[Snort-users] Snort-users Digest, Vol 76, Issue 16

c_mullins702000@yahoo.com c_mullins702000 at ...131...
Fri Sep 7 21:48:05 EDT 2012


Stop junk mail
Sent from my Virgin Mobile Android-Powered Device

----- Reply message -----
From: snort-users-request at lists.sourceforge.net
To: <snort-users at lists.sourceforge.net>
Subject: Snort-users Digest, Vol 76, Issue 16
Date: Fri, Sep 7, 2012 8:44 pm


Send Snort-users mailing list submissions to
	snort-users at lists.sourceforge.net

To subscribe or unsubscribe via the World Wide Web, visit
	https://lists.sourceforge.net/lists/listinfo/snort-users
or, via email, send a message with subject or body 'help' to
	snort-users-request at lists.sourceforge.net

You can reach the person managing the list at
	snort-users-owner at lists.sourceforge.net

When replying, please edit your Subject line so it is more specific
than "Re: Contents of Snort-users digest..."


When responding, please don't respond with the entire Digest.  Please trim your response.

Today's Topics:

   1. Re: Multiple Instances of Snort and Barnyard2 Startup script
      (Jack)
   2. Re: Multiple Instances of Snort and Barnyard2 Startup script
      (Jack)
   3. Re: Snort's architecture (waldo kitty)
   4. Re: Snort's architecture (Victor Roemer)
   5. Re: Snort's architecture (waldo kitty)


----------------------------------------------------------------------

Message: 1
Date: Fri, 7 Sep 2012 08:14:02 -0400
From: Jack <kingofnerds at ...11827...>
Subject: Re: [Snort-users] Multiple Instances of Snort and Barnyard2 Startup script
To: beenph <beenph at ...11827...>
Cc: snort-users at lists.sourceforge.net
Message-ID:
	<CAGLYKvD3cE=3yL71aucwFiedf0r0HH-gHL1QCHaYDgtBbbQyPQ at ...11828...>
Content-Type: text/plain; charset=ISO-8859-1

I am successfully using a single barnyard2 configuration by passing
the variable " -i snort$COUNTER" in the startup script; this seems to
be all that is needed to separate the different instances in the
database. I am using mysql and base for the database portion.

On Tue, Sep 4, 2012 at 5:24 PM, beenph <beenph at ...11827...> wrote:
> On Tue, Sep 4, 2012 at 5:09 PM, Jack <kingofnerds at ...11827...> wrote:
>> In case anyone is interested, I modified a start script I found on a
>> forum somewhere to start multiple instances of snort and barnyard2. My
>> setup is using PF_RING on a CentOS 5.8 32bit box to run snort on the
>> last four cores in my 16 core system listening to a single span port
>> from two Juniper switches. I also attached the configs for snort and
>> barnyard2.
>>
>
> Make sure you have multiple by2 configurations with a different instance name
> so you do run into concurrency issues if you log to database.
>
> -elz
>
>
>> #! /bin/sh
>> ### BEGIN INIT INFO
>>
>> #---------- begin section for chkconfig support -----
>> # chkconfig: - 93 83
>> # description: Snort and Barnyard2 Sniffer
>> # processname: snortbarn
>> # config: /etc/snort/snort.conf /etc/snort/barnyard2.conf
>> # pidfile: /var/run/snort/
>> #---------- end section for chkconfig support -----
>>
>> #---------- begin section for debian dynamic start scripts -----
>> # Provides: snortbarn
>> # Required-Start: $remote_fs $syslog mysql
>> # Required-Stop: $remote_fs $syslog
>> # Default-Start: 2 3 4 5
>> # Default-Stop: 0 1 6
>> # X-Interactive: true
>> # Short-Description: Start Snort and Barnyard
>> #--------- end section for debian dynamic start scripts -----
>> ### END INIT INFO
>>
>> #. /lib/init/vars.sh
>> # Source the LSB helpers only where they exist (Debian); on CentOS the
>> # status function comes from /etc/rc.d/init.d/functions instead.
>> [ -r /lib/lsb/init-functions ] && . /lib/lsb/init-functions
>> . /etc/rc.d/init.d/functions # added to support the status function in CentOS
>>
>> do_start() {
>>         #log_daemon_msg "Starting Snort and Barnyard" ""
>>
>>         # Make sure mysql has finished starting before barnyard2 tries to log to it:
>>         # wait until the mysqld pidfile exists and names a live process
>>         ps_alive=0
>>         pidfile=/var/run/mysqld/mysqld.pid
>>         while [ $ps_alive -lt 1 ]; do
>>                 if [ -f "$pidfile" ] && ps -p "$(cat "$pidfile")" >/dev/null 2>&1; then
>>                         ps_alive=1
>>                 else
>>                         #echo "sleeping" >&2
>>                         sleep 1
>>                 fi
>>         done
>>
>>         # numbers in COUNTER represent the core to which snort binds itself;
>>         # every instance gets its own pid path, log directory, waldo file and
>>         # barnyard2 instance name (-i) so the database rows do not collide
>>         for COUNTER in 12 13 14 15; do
>>                 /usr/local/bin/snort -D -u root -g snort -c /etc/snort/snort.conf \
>>                         -i eth1 --pid-path=/var/run/snort$COUNTER \
>>                         -l /var/log/snort/$COUNTER --daq-var bindcpu=$COUNTER
>>                 /usr/local/bin/barnyard2 -c /etc/snort/barnyard2.conf \
>>                         -d /var/log/snort/$COUNTER -f snort.log -i snort$COUNTER \
>>                         -w /etc/snort/bylog$COUNTER.waldo -G /etc/snort/gen-msg.map \
>>                         -S /etc/snort/sid-msg.map -C /etc/snort/classification.config \
>>                         -D 2> /dev/null
>>         done
>>         #log_end_msg 0
>>
>>         return 0
>> }
>>
>> do_stop() {
>>         #log_daemon_msg "Stopping Snort and Barnyard" ""
>>         # pidof returns every instance, so one kill per daemon stops all four
>>         kill $(pidof snort) 2> /dev/null
>>         kill $(pidof barnyard2) 2> /dev/null
>>         sleep 5
>>         #log_end_msg 0
>>         return 0
>> }
>>
>> #do_status() {
>> #       # some lines to display status of running snort processes
>> #
>> #}
>>
>> RETVAL=0
>> case "$1" in
>>   start)
>>         do_start
>>  ;;
>>   stop)
>>         do_stop
>>  ;;
>>   restart)
>>         do_stop
>>         sleep 10
>>         do_start
>>  ;;
>>   status)
>>     # status comes from /etc/rc.d/init.d/functions on CentOS
>>     status snort
>>     status barnyard2
>>     RETVAL=$?
>>  ;;
>>  *)
>>       echo "Usage: snort-barn {start|stop|restart|status}" >&2
>>     exit 3
>>  ;;
>> esac
>> # propagate the status result so "status" reports a stopped daemon as non-zero
>> exit $RETVAL
>>
>>
>> --
>> _____________________________________
>>  ---- In the end Nerds will Rule the World ----
>>
>> ------------------------------------------------------------------------------
>> Live Security Virtual Conference
>> Exclusive live event will cover all the ways today's security and
>> threat landscape has changed and how IT managers can respond. Discussions
>> will include endpoint security, mobile security and the latest in malware
>> threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
>> _______________________________________________
>> Snort-users mailing list
>> Snort-users at lists.sourceforge.net
>> Go to this URL to change user options or unsubscribe:
>> https://lists.sourceforge.net/lists/listinfo/snort-users
>> Snort-users list archive:
>> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>>
>> Please visit http://blog.snort.org to stay current on all the latest Snort news!



-- 
_____________________________________
 ---- In the end Nerds will Rule the World ----



------------------------------

Message: 2
Date: Fri, 7 Sep 2012 10:44:03 -0400
From: Jack <kingofnerds at ...11827...>
Subject: Re: [Snort-users] Multiple Instances of Snort and Barnyard2 Startup script
To: beenph <beenph at ...11827...>
Cc: snort-users at lists.sourceforge.net
Message-ID:
	<CAGLYKvBfTr9CBeK7kkWuajkrcovQ_q2sgpeP87edqyM8WDMqug at ...11828...>
Content-Type: text/plain; charset=ISO-8859-1

Yes, you are correct there, however I only have one interface on my
snort box which I am monitoring, so I didn't run into that issue. I
will keep it in mind for future applications.

On Fri, Sep 7, 2012 at 8:51 AM, beenph <beenph at ...11827...> wrote:
> On Fri, Sep 7, 2012 at 8:14 AM, Jack <kingofnerds at ...11827...> wrote:
>> I am successfully using a single barnyard2 configuration by passing
>> the variable " -i snort$COUNTER" in the startup script, this seems to
>> be all that is needed to separate the different instances in the
>> database. I am using mysql and base for the database portion.
>
>
> My bad, you are right on the interface argument. But this will affect the way
> sensors are inserted in the sensor table, changing the interface name to a
> unique identifier.
>
> I would recommend you to use -i $MONITORINTERFACENAME-$COUNTER instead,
> because if you monitor 4 interfaces on the same system
> then you could still encounter $COUNTER collisions.
>
> -elz
>
>
>>
>> On Tue, Sep 4, 2012 at 5:24 PM, beenph <beenph at ...11827...> wrote:
>>> On Tue, Sep 4, 2012 at 5:09 PM, Jack <kingofnerds at ...11827...> wrote:
>>>> In case anyone is interested, I modified a start script I found on a
>>>> forum somewhere to start multiple instances of snort and barnyard2. My
>>>> setup is using PF_RING on a CentOS 5.8 32bit box to run snort on the
>>>> last four cores in my 16 core system listening to a single span port
>>>> from two Juniper switches. I also attached the configs for snort and
>>>> barnyard2.
>>>>
>>>
>>> Make sure you have multiple by2 configurations with a different instance name
>>> so you do run into concurrency issues if you log to database.
>>>
>>> -elz
>>>
>>>



-- 
_____________________________________
 ---- In the end Nerds will Rule the World ----
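The collision beenph describes above, as an added example that is not part of the thread or of the snort/barnyard2 projects: a small POSIX sh script that builds the recommended <interface>-<counter> barnyard2 instance name, counts how many names the old snort<counter> scheme and the new scheme share once a second interface is monitored, and prints the resulting barnyard2 command lines without starting anything. The interface names (eth1, eth2), the core numbers and the per-interface -d/-w paths are constructed assumptions.

```sh
#!/bin/sh
# Added example, not code from the thread. Assumed/constructed values:
# interfaces eth1 and eth2, cores 12-15, per-interface log and waldo paths.

# Instance name in the form beenph recommends: <interface>-<counter>
by2_instance_name() {
    printf '%s-%s\n' "$1" "$2"
}

# Scheme used by the script in the thread: snort<counter>. The interface is
# ignored, so two interfaces on the same cores produce the same name.
by2_instance_name_old() {
    printf 'snort%s\n' "$2"
}

# count_collisions NAMER "IFACE..." "COUNTER...": number of instance names
# that would be produced more than once for the given interfaces and cores.
count_collisions() {
    namer=$1; ifaces=$2; counters=$3
    names=""
    for i in $ifaces; do
        for c in $counters; do
            names="$names
$("$namer" "$i" "$c")"
        done
    done
    dups=$(printf '%s\n' "$names" | sed '/^$/d' | sort | uniq -d | wc -l)
    echo $((dups + 0))
}

# Dry run: the barnyard2 command line one instance would get (assumed paths,
# printed rather than executed).
by2_cmdline() {
    iface=$1; counter=$2
    name=$(by2_instance_name "$iface" "$counter")
    printf '%s\n' "/usr/local/bin/barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort/$iface/$counter -f snort.log -i $name -w /etc/snort/bylog-$name.waldo -D"
}

# Stand-alone demo over the constructed values: compare both schemes, then
# list the command lines the recommended scheme yields.
for scheme in by2_instance_name_old by2_instance_name; do
    echo "$scheme: $(count_collisions "$scheme" "eth1 eth2" "12 13 14 15") collision(s) across eth1/eth2 x cores 12-15"
done
for IFACE in eth1 eth2; do
    for COUNTER in 12 13 14 15; do
        by2_cmdline "$IFACE" "$COUNTER"
    done
done
```

With one interface the old scheme never collides, which is why the thread's setup worked; the check above shows the four duplicates that appear as soon as a second interface reuses the same core numbers, and that the interface-qualified name stays unique.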



------------------------------

Message: 3
Date: Fri, 07 Sep 2012 11:29:57 -0400
From: waldo kitty <wkitty42 at ...14940...>
Subject: Re: [Snort-users] Snort's architecture
To: snort-users at lists.sourceforge.net
Message-ID: <504A12F5.7080303 at ...14940...>
Content-Type: text/plain; charset=UTF-8; format=flowed

On 9/6/2012 21:29, dandantheitman wrote:
> You could always argue that snort can also output to a database, as well as a
> file or an alert,

yeah, no... snort doesn't do database output any more... i forget which was the 
last version to support it but i suspect it was in the 2.8.* range... possibly 
one or two of the 2.9.0.* ones but nothing newer... for database output, you 
/have/ to run another tool to read the output files that snort does emit and 
have that tool do the output to the database...



------------------------------

Message: 4
Date: Fri, 7 Sep 2012 12:32:57 -0400
From: Victor Roemer <vroemer at ...1935...>
Subject: Re: [Snort-users] Snort's architecture
To: wkitty42 at ...14940...
Cc: snort-users at lists.sourceforge.net
Message-ID:
	<CAOneVvs4z3yT-QOEFZkcWxDdf3pUPZ30u0YnkbNG-2HK-0zD=g at ...11828...>
Content-Type: text/plain; charset="iso-8859-1"

Just to clear it up. Database output was deprecated in 2.9.2 and removed in
2.9.3.


~ Victor


On Fri, Sep 7, 2012 at 11:29 AM, waldo kitty <wkitty42 at ...14940...> wrote:

> On 9/6/2012 21:29, dandantheitman wrote:
> > You could always argue that snort can also output to a database, as well as a
> > file or an alert,
>
> yeah, no... snort doesn't do database output any more... i forget which was the
> last version to support it but i suspect it was in the 2.8.* range... possibly
> one or two of the 2.9.0.* ones but nothing newer... for database output, you
> /have/ to run another tool to read the output files that snort does emit and
> have that tool do the output to the database...
>

------------------------------

Message: 5
Date: Fri, 07 Sep 2012 20:44:21 -0400
From: waldo kitty <wkitty42 at ...14940...>
Subject: Re: [Snort-users] Snort's architecture
To: snort-users at lists.sourceforge.net
Message-ID: <504A94E5.4090804 at ...14940...>
Content-Type: text/plain; charset=UTF-8; format=flowed

On 9/7/2012 12:32, Victor Roemer wrote:
> Just to clear it up. Database output was deprecated in 2.9.2 and removed in 2.9.3.

thanks for that, victor... i knew it was sometime in the 2.9 era but i just 
couldn't remember it and didn't feel like hunting thru my archives to determine 
exactly when it was or what version it was... my guess of 2.9.0.* was "slightly" 
off :lol:

>
>
> ~ Victor
>
>
> On Fri, Sep 7, 2012 at 11:29 AM, waldo kitty <wkitty42 at ...14940...
> <mailto:wkitty42 at ...14940...>> wrote:
>
>     On 9/6/2012 21:29, dandantheitman wrote:
>      > You could always argue that snort can also output to a database, as well as a
>      > file or an alert,
>
>     yeah, no... snort doesn't do database output any more... i forget which was the
>     last version to support it but i suspect it was in the 2.8.* range... possibly
>     one or two of the 2.9.0.* ones but nothing newer... for database output, you
>     /have/ to run another tool to read the output files that snort does emit and
>     have that tool do the output to the database...




------------------------------

------------------------------

_______________________________________________
Snort-users mailing list
Snort-users at lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-users


End of Snort-users Digest, Vol 76, Issue 16
*******************************************