[Snort-users] Snort & Barnyard

Ayodele Okeowo aymacro at ...11827...
Mon Dec 23 12:00:09 EST 2013


Remove the -A fast switch from the line and let it look like this. I
also like to run snort for a database test without the *-b -d* options.

/usr/sbin/snort -D -i eth1 -u snort -g snort -c /etc/snort/snort.conf -l
/usr/local/snort/var/log/eth1

Clean the snort log folder to start seeing newly generated log files. Run the
command below:
rm -rf /var/log/snort/snort.*
If you are using a different name for your unified file, replace the
"/snort.*" with "/merged.*" or "/u2.*" or whatever name you chose.

Restart barnyard, this time in daemon mode, then run the command above and it
should give a different result this time.

In MySQL, try running "select count(*) from event": the number will
increment, which will help you see if alerts are getting logged.

Ayo
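A diagnostic for the symptom in this thread (Barnyard2 opens a growing snort.log.* spool file but reports "Read 0 records"), added here as example code that is not part of the thread, of Snort or of Barnyard2: it reads a spool file and reports whether the bytes are unified2 records (the type/length-headed format barnyard2 expects) or a tcpdump/pcap capture like the one Snort's -b switch writes. It assumes the standard unified2 record-type numbers and libpcap magic values, and the sample inputs are constructed, not taken from the poster's sensor.

```python
import struct

# Unified2 record types barnyard2 understands (from Snort's unified2 definitions).
UNIFIED2_TYPES = {
    2: "PACKET", 7: "IDS_EVENT", 72: "IDS_EVENT_IPV6",
    104: "IDS_EVENT_VLAN", 105: "IDS_EVENT_IPV6_VLAN", 110: "EXTRA_DATA",
}
# libpcap file magic: microsecond and nanosecond variants, both byte orders.
PCAP_MAGICS = {b"\xa1\xb2\xc3\xd4", b"\xd4\xc3\xb2\xa1",
               b"\xa1\xb2\x3c\x4d", b"\x4d\x3c\xb2\xa1"}


def inspect_spool(data: bytes) -> dict:
    """Classify spool-file bytes and count the unified2 records a reader would see.

    Each unified2 record starts with an 8-byte big-endian header (type, body
    length). A truncated final record (snort still mid-write) ends the walk and
    is reported as trailing bytes, not as a record.
    """
    if len(data) >= 4 and data[:4] in PCAP_MAGICS:
        return {"format": "pcap", "records": 0, "types": {}, "trailing_bytes": 0}
    types, offset = {}, 0
    while offset + 8 <= len(data):
        rtype, rlen = struct.unpack(">II", data[offset:offset + 8])
        if rtype not in UNIFIED2_TYPES or offset + 8 + rlen > len(data):
            break                       # unknown type or incomplete record
        name = UNIFIED2_TYPES[rtype]
        types[name] = types.get(name, 0) + 1
        offset += 8 + rlen
    records = sum(types.values())
    return {"format": "unified2" if records else "unknown", "records": records,
            "types": types, "trailing_bytes": len(data) - offset}


def inspect_spool_file(path: str) -> dict:
    """Run inspect_spool() on a file on disk, e.g. the snort.log.1387811302 above."""
    with open(path, "rb") as fh:
        return inspect_spool(fh.read())


def unified2_record(rtype: int, body: bytes) -> bytes:
    """Build one unified2 record (header + body); used only for the samples below."""
    return struct.pack(">II", rtype, len(body)) + body


# Constructed sample inputs (not captured from a real sensor).
SAMPLE_UNIFIED2 = (unified2_record(7, b"\x00" * 52)        # IDS_EVENT
                   + unified2_record(2, b"\x00" * 80)      # PACKET for that event
                   + unified2_record(110, b"\x00" * 16))   # EXTRA_DATA
SAMPLE_TRUNCATED = SAMPLE_UNIFIED2 + struct.pack(">II", 7, 52) + b"\x00" * 10
SAMPLE_PCAP = b"\xd4\xc3\xb2\xa1" + b"\x00" * 20           # pcap global header only
```

A spool file reported as "pcap" is the -b tcpdump-format log, which barnyard2's unified2 reader cannot parse; "unified2" with a non-zero record count means the spool is fine and the problem is on the barnyard2/waldo or database side.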


On Mon, Dec 23, 2013 at 10:35 AM, James <snort at ...16635...> wrote:

> Hi,
>
> Thanks for your reply. Yes, at least I think so, I'm running snort like
> this:
> /usr/sbin/snort -A fast -b -d -D -i eth1 -u snort -g snort -c
> /etc/snort/snort.conf -l /usr/local/snort/var/log/eth1
>
> Starting barnyard without daemon mode shows this only:
>
> root at ...16640...:/var/www/aanval/apps# barnyard2 -c
> /etc/snort/barnyard.conf -d /usr/local/snort/var/log/eth1 -w
> /usr/local/snort/var/log/eth1/barnyard2.waldo -l
> /usr/local/snort/var/log/eth1 -a /usr/local/snort/var/log/eth1/archive -f
> snort.log -X /var/lock/barnyard2-eth1.pid
> Running in Continuous mode
>
>         --== Initializing Barnyard2 ==--
> Initializing Input Plugins!
> Initializing Output Plugins!
> Parsing config file "/etc/snort/barnyard.conf"
>
>
> +[ Signature Suppress list ]+
> ----------------------------
> +[No entry in Signature Suppress List]+
> ----------------------------
> +[ Signature Suppress list ]+
>
>
> Barnyard2 spooler: Event cache size set to [2048]
> Log directory = /usr/local/snort/var/log/eth1
> INFO database: Defaulting Reconnect/Transaction Error limit to 10
> INFO database: Defaulting Reconnect sleep time to 5 second
>
> [SignatureReferencePullDataStore()]: No Reference found in database ...
> database: compiled support for (mysql)
> database: configured to use mysql
> database: schema version = 107
> database:           host = localhost
> database:           user = snort_user
> database:  database name = snortdb
> database:    sensor name = localhost:eth1
> database:      sensor id = 2
> database:     sensor cid = 1
> database:  data encoding = hex
> database:   detail level = full
> database:     ignore_bpf = no
> database: using the "log" facility
>
>         --== Initialization Complete ==--
>
>   ______   -*> Barnyard2 <*-
>  / ,,_  \  Version 2.1.13 (Build 327)
>  |o"  )~|  By Ian Firns (SecurixLive): http://www.securixlive.com/
>  + '''' +  (C) Copyright 2008-2013 Ian Firns <firnsy at ...14568...>
>
> Using waldo file '/usr/local/snort/var/log/eth1/barnyard2.waldo':
>     spool directory = /usr/local/snort/var/log/eth1
>     spool filebase  = snort.log
>     time_stamp      = 1387663189
>     record_idx      = 0
> Opened spool file '/usr/local/snort/var/log/eth1/snort.log.1387663189'
> Closing spool file '/usr/local/snort/var/log/eth1/snort.log.1387663189'.
> Read 0 records
> Opened spool file '/usr/local/snort/var/log/eth1/snort.log.1387811302'
> Waiting for new data
>
> If I then press ctrl-c it says it's seen 0 for every field.
>
> If it helps, this is the dir in question:
>
> root at ...16640...:/var/www/aanval/apps# ls -al /usr/local/snort/var/log/eth1/
> total 98184
> drwxr-xr-x 4 snort snort      4096 Dec 23 15:11 .
> drwxr-xr-x 4 snort snort      4096 Dec 21 22:27 ..
> -rw-r--r-- 1 snort snort 100383823 Dec 23 15:13 alert
> drwxr-xr-x 2 snort snort      4096 Dec 23 15:11 archive
> -rw------- 1 snort snort      2056 Dec 23 15:11 barnyard2.waldo
> -rw------- 1 snort snort    128173 Dec 23 15:13 snort.log.1387811302
>
> If I tail the "alert" file, I see plenty of them occurring.
>
> Thanks
> James
>
>
> On 22 December 2013 23:29, Ayodele Okeowo <aymacro at ...11827...> wrote:
>
>> When you ran snort did you use the ' console -A' switch? Also, did you
>> test your barnyard without daemon mode?
>> On Dec 22, 2013 6:04 PM, "James" <snort at ...16635...> wrote:
>>
>>>  Hi all,
>>>
>>> I've followed this guide:
>>> http://wiki.aanval.com/wiki/Community:Snort_2.9.2.3_Installation_Guide_for_Ubuntu_12.04,_with_Barnyard2,_Pulledpork,_and_Aanval
>>> but using the most current Snort + Barnyard and everything seems to have
>>> installed and start-up correctly, but I'm not seeing anything get logged
>>> into the MySQL database. There were a few mistakes in the guide, which I've
>>> managed to fix with a bit of Googling, but I can't seem to solve this. I
>>> realise you're probably going to need more information to be able to help,
>>> but don't know enough yet to guess what that might be. Can anyone help
>>> please? The alternative is I wipe it all and start again in the hope I just
>>> missed something stupid the first time, but hopefully someone could help me
>>> avoid that?
>>>
>>> Thanks
>>> James
>>>
>>>
>>> _______________________________________________
>>> Snort-users mailing list
>>> Snort-users at lists.sourceforge.net
>>> Go to this URL to change user options or unsubscribe:
>>> https://lists.sourceforge.net/lists/listinfo/snort-users
>>> Snort-users list archive:
>>> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>>>
>>> Please visit http://blog.snort.org to stay current on all the latest
>>> Snort news!
>>>
>>
>
>
>