[Snort-users] Lets talk about ....

Peter Bates peter.bates at ...15381...
Sun Oct 7 18:19:54 EDT 2012


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


Hello all

On 07/10/2012 22:15, AllowOverride wrote:
> Rule manager -> IDS -> Output processor -> Alert front-end pp.pl >
> snort > barnyard2 > base-1.4.5 / snortreport 1.3.3 / 
> jpgraph-1.27.1
> 
> 1.  what am i missing to get unified2 or alerts to mysql db.

Okay, let's take some quick steps that are useful when debugging

/usr/local/bin/snort -i eth0 -c /etc/snort/etc/snort.conf -T > /tmp/snort.out 2>&1
grep 'rules read' /tmp/snort.out

You should see something like

xxx Snort rules read

This shows your Snort is reading the configuration okay (-T)
and also reading some rules.

Now

/usr/local/bin/snort -A console -u snort -g snort -c /etc/snort/etc/snort.conf -i eth0

This runs Snort in the foreground and alerts will show
on the console - generate some ICMP traffic and you should see hits.

Finally

/usr/local/bin/snort -i eth0 -D -c /etc/snort/etc/snort.conf -l /var/log/snort

(Note you can set user and group in snort.conf with
config set_gid: snort
config set_uid: snort
- to avoid -u and -g on the command line)

In snort.conf we have

output unified2: filename snort.log, limit 128

Snort will then be running daemonized and you should see
snort.log appear in /var/log/snort
- you might have to chown snort:snort /var/log/snort

Then

/usr/local/bin/barnyard2 -D -c /etc/snort/etc/barnyard2.conf -d /var/log/snort -w /var/log/snort/bylog.waldo -f snort.log -G /etc/snort/gen-msg.map -S /etc/snort/sid-msg.map

The -G and -S should be unnecessary as they are defined in
barnyard2.conf but I've sometimes found it doesn't read them but that
might be a bug in the version I'm running - a new one was released
recently.

After that, you can try

mysql> select count(*) from event;

and it should be increasing when you generate traffic that hits rules.

The MySQL file permissions should be irrelevant - MySQL runs as the
MySQL user and barnyard2 just connects to the socket on 3306 and makes
the usual INSERT calls.

-- 
Peter Bates
Senior Computer Security Officer    Phone: +44(0)2076792049
Information Services Division	    Internal Ext: 32049
University College London
London WC1E 6BT
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iQEcBAEBAgAGBQJQcgAJAAoJELhVoVpEMS6RYVcH/2QK5xbZasH0X5fRnxvEcq3B
DAdiIKpRsOVuyUYYW1OKa0QZlI6/Mx3ottiOnf5PsxAT8VDbr97nato8G7gCAXQY
4RjFQcu3OtSfwmQWBo63IxQB+yyeU85AEgHpe2yGdRAzp1x/xSWLeYu8GUAlVL25
2VAyUaF5etNdp2cHYottOtE9RUEDGAyPMLBZqb+5hm8UMlmfwyaN5bWGch61vJbo
vhldspeUyvoMcEnm8FASpmVOf1quZO95oo19tBL9k0UJOPwNYyeB5wXb34j8Xn/V
Qkbix7OzM+a8pNQf1++3qLmwRg94weqvVoxjZRAAi4o7ItAJSmOE8NipQsFJW6o=
=hxt2
-----END PGP SIGNATURE-----
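Between the "snort.log appears in /var/log/snort" step and the "select count(*) from event" step above there is no easy way to tell whether the unified2 file actually contains alert records or barnyard2 is simply failing to insert them. The following reader is an added example, not code from the post or from the Snort/barnyard2 projects: it walks the unified2 record stream (8-byte header of type and body length, both big-endian, followed by the body) and tallies IDS events per gid:sid, stopping cleanly on a truncated trailing record, which is what you see while Snort is still writing. The record type numbers (2 = packet, 7 = legacy IPv4 event, 104 = IPv4 event with VLAN/MPLS fields) and the 52-byte event layout are taken from Snort's unified2 header definitions and should be checked against the sfunified2 headers of the version you run; the sample file bytes and the sid 1000001 are constructed here, not a real capture.

```python
"""Count IDS events in a unified2 file to confirm Snort is writing alerts.

Added example (not from the mailing-list post). Layout assumptions:
record header = !II (type, body length); type 7/104 bodies begin with
the 52-byte Unified2IDSEvent_legacy fields.
"""
import ipaddress
import struct
import sys
from collections import Counter
from io import BytesIO

HEADER = struct.Struct("!II")           # type, length of body in bytes
UNIFIED2_PACKET = 2
UNIFIED2_IDS_EVENT = 7                  # Unified2IDSEvent_legacy (52-byte body)
UNIFIED2_IDS_EVENT_VLAN = 104           # Unified2IDSEvent, same first 52 bytes

# First 52 bytes of an IPv4 event body, in field order.
IDS_EVENT = struct.Struct("!9I II HH BBBB")
IDS_EVENT_FIELDS = (
    "sensor_id", "event_id", "event_second", "event_microsecond",
    "signature_id", "generator_id", "signature_revision",
    "classification_id", "priority_id", "ip_source", "ip_destination",
    "sport_itype", "dport_icode", "protocol", "impact_flag", "impact", "blocked",
)


def iter_records(stream):
    """Yield (type, body) for each complete record; a short read means the
    file ends mid-record (Snort still writing, or a corrupt tail)."""
    while True:
        hdr = stream.read(HEADER.size)
        if len(hdr) < HEADER.size:
            return
        rtype, length = HEADER.unpack(hdr)
        body = stream.read(length)
        if len(body) < length:
            return
        yield rtype, body


def parse_event(body):
    """Decode the common IPv4 event fields into a dict."""
    if len(body) < IDS_EVENT.size:
        raise ValueError("event body shorter than 52 bytes")
    ev = dict(zip(IDS_EVENT_FIELDS, IDS_EVENT.unpack_from(body, 0)))
    ev["ip_source"] = str(ipaddress.IPv4Address(ev["ip_source"]))
    ev["ip_destination"] = str(ipaddress.IPv4Address(ev["ip_destination"]))
    return ev


def summarise(data):
    """Return (events, Counter keyed by 'gid:sid', packet record count)."""
    events, packets = [], 0
    for rtype, body in iter_records(BytesIO(data)):
        if rtype in (UNIFIED2_IDS_EVENT, UNIFIED2_IDS_EVENT_VLAN):
            events.append(parse_event(body))
        elif rtype == UNIFIED2_PACKET:
            packets += 1
    by_rule = Counter("%d:%d" % (e["generator_id"], e["signature_id"]) for e in events)
    return events, by_rule, packets


def make_event(sid, gid=1, rev=1, src="192.0.2.1", dst="192.0.2.2"):
    """Build a constructed type-7 record (sample data for the demo)."""
    body = IDS_EVENT.pack(1, 1, 1349647194, 0, sid, gid, rev, 29, 3,
                          int(ipaddress.IPv4Address(src)),
                          int(ipaddress.IPv4Address(dst)),
                          8, 0, 1, 0, 0, 0)   # ICMP echo (type 8), proto 1
    return HEADER.pack(UNIFIED2_IDS_EVENT, len(body)) + body


# Constructed sample: three events, one packet record, one truncated record.
SAMPLE_LOG = (
    make_event(1000001) + make_event(1000001) + make_event(1000002)
    + HEADER.pack(UNIFIED2_PACKET, 4) + b"\x00" * 4
    + HEADER.pack(UNIFIED2_IDS_EVENT, IDS_EVENT.size) + b"\x00" * 10
)

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_LOG
    events, by_rule, packets = summarise(data)
    print("%d events, %d packet records" % (len(events), packets))
    for rule, n in by_rule.most_common():
        print("  %s  x%d" % (rule, n))
```

Run it against the live file (python3 u2count.py /var/log/snort/snort.log.1349647194, or whatever timestamp suffix Snort appended) before querying MySQL: a non-zero event count with an empty event table points at barnyard2 or its database output, while zero events points back at the rules, the -l directory or the output line in snort.conf.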