Snort mailing list archives

Re: Daq not getting installed.


From: k vijay sai prashanth <vijaysaiprashanth () gmail com>
Date: Tue, 27 Nov 2012 23:46:07 +0530

It did run in continuous mode. Find the logs below and let me know if there
is anything that's not in place.


[root@usrhsnort snort]# /usr/local/bin/barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort -f snort.log -w /etc/snort/bylog.waldo -G /etc/snort/gen-msg.map -S /etc/snort/sid-msg.map -C /etc/snort/classification.config
Running in Continuous mode

        --== Initializing Barnyard2 ==--
Initializing Input Plugins!
Initializing Output Plugins!
Parsing config file "/etc/snort/barnyard2.conf"
Log directory = /var/log/barnyard2
database: compiled support for (mysql)
database: configured to use mysql
database: schema version = 107
database:           host = localhost
database:           user = snort
database:  database name = snort
database:    sensor name = localhost:eth2
database:      sensor id = 2
database:     sensor cid = 1
database:  data encoding = hex
database:   detail level = full
database:     ignore_bpf = no
database: using the "log" facility

        --== Initialization Complete ==--

  ______   -*> Barnyard2 <*-
 / ,,_  \  Version 2.1.9 (Build 263)
 |o"  )~|  By the SecurixLive.com Team: http://www.securixlive.com/about.php
 + '''' +  (C) Copyright 2008-2010 SecurixLive.

           Snort by Martin Roesch & The Snort Team:
http://www.snort.org/team.html
           (C) Copyright 1998-2007 Sourcefire Inc., et al.

WARNING: Unable to open waldo file '/etc/snort/bylog.waldo' (No such file or directory)
Opened spool file '/var/log/snort/snort.log.1353617809'
Closing spool file '/var/log/snort/snort.log.1353617809'. Read 0 records
Opened spool file '/var/log/snort/snort.log.1353697635'
Closing spool file '/var/log/snort/snort.log.1353697635'. Read 0 records
Opened spool file '/var/log/snort/snort.log.1353707432'
Closing spool file '/var/log/snort/snort.log.1353707432'. Read 0 records
Opened spool file '/var/log/snort/snort.log.1353710475'
Closing spool file '/var/log/snort/snort.log.1353710475'. Read 0 records
Opened spool file '/var/log/snort/snort.log.1353710547'
Closing spool file '/var/log/snort/snort.log.1353710547'. Read 0 records
Opened spool file '/var/log/snort/snort.log.1353965598'
Closing spool file '/var/log/snort/snort.log.1353965598'. Read 0 records
Opened spool file '/var/log/snort/snort.log.1353965787'
Closing spool file '/var/log/snort/snort.log.1353965787'. Read 0 records
Opened spool file '/var/log/snort/snort.log.1353969012'
Closing spool file '/var/log/snort/snort.log.1353969012'. Read 0 records
Opened spool file '/var/log/snort/snort.log.1354036147'
Closing spool file '/var/log/snort/snort.log.1354036147'. Read 0 records
Opened spool file '/var/log/snort/snort.log.1354039300'
Waiting for new data

I get the above kind of message in one sensor.



On Tue, Nov 27, 2012 at 2:15 AM, k vijay sai prashanth <vijaysaiprashanth () gmail com> wrote:

Could you tell me what's the command to start barnyard in continuous mode
and daemon mode?

This is the command that I've used, which I got from an installation guide.

/usr/local/bin/barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort -f snort.log -w /etc/snort/bylog.waldo -G /etc/snort/gen-msg.map -S /etc/snort/sid-msg.map -C /etc/snort/classification.config

Regards,
Prashanth


On Sat, Nov 24, 2012 at 4:25 AM, Jeremy Hoel <jthoel () gmail com> wrote:

Are you running by2 in continuous mode?

What's the startup script/command/options you are using and what
outputs do you have in by2?

You should see it, when it starts, listing that it's running in
Continuous and daemon mode.

Nov 23 22:40:58 st001 barnyard2[25881]: Running in Continuous mode
Nov 23 22:40:58 st001 barnyard2[25881]:
Nov 23 22:40:58 st001 barnyard2[25881]:         --== Initializing Barnyard2 ==--
Nov 23 22:40:58 st001 barnyard2[25881]: Initializing Input Plugins!
Nov 23 22:40:58 st001 barnyard2[25881]: Initializing Output Plugins!
Nov 23 22:40:58 st001 barnyard2[25881]: Parsing config file "/etc/snort/barnyard2.conf"
Nov 23 22:41:14 st001 barnyard2[25881]: Log directory = /var/log/snort/
Nov 23 22:41:14 st001 barnyard2[25881]: Initializing daemon mode
Nov 23 22:41:14 st001 barnyard2[25881]: Daemon parent exiting
Nov 23 22:41:14 st001 barnyard2[25883]: Daemon initialized, signaled parent pid: 25881
Nov 23 22:41:14 st001 barnyard2[25883]: PID path stat checked out ok, PID path set to /var/run/
Nov 23 22:41:14 st001 barnyard2[25883]: Writing PID "25883" to file "/var/run//barnyard2_eth1.pid"



On Fri, Nov 23, 2012 at 10:52 PM, k vijay sai prashanth <vijaysaiprashanth () gmail com> wrote:
So get this. I have snort installed and functioning. My test rule generates
traffic. Barnyard2 also did read files and show on the screen.

 --== Initialization Complete ==--

  ______   -*> Barnyard2 <*-
 / ,,_  \  Version 2.1.9 (Build 263)
 |o"  )~|  By the SecurixLive.com Team:
http://www.securixlive.com/about.php
 + '''' +  (C) Copyright 2008-2010 SecurixLive.

           Snort by Martin Roesch & The Snort Team:
http://www.snort.org/team.html
           (C) Copyright 1998-2007 Sourcefire Inc., et al.

Using waldo file '/etc/snort/bylog.waldo':
    spool directory = /var/log/snort
    spool filebase  = snort.log
    time_stamp      = 1353533911
    record_idx      = 40
Opened spool file '/var/log/snort/snort.log.1353533911'
Closing spool file '/var/log/snort/snort.log.1353533911'. Read 40 records
Opened spool file '/var/log/snort/snort.log.1353688568'
Closing spool file '/var/log/snort/snort.log.1353688568'. Read 0 records
Opened spool file '/var/log/snort/snort.log.1353698765'
Closing spool file '/var/log/snort/snort.log.1353698765'. Read 0 records
Opened spool file '/var/log/snort/snort.log.1353699211'
Closing spool file '/var/log/snort/snort.log.1353699211'. Read 0 records
Opened spool file '/var/log/snort/snort.log.1353699244'
 ***showed some output onto the screen here ***
Closing spool file '/var/log/snort/snort.log.1353699244'. Read 206 records
Opened spool file '/var/log/snort/snort.log.1353699581'
Closing spool file '/var/log/snort/snort.log.1353699581'. Read 0 records
Opened spool file '/var/log/snort/snort.log.1353705065'
Closing spool file '/var/log/snort/snort.log.1353705065'. Read 0 records
Opened spool file '/var/log/snort/snort.log.1353707845'
Closing spool file '/var/log/snort/snort.log.1353707845'. Read 0 records
Opened spool file '/var/log/snort/snort.log.1353709641'
Closing spool file '/var/log/snort/snort.log.1353709641'. Read 0 records
Opened spool file '/var/log/snort/snort.log.1353709666'
Waiting for new data

===============================================================================
Record Totals:
   Records:          246
    Events:          107 (43.496%)
   Packets:          136 (55.285%)

===============================================================================
Packet breakdown by protocol (includes rebuilt packets):
      ETH: 136        (100.000%)
  ETHdisc: 0          (0.000%)
     VLAN: 0          (0.000%)
     IPV6: 0          (0.000%)
  IP6 EXT: 0          (0.000%)
  IP6opts: 0          (0.000%)
  IP6disc: 0          (0.000%)
      IP4: 136        (100.000%)
  IP4disc: 0          (0.000%)
    TCP 6: 0          (0.000%)
    UDP 6: 0          (0.000%)
    ICMP6: 0          (0.000%)
  ICMP-IP: 0          (0.000%)
      TCP: 33         (24.265%)
      UDP: 0          (0.000%)
     ICMP: 103        (75.735%)
  TCPdisc: 0          (0.000%)
  UDPdisc: 0          (0.000%)
  ICMPdis: 0          (0.000%)
     FRAG: 0          (0.000%)
   FRAG 6: 0          (0.000%)
      ARP: 0          (0.000%)
    EAPOL: 0          (0.000%)
  ETHLOOP: 0          (0.000%)
      IPX: 0          (0.000%)
    OTHER: 0          (0.000%)
  DISCARD: 0          (0.000%)
InvChkSum: 0          (0.000%)
   S5 G 1: 0          (0.000%)
   S5 G 2: 0          (0.000%)
    Total: 136

===============================================================================


But I see that the events in the mysql database are not increasing. What's the
situation? I have a continual ping going on in the background which should
trigger my test rule. Why is the database not increasing?

Regards,
Prashanth


On Sat, Nov 24, 2012 at 4:14 AM, Jeremy Hoel <jthoel () gmail com> wrote:

Basically yes.. but they are two different apps and you can choose to
run either, both or none in daemon mode.  They don't depend on each
other for that.

snort in daemon mode, if the unified2 output is used, will write u2
files using the file structure you specify in the snort.conf for the
unified2 output.

by2 will read the files you tell it to and when a new one gets
written, it will close the old one and archive it (if desired) and
then continue reading and acting on the u2 files, updating its waldo
file as it goes.




On Fri, Nov 23, 2012 at 10:38 PM, k vijay sai prashanth <vijaysaiprashanth () gmail com> wrote:
Jeremy,

So if I run snort and barnyard2 in daemon mode, snort will keep
alerting and Barnyard2 will keep feeding the alerts to the database,
right?

Regards,
Prashanth


On Sat, Nov 24, 2012 at 2:45 AM, Jeremy Hoel <jthoel () gmail com> wrote:

Good deal.


On Fri, Nov 23, 2012 at 8:09 PM, k vijay sai prashanth <vijaysaiprashanth () gmail com> wrote:
Ran ldconfig, got it installed. Thanks a lot mate. :) Appreciate the
help.

Regards,
Prashanth


On Sat, Nov 24, 2012 at 1:31 AM, k vijay sai prashanth <vijaysaiprashanth () gmail com> wrote:

I don't get anything doing ldconfig -p | grep libpcap

How do I get libpcap installed?

Regards,
Prashanth


On Fri, Nov 23, 2012 at 11:41 PM, Jeremy Hoel <jthoel () gmail com> wrote:

Quick note.. that should be 'ldconfig -p |grep libpcap'

libpcap.. not lubpcap.

:-)


On Fri, Nov 23, 2012 at 5:52 PM, Jeremy Hoel <jthoel () gmail com> wrote:
After you installed libpcap, did you run ldconfig?

'ldconfig -p |grep lubpcap' should return at least one result.


On Fri, Nov 23, 2012 at 5:46 PM, k vijay sai prashanth <vijaysaiprashanth () gmail com> wrote:
Hello All,

I have two IDS servers with RHEL 5 installed on each. I have installed
libpcap-1.3.0, daq-1.1.1 and snort-2.9.3.1 on one, while on the other I was
able to install libpcap-1.3.0 from source, but when I try to install
daq-1.1.1 by ./configure I get exited with the below error message.

checking for pcap.h... (cached) yes
checking for pcap_lib_version... checking for pcap_lib_version in -lpcap... (cached) yes
checking for libpcap version >= "1.0.0"... no

    ERROR!  Libpcap library version >= 1.0.0  not found.
    Get it from http://www.tcpdump.org

I did install libpcap-1.3.0 but when I give the below command I got nothing:

"rpm -qa | grep libpcap"

When I do a "locate pcap.h" it's not found. But I am able to manually
navigate to the file at /usr/local/src/libpcap-1.3.0. It seems to have no
execute rights. Does this matter?

Why is this failing? What can I do to get daq-1.1.1 installed? Are there any
other dependencies which I am missing to fully install libpcap-1.3.0? Please
advise.

Regards,
Prashanth





------------------------------------------------------------------------------
Monitor your physical, virtual and cloud infrastructure from a single
web console. Get in-depth insight into apps, servers, databases, vmware,
SAP, cloud infrastructure, etc. Download 30-day Free Trial.
Pricing starts from $795 for 25 servers or applications!
http://p.sf.net/sfu/zoho_dev2dev_nov
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!

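The pipeline Jeremy describes above (snort appends unified2 records to snort.log.<timestamp>, barnyard2 reads them and remembers how far it got in the waldo's record_idx) and the "Read N records" / "Record Totals" output Prashanth posted are both modelled by the following added example. It is not barnyard2's or Snort's code; the record layouts follow the public unified2 format (type 7 legacy IPv4 IDS event with a 52-byte body, type 2 packet with a 28-byte header), the helper names (iter_records, read_spool, proto_breakdown) are this example's own, and the spool bytes are constructed here rather than captured from a sensor.

```python
"""Added example: a minimal unified2 spool reader with waldo-style resume.

Not barnyard2's code. Record layouts follow the public unified2 format;
the sample spool at the bottom is constructed for the demonstration.
"""
import struct
from collections import Counter
from dataclasses import dataclass

# Record type codes from the unified2 format.
UNIFIED2_PACKET = 2
UNIFIED2_IDS_EVENT = 7          # legacy IPv4 IDS event, 52-byte body

# All unified2 fields are big-endian (network byte order).
RECORD_HDR = struct.Struct("!II")                   # type, length
IDS_EVENT = struct.Struct("!IIIIIIIIIIIHHBBBB")     # Serial_Unified2IDSEvent_legacy
PACKET_HDR = struct.Struct("!IIIIIII")              # Serial_Unified2Packet header

PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}


@dataclass
class Event:
    sensor_id: int
    event_id: int
    event_second: int
    generator_id: int
    signature_id: int
    src: str
    dst: str
    protocol: int


def ip_to_int(dotted):
    return int.from_bytes(bytes(int(p) for p in dotted.split(".")), "big")


def int_to_ip(n):
    return ".".join(str((n >> s) & 0xFF) for s in (24, 16, 8, 0))


def iter_records(data, start_idx=0):
    """Yield (index, type, body) for each complete record in the spool.

    Records below start_idx are skipped, which is how a saved record index
    lets a restarted reader continue without re-inserting old events. A
    trailing partial record (snort mid-write) ends the pass; the caller then
    waits for new data, as barnyard2 does.
    """
    off, idx = 0, 0
    while off + RECORD_HDR.size <= len(data):
        rtype, length = RECORD_HDR.unpack_from(data, off)
        body_start = off + RECORD_HDR.size
        if body_start + length > len(data):
            break
        if idx >= start_idx:
            yield idx, rtype, data[body_start:body_start + length]
        off = body_start + length
        idx += 1


def parse_event(body):
    f = IDS_EVENT.unpack_from(body)
    return Event(sensor_id=f[0], event_id=f[1], event_second=f[2],
                 generator_id=f[5], signature_id=f[4],
                 src=int_to_ip(f[9]), dst=int_to_ip(f[10]), protocol=f[13])


def read_spool(data, start_idx=0):
    """Return (totals, events, next_idx); totals mirror barnyard2's Record Totals."""
    totals = {"records": 0, "events": 0, "packets": 0}
    events, next_idx = [], start_idx
    for idx, rtype, body in iter_records(data, start_idx):
        totals["records"] += 1
        if rtype == UNIFIED2_IDS_EVENT and len(body) >= IDS_EVENT.size:
            totals["events"] += 1
            events.append(parse_event(body))
        elif rtype == UNIFIED2_PACKET:
            totals["packets"] += 1
        next_idx = idx + 1          # what the waldo would store as record_idx
    return totals, events, next_idx


def proto_breakdown(events):
    """Count events per IP protocol, like the ICMP/TCP lines in the breakdown."""
    return dict(Counter(PROTO_NAMES.get(e.protocol, str(e.protocol)) for e in events))


# --- constructed sample spool (not captured from a real sensor) ---------------
def build_event(event_id, second, sid, src, dst, proto, sport=0, dport=0):
    body = IDS_EVENT.pack(1, event_id, second, 0, sid, 1, 1, 0, 1,
                          ip_to_int(src), ip_to_int(dst), sport, dport, proto, 0, 0, 0)
    return RECORD_HDR.pack(UNIFIED2_IDS_EVENT, len(body)) + body


def build_packet(event_id, second, payload):
    body = PACKET_HDR.pack(1, event_id, second, second, 0, 1, len(payload)) + payload
    return RECORD_HDR.pack(UNIFIED2_PACKET, len(body)) + body


SAMPLE_SPOOL = (
    build_event(1, 1353699244, 1000001, "10.0.0.5", "10.0.0.1", 1)   # ICMP test-rule alert
    + build_packet(1, 1353699244, b"\x08\x00" + b"\x00" * 30)
    + build_event(2, 1353699245, 1000001, "10.0.0.5", "10.0.0.1", 1)
    + build_packet(2, 1353699245, b"\x08\x00" + b"\x00" * 30)
    + build_event(3, 1353699246, 1000002, "10.0.0.5", "10.0.0.1", 6, 43123, 22)
    + RECORD_HDR.pack(UNIFIED2_IDS_EVENT, IDS_EVENT.size) + b"\x00" * 10   # partial write
)

if __name__ == "__main__":
    waldo_idx = 0                                   # no waldo file: start at record 0
    totals, events, waldo_idx = read_spool(SAMPLE_SPOOL, waldo_idx)
    print(f"Read {totals['records']} records: {totals}")
    print("breakdown:", proto_breakdown(events), "next record_idx:", waldo_idx)
    # A second pass from the saved index re-reads nothing until snort appends more.
    print("resume:", read_spool(SAMPLE_SPOOL, waldo_idx)[0])
```

The partial record at the end of the constructed spool is the case continuous mode exists for: the reader stops at the last complete record, keeps the index, and picks up from there on the next pass. Without a saved index (the "Unable to open waldo file" warning at the top of the thread) there is nothing to resume from, so barnyard2 walks the spool files from the oldest, which is what the top post's log shows.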
