Snort mailing list archives

snort + barnyard problem; base not updating but things seem to be working


From: John Huss <john.huss () thebunker net>
Date: Thu, 15 Jan 2009 12:53:00 +0000

Hello,

I've been playing with snort and would appreciate a bit of help.

Initially I did a simple snort+mysql+base setup which was working and
displaying alerts no problem. It was very interesting to see alerts that
were flagged on a 100MB connection.

I then integrated barnyard and made that work. I could see alerts going
up in base and could click on them for further information, just like I
could before, except I could also see barnyard running and outputting
logging info as it opened and processed the snort unified log files.

However, as I now wanted snort to look for only certain alerts, I
made some changes, taking out filters for things that I wasn't concerned
about, dropped the database and recreated the setup (including surfing
to setup.php to get base to do the final database bits of setup). I
wanted to have just a few of the 'include' filters and port scan
features rather than everything alerting me, as it was too much info for
a newbie.

I've even put the vanilla snort config file back after my meddling and
still get the same results.

Currently snort, barnyard and mysql are all running but when I surf to
base, it is always saying there are 0 alerts.

I can see in /var/log/snort/ that alert and log files are being created,
and selecting * from event in the mysql database shows tons of records,
i.e.:

-rw------- 1 root  root  1277264 Jan 15 12:26 snort.alert.1232021175
-rw------- 1 root  root    50192 Jan 15 12:27 snort.alert.1232022387
drwxr-xr-x 2 root  root    12288 Jan 15 12:27 archive
drwxrwx--- 3 snort snort    4096 Jan 15 12:27 .
-rw------- 1 root  root  7227914 Jan 15 12:43 snort.log.1232022457
-rw------- 1 root  root   921552 Jan 15 12:43 snort.alert.1232022457
-rw-r--r-- 1 root  root       42 Jan 15 12:43 barnyard.waldo

I can't see any errors in any log files for mysql, apache, snort or
barnyard; and all applications start and stay running once they've been
started.

Given that I had this working previously, I've deleted everything and
started again following the guide I created as I set it up originally,
but I still get the same result of 0 alerts when I surf to base, even
after leaving it a while to get a few hundred megabytes of log files.

If I click on 'cache & status' in base I can see that it says there are
tens of thousands of events in the 'alert information cache' section.

To show that mysql is receiving data, copied below are the last 3 lines
from mysql 'select * from event':

|   1 | 128282 |        16 | 2009-01-15 12:46:21 |
|   1 | 128283 |        16 | 2009-01-15 12:46:21 |
|   1 | 128284 |        16 | 2009-01-15 12:46:21 |
+-----+--------+-----------+---------------------+
85703 rows in set (0.41 sec)

This not working is my fault I'm sure but I really can't spot what is
going on. Very sorry for the long post but any help would be gratefully
received. I'm sure I've been silly and missed something that I had
edited before.

Please find copied below info about my setup:

OS: Gentoo Linux 32-bit.

Packages installed:
-------------------
net-analyzer/snort-2.6.1.3-r1
net-analyzer/barnyard-0.2.0-r1
dev-db/mysql-5.0.70-r1
net-analyzer/base-1.4.1
dev-php/adodb-5.05

Config files:
-------------
1 * /etc/snort/snort.conf - I've now swapped my version with the vanilla
config file. The only change made to the vanilla file are these two
additions:

   output alert_unified: filename snort.alert, limit 128
   output log_unified: filename snort.log, limit 128

2 * /etc/snort/barnyard.conf - The only uncommented lines in this file are:

   config hostname: localhost
   config interface: eth1
   config filter: not port 22
   output alert_fast:   /var/log/snort/snort
   output alert_acid_db: mysql, sensor_id 1, database snort, server localhost, user snort, password snort
   output log_acid_db: mysql, sensor_id 1, database snort, server localhost, user snort, password snort

3 * /etc/conf.d/snort
   IFACE=eth1
   PIDFILE=/var/run/snort_$IFACE.pid
   LOGDIR="/var/log/snort"
   CONF=/etc/snort/snort.conf
   SNORT_OPTS="-D -u snort -i $IFACE -l $LOGDIR -c $CONF"

4 * /etc/conf.d/barnyard
   PIDFILE="/var/run/barnyard.pid"
   LOG_FILE="snort.log"
   LOGDIR="/var/log/snort"
   ARCHIVEDIR="$LOGDIR/archive"
   GENMSG_FILE="/etc/snort/gen-msg.map"
   SIDMSG_FILE="/etc/snort/sid-msg.map"
   WALDO_FILE="$LOGDIR/barnyard.waldo"
   CONF=/etc/snort/barnyard.conf
   BARNYARD_OPTS="-D -c $CONF -d $LOGDIR -g $GENMSG_FILE -s $SIDMSG_FILE -w $WALDO_FILE -L $LOGDIR -a $ARCHIVEDIR -f $LOG_FILE -X $PIDFILE"

5 * ps auxw | grep -i <app-name> # shows barnyard, mysql, apache and
snort all running.

6 * base_conf.php
    session_start();
    $BASE_VERSION = '1.4.1 (lara)';
    $BASE_Language = 'english';
    $Use_Auth_System = 0;
    $BASE_display_sig_links = 1;
    $BASE_urlpath = '';
    $BASE_installID = '';
    $base_custom_footer = '';
    $DBlib_path = '/var/www/localhost/htdocs/adodb5';
    $DBtype = 'mysql';
    $alert_dbname   = 'snort';
    $alert_host     = 'localhost';
    $alert_port     = '';
    $alert_user     = 'snort';
    $alert_password = 'snort';
    $archive_exists   = ''; # Set this to 1 if you have an archive DB
    $archive_dbname   = '';
    $archive_host     = '';
    $archive_port     = '';
    $archive_user     = '';
    $archive_password = '';
    $db_connect_method = 1;
    $use_referential_integrity = 0;
    $base_style = 'base_style.css';
    $chart_file_format = 'png';
    $chart_bg_color_default     = array(255,255,255);
    $chart_lgrid_color_default  = array(205,205,205);
    $chart_bar_color_default    = array(190, 5, 5);
    $MAX_ROWS = 10;
    $show_rows = 48;
    $last_num_alerts = 15;
    $last_num_ualerts = 15;
    $last_num_uports = 15;
    $last_num_uaddr = 15;
    $freq_num_alerts = 5;
    $freq_num_uaddr = 15;
    $freq_num_uports = 15;
    $max_scroll_buttons = 12;
    $debug_mode = 0;
    $debug_time_mode = 1;
    $html_no_cache = 1;
    $sql_trace_mode = 0;
    $sql_trace_file = '';
    $refresh_stat_page = 1;
    $refresh_all_pages = 0;
    $stat_page_refresh_time = 180;
    $show_previous_alert = 0;
    $max_script_runtime = 180;
    $ip_address_input = 2;
    $use_sig_list = 0;
    $resolve_IP = 0;
    $show_summary_stats = 0;
    $dns_cache_lifetime = 20160;
    $whois_cache_lifetime = 40320;
    $portscan_file = '';
    $portscan_payload_in_signature = '1';
    $event_cache_auto_update = 1;
    $maintain_history = 1;
    $main_page_detail = 1;
    $avoid_counts = 0;
    $show_first_last_links = 0;
    $external_whois_link = 'http://www.dnsstuff.com/tools/whois.ch?ip=';
    $external_dns_link = 'http://www.dnsstuff.com/tools/ptr.ch?ip=';
    $external_all_link = 'http://www.whois.sc/';
    $external_port_link = array('sans'     => 'http://isc.sans.org/port.html?port=',
                                'tantalo'  => 'http://ports.tantalo.net/?q=',
                                'sstats'   => 'http://www.securitystats.com/tools/portsearch.php?type=port&select=any&Submit=Submit&input=');
    $external_sig_link = array('bugtraq'   => array('http://www.securityfocus.com/bid/', ''),
                               'snort'     => array('http://www.snort.org/pub-bin/sigs.cgi?sid=', ''),
                               'cve'       => array('http://cve.mitre.org/cgi-bin/cvename.cgi?name=', ''),
                               'arachnids' => array('http://www.whitehats.com/info/ids', ''),
                               'mcafee'    => array('http://vil.nai.com/vil/content/v_', '.htm'),
                               'icat'      => array('http://icat.nist.gov/icat.cfm?cvename=CAN-', ''),
                               'nessus'    => array('http://www.nessus.org/plugins/index.php?view=single&id=', ''),
                               'url'       => array('http://', ''),
                               'local'     => array('signatures/', '.txt'),
                               'EmThreats' => array('http://docs.emergingthreats.net/', ''));
    $action_email_smtp_host = 'smtp.example.com';
    $action_email_smtp_auth = 1;
    $action_email_smtp_user = 'username';
    $action_email_smtp_pw = 'password';
    $action_email_from = 'smtpuser () example com';
    $action_email_subject = 'BASE Incident Report';
    $action_email_msg = '';
    $action_email_mode = 0;
    $use_user_session = 0;
    $user_session_path = '';
    $user_session_function = '';
    $colored_alerts = 0;
    $priority_colors = array
('FF0000','FFFF00','FF9900','999999','FFFFFF','006600');
    $BASE_path = dirname(__FILE__);
include files....
    define( '_BASE_INC', 1 );
    include("$BASE_path/languages/$BASE_Language.lang.php");


-

Sorry for the long post! Any help or advice would be very welcome, I'm
struggling to see what the smeg is going wrong. I even tried stracing
barnyard before my eyes went weird trying to understand the output :)

------------

Kind Regards,




Johnny
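Added reconciliation queries for the situation described above (these are an editor's addition, not part of the original post or of the Snort, Barnyard or BASE projects). They assume the stock Snort MySQL schema tables (sensor, event, signature, iphdr) and the acid_event cache table that BASE's setup.php creates, which is, as far as I know, what the "alert information cache" count on the cache & status page reads; the database name snort and sensor id 1 are taken from the poster's config. The idea is to find which join BASE relies on is empty, rather than staring at the raw event table, which is already known to be full.

```sql
-- Added diagnostic queries (not from the original post). Assumes the stock
-- Snort DB schema plus BASE's acid_event table, in the database 'snort'.
USE snort;

-- 1. Raw events versus what BASE's cache holds. A large first number with a
--    zero second number means the cache was never (re)built after the
--    database was dropped and recreated: use "Update Alert Cache" on the
--    cache & status page, or look at the remaining queries for why it fails.
SELECT (SELECT COUNT(*) FROM event)      AS raw_events,
       (SELECT COUNT(*) FROM acid_event) AS cached_events;

-- 2. Every event.sid should have a row in sensor. Barnyard was given
--    sensor_id 1; if sensor is empty after the rebuild, BASE has nothing to
--    join the events to.
SELECT e.sid, COUNT(*) AS events
FROM event e
LEFT JOIN sensor s ON s.sid = e.sid
WHERE s.sid IS NULL
GROUP BY e.sid;

-- 3. Events whose signature id has no matching signature row (BASE joins
--    event.signature to signature.sig_id to get the name and priority).
SELECT e.signature, COUNT(*) AS events
FROM event e
LEFT JOIN signature sg ON sg.sig_id = e.signature
WHERE sg.sig_id IS NULL
GROUP BY e.signature;

-- 4. Events with no IP header row. With alert_acid_db and log_acid_db both
--    writing to the same database, every (sid, cid) should have an iphdr.
SELECT COUNT(*) AS events_without_iphdr
FROM event e
LEFT JOIN iphdr ip ON ip.sid = e.sid AND ip.cid = e.cid
WHERE ip.sid IS NULL;

-- 5. Timestamp range versus the DB host's clock. BASE's "today" / "last 24h"
--    views select by timestamp, so a skewed clock hides events from them.
SELECT MIN(timestamp) AS first_event,
       MAX(timestamp) AS last_event,
       NOW()          AS db_clock
FROM event;

-- 6. Barnyard keeps sensor.last_cid in step with the highest cid it wrote;
--    a mismatch points at a stale waldo file or a second writer.
SELECT s.sid, s.hostname, s.interface, s.last_cid,
       (SELECT MAX(e.cid) FROM event e WHERE e.sid = s.sid) AS max_cid
FROM sensor s;
```

Run the file with `mysql -u snort -p snort < reconcile.sql` (the file name is a placeholder) or paste the statements into the mysql client one at a time. Queries 2 to 4 should return no rows; the first one that does names the table BASE is missing.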
