[Snort-users] Snort-users Digest, Vol 76, Issue 16

Joel Esler jesler at ...1935...
Fri Sep 7 22:26:25 EDT 2012


Good idea!  Luckily, this isn't an example.  

--
Joel Esler
Sent from my iPad 

On Sep 7, 2012, at 9:48 PM, "c_mullins702000 at ...131..." <c_mullins702000 at ...846....131...> wrote:

> 
> Stop junk mail
> Sent from my Virgin Mobile Android-Powered Device
> 
> ----- Reply message -----
> From: snort-users-request at lists.sourceforge.net
> To: <snort-users at lists.sourceforge.net>
> Subject: Snort-users Digest, Vol 76, Issue 16
> Date: Fri, Sep 7, 2012 8:44 pm
> 
> 
> Send Snort-users mailing list submissions to
> snort-users at lists.sourceforge.net
> 
> To subscribe or unsubscribe via the World Wide Web, visit
> https://lists.sourceforge.net/lists/listinfo/snort-users
> or, via email, send a message with subject or body 'help' to
> snort-users-request at lists.sourceforge.net
> 
> You can reach the person managing the list at
> snort-users-owner at lists.sourceforge.net
> 
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of Snort-users digest..."
> 
> 
> When responding, please don't respond with the entire Digest.  Please trim your response.
> 
> Today's Topics:
> 
>   1. Re: Multiple Instances of Snort and Barnyard2 Startup script
>      (Jack)
>   2. Re: Multiple Instances of Snort and Barnyard2 Startup script
>      (Jack)
>   3. Re: Snort's architecture (waldo kitty)
>   4. Re: Snort's architecture (Victor Roemer)
>   5. Re: Snort's architecture (waldo kitty)
> 
> 
> ----------------------------------------------------------------------
> 
> Message: 1
> Date: Fri, 7 Sep 2012 08:14:02 -0400
> From: Jack <kingofnerds at ...11827...>
> Subject: Re: [Snort-users] Multiple Instances of Snort and Barnyard2 Startup script
> To: beenph <beenph at ...11827...>
> Cc: snort-users at lists.sourceforge.net
> Message-ID:
> <CAGLYKvD3cE=3yL71aucwFiedf0r0HH-gHL1QCHaYDgtBbbQyPQ at ...11828...>
> Content-Type: text/plain; charset=ISO-8859-1
> 
> I am successfully using a single barnyard2 configuration by passing
> the variable " -i snort$COUNTER" in the startup script; this seems to
> be all that is needed to separate the different instances in the
> database. I am using MySQL and BASE for the database portion.
> 
> On Tue, Sep 4, 2012 at 5:24 PM, beenph <beenph at ...11827...> wrote:
> > On Tue, Sep 4, 2012 at 5:09 PM, Jack <kingofnerds at ...11827...> wrote:
> >> In case anyone is interested, I modified a start script I found on a
> >> forum somewhere to start multiple instances of snort and barnyard2. My
> >> setup is using PF_RING on a CentOS 5.8 32bit box to run snort on the
> >> last four cores in my 16 core system listening to a single span port
> >> from two Juniper switches. I also attached the configs for snort and
> >> barnyard2.
> >>
> >
> > Make sure you have multiple by2 configurations with a different instance name
> > so you do not run into concurrency issues if you log to a database.
> >
> > -elz
> >
> >
> >> #! /bin/sh
> >> #
> >> ### BEGIN INIT INFO
> >>
> >> #---------- begin section for chkconfig support -----
> >> # chkconfig: - 93 83
> >> # description: Snort and Barnyard2 Sniffer
> >> # processname: snortbarn
> >> # config: /etc/snort/snort.conf /etc/snort/barnyard2.conf
> >> # pidfile: /var/run/snort/
> >> #---------- end section for chkconfig support -----
> >>
> >> #---------- begin section for debian dynamic start scripts -----
> >> # Provides: snortbarn
> >> # Required-Start: $remote_fs $syslog mysql
> >> # Required-Stop: $remote_fs $syslog
> >> # Default-Start: 2 3 4 5
> >> # Default-Stop: 0 1 6
> >> # X-Interactive: true
> >> # Short-Description: Start Snort and Barnyard
> >> #--------- end section for debian dynamic start scripts -----
> >> ### END INIT INFO
> >>
> >> # Source (not execute) the LSB helpers where they exist (Debian); the
> >> # CentOS functions file provides the status function used below.
> >> [ -r /lib/lsb/init-functions ] && . /lib/lsb/init-functions
> >> . /etc/rc.d/init.d/functions # added to support the status function in CentOS
> >>
> >> # Cores to bind to: one snort/barnyard2 pair is started per core,
> >> # all listening on the same span-port interface.
> >> CORES="12 13 14 15"
> >> IFACE=eth1
> >>
> >> do_start() {
> >>         #log_daemon_msg "Starting Snort and Barnyard" ""
> >>
> >>         # Make sure mysql has finished starting; give up after 60 s
> >>         # instead of looping forever if it never comes up.
> >>         pidfile=/var/run/mysqld/mysqld.pid
> >>         waited=0
> >>         until [ -f "$pidfile" ] && ps `cat $pidfile` >/dev/null 2>&1; do
> >>                 if [ $waited -ge 60 ]; then
> >>                         echo "mysqld did not start; not starting snort/barnyard2" >&2
> >>                         return 1
> >>                 fi
> >>                 #echo "sleeping" >&2
> >>                 sleep 1
> >>                 waited=`expr $waited + 1`
> >>         done
> >>
> >>         # numbers in COUNTER represent the core to which snort binds itself
> >>         for COUNTER in $CORES; do
> >>                 # per-instance pid and log directories must exist before snort starts
> >>                 mkdir -p /var/run/snort$COUNTER /var/log/snort/$COUNTER
> >>                 # -u root leaves snort running as root; -u snort would drop to
> >>                 # that user once the interface is open
> >>                 /usr/local/bin/snort -D -u root -g snort -c /etc/snort/snort.conf \
> >>                         -i $IFACE --pid-path=/var/run/snort$COUNTER \
> >>                         -l /var/log/snort/$COUNTER --daq-var bindcpu=$COUNTER
> >>                 # -i gives each barnyard2 its own sensor name in the database;
> >>                 # stderr goes to /dev/null (a stray "nul" file was created before)
> >>                 /usr/local/bin/barnyard2 -D -c /etc/snort/barnyard2.conf \
> >>                         -d /var/log/snort/$COUNTER -f snort.log -i snort$COUNTER \
> >>                         -w /etc/snort/bylog$COUNTER.waldo -G /etc/snort/gen-msg.map \
> >>                         -S /etc/snort/sid-msg.map -C /etc/snort/classification.config \
> >>                         2> /dev/null
> >>         done
> >>         #log_end_msg 0
> >>
> >>         return 0
> >> }
> >>
> >> do_stop() {
> >>         #log_daemon_msg "Stopping Snort and Barnyard" ""
> >>         # pidof prints nothing when no process is running, so guard the kill
> >>         pids=`pidof snort`;     [ -n "$pids" ] && kill $pids
> >>         pids=`pidof barnyard2`; [ -n "$pids" ] && kill $pids
> >>         sleep 5
> >>         #log_end_msg 0
> >>         return 0
> >> }
> >>
> >> case "$1" in
> >>   start)
> >>         do_start
> >>         RETVAL=$?
> >>  ;;
> >>   stop)
> >>         do_stop
> >>         RETVAL=$?
> >>  ;;
> >>   restart)
> >>         do_stop
> >>         sleep 10
> >>         do_start
> >>         RETVAL=$?
> >>  ;;
> >>   status)
> >>         # report both daemons and exit non-zero if either is down
> >>         RETVAL=0
> >>         status snort || RETVAL=$?
> >>         status barnyard2 || RETVAL=$?
> >>  ;;
> >>  *)
> >>       echo "Usage: snort-barn {start|stop|restart|status}" >&2
> >>     exit 3
> >>  ;;
> >> esac
> >> exit $RETVAL
> >>
> >>
> >> --
> >> _____________________________________
> >>  ---- In the end Nerds will Rule the World ----
> >>
> >> ------------------------------------------------------------------------------
> >> Live Security Virtual Conference
> >> Exclusive live event will cover all the ways today's security and
> >> threat landscape has changed and how IT managers can respond. Discussions
> >> will include endpoint security, mobile security and the latest in malware
> >> threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
> >> _______________________________________________
> >> Snort-users mailing list
> >> Snort-users at lists.sourceforge.net
> >> Go to this URL to change user options or unsubscribe:
> >> https://lists.sourceforge.net/lists/listinfo/snort-users
> >> Snort-users list archive:
> >> http://www.geocrawler.com/redir-sf.php3?list=snort-users
> >>
> >> Please visit http://blog.snort.org to stay current on all the latest Snort news!
> 
> 
> 
> -- 
> _____________________________________
> ---- In the end Nerds will Rule the World ----
> 
> 
> 
> ------------------------------
> 
> Message: 2
> Date: Fri, 7 Sep 2012 10:44:03 -0400
> From: Jack <kingofnerds at ...11827...>
> Subject: Re: [Snort-users] Multiple Instances of Snort and Barnyard2 Startup script
> To: beenph <beenph at ...11827...>
> Cc: snort-users at lists.sourceforge.net
> Message-ID:
> <CAGLYKvBfTr9CBeK7kkWuajkrcovQ_q2sgpeP87edqyM8WDMqug at ...11828...>
> Content-Type: text/plain; charset=ISO-8859-1
> 
> Yes, you are correct there, however I only have one interface on my
> snort box which I am monitoring, so I didn't run into that issue. I
> will keep it in mind for future applications.
> 
> On Fri, Sep 7, 2012 at 8:51 AM, beenph <beenph at ...11827...> wrote:
> > On Fri, Sep 7, 2012 at 8:14 AM, Jack <kingofnerds at ...11827...> wrote:
> >> I am successfully using a single barnyard2 configuration by passing
> >> the variable " -i snort$COUNTER" in the startup script; this seems to
> >> be all that is needed to separate the different instances in the
> >> database. I am using MySQL and BASE for the database portion.
> >
> >
> > My bad, you are right on the interface argument. But this will affect the way
> > sensors are inserted in the sensor table, changing the interface name to a
> > unique identifier.
> >
> > I would recommend using -i $MONITORINTERFACENAME-$COUNTER instead,
> > because if you monitor 4 interfaces on the same system
> > you could still encounter $COUNTER collisions.
> >
> > -elz
> >
> >
> 
> 
> -- 
> _____________________________________
> ---- In the end Nerds will Rule the World ----
> 
> 
> 
> ------------------------------
> 
> Message: 3
> Date: Fri, 07 Sep 2012 11:29:57 -0400
> From: waldo kitty <wkitty42 at ...14940...>
> Subject: Re: [Snort-users] Snort's architecture
> To: snort-users at lists.sourceforge.net
> Message-ID: <504A12F5.7080303 at ...14940...>
> Content-Type: text/plain; charset=UTF-8; format=flowed
> 
> On 9/6/2012 21:29, dandantheitman wrote:
> > You could always argue that snort can also output to a database, as well as a
> > file or an alert,
> 
> yeah, no... snort doesn't do database output any more... i forget which was the 
> last version to support it but i suspect it was in the 2.8.* range... possibly 
> one or two of the 2.9.0.* ones but nothing newer... for database output, you 
> /have/ to run another tool to read the output files that snort does emit and 
> have that tool do the output to the database...
> 
> 
> 
> ------------------------------
> 
> Message: 4
> Date: Fri, 7 Sep 2012 12:32:57 -0400
> From: Victor Roemer <vroemer at ...1935...>
> Subject: Re: [Snort-users] Snort's architecture
> To: wkitty42 at ...14940...
> Cc: snort-users at lists.sourceforge.net
> Message-ID:
> <CAOneVvs4z3yT-QOEFZkcWxDdf3pUPZ30u0YnkbNG-2HK-0zD=g at ...11828...>
> Content-Type: text/plain; charset="iso-8859-1"
> 
> Just to clear it up. Database output was deprecated in 2.9.2 and removed in
> 2.9.3.
> 
> 
> ~ Victor
> 
> 
> ------------------------------
> 
> Message: 5
> Date: Fri, 07 Sep 2012 20:44:21 -0400
> From: waldo kitty <wkitty42 at ...14940...>
> Subject: Re: [Snort-users] Snort's architecture
> To: snort-users at lists.sourceforge.net
> Message-ID: <504A94E5.4090804 at ...14940...>
> Content-Type: text/plain; charset=UTF-8; format=flowed
> 
> On 9/7/2012 12:32, Victor Roemer wrote:
> > Just to clear it up. Database output was deprecated in 2.9.2 and removed in 2.9.3.
> 
> thanks for that, victor... i knew it was sometime in the 2.9 era but i just 
> couldn't remember it and didn't feel like hunting thru my archives to determine 
> exactly when it was or what version it was... my guess of 2.9.0.* was "slightly" 
> off :lol:
> 
> 
> 
> ------------------------------
> 
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/snort-users
> 
> 
> End of Snort-users Digest, Vol 76, Issue 16
> *******************************************
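The naming point beenph raises in Message 2 (a barnyard2 `-i` value built only from the core number collides as soon as a second interface is monitored with the same core list) is easy to check mechanically before an init script is rolled out. The following is an added example written for this page, not code from the thread or from the Snort/Barnyard2 projects: it builds the instance name from interface plus core as beenph suggests, derives the spool directory and waldo file from that same name so no two barnyard2 processes share a bookmark, and shows the old and new schemes side by side. The interface names (`eth1`, `eth2`), core numbers and the `/etc/snort` and `/var/log/snort` paths are constructed values mirroring the posted script.

```shell
#!/bin/sh
# Added example (not from the list thread). Derives a unique barnyard2
# instance name per (interface, core) pair and checks the naming scheme
# for collisions before anything is started. All values are constructed.

# by2_instance_name IFACE CORE  ->  "IFACE-CORE", e.g. eth1-12
by2_instance_name() {
    printf '%s-%s\n' "$1" "$2"
}

# Names under the posted scheme: only the core number is used, so two
# interfaces bound to the same cores yield identical names.
old_scheme_names() {
    for _iface in $1; do
        for _core in $2; do
            printf 'snort%s\n' "$_core"
        done
    done
}

# Names under the recommended scheme: one per (interface, core) pair.
new_scheme_names() {
    for _iface in $1; do
        for _core in $2; do
            by2_instance_name "$_iface" "$_core"
        done
    done
}

# names_unique "NAME NAME ..."  ->  exit 0 if every name is distinct,
# 1 if any repeats (two barnyard2 processes would then register as the
# same sensor row and share one waldo bookmark).
names_unique() {
    _dups=$(printf '%s\n' $1 | sort | uniq -d | wc -l | tr -d ' ')
    [ "$_dups" -eq 0 ]
}

# by2_args IFACE CORE  ->  barnyard2 arguments for that pair; the spool
# directory, waldo file and -i value are all derived from the same name.
by2_args() {
    _name=$(by2_instance_name "$1" "$2")
    printf -- '-c /etc/snort/barnyard2.conf -d /var/log/snort/%s -f snort.log -i %s -w /etc/snort/bylog-%s.waldo\n' \
        "$_name" "$_name" "$_name"
}

# plan_instances "IFACES" "CORES": refuse when the scheme is not
# collision-free, otherwise print one barnyard2 command line per pair.
plan_instances() {
    _names=$(new_scheme_names "$1" "$2")
    names_unique "$_names" || { echo "instance name collision" >&2; return 1; }
    for _iface in $1; do
        for _core in $2; do
            echo "barnyard2 -D $(by2_args "$_iface" "$_core")"
        done
    done
}

# Demonstration with constructed values: two interfaces, two cores each.
if [ "${1:-}" = "demo" ]; then
    printf 'old scheme unique? '
    names_unique "$(old_scheme_names 'eth1 eth2' '12 13')" && echo yes || echo no
    printf 'new scheme unique? '
    names_unique "$(new_scheme_names 'eth1 eth2' '12 13')" && echo yes || echo no
    plan_instances 'eth1 eth2' '12 13'
fi
```

Run with `sh naming.sh demo` (assumed file name): the old scheme reports `no` because `snort12` and `snort13` each appear twice, the new scheme reports `yes`, and the planned command lines use `eth1-12`, `eth1-13`, `eth2-12`, `eth2-13` for the sensor name, spool directory and waldo file alike. The same derived name should also feed snort's `-l` and `--pid-path` so the two daemons of a pair never share state with another pair.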
