[Snort-users] trying this again (UNCLASSIFIED)
Cass, Mark A CTR (US)
mark.a.cass2.ctr at ...16010...
Fri Dec 14 11:42:53 EST 2012
Thank you for the reply.
Let me see if I got this straight...
I'll need to specify the -f option for barnyard2 and tell it the prefix naming convention of the files it needs to input to log to the mysql database? The reason for the barnyard2 aborting was because the test rule did not have a "rev:xxx" at the top of the text file? So when I downloaded the new rules from pulled pork, and commented out the test rule, should the rules downloaded from pulled pork not have had a revision with them already? I'm going to have to go into a thousand files and manually add "rev:(some number)" to them all in order for it to work? That seems really ridiculous. And would I have to do this manually every time the rules are updated?
The last thing about the -G and -S options, I'm totally lost. I'm just running it how the guide told me to, with those options. You're saying that at this point, the -G -S options are not allowing barnyard2 to write the data to mysql?
Mark A. Cass
Security+ CE, RHCSA, MCTS
Systems Administrator/Network Manager (SANM)
CGI Federal Contractor
700 McNair Ave.
Suite 107 (Knox Hall)
Fort Sill, Oklahoma 73503
mark.a.cass2.ctr at ...16010...
From: beenph [mailto:beenph at ...11827...]
Sent: Friday, December 14, 2012 10:12 AM
To: Cass, Mark A CTR (US)
Cc: snort-users at lists.sourceforge.net; barnyard2-users at ...14071...
Subject: Re: [Snort-users] trying this again (UNCLASSIFIED)
On Thu, Dec 13, 2012 at 12:39 PM, Cass, Mark A CTR (US) <mark.a.cass2.ctr at ...843.....16010...> wrote:
> Classification: UNCLASSIFIED
> Caveats: NONE
> Jon (and others),
> First let me thank you for your reply. I'll try to do the best I can on providing information needed, but I'm by no means a Linux master, nor knowledgeable with IDS/IPS systems (but have a feeling I'm going to be by the end of this). This has been a process of mixed guides for various OS's/versions of the software trying to get things installed/configured for the last few months! With that said, I don't honestly remember a lot of specifics out of this over that time period, but did happen to capture a few terminal windows, which I hope will help.
> To answer your questions:
> 1. Right now, everything has been compiled from source. For snort it was
> 419 ./configure --with-mysql --enable-dynamicplugin
> --enable-perfprofiling --enable-ipv6 --enable-zlib --enable-gre
> --enable-reload --enable-linux-smp-stats
> 2. It is not running right now, but has successfully. I've tried it by itself, and with barnyard2 (barnyard2 errors out):
> 630 snort -q -u snort -g snort -c /etc/snort/snort.conf -i eth1 & /usr/local/bin/barnyard2 -c /etc/snort/barnyard2.conf \ -d /var/log/snort -f snort.log -w /etc/snort/bylog.waldo \ -G /etc/snort/gen-msg.map -S /etc/snort/sid-msg.map \ -C /etc/snort/classification.config &
> 493 /usr/local/bin/snort -A console -q -u snort -g snort -c
> /etc/snort/snort.conf -i eth1
> Barnyard2 errors:
> When ran by itself with:
> [root at ...2306... bin]# barnyard2 -c /etc/snort/barnyard2.conf -d
> /var/log/snort -f snort.log -w /var/log/snort/barnyard2.waldo
> Using waldo file '/var/log/snort/barnyard2.waldo':
> spool directory = /var/log/snort
> spool filebase = snort.log
> time_stamp = 1350485740
> record_idx = 1
> Opened spool file '/var/log/snort/snort.log.1350485740'
> barnyard2: spo_database.c:1485: dbProcessSignatureInformation: Assertion `data->mc.plgSigCompare[x].cacheSigObj->obj.db_id != 0' failed.
> Aborted (core dumped)
Well a little more information in a post can help, and I can't say this post lacked some info ;)
As for barnyard2:
the -d command line argument is needed if you want to specify a directory to monitor for spool files.
If you monitor a directory you will also want to give it a -f (spool prefix). The spool prefix is the file name that prefixes the timestamp of the Snort-generated unified2 file, for example snort.log.<timestamp>. So according to your previously defined command line arguments and some information you posted,
by2 should be run like you tried at first:
barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort -f snort.log -w /var/log/snort/barnyard2.waldo, so it is correct.
The reason why you hit an assert is probably because you created a test rule without a revision.
So in your test rule you always want to have at least rev:xxx; where xxx is an integer >= 1, if you want
barnyard2 to be able to output it to the database. If you want it to be sent via syslog or another output mechanism, you do not need to do that.
Unfortunately, if you absolutely want to log to the database you will need to delete that unified2 file snort.log.1350485740 and any further generated unified2 file where there is a possibility of a signature with revision 0 being logged in it, else you will always hit that condition.
(I would suggest that you upgrade to barnyard2 2-1.11; you can download it from github www.github.com/firnsy/barnyard2.
2-1.11 prints out a nicer message when this case occurs, but will fail if you try to write to a database.)
This being said, you will probably be able to get events to your database with that info, I am sure.
Also a good Snort resource is the manual (snort manual) http://manual.snort.org (always up to date)
> When ran with snort:
> [root at ...2306... log]# snort -q -u snort -g snort -c /etc/snort/snort.conf
> -i eth1 & /usr/local/bin/barnyard2 -c /etc/snort/barnyard2.conf \ -d
> /var/log/snort -f snort.log -w /etc/snort/bylog.waldo \ -G
> /etc/snort/gen-msg.map -S /etc/snort/sid-msg.map \ -C
> /etc/snort/classification.config &
> A bunch of WARNING messages about duplicate entries in a signature
> file (about 40k lines of WARNINGS), then
As for the 2nd case, the reason you were getting duplicate signature messages is that you included the -G and -S command line arguments and I assume that you also have
config gen_file: (equivalent of -G)
config sid_file: (equivalent of -S)
configured in your barnyard2.conf.
The messages are generated by the database output plugin when it's creating its local cache to synchronize its information with the DB.
If you do not want this to happen simply remove your -G and -S arguments from the command line OR comment out both lines mentioned above in barnyard2.conf.
I hope this will help you to get a step forward.
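A quick way to find the rules the reply is talking about (no rev option, or rev below 1) before they ever reach a unified2 file, as an added example and not code from the thread or from barnyard2; the ruleset below is constructed and the helper names are mine:

```python
import re

# A Snort rule's option block is the parenthesised tail; sid/rev are "key:value;" options.
OPTIONS_RE = re.compile(r"\((.*)\)\s*$")
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")
REV_RE = re.compile(r"\brev\s*:\s*(\d+)\s*;")

def iter_rules(text):
    """Yield (line_number, rule) for active rules; joins backslash-continued
    lines and skips blank lines and '#' comments."""
    buf, start = [], 0
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not buf:
            if not line or line.startswith("#"):
                continue
            start = lineno
        if line.endswith("\\"):
            buf.append(line[:-1])
            continue
        buf.append(line)
        yield start, " ".join(buf)
        buf = []

def find_rules_without_rev(text):
    """Return (line, sid, reason) for every rule that has no rev option or a
    rev below 1, the condition the reply says trips barnyard2's database output."""
    findings = []
    for lineno, rule in iter_rules(text):
        opts = OPTIONS_RE.search(rule)
        sid = SID_RE.search(rule)
        sid = sid.group(1) if sid else None
        rev = REV_RE.search(opts.group(1)) if opts else None
        if rev is None:
            findings.append((lineno, sid, "missing rev"))
        elif int(rev.group(1)) < 1:
            findings.append((lineno, sid, "rev:%s is below 1" % rev.group(1)))
    return findings

# Constructed sample ruleset (not from the thread): one good rule, one with no
# rev, one continued over two lines with rev:0, and one commented out.
SAMPLE_RULES = """\
alert tcp any any -> any 80 (msg:"ok rule"; sid:1000001; rev:1;)
alert icmp any any -> any any (msg:"test rule, no rev"; sid:1000002;)
alert tcp any any -> any 22 (msg:"zero rev"; \\
    sid:1000003; rev:0;)
#alert udp any any -> any 53 (msg:"commented out"; sid:1000004;)
"""
```

Run it over the contents of each file in the rules directory and fix the reported sids before restarting Snort, so no revision-0 event lands in a spool file that later has to be deleted.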