Snort mailing list archives

Re: snort 2.9.6.2 unified2


From: Sharif Uddin <Sharif.Uddin () spectrumasa com>
Date: Tue, 23 Sep 2014 10:32:31 +0000

I see it's erroring on your waldo file

'/var/log/barnyard2/barnyard2.waldo'


Change the waldo file path to point to /var/log/snort/


Make sure permissions are all correct on /var/log/snort/






-----Original Message-----
From: John Hally [mailto:JHally () EBSCO COM]
Sent: 23 September 2014 11:18
To: Sharif Uddin; Shirkdog
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] snort 2.9.6.2 unified2

I've tried all different filenames, nothing seems to work.

barnyard2 will recognize files with snort.log.##### format (which snort logs to when starting with -A), but does not 
recognize the file if started w/o -A:

# ps -aef |grep snort
snort    10516     1 67 Sep22 ?        09:04:04 /usr/local/bin/snort -D -i eth1 -u snort -g snort -c /etc/snort/etc/snort.conf


# ls -l /var/log/snort/
total 1096
-rw------- 1 snort snort 1120079 Sep 23 05:54 snort.log



starting /etc/init.d/barnyard2...
Running in Continuous mode

        --== Initializing Barnyard2 ==--
Initializing Input Plugins!
Initializing Output Plugins!
Parsing config file "/etc/barnyard2/barnyard2.conf"


+[ Signature Suppress list ]+
----------------------------
+[No entry in Signature Suppress List]+
----------------------------
+[ Signature Suppress list ]+

Barnyard2 spooler: Event cache size set to [2048]
Log directory = /var/log/snort
INFO database: Defaulting Reconnect/Transaction Error limit to 10
INFO database: Defaulting Reconnect sleep time to 5 second
database: compiled support for (mysql)
database: configured to use mysql
database: schema version = 107
database:           host = ptfld-sdn-ids-console.epnet.com
database:           user = snort
database:  database name = snortdb
database:    sensor name = sensor-ptfld-sdn01:eth1
database:      sensor id = 1
database:     sensor cid = 21
database:  data encoding = hex
database:   detail level = full
database:     ignore_bpf = no
database: using the "log" facility

        --== Initialization Complete ==--

  ______   -*> Barnyard2 <*-
 / ,,_  \  Version 2.1.13 (Build 327)
 |o"  )~|  By Ian Firns (SecurixLive): http://www.securixlive.com/
 + '''' +  (C) Copyright 2008-2013 Ian Firns <firnsy () securixlive com>

WARNING: Unable to open waldo file '/var/log/barnyard2/barnyard2.waldo'
(No such file or directory)
WARNING: Can't extract timestamp extension from 'snort.log'using base ''
WARNING: Can't extract timestamp extension from '..'using base ''
Waiting for new spool file
WARNING: Can't extract timestamp extension from 'snort.log'using base ''
WARNING: Can't extract timestamp extension from '..'using base ''
WARNING: Can't extract timestamp extension from 'snort.log'using base ''
...





On 9/23/14, 5:47 AM, "Sharif Uddin" <Sharif.Uddin () spectrumasa com> wrote:

Have you tried changing log file name?

I'm assuming the log file gets filled up, since you can process batch
files?


-----Original Message-----
From: John Hally [mailto:JHally () EBSCO COM]
Sent: 23 September 2014 10:41
To: Sharif Uddin; Shirkdog
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] snort 2.9.6.2 unified2

Thanks Sharif,

That line is there, just a typo:
config archivedir: /var/log/barnyard2/archive
config process_new_records_only
input unified2
output database: log, mysql, user=snort password=###### dbname=###### host=####.####.com

Should have been:

config archivedir: /var/log/barnyard2/archive
config process_new_records_only
input unified2
output database: log, mysql, user=snort password=###### dbname=###### host=####.####.com


I've also verified that I can connect to mysql from the snort system
using the credentials, view tables, etc.

I can also manually run barnyard2 in batch mode and process individual
files.



Thanks,

John.





On 9/23/14, 5:32 AM, "Sharif Uddin" <Sharif.Uddin () spectrumasa com> wrote:

In barnyard add

output database: log, mysql, user=root password=*** dbname=snorby host=localhost


make sure mysql is started.


In snort config change the logfile name

output unified2: filename snort.u2, limit 128



start barnyard2 after you have started snort


with

barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort -f snort.u2 -w /tmp/barnyard2.waldo


-----Original Message-----
From: John Hally [mailto:JHally () EBSCO COM]
Sent: 23 September 2014 10:24
To: Shirkdog
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] snort 2.9.6.2 unified2

Hi Michael,

Barnyard config:

config reference_file:      /etc/snort/etc/reference.config
config classification_file: /etc/snort/etc/classification.config
config gen_file:            /etc/snort/etc/gen-msg.map
config sid_file:            /etc/snort/etc/sid-msg.map
config daemon
config logdir: /var/log/snort
config hostname: snort1
config interface:  eth1
config alert_with_interface_name
config waldo_file: /tmp/barnyard2.waldo
config reference_net: 10.0.0.0/8
config archivedir: /var/log/barnyard2/archive
config process_new_records_only
input unified2
output database: log, mysql, user=snort password=###### dbname=###### host=####.####.com



Relevant snort config:

config logdir: /var/log/snort
output unified2: filename snort.log, limit 128, nostamp


Startup of barnyard2:

/usr/local/bin/barnyard2 -u snort -g snort -c /etc/barnyard2/barnyard2.conf -d /var/log/snort -w /var/log/barnyard2/barnyard2.waldo

Startup of snort:

/usr/local/bin/snort -D -i eth1 -u snort -g snort -c /etc/snort/etc/snort.conf


Thanks for the help!

John.


On 9/22/14, 9:40 PM, "Shirkdog" <shirkdog () gmail com> wrote:

Now we need your barnyard config to show that it is reading unified2
format. If your barnyard is 2.1-13 BETA (current git checkout), you
should have this in your conf file

# this is not hard, only unified2 is supported ;)
input unified2

---
Michael Shirk


On Mon, Sep 22, 2014 at 9:18 PM, John Hally <JHally () ebsco com> wrote:
Hi All,

I'm having an issue that I just can't figure out.

I'm trying to combine alerts and logs in unified2 format, which I
have the following in my snort.conf file:

output unified2: filename snort.log, limit 128, nostamp

The issue is when I try to get barnyard2 to process the file. It
seems that if I run snort like the following, barnyard2 reports
that it's waiting for a spool file:

/usr/local/bin/snort -D -i eth1 -u snort -g snort -c /etc/snort/etc/snort.conf

And barnyard2 never finds the snort.log file that is created.


BUT if I run snort this way:

/usr/local/bin/snort -A full -D -i eth1 -u snort -g snort -c /etc/snort/etc/snort.conf

barnyard2 finds the snort.log.##### filename that gets created, but
I think the file format isn't correct.

Sorry if this is more of a barnyard2 issue than snort

Thanks!

John


------------------------------------------------------------------------------
Meet PCI DSS 3.0 Compliance Requirements with EventLog Analyzer
Achieve PCI DSS 3.0 Compliant Status with Out-of-the-box PCI DSS Reports
Are you Audit-Ready for PCI DSS 3.0 Compliance? Download White paper
Comply to PCI DSS 3.0 Requirement 10 and 11.5 with EventLog Analyzer
http://pubads.g.doubleclick.net/gampad/clk?id=154622311&iu=/4140/ostg.clktrk
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!




IMPORTANT - This message and any attached files contain information
intended for the exclusive use of the party or parties to whom it is
addressed and may contain information that is proprietary, privileged,
confidential and/or exempt from disclosure under applicable law. If
you are not an intended recipient, you are hereby notified that any
viewing, copying, disclosure or distribution of this information may
be subject to legal restriction or sanction. Please notify the sender
immediately and delete the original message without making any copies.
Copyright in this email and any attachments belong to Spectrum Geo Limited.
We cannot guarantee the security or confidentiality of email
communications. We do not accept any liability for losses or damages
that you may suffer as a result of your receipt of this email.
Email communication with Spectrum Geo Ltd., may be monitored as
permitted by UK legislation.
Spectrum Geo Limited, is a limited company registered in England and
Wales. Registered number: 1979422. Registered office: 95 Aldwych,
London WC2B 4JF.





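Editor's added example, not code from this thread, from Snort or from barnyard2. The operational point the thread circles around is that a spool file barnyard2 never picks up means alerts that never reach the database or console, with no error beyond the "Waiting for new spool file" and "Can't extract timestamp extension" lines above. The script below makes the two halves of that check concrete: a simplified approximation of barnyard2's continuous-mode file selection (only `<base>.<digits>` names qualify, so a `nostamp` file named plain `snort.log` is rejected, as are the `.` and `..` directory entries that also appear in the warnings), and a minimal reader for the unified2 records themselves, so you can confirm a spool file is well-formed unified2 before blaming the database output plugin. The record layouts (8-byte big-endian type/length header; the 52-byte IDS event record, type 7; the packet record, type 2) are taken from Snort's Unified2_common.h; the directory listing, the event values and the packet bytes are constructed for the demonstration, and the selection function is my approximation, not barnyard2's spooler code.

```python
import re
import socket
import struct

# Record types from Snort's Unified2_common.h (the two a barnyard2 user sees most).
UNIFIED2_PACKET = 2
UNIFIED2_IDS_EVENT = 7

# Serial_Unified2IDSEvent_legacy: eleven u32, two u16, four u8, big-endian (52 bytes).
IDS_EVENT_FMT = ">11I2H4B"
IDS_EVENT_FIELDS = (
    "sensor_id", "event_id", "event_second", "event_microsecond",
    "signature_id", "generator_id", "signature_revision", "classification_id",
    "priority_id", "ip_source", "ip_destination", "sport_itype", "dport_icode",
    "protocol", "impact_flag", "impact", "blocked",
)
# Serial_Unified2Packet header: seven u32, followed by packet_length bytes of packet.
PACKET_FMT = ">7I"


def select_spool_file(names, base, after_timestamp=0):
    """Approximation (not barnyard2's code) of continuous-mode spool selection:
    only '<base>.<digits>' qualifies, and the oldest not-yet-processed timestamp wins.
    Returns (chosen_name_or_None, names_rejected_for_lacking_a_timestamp)."""
    pat = re.compile(r"^%s\.(\d+)$" % re.escape(base))
    ok, rejected = [], []
    for n in names:
        m = pat.match(n)
        if m:
            ok.append((int(m.group(1)), n))
        else:
            rejected.append(n)  # this is the 'Can't extract timestamp extension' case
    ok = [c for c in ok if c[0] >= after_timestamp]
    return (min(ok)[1] if ok else None), rejected


def iter_records(data):
    """Yield (type, body) per record: u32 type, u32 length, then `length` bytes."""
    off = 0
    while off + 8 <= len(data):
        rtype, length = struct.unpack(">II", data[off:off + 8])
        body = data[off + 8:off + 8 + length]
        if len(body) != length:
            raise ValueError("truncated record at offset %d" % off)
        yield rtype, body
        off += 8 + length
    if off != len(data):
        raise ValueError("trailing bytes after last record")


def parse_ids_event(body):
    ev = dict(zip(IDS_EVENT_FIELDS, struct.unpack(IDS_EVENT_FMT, body[:52])))
    for k in ("ip_source", "ip_destination"):
        ev[k] = socket.inet_ntoa(struct.pack(">I", ev[k]))
    return ev


def parse_packet(body):
    hdr = struct.unpack(PACKET_FMT, body[:28])
    return {"event_id": hdr[1], "packet_second": hdr[3], "linktype": hdr[5],
            "packet": body[28:28 + hdr[6]]}


def summarize(data):
    """One dict per record, roughly what an output plugin would hand to the database."""
    out = []
    for rtype, body in iter_records(data):
        if rtype == UNIFIED2_IDS_EVENT:
            out.append(dict(parse_ids_event(body), type="event"))
        elif rtype == UNIFIED2_PACKET:
            out.append(dict(parse_packet(body), type="packet"))
        else:
            out.append({"type": "unknown", "rtype": rtype, "length": len(body)})
    return out


def build_sample_spool():
    """Constructed unified2 bytes: one IDS event plus its packet. All values made up."""
    def ip(s):
        return struct.unpack(">I", socket.inet_aton(s))[0]
    ev = struct.pack(IDS_EVENT_FMT, 1, 42, 1411451640, 0, 1000001, 1, 1, 3, 2,
                     ip("10.1.2.3"), ip("192.168.0.5"), 44321, 80, 6, 0, 0, 0)
    pkt = bytes(range(14)) + b"constructed-payload"  # fake Ethernet header + bytes
    pk = struct.pack(PACKET_FMT, 1, 42, 1411451640, 1411451640, 0, 1, len(pkt)) + pkt
    return (struct.pack(">II", UNIFIED2_IDS_EVENT, len(ev)) + ev
            + struct.pack(">II", UNIFIED2_PACKET, len(pk)) + pk)


if __name__ == "__main__":
    # Constructed listing: a nostamp 'snort.log' beside two timestamped 'snort.u2' files.
    listing = [".", "..", "snort.log", "snort.u2.1411451640", "snort.u2.1411455240"]
    print(select_spool_file(listing, "snort.u2"))
    for rec in summarize(build_sample_spool()):
        print(rec)
```

Run it against a real directory by replacing `listing` with `os.listdir("/var/log/snort")` and feeding `summarize()` the bytes of one spool file; a `ValueError` from `iter_records` on a file Snort is still writing usually just means you read past the last complete record, which is the same situation a waldo file bookmarks.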

