Snort mailing list archives
snort + barnyard problem; base not updating but things seem to be working
From: John Huss <john.huss () thebunker net>
Date: Thu, 15 Jan 2009 12:53:00 +0000
Hello, I've been playing with snort and would appreciate a bit of help.

Initially I did a simple snort+mysql+base setup which was working and displaying alerts no problem. It was very interesting to see alerts that were flagged on a 100MB connection. I then integrated barnyard and made that work. I could see alerts going up in base and could click on them for further information, just like I could before, except I could see barnyard running and outputting logging info as it opened and processed the snort unified log files.

However, as I now wanted snort to look for only certain alerts, I made some changes, taking out filters for things that I wasn't concerned about, dropped the database and recreated the setup (including surfing to setup.php to get base to do the final database bits of setup). I wanted to have just a few of the 'include' filters and port scan features rather than everything alerting me, as it was too much info for a newbie. I've even put the vanilla snort config file back after my meddling and still get the same results.

Currently snort, barnyard and mysql are all running, but when I surf to base it always says there are 0 alerts. I can see in /var/log/snort/ that alert and log files are being created, and selecting * from event in the mysql database shows tons of records, i.e.:

-rw-------  1 root  root  1277264 Jan 15 12:26 snort.alert.1232021175
-rw-------  1 root  root    50192 Jan 15 12:27 snort.alert.1232022387
drwxr-xr-x  2 root  root    12288 Jan 15 12:27 archive
drwxrwx---  3 snort snort    4096 Jan 15 12:27 .
-rw-------  1 root  root  7227914 Jan 15 12:43 snort.log.1232022457
-rw-------  1 root  root   921552 Jan 15 12:43 snort.alert.1232022457
-rw-r--r--  1 root  root       42 Jan 15 12:43 barnyard.waldo

I can't see any errors in any log files for mysql, apache, snort or barnyard, and all applications start and stay running once they've been started.
Given that I had this working previously, I've deleted everything and started again following the guide I created as I set it up originally, but still get the same result of 0 alerts when I surf to base, even after leaving it a while to get a few hundred megabytes of log files. If I click on 'cache & status' in base I can see that it says there are tens of thousands of events in the 'alert information cache' section.

To show that mysql is receiving data, copied below are the last 3 lines from mysql 'select * from event;':

|   1 | 128282 |        16 | 2009-01-15 12:46:21 |
|   1 | 128283 |        16 | 2009-01-15 12:46:21 |
|   1 | 128284 |        16 | 2009-01-15 12:46:21 |
+-----+--------+-----------+---------------------+
85703 rows in set (0.41 sec)

This not working is my fault I'm sure, but I really can't spot what is going on. Very sorry for the long post, but any help would be gratefully received. I'm sure I've been silly and missed something that I had edited before. Please find copied below info about my setup:

OS: Gentoo Linux 32-bit.

Packages installed:
-------------------
net-analyzer/snort-2.6.1.3-r1
net-analyzer/barnyard-0.2.0-r1
dev-db/mysql-5.0.70-r1
net-analyzer/base-1.4.1
dev-php/adodb-5.05

Config files:
-------------
1 * /etc/snort/snort.conf - I've now swapped my version with the vanilla config file. The only changes made to the vanilla file are these two additions:

output alert_unified: filename snort.alert, limit 128
output log_unified: filename snort.log, limit 128

2 * /etc/snort/barnyard.conf - The only uncommented lines in this file are:

config hostname: localhost
config interface: eth1
config filter: not port 22
output alert_fast: /var/log/snort/snort
output alert_acid_db: mysql, sensor_id 1, database snort, server localhost, user snort, password snort
output log_acid_db: mysql, sensor_id 1, database snort, server localhost, user snort, password snort

3 * /etc/conf.d/snort

IFACE=eth1
PIDFILE=/var/run/snort_$IFACE.pid
LOGDIR="/var/log/snort"
CONF=/etc/snort/snort.conf
SNORT_OPTS="-D -u snort -i $IFACE -l $LOGDIR -c $CONF"

4 * /etc/conf.d/barnyard

PIDFILE="/var/run/barnyard.pid"
LOG_FILE="snort.log"
LOGDIR="/var/log/snort"
ARCHIVEDIR="$LOGDIR/archive"
GENMSG_FILE="/etc/snort/gen-msg.map"
SIDMSG_FILE="/etc/snort/sid-msg.map"
WALDO_FILE="$LOGDIR/barnyard.waldo"
CONF=/etc/snort/barnyard.conf
BARNYARD_OPTS="-D -c $CONF -d $LOGDIR -g $GENMSG_FILE -s $SIDMSG_FILE -w $WALDO_FILE -L $LOGDIR -a $ARCHIVEDIR -f $LOG_FILE -X $PIDFILE"

5 * ps auxw | grep -i <app-name>  # shows barnyard, mysql, apache and snort all running.
6 * base_conf.php

session_start();
$BASE_VERSION = '1.4.1 (lara)';
$BASE_Language = 'english';
$Use_Auth_System = 0;
$BASE_display_sig_links = 1;
$BASE_urlpath = '';
$BASE_installID = '';
$base_custom_footer = '';
$DBlib_path = '/var/www/localhost/htdocs/adodb5';
$DBtype = 'mysql';
$alert_dbname = 'snort';
$alert_host = 'localhost';
$alert_port = '';
$alert_user = 'snort';
$alert_password = 'snort';
$archive_exists = ''; # Set this to 1 if you have an archive DB
$archive_dbname = '';
$archive_host = '';
$archive_port = '';
$archive_user = '';
$archive_password = '';
$db_connect_method = 1;
$use_referential_integrity = 0;
$base_style = 'base_style.css';
$chart_file_format = 'png';
$chart_bg_color_default = array(255,255,255);
$chart_lgrid_color_default = array(205,205,205);
$chart_bar_color_default = array(190, 5, 5);
$MAX_ROWS = 10;
$show_rows = 48;
$last_num_alerts = 15;
$last_num_ualerts = 15;
$last_num_uports = 15;
$last_num_uaddr = 15;
$freq_num_alerts = 5;
$freq_num_uaddr = 15;
$freq_num_uports = 15;
$max_scroll_buttons = 12;
$debug_mode = 0;
$debug_time_mode = 1;
$html_no_cache = 1;
$sql_trace_mode = 0;
$sql_trace_file = '';
$refresh_stat_page = 1;
$refresh_all_pages = 0;
$stat_page_refresh_time = 180;
$show_previous_alert = 0;
$max_script_runtime = 180;
$ip_address_input = 2;
$use_sig_list = 0;
$resolve_IP = 0;
$show_summary_stats = 0;
$dns_cache_lifetime = 20160;
$whois_cache_lifetime = 40320;
$portscan_file = '';
$portscan_payload_in_signature = '1';
$event_cache_auto_update = 1;
$maintain_history = 1;
$main_page_detail = 1;
$avoid_counts = 0;
$show_first_last_links = 0;
$external_whois_link = 'http://www.dnsstuff.com/tools/whois.ch?ip=';
$external_dns_link = 'http://www.dnsstuff.com/tools/ptr.ch?ip=';
$external_all_link = 'http://www.whois.sc/';
$external_port_link = array('sans' => 'http://isc.sans.org/port.html?port=',
                            'tantalo' => 'http://ports.tantalo.net/?q=',
                            'sstats' => 'http://www.securitystats.com/tools/portsearch.php?type=port&select=any&Submit=Submit&input=');
$external_sig_link = array('bugtraq' => array('http://www.securityfocus.com/bid/', ''),
                           'snort' => array('http://www.snort.org/pub-bin/sigs.cgi?sid=', ''),
                           'cve' => array('http://cve.mitre.org/cgi-bin/cvename.cgi?name=', ''),
                           'arachnids' => array('http://www.whitehats.com/info/ids', ''),
                           'mcafee' => array('http://vil.nai.com/vil/content/v_', '.htm'),
                           'icat' => array('http://icat.nist.gov/icat.cfm?cvename=CAN-', ''),
                           'nessus' => array('http://www.nessus.org/plugins/index.php?view=single&id=', ''),
                           'url' => array('http://', ''),
                           'local' => array('signatures/', '.txt'),
                           'EmThreats' => array('http://docs.emergingthreats.net/', ''));
$action_email_smtp_host = 'smtp.example.com';
$action_email_smtp_auth = 1;
$action_email_smtp_user = 'username';
$action_email_smtp_pw = 'password';
$action_email_from = 'smtpuser () example com';
$action_email_subject = 'BASE Incident Report';
$action_email_msg = '';
$action_email_mode = 0;
$use_user_session = 0;
$user_session_path = '';
$user_session_function = '';
$colored_alerts = 0;
$priority_colors = array ('FF0000','FFFF00','FF9900','999999','FFFFFF','006600');
$BASE_path = dirname(__FILE__);
include files....
define( '_BASE_INC', 1 );
include("$BASE_path/languages/$BASE_Language.lang.php");

Sorry for the long post! Any help or advice would be very welcome, I'm struggling to see what the smeg is going wrong. I even tried stracing barnyard before my eyes went weird trying to understand the output :)

Kind Regards,
Johnny
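Editor's note, added to the archive and not part of John's post or of the barnyard/BASE projects: when BASE reports 0 alerts while `select * from event` returns tens of thousands of rows, the useful next step is to check each join BASE performs rather than the `event` table alone. The queries below are constructed for that purpose against the standard Snort MySQL schema written by barnyard 0.2 and read by BASE 1.4; the table and column names (`sensor`, `event`, `signature`, `iphdr`, `acid_event`, `last_cid`, `sig_id`, `sig_gid`, `sig_sid`) are assumed from that schema and should be checked against `SHOW TABLES` / `DESCRIBE` on the actual database. They read only, so they are safe to run against the live sensor database.

```sql
-- Constructed diagnostic queries for the Snort/BASE MySQL schema (table and
-- column names assumed from the barnyard 0.2 / BASE 1.4 schema; verify with
-- SHOW TABLES and DESCRIBE <table> first).
USE snort;

-- 1. Does the sensor row for "sensor_id 1" exist, and does its last_cid
--    keep up with the newest event cid written for that sid?
SELECT s.sid, s.hostname, s.interface, s.filter, s.last_cid,
       (SELECT MAX(e.cid) FROM event e WHERE e.sid = s.sid) AS max_event_cid
FROM sensor s;

-- 2. Row counts for the tables BASE joins on. A half-working pipeline
--    typically shows event >> iphdr, or an empty acid_event cache.
SELECT 'event'      AS tbl, COUNT(*) AS rows_in_table FROM event
UNION ALL SELECT 'iphdr',      COUNT(*) FROM iphdr
UNION ALL SELECT 'signature',  COUNT(*) FROM signature
UNION ALL SELECT 'acid_event', COUNT(*) FROM acid_event;

-- 3. Events with no matching IP header row. BASE's alert listings join
--    event to iphdr on (sid, cid), so such events never show up in the UI.
SELECT COUNT(*) AS events_without_iphdr
FROM event e
LEFT JOIN iphdr i ON i.sid = e.sid AND i.cid = e.cid
WHERE i.sid IS NULL;

-- 4. Which signature ids the events reference and whether each resolves to
--    a name (the three rows quoted in the post all carry signature = 16).
SELECT e.signature, sg.sig_name, sg.sig_gid, sg.sig_sid, COUNT(*) AS n
FROM event e
LEFT JOIN signature sg ON sg.sig_id = e.signature
GROUP BY e.signature, sg.sig_name, sg.sig_gid, sg.sig_sid
ORDER BY n DESC;

-- 5. The time window the events occupy versus the database clock, in case
--    the alerts are there but fall outside the range BASE is displaying.
SELECT MIN(timestamp) AS first_event, MAX(timestamp) AS last_event, NOW() AS db_now
FROM event;
```

Read the results together: query 1 tells you whether barnyard is writing under the sid BASE expects and whether `last_cid` is advancing; query 2 and 3 show whether only the `event` rows arrive while the per-packet tables BASE depends on stay empty; query 4 confirms the sid-msg.map lookup produced names; query 5 catches a clock or timestamp mismatch. None of these is a fix on its own, but whichever one disagrees with the others points at the layer (sensor registration, packet tables, signature map, or time range) to look at next.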
Current thread:
- snort + barnyard problem; base not updating but things seem to be working John Huss (Jan 15)
- Re: snort + barnyard problem; base not updating but things seem to be working John Huss (Jan 16)
- Re: snort + barnyard problem; base not updating but things seem to be working Joel Esler (Jan 16)
- Re: snort + barnyard problem; base not updating but things seem to be working John Huss (Jan 19)
- Re: snort + barnyard problem; base not updating but things seem to be working John Huss (Jan 16)