Re: Snort Install successful - Need a proper database

[k vijay sai prashanth <vijaysaiprashanth () gmail com>]

I have got some events now. But the count seems to be stuck at a specific
value.

Will restart snort and update the status.

Regards,
Prashanth


On Wed, Nov 21, 2012 at 9:09 PM, k vijay sai prashanth <
vijaysaiprashanth () gmail com> wrote:

> Is it also critical to change the below variables in  barnyard2.conf??
>
> config hostname: localhost config interface: eth2
>
> I have executed all of these configurations. Still no events in mysql
> database. :(
>
> Where could I be going wrong?
>
> And what is the command for having snort run as a background process
> [daemon] and restart when the server restarts?
>
>
> Regards,
> Prashanth
>
>
> On Wed, Nov 21, 2012 at 8:28 AM, Ron Sinclair <unixfool () gmail com> wrote:
>
> > I also forgot to add that snort.conf might also need some editing,
> > specifically the "configure output plugins" section:
> >
> > Edit the "unified2" section to your liking.  I use:
> >
> > output unified2: filename snort.u2, limit 128
> >
> > Edit the database section.  Specifically, comment out "include
> > database.conf" (I think it's uncommented by default).  That way, it
> > disables the plugin for Snort (BY2 will be configured with the database
> > details so that it can input the alerts into the database).
> >
> > --
> > Ron
> >
> >
> > On Tue, Nov 20, 2012 at 9:02 PM, Ron Sinclair <unixfool () gmail com> wrote:
> >
> > > Prashanth,
> > >
> > > I use the same BY2 startup command as you, so I think you're OK with
> > > that.
> > >
> > > In barnyard.conf, I've used the following (I edited only those, and left
> > > everything else as default, for now):
> > >
> > > ===
> > > output alert_fast: stdout
> > >
> > > output database: alert, mysql, user=snort password=xxxxxx dbname=snort
> > > host=localhost
> > > ===
> > >
> > > When I test, I usually test via browser or telnet:
> > >
> > > http://localhost/root.exe (or cmd.exe)
> > > telnet localhost root.exe (or cmd.exe)
> > >
> > > Those two commands will trigger CodeRed or Nimda sigs, if they're
> > > enabled.  If not enabled, I'll sometimes run a simple Nmap scan (nmap
> > > localhost) if I don't have any luck with the previous commands, which
> > > triggers SNMP sigs for me.  I then check the database, and I usually see
> > > the triggered signatures.
> > >
> > > I hope that helps.
> > >
> > > --
> > > Ron
> > >
> > >
> > > On Tue, Nov 20, 2012 at 4:57 PM, k vijay sai prashanth <
> > > vijaysaiprashanth () gmail com> wrote:
> > >
> > > > Yes. I've made sure that snort is functioning properly and logging
> > > > alerts onto the snort.log files.
> > > >
> > > > Barnyard2 is working too. When I enter the command which I got from an
> > > > installation guide:
> > > >
> > > > /usr/local/bin/barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort
> > > > -f snort.log -w /etc/snort/bylog.waldo -G /etc/snort/gen-msg.map -S
> > > > /etc/snort/sid-msg.map -C /etc/snort/classification.config
> > > >
> > > > I get an output shown below:
> > > >
> > > >  --== Initialization Complete ==--
> > > >
> > > >   ______   -*> Barnyard2 <*-
> > > >  / ,,_  \  Version 2.1.9 (Build 263)
> > > >  |o"  )~|  By the SecurixLive.com Team:
> > > > http://www.securixlive.com/about.php
> > > >  + '''' +  (C) Copyright 2008-2010 SecurixLive.
> > > >
> > > >            Snort by Martin Roesch & The Snort Team:
> > > > http://www.snort.org/team.html
> > > >            (C) Copyright 1998-2007 Sourcefire Inc., et al.
> > > >
> > > > Using waldo file '/etc/snort/bylog.waldo':
> > > >     spool directory = /var/log/snort
> > > >     spool filebase  = snort.log
> > > >     time_stamp      = 1353441428
> > > >     record_idx      = 25592
> > > > Opened spool file '/var/log/snort/snort.log.1353441428'
> > > >
> > > >
> > > > But I see that the mysql tables are still empty. Can someone tell me
> > > > how to have barnyard2 log events into the tables?
> > > > I've compiled barnyard2 with mysql. [./configure --with-mysql]
> > > >
> > > > Regards,
> > > > Prashanth
> > > >
> > > >
> > > > ------------------------------------------------------------------------------
> > > > Monitor your physical, virtual and cloud infrastructure from a single
> > > > web console. Get in-depth insight into apps, servers, databases, vmware,
> > > > SAP, cloud infrastructure, etc. Download 30-day Free Trial.
> > > > Pricing starts from $795 for 25 servers or applications!
> > > > http://p.sf.net/sfu/zoho_dev2dev_nov
> > > > _______________________________________________
> > > > Snort-users mailing list
> > > > Snort-users () lists sourceforge net
> > > > Go to this URL to change user options or unsubscribe:
> > > > https://lists.sourceforge.net/lists/listinfo/snort-users
> > > > Snort-users list archive:
> > > > http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
> > > >
> > > > Please visit http://blog.snort.org to stay current on all the latest
> > > > Snort news!
------------------------------------------------------------------------------
Monitor your physical, virtual and cloud infrastructure from a single
web console. Get in-depth insight into apps, servers, databases, vmware,
SAP, cloud infrastructure, etc. Download 30-day Free Trial.
Pricing starts from $795 for 25 servers or applications!
http://p.sf.net/sfu/zoho_dev2dev_nov

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!