[Snort-users] trying this again (UNCLASSIFIED)

beenph beenph at ...11827...
Fri Dec 14 11:12:17 EST 2012


On Thu, Dec 13, 2012 at 12:39 PM, Cass, Mark A CTR (US) <
mark.a.cass2.ctr at ...16010...> wrote:
>
> Classification: UNCLASSIFIED
> Caveats: NONE
>
> Jon (and others),
>
> First let me thank you for your reply.  I'll try to do the best I can on
providing information needed, but I'm by no means a Linux master, nor
knowledgeable with IDS/IPS systems (but have a feeling I'm going to be by
the end of this).  This has been a process of mixed guides for various
OS's/versions of the software trying to get things installed/configured for
the last few months!  With that said, I don't honestly remember a lot of
specifics out of this over that time period, but did happen to capture a
few terminal windows, which I hope will help.
>
> To answer your questions:
> 1. Right now, everything has been compiled from source.  For snort it was
>         419  ./configure --with-mysql --enable-dynamicplugin
--enable-perfprofiling --enable-ipv6 --enable-zlib --enable-gre
--enable-reload --enable-linux-smp-stats
>
> 2.  It is not running right now, but has successfully.  I've tried it by
itself, and with barnyard2 (barnyard2 errors out):
>         630  snort -q -u snort -g snort -c /etc/snort/snort.conf -i eth1
& /usr/local/bin/barnyard2 -c /etc/snort/barnyard2.conf \ -d /var/log/snort
-f snort.log -w /etc/snort/bylog.waldo \ -G /etc/snort/gen-msg.map -S
/etc/snort/sid-msg.map \ -C /etc/snort/classification.config &
>         And
>         493  /usr/local/bin/snort -A console -q -u snort -g snort -c
/etc/snort/snort.conf -i eth1
>
> Barnyard2 errors:
>         When ran by itself with:
> [root at ...2306... bin]# barnyard2 -c /etc/snort/barnyard2.conf -d
/var/log/snort -f snort.log -w /var/log/snort/barnyard2.waldo
>
>         Produces:
> Using waldo file '/var/log/snort/barnyard2.waldo':
>     spool directory = /var/log/snort
>     spool filebase  = snort.log
>     time_stamp      = 1350485740
>     record_idx      = 1
> Opened spool file '/var/log/snort/snort.log.1350485740'
> barnyard2: spo_database.c:1485: dbProcessSignatureInformation: Assertion
`data->mc.plgSigCompare[x].cacheSigObj->obj.db_id != 0' failed.
> Aborted (core dumped)
>

Well a little more information in a post can help, and i can't say this
post lacked some info ;)

As for barnyard2
the -d command line argument is needed if you want specifiy it a directory
to monitor for spool file.
If you monitor a directory you will also want to give it a -f (spool
prefix)
spool prefix is the file name that prefix the timestamp of the snort
generated unified2 file. for example, snort.log.<timestamp>
So according to your previously defined command line argument and some
information you posted,
by2 should be run like you tried at first.

barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort -f snort.log -w
/var/log/snort/barnyard2.waldo, so it is correct.
The reason why you hit an assert is probably because you created a test
rule without a revision.

so in your test rule you allways want to have at least rev:xxx; where xxx
is an integer >= 1, if you want
barnyard2 to be able to output it to database. If you want it to be send
via syslog or an other output mechanism,
you do not need to do that.

Unfortunatly if you absolutely want to log to database  you will need to
delete that unified2 file snort.log.1350485740 and any further unified2
generated file where there is a possibility
for a signature with a revision 0 of being logged in it else you will
allways hit that condition.

(i would suggest that you upgrade to barnyard2 2-1.11 and you can download
it from github www.github.com/firnsy/barnyard2
2-1.11 print out a nicer message when this case occur, but will fail if you
try to write to a database.

This being said, you will probably be able to get events to your database
with that info i am sure.

Also a good snort ressource is the manual (snort manual)
http://manual.snort.org (allways up to date)

>         When ran with snort:
> [root at ...2306... log]# snort -q -u snort -g snort -c /etc/snort/snort.conf -i
eth1 & /usr/local/bin/barnyard2 -c /etc/snort/barnyard2.conf \ -d
/var/log/snort -f snort.log -w /etc/snort/bylog.waldo \ -G
/etc/snort/gen-msg.map -S /etc/snort/sid-msg.map \ -C
/etc/snort/classification.config &
>
>         Produces:
> A bunch of WARNING messages about duplicate entries in a signature file
(about 40k lines of WARNINGS), then

As for the 2nd case, the reason you where getting duplicate signature
message is that you included
the -G and -S command line argument and i assume that you also have the

configure directive

config gen_file: (equivalent of -G)
and
config sid_file:  (equivalent of -S)

configured in your barnyard2.conf.

The message are generated by the database output plugin when its creating
its local cache to synchronize
its information with the DB.

If you do not want this to happen simply remove your -G and -S argument
from the command line OR
comment both lines mentioned above  in barnyard2.conf.

I hope this will help you to get a step forward.

-elz
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20121214/2c5f8c29/attachment.html>


More information about the Snort-users mailing list