploit.rules
>>> #include $RULE_PATH/file-identify.rules
>>> #include $RULE_PATH/finger.rules
>>> #include $RULE_PATH/ftp.rules
>>> #include $RULE_PATH/icmp.rules
>>> #include $RULE_PATH/icmp-info.rules
>>> #include $RULE_PATH/imap.rules
>>> #include $RULE_PATH/info.rules
>>> #include $RULE_PATH/misc.rules
>>> #include $RULE_PATH/multimedia.rules
>>> #include $RULE_PATH/mysql.rules
>>> #include $RULE_PATH/netbios.rules
>>> #include $RULE_PATH/nntp.rules
>>> #include $RULE_PATH/oracle.rules
>>> #include $RULE_PATH/other-ids.rules
>>> #include $RULE_PATH/p2p.rules
>>> #include $RULE_PATH/phishing-spam.rules
>>> #include $RULE_PATH/policy.rules
>>> #include $RULE_PATH/pop2.rules
>>> #include $RULE_PATH/pop3.rules
>>> #include $RULE_PATH/rpc.rules
>>> #include $RULE_PATH/rservices.rules
>>> #include $RULE_PATH/scada.rules
>>> #include $RULE_PATH/scan.rules
>>> #include $RULE_PATH/shellcode.rules
>>> #include $RULE_PATH/smtp.rules
>>> #include $RULE_PATH/snmp.rules
>>> #include $RULE_PATH/specific-threats.rules
>>> #include $RULE_PATH/spyware-put.rules
>>> #include $RULE_PATH/sql.rules
>>> #include $RULE_PATH/telnet.rules
>>> #include $RULE_PATH/tftp.rules
>>> #include $RULE_PATH/virus.rules
>>> #include $RULE_PATH/voip.rules
>>> #include $RULE_PATH/web-activex.rules
>>> #include $RULE_PATH/web-attacks.rules
>>> #include $RULE_PATH/web-cgi.rules
>>> #include $RULE_PATH/web-client.rules
>>> #include $RULE_PATH/web-coldfusion.rules
>>> #include $RULE_PATH/web-frontpage.rules
>>> #include $RULE_PATH/web-iis.rules
>>> #include $RULE_PATH/web-misc.rules
>>> #include $RULE_PATH/web-php.rules
>>> #include $RULE_PATH/x11.rules
>>>
>>>
>>>
>>> I also wrote a custom script'ish section to produce the file:
>>>
>>> #include $RULE_PATH/rule.set
>>>
>>> Basically:
>>>
>>> ls -l rules | cut -c 50-100 > rule.list
>>> sed 's/^/include $RULE_PATH\//' rule.list > rule.set
>>>
>>>
>>> This would be fine for adding any *.rules files to rule.list which then
>>> gets transformed to rule.set; saves having to write out each line manually!
>>>
>>>
>>> That's about it.......
>>>
>>>
>>> # ls -lh /var/log/snort
>>> total 837292
>>> -rw-r--r--  1 _snort  _snort     0B Dec  4 01:21 alert
>>> -rw-------  1 root    _snort   5.1K Dec 12 03:24 snort.u2.1355282592
>>> -rw-------  1 root    _snort     0B Dec 12 03:26 snort.u2.1355282785
>>> -rw-------  1 root    _snort  19.8M Dec 12 03:27 snort.u2.1355282811
>>> -rw-------  1 root    _snort   128M Dec 12 03:32 snort.u2.1355282879
>>> -rw-------  1 root    _snort   128M Dec 12 03:36 snort.u2.1355283128
>>> -rw-------  1 root    _snort   128M Dec 12 03:41 snort.u2.1355283410
>>> -rw-------  1 root    _snort   4.8M Dec 12 03:48 snort.u2.1355283668
>>>
>>>
>>>
>>> Now all I need to do is get Barnyard2 working and with a bit of luck
>>> will start being able to see alerts back on Base.
>>>
>>> Phew, that was a trek and a half!
>>>
>>>  On Dec 11, 2012 8:29 PM, "Kaya Saman" <kayasaman at ...11827...> wrote:
>>>
>>>>  On 12/11/2012 09:54 PM, Joel Esler wrote:
>>>>
>>>>
>>>>  Doesn't sound like that was the problem.  Looks like you have a
>>>> larger problem.  Traffic not being received or analyzed correctly.  You
>>>> said that all you were getting was icmp alerts, and that doesn't sound
>>>> right (unless that's all you have)
>>>>
>>>>  --
>>>> *Joel Esler*
>>>> Senior Research Engineer, VRT
>>>> OpenSource Community Manager
>>>> Sourcefire
>>>>
>>>>
>>>> Finally I got this working!!!! :-)
>>>>
>>>> Basically all I needed to do was to add the paths for these in and take
>>>> out all the other obsolete rules which weren't working:
>>>>
>>>> include $RULE_PATH/decoder.rules
>>>> include $RULE_PATH/preprocessor.rules
>>>> include $RULE_PATH/sensitive-data.rules
>>>>
>>>> Now I get alerts even!
>>>>
>>>> The only issue is that Barnyard2 is now segfaulting when reading the
>>>> Snort log files? :-( I keep getting "bus error" - which I've been having
>>>> too much of lately!
>>>>
>>>>
>>>> Thanks for all the help!
>>>>
>>>>
>>>> Regards,
>>>>
>>>>
>>>> Kaya
>>>>
>>>>
>>>> _______________________________________________
>>>> Snort-users mailing list
>>>> Snort-users at lists.sourceforge.net
>>>> Go to this URL to change user options or unsubscribe:
>>>> https://lists.sourceforge.net/lists/listinfo/snort-users
>>>> Snort-users list archive:
>>>> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>>>>
>>>> Please visit http://blog.snort.org to stay current on all the latest
>>>> Snort news!
>>>>
>>>
>>>
>>
>
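The "Bus error" in the quoted barnyard2 run fits the SPARC guess made earlier in the thread: SPARC raises SIGBUS on a misaligned 32-bit load, and a unified2 spool file is a stream of records whose headers are not guaranteed to land on 4-byte boundaries, since a packet record's payload can be any length. A reader that casts a buffer pointer straight to a header struct would run fine on x86 and fault on strict-alignment hardware. The C program below is an added example written for this archive page; it is not barnyard2's or Snort's code. It assumes the unified2 record header layout (a 32-bit big-endian record type followed by a 32-bit big-endian payload length) and the type codes 2 (packet) and 7 (IDS event); the sample byte buffer, the function names and the stats struct are constructed for the example. It reads header fields byte by byte so no misaligned load ever happens, stops cleanly at a truncated trailing record (normal when Snort is still appending to the spool file), and reports how many record headers sat at unaligned offsets.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Unified2 record header: type, then payload length, both 32-bit big-endian.
 * The length counts only the payload that follows this 8-byte header. */
#define U2_HDR_LEN 8

/* Record type codes as used by Snort's unified2 output (assumed from the
 * unified2 format description; other types are treated as opaque). */
#define UNIFIED2_PACKET    2
#define UNIFIED2_IDS_EVENT 7

/* Assemble a big-endian 32-bit value from four bytes. This touches the bytes
 * individually, so it is valid at any offset. The alternative that faults on
 * SPARC is *(const uint32_t *)p on a p that is not 4-byte aligned. */
static uint32_t rd_be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

typedef void (*u2_record_cb)(uint32_t type, const uint8_t *payload,
                             uint32_t len, void *ctx);

/* Walk a buffer of concatenated unified2 records. Returns the number of
 * complete records; *consumed receives the offset of the first incomplete
 * record (or buflen if none), so a tailing reader knows where to resume once
 * more bytes have been written. */
size_t u2_walk(const uint8_t *buf, size_t buflen, size_t *consumed,
               u2_record_cb cb, void *ctx)
{
    size_t off = 0, n = 0;
    while (buflen - off >= U2_HDR_LEN) {
        uint32_t type = rd_be32(buf + off);
        uint32_t len  = rd_be32(buf + off + 4);
        if (len > buflen - off - U2_HDR_LEN)
            break;                        /* truncated tail: stop, don't overread */
        if (cb)
            cb(type, buf + off + U2_HDR_LEN, len, ctx);
        off += U2_HDR_LEN + len;
        n++;
    }
    *consumed = off;
    return n;
}

/* Constructed statistics collector (not a barnyard2 structure). */
typedef struct {
    const uint8_t *base;       /* start of buffer, to compute header offsets */
    size_t records;
    size_t unaligned_headers;  /* headers a cast-based reader would fault on */
    size_t events;             /* type 7 */
    size_t packets;            /* type 2 */
} u2_stats;

static void count_cb(uint32_t type, const uint8_t *payload, uint32_t len, void *ctx)
{
    u2_stats *s = ctx;
    size_t hdr_off = (size_t)(payload - U2_HDR_LEN - s->base);
    (void)len;
    s->records++;
    if (hdr_off % 4 != 0)
        s->unaligned_headers++;
    if (type == UNIFIED2_IDS_EVENT)
        s->events++;
    else if (type == UNIFIED2_PACKET)
        s->packets++;
}

u2_stats u2_summarize(const uint8_t *buf, size_t buflen, size_t *consumed)
{
    u2_stats s = { buf, 0, 0, 0, 0 };
    u2_walk(buf, buflen, consumed, count_cb, &s);
    return s;
}

/* Constructed sample, not a real spool file. The second record has an odd
 * payload length, so the third header starts at offset 23 (not 4-aligned).
 * The fourth record claims 100 payload bytes but only 1 is present, which is
 * what the tail of a spool file looks like while Snort is still writing it. */
static const uint8_t SAMPLE[] = {
    0,0,0,7, 0,0,0,4,   0xAA,0xBB,0xCC,0xDD,  /* rec 1: type 7, len 4, at 0  */
    0,0,0,2, 0,0,0,3,   0x01,0x02,0x03,       /* rec 2: type 2, len 3, at 12 */
    0,0,0,7, 0,0,0,2,   0xEE,0xFF,            /* rec 3: type 7, len 2, at 23 */
    0,0,0,2, 0,0,0,100, 0x00                  /* rec 4: truncated,     at 33 */
};

int main(void)
{
    size_t consumed = 0;
    u2_stats s = u2_summarize(SAMPLE, sizeof SAMPLE, &consumed);
    printf("records=%zu events=%zu packets=%zu unaligned_headers=%zu "
           "consumed=%zu of %zu bytes (tail is a partial record)\n",
           s.records, s.events, s.packets, s.unaligned_headers,
           consumed, sizeof SAMPLE);
    return 0;
}
```

Built with a plain `cc -std=c99` this reports 3 complete records, 2 events, 1 packet, one header at an unaligned offset, and 33 of 42 bytes consumed; the partial fourth record is left for the next read rather than parsed past the end of the buffer.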