[Snort-users] I'm having trouble configuring Snort as a Daemon

Trevor Thompson trevthom18 at ...11827...
Tue Aug 12 12:52:09 EDT 2014


Hey Bill,

Thanks for the reply. I would've responded sooner but I needed to access my
work computer in order to be able to access the logs.

Anyway, here are the contents of the log beginning after I attempted
to run Snort and Barnyard2 today:

Aug 12 09:14:06 localhost barnyard2[8140]: Running in Continuous mode
Aug 12 09:14:06 localhost barnyard2[8140]:
Aug 12 09:14:06 localhost barnyard2[8140]:         --== Initializing
Barnyard2 ==--
Aug 12 09:14:06 localhost barnyard2[8140]: Initializing Input Plugins!
Aug 12 09:14:06 localhost barnyard2[8140]: Initializing Output Plugins!
Aug 12 09:14:06 localhost barnyard2[8140]: Parsing config file
"/etc/snort/barnyard2.conf"
Aug 12 09:14:06 localhost barnyard2[8140]: #012#012+[ Signature Suppress
list ]+#012----------------------------
Aug 12 09:14:06 localhost barnyard2[8140]: +[No entry in Signature Suppress
List]+
Aug 12 09:14:06 localhost barnyard2[8140]:
----------------------------#012+[ Signature Suppress list ]+#012
Aug 12 09:14:22 localhost barnyard2[8140]: Barnyard2 spooler: Event cache
size set to [2048]
Aug 12 09:14:22 localhost barnyard2[8140]: Log directory =
/var/log/barnyard2
Aug 12 09:14:22 localhost barnyard2[8140]: INFO database: Defaulting
Reconnect/Transaction Error limit to 10
Aug 12 09:14:22 localhost barnyard2[8140]: INFO database: Defaulting
Reconnect sleep time to 5 second
Aug 12 09:14:22 localhost barnyard2[8140]: Initializing daemon mode
Aug 12 09:14:22 localhost barnyard2[8140]: Daemon parent exiting
Aug 12 09:14:22 localhost barnyard2[8142]: Daemon initialized, signaled
parent pid: 8140
Aug 12 09:14:22 localhost barnyard2[8142]: PID path stat checked out ok,
PID path set to /var/run/
Aug 12 09:14:22 localhost barnyard2[8142]: Writing PID "8142" to file
"/var/run//barnyard2_eth0.pid"
Aug 12 09:14:33 localhost snort[8163]: Running in IDS mode
Aug 12 09:14:33 localhost snort[8163]:
Aug 12 09:14:33 localhost snort[8163]:         --== Initializing Snort ==--
Aug 12 09:14:33 localhost snort[8163]: Initializing Output Plugins!
Aug 12 09:14:33 localhost snort[8163]: Initializing Preprocessors!
Aug 12 09:14:33 localhost snort[8163]: Initializing Plug-ins!
Aug 12 09:14:33 localhost snort[8163]: Parsing Rules file
"/etc/snort/snort.conf"
Aug 12 09:14:34 localhost snort[8163]: PortVar 'HTTP_PORTS' defined :
Aug 12 09:14:34 localhost snort[8163]:  [ 36 80:90 311 383 555 591 593 631
801 808 818 901 972 1158 1220 1414 1533 1741 1830 1942 2231 2301 2381 2809
2980 3029 3037 3057 3128 3443 3702 4000 4343 4848 5000 5117 5250 5600 6080
6173 6988 7000:7001 7071 7144:7145 7510 7770 7777:7779 8000 8008 8014 8028
8080:8082 8085 8088 8090 8118 8123 8180:8181 8222 8243 8280 8300 8333 8344
8500 8509 8800 8888 8899 8983 9000 9060 9080 9090:9091 9111 9290 9443
9999:10000 11371 12601 13014 15489 29991 33300 34412 34443:34444 41080
44449 50000 50002 51423 53331 55252 55555 56712 ]
Aug 12 09:14:34 localhost snort[8163]:
Aug 12 09:14:34 localhost snort[8163]: PortVar 'SHELLCODE_PORTS' defined :
Aug 12 09:14:34 localhost snort[8163]:  [ 0:79 81:65535 ]
Aug 12 09:14:34 localhost snort[8163]:
Aug 12 09:14:34 localhost snort[8163]: PortVar 'ORACLE_PORTS' defined :
Aug 12 09:14:34 localhost snort[8163]:  [ 1024:65535 ]
Aug 12 09:14:34 localhost snort[8163]:
Aug 12 09:14:34 localhost snort[8163]: PortVar 'SSH_PORTS' defined :
Aug 12 09:14:34 localhost snort[8163]:  [ 22 ]
Aug 12 09:14:34 localhost snort[8163]:
Aug 12 09:14:34 localhost snort[8163]: PortVar 'FTP_PORTS' defined :
Aug 12 09:14:34 localhost snort[8163]:  [ 21 2100 3535 ]
Aug 12 09:14:34 localhost snort[8163]:
Aug 12 09:14:34 localhost snort[8163]: PortVar 'SIP_PORTS' defined :
Aug 12 09:14:34 localhost snort[8163]:  [ 5060:5061 5600 ]
Aug 12 09:14:34 localhost snort[8163]:
Aug 12 09:14:34 localhost snort[8163]: PortVar 'FILE_DATA_PORTS' defined :
Aug 12 09:14:34 localhost snort[8163]:  [ 36 80:90 110 143 311 383 555 591
593 631 801 808 818 901 972 1158 1220 1414 1533 1741 1830 1942 2231 2301
2381 2809 2980 3029 3037 3057 3128 3443 3702 4000 4343 4848 5000 5117 5250
5600 6080 6173 6988 7000:7001 7071 7144:7145 7510 7770 7777:7779 8000 8008
8014 8028 8080:8082 8085 8088 8090 8118 8123 8180:8181 8222 8243 8280 8300
8333 8344 8500 8509 8800 8888 8899 8983 9000 9060 9080 9090:9091 9111 9290
9443 9999:10000 11371 12601 13014 15489 29991 33300 34412 34443:34444 41080
44449 50000 50002 51423 53331 55252 55555 56712 ]
Aug 12 09:14:34 localhost snort[8163]:
Aug 12 09:14:34 localhost snort[8163]: PortVar 'GTP_PORTS' defined :
Aug 12 09:14:34 localhost snort[8163]:  [ 2123 2152 3386 ]
Aug 12 09:14:34 localhost snort[8163]:
Aug 12 09:14:34 localhost snort[8163]: Detection:
Aug 12 09:14:34 localhost snort[8163]:    Search-Method = AC-Full-Q
Aug 12 09:14:34 localhost snort[8163]:     Split Any/Any group = enabled
Aug 12 09:14:34 localhost snort[8163]:     Search-Method-Optimizations =
enabled
Aug 12 09:14:34 localhost snort[8163]:     Maximum pattern length = 20
Aug 12 09:14:34 localhost snort[8163]: Tagged Packet Limit: 256
Aug 12 09:14:34 localhost snort[8163]: Loading dynamic engine
/usr/local/lib/snort_dynamicengine/libsf_engine.so...
Aug 12 09:14:34 localhost snort[8163]: done
Aug 12 09:14:34 localhost snort[8163]: Loading all dynamic preprocessor
libs from /usr/local/lib/snort_dynamicpreprocessor/...
Aug 12 09:14:34 localhost snort[8163]:   Loading dynamic preprocessor
library /usr/local/lib/snort_dynamicpreprocessor//libsf_imap_preproc.so...
Aug 12 09:14:34 localhost snort[8163]: done
Aug 12 09:14:34 localhost snort[8163]:   Loading dynamic preprocessor
library /usr/local/lib/snort_dynamicpreprocessor//libsf_ssl_preproc.so...
Aug 12 09:14:34 localhost snort[8163]: done
Aug 12 09:14:34 localhost snort[8163]:   Loading dynamic preprocessor
library /usr/local/lib/snort_dynamicpreprocessor//libsf_ssh_preproc.so...
Aug 12 09:14:34 localhost snort[8163]: done
Aug 12 09:14:34 localhost snort[8163]:   Loading dynamic preprocessor
library /usr/local/lib/snort_dynamicpreprocessor//libsf_gtp_preproc.so...
Aug 12 09:14:34 localhost snort[8163]: done
Aug 12 09:14:34 localhost snort[8163]:   Loading dynamic preprocessor
library /usr/local/lib/snort_dynamicpreprocessor//libsf_dns_preproc.so...
Aug 12 09:14:34 localhost snort[8163]: done
Aug 12 09:14:34 localhost snort[8163]:   Loading dynamic preprocessor
library /usr/local/lib/snort_dynamicpreprocessor//libsf_dnp3_preproc.so...
Aug 12 09:14:34 localhost snort[8163]: done
Aug 12 09:14:34 localhost snort[8163]:   Loading dynamic preprocessor
library
/usr/local/lib/snort_dynamicpreprocessor//libsf_reputation_preproc.so...
Aug 12 09:14:34 localhost snort[8163]: done
Aug 12 09:14:34 localhost snort[8163]:   Loading dynamic preprocessor
library /usr/local/lib/snort_dynamicpreprocessor//libsf_smtp_preproc.so...
Aug 12 09:14:34 localhost snort[8163]: done
Aug 12 09:14:34 localhost snort[8163]:   Loading dynamic preprocessor
library
/usr/local/lib/snort_dynamicpreprocessor//libsf_ftptelnet_preproc.so...
Aug 12 09:14:35 localhost snort[8163]: done
Aug 12 09:14:35 localhost snort[8163]:   Loading dynamic preprocessor
library /usr/local/lib/snort_dynamicpreprocessor//libsf_sip_preproc.so...
Aug 12 09:14:35 localhost snort[8163]: done
Aug 12 09:14:35 localhost snort[8163]:   Loading dynamic preprocessor
library /usr/local/lib/snort_dynamicpreprocessor//libsf_sdf_preproc.so...
Aug 12 09:14:35 localhost snort[8163]: done
Aug 12 09:14:35 localhost snort[8163]:   Loading dynamic preprocessor
library
/usr/local/lib/snort_dynamicpreprocessor//libsf_modbus_preproc.so...
Aug 12 09:14:35 localhost snort[8163]: done
Aug 12 09:14:35 localhost snort[8163]:   Loading dynamic preprocessor
library /usr/local/lib/snort_dynamicpreprocessor//libsf_pop_preproc.so...
Aug 12 09:14:35 localhost snort[8163]: done
Aug 12 09:14:35 localhost snort[8163]:   Loading dynamic preprocessor
library /usr/local/lib/snort_dynamicpreprocessor//libsf_dce2_preproc.so...
Aug 12 09:14:35 localhost snort[8163]: done
Aug 12 09:14:35 localhost snort[8163]:   Finished Loading all dynamic
preprocessor libs from /usr/local/lib/snort_dynamicpreprocessor/
Aug 12 09:14:35 localhost snort[8163]: Log directory = /var/log/snort
Aug 12 09:14:35 localhost snort[8163]: WARNING: ip4 normalizations disabled
because not inline.
Aug 12 09:14:35 localhost snort[8163]: WARNING: tcp normalizations disabled
because not inline.
Aug 12 09:14:35 localhost snort[8163]: WARNING: icmp4 normalizations
disabled because not inline.
Aug 12 09:14:35 localhost snort[8163]: WARNING: ip6 normalizations disabled
because not inline.
Aug 12 09:14:35 localhost snort[8163]: WARNING: icmp6 normalizations
disabled because not inline.
Aug 12 09:14:35 localhost snort[8163]: Frag3 global config:
Aug 12 09:14:35 localhost snort[8163]:     Max frags: 65536
Aug 12 09:14:35 localhost snort[8163]:     Fragment memory cap: 4194304
bytes
Aug 12 09:14:35 localhost snort[8163]: Frag3 engine config:
Aug 12 09:14:35 localhost snort[8163]:     Bound Address: default
Aug 12 09:14:35 localhost snort[8163]:     Target-based policy: WINDOWS
Aug 12 09:14:35 localhost snort[8163]:     Fragment timeout: 180 seconds
Aug 12 09:14:35 localhost snort[8163]:     Fragment min_ttl:   1
Aug 12 09:14:35 localhost snort[8163]:     Fragment Anomalies: Alert
Aug 12 09:14:35 localhost snort[8163]:     Overlap Limit:     10
Aug 12 09:14:35 localhost snort[8163]:     Min fragment Length:     100
Aug 12 09:14:35 localhost snort[8163]: Stream5 global config:
Aug 12 09:14:35 localhost snort[8163]:     Track TCP sessions: ACTIVE
Aug 12 09:14:35 localhost snort[8163]:     Max TCP sessions: 262144
Aug 12 09:14:35 localhost snort[8163]:     TCP cache pruning timeout: 30
seconds
Aug 12 09:14:35 localhost snort[8163]:     TCP cache nominal timeout: 3600
seconds
Aug 12 09:14:35 localhost snort[8163]:     Memcap (for reassembly packet
storage): 8388608
Aug 12 09:14:35 localhost snort[8163]:     Track UDP sessions: ACTIVE
Aug 12 09:14:35 localhost snort[8163]:     Max UDP sessions: 131072
Aug 12 09:14:35 localhost snort[8163]:     UDP cache pruning timeout: 30
seconds
Aug 12 09:14:35 localhost snort[8163]:     UDP cache nominal timeout: 180
seconds
Aug 12 09:14:35 localhost snort[8163]:     Track ICMP sessions: INACTIVE
Aug 12 09:14:35 localhost snort[8163]:     Track IP sessions: INACTIVE
Aug 12 09:14:35 localhost snort[8163]:     Log info if session memory
consumption exceeds 1048576
Aug 12 09:14:35 localhost snort[8163]:     Send up to 2 active responses
Aug 12 09:14:35 localhost snort[8163]:     Wait at least 5 seconds between
responses
Aug 12 09:14:35 localhost snort[8163]:     Protocol Aware Flushing: ACTIVE
Aug 12 09:14:35 localhost snort[8163]:         Maximum Flush Point: 16000
Aug 12 09:14:35 localhost snort[8163]:       Max Expected Streams: 768
Aug 12 09:14:35 localhost snort[8163]: Stream5 TCP Policy config:
Aug 12 09:14:35 localhost snort[8163]:     Bound Address: default
Aug 12 09:14:35 localhost snort[8163]:     Reassembly Policy: WINDOWS
Aug 12 09:14:35 localhost snort[8163]:     Timeout: 180 seconds
Aug 12 09:14:35 localhost snort[8163]:     Limit on TCP Overlaps: 10
Aug 12 09:14:35 localhost snort[8163]:     Maximum number of bytes to queue
per session: 1048576
Aug 12 09:14:35 localhost snort[8163]:     Maximum number of segs to queue
per session: 2621
Aug 12 09:14:35 localhost snort[8163]:     Options:
Aug 12 09:14:35 localhost snort[8163]:         Require 3-Way Handshake: YES
Aug 12 09:14:35 localhost snort[8163]:         3-Way Handshake Timeout: 180
Aug 12 09:14:35 localhost snort[8163]:         Detect Anomalies: YES
Aug 12 09:14:35 localhost snort[8163]:     Reassembly Ports:
Aug 12 09:14:35 localhost snort[8163]:       21 client (Footprint)
Aug 12 09:14:35 localhost snort[8163]:       22 client (Footprint)
Aug 12 09:14:35 localhost snort[8163]:       23 client (Footprint)
Aug 12 09:14:35 localhost snort[8163]:       25 client (Footprint)
Aug 12 09:14:35 localhost snort[8163]:       36 client (Footprint) server
(Footprint)
Aug 12 09:14:35 localhost snort[8163]:       42 client (Footprint)
Aug 12 09:14:35 localhost snort[8163]:       53 client (Footprint)
Aug 12 09:14:35 localhost snort[8163]:       70 client (Footprint)
Aug 12 09:14:35 localhost snort[8163]:       79 client (Footprint)
Aug 12 09:14:35 localhost snort[8163]:       80 client (Footprint) server
(Footprint)
Aug 12 09:14:35 localhost snort[8163]:       81 client (Footprint) server
(Footprint)
Aug 12 09:14:35 localhost snort[8163]:       82 client (Footprint) server
(Footprint)
Aug 12 09:14:35 localhost snort[8163]:       83 client (Footprint) server
(Footprint)
Aug 12 09:14:35 localhost snort[8163]:       84 client (Footprint) server
(Footprint)
Aug 12 09:14:35 localhost snort[8163]:       85 client (Footprint) server
(Footprint)
Aug 12 09:14:35 localhost snort[8163]:       86 client (Footprint) server
(Footprint)
Aug 12 09:14:35 localhost snort[8163]:       87 client (Footprint) server
(Footprint)
Aug 12 09:14:35 localhost snort[8163]:       88 client (Footprint) server
(Footprint)
Aug 12 09:14:35 localhost snort[8163]:       89 client (Footprint) server
(Footprint)
Aug 12 09:14:35 localhost snort[8163]:       90 client (Footprint) server
(Footprint)
Aug 12 09:14:35 localhost snort[8163]:       additional ports configured
but not printed.
Aug 12 09:14:35 localhost snort[8163]: Stream5 UDP Policy config:
Aug 12 09:14:35 localhost snort[8163]:     Timeout: 180 seconds
Aug 12 09:14:35 localhost snort[8163]: HttpInspect Config:
Aug 12 09:14:35 localhost snort[8163]:     GLOBAL CONFIG
Aug 12 09:14:35 localhost snort[8163]:       Max Pipeline Requests:    0
Aug 12 09:14:35 localhost snort[8163]:       Inspection Type:
STATELESS
Aug 12 09:14:35 localhost snort[8163]:       Detect Proxy Usage:       NO
Aug 12 09:14:35 localhost snort[8163]:       IIS Unicode Map Filename:
/etc/snort/unicode.map
Aug 12 09:14:35 localhost snort[8163]:       IIS Unicode Map Codepage: 1252
Aug 12 09:14:35 localhost snort[8163]:       Memcap used for logging URI
and Hostname: 150994944
Aug 12 09:14:35 localhost snort[8163]:       Max Gzip Memory: 838860
Aug 12 09:14:35 localhost snort[8163]:       Max Gzip Sessions: 5518
Aug 12 09:14:35 localhost snort[8163]:       Gzip Compress Depth: 65535
Aug 12 09:14:35 localhost snort[8163]:       Gzip Decompress Depth: 65535
Aug 12 09:14:35 localhost snort[8163]:     DEFAULT SERVER CONFIG:
Aug 12 09:14:35 localhost snort[8163]:       Server profile: All
Aug 12 09:14:35 localhost snort[8163]:       Ports (PAF): 36 80 81 82 83 84
85 86 87 88 89 90 311 383 555 591 593 631 801 808 818 901 972 1158 1220
1414 1533 1741 1830 1942 2231 2301 2381 2809 2980 3029 3037 3057 3128 3443
3702 4000 4343 4848 5000 5117 5250 5600 6080 6173 6988 7000 7001 7071 7144
7145 7510 7770 7777 7778 7779 8000 8008 8014 8028 8080 8081 8082 8085 8088
8090 8118 8123 8180 8181 8222 8243 8280 8300 8333 8344 8500 8509 8800 8888
8899 8983 9000 9060 9080 9090 9091 9111 9290 9443 9999 10000 11371 12601
13014 15489 29991 33300 34412 34443 34444 41080 44449 50000 50002 51423
53331 55252 55555 56712
Aug 12 09:14:35 localhost snort[8163]:       Server Flow Depth: 0
Aug 12 09:14:35 localhost snort[8163]:       Client Flow Depth: 0
Aug 12 09:14:35 localhost snort[8163]:       Max Chunk Length: 500000
Aug 12 09:14:35 localhost snort[8163]:       Small Chunk Length Evasion:
chunk size <= 10, threshold >= 5 times
Aug 12 09:14:35 localhost snort[8163]:       Max Header Field Length: 750
Aug 12 09:14:35 localhost snort[8163]:       Max Number Header Fields: 100
Aug 12 09:14:35 localhost snort[8163]:       Max Number of WhiteSpaces
allowed with header folding: 200
Aug 12 09:14:35 localhost snort[8163]:       Inspect Pipeline Requests: YES
Aug 12 09:14:35 localhost snort[8163]:       URI Discovery Strict Mode: NO
Aug 12 09:14:35 localhost snort[8163]:       Allow Proxy Usage: NO
Aug 12 09:14:35 localhost snort[8163]:       Disable Alerting: NO
Aug 12 09:14:35 localhost snort[8163]:       Oversize Dir Length: 500
Aug 12 09:14:35 localhost snort[8163]:       Only inspect URI: NO
Aug 12 09:14:35 localhost snort[8163]:       Normalize HTTP Headers: NO
Aug 12 09:14:35 localhost snort[8163]:       Inspect HTTP Cookies: YES
Aug 12 09:14:35 localhost snort[8163]:       Inspect HTTP Responses: YES
Aug 12 09:14:35 localhost snort[8163]:       Extract Gzip from responses:
YES
Aug 12 09:14:35 localhost snort[8163]:       Unlimited decompression of
gzip data from responses: YES
Aug 12 09:14:35 localhost snort[8163]:       Normalize Javascripts in HTTP
Responses: YES
Aug 12 09:14:35 localhost snort[8163]:       Max Number of WhiteSpaces
allowed with Javascript Obfuscation in HTTP responses: 200
Aug 12 09:14:35 localhost snort[8163]:       Normalize HTTP Cookies: NO
Aug 12 09:14:35 localhost snort[8163]:       Enable XFF and True Client IP:
NO
Aug 12 09:14:35 localhost snort[8163]:       Log HTTP URI data: NO
Aug 12 09:14:35 localhost snort[8163]:       Log HTTP Hostname data: NO
Aug 12 09:14:35 localhost snort[8163]:       Extended ASCII code support in
URI: NO
Aug 12 09:14:35 localhost snort[8163]:       Ascii: YES alert: NO
Aug 12 09:14:35 localhost snort[8163]:       Double Decoding: YES alert: NO
Aug 12 09:14:35 localhost snort[8163]:       %U Encoding: YES alert: YES
Aug 12 09:14:35 localhost snort[8163]:       Bare Byte: YES alert: NO
Aug 12 09:14:35 localhost snort[8163]:       UTF 8: YES alert: NO
Aug 12 09:14:35 localhost snort[8163]:       IIS Unicode: YES alert: NO
Aug 12 09:14:35 localhost snort[8163]:       Multiple Slash: YES alert: NO
Aug 12 09:14:35 localhost snort[8163]:       IIS Backslash: YES alert: NO
Aug 12 09:14:35 localhost snort[8163]:       Directory Traversal: YES
alert: NO
Aug 12 09:14:35 localhost snort[8163]:       Web Root Traversal: YES alert:
NO
Aug 12 09:14:35 localhost snort[8163]:       Apache WhiteSpace: YES alert:
NO
Aug 12 09:14:35 localhost snort[8163]:       IIS Delimiter: YES alert: NO
Aug 12 09:14:35 localhost snort[8163]:       IIS Unicode Map: GLOBAL IIS
UNICODE MAP CONFIG
Aug 12 09:14:35 localhost snort[8163]:       Non-RFC Compliant Characters:
0x00 0x01 0x02 0x03 0x04 0x05 0x06 0x07
Aug 12 09:14:35 localhost snort[8163]:       Whitespace Characters: 0x09
0x0b 0x0c 0x0d
Aug 12 09:14:35 localhost snort[8163]: rpc_decode arguments:
Aug 12 09:14:35 localhost snort[8163]:     Ports to decode RPC on: 111
32770 32771 32772 32773 32774 32775 32776 32777 32778 32779
Aug 12 09:14:35 localhost snort[8163]:     alert_fragments: INACTIVE
Aug 12 09:14:35 localhost snort[8163]:     alert_large_fragments: INACTIVE
Aug 12 09:14:35 localhost snort[8163]:     alert_incomplete: INACTIVE
Aug 12 09:14:35 localhost snort[8163]:     alert_multiple_requests: INACTIVE
Aug 12 09:14:35 localhost rsyslogd-2177: imuxsock begins to drop messages
from pid 8163 due to rate-limiting
Aug 12 09:14:53 localhost rsyslogd-2177: imuxsock lost 256 messages from
pid 8163 due to rate-limiting
Aug 12 09:14:53 localhost snort[8163]:
Aug 12 09:14:53 localhost snort[8163]: [ Port Based Pattern Matching Memory
]
Aug 12 09:14:53 localhost snort[8163]: +- [ Aho-Corasick Summary ]
-------------------------------------
Aug 12 09:14:53 localhost snort[8163]: | Storage Format    : Full-Q
Aug 12 09:14:53 localhost snort[8163]: | Finite Automaton  : DFA
Aug 12 09:14:53 localhost snort[8163]: | Alphabet Size     : 256 Chars
Aug 12 09:14:53 localhost snort[8163]: | Sizeof State      : Variable
(1,2,4 bytes)
Aug 12 09:14:53 localhost snort[8163]: | Instances         : 169
Aug 12 09:14:53 localhost snort[8163]: |     1 byte states : 159
Aug 12 09:14:53 localhost snort[8163]: |     2 byte states : 10
Aug 12 09:14:53 localhost snort[8163]: |     4 byte states : 0
Aug 12 09:14:53 localhost snort[8163]: | Characters        : 92288
Aug 12 09:14:53 localhost snort[8163]: | States            : 71178
Aug 12 09:14:53 localhost snort[8163]: | Transitions       : 7588084
Aug 12 09:14:53 localhost snort[8163]: | State Density     : 41.6%
Aug 12 09:14:53 localhost snort[8163]: | Patterns          : 5092
Aug 12 09:14:53 localhost snort[8163]: | Match States      : 5685
Aug 12 09:14:53 localhost snort[8163]: | Memory (MB)       : 36.73
Aug 12 09:14:53 localhost snort[8163]: |   Patterns        : 0.56
Aug 12 09:14:53 localhost snort[8163]: |   Match Lists     : 1.24
Aug 12 09:14:53 localhost snort[8163]: |   DFA
Aug 12 09:14:53 localhost snort[8163]: |     1 byte states : 0.96
Aug 12 09:14:53 localhost snort[8163]: |     2 byte states : 33.67
Aug 12 09:14:53 localhost snort[8163]: |     4 byte states : 0.00
Aug 12 09:14:53 localhost snort[8163]:
+----------------------------------------------------------------
Aug 12 09:14:53 localhost snort[8163]: [ Number of patterns truncated to 20
bytes: 313 ]
Aug 12 09:14:53 localhost snort[8163]: pcap DAQ configured to passive.
Aug 12 09:14:53 localhost snort[8163]: Acquiring network traffic from
"eth0".
Aug 12 09:14:53 localhost snort[8163]: Initializing daemon mode
Aug 12 09:14:53 localhost snort[8173]: Daemon initialized, signaled parent
pid: 8163
Aug 12 09:14:53 localhost snort[8173]: Reload thread starting...
Aug 12 09:14:53 localhost snort[8173]: Reload thread started, thread
0x7f8feee27700 (8174)
Aug 12 09:14:54 localhost kernel: device eth0 entered promiscuous mode
Aug 12 09:14:54 localhost snort[8173]: Decoding Ethernet
Aug 12 09:14:54 localhost snort[8173]: Checking PID path...
Aug 12 09:14:54 localhost snort[8173]: PID path stat checked out ok, PID
path set to /var/run/
Aug 12 09:14:54 localhost snort[8173]: Writing PID "8173" to file
"/var/run//snort_eth0.pid"
Aug 12 09:14:54 localhost snort[8173]: Set gid to 504
Aug 12 09:14:54 localhost kernel: device eth0 left promiscuous mode
Aug 12 09:14:54 localhost snort[8173]: Set uid to 496
Aug 12 09:14:54 localhost snort[8173]: FATAL ERROR: spo_unified2.c(320)
Could not open /var/log/snort/merged.log.1407860094: Permission denied
Aug 12 09:15:23 localhost barnyard2[8142]:
[SignatureReferencePullDataStore()]: No Reference found in database ...
Aug 12 09:15:23 localhost barnyard2[8142]: database: compiled support for
(mysql)
Aug 12 09:15:23 localhost barnyard2[8142]: database: configured to use mysql
Aug 12 09:15:23 localhost barnyard2[8142]: database: schema version = 107
Aug 12 09:15:23 localhost barnyard2[8142]: database:           host =
localhost
Aug 12 09:15:23 localhost barnyard2[8142]: database:           user = root
Aug 12 09:15:23 localhost barnyard2[8142]: database:  database name = snort
Aug 12 09:15:23 localhost barnyard2[8142]: database:    sensor name =
localhost.localdomain:eth0
Aug 12 09:15:23 localhost barnyard2[8142]: database:      sensor id = 2
Aug 12 09:15:23 localhost barnyard2[8142]: database:     sensor cid = 6
Aug 12 09:15:23 localhost barnyard2[8142]: database:  data encoding = hex
Aug 12 09:15:23 localhost barnyard2[8142]: database:   detail level = full
Aug 12 09:15:23 localhost barnyard2[8142]: database:     ignore_bpf = no
Aug 12 09:15:23 localhost barnyard2[8142]: database: using the "log"
facility
Aug 12 09:15:23 localhost barnyard2[8142]:
Aug 12 09:15:23 localhost barnyard2[8142]:         --== Initialization
Complete ==--
Aug 12 09:15:23 localhost barnyard2[8142]: Barnyard2 initialization
completed successfully (pid=8142)
Aug 12 09:15:23 localhost barnyard2[8142]: Using waldo file
'/etc/snort/barnyard2.waldo':#012    spool directory =
/var/log/snort#012    spool filebase  = merged.log#012    time_stamp      =
1407259400#012    record_idx      = 5370
Aug 12 09:15:23 localhost barnyard2[8142]: Opened spool file
'/var/log/snort/merged.log.1407259400'
Aug 12 09:15:23 localhost barnyard2[8142]: ERROR: Unable to open log spool
file '/var/log/snort/merged.log.1407259400' (Permission denied)
Aug 12 09:15:23 localhost barnyard2[8142]: Closing spool file
'/var/log/snort/merged.log.1407259400'. Read 0 records
Aug 12 09:15:23 localhost barnyard2[8142]: ERROR: Unable to create spooler!
Aug 12 09:15:23 localhost barnyard2[8142]:
===============================================================================
Aug 12 09:15:23 localhost barnyard2[8142]: Record Totals:
Aug 12 09:15:23 localhost barnyard2[8142]:    Records:           0
Aug 12 09:15:23 localhost barnyard2[8142]:    Events:           0 (0.000%)
Aug 12 09:15:23 localhost barnyard2[8142]:    Packets:           0 (0.000%)
Aug 12 09:15:23 localhost barnyard2[8142]:    Unknown:           0 (0.000%)
Aug 12 09:15:23 localhost barnyard2[8142]:    Suppressed:           0
(0.000%)
Aug 12 09:15:23 localhost barnyard2[8142]:
===============================================================================
Aug 12 09:15:23 localhost barnyard2[8142]: Packet breakdown by protocol
(includes rebuilt packets):
Aug 12 09:15:23 localhost barnyard2[8142]:       ETH: 0          (0.000%)
Aug 12 09:15:23 localhost barnyard2[8142]:   ETHdisc: 0          (0.000%)
Aug 12 09:15:23 localhost barnyard2[8142]:      VLAN: 0          (0.000%)
Aug 12 09:15:23 localhost barnyard2[8142]:      IPV6: 0          (0.000%)
Aug 12 09:15:23 localhost barnyard2[8142]:   IP6 EXT: 0          (0.000%)
Aug 12 09:15:23 localhost barnyard2[8142]:   IP6opts: 0          (0.000%)
Aug 12 09:15:23 localhost barnyard2[8142]:   IP6disc: 0          (0.000%)
Aug 12 09:15:23 localhost barnyard2[8142]:       IP4: 0          (0.000%)
Aug 12 09:15:23 localhost barnyard2[8142]:   IP4disc: 0          (0.000%)
Aug 12 09:15:23 localhost barnyard2[8142]:     TCP 6: 0          (0.000%)
Aug 12 09:15:23 localhost barnyard2[8142]:     UDP 6: 0          (0.000%)
Aug 12 09:15:23 localhost barnyard2[8142]:     ICMP6: 0          (0.000%)
Aug 12 09:15:23 localhost barnyard2[8142]:   ICMP-IP: 0          (0.000%)
Aug 12 09:15:23 localhost barnyard2[8142]:       TCP: 0          (0.000%)
Aug 12 09:15:23 localhost barnyard2[8142]:       UDP: 0          (0.000%)
Aug 12 09:15:23 localhost barnyard2[8142]:      ICMP: 0          (0.000%)
Aug 12 09:15:23 localhost barnyard2[8142]:   TCPdisc: 0          (0.000%)
Aug 12 09:15:23 localhost barnyard2[8142]:   UDPdisc: 0          (0.000%)
Aug 12 09:15:23 localhost barnyard2[8142]:   ICMPdis: 0          (0.000%)
Aug 12 09:15:23 localhost barnyard2[8142]:      FRAG: 0          (0.000%)
Aug 12 09:15:23 localhost barnyard2[8142]:    FRAG 6: 0          (0.000%)
Aug 12 09:15:23 localhost barnyard2[8142]:       ARP: 0          (0.000%)
Aug 12 09:15:23 localhost barnyard2[8142]:     EAPOL: 0          (0.000%)
Aug 12 09:15:23 localhost barnyard2[8142]:   ETHLOOP: 0          (0.000%)
Aug 12 09:15:23 localhost barnyard2[8142]:       IPX: 0          (0.000%)
Aug 12 09:15:23 localhost barnyard2[8142]:     OTHER: 0          (0.000%)
Aug 12 09:15:23 localhost barnyard2[8142]:   DISCARD: 0          (0.000%)
Aug 12 09:15:23 localhost barnyard2[8142]: InvChkSum: 0          (0.000%)
Aug 12 09:15:23 localhost barnyard2[8142]:    S5 G 1: 0          (0.000%)
Aug 12 09:15:23 localhost barnyard2[8142]:    S5 G 2: 0          (0.000%)
Aug 12 09:15:23 localhost barnyard2[8142]:     Total: 0
Aug 12 09:15:23 localhost barnyard2[8142]:




On Fri, Aug 8, 2014 at 7:41 AM, Bill Bernsen <bill.bernsen at ...6823...> wrote:

> Hi Trevor,
>
> Can you copy and paste the details from /var/log/messages when you start
> up snort/barnyard2?
>
>
> On Wed, Aug 6, 2014 at 4:34 PM, Trevor Thompson <trevthom18 at ...11827...>
> wrote:
>
>> Hello,
>>
>> I am trying to set up Snort and Barnyard2 as daemons on CentOS 6.5. They
>> are both producing the same errors when I attempt to stop, restart, or
>> start the service:
>>
>> snort dead but subsys locked
>> barnyard dead but subsys locked
>>
>> I've been following installation instructions for the software that I
>> found on this website:
>> http://cyberoperations.wordpress.com/2014-class/2014-08-snort-2-9-6-0-network-miner-1-5-autopsy/
>> and
>> http://cyberoperations.wordpress.com/2014-class/2014-09-mysql-barnyard/.
>> The first link describes how to install snort and configure it as a
>> daemon; the second link details how to configure MySQL, install Barnyard2,
>> and configure Barnyard2 as a service. Through following the tutorial I
>> managed to log data and send it to a MySQL database of my own creation.
>> Everything was fine until I got to the very bottom of the second link and
>> attempted to install Barnyard2 as a service:
>>
>> "Starting Barnyard Automatically
>>
>> To complete the installation, we need Barnyard2 to start automatically.
>> To do so, Barnyard2 should run as a daemon, so uncomment line 85 of the
>> /etc/snort/barnyard2.conf file
>>
>> # enable daemon mode
>> #
>> config daemon
>>
>> Next, update the barnyard2.conf file with the full location of the waldo
>> file; modify line 134 to read
>>
>> # define the full waldo filepath.
>> #
>> config waldo_file: /etc/snort/barnyard2.waldo
>>
>> The waldo file (where is he anyway?) lets Barnyard2 track how far it has
>> progressed through the various output file created by snort. We specified
>> this precise location in the command line we have used in testing.
>>
>> We do not want Barnyard2 running as root; instead we tell Barnyard2 to
>> run as the user (and group) snort by modifying lines 91-97.
>>
>> # specify the group or GID for barnyard2 to run as after initialisation.
>> #
>> config set_gid: snort
>>
>> # specify the user or UID for barnyard2 to run as after initialisation.
>> #
>> config set_uid: snort
>>
>> Since we want Barnyard2 to run as the user snort, we change the
>> permissions on our waldo file:
>>
>> [root at ...16933... snort]# chown snort:snort /etc/snort/barnyard2.waldo
>>
>> Remember- it was automatically created the first time we ran Barnyard.
>> Since we ran it as root that first time, it was created with root
>> permissions, so we would not be able to use it as snort.
>>
>> Copy the startup script from the installation directory to /etc/init.d
>> and make it executable
>>
>> [root at ...16933... ~]# cp /usr/local/src/barnyard2-master/rpm/barnyard2 /etc/init.d/
>> [root at ...16933... ~]# chmod a+x /etc/init.d/barnyard2
>>
>> We need to make a few modifications to the file though. We do not need to
>> specify the location of ARCHIVEDIR, so line 37 can be removed.
>>
>> The location of the WALDO_FILE in line 38 should be changed. In our
>> setup, files are not indexed by the interface name, so we do not want to
>> include $INT in the path name; we also have stored the waldo file in
>> /etc/snort rather than in $SNORTDIR; thus these lines should become the
>> single line
>>
>> WALDO_FILE="/etc/snort/barnyard2.waldo"
>>
>> We also need to remove the dependencies on the interface in the
>> BARNYARD_OPTS line; it should become
>>
>> BARNYARD_OPTS="-D -c $CONF -d $SNORTDIR -w $WALDO_FILE -f $LOG_FILE
>> -X $PIDFILE $EXTRA_ARGS"
>>
>> Combining these changes, we end up with a start() routine in the form
>>
>> start() {
>> 	echo -n $"Starting $desc ($prog): "
>> 	for INT in $INTERFACES; do
>> 		PIDFILE="/var/lock/subsys/barnyard2-$INT.pid"
>> 		WALDO_FILE="/etc/snort/barnyard2.waldo"
>> 		BARNYARD_OPTS="-D -c $CONF -d $SNORTDIR -w $WALDO_FILE
>>                          -f $LOG_FILE -X $PIDFILE $EXTRA_ARGS"
>> 		daemon $prog $BARNYARD_OPTS
>> 	done
>> 	RETVAL=$?
>> 	echo
>> 	[ $RETVAL -eq 0 ] && touch /var/lock/subsys/$prog
>> 	return $RETVAL
>> }
>>
>> We also put a link to the binary in /usr/sbin
>>
>> [root at ...16933... ~]# ln -s /usr/local/bin/barnyard2 /usr/sbin/barnyard2
>>
>> Copy the configuration file from the installation directory to
>> /etc/sysconfig
>>
>> [root at ...16933... ~]# cp /usr/local/src/barnyard2-master/rpm/barnyard2.config
>> /etc/sysconfig/barnyard2
>>
>> We need to make a few changes to this file as well; when complete it
>> should look like
>>
>> # Config file for /etc/init.d/barnyard2
>> LOG_FILE="merged.log"
>>
>> # You probably don't want to change this, but in case you do
>> SNORTDIR="/var/log/snort"
>> INTERFACES="eth0"
>>
>> # Probably not this either
>> CONF=/etc/snort/barnyard2.conf
>>
>> EXTRA_ARGS=""
>>
>> In case you are wondering what got changed- both the LOG_FILE variable
>> as well as the CONF variables.
>>
>> Finally, we set up our start-up and shutdown scripts:
>>
>> [root at ...16933... ~]# ln -s /etc/init.d/barnyard2 /etc/rc3.d/S99barnyard2d
>> [root at ...16933... ~]# ln -s /etc/init.d/barnyard2 /etc/rc5.d/S99barnyard2d
>> [root at ...16934... ~]# ln -s /etc/init.d/barnyard2 /etc/rc0.d/K99barnyard2d
>> [root at ...16933... ~]# ln -s /etc/init.d/barnyard2 /etc/rc6.d/K99barnyard2d
>>
>> This completes the installation. You can verify that it works by simply
>> rebooting the box and checking that both snort and barnyard2 run correctly."
>>
>> However, rebooting the operating system didn't fix the problem, but it
>> instead created the previously mentioned errors. Does anyone have any idea
>> what the problem could be with my system?
>>
>>
>>
>
>
>
> --
> Bill Bernsen, Network Security Analyst
> ITS Technology Security Services, New York University
> http://www.nyu.edu/its/security
>
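The two errors in the log above are the same fault seen from both sides: after `Set uid to 496` snort can no longer create `merged.log.<timestamp>` in /var/log/snort, and barnyard2, once it drops privileges, cannot read the spool file or update a waldo file that root created. The script below is a pre-flight check that reproduces those access decisions from the owner, group and mode bits before the init scripts are started. It is an added example, not code from this thread or from the quoted tutorial; it assumes a GNU or busybox `stat` that supports `-c`, and the uid/gid 496/504 and the paths are taken from the log only as defaults.

```shell
#!/bin/bash
# Pre-flight permission audit for a Snort + Barnyard2 pair that drop
# privileges via set_uid/set_gid.  Added example, not from the thread or
# the tutorial it quotes.  Assumes a stat(1) that accepts -c '%u %g %a'.

# can_access UID GID MODE PATH
# Returns 0 if a process running as UID/GID could open PATH for MODE
# (r, w or x) judging by owner, group and permission bits alone.  uid 0 is
# always allowed; ACLs, SELinux and capabilities are not modelled.
can_access() {
    uid=$1 gid=$2 want=$3 path=$4
    [ -e "$path" ] || return 2
    [ "$uid" -eq 0 ] && return 0
    set -- $(stat -c '%u %g %a' "$path")      # owner uid, group gid, mode
    fuid=$1 fgid=$2 mode=$3
    while [ ${#mode} -lt 4 ]; do mode=0$mode; done   # e.g. 644 -> 0644
    if   [ "$uid" -eq "$fuid" ]; then digit=$(printf '%s' "$mode" | cut -c2)
    elif [ "$gid" -eq "$fgid" ]; then digit=$(printf '%s' "$mode" | cut -c3)
    else                               digit=$(printf '%s' "$mode" | cut -c4)
    fi
    case $want in r) bit=4 ;; w) bit=2 ;; x) bit=1 ;; *) return 2 ;; esac
    [ $(( digit & bit )) -ne 0 ]
}

problems=0
complain() { printf 'PROBLEM: %s\n' "$1"; problems=$((problems + 1)); }

# audit_spool RUN_UID RUN_GID SPOOL_DIR WALDO_FILE PID_DIR
# Checks every access the daemons need after dropping privileges, prints
# one line per problem and returns the number of problems found:
#   - snort must create merged.log.<timestamp> in SPOOL_DIR (write+search)
#   - barnyard2 must read every existing merged.log.* spool file
#   - barnyard2 must update the waldo file and write its pid file
audit_spool() {
    run_uid=$1 run_gid=$2 spool=$3 waldo=$4 piddir=$5
    problems=0
    can_access "$run_uid" "$run_gid" w "$spool" && \
    can_access "$run_uid" "$run_gid" x "$spool" || \
        complain "uid $run_uid cannot create spool files in $spool"
    for f in "$spool"/merged.log.*; do
        [ -e "$f" ] || continue                  # glob matched nothing
        can_access "$run_uid" "$run_gid" r "$f" || \
            complain "uid $run_uid cannot read spool file $f"
    done
    can_access "$run_uid" "$run_gid" w "$waldo" || \
        complain "uid $run_uid cannot update waldo file $waldo"
    can_access "$run_uid" "$run_gid" w "$piddir" || \
        complain "uid $run_uid cannot write a pid file in $piddir"
    return "$problems"
}

# Run against the live system with: ./audit.sh --run
# Defaults are the uid/gid and paths reported in the log above (assumed).
if [ "${1:-}" = "--run" ]; then
    audit_spool "${RUN_UID:-496}" "${RUN_GID:-504}" \
        "${SNORTDIR:-/var/log/snort}" \
        "${WALDO_FILE:-/etc/snort/barnyard2.waldo}" \
        "${PIDDIR:-/var/run}"
    echo "problems found: $?"
fi
```

A clean result from the audit does not prove the daemons will start, but a non-zero result reproduces exactly the "Permission denied" lines in the log before any service is touched.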