[Snort-users] Lets talk about ....

Peter Bates peter.bates at ...15381...
Mon Oct 8 05:06:17 EDT 2012



Hello all

On 08/10/2012 00:42, AllowOverride wrote:
> 1. here is stdout after starting snort: see attached: anything wrong
> there? 
> still not logging, after correcting 

> 2. in console mode - I see ping traffic from remote host pinging snort
> server

Okay - as it has been a while since I used -A console to test, I can see
that what this does is produce a tcpdump/pcap output file as well as showing
the alerts to the console as expected.

The fact it isn't a u2 file explains the u2spewfoo error.

In your snort.conf, put (use the existing lines)
to shorten your command-line:

config set_gid: snort
config set_uid: snort
config logdir: /var/log/snort

output unified2: filename snort.log, limit 128

- Your current snort.conf has

output unified2: filename snort.log limit 128

- the comma is significant.

Start up snort with

snort -c /etc/snort/snort.conf -i eth0
 
- you can add -D later to daemonize it

Snort should run and you will get

-rw-------  1 snort snort    0 Oct  8 09:52 snort.log.1349686338

in /var/log/snort.

Generate some ICMP traffic, and you should see it logged

-rw-------  1 snort snort 1164 Oct  8 09:53 snort.log.1349686338

u2spewfoo snort.log.1349686338 | grep sig
        sig id: 10000001        gen id: 1       revision: 0      classification: 0
        sig id: 10000001        gen id: 1       revision: 0      classification: 0

If that is working then it is time to look at barnyard2.

> 3. also flowbits? this is not running Inline, I'll read more about that
> later, when I have 2nd nic.

I wouldn't worry about the flowbits.

> 4. -G -S are defined in barnyard2.conf. - see attached

I would define:

output alert_fast: /var/log/snort/alert

instead of what you've got if you need that output and

output database: log, mysql, dbname=snort host=localhost user=snort 
password=hidden detail=full

> 5. Reputation config: 
> WARNING: Can't find any whitelist/blacklist entries. Reputation
> Preprocessor disabled.
> what is the syntax in the snort.conf file... howtos are pissing me
> off....
> 
> I have:
> whitelist $WHITE_LIST_PATH/white_list.rules, \
>    blacklist $BLACK_LIST_PATH/black_list.rules

This is just a warning.
As you have 

var WHITE_LIST_PATH /etc/snort/rules
var BLACK_LIST_PATH /etc/snort/rules

then if you put IP addresses in
/etc/snort/rules/white_list.rules
/etc/snort/rules/black_list.rules

The Reputation preproc will be enabled.

> 6. 
> 
> I found the problem I believe, snort.u2 vs snort.log defined in
> snort.conf.... good grief...
> made filename snort looks for as snort.log, there were no warnings in
> syslog nor snort stdout in console mode...

A wrong filename isn't really fatal so an error isn't entirely appropriate.

> 7. lastly, I don't have a 2nd nic. where would I define that, and if not
> defined, will it cause issues?

No.

-- 
Peter Bates
Senior Information Security Officer   Phone: +44(0)2076792049
Information Services Division	      Internal Ext: 32049
University College London
London WC1E 6BT
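Added example (not part of the thread, and not Snort's or u2spewfoo's own code): a small Python reader for the unified2 record stream that u2spewfoo decodes in the message above, pulling the sig id / gen id / revision / classification fields out of Unified2IDSEvent records. It assumes the record layout from Snort's unified2 format (8-byte big-endian type/length header, 52-byte IPv4 event body, type 7 for events and 2 for packet records) and runs over a constructed byte string, not a real capture.

```python
import struct
from typing import Iterator

# Record types from Snort's unified2 format (assumption: layout taken from
# Snort's unified2 documentation; the thread only shows u2spewfoo's output).
UNIFIED2_PACKET = 2
UNIFIED2_IDS_EVENT = 7

_HDR = struct.Struct("!II")  # record header: type, length (network byte order)
_EVENT = struct.Struct("!IIIIIIIIIIIHHBBBB")  # Unified2IDSEvent (IPv4), 52 bytes
_EVENT_FIELDS = (
    "sensor_id", "event_id", "event_second", "event_microsecond",
    "sig_id", "gen_id", "revision", "classification", "priority",
    "src_ip", "dst_ip", "sport_itype", "dport_icode",
    "protocol", "impact_flag", "impact", "blocked",
)

def iter_records(data: bytes) -> Iterator:
    """Yield (type, body) per record; stop at a truncated tail record."""
    off = 0
    while off + _HDR.size <= len(data):
        rtype, length = _HDR.unpack_from(data, off)
        off += _HDR.size
        if off + length > len(data):
            break  # partial record, e.g. snort is still writing it
        yield rtype, data[off:off + length]
        off += length

def ids_events(data: bytes) -> list:
    """Decode IPv4 IDS event records; packet and other record types are skipped."""
    events = []
    for rtype, body in iter_records(data):
        if rtype != UNIFIED2_IDS_EVENT or len(body) < _EVENT.size:
            continue
        events.append(dict(zip(_EVENT_FIELDS, _EVENT.unpack_from(body))))
    return events

def event_record(sig_id: int, gen_id: int, rev: int, cls: int) -> bytes:
    """Build a constructed event record (sample data, not a real capture)."""
    body = _EVENT.pack(0, 1, 1349686400, 0, sig_id, gen_id, rev, cls, 0,
                       0xC0A80001, 0xC0A80002, 8, 0, 1, 0, 0, 0)  # ICMP echo
    return _HDR.pack(UNIFIED2_IDS_EVENT, len(body)) + body

# Constructed sample: two events from local rule 10000001 with a packet record between.
SAMPLE = (event_record(10000001, 1, 0, 0)
          + _HDR.pack(UNIFIED2_PACKET, 4) + b"\x00\x00\x00\x00"
          + event_record(10000001, 1, 0, 0))
```

Pointing `ids_events` at the bytes of a real `snort.log.<timestamp>` file should give the same sig id / gen id pairs as the `u2spewfoo ... | grep sig` line above; a record cut off mid-write is dropped rather than mis-parsed.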