[Snort-users] I'm having trouble configuring Snort as a Daemon

Trevor Thompson trevthom18 at ...11827...
Tue Aug 12 14:37:09 EDT 2014


Thank you for the advice! After recursively removing the original
/var/log/snort directory (whose permissions were set to a different user at
first) and recreating the directory with a new user in control I was able
to fix my problem! Thanks again for your help!

Trevor


On Tue, Aug 12, 2014 at 10:03 AM, Robert Millott <robm at ...16885...> wrote:

> From looking at your logs, it looks like your spool file cannot be opened
> (permission denied)
>
>  Opened spool file '/var/log/snort/merged.log.1407259400'
> Aug 12 09:15:23 localhost barnyard2[8142]: ERROR: Unable to open log spool
> file '/var/log/snort/merged.log.1407259400' (Permission denied)
> Aug 12 09:15:23 localhost barnyard2[8142]: Closing spool file
> '/var/log/snort/merged.log.1407259400'. Read 0 records
> Aug 12 09:15:23 localhost barnyard2[8142]: ERROR: Unable to create spooler!
>
> Check the permissions on /var/log/snort and make sure whatever user is
> running snort can write to that directory.
>
> Rob M
>
>
> On Tue, Aug 12, 2014 at 12:52 PM, Trevor Thompson <trevthom18 at ...11827...>
> wrote:
>
>> Hey Bill,
>>
>> Thanks for the reply. I would've responded sooner but I needed to access
>> my work computer in order to be able to access the logs.
>>
>> Anyway, here are the contents of the log beginning after I
>> attempted to run Snort and Barnyard2 today:
>>
>> Aug 12 09:14:06 localhost barnyard2[8140]: Running in Continuous mode
>> Aug 12 09:14:06 localhost barnyard2[8140]:
>> Aug 12 09:14:06 localhost barnyard2[8140]:         --== Initializing
>> Barnyard2 ==--
>> Aug 12 09:14:06 localhost barnyard2[8140]: Initializing Input Plugins!
>> Aug 12 09:14:06 localhost barnyard2[8140]: Initializing Output Plugins!
>> Aug 12 09:14:06 localhost barnyard2[8140]: Parsing config file
>> "/etc/snort/barnyard2.conf"
>> Aug 12 09:14:06 localhost barnyard2[8140]: #012#012+[ Signature Suppress
>> list ]+#012----------------------------
>> Aug 12 09:14:06 localhost barnyard2[8140]: +[No entry in Signature
>> Suppress List]+
>> Aug 12 09:14:06 localhost barnyard2[8140]:
>> ----------------------------#012+[ Signature Suppress list ]+#012
>> Aug 12 09:14:22 localhost barnyard2[8140]: Barnyard2 spooler: Event cache
>> size set to [2048]
>> Aug 12 09:14:22 localhost barnyard2[8140]: Log directory =
>> /var/log/barnyard2
>> Aug 12 09:14:22 localhost barnyard2[8140]: INFO database: Defaulting
>> Reconnect/Transaction Error limit to 10
>> Aug 12 09:14:22 localhost barnyard2[8140]: INFO database: Defaulting
>> Reconnect sleep time to 5 second
>> Aug 12 09:14:22 localhost barnyard2[8140]: Initializing daemon mode
>> Aug 12 09:14:22 localhost barnyard2[8140]: Daemon parent exiting
>> Aug 12 09:14:22 localhost barnyard2[8142]: Daemon initialized, signaled
>> parent pid: 8140
>> Aug 12 09:14:22 localhost barnyard2[8142]: PID path stat checked out ok,
>> PID path set to /var/run/
>> Aug 12 09:14:22 localhost barnyard2[8142]: Writing PID "8142" to file
>> "/var/run//barnyard2_eth0.pid"
>> Aug 12 09:14:33 localhost snort[8163]: Running in IDS mode
>> Aug 12 09:14:33 localhost snort[8163]:
>> Aug 12 09:14:33 localhost snort[8163]:         --== Initializing Snort
>> ==--
>> Aug 12 09:14:33 localhost snort[8163]: Initializing Output Plugins!
>> Aug 12 09:14:33 localhost snort[8163]: Initializing Preprocessors!
>> Aug 12 09:14:33 localhost snort[8163]: Initializing Plug-ins!
>> Aug 12 09:14:33 localhost snort[8163]: Parsing Rules file
>> "/etc/snort/snort.conf"
>> Aug 12 09:14:34 localhost snort[8163]: PortVar 'HTTP_PORTS' defined :
>> Aug 12 09:14:34 localhost snort[8163]:  [ 36 80:90 311 383 555 591 593
>> 631 801 808 818 901 972 1158 1220 1414 1533 1741 1830 1942 2231 2301 2381
>> 2809 2980 3029 3037 3057 3128 3443 3702 4000 4343 4848 5000 5117 5250 5600
>> 6080 6173 6988 7000:7001 7071 7144:7145 7510 7770 7777:7779 8000 8008 8014
>> 8028 8080:8082 8085 8088 8090 8118 8123 8180:8181 8222 8243 8280 8300 8333
>> 8344 8500 8509 8800 8888 8899 8983 9000 9060 9080 9090:9091 9111 9290 9443
>> 9999:10000 11371 12601 13014 15489 29991 33300 34412 34443:34444 41080
>> 44449 50000 50002 51423 53331 55252 55555 56712 ]
>> Aug 12 09:14:34 localhost snort[8163]:
>> Aug 12 09:14:34 localhost snort[8163]: PortVar 'SHELLCODE_PORTS' defined
>> :
>> Aug 12 09:14:34 localhost snort[8163]:  [ 0:79 81:65535 ]
>> Aug 12 09:14:34 localhost snort[8163]:
>> Aug 12 09:14:34 localhost snort[8163]: PortVar 'ORACLE_PORTS' defined :
>> Aug 12 09:14:34 localhost snort[8163]:  [ 1024:65535 ]
>> Aug 12 09:14:34 localhost snort[8163]:
>> Aug 12 09:14:34 localhost snort[8163]: PortVar 'SSH_PORTS' defined :
>> Aug 12 09:14:34 localhost snort[8163]:  [ 22 ]
>> Aug 12 09:14:34 localhost snort[8163]:
>> Aug 12 09:14:34 localhost snort[8163]: PortVar 'FTP_PORTS' defined :
>> Aug 12 09:14:34 localhost snort[8163]:  [ 21 2100 3535 ]
>> Aug 12 09:14:34 localhost snort[8163]:
>> Aug 12 09:14:34 localhost snort[8163]: PortVar 'SIP_PORTS' defined :
>> Aug 12 09:14:34 localhost snort[8163]:  [ 5060:5061 5600 ]
>> Aug 12 09:14:34 localhost snort[8163]:
>> Aug 12 09:14:34 localhost snort[8163]: PortVar 'FILE_DATA_PORTS' defined
>> :
>> Aug 12 09:14:34 localhost snort[8163]:  [ 36 80:90 110 143 311 383 555
>> 591 593 631 801 808 818 901 972 1158 1220 1414 1533 1741 1830 1942 2231
>> 2301 2381 2809 2980 3029 3037 3057 3128 3443 3702 4000 4343 4848 5000 5117
>> 5250 5600 6080 6173 6988 7000:7001 7071 7144:7145 7510 7770 7777:7779 8000
>> 8008 8014 8028 8080:8082 8085 8088 8090 8118 8123 8180:8181 8222 8243 8280
>> 8300 8333 8344 8500 8509 8800 8888 8899 8983 9000 9060 9080 9090:9091 9111
>> 9290 9443 9999:10000 11371 12601 13014 15489 29991 33300 34412 34443:34444
>> 41080 44449 50000 50002 51423 53331 55252 55555 56712 ]
>> Aug 12 09:14:34 localhost snort[8163]:
>> Aug 12 09:14:34 localhost snort[8163]: PortVar 'GTP_PORTS' defined :
>> Aug 12 09:14:34 localhost snort[8163]:  [ 2123 2152 3386 ]
>> Aug 12 09:14:34 localhost snort[8163]:
>> Aug 12 09:14:34 localhost snort[8163]: Detection:
>> Aug 12 09:14:34 localhost snort[8163]:    Search-Method = AC-Full-Q
>> Aug 12 09:14:34 localhost snort[8163]:     Split Any/Any group = enabled
>> Aug 12 09:14:34 localhost snort[8163]:     Search-Method-Optimizations =
>> enabled
>> Aug 12 09:14:34 localhost snort[8163]:     Maximum pattern length = 20
>> Aug 12 09:14:34 localhost snort[8163]: Tagged Packet Limit: 256
>> Aug 12 09:14:34 localhost snort[8163]: Loading dynamic engine
>> /usr/local/lib/snort_dynamicengine/libsf_engine.so...
>> Aug 12 09:14:34 localhost snort[8163]: done
>> Aug 12 09:14:34 localhost snort[8163]: Loading all dynamic preprocessor
>> libs from /usr/local/lib/snort_dynamicpreprocessor/...
>> Aug 12 09:14:34 localhost snort[8163]:   Loading dynamic preprocessor
>> library /usr/local/lib/snort_dynamicpreprocessor//libsf_imap_preproc.so...
>> Aug 12 09:14:34 localhost snort[8163]: done
>> Aug 12 09:14:34 localhost snort[8163]:   Loading dynamic preprocessor
>> library /usr/local/lib/snort_dynamicpreprocessor//libsf_ssl_preproc.so...
>> Aug 12 09:14:34 localhost snort[8163]: done
>> Aug 12 09:14:34 localhost snort[8163]:   Loading dynamic preprocessor
>> library /usr/local/lib/snort_dynamicpreprocessor//libsf_ssh_preproc.so...
>> Aug 12 09:14:34 localhost snort[8163]: done
>> Aug 12 09:14:34 localhost snort[8163]:   Loading dynamic preprocessor
>> library /usr/local/lib/snort_dynamicpreprocessor//libsf_gtp_preproc.so...
>> Aug 12 09:14:34 localhost snort[8163]: done
>> Aug 12 09:14:34 localhost snort[8163]:   Loading dynamic preprocessor
>> library /usr/local/lib/snort_dynamicpreprocessor//libsf_dns_preproc.so...
>> Aug 12 09:14:34 localhost snort[8163]: done
>> Aug 12 09:14:34 localhost snort[8163]:   Loading dynamic preprocessor
>> library /usr/local/lib/snort_dynamicpreprocessor//libsf_dnp3_preproc.so...
>> Aug 12 09:14:34 localhost snort[8163]: done
>> Aug 12 09:14:34 localhost snort[8163]:   Loading dynamic preprocessor
>> library
>> /usr/local/lib/snort_dynamicpreprocessor//libsf_reputation_preproc.so...
>> Aug 12 09:14:34 localhost snort[8163]: done
>> Aug 12 09:14:34 localhost snort[8163]:   Loading dynamic preprocessor
>> library /usr/local/lib/snort_dynamicpreprocessor//libsf_smtp_preproc.so...
>> Aug 12 09:14:34 localhost snort[8163]: done
>> Aug 12 09:14:34 localhost snort[8163]:   Loading dynamic preprocessor
>> library
>> /usr/local/lib/snort_dynamicpreprocessor//libsf_ftptelnet_preproc.so...
>> Aug 12 09:14:35 localhost snort[8163]: done
>> Aug 12 09:14:35 localhost snort[8163]:   Loading dynamic preprocessor
>> library /usr/local/lib/snort_dynamicpreprocessor//libsf_sip_preproc.so...
>> Aug 12 09:14:35 localhost snort[8163]: done
>> Aug 12 09:14:35 localhost snort[8163]:   Loading dynamic preprocessor
>> library /usr/local/lib/snort_dynamicpreprocessor//libsf_sdf_preproc.so...
>> Aug 12 09:14:35 localhost snort[8163]: done
>> Aug 12 09:14:35 localhost snort[8163]:   Loading dynamic preprocessor
>> library
>> /usr/local/lib/snort_dynamicpreprocessor//libsf_modbus_preproc.so...
>> Aug 12 09:14:35 localhost snort[8163]: done
>> Aug 12 09:14:35 localhost snort[8163]:   Loading dynamic preprocessor
>> library /usr/local/lib/snort_dynamicpreprocessor//libsf_pop_preproc.so...
>> Aug 12 09:14:35 localhost snort[8163]: done
>> Aug 12 09:14:35 localhost snort[8163]:   Loading dynamic preprocessor
>> library /usr/local/lib/snort_dynamicpreprocessor//libsf_dce2_preproc.so...
>> Aug 12 09:14:35 localhost snort[8163]: done
>> Aug 12 09:14:35 localhost snort[8163]:   Finished Loading all dynamic
>> preprocessor libs from /usr/local/lib/snort_dynamicpreprocessor/
>> Aug 12 09:14:35 localhost snort[8163]: Log directory = /var/log/snort
>> Aug 12 09:14:35 localhost snort[8163]: WARNING: ip4 normalizations
>> disabled because not inline.
>> Aug 12 09:14:35 localhost snort[8163]: WARNING: tcp normalizations
>> disabled because not inline.
>> Aug 12 09:14:35 localhost snort[8163]: WARNING: icmp4 normalizations
>> disabled because not inline.
>> Aug 12 09:14:35 localhost snort[8163]: WARNING: ip6 normalizations
>> disabled because not inline.
>> Aug 12 09:14:35 localhost snort[8163]: WARNING: icmp6 normalizations
>> disabled because not inline.
>> Aug 12 09:14:35 localhost snort[8163]: Frag3 global config:
>> Aug 12 09:14:35 localhost snort[8163]:     Max frags: 65536
>> Aug 12 09:14:35 localhost snort[8163]:     Fragment memory cap: 4194304
>> bytes
>> Aug 12 09:14:35 localhost snort[8163]: Frag3 engine config:
>> Aug 12 09:14:35 localhost snort[8163]:     Bound Address: default
>> Aug 12 09:14:35 localhost snort[8163]:     Target-based policy: WINDOWS
>> Aug 12 09:14:35 localhost snort[8163]:     Fragment timeout: 180 seconds
>> Aug 12 09:14:35 localhost snort[8163]:     Fragment min_ttl:   1
>> Aug 12 09:14:35 localhost snort[8163]:     Fragment Anomalies: Alert
>> Aug 12 09:14:35 localhost snort[8163]:     Overlap Limit:     10
>> Aug 12 09:14:35 localhost snort[8163]:     Min fragment Length:     100
>> Aug 12 09:14:35 localhost snort[8163]: Stream5 global config:
>> Aug 12 09:14:35 localhost snort[8163]:     Track TCP sessions: ACTIVE
>> Aug 12 09:14:35 localhost snort[8163]:     Max TCP sessions: 262144
>> Aug 12 09:14:35 localhost snort[8163]:     TCP cache pruning timeout: 30
>> seconds
>> Aug 12 09:14:35 localhost snort[8163]:     TCP cache nominal timeout:
>> 3600 seconds
>> Aug 12 09:14:35 localhost snort[8163]:     Memcap (for reassembly packet
>> storage): 8388608
>> Aug 12 09:14:35 localhost snort[8163]:     Track UDP sessions: ACTIVE
>> Aug 12 09:14:35 localhost snort[8163]:     Max UDP sessions: 131072
>> Aug 12 09:14:35 localhost snort[8163]:     UDP cache pruning timeout: 30
>> seconds
>> Aug 12 09:14:35 localhost snort[8163]:     UDP cache nominal timeout: 180
>> seconds
>> Aug 12 09:14:35 localhost snort[8163]:     Track ICMP sessions: INACTIVE
>> Aug 12 09:14:35 localhost snort[8163]:     Track IP sessions: INACTIVE
>> Aug 12 09:14:35 localhost snort[8163]:     Log info if session memory
>> consumption exceeds 1048576
>> Aug 12 09:14:35 localhost snort[8163]:     Send up to 2 active responses
>> Aug 12 09:14:35 localhost snort[8163]:     Wait at least 5 seconds
>> between responses
>> Aug 12 09:14:35 localhost snort[8163]:     Protocol Aware Flushing: ACTIVE
>> Aug 12 09:14:35 localhost snort[8163]:         Maximum Flush Point: 16000
>> Aug 12 09:14:35 localhost snort[8163]:       Max Expected Streams: 768
>> Aug 12 09:14:35 localhost snort[8163]: Stream5 TCP Policy config:
>> Aug 12 09:14:35 localhost snort[8163]:     Bound Address: default
>> Aug 12 09:14:35 localhost snort[8163]:     Reassembly Policy: WINDOWS
>> Aug 12 09:14:35 localhost snort[8163]:     Timeout: 180 seconds
>> Aug 12 09:14:35 localhost snort[8163]:     Limit on TCP Overlaps: 10
>> Aug 12 09:14:35 localhost snort[8163]:     Maximum number of bytes to
>> queue per session: 1048576
>> Aug 12 09:14:35 localhost snort[8163]:     Maximum number of segs to
>> queue per session: 2621
>> Aug 12 09:14:35 localhost snort[8163]:     Options:
>> Aug 12 09:14:35 localhost snort[8163]:         Require 3-Way Handshake:
>> YES
>> Aug 12 09:14:35 localhost snort[8163]:         3-Way Handshake Timeout:
>> 180
>> Aug 12 09:14:35 localhost snort[8163]:         Detect Anomalies: YES
>> Aug 12 09:14:35 localhost snort[8163]:     Reassembly Ports:
>> Aug 12 09:14:35 localhost snort[8163]:       21 client (Footprint)
>> Aug 12 09:14:35 localhost snort[8163]:       22 client (Footprint)
>> Aug 12 09:14:35 localhost snort[8163]:       23 client (Footprint)
>> Aug 12 09:14:35 localhost snort[8163]:       25 client (Footprint)
>> Aug 12 09:14:35 localhost snort[8163]:       36 client (Footprint) server
>> (Footprint)
>> Aug 12 09:14:35 localhost snort[8163]:       42 client (Footprint)
>> Aug 12 09:14:35 localhost snort[8163]:       53 client (Footprint)
>> Aug 12 09:14:35 localhost snort[8163]:       70 client (Footprint)
>> Aug 12 09:14:35 localhost snort[8163]:       79 client (Footprint)
>> Aug 12 09:14:35 localhost snort[8163]:       80 client (Footprint) server
>> (Footprint)
>> Aug 12 09:14:35 localhost snort[8163]:       81 client (Footprint) server
>> (Footprint)
>> Aug 12 09:14:35 localhost snort[8163]:       82 client (Footprint) server
>> (Footprint)
>> Aug 12 09:14:35 localhost snort[8163]:       83 client (Footprint) server
>> (Footprint)
>> Aug 12 09:14:35 localhost snort[8163]:       84 client (Footprint) server
>> (Footprint)
>> Aug 12 09:14:35 localhost snort[8163]:       85 client (Footprint) server
>> (Footprint)
>> Aug 12 09:14:35 localhost snort[8163]:       86 client (Footprint) server
>> (Footprint)
>> Aug 12 09:14:35 localhost snort[8163]:       87 client (Footprint) server
>> (Footprint)
>> Aug 12 09:14:35 localhost snort[8163]:       88 client (Footprint) server
>> (Footprint)
>> Aug 12 09:14:35 localhost snort[8163]:       89 client (Footprint) server
>> (Footprint)
>> Aug 12 09:14:35 localhost snort[8163]:       90 client (Footprint) server
>> (Footprint)
>> Aug 12 09:14:35 localhost snort[8163]:       additional ports configured
>> but not printed.
>> Aug 12 09:14:35 localhost snort[8163]: Stream5 UDP Policy config:
>> Aug 12 09:14:35 localhost snort[8163]:     Timeout: 180 seconds
>> Aug 12 09:14:35 localhost snort[8163]: HttpInspect Config:
>> Aug 12 09:14:35 localhost snort[8163]:     GLOBAL CONFIG
>> Aug 12 09:14:35 localhost snort[8163]:       Max Pipeline Requests:    0
>> Aug 12 09:14:35 localhost snort[8163]:       Inspection Type:
>> STATELESS
>> Aug 12 09:14:35 localhost snort[8163]:       Detect Proxy Usage:       NO
>> Aug 12 09:14:35 localhost snort[8163]:       IIS Unicode Map Filename:
>> /etc/snort/unicode.map
>> Aug 12 09:14:35 localhost snort[8163]:       IIS Unicode Map Codepage:
>> 1252
>> Aug 12 09:14:35 localhost snort[8163]:       Memcap used for logging URI
>> and Hostname: 150994944
>> Aug 12 09:14:35 localhost snort[8163]:       Max Gzip Memory: 838860
>> Aug 12 09:14:35 localhost snort[8163]:       Max Gzip Sessions: 5518
>> Aug 12 09:14:35 localhost snort[8163]:       Gzip Compress Depth: 65535
>> Aug 12 09:14:35 localhost snort[8163]:       Gzip Decompress Depth: 65535
>> Aug 12 09:14:35 localhost snort[8163]:     DEFAULT SERVER CONFIG:
>> Aug 12 09:14:35 localhost snort[8163]:       Server profile: All
>> Aug 12 09:14:35 localhost snort[8163]:       Ports (PAF): 36 80 81 82 83
>> 84 85 86 87 88 89 90 311 383 555 591 593 631 801 808 818 901 972 1158 1220
>> 1414 1533 1741 1830 1942 2231 2301 2381 2809 2980 3029 3037 3057 3128 3443
>> 3702 4000 4343 4848 5000 5117 5250 5600 6080 6173 6988 7000 7001 7071 7144
>> 7145 7510 7770 7777 7778 7779 8000 8008 8014 8028 8080 8081 8082 8085 8088
>> 8090 8118 8123 8180 8181 8222 8243 8280 8300 8333 8344 8500 8509 8800 8888
>> 8899 8983 9000 9060 9080 9090 9091 9111 9290 9443 9999 10000 11371 12601
>> 13014 15489 29991 33300 34412 34443 34444 41080 44449 50000 50002 51423
>> 53331 55252 55555 56712
>> Aug 12 09:14:35 localhost snort[8163]:       Server Flow Depth: 0
>> Aug 12 09:14:35 localhost snort[8163]:       Client Flow Depth: 0
>> Aug 12 09:14:35 localhost snort[8163]:       Max Chunk Length: 500000
>> Aug 12 09:14:35 localhost snort[8163]:       Small Chunk Length Evasion:
>> chunk size <= 10, threshold >= 5 times
>> Aug 12 09:14:35 localhost snort[8163]:       Max Header Field Length: 750
>> Aug 12 09:14:35 localhost snort[8163]:       Max Number Header Fields: 100
>> Aug 12 09:14:35 localhost snort[8163]:       Max Number of WhiteSpaces
>> allowed with header folding: 200
>> Aug 12 09:14:35 localhost snort[8163]:       Inspect Pipeline Requests:
>> YES
>> Aug 12 09:14:35 localhost snort[8163]:       URI Discovery Strict Mode: NO
>> Aug 12 09:14:35 localhost snort[8163]:       Allow Proxy Usage: NO
>> Aug 12 09:14:35 localhost snort[8163]:       Disable Alerting: NO
>> Aug 12 09:14:35 localhost snort[8163]:       Oversize Dir Length: 500
>> Aug 12 09:14:35 localhost snort[8163]:       Only inspect URI: NO
>> Aug 12 09:14:35 localhost snort[8163]:       Normalize HTTP Headers: NO
>> Aug 12 09:14:35 localhost snort[8163]:       Inspect HTTP Cookies: YES
>> Aug 12 09:14:35 localhost snort[8163]:       Inspect HTTP Responses: YES
>> Aug 12 09:14:35 localhost snort[8163]:       Extract Gzip from responses:
>> YES
>> Aug 12 09:14:35 localhost snort[8163]:       Unlimited decompression of
>> gzip data from responses: YES
>> Aug 12 09:14:35 localhost snort[8163]:       Normalize Javascripts in
>> HTTP Responses: YES
>> Aug 12 09:14:35 localhost snort[8163]:       Max Number of WhiteSpaces
>> allowed with Javascript Obfuscation in HTTP responses: 200
>> Aug 12 09:14:35 localhost snort[8163]:       Normalize HTTP Cookies: NO
>> Aug 12 09:14:35 localhost snort[8163]:       Enable XFF and True Client
>> IP: NO
>> Aug 12 09:14:35 localhost snort[8163]:       Log HTTP URI data: NO
>> Aug 12 09:14:35 localhost snort[8163]:       Log HTTP Hostname data: NO
>> Aug 12 09:14:35 localhost snort[8163]:       Extended ASCII code support
>> in URI: NO
>> Aug 12 09:14:35 localhost snort[8163]:       Ascii: YES alert: NO
>> Aug 12 09:14:35 localhost snort[8163]:       Double Decoding: YES alert:
>> NO
>> Aug 12 09:14:35 localhost snort[8163]:       %U Encoding: YES alert: YES
>> Aug 12 09:14:35 localhost snort[8163]:       Bare Byte: YES alert: NO
>> Aug 12 09:14:35 localhost snort[8163]:       UTF 8: YES alert: NO
>> Aug 12 09:14:35 localhost snort[8163]:       IIS Unicode: YES alert: NO
>> Aug 12 09:14:35 localhost snort[8163]:       Multiple Slash: YES alert: NO
>> Aug 12 09:14:35 localhost snort[8163]:       IIS Backslash: YES alert: NO
>> Aug 12 09:14:35 localhost snort[8163]:       Directory Traversal: YES
>> alert: NO
>> Aug 12 09:14:35 localhost snort[8163]:       Web Root Traversal: YES
>> alert: NO
>> Aug 12 09:14:35 localhost snort[8163]:       Apache WhiteSpace: YES
>> alert: NO
>> Aug 12 09:14:35 localhost snort[8163]:       IIS Delimiter: YES alert: NO
>> Aug 12 09:14:35 localhost snort[8163]:       IIS Unicode Map: GLOBAL IIS
>> UNICODE MAP CONFIG
>> Aug 12 09:14:35 localhost snort[8163]:       Non-RFC Compliant
>> Characters: 0x00 0x01 0x02 0x03 0x04 0x05 0x06 0x07
>> Aug 12 09:14:35 localhost snort[8163]:       Whitespace Characters: 0x09
>> 0x0b 0x0c 0x0d
>> Aug 12 09:14:35 localhost snort[8163]: rpc_decode arguments:
>> Aug 12 09:14:35 localhost snort[8163]:     Ports to decode RPC on: 111
>> 32770 32771 32772 32773 32774 32775 32776 32777 32778 32779
>> Aug 12 09:14:35 localhost snort[8163]:     alert_fragments: INACTIVE
>> Aug 12 09:14:35 localhost snort[8163]:     alert_large_fragments: INACTIVE
>> Aug 12 09:14:35 localhost snort[8163]:     alert_incomplete: INACTIVE
>> Aug 12 09:14:35 localhost snort[8163]:     alert_multiple_requests:
>> INACTIVE
>> Aug 12 09:14:35 localhost rsyslogd-2177: imuxsock begins to drop messages
>> from pid 8163 due to rate-limiting
>> Aug 12 09:14:53 localhost rsyslogd-2177: imuxsock lost 256 messages from
>> pid 8163 due to rate-limiting
>> Aug 12 09:14:53 localhost snort[8163]:
>> Aug 12 09:14:53 localhost snort[8163]: [ Port Based Pattern Matching
>> Memory ]
>> Aug 12 09:14:53 localhost snort[8163]: +- [ Aho-Corasick Summary ]
>> -------------------------------------
>> Aug 12 09:14:53 localhost snort[8163]: | Storage Format    : Full-Q
>> Aug 12 09:14:53 localhost snort[8163]: | Finite Automaton  : DFA
>> Aug 12 09:14:53 localhost snort[8163]: | Alphabet Size     : 256 Chars
>> Aug 12 09:14:53 localhost snort[8163]: | Sizeof State      : Variable
>> (1,2,4 bytes)
>> Aug 12 09:14:53 localhost snort[8163]: | Instances         : 169
>> Aug 12 09:14:53 localhost snort[8163]: |     1 byte states : 159
>> Aug 12 09:14:53 localhost snort[8163]: |     2 byte states : 10
>> Aug 12 09:14:53 localhost snort[8163]: |     4 byte states : 0
>> Aug 12 09:14:53 localhost snort[8163]: | Characters        : 92288
>> Aug 12 09:14:53 localhost snort[8163]: | States            : 71178
>> Aug 12 09:14:53 localhost snort[8163]: | Transitions       : 7588084
>> Aug 12 09:14:53 localhost snort[8163]: | State Density     : 41.6%
>> Aug 12 09:14:53 localhost snort[8163]: | Patterns          : 5092
>> Aug 12 09:14:53 localhost snort[8163]: | Match States      : 5685
>> Aug 12 09:14:53 localhost snort[8163]: | Memory (MB)       : 36.73
>> Aug 12 09:14:53 localhost snort[8163]: |   Patterns        : 0.56
>> Aug 12 09:14:53 localhost snort[8163]: |   Match Lists     : 1.24
>> Aug 12 09:14:53 localhost snort[8163]: |   DFA
>> Aug 12 09:14:53 localhost snort[8163]: |     1 byte states : 0.96
>> Aug 12 09:14:53 localhost snort[8163]: |     2 byte states : 33.67
>> Aug 12 09:14:53 localhost snort[8163]: |     4 byte states : 0.00
>> Aug 12 09:14:53 localhost snort[8163]:
>> +----------------------------------------------------------------
>> Aug 12 09:14:53 localhost snort[8163]: [ Number of patterns truncated to
>> 20 bytes: 313 ]
>> Aug 12 09:14:53 localhost snort[8163]: pcap DAQ configured to passive.
>> Aug 12 09:14:53 localhost snort[8163]: Acquiring network traffic from
>> "eth0".
>> Aug 12 09:14:53 localhost snort[8163]: Initializing daemon mode
>> Aug 12 09:14:53 localhost snort[8173]: Daemon initialized, signaled
>> parent pid: 8163
>> Aug 12 09:14:53 localhost snort[8173]: Reload thread starting...
>> Aug 12 09:14:53 localhost snort[8173]: Reload thread started, thread
>> 0x7f8feee27700 (8174)
>> Aug 12 09:14:54 localhost kernel: device eth0 entered promiscuous mode
>> Aug 12 09:14:54 localhost snort[8173]: Decoding Ethernet
>> Aug 12 09:14:54 localhost snort[8173]: Checking PID path...
>> Aug 12 09:14:54 localhost snort[8173]: PID path stat checked out ok, PID
>> path set to /var/run/
>> Aug 12 09:14:54 localhost snort[8173]: Writing PID "8173" to file
>> "/var/run//snort_eth0.pid"
>> Aug 12 09:14:54 localhost snort[8173]: Set gid to 504
>> Aug 12 09:14:54 localhost kernel: device eth0 left promiscuous mode
>> Aug 12 09:14:54 localhost snort[8173]: Set uid to 496
>> Aug 12 09:14:54 localhost snort[8173]: FATAL ERROR: spo_unified2.c(320)
>> Could not open /var/log/snort/merged.log.1407860094: Permission denied
>> Aug 12 09:15:23 localhost barnyard2[8142]:
>> [SignatureReferencePullDataStore()]: No Reference found in database ...
>> Aug 12 09:15:23 localhost barnyard2[8142]: database: compiled support for
>> (mysql)
>> Aug 12 09:15:23 localhost barnyard2[8142]: database: configured to use
>> mysql
>> Aug 12 09:15:23 localhost barnyard2[8142]: database: schema version = 107
>> Aug 12 09:15:23 localhost barnyard2[8142]: database:           host =
>> localhost
>> Aug 12 09:15:23 localhost barnyard2[8142]: database:           user = root
>> Aug 12 09:15:23 localhost barnyard2[8142]: database:  database name =
>> snort
>> Aug 12 09:15:23 localhost barnyard2[8142]: database:    sensor name =
>> localhost.localdomain:eth0
>> Aug 12 09:15:23 localhost barnyard2[8142]: database:      sensor id = 2
>> Aug 12 09:15:23 localhost barnyard2[8142]: database:     sensor cid = 6
>> Aug 12 09:15:23 localhost barnyard2[8142]: database:  data encoding = hex
>> Aug 12 09:15:23 localhost barnyard2[8142]: database:   detail level = full
>> Aug 12 09:15:23 localhost barnyard2[8142]: database:     ignore_bpf = no
>> Aug 12 09:15:23 localhost barnyard2[8142]: database: using the "log"
>> facility
>> Aug 12 09:15:23 localhost barnyard2[8142]:
>> Aug 12 09:15:23 localhost barnyard2[8142]:         --== Initialization
>> Complete ==--
>> Aug 12 09:15:23 localhost barnyard2[8142]: Barnyard2 initialization
>> completed successfully (pid=8142)
>> Aug 12 09:15:23 localhost barnyard2[8142]: Using waldo file
>> '/etc/snort/barnyard2.waldo':#012    spool directory =
>> /var/log/snort#012    spool filebase  = merged.log#012    time_stamp      =
>> 1407259400#012    record_idx      = 5370
>> Aug 12 09:15:23 localhost barnyard2[8142]: Opened spool file
>> '/var/log/snort/merged.log.1407259400'
>> Aug 12 09:15:23 localhost barnyard2[8142]: ERROR: Unable to open log
>> spool file '/var/log/snort/merged.log.1407259400' (Permission denied)
>> Aug 12 09:15:23 localhost barnyard2[8142]: Closing spool file
>> '/var/log/snort/merged.log.1407259400'. Read 0 records
>> Aug 12 09:15:23 localhost barnyard2[8142]: ERROR: Unable to create
>> spooler!
>> Aug 12 09:15:23 localhost barnyard2[8142]:
>> ===============================================================================
>> Aug 12 09:15:23 localhost barnyard2[8142]: Record Totals:
>> Aug 12 09:15:23 localhost barnyard2[8142]:    Records:           0
>> Aug 12 09:15:23 localhost barnyard2[8142]:    Events:           0 (0.000%)
>> Aug 12 09:15:23 localhost barnyard2[8142]:    Packets:           0
>> (0.000%)
>> Aug 12 09:15:23 localhost barnyard2[8142]:    Unknown:           0
>> (0.000%)
>> Aug 12 09:15:23 localhost barnyard2[8142]:    Suppressed:           0
>> (0.000%)
>> Aug 12 09:15:23 localhost barnyard2[8142]:
>> ===============================================================================
>> Aug 12 09:15:23 localhost barnyard2[8142]: Packet breakdown by protocol
>> (includes rebuilt packets):
>> Aug 12 09:15:23 localhost barnyard2[8142]:       ETH: 0          (0.000%)
>> Aug 12 09:15:23 localhost barnyard2[8142]:   ETHdisc: 0          (0.000%)
>> Aug 12 09:15:23 localhost barnyard2[8142]:      VLAN: 0          (0.000%)
>> Aug 12 09:15:23 localhost barnyard2[8142]:      IPV6: 0          (0.000%)
>> Aug 12 09:15:23 localhost barnyard2[8142]:   IP6 EXT: 0          (0.000%)
>> Aug 12 09:15:23 localhost barnyard2[8142]:   IP6opts: 0          (0.000%)
>> Aug 12 09:15:23 localhost barnyard2[8142]:   IP6disc: 0          (0.000%)
>> Aug 12 09:15:23 localhost barnyard2[8142]:       IP4: 0          (0.000%)
>> Aug 12 09:15:23 localhost barnyard2[8142]:   IP4disc: 0          (0.000%)
>> Aug 12 09:15:23 localhost barnyard2[8142]:     TCP 6: 0          (0.000%)
>> Aug 12 09:15:23 localhost barnyard2[8142]:     UDP 6: 0          (0.000%)
>> Aug 12 09:15:23 localhost barnyard2[8142]:     ICMP6: 0          (0.000%)
>> Aug 12 09:15:23 localhost barnyard2[8142]:   ICMP-IP: 0          (0.000%)
>> Aug 12 09:15:23 localhost barnyard2[8142]:       TCP: 0          (0.000%)
>> Aug 12 09:15:23 localhost barnyard2[8142]:       UDP: 0          (0.000%)
>> Aug 12 09:15:23 localhost barnyard2[8142]:      ICMP: 0          (0.000%)
>> Aug 12 09:15:23 localhost barnyard2[8142]:   TCPdisc: 0          (0.000%)
>> Aug 12 09:15:23 localhost barnyard2[8142]:   UDPdisc: 0          (0.000%)
>> Aug 12 09:15:23 localhost barnyard2[8142]:   ICMPdis: 0          (0.000%)
>> Aug 12 09:15:23 localhost barnyard2[8142]:      FRAG: 0          (0.000%)
>> Aug 12 09:15:23 localhost barnyard2[8142]:    FRAG 6: 0          (0.000%)
>> Aug 12 09:15:23 localhost barnyard2[8142]:       ARP: 0          (0.000%)
>> Aug 12 09:15:23 localhost barnyard2[8142]:     EAPOL: 0          (0.000%)
>> Aug 12 09:15:23 localhost barnyard2[8142]:   ETHLOOP: 0          (0.000%)
>> Aug 12 09:15:23 localhost barnyard2[8142]:       IPX: 0          (0.000%)
>> Aug 12 09:15:23 localhost barnyard2[8142]:     OTHER: 0          (0.000%)
>> Aug 12 09:15:23 localhost barnyard2[8142]:   DISCARD: 0          (0.000%)
>> Aug 12 09:15:23 localhost barnyard2[8142]: InvChkSum: 0          (0.000%)
>> Aug 12 09:15:23 localhost barnyard2[8142]:    S5 G 1: 0          (0.000%)
>> Aug 12 09:15:23 localhost barnyard2[8142]:    S5 G 2: 0          (0.000%)
>> Aug 12 09:15:23 localhost barnyard2[8142]:     Total: 0
>> Aug 12 09:15:23 localhost barnyard2[8142]:
>>
>>
>>
>>
>> On Fri, Aug 8, 2014 at 7:41 AM, Bill Bernsen <bill.bernsen at ...6823...>
>> wrote:
>>
>>> Hi Trevor,
>>>
>>> Can you copy and paste the details from /var/log/messages when you start
>>> up snort/barnyard2?
>>>
>>>
>>> On Wed, Aug 6, 2014 at 4:34 PM, Trevor Thompson <trevthom18 at ...11827...>
>>> wrote:
>>>
>>>> Hello,
>>>>
>>>> I am trying to set up Snort and Barnyard2 as daemons on CentOS 6.5.
>>>> They are both producing the same errors when I attempt to stop, restart, or
>>>> start the service:
>>>>
>>>> snort dead but subsys locked
>>>> barnyard dead but subsys locked
>>>>
>>>> I've been following installation instructions for the software that I
>>>> found on this website:
>>>> http://cyberoperations.wordpress.com/2014-class/2014-08-snort-2-9-6-0-network-miner-1-5-autopsy/
>>>> and
>>>> http://cyberoperations.wordpress.com/2014-class/2014-09-mysql-barnyard/.
>>>> The first link describes how to install Snort and configure it as a
>>>> daemon; the second link details how to configure MySQL, install Barnyard2,
>>>> and configure Barnyard2 as a service. Through following the tutorial I
>>>> managed to log data and send it to a MySQL database of my own creation.
>>>> Everything was fine until I got to the very bottom of the second link and
>>>> attempted to install Barnyard2 as a service:
>>>>
>>>> "Starting Barnyard Automatically
>>>>
>>>> To complete the installation, we need Barnyard2 to start automatically.
>>>> To do so, Barnyard2 should run as a daemon, so uncomment line 85 of the
>>>> /etc/snort/barnyard2.conf file
>>>>
>>>> # enable daemon mode
>>>> #
>>>> config daemon
>>>>
>>>> Next, update the barnyard2.conf file with the full location of the
>>>> waldo file; modify line 134 to read
>>>>
>>>> # define the full waldo filepath.
>>>> #
>>>> config waldo_file: /etc/snort/barnyard2.waldo
>>>>
>>>> The waldo file (where is he anyway?) lets Barnyard2 track how far it
>>>> has progressed through the various output files created by Snort. We
>>>> specified this precise location in the command line we have used in testing.
>>>>
>>>> We do not want Barnyard2 running as root; instead we tell Barnyard2 to
>>>> run as the user (and group) snort by modifying lines 91-97.
>>>>
>>>> # specify the group or GID for barnyard2 to run as after initialisation.
>>>> #
>>>> config set_gid: snort
>>>>
>>>> # specify the user or UID for barnyard2 to run as after initialisation.
>>>> #
>>>> config set_uid: snort
>>>>
>>>> Since we want Barnyard2 to run as the user snort, we change the
>>>> permissions on our waldo file:
>>>>
>>>> [root at ...16933... snort]# chown snort:snort /etc/snort/barnyard2.waldo
>>>>
>>>> Remember- it was automatically created the first time we ran Barnyard.
>>>> Since we ran it as root that first time, it was created with root
>>>> permissions, so we would not be able to use it as snort.
>>>>
>>>> Copy the startup script from the installation directory to /etc/init.d
>>>> and make it executable
>>>>
>>>> [root at ...16933... ~]# cp /usr/local/src/barnyard2-master/rpm/barnyard2 /etc/init.d/
>>>> [root at ...16933... ~]# chmod a+x /etc/init.d/barnyard2
>>>>
>>>> We need to make a few modifications to the file though. We do not need
>>>> to specify the location of ARCHIVEDIR, so line 37 can be removed.
>>>>
>>>> The location of the WALDO_FILE in line 38 should be changed. In our
>>>> setup, files are not indexed by the interface name, so we do not want to
>>>> include $INT in the path name; we also have stored the waldo file in
>>>> /etc/snort rather than in $SNORTDIR; thus these lines should become
>>>> the single line
>>>>
>>>> WALDO_FILE="/etc/snort/barnyard2.waldo"
>>>>
>>>> We also need to remove the dependencies on the interface in the
>>>> BARNYARD_OPTS line; it should become
>>>>
>>>> BARNYARD_OPTS="-D -c $CONF -d $SNORTDIR -w $WALDO_FILE -f $LOG_FILE -X $PIDFILE $EXTRA_ARGS"
>>>>
>>>> Combining these changes, we end up with a start() routine in the form
>>>>
>>>> start() {
>>>> 	echo -n $"Starting $desc ($prog): "
>>>> 	for INT in $INTERFACES; do
>>>> 		PIDFILE="/var/lock/subsys/barnyard2-$INT.pid"
>>>> 		WALDO_FILE="/etc/snort/barnyard2.waldo"
>>>> 		BARNYARD_OPTS="-D -c $CONF -d $SNORTDIR -w $WALDO_FILE -f $LOG_FILE -X $PIDFILE $EXTRA_ARGS"
>>>> 		daemon $prog $BARNYARD_OPTS
>>>> 	done
>>>> 	RETVAL=$?
>>>> 	echo
>>>> 	[ $RETVAL -eq 0 ] && touch /var/lock/subsys/$prog
>>>> 	return $RETVAL
>>>> }
>>>>
>>>> We also put a link to the binary in /usr/sbin
>>>>
>>>> [root at ...16933... ~]# ln -s /usr/local/bin/barnyard2 /usr/sbin/barnyard2
>>>>
>>>> Copy the configuration file from the installation directory to
>>>> /etc/sysconfig
>>>>
>>>> [root at ...16933... ~]# cp /usr/local/src/barnyard2-master/rpm/barnyard2.config /etc/sysconfig/barnyard2
>>>>
>>>> We need to make a few changes to this file as well; when complete it
>>>> should look like
>>>>
>>>> # Config file for /etc/init.d/barnyard2
>>>> LOG_FILE="merged.log"
>>>>
>>>> # You probably don't want to change this, but in case you do
>>>> SNORTDIR="/var/log/snort"
>>>> INTERFACES="eth0"
>>>>
>>>> # Probably not this either
>>>> CONF=/etc/snort/barnyard2.conf
>>>>
>>>> EXTRA_ARGS=""
>>>>
>>>> In case you are wondering what got changed- both the LOG_FILE variable
>>>> as well as the CONF variables.
>>>>
>>>> Finally, we set up our start-up and shutdown scripts:
>>>>
>>>> [root at ...16933... ~]# ln -s /etc/init.d/barnyard2 /etc/rc3.d/S99barnyard2d
>>>> [root at ...16933... ~]# ln -s /etc/init.d/barnyard2 /etc/rc5.d/S99barnyard2d
>>>> [root at ...16934... ~]# ln -s /etc/init.d/barnyard2 /etc/rc0.d/K99barnyard2d
>>>> [root at ...16933... ~]# ln -s /etc/init.d/barnyard2 /etc/rc6.d/K99barnyard2d
>>>>
>>>> This completes the installation. You can verify that it works by simply
>>>> rebooting the box and checking that both snort and barnyard2 run correctly."
>>>>
>>>> However, rebooting the operating system didn't fix the problem, but it
>>>> instead created the previously mentioned errors. Does anyone have any idea
>>>> what the problem could be with my system?
>>>>
>>>>
>>>> _______________________________________________
>>>> Snort-users mailing list
>>>> Snort-users at lists.sourceforge.net
>>>> Go to this URL to change user options or unsubscribe:
>>>> https://lists.sourceforge.net/lists/listinfo/snort-users
>>>> Snort-users list archive:
>>>> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>>>>
>>>> Please visit http://blog.snort.org to stay current on all the latest
>>>> Snort news!
>>>>
>>>
>>>
>>>
>>> --
>>> Bill Bernsen
>>> Network Security Analyst
>>> ITS Technology Security Services, New York University
>>> http://www.nyu.edu/its/security
>>>
>>
>>
>>
>>
>
>
>
> --
> Robert Millott
> President, Millott and Associates
> (443) 255-3588
>
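The two failure modes in this thread, a spool directory the set_uid user cannot write and a leftover subsys lock after a failed start, can be checked before the init script launches the daemon. This is an added example, not code from the thread or from the barnyard2 project; the conf keys, lock and pid paths follow the quoted tutorial, and the helper names are mine.

```shell
#!/bin/sh
# Added example, not code from the thread or the barnyard2 project.
# Pre-flight checks for a barnyard2 init script: read the user barnyard2
# will drop to (config set_uid) from barnyard2.conf, verify that the
# snort spool directory and the waldo file are owned by that user, and
# detect a leftover /var/lock/subsys lock whose pid is no longer running.
# Helper names are mine; paths are arguments so a test tree can be used.

# conf_value FILE KEY: print the value of the first "config KEY: value" line
conf_value() {
    sed -n "s/^[[:space:]]*config[[:space:]]*$2:[[:space:]]*\([^[:space:]#]*\).*/\1/p" "$1" | head -n 1
}

# owned_by PATH USER: succeed if PATH exists and is owned by USER
owned_by() {
    [ -e "$1" ] && [ -n "$(find "$1" -maxdepth 0 -user "$2" 2>/dev/null)" ]
}

# lock_is_stale LOCKFILE PIDFILE: succeed if the lock exists but the pid
# recorded in PIDFILE is missing or not alive ("dead but subsys locked")
lock_is_stale() {
    [ -e "$1" ] || return 1
    pid=$(head -n 1 "$2" 2>/dev/null)
    [ -n "$pid" ] && kill -0 "$pid" 2>/dev/null && return 1
    return 0
}

# preflight CONF SPOOLDIR WALDO LOCKFILE PIDFILE: report each problem on
# stdout and return the number of problems found (0 means safe to start)
preflight() {
    user=$(conf_value "$1" set_uid)
    problems=0
    if [ -z "$user" ]; then
        echo "no set_uid in $1: daemon would keep running as root"
        problems=$((problems + 1))
    else
        owned_by "$2" "$user" || { echo "$2 is not owned by $user"; problems=$((problems + 1)); }
        owned_by "$3" "$user" || { echo "$3 is not owned by $user"; problems=$((problems + 1)); }
    fi
    lock_is_stale "$4" "$5" && { echo "stale lock $4 (pid in $5 not running)"; problems=$((problems + 1)); }
    return "$problems"
}

# Run directly with the paths from the quoted init script, e.g.
# sh preflight.sh /etc/snort/barnyard2.conf /var/log/snort \
#    /etc/snort/barnyard2.waldo /var/lock/subsys/barnyard2 /var/lock/subsys/barnyard2-eth0.pid
if [ "$#" -eq 5 ]; then preflight "$@"; fi
```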