[Snort-users] Snort & Barnyard

Ayodele Okeowo aymacro at ...11827...
Wed Jan 1 10:34:23 EST 2014


I'm glad it's working for you. You can leave the -A flag out (whether you are
running Snort in IDS or IPS mode) and use the "-b" and "-d" flags as you want to. I will
also recommend reading the Snort Manual; it has great stuff and lots of
information in it.

For a GUI, I would recommend you start with ACID-BASE; then you can jump on to
Snorby or Squert.

Happy New Year!

Ayo


On Mon, Dec 30, 2013 at 4:41 PM, James <james at ...16635...> wrote:

> Sorry for not replying sooner - holidays have meant a delay in getting
> time to test it out. That has indeed fixed it. Stuff is now appearing in
> the database, thank you! So should I leave -A off all the time and put back
> -b and -d?
>
> I'm not yet seeing alerts in the GUI, but I expect that's outside the
> scope of this mailing list, so I'll continue trying to fix that.
>
> Many thanks again.
>
> James
>
>
> On 30 December 2013 14:09, Ayodele Okeowo <aymacro at ...11827...> wrote:
>
>> Does that mean it worked?
>>
>> Ayo
>>
>>
>> On Mon, Dec 23, 2013 at 10:20 AM, James Hodge <james at ...16645...> wrote:
>>
>>> Hi,
>>>
>>> Thanks for your reply. Yes, at least I think so, I'm running snort like
>>> this:
>>> /usr/sbin/snort -A fast -b -d -D -i eth1 -u snort -g snort -c
>>> /etc/snort/snort.conf -l /usr/local/snort/var/log/eth1
>>>
>>> Starting barnyard without daemon mode shows this only:
>>>
>>> root at ...16640...:/var/www/aanval/apps# barnyard2 -c
>>> /etc/snort/barnyard.conf -d /usr/local/snort/var/log/eth1 -w
>>> /usr/local/snort/var/log/eth1/barnyard2.waldo -l
>>> /usr/local/snort/var/log/eth1 -a /usr/local/snort/var/log/eth1/archive -f
>>> snort.log -X /var/lock/barnyard2-eth1.pid
>>> Running in Continuous mode
>>>
>>>         --== Initializing Barnyard2 ==--
>>> Initializing Input Plugins!
>>> Initializing Output Plugins!
>>> Parsing config file "/etc/snort/barnyard.conf"
>>>
>>>
>>> +[ Signature Suppress list ]+
>>> ----------------------------
>>> +[No entry in Signature Suppress List]+
>>> ----------------------------
>>> +[ Signature Suppress list ]+
>>>
>>>
>>> Barnyard2 spooler: Event cache size set to [2048]
>>> Log directory = /usr/local/snort/var/log/eth1
>>> INFO database: Defaulting Reconnect/Transaction Error limit to 10
>>> INFO database: Defaulting Reconnect sleep time to 5 second
>>>
>>> [SignatureReferencePullDataStore()]: No Reference found in database ...
>>> database: compiled support for (mysql)
>>> database: configured to use mysql
>>> database: schema version = 107
>>> database:           host = localhost
>>> database:           user = snort_user
>>> database:  database name = snortdb
>>> database:    sensor name = localhost:eth1
>>> database:      sensor id = 2
>>> database:     sensor cid = 1
>>> database:  data encoding = hex
>>> database:   detail level = full
>>> database:     ignore_bpf = no
>>> database: using the "log" facility
>>>
>>>         --== Initialization Complete ==--
>>>
>>>   ______   -*> Barnyard2 <*-
>>>  / ,,_  \  Version 2.1.13 (Build 327)
>>>  |o"  )~|  By Ian Firns (SecurixLive): http://www.securixlive.com/
>>>  + '''' +  (C) Copyright 2008-2013 Ian Firns <firnsy at ...14568...>
>>>
>>> Using waldo file '/usr/local/snort/var/log/eth1/barnyard2.waldo':
>>>     spool directory = /usr/local/snort/var/log/eth1
>>>     spool filebase  = snort.log
>>>     time_stamp      = 1387663189
>>>     record_idx      = 0
>>> Opened spool file '/usr/local/snort/var/log/eth1/snort.log.1387663189'
>>> Closing spool file '/usr/local/snort/var/log/eth1/snort.log.1387663189'.
>>> Read 0 records
>>> Opened spool file '/usr/local/snort/var/log/eth1/snort.log.1387811302'
>>> Waiting for new data
>>>
>>> If I then press ctrl-c it says it's seen 0 for every field.
>>>
>>> If it helps, this is the dir in question:
>>>
>>> root at ...16640...:/var/www/aanval/apps# ls -al
>>> /usr/local/snort/var/log/eth1/
>>>
>>> total 98184
>>> drwxr-xr-x 4 snort snort      4096 Dec 23 15:11 .
>>> drwxr-xr-x 4 snort snort      4096 Dec 21 22:27 ..
>>> -rw-r--r-- 1 snort snort 100383823 Dec 23 15:13 alert
>>> drwxr-xr-x 2 snort snort      4096 Dec 23 15:11 archive
>>> -rw------- 1 snort snort      2056 Dec 23 15:11 barnyard2.waldo
>>> -rw------- 1 snort snort    128173 Dec 23 15:13 snort.log.1387811302
>>>
>>>
>>>
>>>  On 22 December 2013 23:29, Ayodele Okeowo <aymacro at ...11827...> wrote:
>>>
>>>> When you ran snort did you use the '-A console' switch? Also, did you
>>>> test your barnyard without daemon mode?
>>>> On Dec 22, 2013 6:04 PM, "James" <snort at ...16635...> wrote:
>>>>
>>>>>  Hi all,
>>>>>
>>>>> I've followed this guide:
>>>>> http://wiki.aanval.com/wiki/Community:Snort_2.9.2.3_Installation_Guide_for_Ubuntu_12.04,_with_Barnyard2,_Pulledpork,_and_Aanval
>>>>> but using the most current Snort + Barnyard, and everything seems to
>>>>> have installed and started up correctly, but I'm not seeing anything get
>>>>> logged into the MySQL database. There were a few mistakes in the guide,
>>>>> which I've managed to fix with a bit of Googling, but I can't seem to solve
>>>>> this. I realise you're probably going to need more information to be able
>>>>> to help, but don't know enough yet to guess what that might be. Can anyone
>>>>> help please? The alternative is I wipe it all and start again in the hope I
>>>>> just missed something stupid the first time, but hopefully someone could
>>>>> help me avoid that?
>>>>>
>>>>> Thanks
>>>>> James
>>>>>
>>>>>
>>>>> ------------------------------------------------------------------------------
>>>>> Rapidly troubleshoot problems before they affect your business. Most IT
>>>>> organizations don't have a clear picture of how application performance
>>>>> affects their revenue. With AppDynamics, you get 100% visibility into
>>>>> your
>>>>> Java,.NET, & PHP application. Start your 15-day FREE TRIAL of
>>>>> AppDynamics Pro!
>>>>>
>>>>> http://pubads.g.doubleclick.net/gampad/clk?id=84349831&iu=/4140/ostg.clktrk
>>>>> _______________________________________________
>>>>> Snort-users mailing list
>>>>> Snort-users at lists.sourceforge.net
>>>>> Go to this URL to change user options or unsubscribe:
>>>>> https://lists.sourceforge.net/lists/listinfo/snort-users
>>>>> Snort-users list archive:
>>>>> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>>>>>
>>>>> Please visit http://blog.snort.org to stay current on all the latest
>>>>> Snort news!
>>>>>
>>>>
>>>
>>>
>>
>>
>
>
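Barnyard2 in the quoted output opens the spool file and reports "Read 0 records", so the first thing to establish is whether Snort is writing unified2 records into that file at all. This Python parser is an added example, not code from the thread or from the Snort/Barnyard2 projects: it walks a unified2 spool image, counts records by type, decodes legacy IDS events (gid/sid/rev), and flags two common surprises, a tcpdump-format file (which barnyard2 cannot read) and a partially written trailing record. The sample bytes are constructed inline; the record layouts follow Snort's Unified2_common.h.

```python
import struct
import sys

# Unified2 record type codes from Snort's Unified2_common.h
UNIFIED2_PACKET = 2
UNIFIED2_IDS_EVENT = 7
UNIFIED2_EXTRA_DATA = 110
KNOWN_TYPES = {2: "PACKET", 7: "IDS_EVENT", 72: "IDS_EVENT_IPV6",
               104: "IDS_EVENT_VLAN", 105: "IDS_EVENT_IPV6_VLAN", 110: "EXTRA_DATA"}
# libpcap file magic (both byte orders): a spool file starting like this is a
# tcpdump capture, not a unified2 stream
PCAP_MAGICS = {b"\xa1\xb2\xc3\xd4", b"\xd4\xc3\xb2\xa1"}

def inspect_spool(data):
    """Walk a unified2 spool image and summarise what barnyard2 would see."""
    summary = {"format": "unified2", "records": {}, "events": [], "truncated": False}
    if data[:4] in PCAP_MAGICS:
        summary["format"] = "pcap"
        return summary
    off = 0
    while off < len(data):
        if len(data) - off < 8:          # not even a full (type, length) header
            summary["truncated"] = True
            break
        rtype, rlen = struct.unpack(">II", data[off:off + 8])
        body = data[off + 8:off + 8 + rlen]
        if len(body) < rlen:             # Snort still mid-write, or file cut short
            summary["truncated"] = True
            break
        name = KNOWN_TYPES.get(rtype, "UNKNOWN_%d" % rtype)
        summary["records"][name] = summary["records"].get(name, 0) + 1
        if rtype == UNIFIED2_IDS_EVENT and rlen >= 52:
            # Serial_Unified2IDSEvent_legacy: 11 x u32, 2 x u16, 4 x u8 = 52 bytes
            f = struct.unpack(">11I2H4B", body[:52])
            summary["events"].append({"sensor_id": f[0], "event_id": f[1],
                                      "sid": f[4], "gid": f[5], "rev": f[6],
                                      "priority": f[8]})
        off += 8 + rlen
    return summary

def build_sample():
    """Constructed spool image: one legacy IDS event, one packet, one cut-off record."""
    ev = struct.pack(">11I2H4B", 2, 1, 1387811302, 0, 1000001, 1, 1, 3, 2,
                     0xC0A80101, 0xC0A80102, 40000, 80, 6, 0, 0, 0)
    pkt_data = b"\x00" * 20
    pkt = struct.pack(">7I", 2, 1, 1387811302, 1387811302, 0, 1, len(pkt_data)) + pkt_data
    recs = struct.pack(">II", UNIFIED2_IDS_EVENT, len(ev)) + ev
    recs += struct.pack(">II", UNIFIED2_PACKET, len(pkt)) + pkt
    recs += struct.pack(">II", UNIFIED2_EXTRA_DATA, 40) + b"\x00" * 10   # partial write
    return recs

if __name__ == "__main__":
    # Pass a spool path such as snort.log.1387811302, or run on the sample
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample()
    print(inspect_spool(data))
```

An empty `records` dict on a non-empty file means barnyard2 has nothing to insert, whatever the database settings say.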