[Snort-users] MySQL support for Snort 2.9.4

Kaya Saman kayasaman at ...11827...
Tue Dec 11 23:15:39 EST 2012


On 12/12/2012 04:07 AM, Jeremy Hoel wrote:
>
> And your barnyard2 is looking in the right directory for the snort.u2 
> file?  Can you run by2 and paste the output? And the command line you 
> are calling for by2
>

This is what I'm running:

# /usr/local/bin/barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort -f snort.u2
Running in Continuous mode

         --== Initializing Barnyard2 ==--
Initializing Input Plugins!
Initializing Output Plugins!
Parsing config file "/etc/snort/barnyard2.conf"
Log directory = /var/log/barnyard2
Node unique name is: localhost:trunk0

database: compiled support for (mysql)
database: configured to use mysql
database: schema version = 107
database:           host = <mod>
database:           user = <mod>
database:  database name = <mod>
database:    sensor name = localhost:trunk0
database:      sensor id = 9
database:     sensor cid = 1
database:  data encoding = hex
database:   detail level = full
database:     ignore_bpf = no
database: using the "alert" facility

         --== Initialization Complete ==--

   ______   -*> Barnyard2 <*-
  / ,,_  \  Version 2.1.9 (Build 263)
  |o"  )~|  By the SecurixLive.com Team: 
http://www.securixlive.com/about.php
  + '''' +  (C) Copyright 2008-2010 SecurixLive.

            Snort by Martin Roesch & The Snort Team: 
http://www.snort.org/team.html
            (C) Copyright 1998-2007 Sourcefire Inc., et al.

Using waldo file '/etc/snort/barnyard2.waldo':
     spool directory = /var/log/snort
     spool filebase  = snort.u2
     time_stamp      = 1355280273
     record_idx      = 1
Opened spool file '/var/log/snort/snort.u2.1355282592'
Bus error

> On Dec 11, 2012 8:50 PM, "Kaya Saman" <kayasaman at ...11827... 
> <mailto:kayasaman at ...11827...>> wrote:
>
>     On 12/12/2012 03:37 AM, Jeremy Hoel wrote:
>>
>>     Yeah you!
>>
>
>     Next time someone in my house makes cookies everyone's invited :-)
>
>>     Are you outputting snort in unified2 format and reading that with
>>     barnyard2?
>>
>
>     Yep:
>
>     output unified2: filename snort.u2, limit 128
>
>>     Share your snort.conf output lines.
>>
>
>     Snort.conf is bog standard with:
>
>     top customized with details of servers and IP addresses yada yada
>     yada ..... man snort.conf {am glossing as is trivial }
>
>     I just changed:
>
>     # Path to your rules files (this can be a relative path)
>     # Note for Windows users:  You are advised to make this an
>     absolute path,
>     # such as:  c:\snort\rules
>     var RULE_PATH rules
>     var SO_RULE_PATH so_rules
>     var PREPROC_RULE_PATH preproc_rules
>
>     # If you are using reputation preprocessor set these
>     # Currently there is a bug with relative paths, they are relative
>     to where snort is
>     # not relative to snort.conf like the above variables
>     # This is completely inconsistent with how other vars work, BUG 89986
>     # Set the absolute path appropriately
>     var WHITE_LIST_PATH rules
>     var BLACK_LIST_PATH rules
>
>
>     ###################################################
>     # Step #4: Configure dynamic loaded libraries.
>     # For more information, see Snort Manual, Configuring Snort -
>     Dynamic Modules
>     ###################################################
>
>     # path to dynamic preprocessor libraries
>     dynamicpreprocessor directory
>     /usr/local/lib/snort_dynamicpreprocessor/
>
>     # path to base preprocessor engine
>     dynamicengine /usr/local/lib/snort_dynamicengine/libsf_engine.so
>
>     # path to dynamic rules libraries
>     #dynamicdetection directory /usr/local/lib/snort_dynamicrules
>
>
>
>     ###################################################
>     # Step #7: Customize your rule set
>     # For more information, see Snort Manual, Writing Snort Rules
>     #
>     # NOTE: All categories are enabled in this conf file
>     ###################################################
>
>     # site specific rules
>     #include $RULE_PATH/local.rules
>
>     #include $RULE_PATH/attack-responses.rules
>     #include $RULE_PATH/backdoor.rules
>     #include $RULE_PATH/bad-traffic.rules
>     #include $RULE_PATH/blacklist.rules
>     #include $RULE_PATH/botnet-cnc.rules
>     #include $RULE_PATH/chat.rules
>     #include $RULE_PATH/content-replace.rules
>     #include $RULE_PATH/ddos.rules
>     #include $RULE_PATH/dns.rules
>     #include $RULE_PATH/dos.rules
>     #include $RULE_PATH/exploit.rules
>     #include $RULE_PATH/file-identify.rules
>     #include $RULE_PATH/finger.rules
>     #include $RULE_PATH/ftp.rules
>     #include $RULE_PATH/icmp.rules
>     #include $RULE_PATH/icmp-info.rules
>     #include $RULE_PATH/imap.rules
>     #include $RULE_PATH/info.rules
>     #include $RULE_PATH/misc.rules
>     #include $RULE_PATH/multimedia.rules
>     #include $RULE_PATH/mysql.rules
>     #include $RULE_PATH/netbios.rules
>     #include $RULE_PATH/nntp.rules
>     #include $RULE_PATH/oracle.rules
>     #include $RULE_PATH/other-ids.rules
>     #include $RULE_PATH/p2p.rules
>     #include $RULE_PATH/phishing-spam.rules
>     #include $RULE_PATH/policy.rules
>     #include $RULE_PATH/pop2.rules
>     #include $RULE_PATH/pop3.rules
>     #include $RULE_PATH/rpc.rules
>     #include $RULE_PATH/rservices.rules
>     #include $RULE_PATH/scada.rules
>     #include $RULE_PATH/scan.rules
>     #include $RULE_PATH/shellcode.rules
>     #include $RULE_PATH/smtp.rules
>     #include $RULE_PATH/snmp.rules
>     #include $RULE_PATH/specific-threats.rules
>     #include $RULE_PATH/spyware-put.rules
>     #include $RULE_PATH/sql.rules
>     #include $RULE_PATH/telnet.rules
>     #include $RULE_PATH/tftp.rules
>     #include $RULE_PATH/virus.rules
>     #include $RULE_PATH/voip.rules
>     #include $RULE_PATH/web-activex.rules
>     #include $RULE_PATH/web-attacks.rules
>     #include $RULE_PATH/web-cgi.rules
>     #include $RULE_PATH/web-client.rules
>     #include $RULE_PATH/web-coldfusion.rules
>     #include $RULE_PATH/web-frontpage.rules
>     #include $RULE_PATH/web-iis.rules
>     #include $RULE_PATH/web-misc.rules
>     #include $RULE_PATH/web-php.rules
>     #include $RULE_PATH/x11.rules
>
>
>
>     I also wrote a custom script-ish section to produce the file:
>
>     #include $RULE_PATH/rule.set
>
>     Basically:
>
>     ls -l rules | cut -c 50-100 > rule.list
>     sed 's/^/include $RULE_PATH\//' rule.list > rule.set
>
>
>     This would be fine for adding any *.rules files to rule.list which
>     then gets transformed to rule.set; saves having to write out each
>     line manually!
>
>
>     That's about it.......
>
>
>     # ls -lh /var/log/snort
>     total 837292
>     -rw-r--r--  1 _snort  _snort     0B Dec  4 01:21 alert
>     -rw-------  1 root    _snort   5.1K Dec 12 03:24 snort.u2.1355282592
>     -rw-------  1 root    _snort     0B Dec 12 03:26 snort.u2.1355282785
>     -rw-------  1 root    _snort  19.8M Dec 12 03:27 snort.u2.1355282811
>     -rw-------  1 root    _snort   128M Dec 12 03:32 snort.u2.1355282879
>     -rw-------  1 root    _snort   128M Dec 12 03:36 snort.u2.1355283128
>     -rw-------  1 root    _snort   128M Dec 12 03:41 snort.u2.1355283410
>     -rw-------  1 root    _snort   4.8M Dec 12 03:48 snort.u2.1355283668
>
>
>
>     Now all I need to do is get Barnyard2 working and with a bit of
>     luck will start being able to see alerts back on Base.
>
>     Phew, that was a trek and a half!
>
>>     On Dec 11, 2012 8:29 PM, "Kaya Saman" <kayasaman at ...11827...
>>     <mailto:kayasaman at ...11827...>> wrote:
>>
>>         On 12/11/2012 09:54 PM, Joel Esler wrote:
>>>
>>>         Doesn't sound like that was the problem.  Looks like you
>>>         have a larger problem.  Traffic not being received or
>>>         analyzed correctly.  You said that all you were getting was
>>>         icmp alerts, and that doesn't sound right (unless that's all
>>>         you have)
>>>
>>>         --
>>>         *Joel Esler*
>>>         Senior Research Engineer, VRT
>>>         OpenSource Community Manager
>>>         Sourcefire
>>>
>>
>>         Finally I got this working!!!! :-)
>>
>>         Basically all I needed to do was to add the paths for these
>>         in and take out all the other obsolete rules which weren't
>>         working:
>>
>>         include $RULE_PATH/decoder.rules
>>         include $RULE_PATH/preprocessor.rules
>>         include $RULE_PATH/sensitive-data.rules
>>
>>         Now I get alerts even!
>>
>>         The only issue is that Barnyard2 is now segfaulting when
>>         reading the Snort log files? :-( I keep getting "bus error" -
>>         which I've been having too much of lately!
>>
>>
>>         Thanks for all the help!
>>
>>
>>         Regards,
>>
>>
>>         Kaya
>>
>
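A more robust way to build the rule.set include list that the quoted message generates with `ls -l rules | cut -c 50-100` and sed. This is an added example, not code from the thread or from the Snort project: it globs `*.rules` in the rules directory directly instead of slicing fixed character columns out of `ls -l` output (which shift whenever an owner name or file size changes width), ignores anything that is not a regular `.rules` file, and writes the result as `rule.set` in the same directory so the existing `include $RULE_PATH/rule.set` line in snort.conf picks it up. The `gen_rule_set`, `write_rule_set` and `demo` function names are mine, and the demo builds a throwaway directory with constructed file names rather than touching a real rules tree.

```shell
#!/bin/sh
# Added example, not code from the thread: build a Snort rule.set file that
# contains one "include $RULE_PATH/<file>" line per *.rules file found in a
# rules directory. Uses a glob instead of parsing "ls -l" columns.

gen_rule_set() {
    rules_dir="$1"
    if [ ! -d "$rules_dir" ]; then
        echo "gen_rule_set: not a directory: $rules_dir" >&2
        return 1
    fi
    for f in "$rules_dir"/*.rules; do
        # With no match the glob stays literal; -f filters that case out
        # and also skips any subdirectory that happens to be named *.rules.
        [ -f "$f" ] || continue
        printf 'include $RULE_PATH/%s\n' "${f##*/}"
    done | LC_ALL=C sort
}

# Writes rule.set next to the rules so "include $RULE_PATH/rule.set" in
# snort.conf picks it up. rule.set itself does not end in .rules, so a
# second run never includes its own output.
write_rule_set() {
    gen_rule_set "$1" > "$1/rule.set"
}

# Constructed demo directory (hypothetical file names) so the script runs
# stand-alone without a real Snort install.
demo() {
    d=$(mktemp -d)
    : > "$d/local.rules"
    : > "$d/decoder.rules"
    : > "$d/preprocessor.rules"
    : > "$d/README"            # not a rules file, must be ignored
    write_rule_set "$d"
    cat "$d/rule.set"
    rm -rf "$d"
}

demo
```

Because the generator matches on the `.rules` suffix rather than on a column range, a stray README, a rule.set left over from a previous run, or a file owned by a user with a longer login name no longer ends up as a bogus `include` line that makes Snort fail to start.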
