[Snort-users] Lets talk about ....

AllowOverride allowoverride at ...11827...
Sun Oct 7 17:15:36 EDT 2012


Rule manager -> IDS -> Output processor -> Alert front-end
pp.pl > snort > barnyard2 > base-1.4.5 / snortreport 1.3.3 / jpgraph-1.27.1

1. What am I missing to get unified2 or alerts into the MySQL db?

Here is what I have so far...


configured: barnyard2.conf currently:

# this is not hard, only unified2 is supported ;)
input unified2

#output alert_fast: stdout
output alert_fast

Both snort and barnyard2 are run from the command line for testing, no script involved:

configured snort:
/usr/local/bin/snort -A fast -q -u snort -g snort -c /etc/snort/etc/snort.conf -i eth0 &

configured barnyard2:
/usr/local/bin/barnyard2 -c /etc/snort/etc/barnyard2.conf -d /var/log/snort -f snort.log -w /var/log/snort/barnyard2.waldo -D &

output database: log, mysql user=snort password=sorry-hidden dbname=snort host=localhost

No errors for snort/barnyard2...

*

Stop ufw operations:

# ufw disable 
Firewall stopped and disabled on system startup

# service ufw stop
ufw stop/waiting

*

Ping the remote snort/barnyard2 server from a remote host:

vulcan:~$ ping 192.168.1.14
PING 192.168.1.14 (192.168.1.14) 56(84) bytes of data.
64 bytes from 192.168.1.14: icmp_seq=1 ttl=64 time=0.403 ms
64 bytes from 192.168.1.14: icmp_seq=2 ttl=64 time=0.129 ms
64 bytes from 192.168.1.14: icmp_seq=3 ttl=64 time=0.133 ms

*

/var/log/snort/snort.log = increased in size
/var/log/snort/alert = increased in size

-rw-------  1 snort snort   19632 Oct  7 13:15 snort.log.1349640603
-rw-r--r--  1 root  root  1451982 Oct  7 13:15 alert

>>>

-rw-------  1 snort snort   21228 Oct  7 13:16 snort.log.1349640603
-rw-r--r--  1 root  root  1453494 Oct  7 13:16 alert

*

MySQL is not logging anything as the snort user for the snort db:

mysql> select count(*) from event;
+----------+
| count(*) |
+----------+
|        0 |
+----------+

* 

No change in file size:
ls -altr /var/lib/mysql/snort*
total 280
-rw-rw---- 1 mysql mysql    65 Oct  4 10:32 db.opt
-rw-rw---- 1 mysql mysql  8592 Oct  4 10:32 schema.frm
-rw-rw---- 1 mysql mysql  8666 Oct  4 10:32 event.frm
-rw-rw---- 1 mysql mysql  8802 Oct  4 10:32 signature.frm
-rw-rw---- 1 mysql mysql  8634 Oct  4 10:32 sig_reference.frm
-rw-rw---- 1 mysql mysql  8648 Oct  4 10:32 reference.frm
-rw-rw---- 1 mysql mysql  8630 Oct  4 10:32 reference_system.frm
-rw-rw---- 1 mysql mysql  8626 Oct  4 10:32 sig_class.frm
-rw-rw---- 1 mysql mysql  8780 Oct  4 10:32 sensor.frm
-rw-rw---- 1 mysql mysql  9004 Oct  4 10:32 iphdr.frm
-rw-rw---- 1 mysql mysql  8960 Oct  4 10:32 tcphdr.frm
-rw-rw---- 1 mysql mysql  8740 Oct  4 10:32 udphdr.frm
-rw-rw---- 1 mysql mysql  8780 Oct  4 10:32 icmphdr.frm
-rw-rw---- 1 mysql mysql  8770 Oct  4 10:32 opt.frm
-rw-rw---- 1 mysql mysql  8632 Oct  4 10:32 data.frm
-rw-rw---- 1 mysql mysql  8626 Oct  4 10:32 encoding.frm
-rw-rw---- 1 mysql mysql  8618 Oct  4 10:32 detail.frm
-rw-rw---- 1 mysql mysql  8710 Oct  6 19:33 acid_ag.frm
-rw-rw---- 1 mysql mysql  8630 Oct  6 19:33 acid_ag_alert.frm
-rw-rw---- 1 mysql mysql  8758 Oct  6 19:33 acid_ip_cache.frm
-rw-rw---- 1 mysql mysql 13090 Oct  6 19:33 acid_event.frm
-rw-rw---- 1 mysql mysql  8646 Oct  6 19:33 base_roles.frm
-rw-rw---- 1 mysql mysql  8758 Oct  6 19:33 base_users.frm
drwx------ 2 mysql mysql  4096 Oct  6 19:33 .
drwx------ 5 mysql mysql  4096 Oct  7 12:46 ..

Are the perms good above? Should they be mysql:mysql or... snort:snort?


2. Can both alert and snort.log work with schema/create_mysql? Which one, snort.log only?

3. How can I have http://192.168.1.14/base-1.4.5/base_main.php log unified2 output from /var/log/snort/alert or snort.log?

4. I followed the Debian snort PDF howto (2011). Looking at the 2012 version, it looks the same; I'll recheck against my script.

5. Old Dan Farmer SATAN alert reader:
# ./snort_stats.pl alert 

The log begins from: 10 06 19:23:17
The log ends     at: 10 07 13:24:57
Total events: 13476
Signatures recorded: 6
Source IP recorded: 2
Destination IP recorded: 2

The number of attacks from same host to same
destination using same method
=========================================================================
  # of
 attacks  from              to                method
=========================================================================
   11898  192.168.1.35      192.168.1.14       ICMP test  [Priority: 0] {ICMP}
     809  192.168.1.14      192.168.1.35       ICMP test  [Priority: 0] {ICMP}
     640  192.168.1.35      192.168.1.14       (spp_ssh) Protocol mismatch   {TCP}
      64  192.168.1.35      192.168.1.14       Reset outside window   {TCP}
      43  192.168.1.14      192.168.1.35       (http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE   {TCP}
      16  192.168.1.14      192.168.1.35       Consecutive TCP small segments exceeding threshold   {TCP}
       5  192.168.1.35      192.168.1.14       Consecutive TCP small segments exceeding threshold   {TCP}
       1  192.168.1.14      192.168.1.35       (spp_sdf) SDF Combination Alert   {PROTO:254}
...trunc'd

I have a reader ;) 


thanks!
-------------- next part --------------
An embedded message was scrubbed...
From: Peter Bates <peter.bates at ...15381...>
Subject: Re: [Snort-users] Lets talk about ....
Date: Sun, 7 Oct 2012 10:23:54 +0100
Size: 5410
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20121007/f7325aac/attachment.mht>
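The file barnyard2 tails here (snort.log.1349640603 in the listing above) is a unified2 spool, so the quickest way to localize the stall is to check whether that file actually holds IDS event records: if it does and `event` stays at zero rows, the problem lies in barnyard2's database output; if it holds only packets or nothing, Snort's unified2 output is the place to look. The following is an added example, not code from the post or from the Snort or barnyard2 projects. It implements the unified2 record framing (4-byte type, 4-byte length, both network byte order) and the legacy IPv4 event record (type 7) that barnyard2's `input unified2` consumes, and runs over a constructed in-memory spool built from the two hosts and the timestamp seen in the post; the sids in it are placeholders, not real Snort rule ids. Pass a real `/var/log/snort/snort.log.<timestamp>` as the first argument to run it on a sensor.

```python
"""Minimal unified2 spool reader (added example; not Snort/barnyard2 code)."""
import ipaddress
import struct
from collections import Counter

# Serial_Unified2_Header { uint32 type; uint32 length; }, network byte order.
HDR = struct.Struct(">II")
# Unified2IDSEvent_legacy (record type 7): 11 x uint32, 2 x uint16, 4 x uint8 = 52 bytes:
# sensor_id, event_id, event_second, event_microsecond, signature_id, generator_id,
# signature_revision, classification_id, priority_id, ip_source, ip_destination,
# sport_itype, dport_icode, protocol, impact_flag, impact, blocked.
EVENT_V4 = struct.Struct(">11I2H4B")
# Serial_Unified2Packet fixed part: sensor_id, event_id, event_second,
# packet_second, packet_microsecond, linktype, packet_length; raw packet follows.
PACKET_HDR = struct.Struct(">7I")

UNIFIED2_PACKET = 2
UNIFIED2_IDS_EVENT = 7


def parse_unified2(data):
    """Walk a unified2 byte string and report the records it contains.

    Stops cleanly at a partial trailing record: while Snort is still writing
    the spool that is normal, and barnyard2 resumes from the offset kept in
    its waldo file rather than treating the short tail as corruption.
    """
    offset, events, packets, other = 0, [], 0, Counter()
    while offset < len(data):
        if len(data) - offset < HDR.size:
            break                                  # record header incomplete
        rtype, rlen = HDR.unpack_from(data, offset)
        body = data[offset + HDR.size: offset + HDR.size + rlen]
        if len(body) < rlen:
            break                                  # body still being written
        if rtype == UNIFIED2_IDS_EVENT and rlen == EVENT_V4.size:
            f = EVENT_V4.unpack(body)
            events.append({
                "event_id": f[1], "second": f[2],
                "gid": f[5], "sid": f[4], "rev": f[6], "priority": f[8],
                # ip_source / ip_destination are stored as the raw 4 address bytes
                "src": str(ipaddress.IPv4Address(body[36:40])),
                "dst": str(ipaddress.IPv4Address(body[40:44])),
                "sport": f[11], "dport": f[12], "proto": f[13],
            })
        elif rtype == UNIFIED2_PACKET:
            packets += 1
        else:
            other[rtype] += 1                      # IPv6/VLAN/extra-data types etc.
        offset += HDR.size + rlen
    return {"events": events, "packets": packets, "other": dict(other),
            "pending_bytes": len(data) - offset}


def events_by_pair(events):
    """Count events per (gid:sid, src, dst), like the snort_stats.pl summary table."""
    return Counter((f"{e['gid']}:{e['sid']}", e["src"], e["dst"]) for e in events)


# --- constructed sample spool (not captured from a real sensor) ---------------
def make_event(event_id, second, sid, src, dst, proto, sport=0, dport=0, gid=1):
    body = EVENT_V4.pack(0, event_id, second, 0, sid, gid, 1, 0, 0,
                         int(ipaddress.IPv4Address(src)), int(ipaddress.IPv4Address(dst)),
                         sport, dport, proto, 0, 0, 0)
    return HDR.pack(UNIFIED2_IDS_EVENT, len(body)) + body


def make_packet(event_id, second, payload):
    body = PACKET_HDR.pack(0, event_id, second, second, 0, 1, len(payload)) + payload
    return HDR.pack(UNIFIED2_PACKET, len(body)) + body


SENSOR, PEER = "192.168.1.14", "192.168.1.35"      # hosts from the post
SAMPLE = b"".join([
    make_event(1, 1349640603, 1000001, PEER, SENSOR, 1),              # ICMP (placeholder sid)
    make_packet(1, 1349640603, b"\x00" * 42),
    make_event(2, 1349640604, 1000001, PEER, SENSOR, 1),
    make_packet(2, 1349640604, b"\x00" * 42),
    make_event(3, 1349640604, 1000002, PEER, SENSOR, 6, 51234, 22),   # TCP to port 22
    make_packet(3, 1349640604, b"\x00" * 60),
    HDR.pack(UNIFIED2_IDS_EVENT, EVENT_V4.size) + b"\x00" * 10,       # cut mid-write
])


def summarize(data=SAMPLE):
    r = parse_unified2(data)
    return {"events": len(r["events"]), "packets": r["packets"],
            "pending_bytes": r["pending_bytes"], "by_pair": events_by_pair(r["events"])}


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    s = summarize(data)
    print(f"events={s['events']} packets={s['packets']} pending_bytes={s['pending_bytes']}")
    for (sig, src, dst), n in s["by_pair"].most_common():
        print(f"{n:6d}  {src:15s} -> {dst:15s}  {sig}")
```

Each `event` row barnyard2 writes with `output database` corresponds to one IDS event record, so the event count this prints is the number of rows `select count(*) from event` should reach once the spool has been processed (minus anything barnyard2 already consumed before the waldo offset). A non-zero `pending_bytes` on a live sensor just means Snort was mid-record at read time.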

