[Snort-users] I'm having trouble configuring Snort as a Daemon

Bill Bernsen bill.bernsen at ...6823...
Tue Aug 12 12:58:21 EDT 2014


Hi Trevor,

These are the lines that stand out:

Aug 12 09:14:54 localhost snort[8173]: FATAL ERROR: spo_unified2.c(320) Could not open /var/log/snort/merged.log.1407860094: Permission denied
Aug 12 09:15:23 localhost barnyard2[8142]: ERROR: Unable to open log spool file '/var/log/snort/merged.log.1407259400' (Permission denied)
Aug 12 09:15:23 localhost barnyard2[8142]: Closing spool file '/var/log/snort/merged.log.1407259400'. Read 0 records
Aug 12 09:15:23 localhost barnyard2[8142]: ERROR: Unable to create spooler!

It looks like the permissions on your /var/log/snort directory aren't set
correctly. You'll want to recursively change the owner/group to the user
that snort and barnyard2 run as.

Cheers,

Bill

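The two log lines above are the whole diagnosis: Snort dropped to uid 496 / gid 504 and then could not create a new unified2 spool file, and Barnyard2 could not read the old one, both under /var/log/snort. The script below is an added example (not part of this thread, and not Snort or Barnyard2 code) that automates that reading of the log: it recovers the uid/gid from the "Set uid/gid to" lines, pulls every path that hit "Permission denied", then audits a spool directory with the classic mode bits the way the kernel would for that uid/gid (directory needs write+execute so Snort can create merged.log.<timestamp>, existing spool files need read so Barnyard2 can consume them) and prints the recursive chown the reply recommends. The syslog text and the temporary spool directory it audits are constructed for the example; POSIX ACLs, capabilities and root are deliberately ignored by the check.

```python
"""Audit a Snort/Barnyard2 spool directory against the uid/gid Snort drops to."""
import os
import re
import tempfile

# Constructed sample, modelled on the syslog excerpt quoted in the thread.
SAMPLE_SYSLOG = """\
Aug 12 09:14:54 localhost snort[8173]: Set gid to 504
Aug 12 09:14:54 localhost snort[8173]: Set uid to 496
Aug 12 09:14:54 localhost snort[8173]: FATAL ERROR: spo_unified2.c(320) Could not open /var/log/snort/merged.log.1407860094: Permission denied
Aug 12 09:15:23 localhost barnyard2[8142]: ERROR: Unable to open log spool file '/var/log/snort/merged.log.1407259400' (Permission denied)
"""

SETID_RE = re.compile(r"\bSet (uid|gid) to (\d+)")
# A path (unquoted or single-quoted) followed by ": Permission denied" or " (Permission denied)".
DENIED_RE = re.compile(r"(/[^\s'\"]+?)[':]?\s*\(?Permission denied")


def parse_drop_privs(log_text):
    """Return (uid, gid, [paths that hit 'Permission denied']) from syslog lines."""
    uid = gid = None
    denied = []
    for line in log_text.splitlines():
        m = SETID_RE.search(line)
        if m:
            if m.group(1) == "uid":
                uid = int(m.group(2))
            else:
                gid = int(m.group(2))
        m = DENIED_RE.search(line)
        if m:
            denied.append(m.group(1))
    return uid, gid, denied


def can_access(path, uid, gid, need):
    """Check permission bits `need` (r=4, w=2, x=1) for uid/gid on `path`.

    Uses only the owner/group/other mode bits; ACLs, root and capabilities
    are ignored, so this mirrors what an unprivileged daemon user gets.
    """
    st = os.stat(path)
    if st.st_uid == uid:
        perms = (st.st_mode >> 6) & 7
    elif st.st_gid == gid:
        perms = (st.st_mode >> 3) & 7
    else:
        perms = st.st_mode & 7
    return perms & need == need


def audit_log_dir(directory, uid, gid):
    """Return entries under `directory` that uid/gid cannot use as a spool.

    Snort must create new merged.log.<timestamp> files (directory needs w+x);
    Barnyard2 must read the existing ones (each file needs r).
    """
    problems = []
    if not can_access(directory, uid, gid, 0o3):
        problems.append(directory)
    for name in sorted(os.listdir(directory)):
        full = os.path.join(directory, name)
        if os.path.isfile(full) and not can_access(full, uid, gid, 0o4):
            problems.append(full)
    return problems


def suggest_fix(directory, uid, gid):
    """The recursive ownership change the thread recommends, using the ids
    seen in the log (on the box itself you would use the names, e.g. snort:snort)."""
    return f"chown -R {uid}:{gid} {directory}"


def demo():
    """Build a constructed root-style spool directory (mode 0700, file 0600)
    and audit it both as the current user and as the uid/gid from the sample log."""
    uid, gid, denied = parse_drop_privs(SAMPLE_SYSLOG)
    spool = tempfile.mkdtemp(prefix="snort-spool-")   # constructed stand-in for /var/log/snort
    os.chmod(spool, 0o700)
    spool_file = os.path.join(spool, "merged.log.1407259400")
    open(spool_file, "w").close()
    os.chmod(spool_file, 0o600)
    return {
        "uid": uid, "gid": gid, "denied": denied,
        "spool": spool, "spool_file": spool_file,
        "as_self": audit_log_dir(spool, os.getuid(), os.getgid()),
        "as_snort": audit_log_dir(spool, uid, gid),
        "fix": suggest_fix(spool, uid, gid),
    }


if __name__ == "__main__":
    result = demo()
    print(f"snort dropped to uid={result['uid']} gid={result['gid']}")
    for path in result["denied"]:
        print(f"  permission denied on {path}")
    print("unusable as that uid/gid:", result["as_snort"])
    print("suggested fix:", result["fix"])
```

Run it with no arguments to see the audit of the constructed directory; to audit a real sensor, feed `parse_drop_privs` the relevant slice of /var/log/messages and point `audit_log_dir` at the `Log directory` Snort reports. The check is intentionally conservative: a directory that passes it for the daemon's uid/gid is one Snort can create spool files in and Barnyard2 can read from without either of them running as root.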

On Tue, Aug 12, 2014 at 12:52 PM, Trevor Thompson <trevthom18 at ...11827...>
wrote:

> Hey Bill,
>
> Thanks for the reply. I would've responded sooner but I needed to access
> my work computer in order to be able to access the logs.
>
> Anyway, here are the contents of the log beginning after I attempted
> to run Snort and Barnyard2 today:
>
> Aug 12 09:14:06 localhost barnyard2[8140]: Running in Continuous mode
> Aug 12 09:14:06 localhost barnyard2[8140]:
> Aug 12 09:14:06 localhost barnyard2[8140]:         --== Initializing
> Barnyard2 ==--
> Aug 12 09:14:06 localhost barnyard2[8140]: Initializing Input Plugins!
> Aug 12 09:14:06 localhost barnyard2[8140]: Initializing Output Plugins!
> Aug 12 09:14:06 localhost barnyard2[8140]: Parsing config file
> "/etc/snort/barnyard2.conf"
> Aug 12 09:14:06 localhost barnyard2[8140]: #012#012+[ Signature Suppress
> list ]+#012----------------------------
> Aug 12 09:14:06 localhost barnyard2[8140]: +[No entry in Signature
> Suppress List]+
> Aug 12 09:14:06 localhost barnyard2[8140]:
> ----------------------------#012+[ Signature Suppress list ]+#012
> Aug 12 09:14:22 localhost barnyard2[8140]: Barnyard2 spooler: Event cache
> size set to [2048]
> Aug 12 09:14:22 localhost barnyard2[8140]: Log directory =
> /var/log/barnyard2
> Aug 12 09:14:22 localhost barnyard2[8140]: INFO database: Defaulting
> Reconnect/Transaction Error limit to 10
> Aug 12 09:14:22 localhost barnyard2[8140]: INFO database: Defaulting
> Reconnect sleep time to 5 second
> Aug 12 09:14:22 localhost barnyard2[8140]: Initializing daemon mode
> Aug 12 09:14:22 localhost barnyard2[8140]: Daemon parent exiting
> Aug 12 09:14:22 localhost barnyard2[8142]: Daemon initialized, signaled
> parent pid: 8140
> Aug 12 09:14:22 localhost barnyard2[8142]: PID path stat checked out ok,
> PID path set to /var/run/
> Aug 12 09:14:22 localhost barnyard2[8142]: Writing PID "8142" to file
> "/var/run//barnyard2_eth0.pid"
> Aug 12 09:14:33 localhost snort[8163]: Running in IDS mode
> Aug 12 09:14:33 localhost snort[8163]:
> Aug 12 09:14:33 localhost snort[8163]:         --== Initializing Snort ==--
> Aug 12 09:14:33 localhost snort[8163]: Initializing Output Plugins!
> Aug 12 09:14:33 localhost snort[8163]: Initializing Preprocessors!
> Aug 12 09:14:33 localhost snort[8163]: Initializing Plug-ins!
> Aug 12 09:14:33 localhost snort[8163]: Parsing Rules file
> "/etc/snort/snort.conf"
> Aug 12 09:14:34 localhost snort[8163]: PortVar 'HTTP_PORTS' defined :
> Aug 12 09:14:34 localhost snort[8163]:  [ 36 80:90 311 383 555 591 593 631
> 801 808 818 901 972 1158 1220 1414 1533 1741 1830 1942 2231 2301 2381 2809
> 2980 3029 3037 3057 3128 3443 3702 4000 4343 4848 5000 5117 5250 5600 6080
> 6173 6988 7000:7001 7071 7144:7145 7510 7770 7777:7779 8000 8008 8014 8028
> 8080:8082 8085 8088 8090 8118 8123 8180:8181 8222 8243 8280 8300 8333 8344
> 8500 8509 8800 8888 8899 8983 9000 9060 9080 9090:9091 9111 9290 9443
> 9999:10000 11371 12601 13014 15489 29991 33300 34412 34443:34444 41080
> 44449 50000 50002 51423 53331 55252 55555 56712 ]
> Aug 12 09:14:34 localhost snort[8163]:
> Aug 12 09:14:34 localhost snort[8163]: PortVar 'SHELLCODE_PORTS' defined :
> Aug 12 09:14:34 localhost snort[8163]:  [ 0:79 81:65535 ]
> Aug 12 09:14:34 localhost snort[8163]:
> Aug 12 09:14:34 localhost snort[8163]: PortVar 'ORACLE_PORTS' defined :
> Aug 12 09:14:34 localhost snort[8163]:  [ 1024:65535 ]
> Aug 12 09:14:34 localhost snort[8163]:
> Aug 12 09:14:34 localhost snort[8163]: PortVar 'SSH_PORTS' defined :
> Aug 12 09:14:34 localhost snort[8163]:  [ 22 ]
> Aug 12 09:14:34 localhost snort[8163]:
> Aug 12 09:14:34 localhost snort[8163]: PortVar 'FTP_PORTS' defined :
> Aug 12 09:14:34 localhost snort[8163]:  [ 21 2100 3535 ]
> Aug 12 09:14:34 localhost snort[8163]:
> Aug 12 09:14:34 localhost snort[8163]: PortVar 'SIP_PORTS' defined :
> Aug 12 09:14:34 localhost snort[8163]:  [ 5060:5061 5600 ]
> Aug 12 09:14:34 localhost snort[8163]:
> Aug 12 09:14:34 localhost snort[8163]: PortVar 'FILE_DATA_PORTS' defined :
> Aug 12 09:14:34 localhost snort[8163]:  [ 36 80:90 110 143 311 383 555 591
> 593 631 801 808 818 901 972 1158 1220 1414 1533 1741 1830 1942 2231 2301
> 2381 2809 2980 3029 3037 3057 3128 3443 3702 4000 4343 4848 5000 5117 5250
> 5600 6080 6173 6988 7000:7001 7071 7144:7145 7510 7770 7777:7779 8000 8008
> 8014 8028 8080:8082 8085 8088 8090 8118 8123 8180:8181 8222 8243 8280 8300
> 8333 8344 8500 8509 8800 8888 8899 8983 9000 9060 9080 9090:9091 9111 9290
> 9443 9999:10000 11371 12601 13014 15489 29991 33300 34412 34443:34444 41080
> 44449 50000 50002 51423 53331 55252 55555 56712 ]
> Aug 12 09:14:34 localhost snort[8163]:
> Aug 12 09:14:34 localhost snort[8163]: PortVar 'GTP_PORTS' defined :
> Aug 12 09:14:34 localhost snort[8163]:  [ 2123 2152 3386 ]
> Aug 12 09:14:34 localhost snort[8163]:
> Aug 12 09:14:34 localhost snort[8163]: Detection:
> Aug 12 09:14:34 localhost snort[8163]:    Search-Method = AC-Full-Q
> Aug 12 09:14:34 localhost snort[8163]:     Split Any/Any group = enabled
> Aug 12 09:14:34 localhost snort[8163]:     Search-Method-Optimizations =
> enabled
> Aug 12 09:14:34 localhost snort[8163]:     Maximum pattern length = 20
> Aug 12 09:14:34 localhost snort[8163]: Tagged Packet Limit: 256
> Aug 12 09:14:34 localhost snort[8163]: Loading dynamic engine
> /usr/local/lib/snort_dynamicengine/libsf_engine.so...
> Aug 12 09:14:34 localhost snort[8163]: done
> Aug 12 09:14:34 localhost snort[8163]: Loading all dynamic preprocessor
> libs from /usr/local/lib/snort_dynamicpreprocessor/...
> Aug 12 09:14:34 localhost snort[8163]:   Loading dynamic preprocessor
> library /usr/local/lib/snort_dynamicpreprocessor//libsf_imap_preproc.so...
> Aug 12 09:14:34 localhost snort[8163]: done
> Aug 12 09:14:34 localhost snort[8163]:   Loading dynamic preprocessor
> library /usr/local/lib/snort_dynamicpreprocessor//libsf_ssl_preproc.so...
> Aug 12 09:14:34 localhost snort[8163]: done
> Aug 12 09:14:34 localhost snort[8163]:   Loading dynamic preprocessor
> library /usr/local/lib/snort_dynamicpreprocessor//libsf_ssh_preproc.so...
> Aug 12 09:14:34 localhost snort[8163]: done
> Aug 12 09:14:34 localhost snort[8163]:   Loading dynamic preprocessor
> library /usr/local/lib/snort_dynamicpreprocessor//libsf_gtp_preproc.so...
> Aug 12 09:14:34 localhost snort[8163]: done
> Aug 12 09:14:34 localhost snort[8163]:   Loading dynamic preprocessor
> library /usr/local/lib/snort_dynamicpreprocessor//libsf_dns_preproc.so...
> Aug 12 09:14:34 localhost snort[8163]: done
> Aug 12 09:14:34 localhost snort[8163]:   Loading dynamic preprocessor
> library /usr/local/lib/snort_dynamicpreprocessor//libsf_dnp3_preproc.so...
> Aug 12 09:14:34 localhost snort[8163]: done
> Aug 12 09:14:34 localhost snort[8163]:   Loading dynamic preprocessor
> library
> /usr/local/lib/snort_dynamicpreprocessor//libsf_reputation_preproc.so...
> Aug 12 09:14:34 localhost snort[8163]: done
> Aug 12 09:14:34 localhost snort[8163]:   Loading dynamic preprocessor
> library /usr/local/lib/snort_dynamicpreprocessor//libsf_smtp_preproc.so...
> Aug 12 09:14:34 localhost snort[8163]: done
> Aug 12 09:14:34 localhost snort[8163]:   Loading dynamic preprocessor
> library
> /usr/local/lib/snort_dynamicpreprocessor//libsf_ftptelnet_preproc.so...
> Aug 12 09:14:35 localhost snort[8163]: done
> Aug 12 09:14:35 localhost snort[8163]:   Loading dynamic preprocessor
> library /usr/local/lib/snort_dynamicpreprocessor//libsf_sip_preproc.so...
> Aug 12 09:14:35 localhost snort[8163]: done
> Aug 12 09:14:35 localhost snort[8163]:   Loading dynamic preprocessor
> library /usr/local/lib/snort_dynamicpreprocessor//libsf_sdf_preproc.so...
> Aug 12 09:14:35 localhost snort[8163]: done
> Aug 12 09:14:35 localhost snort[8163]:   Loading dynamic preprocessor
> library
> /usr/local/lib/snort_dynamicpreprocessor//libsf_modbus_preproc.so...
> Aug 12 09:14:35 localhost snort[8163]: done
> Aug 12 09:14:35 localhost snort[8163]:   Loading dynamic preprocessor
> library /usr/local/lib/snort_dynamicpreprocessor//libsf_pop_preproc.so...
> Aug 12 09:14:35 localhost snort[8163]: done
> Aug 12 09:14:35 localhost snort[8163]:   Loading dynamic preprocessor
> library /usr/local/lib/snort_dynamicpreprocessor//libsf_dce2_preproc.so...
> Aug 12 09:14:35 localhost snort[8163]: done
> Aug 12 09:14:35 localhost snort[8163]:   Finished Loading all dynamic
> preprocessor libs from /usr/local/lib/snort_dynamicpreprocessor/
> Aug 12 09:14:35 localhost snort[8163]: Log directory = /var/log/snort
> Aug 12 09:14:35 localhost snort[8163]: WARNING: ip4 normalizations
> disabled because not inline.
> Aug 12 09:14:35 localhost snort[8163]: WARNING: tcp normalizations
> disabled because not inline.
> Aug 12 09:14:35 localhost snort[8163]: WARNING: icmp4 normalizations
> disabled because not inline.
> Aug 12 09:14:35 localhost snort[8163]: WARNING: ip6 normalizations
> disabled because not inline.
> Aug 12 09:14:35 localhost snort[8163]: WARNING: icmp6 normalizations
> disabled because not inline.
> Aug 12 09:14:35 localhost snort[8163]: Frag3 global config:
> Aug 12 09:14:35 localhost snort[8163]:     Max frags: 65536
> Aug 12 09:14:35 localhost snort[8163]:     Fragment memory cap: 4194304
> bytes
> Aug 12 09:14:35 localhost snort[8163]: Frag3 engine config:
> Aug 12 09:14:35 localhost snort[8163]:     Bound Address: default
> Aug 12 09:14:35 localhost snort[8163]:     Target-based policy: WINDOWS
> Aug 12 09:14:35 localhost snort[8163]:     Fragment timeout: 180 seconds
> Aug 12 09:14:35 localhost snort[8163]:     Fragment min_ttl:   1
> Aug 12 09:14:35 localhost snort[8163]:     Fragment Anomalies: Alert
> Aug 12 09:14:35 localhost snort[8163]:     Overlap Limit:     10
> Aug 12 09:14:35 localhost snort[8163]:     Min fragment Length:     100
> Aug 12 09:14:35 localhost snort[8163]: Stream5 global config:
> Aug 12 09:14:35 localhost snort[8163]:     Track TCP sessions: ACTIVE
> Aug 12 09:14:35 localhost snort[8163]:     Max TCP sessions: 262144
> Aug 12 09:14:35 localhost snort[8163]:     TCP cache pruning timeout: 30
> seconds
> Aug 12 09:14:35 localhost snort[8163]:     TCP cache nominal timeout: 3600
> seconds
> Aug 12 09:14:35 localhost snort[8163]:     Memcap (for reassembly packet
> storage): 8388608
> Aug 12 09:14:35 localhost snort[8163]:     Track UDP sessions: ACTIVE
> Aug 12 09:14:35 localhost snort[8163]:     Max UDP sessions: 131072
> Aug 12 09:14:35 localhost snort[8163]:     UDP cache pruning timeout: 30
> seconds
> Aug 12 09:14:35 localhost snort[8163]:     UDP cache nominal timeout: 180
> seconds
> Aug 12 09:14:35 localhost snort[8163]:     Track ICMP sessions: INACTIVE
> Aug 12 09:14:35 localhost snort[8163]:     Track IP sessions: INACTIVE
> Aug 12 09:14:35 localhost snort[8163]:     Log info if session memory
> consumption exceeds 1048576
> Aug 12 09:14:35 localhost snort[8163]:     Send up to 2 active responses
> Aug 12 09:14:35 localhost snort[8163]:     Wait at least 5 seconds between
> responses
> Aug 12 09:14:35 localhost snort[8163]:     Protocol Aware Flushing: ACTIVE
> Aug 12 09:14:35 localhost snort[8163]:         Maximum Flush Point: 16000
> Aug 12 09:14:35 localhost snort[8163]:       Max Expected Streams: 768
> Aug 12 09:14:35 localhost snort[8163]: Stream5 TCP Policy config:
> Aug 12 09:14:35 localhost snort[8163]:     Bound Address: default
> Aug 12 09:14:35 localhost snort[8163]:     Reassembly Policy: WINDOWS
> Aug 12 09:14:35 localhost snort[8163]:     Timeout: 180 seconds
> Aug 12 09:14:35 localhost snort[8163]:     Limit on TCP Overlaps: 10
> Aug 12 09:14:35 localhost snort[8163]:     Maximum number of bytes to
> queue per session: 1048576
> Aug 12 09:14:35 localhost snort[8163]:     Maximum number of segs to queue
> per session: 2621
> Aug 12 09:14:35 localhost snort[8163]:     Options:
> Aug 12 09:14:35 localhost snort[8163]:         Require 3-Way Handshake: YES
> Aug 12 09:14:35 localhost snort[8163]:         3-Way Handshake Timeout: 180
> Aug 12 09:14:35 localhost snort[8163]:         Detect Anomalies: YES
> Aug 12 09:14:35 localhost snort[8163]:     Reassembly Ports:
> Aug 12 09:14:35 localhost snort[8163]:       21 client (Footprint)
> Aug 12 09:14:35 localhost snort[8163]:       22 client (Footprint)
> Aug 12 09:14:35 localhost snort[8163]:       23 client (Footprint)
> Aug 12 09:14:35 localhost snort[8163]:       25 client (Footprint)
> Aug 12 09:14:35 localhost snort[8163]:       36 client (Footprint) server
> (Footprint)
> Aug 12 09:14:35 localhost snort[8163]:       42 client (Footprint)
> Aug 12 09:14:35 localhost snort[8163]:       53 client (Footprint)
> Aug 12 09:14:35 localhost snort[8163]:       70 client (Footprint)
> Aug 12 09:14:35 localhost snort[8163]:       79 client (Footprint)
> Aug 12 09:14:35 localhost snort[8163]:       80 client (Footprint) server
> (Footprint)
> Aug 12 09:14:35 localhost snort[8163]:       81 client (Footprint) server
> (Footprint)
> Aug 12 09:14:35 localhost snort[8163]:       82 client (Footprint) server
> (Footprint)
> Aug 12 09:14:35 localhost snort[8163]:       83 client (Footprint) server
> (Footprint)
> Aug 12 09:14:35 localhost snort[8163]:       84 client (Footprint) server
> (Footprint)
> Aug 12 09:14:35 localhost snort[8163]:       85 client (Footprint) server
> (Footprint)
> Aug 12 09:14:35 localhost snort[8163]:       86 client (Footprint) server
> (Footprint)
> Aug 12 09:14:35 localhost snort[8163]:       87 client (Footprint) server
> (Footprint)
> Aug 12 09:14:35 localhost snort[8163]:       88 client (Footprint) server
> (Footprint)
> Aug 12 09:14:35 localhost snort[8163]:       89 client (Footprint) server
> (Footprint)
> Aug 12 09:14:35 localhost snort[8163]:       90 client (Footprint) server
> (Footprint)
> Aug 12 09:14:35 localhost snort[8163]:       additional ports configured
> but not printed.
> Aug 12 09:14:35 localhost snort[8163]: Stream5 UDP Policy config:
> Aug 12 09:14:35 localhost snort[8163]:     Timeout: 180 seconds
> Aug 12 09:14:35 localhost snort[8163]: HttpInspect Config:
> Aug 12 09:14:35 localhost snort[8163]:     GLOBAL CONFIG
> Aug 12 09:14:35 localhost snort[8163]:       Max Pipeline Requests:    0
> Aug 12 09:14:35 localhost snort[8163]:       Inspection Type:
> STATELESS
> Aug 12 09:14:35 localhost snort[8163]:       Detect Proxy Usage:       NO
> Aug 12 09:14:35 localhost snort[8163]:       IIS Unicode Map Filename:
> /etc/snort/unicode.map
> Aug 12 09:14:35 localhost snort[8163]:       IIS Unicode Map Codepage: 1252
> Aug 12 09:14:35 localhost snort[8163]:       Memcap used for logging URI
> and Hostname: 150994944
> Aug 12 09:14:35 localhost snort[8163]:       Max Gzip Memory: 838860
> Aug 12 09:14:35 localhost snort[8163]:       Max Gzip Sessions: 5518
> Aug 12 09:14:35 localhost snort[8163]:       Gzip Compress Depth: 65535
> Aug 12 09:14:35 localhost snort[8163]:       Gzip Decompress Depth: 65535
> Aug 12 09:14:35 localhost snort[8163]:     DEFAULT SERVER CONFIG:
> Aug 12 09:14:35 localhost snort[8163]:       Server profile: All
> Aug 12 09:14:35 localhost snort[8163]:       Ports (PAF): 36 80 81 82 83
> 84 85 86 87 88 89 90 311 383 555 591 593 631 801 808 818 901 972 1158 1220
> 1414 1533 1741 1830 1942 2231 2301 2381 2809 2980 3029 3037 3057 3128 3443
> 3702 4000 4343 4848 5000 5117 5250 5600 6080 6173 6988 7000 7001 7071 7144
> 7145 7510 7770 7777 7778 7779 8000 8008 8014 8028 8080 8081 8082 8085 8088
> 8090 8118 8123 8180 8181 8222 8243 8280 8300 8333 8344 8500 8509 8800 8888
> 8899 8983 9000 9060 9080 9090 9091 9111 9290 9443 9999 10000 11371 12601
> 13014 15489 29991 33300 34412 34443 34444 41080 44449 50000 50002 51423
> 53331 55252 55555 56712
> Aug 12 09:14:35 localhost snort[8163]:       Server Flow Depth: 0
> Aug 12 09:14:35 localhost snort[8163]:       Client Flow Depth: 0
> Aug 12 09:14:35 localhost snort[8163]:       Max Chunk Length: 500000
> Aug 12 09:14:35 localhost snort[8163]:       Small Chunk Length Evasion:
> chunk size <= 10, threshold >= 5 times
> Aug 12 09:14:35 localhost snort[8163]:       Max Header Field Length: 750
> Aug 12 09:14:35 localhost snort[8163]:       Max Number Header Fields: 100
> Aug 12 09:14:35 localhost snort[8163]:       Max Number of WhiteSpaces
> allowed with header folding: 200
> Aug 12 09:14:35 localhost snort[8163]:       Inspect Pipeline Requests: YES
> Aug 12 09:14:35 localhost snort[8163]:       URI Discovery Strict Mode: NO
> Aug 12 09:14:35 localhost snort[8163]:       Allow Proxy Usage: NO
> Aug 12 09:14:35 localhost snort[8163]:       Disable Alerting: NO
> Aug 12 09:14:35 localhost snort[8163]:       Oversize Dir Length: 500
> Aug 12 09:14:35 localhost snort[8163]:       Only inspect URI: NO
> Aug 12 09:14:35 localhost snort[8163]:       Normalize HTTP Headers: NO
> Aug 12 09:14:35 localhost snort[8163]:       Inspect HTTP Cookies: YES
> Aug 12 09:14:35 localhost snort[8163]:       Inspect HTTP Responses: YES
> Aug 12 09:14:35 localhost snort[8163]:       Extract Gzip from responses:
> YES
> Aug 12 09:14:35 localhost snort[8163]:       Unlimited decompression of
> gzip data from responses: YES
> Aug 12 09:14:35 localhost snort[8163]:       Normalize Javascripts in HTTP
> Responses: YES
> Aug 12 09:14:35 localhost snort[8163]:       Max Number of WhiteSpaces
> allowed with Javascript Obfuscation in HTTP responses: 200
> Aug 12 09:14:35 localhost snort[8163]:       Normalize HTTP Cookies: NO
> Aug 12 09:14:35 localhost snort[8163]:       Enable XFF and True Client
> IP: NO
> Aug 12 09:14:35 localhost snort[8163]:       Log HTTP URI data: NO
> Aug 12 09:14:35 localhost snort[8163]:       Log HTTP Hostname data: NO
> Aug 12 09:14:35 localhost snort[8163]:       Extended ASCII code support
> in URI: NO
> Aug 12 09:14:35 localhost snort[8163]:       Ascii: YES alert: NO
> Aug 12 09:14:35 localhost snort[8163]:       Double Decoding: YES alert: NO
> Aug 12 09:14:35 localhost snort[8163]:       %U Encoding: YES alert: YES
> Aug 12 09:14:35 localhost snort[8163]:       Bare Byte: YES alert: NO
> Aug 12 09:14:35 localhost snort[8163]:       UTF 8: YES alert: NO
> Aug 12 09:14:35 localhost snort[8163]:       IIS Unicode: YES alert: NO
> Aug 12 09:14:35 localhost snort[8163]:       Multiple Slash: YES alert: NO
> Aug 12 09:14:35 localhost snort[8163]:       IIS Backslash: YES alert: NO
> Aug 12 09:14:35 localhost snort[8163]:       Directory Traversal: YES
> alert: NO
> Aug 12 09:14:35 localhost snort[8163]:       Web Root Traversal: YES
> alert: NO
> Aug 12 09:14:35 localhost snort[8163]:       Apache WhiteSpace: YES alert:
> NO
> Aug 12 09:14:35 localhost snort[8163]:       IIS Delimiter: YES alert: NO
> Aug 12 09:14:35 localhost snort[8163]:       IIS Unicode Map: GLOBAL IIS
> UNICODE MAP CONFIG
> Aug 12 09:14:35 localhost snort[8163]:       Non-RFC Compliant Characters:
> 0x00 0x01 0x02 0x03 0x04 0x05 0x06 0x07
> Aug 12 09:14:35 localhost snort[8163]:       Whitespace Characters: 0x09
> 0x0b 0x0c 0x0d
> Aug 12 09:14:35 localhost snort[8163]: rpc_decode arguments:
> Aug 12 09:14:35 localhost snort[8163]:     Ports to decode RPC on: 111
> 32770 32771 32772 32773 32774 32775 32776 32777 32778 32779
> Aug 12 09:14:35 localhost snort[8163]:     alert_fragments: INACTIVE
> Aug 12 09:14:35 localhost snort[8163]:     alert_large_fragments: INACTIVE
> Aug 12 09:14:35 localhost snort[8163]:     alert_incomplete: INACTIVE
> Aug 12 09:14:35 localhost snort[8163]:     alert_multiple_requests:
> INACTIVE
> Aug 12 09:14:35 localhost rsyslogd-2177: imuxsock begins to drop messages
> from pid 8163 due to rate-limiting
> Aug 12 09:14:53 localhost rsyslogd-2177: imuxsock lost 256 messages from
> pid 8163 due to rate-limiting
> Aug 12 09:14:53 localhost snort[8163]:
> Aug 12 09:14:53 localhost snort[8163]: [ Port Based Pattern Matching
> Memory ]
> Aug 12 09:14:53 localhost snort[8163]: +- [ Aho-Corasick Summary ]
> -------------------------------------
> Aug 12 09:14:53 localhost snort[8163]: | Storage Format    : Full-Q
> Aug 12 09:14:53 localhost snort[8163]: | Finite Automaton  : DFA
> Aug 12 09:14:53 localhost snort[8163]: | Alphabet Size     : 256 Chars
> Aug 12 09:14:53 localhost snort[8163]: | Sizeof State      : Variable
> (1,2,4 bytes)
> Aug 12 09:14:53 localhost snort[8163]: | Instances         : 169
> Aug 12 09:14:53 localhost snort[8163]: |     1 byte states : 159
> Aug 12 09:14:53 localhost snort[8163]: |     2 byte states : 10
> Aug 12 09:14:53 localhost snort[8163]: |     4 byte states : 0
> Aug 12 09:14:53 localhost snort[8163]: | Characters        : 92288
> Aug 12 09:14:53 localhost snort[8163]: | States            : 71178
> Aug 12 09:14:53 localhost snort[8163]: | Transitions       : 7588084
> Aug 12 09:14:53 localhost snort[8163]: | State Density     : 41.6%
> Aug 12 09:14:53 localhost snort[8163]: | Patterns          : 5092
> Aug 12 09:14:53 localhost snort[8163]: | Match States      : 5685
> Aug 12 09:14:53 localhost snort[8163]: | Memory (MB)       : 36.73
> Aug 12 09:14:53 localhost snort[8163]: |   Patterns        : 0.56
> Aug 12 09:14:53 localhost snort[8163]: |   Match Lists     : 1.24
> Aug 12 09:14:53 localhost snort[8163]: |   DFA
> Aug 12 09:14:53 localhost snort[8163]: |     1 byte states : 0.96
> Aug 12 09:14:53 localhost snort[8163]: |     2 byte states : 33.67
> Aug 12 09:14:53 localhost snort[8163]: |     4 byte states : 0.00
> Aug 12 09:14:53 localhost snort[8163]:
> +----------------------------------------------------------------
> Aug 12 09:14:53 localhost snort[8163]: [ Number of patterns truncated to
> 20 bytes: 313 ]
> Aug 12 09:14:53 localhost snort[8163]: pcap DAQ configured to passive.
> Aug 12 09:14:53 localhost snort[8163]: Acquiring network traffic from
> "eth0".
> Aug 12 09:14:53 localhost snort[8163]: Initializing daemon mode
> Aug 12 09:14:53 localhost snort[8173]: Daemon initialized, signaled parent
> pid: 8163
> Aug 12 09:14:53 localhost snort[8173]: Reload thread starting...
> Aug 12 09:14:53 localhost snort[8173]: Reload thread started, thread
> 0x7f8feee27700 (8174)
> Aug 12 09:14:54 localhost kernel: device eth0 entered promiscuous mode
> Aug 12 09:14:54 localhost snort[8173]: Decoding Ethernet
> Aug 12 09:14:54 localhost snort[8173]: Checking PID path...
> Aug 12 09:14:54 localhost snort[8173]: PID path stat checked out ok, PID
> path set to /var/run/
> Aug 12 09:14:54 localhost snort[8173]: Writing PID "8173" to file
> "/var/run//snort_eth0.pid"
> Aug 12 09:14:54 localhost snort[8173]: Set gid to 504
> Aug 12 09:14:54 localhost kernel: device eth0 left promiscuous mode
> Aug 12 09:14:54 localhost snort[8173]: Set uid to 496
> Aug 12 09:14:54 localhost snort[8173]: FATAL ERROR: spo_unified2.c(320)
> Could not open /var/log/snort/merged.log.1407860094: Permission denied
> Aug 12 09:15:23 localhost barnyard2[8142]:
> [SignatureReferencePullDataStore()]: No Reference found in database ...
> Aug 12 09:15:23 localhost barnyard2[8142]: database: compiled support for
> (mysql)
> Aug 12 09:15:23 localhost barnyard2[8142]: database: configured to use
> mysql
> Aug 12 09:15:23 localhost barnyard2[8142]: database: schema version = 107
> Aug 12 09:15:23 localhost barnyard2[8142]: database:           host =
> localhost
> Aug 12 09:15:23 localhost barnyard2[8142]: database:           user = root
> Aug 12 09:15:23 localhost barnyard2[8142]: database:  database name = snort
> Aug 12 09:15:23 localhost barnyard2[8142]: database:    sensor name =
> localhost.localdomain:eth0
> Aug 12 09:15:23 localhost barnyard2[8142]: database:      sensor id = 2
> Aug 12 09:15:23 localhost barnyard2[8142]: database:     sensor cid = 6
> Aug 12 09:15:23 localhost barnyard2[8142]: database:  data encoding = hex
> Aug 12 09:15:23 localhost barnyard2[8142]: database:   detail level = full
> Aug 12 09:15:23 localhost barnyard2[8142]: database:     ignore_bpf = no
> Aug 12 09:15:23 localhost barnyard2[8142]: database: using the "log"
> facility
> Aug 12 09:15:23 localhost barnyard2[8142]:
> Aug 12 09:15:23 localhost barnyard2[8142]:         --== Initialization
> Complete ==--
> Aug 12 09:15:23 localhost barnyard2[8142]: Barnyard2 initialization
> completed successfully (pid=8142)
> Aug 12 09:15:23 localhost barnyard2[8142]: Using waldo file
> '/etc/snort/barnyard2.waldo':#012    spool directory =
> /var/log/snort#012    spool filebase  = merged.log#012    time_stamp      =
> 1407259400#012    record_idx      = 5370
> Aug 12 09:15:23 localhost barnyard2[8142]: Opened spool file
> '/var/log/snort/merged.log.1407259400'
> Aug 12 09:15:23 localhost barnyard2[8142]: ERROR: Unable to open log spool
> file '/var/log/snort/merged.log.1407259400' (Permission denied)
> Aug 12 09:15:23 localhost barnyard2[8142]: Closing spool file
> '/var/log/snort/merged.log.1407259400'. Read 0 records
> Aug 12 09:15:23 localhost barnyard2[8142]: ERROR: Unable to create spooler!
> Aug 12 09:15:23 localhost barnyard2[8142]:
> ===============================================================================
> Aug 12 09:15:23 localhost barnyard2[8142]: Record Totals:
> Aug 12 09:15:23 localhost barnyard2[8142]:    Records:           0
> Aug 12 09:15:23 localhost barnyard2[8142]:    Events:           0 (0.000%)
> Aug 12 09:15:23 localhost barnyard2[8142]:    Packets:           0 (0.000%)
> Aug 12 09:15:23 localhost barnyard2[8142]:    Unknown:           0 (0.000%)
> Aug 12 09:15:23 localhost barnyard2[8142]:    Suppressed:           0
> (0.000%)
> Aug 12 09:15:23 localhost barnyard2[8142]:
> ===============================================================================
> Aug 12 09:15:23 localhost barnyard2[8142]: Packet breakdown by protocol
> (includes rebuilt packets):
> Aug 12 09:15:23 localhost barnyard2[8142]:       ETH: 0          (0.000%)
> Aug 12 09:15:23 localhost barnyard2[8142]:   ETHdisc: 0          (0.000%)
> Aug 12 09:15:23 localhost barnyard2[8142]:      VLAN: 0          (0.000%)
> Aug 12 09:15:23 localhost barnyard2[8142]:      IPV6: 0          (0.000%)
> Aug 12 09:15:23 localhost barnyard2[8142]:   IP6 EXT: 0          (0.000%)
> Aug 12 09:15:23 localhost barnyard2[8142]:   IP6opts: 0          (0.000%)
> Aug 12 09:15:23 localhost barnyard2[8142]:   IP6disc: 0          (0.000%)
> Aug 12 09:15:23 localhost barnyard2[8142]:       IP4: 0          (0.000%)
> Aug 12 09:15:23 localhost barnyard2[8142]:   IP4disc: 0          (0.000%)
> Aug 12 09:15:23 localhost barnyard2[8142]:     TCP 6: 0          (0.000%)
> Aug 12 09:15:23 localhost barnyard2[8142]:     UDP 6: 0          (0.000%)
> Aug 12 09:15:23 localhost barnyard2[8142]:     ICMP6: 0          (0.000%)
> Aug 12 09:15:23 localhost barnyard2[8142]:   ICMP-IP: 0          (0.000%)
> Aug 12 09:15:23 localhost barnyard2[8142]:       TCP: 0          (0.000%)
> Aug 12 09:15:23 localhost barnyard2[8142]:       UDP: 0          (0.000%)
> Aug 12 09:15:23 localhost barnyard2[8142]:      ICMP: 0          (0.000%)
> Aug 12 09:15:23 localhost barnyard2[8142]:   TCPdisc: 0          (0.000%)
> Aug 12 09:15:23 localhost barnyard2[8142]:   UDPdisc: 0          (0.000%)
> Aug 12 09:15:23 localhost barnyard2[8142]:   ICMPdis: 0          (0.000%)
> Aug 12 09:15:23 localhost barnyard2[8142]:      FRAG: 0          (0.000%)
> Aug 12 09:15:23 localhost barnyard2[8142]:    FRAG 6: 0          (0.000%)
> Aug 12 09:15:23 localhost barnyard2[8142]:       ARP: 0          (0.000%)
> Aug 12 09:15:23 localhost barnyard2[8142]:     EAPOL: 0          (0.000%)
> Aug 12 09:15:23 localhost barnyard2[8142]:   ETHLOOP: 0          (0.000%)
> Aug 12 09:15:23 localhost barnyard2[8142]:       IPX: 0          (0.000%)
> Aug 12 09:15:23 localhost barnyard2[8142]:     OTHER: 0          (0.000%)
> Aug 12 09:15:23 localhost barnyard2[8142]:   DISCARD: 0          (0.000%)
> Aug 12 09:15:23 localhost barnyard2[8142]: InvChkSum: 0          (0.000%)
> Aug 12 09:15:23 localhost barnyard2[8142]:    S5 G 1: 0          (0.000%)
> Aug 12 09:15:23 localhost barnyard2[8142]:    S5 G 2: 0          (0.000%)
> Aug 12 09:15:23 localhost barnyard2[8142]:     Total: 0
> Aug 12 09:15:23 localhost barnyard2[8142]:
>
>
>
>
> On Fri, Aug 8, 2014 at 7:41 AM, Bill Bernsen <bill.bernsen at ...6823...> wrote:
>
>> Hi Trevor,
>>
>> Can you copy and paste the details from /var/log/messages when you start
>> up snort/barnyard2?
>>
>>
>> On Wed, Aug 6, 2014 at 4:34 PM, Trevor Thompson <trevthom18 at ...11827...>
>> wrote:
>>
>>> Hello,
>>>
>>> I am trying to set up Snort and Barnyard2 as daemons on CentOS 6.5. They
>>> are both producing the same errors when I attempt to stop, restart, or
>>> start the service:
>>>
>>> snort dead but subsys locked
>>> barnyard dead but subsys locked
>>>
>>> I've been following installation instructions for the software that I
>>> found on this website:
>>> http://cyberoperations.wordpress.com/2014-class/2014-08-snort-2-9-6-0-network-miner-1-5-autopsy/
>>> and
>>> http://cyberoperations.wordpress.com/2014-class/2014-09-mysql-barnyard/.
>>> The first link describes how to install snort and configure it as a
>>> daemon; the second link details how to configure MySQL, install Barnyard2,
>>> and configure Barnyard2 as a service. Through following the tutorial I
>>> managed to log data and send it to a MySQL database of my own creation.
>>> Everything was fine until I got to the very bottom of the second link and
>>> attempted to install Barnyard2 as a service:
>>>
>>> "Starting Barnyard Automatically
>>>
>>> To complete the installation, we need Barnyard2 to start automatically.
>>> To do so, Barnyard2 should run as a daemon, so uncomment line 85 of the
>>> /etc/snort/barnyard2.conf file
>>>
>>> # enable daemon mode
>>> #
>>> config daemon
>>>
>>> Next, update the barnyard2.conf file with the full location of the waldo
>>> file; modify line 134 to read
>>>
>>> # define the full waldo filepath.
>>> #
>>> config waldo_file: /etc/snort/barnyard2.waldo
>>>
>>> The waldo file (where is he anyway?) lets Barnyard2 track how far it has
>>> progressed through the various output files created by snort. We specified
>>> this precise location in the command line we have used in testing.
>>>
>>> We do not want Barnyard2 running as root; instead we tell Barnyard2 to
>>> run as the user (and group) snort by modifying lines 91-97.
>>>
>>> # specifiy the group or GID for barnyard2 to run as after initialisation.
>>> #
>>> config set_gid: snort
>>>
>>> # specifiy the user or UID for barnyard2 to run as after initialisation.
>>> #
>>> config set_uid: snort
>>>
>>> Since we want Barnyard2 to run as the user snort, we change the
>>> permissions on our waldo file:
>>>
>>> [root at ...16933... snort]# chown snort:snort /etc/snort/barnyard2.waldo
>>>
>>> Remember- it was automatically created the first time we ran Barnyard.
>>> Since we ran it as root that first time, it was created with root
>>> permissions, so we would not be able to use it as snort.
>>>
>>> Copy the startup script from the installation directory to /etc/init.d
>>> and make it executable
>>>
>>> [root at ...16933... ~]# cp /usr/local/src/barnyard2-master/rpm/barnyard2 /etc/init.d/
>>> [root at ...16933... ~]# chmod a+x /etc/init.d/barnyard2
>>>
>>> We need to make a few modifications to the file though. We do not need
>>> to specify the location of ARCHIVEDIR, so line 37 can be removed.
>>>
>>> The location of the WALDO_FILE in line 38 should be changed. In our
>>> setup, files are not indexed by the interface name, so we do not want to
>>> include $INT in the path name; we also have stored the waldo file in
>>> /etc/snort rather than in $SNORTDIR; thus these lines should become the
>>> single line
>>>
>>> WALDO_FILE="/etc/snort/barnyard2.waldo"
>>>
>>> We also need to remove the dependencies on the interface in the
>>> BARNYARD_OPTS line; it should become
>>>
>>> BARNYARD_OPTS="-D -c $CONF -d $SNORTDIR -w $WALDO_FILE -f $LOG_FILE
>>> -X $PIDFILE $EXTRA_ARGS"
>>>
>>> Combining these changes, we end up with a start() routine in the form
>>>
>>> start() {
>>> 	echo -n $"Starting $desc ($prog): "
>>> 	for INT in $INTERFACES; do
>>> 		PIDFILE="/var/lock/subsys/barnyard2-$INT.pid"
>>> 		WALDO_FILE="/etc/snort/barnyard2.waldo"
>>> 		BARNYARD_OPTS="-D -c $CONF -d $SNORTDIR -w $WALDO_FILE
>>>                          -f $LOG_FILE -X $PIDFILE $EXTRA_ARGS"
>>> 		daemon $prog $BARNYARD_OPTS
>>> 	done
>>> 	RETVAL=$?
>>> 	echo
>>> 	[ $RETVAL -eq 0 ] && touch /var/lock/subsys/$prog
>>> 	return $RETVAL
>>> }
>>>
>>> We also put a link to the binary in /usr/sbin
>>>
>>> [root at ...16933... ~]# ln -s /usr/local/bin/barnyard2 /usr/sbin/barnyard2
>>>
>>> Copy the configuration file from the installation directory to
>>> /etc/sysconfig
>>>
>>> [root at ...16933... ~]# cp /usr/local/src/barnyard2-master/rpm/barnyard2.config
>>> /etc/sysconfig/barnyard2
>>>
>>> We need to make a few changes to this file as well; when complete it
>>> should look like
>>>
>>> # Config file for /etc/init.d/barnyard2
>>> LOG_FILE="merged.log"
>>>
>>> # You probably don't want to change this, but in case you do
>>> SNORTDIR="/var/log/snort"
>>> INTERFACES="eth0"
>>>
>>> # Probably not this either
>>> CONF=/etc/snort/barnyard2.conf
>>>
>>> EXTRA_ARGS=""
>>>
>>> In case you are wondering what got changed- both the LOG_FILE variable
>>> as well as the CONF variables.
>>>
>>> Finally, we set up our start-up and shutdown scripts:
>>>
>>> [root at ...16933... ~]# ln -s /etc/init.d/barnyard2 /etc/rc3.d/S99barnyard2d
>>> [root at ...16933... ~]# ln -s /etc/init.d/barnyard2 /etc/rc5.d/S99barnyard2d
>>> [root at ...16934... ~]# ln -s /etc/init.d/barnyard2 /etc/rc0.d/K99barnyard2d
>>> [root at ...16933... ~]# ln -s /etc/init.d/barnyard2 /etc/rc6.d/K99barnyard2d
>>>
>>> This completes the installation. You can verify that it works by simply
>>> rebooting the box and checking that both snort and barnyard2 run correctly."
>>>
>>> However, rebooting the operating system didn't fix the problem, but it
>>> instead created the previously mentioned errors. Does anyone have any idea
>>> what the problem could be with my system?
>>>
>>>


-- 
Bill Bernsen                                                    Network
Security Analyst
ITS Technology Security Services, New York University
http://www.nyu.edu/its/security
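The "Permission denied" errors above come down to barnyard2 dropping to the snort user while the spool files it must open were created by root. As an added example (not from the thread or from the barnyard2 project), this POSIX sh check reads set_uid, set_gid and waldo_file from a barnyard2.conf and flags every path in the spool directory whose owner:group differs; the conf file and spool directory are passed in as arguments, and `stat -c` assumes GNU coreutils.

```shell
#!/bin/sh
# Added example: verify that the files barnyard2 reads and writes are owned by
# the user/group it is configured to run as (config set_uid / set_gid).

# Print the value of a "config <key>: <value>" line from a barnyard2.conf.
# Usage: conf_value <conf-file> <key>    (keys used here: set_uid, set_gid, waldo_file)
conf_value() {
    sed -n "s/^[[:space:]]*config[[:space:]]*$2:[[:space:]]*//p" "$1" | head -n 1
}

# Report every path under the spool directory, plus the waldo file, whose
# owner:group is not the one barnyard2 drops to after initialisation.
# Usage: check_spool_perms <barnyard2.conf> <spool-dir>
# Returns 0 when everything matches, 1 when at least one path does not.
check_spool_perms() {
    conf="$1"; spooldir="$2"
    want_user=$(conf_value "$conf" set_uid)
    want_group=$(conf_value "$conf" set_gid)
    waldo=$(conf_value "$conf" waldo_file)
    rc=0
    for path in "$spooldir" "$spooldir"/* "$waldo"; do
        [ -e "$path" ] || continue          # unmatched glob or unset waldo_file
        have=$(stat -c '%U:%G' "$path")     # GNU stat; BSD/macOS would need stat -f '%Su:%Sg'
        if [ "$have" != "$want_user:$want_group" ]; then
            echo "MISMATCH: $path is owned by $have but barnyard2 runs as $want_user:$want_group"
            rc=1
        fi
    done
    return $rc
}

# Stand-alone use: check_spool_perms.sh /etc/snort/barnyard2.conf /var/log/snort
if [ "$#" -eq 2 ]; then
    check_spool_perms "$1" "$2"
fi
```

A clean run prints nothing and exits 0; any MISMATCH line names a path that `chown -R` to the configured user and group (as Bill suggests) would fix.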