Snort mailing list archives
Re: Barnyard2 startup issue
From: "Aycock, Jeff R." <JEFF.R.AYCOCK () saic com>
Date: Fri, 22 Jul 2011 11:46:33 -0400
Thanks, James. I did the mods and ran Barnyard2 again with another error, this time with mysql not being able to find
the socket file:
[root@10 ~]# Running in Continuous mode
--== Initializing Barnyard2 ==--
Initializing Input Plugins!
Initializing Output Plugins!
Parsing config file "/etc/snort/barnyard2.conf"
Log directory = /var/log/barnyard2
sguil: sensor name = sensor
sguil: agent port = 7735
sguil: Connected to localhost on 7735.
sguil: Waiting for sid and cid from sensor_agent.
sguil: sensor ID = 4
sguil: last cid = 0
Node unique name is: sensor:eth0
ERROR: database: mysql_error: Can't connect to local MySQL server through socket '/tmp/mysql.sock' (2)
Fatal Error, Quitting..
The socket file is located in /var/lib/mysql so I guess my next question is how do I direct Barnyard to look for this
file instead of /tmp/mysql.sock which does not exist in this box? Is there anything in the conf file that will do
that? The my.cnf file is showing the correct location of the socket file for mysql client. I checked to see if Mysql
is running:
[root@10 ~]# service mysqld status
mysqld.service - SYSV: MySQL database server.
Loaded: loaded (/etc/rc.d/init.d/mysqld)
Active: active (running) since Fri, 22 Jul 2011 09:16:35 -0400; 2h 25min ago
Process: 1010 ExecStart=/etc/rc.d/init.d/mysqld start (code=exited, status=0/SUCCESS)
Main PID: 1257 (mysqld)
CGroup: name=systemd:/system/mysqld.service
├ 1049 /bin/sh /usr/bin/mysqld_safe --datadir=/var/lib/mysql --socket=/var/lib/mysql/mysql.sock
--pid-file=/var/run/mysqld/mysqld.pid --basedir=/usr --us...
└ 1257 /usr/libexec/mysqld --basedir=/usr --datadir=/var/lib/mysql
--plugin-dir=/usr/lib64/mysql/plugin --user=mysql --log-error=/var/log/mysqld.log --pi...
[root@10 ~]#
Am I missing something here?
Thanks,
Jeff
-----Original Message-----
From: James Lay [mailto:jlay () slave-tothe-box net]
Sent: Friday, July 22, 2011 9:00 AM
To: Aycock, Jeff R.; Snort
Subject: Re: [Snort-users] Barnyard2 startup issue
From: "Aycock, Jeff R." <JEFF.R.AYCOCK () saic com>
Date: Fri, 22 Jul 2011 08:06:17 -0400
To: Snort <snort-users () lists sourceforge net>
Subject: [Snort-users] Barnyard2 startup issue
Running in Continuous mode
--== Initializing Barnyard2 ==--
Initializing Input Plugins!
Initializing Output Plugins!
Parsing config file "/etc/snort/barnyard2.conf"
....
....
sguil: Connected to localhost on 7735.
ERROR: Connecton closed by client
sguil: Connected to localhost on 7735.
ERROR: Connecton closed by client
sguil: Connected to localhost on 7735.
ERROR: Connecton closed by client
....
....
Jeff,
As much as I appreciated Sguil's desire to go under a different user and
what not, just for testing this thing out it seemed like it took over my
already installed snort. Here's what I did to get (limited) success:
Created dir /opt/bin/sguil and slapped all the executable scripts there
Created dir /opt/etc/sguild and put all the sguild.* config files as well
as the certs and lib dir, and autocat.conf
Created dir /opt/etc/sguild_agents and put all the agent conf files in
there
sguild:
total 64
-rw-r--r-- 1 root root 2167 2011-07-09 09:18 autocat.conf
drwxr-xr-x 2 root root 4096 2011-07-09 14:35 certs
drwxr-xr-x 2 root root 4096 2011-07-09 14:45 lib
-rwxr-xr-x 1 root root 27498 2011-07-09 09:18 sguild
-rw-r--r-- 1 root root 1286 2011-07-09 09:18 sguild.access
-rw-r--r-- 1 root root 2669 2011-07-12 18:44 sguild.conf
-rw-r--r-- 1 root root 2992 2011-07-09 09:18 sguild.email
-rw-r--r-- 1 root root 789 2011-07-09 09:18 sguild.queries
-rw-r--r-- 1 root root 2992 2011-07-09 09:18 sguild.reports
-rw-r--r-- 1 root root 344 2011-07-09 09:18 sguild.users
sguild_agents:
total 28
-rw-r--r-- 1 root root 761 2011-07-10 08:38 example_agent.conf
-rw-r--r-- 1 root root 961 2011-07-10 08:38 pads_agent.conf
-rw-r--r-- 1 root root 1661 2011-07-10 08:38 pcap_agent.conf
-rw-r--r-- 1 root root 1839 2011-07-10 08:38 pcap_agent-sancp.conf
-rw-r--r-- 1 root root 1279 2011-07-10 08:38 sancp_agent.conf
-rw-r--r-- 1 root root 896 2011-07-10 08:38 sancp-indexed.conf
-rw-r--r-- 1 root root 1676 2011-07-12 19:01 snort_agent.conf
I'd run all these in separate consoles in the foreground so you can see
what's going on... change dirs to suit your needs:
sudo /opt/bin/snort -i eth1 -c /opt/etc/snort/sguilsnort.conf
sudo /opt/bin/sguil/sguild -c /opt/etc/snort/sguild/sguild.conf -C /opt/etc/snort/sguild/certs -a /opt/etc/snort/sguild/autocat.conf -g /opt/etc/snort/sguild/sguild.queries -A /opt/etc/snort/sguild/sguild.access
sudo /opt/bin/sguil/snort_agent.tcl -c /opt/etc/snort/sguild_agents/snort_agent.conf
sudo barnyard2 -c /opt/etc/snort/barnyard2.conf -d /var/log/snort -f sguil.u2 -w /var/log/snort/sguil.waldo
Sguild.conf:
set SGUILD_LIB_PATH /opt/etc/snort/sguild/lib
set DEBUG 2
set DAEMON 0
set SYSLOGFACILITY daemon
set SENSOR_AGGREGATION_ON 1
set SERVERPORT 7734
set SENSORPORT 7736
set RULESDIR /opt/etc/snort/rules
set TMPDATADIR /tmp
set DBNAME sguildb
set DBPASS "yourpass"
set DBHOST localhost
set DBPORT 3306
set DBUSER sguil
set LOCAL_LOG_DIR /var/log/snort/sguild_archive
set TMP_LOAD_DIR /tmp/load
set TCPFLOW "/usr/bin/tcpflow"
set P0F 1
set P0F_PATH "/usr/sbin/p0f"
sguild_agent.conf:
set DEBUG 1
set DAEMON 0
set SERVER_HOST localhost
set SERVER_PORT 7736
set BY_PORT 7735
set HOSTNAME gateway
set NET_GROUP Ext_Net
set LOG_DIR /var/log/snort
set PORTSCAN 0
set PORTSCAN_DIR ${LOG_DIR}/portscans
set SNORT_PERF_STATS 1
set SNORT_PERF_FILE "${LOG_DIR}/snort.stats"
set WATCH_DIR ${LOG_DIR}
set PS_CHECK_DELAY_IN_MSECS 10000
set DISK_CHECK_DELAY_IN_MSECS 1800000
set PING_DELAY 300000
barnyard2.conf:
config reference_file: /opt/etc/snort/reference.config
config classification_file: /opt/etc/snort/classification.config
config gen_file: /opt/etc/snort/gen-msg.map
config sid_file: /opt/etc/snort/sid-msg.map
config hostname: gateway
config interface: eth1
input unified2
output alert_fast: stdout
output sguil: agent_port=7735, sensor_name=gateway
Sguilsnort.conf areas pertaining to sguil:
preprocessor perfmonitor: time 300 file /var/log/snort/snort.stats pktcnt 10000
output alert_syslog: LOG_AUTH LOG_ALERT
output alert_fast: /var/log/snort/sguil.fast
output log_tcpdump: /var/log/snort/sguil.pcap
output unified2: filename /var/log/snort/sguil.u2
Alas, even after the amazing PITA it was to have to manually compile all
the tcl stuff (Ubuntu's tcl packages are all threaded, which sguil isn't),
I still don't really run it.... the tcl interface on a 2.93 GHz Intel Core
i7 Mac runs slow as dirt. Good luck!
James
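The socket error in Jeff's paste is a path mismatch, not a down server: the status output shows mysqld_safe started with --socket=/var/lib/mysql/mysql.sock, while the client library inside barnyard2 opened /tmp/mysql.sock and got errno 2 (ENOENT). The script below is an added example, not code from this thread or from Barnyard2/Sguil. It reproduces the diagnosis on a constructed my.cnf and prints the two fixes: point barnyard2 at an address rather than "localhost" so libmysqlclient uses TCP instead of a Unix socket, or give the client the path it expects with a symlink. The `output database:` line it prints uses barnyard2's real option names, but the user/password/dbname values are placeholders, and the assumption that barnyard2 falls back to the library's compiled-in socket path rests only on the error text above.

```shell
#!/bin/sh
# Added example, not code from the thread: reproduce the mismatch behind
# "Can't connect to local MySQL server through socket '/tmp/mysql.sock' (2)"
# (errno 2 = ENOENT: the client opened a path that does not exist) and show
# the two ways out. The my.cnf text below is constructed for the example.

# Print the socket= value from one section of a my.cnf-style file.
# usage: cnf_socket FILE SECTION    (e.g. cnf_socket /etc/my.cnf mysqld)
cnf_socket() {
    awk -v want="[$2]" '
        /^[[:space:]]*\[/ { line = $0; gsub(/[[:space:]]/, "", line); insec = (line == want); next }
        insec && /^[[:space:]]*socket[[:space:]]*=/ { sub(/^[^=]*=[[:space:]]*/, ""); print; exit }
    ' "$1"
}

# Where does libmysqlclient look on Unix? With no host or host=localhost it
# opens a socket: the one the program configured, else the compiled-in default
# (here the /tmp/mysql.sock from the error). Any other host name or address
# means TCP and no socket at all.
# usage: client_socket_path HOST DEFAULT_SOCKET  -> prints a path, or "tcp"
client_socket_path() {
    host=$1; default=$2
    if [ -z "$host" ] || [ "$host" = "localhost" ]; then
        printf '%s\n' "$default"
    else
        printf 'tcp\n'
    fi
}

# Compare what the client will open with what the server listens on.
# Returns 0 when they agree (or the client uses TCP), 1 on a mismatch.
# usage: socket_check CLIENT_PATH_OR_tcp SERVER_PATH
socket_check() {
    client=$1; server=$2
    if [ "$client" = tcp ] || [ "$client" = "$server" ]; then
        echo "ok: client uses $client, server listens on $server"
        return 0
    fi
    echo "mismatch: client opens $client, server listens on $server"
    echo "fix 1 (barnyard2.conf): name an address, not 'localhost', so the client uses TCP:"
    echo "    output database: log, mysql, user=snort password=... dbname=snort host=127.0.0.1 port=3306"
    echo "fix 2 (host side, works whether or not the program reads my.cnf): ln -s $server $client"
    return 1
}

# Demo on a constructed my.cnf matching the mysqld_safe arguments in the thread.
cnf=$(mktemp)
cat > "$cnf" <<'EOF'
[mysqld]
datadir=/var/lib/mysql
socket=/var/lib/mysql/mysql.sock
[client]
socket=/var/lib/mysql/mysql.sock
EOF
server=$(cnf_socket "$cnf" mysqld)
socket_check "$(client_socket_path localhost /tmp/mysql.sock)" "$server" || :
socket_check "$(client_socket_path 127.0.0.1 /tmp/mysql.sock)" "$server"
rm -f "$cnf"
```

On a box with the MySQL development package installed, `mysql_config --socket` prints the compiled-in default the client library falls back to, which is the quickest way to confirm which path a program that ignores my.cnf will try. Separately, and visible in the listing above rather than related to the socket error: sguild.conf carries the database password in clear (DBPASS) and is mode 0644, so any local user can read it; chmod it 0600 and own it by whichever user runs sguild.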
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
Please see http://www.snort.org/docs for documentation
Current thread:
- Barnyard2 startup issue Aycock, Jeff R. (Jul 22)
- Re: Barnyard2 startup issue James Lay (Jul 22)
- Re: Barnyard2 startup issue Aycock, Jeff R. (Jul 22)
- Re: Barnyard2 startup issue Lay, James (Jul 22)
- Re: Barnyard2 startup issue beenph (Jul 22)
- Re: Barnyard2 startup issue Aycock, Jeff R. (Jul 22)
- Re: Barnyard2 startup issue James Lay (Jul 22)
