[Snort-users] Post Snort (Ubuntu 10.04 LTS) installation issues.

Randy Peif rpeif at ...15532...
Wed Mar 7 12:29:27 EST 2012

I have two issues that I am currently experiencing and have not found a good solution for via http://www.snort.org/docs or any other site resource. I recently installed Snort following the guide detailed by David Gullet (http://www.snort.org/assets/158/014-snortinstallguide292.pdf).

My current setup is on a physical server Dell PowerEdge R710. I installed Ubuntu 10.04 LTS as the OS and am running Snort with Barnyard 1.9.  I have 11 interfaces, but only 4 are being used. Eth0 is for management, Eth4 is for Core1, Eth5 is for the DMZ, Eth8 is for Core2, and Eth9 is for the OE.

1.)    Rc.local script is not starting barnyard.

I followed David's guide by  adding the following to /etc/rc.local

ifconfig eth4 up
ifconfig eth5 up
ifconfig eth8 up
ifconfig eth9 up

/usr/local/snort/bin/snort -D -u snort -g snort -c /usr/local/snort/etc/snort.conf -i eth4
/usr/local/snort/bin/snort -D -u snort -g snort -c /usr/local/snort/etc/snort.conf -i eth5
/usr/local/snort/bin/snort -D -u snort -g snort -c /usr/local/snort/etc/snort.conf -i eth8
/usr/local/snort/bin/snort -D -u snort -g snort -c /usr/local/snort/etc/snort.conf -i eth9

/usr/local/bin/barnyard2 -c /usr/local/snort/etc/barnyard2.conf -G /usr/local/snort/etc/gen-msg.map -S /usr/local/snort/etc/sid-msg.map -d    \  /var/log/snort -f snort.u2 -w /var/log/snort/barnyard2.waldo -D

               When I do a "/etc/init.d/rc.local start" it creates the child daemons for each interface and it appears all goes well, but when I look at the processes running I          do not see barnyard2 running. I confirm that barnyard2 is not functioning by reviewing the mysql snort db data table and see there is no data. I have done
some testing on my Core1 interface eth4 by killing all services for snort and starting the snort service manually. Once the unified2 log is created in /var/snort/log I manually start barnyard2 and it starts successfully. I then begin to see data in the snort db as well as alerts in snort report.

How can I get snort started for each interface and barnyard2 started all at server startup? David's guide only covers one interface so I may not have my snort.conf and barnyard2.conf configured properly for a multiple interface setup. Any feedback or direction would be appreciated.

2.)    Snort report is not loading at all (the site hangs and never displays content) / guidance on reducing amount of traffic snort reviews.

Despite issue number 1, I manually kicked off snort for all four interfaces which ultimately started creating the unified2 logs that I needed to successfully manually start barnyard2. I was going to forego the automation of those services starting and just see if by starting each interface manually as well as barnyard2 manually I would be able to simply move forward with reviewing the alerts. Well, once I started all 4 interfaces and then barnyard2 snort report no longer would load. I restarted the Apache2 service and it did not help. I believe I have so much data coming from the cores that snort report cannot load all of the alerts.

How can I overcome this? Ultimately I will be using Snorby for log review, but I would like to confirm my Snort installation is working successfully before I move forward and at this point I can't confirm that as I am unable to see the alerts via snort report anymore. I was able to uncover some information about this issue such as reduce the amount of traffic snort is reporting  via the snort.conf, but there is nothing out there that states specifically what I should modify to make my snort installation function more smoothly. Anyone have a decent guide on the snort.conf config and a breakout of performance medications to make?

I apologize for the longevity of the issues, but I was trying to get everything in there that I have attempted so I could get some valuable responses. I appreciate all assistance!

Randy Peif
Information Security Analyst

Confidentiality Notice: This electronic transmission and any attached documents or other writings are intended only for the person or entity to which it is addressed and may contain information that is privileged, confidential or otherwise protected from disclosure. If you have received this communication in error, please immediately notify sender by return e-mail and destroy the communication. Any disclosure, copying, distribution or the taking of any action concerning the contents of this communication or any attachments by anyone other than the named recipient is strictly prohibited.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20120307/60759f68/attachment.html>

More information about the Snort-users mailing list