[Snort-users] mysql error prevails...

AllowOverride allowoverride at ...11827...
Sat Oct 6 15:57:08 EDT 2012


snort is working for sure:

1.

# ls -alh /var/log/snort/
total 1016K
drwxr-xr-x  2 snort snort 4.0K Oct  6 11:36 .
drwxr-xr-x 13 root  root  4.0K Oct  6 10:56 ..
-rw-r--r--  1 root  root  6.8K Oct  5 23:26 alert
-rw-r--r--  1 snort snort    0 Oct  4 10:26 barnyard2.waldo
-rw-------  1 snort snort 997K Oct  6 01:43 snort.log.1349504795
-rw-------  1 snort snort    0 Oct  6 11:36 snort.log.1349548617

2. 

sudo openvasd 
All plugins loaded                     

After hitting 192.168.1.14 with openvas-client, results:

# ls -alh /var/log/snort/
total 3.3M
drwxr-xr-x  2 snort snort 4.0K Oct  6 11:36 .
drwxr-xr-x 13 root  root  4.0K Oct  6 10:56 ..
-rw-r--r--  1 root  root  392K Oct  6 12:50 alert
-rw-r--r--  1 snort snort    0 Oct  4 10:26 barnyard2.waldo
-rw-------  1 snort snort 997K Oct  6 01:43 snort.log.1349504795
-rw-------  1 snort snort 2.0M Oct  6 12:50 snort.log.1349548617

I presume alert was actively logging as well, as its file size grew, as
well as snort.log is now logging; I use the -A console option.
I wonder if -A fast does the same - makes alert and snort.log grow.
I will generate lots of traffic again with openvas and ping -f to see if
barnyard2.waldo grows at some point... little smack testing in the
network sense...


3.

here is my local.rules per howtos:

# ------------
# LOCAL RULES
# ------------
# This file intentionally does not come with signatures.  Put your local
# additions here.
alert icmp any any -> $HOME_NET any (msg:"ICMP test"; sid:10000001;)

4. 

snort.rules is full. I wonder what happens if I cat >> snort.rules to
local.rules lol... jk

5.

What I find interesting is how after I installed pulledpork and ran it,
it works, and when I hit 192.168.1.14 with openvas-client it logs
to /var/log/snort/snort.log, so I assume local.rules AND snort.rules are
working, but I can't tell for sure, as I cannot get barnyard2 to import
the info to mysql to take a look at it, since it is unified2 format.. I
think.. can't tell:

# less /var/log/snort/snort.log.1349548617 
"/var/log/snort/snort.log.1349548617" may be a binary file.  See it
anyway?

I just know the file size is growing.. good sign snort is working, and I
know it grows when I simply ping 192.168.1.14 from a remote host.

6. 

I'd like to import data from snort with barnyard2 into say snortreport
or base-1.4.5.

After that I will be able to try my hand at local.rule creation.

I am still stuck with the barnyard2 > mysql insertion portion.

Anything I'm willing to try at this point, as the howtos do not really
explain more. See attached for the howtos I have been using.
Also, perms on some dirs were getting non-root perms like:
1210:1210 /etc/snort

7. 

Suggestions anyone??? I'm totally open to suggestions...

more info to follow....
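A way to confirm whether snort.log really is unified2 and to see which rules are firing without going through barnyard2 and mysql first. This is an added example, not code from the post or from the Snort project; it reads the unified2 record header (type, length) and the Unified2IDSEvent and Unified2Packet layouts from Snort's unified2.h, and the sample bytes it parses are constructed inline (sensor/event ids and addresses are made up) to stand in for a real snort.log.

```python
import socket
import struct

# Unified2 record types (values from Snort's unified2.h)
UNIFIED2_PACKET = 2
UNIFIED2_IDS_EVENT = 7

RECORD_HDR = struct.Struct("!II")        # type, length (network byte order)
IDS_EVENT = struct.Struct("!11I2H4B")    # Unified2IDSEvent, 52 bytes
IDS_FIELDS = ("sensor_id", "event_id", "event_second", "event_microsecond",
              "signature_id", "generator_id", "signature_revision",
              "classification_id", "priority_id", "ip_source", "ip_destination",
              "sport_itype", "dport_icode", "protocol", "impact_flag",
              "impact", "blocked")
PKT_HDR = struct.Struct("!7I")           # Unified2Packet header, then packet bytes

def parse_unified2(data):
    """Yield (record_type, fields) per record; stop cleanly at a truncated
    tail, which is normal while Snort is still appending to the file."""
    off = 0
    while off + RECORD_HDR.size <= len(data):
        rtype, rlen = RECORD_HDR.unpack_from(data, off)
        body = data[off + RECORD_HDR.size: off + RECORD_HDR.size + rlen]
        if len(body) < rlen:
            break  # partial record: writer has not finished it yet
        if rtype == UNIFIED2_IDS_EVENT and rlen >= IDS_EVENT.size:
            ev = dict(zip(IDS_FIELDS, IDS_EVENT.unpack_from(body)))
            for k in ("ip_source", "ip_destination"):
                ev[k] = socket.inet_ntoa(struct.pack("!I", ev[k]))
            yield rtype, ev
        elif rtype == UNIFIED2_PACKET and rlen >= PKT_HDR.size:
            _, event_id, _, _, _, linktype, plen = PKT_HDR.unpack_from(body)
            yield rtype, {"event_id": event_id, "linktype": linktype,
                          "packet_length": plen,
                          "packet_data": body[PKT_HDR.size:PKT_HDR.size + plen]}
        else:
            yield rtype, {"raw": body}
        off += RECORD_HDR.size + rlen

def build_sample():
    """Constructed sample: one ICMP echo event for sid 10000001 plus its packet."""
    src = struct.unpack("!I", socket.inet_aton("192.168.1.10"))[0]
    dst = struct.unpack("!I", socket.inet_aton("192.168.1.14"))[0]
    event = IDS_EVENT.pack(1, 42, 1349548617, 0, 10000001, 1, 0, 0, 3,
                           src, dst, 8, 0, 1, 0, 0, 0)   # itype 8, proto 1 (ICMP)
    pkt_data = b"\x45\x00" + b"\x00" * 26                # placeholder IP header bytes
    pkt = PKT_HDR.pack(1, 42, 1349548617, 1349548617, 0, 1, len(pkt_data)) + pkt_data
    return (RECORD_HDR.pack(UNIFIED2_IDS_EVENT, len(event)) + event +
            RECORD_HDR.pack(UNIFIED2_PACKET, len(pkt)) + pkt)

def summarize(data):
    """(gid, sid, src, dst, protocol) for every IDS event record in the stream."""
    return [(r["generator_id"], r["signature_id"], r["ip_source"],
             r["ip_destination"], r["protocol"])
            for t, r in parse_unified2(data) if t == UNIFIED2_IDS_EVENT]
```

Run `summarize(open("/var/log/snort/snort.log.1349548617", "rb").read())` on a real file to list the gid:sid pairs Snort actually wrote; a stream of `(1, 10000001, ...)` entries means the local.rules ICMP test rule is what is filling the log.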


