Snort mailing list archives
Re: Barnyard2 startup issue
From: James Lay <jlay () slave-tothe-box net>
Date: Fri, 22 Jul 2011 07:00:16 -0600
> From: "Aycock, Jeff R." <JEFF.R.AYCOCK () saic com>
> Date: Fri, 22 Jul 2011 08:06:17 -0400
> To: Snort <snort-users () lists sourceforge net>
> Subject: [Snort-users] Barnyard2 startup issue
>
> Running in Continuous mode
>
>         --== Initializing Barnyard2 ==--
> Initializing Input Plugins!
> Initializing Output Plugins!
> Parsing config file "/etc/snort/barnyard2.conf"
> ..
> sguil: Connected to localhost on 7735.
> ERROR: Connecton closed by client
> sguil: Connected to localhost on 7735.
> ERROR: Connecton closed by client
> sguil: Connected to localhost on 7735.
> ERROR: Connecton closed by client
> .

Jeff,

As much as I appreciated Sguil's desire to go under a different user and what not, just for testing this thing out it seemed like it took over my already installed snort. Here's what I did to get (limited) success:

Created dir /opt/bin/sguil and slapped all the executable scripts there
Created dir /opt/etc/sguild and put all the sguild.* config files as well as the certs and lib dir, and autocat.conf
Created dir /opt/etc/sguild_agents and put all the agent conf files in there

sguild:
total 64
-rw-r--r-- 1 root root  2167 2011-07-09 09:18 autocat.conf
drwxr-xr-x 2 root root  4096 2011-07-09 14:35 certs
drwxr-xr-x 2 root root  4096 2011-07-09 14:45 lib
-rwxr-xr-x 1 root root 27498 2011-07-09 09:18 sguild
-rw-r--r-- 1 root root  1286 2011-07-09 09:18 sguild.access
-rw-r--r-- 1 root root  2669 2011-07-12 18:44 sguild.conf
-rw-r--r-- 1 root root  2992 2011-07-09 09:18 sguild.email
-rw-r--r-- 1 root root   789 2011-07-09 09:18 sguild.queries
-rw-r--r-- 1 root root  2992 2011-07-09 09:18 sguild.reports
-rw-r--r-- 1 root root   344 2011-07-09 09:18 sguild.users

sguild_agents:
total 28
-rw-r--r-- 1 root root   761 2011-07-10 08:38 example_agent.conf
-rw-r--r-- 1 root root   961 2011-07-10 08:38 pads_agent.conf
-rw-r--r-- 1 root root  1661 2011-07-10 08:38 pcap_agent.conf
-rw-r--r-- 1 root root  1839 2011-07-10 08:38 pcap_agent-sancp.conf
-rw-r--r-- 1 root root  1279 2011-07-10 08:38 sancp_agent.conf
-rw-r--r-- 1 root root   896 2011-07-10 08:38 sancp-indexed.conf
-rw-r--r-- 1 root root  1676 2011-07-12 19:01 snort_agent.conf

I'd run all these in separate consoles in the foreground so you can see what's going on. Change dirs to suit your needs:

sudo /opt/bin/snort -i eth1 -c /opt/etc/snort/sguilsnort.conf

sudo /opt/bin/sguil/sguild -c /opt/etc/snort/sguild/sguild.conf -C /opt/etc/snort/sguild/certs -a /opt/etc/snort/sguild/autocat.conf -g /opt/etc/snort/sguild/sguild.queries -A /opt/etc/snort/sguild/sguild.access

sudo /opt/bin/sguil/snort_agent.tcl -c /opt/etc/snort/sguild_agents/snort_agent.conf

sudo barnyard2 -c /opt/etc/snort/barnyard2.conf -d /var/log/snort -f sguil.u2 -w /var/log/snort/sguil.waldo

Sguild.conf:

set SGUILD_LIB_PATH /opt/etc/snort/sguild/lib
set DEBUG 2
set DAEMON 0
set SYSLOGFACILITY daemon
set SENSOR_AGGREGATION_ON 1
set SERVERPORT 7734
set SENSORPORT 7736
set RULESDIR /opt/etc/snort/rules
set TMPDATADIR /tmp
set DBNAME sguildb
set DBPASS "yourpass"
set DBHOST localhost
set DBPORT 3306
set DBUSER sguil
set LOCAL_LOG_DIR /var/log/snort/sguild_archive
set TMP_LOAD_DIR /tmp/load
set TCPFLOW "/usr/bin/tcpflow"
set P0F 1
set P0F_PATH "/usr/sbin/p0f"

sguild_agent.conf:

set DEBUG 1
set DAEMON 0
set SERVER_HOST localhost
set SERVER_PORT 7736
set BY_PORT 7735
set HOSTNAME gateway
set NET_GROUP Ext_Net
set LOG_DIR /var/log/snort
set PORTSCAN 0
set PORTSCAN_DIR ${LOG_DIR}/portscans
set SNORT_PERF_STATS 1
set SNORT_PERF_FILE "${LOG_DIR}/snort.stats"
set WATCH_DIR ${LOG_DIR}
set PS_CHECK_DELAY_IN_MSECS 10000
set DISK_CHECK_DELAY_IN_MSECS 1800000
set PING_DELAY 300000

barnyard2.conf:

config reference_file: /opt/etc/snort/reference.config
config classification_file: /opt/etc/snort/classification.config
config gen_file: /opt/etc/snort/gen-msg.map
config sid_file: /opt/etc/snort/sid-msg.map
config hostname: gateway
config interface: eth1
input unified2
output alert_fast: stdout
output sguil: agent_port=7735, sensor_name=gateway

Sguilsnort.conf areas pertaining to sguil:

preprocessor perfmonitor: time 300 file /var/log/snort/snort.stats pktcnt 10000
output alert_syslog: LOG_AUTH LOG_ALERT
output alert_fast: /var/log/snort/sguil.fast
output log_tcpdump: /var/log/snort/sguil.pcap
output unified2: filename /var/log/snort/sguil.u2

Alas, even after the amazing PITA it was to have to manually compile all the tcl stuff (Ubuntu's tcl packages are all threaded, which sguil isn't), I still don't really run it. The tcl interface on a 2.93 GHz Intel Core i7 Mac runs slow as dirt.

Good luck!

James

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Please see http://www.snort.org/docs for documentation
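The configs James posted only work because three port settings line up: barnyard2's `agent_port` must equal the snort_agent's `BY_PORT` (7735), and the snort_agent's `SERVER_PORT` must equal sguild's `SENSORPORT` (7736); barnyard2 never talks to sguild directly, so something must actually be listening on `BY_PORT` before barnyard2 is started. The pre-flight check below is an added example, not code from the thread, from Sguil or from Barnyard2. It parses the three files with awk/sed, reports each hop, and can test whether the agent port is open. The sample config files are constructed here from the values quoted in the thread (a deliberately broken variant points barnyard2 at sguild's client port 7734 instead); on a real sensor you would pass the real paths, e.g. the /opt/etc/snort/... ones above.

```shell
#!/bin/sh
# Added example (not from the original thread): pre-flight check for the
# barnyard2 -> snort_agent.tcl -> sguild port chain. Sample configs are
# constructed from the values quoted in the thread; real paths would be
# passed to check_port_chain instead.

# First "set NAME value" in a sguil-style Tcl config file.
tcl_setting() {                      # $1=file  $2=setting name
    awk -v k="$2" '$1 == "set" && $2 == k { print $3; exit }' "$1"
}

# agent_port=NNNN from the "output sguil:" line of barnyard2.conf.
by2_agent_port() {                   # $1=file
    sed -n 's/^output sguil:.*agent_port=\([0-9][0-9]*\).*/\1/p' "$1" | head -n 1
}

# Prints each hop and returns 0 only if both hops agree:
#   barnyard2 agent_port    == snort_agent BY_PORT     (barnyard2 -> agent)
#   snort_agent SERVER_PORT == sguild SENSORPORT       (agent -> sguild)
check_port_chain() {   # $1=barnyard2.conf  $2=snort_agent.conf  $3=sguild.conf
    by2=$(by2_agent_port "$1")
    ag_by=$(tcl_setting "$2" BY_PORT)
    ag_srv=$(tcl_setting "$2" SERVER_PORT)
    sg_sensor=$(tcl_setting "$3" SENSORPORT)
    rc=0
    if [ -n "$by2" ] && [ "$by2" = "$ag_by" ]; then
        echo "ok: barnyard2 agent_port $by2 matches snort_agent BY_PORT"
    else
        echo "MISMATCH: barnyard2 agent_port '$by2' vs snort_agent BY_PORT '$ag_by'"
        rc=1
    fi
    if [ -n "$ag_srv" ] && [ "$ag_srv" = "$sg_sensor" ]; then
        echo "ok: snort_agent SERVER_PORT $ag_srv matches sguild SENSORPORT"
    else
        echo "MISMATCH: snort_agent SERVER_PORT '$ag_srv' vs sguild SENSORPORT '$sg_sensor'"
        rc=1
    fi
    return $rc
}

# True if a local TCP listener is on port $1 (uses iproute2 ss, or
# net-tools netstat as a fallback). Run it on BY_PORT after starting
# snort_agent.tcl and before starting barnyard2.
port_listening() {                   # $1=port
    { ss -ltn 2>/dev/null || netstat -ltn 2>/dev/null; } | grep -q "[:.]$1[[:space:]]"
}

# Constructed sample configs with the thread's values; prints the temp dir.
write_samples() {
    d=$(mktemp -d)
    printf 'set SERVERPORT 7734\nset SENSORPORT 7736\n' > "$d/sguild.conf"
    printf 'set SERVER_HOST localhost\nset SERVER_PORT 7736\nset BY_PORT 7735\n' \
        > "$d/snort_agent.conf"
    printf 'output sguil: agent_port=7735, sensor_name=gateway\n' > "$d/barnyard2.conf"
    # Broken variant: barnyard2 aimed at sguild's client port, not the agent.
    printf 'output sguil: agent_port=7734, sensor_name=gateway\n' > "$d/barnyard2-bad.conf"
    echo "$d"
}

# Demo run: ./check_chain.sh --demo
if [ "${1:-}" = "--demo" ]; then
    d=$(write_samples)
    check_port_chain "$d/barnyard2.conf" "$d/snort_agent.conf" "$d/sguild.conf"
    check_port_chain "$d/barnyard2-bad.conf" "$d/snort_agent.conf" "$d/sguild.conf" \
        || echo "broken config rejected"
    port_listening 7735 || echo "nothing listening on 7735: start snort_agent.tcl first"
    rm -rf "$d"
fi
```

The check only catches configuration mismatches and a missing listener; a repeated "Connected to localhost on 7735" followed by the connection being closed, as in Jeff's output, still needs the agent's own console (James runs everything in the foreground for that reason) to see why the agent dropped the session.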
Current thread:
- Barnyard2 startup issue Aycock, Jeff R. (Jul 22)
- Re: Barnyard2 startup issue James Lay (Jul 22)
- Re: Barnyard2 startup issue Aycock, Jeff R. (Jul 22)
- Re: Barnyard2 startup issue Lay, James (Jul 22)
- Re: Barnyard2 startup issue beenph (Jul 22)
- Re: Barnyard2 startup issue Aycock, Jeff R. (Jul 22)
- Re: Barnyard2 startup issue James Lay (Jul 22)