Snort mailing list archives
Re: snort 2.9.6.2 unified2
From: John Hally <JHally () EBSCO COM>
Date: Tue, 23 Sep 2014 14:55:19 +0000
Hi Sharif,

I figured it out; I had “nostamp” set on the unified2 output configuration. Once I removed that, it added the timestamp to the snort.log filename and barnyard2 picked up the file and started sending alerts to MySQL.

Thanks for the help!
John.

On 9/23/14, 6:32 AM, "Sharif Uddin" <Sharif.Uddin () spectrumasa com> wrote:

> I see it's erroring on your waldo file '/var/log/barnyard2/barnyard2.waldo'
>
> Change the waldo file path to point to /var/log/snort/
> Make sure permissions are all correct on /var/log/snort/
>
> -----Original Message-----
> From: John Hally [mailto:JHally () EBSCO COM]
> Sent: 23 September 2014 11:18
> To: Sharif Uddin; Shirkdog
> Cc: snort-users () lists sourceforge net
> Subject: Re: [Snort-users] snort 2.9.6.2 unified2
>
> I've tried all different filenames, nothing seems to work. barnyard2 will recognize files with snort.log.##### format (which snort logs to when starting with -A), but does not recognize the file if started w/o -A:
>
> # ps -aef |grep snort
> snort 10516 1 67 Sep22 ? 09:04:04 /usr/local/bin/snort -D -i eth1 -u snort -g snort -c /etc/snort/etc/snort.conf
>
> # ls -l /var/log/snort/
> total 1096
> -rw------- 1 snort snort 1120079 Sep 23 05:54 snort.log
>
> starting /etc/init.d/barnyard2...
> Running in Continuous mode
>
> --== Initializing Barnyard2 ==--
> Initializing Input Plugins!
> Initializing Output Plugins!
> Parsing config file "/etc/barnyard2/barnyard2.conf"
>
> +[ Signature Suppress list ]+
> ----------------------------
> +[No entry in Signature Suppress List]+
> ----------------------------
> +[ Signature Suppress list ]+
>
> Barnyard2 spooler: Event cache size set to [2048]
> Log directory = /var/log/snort
> INFO database: Defaulting Reconnect/Transaction Error limit to 10
> INFO database: Defaulting Reconnect sleep time to 5 second
> database: compiled support for (mysql)
> database: configured to use mysql
> database: schema version = 107
> database: host = ptfld-sdn-ids-console.epnet.com
> database: user = snort
> database: database name = snortdb
> database: sensor name = sensor-ptfld-sdn01:eth1
> database: sensor id = 1
> database: sensor cid = 21
> database: data encoding = hex
> database: detail level = full
> database: ignore_bpf = no
> database: using the "log" facility
>
> --== Initialization Complete ==--
>
>   ______   -*> Barnyard2 <*-
>  / ,,_  \  Version 2.1.13 (Build 327)
>  |o"  )~|  By Ian Firns (SecurixLive): http://www.securixlive.com/
>  + '''' +  (C) Copyright 2008-2013 Ian Firns <firnsy () securixlive com>
>
> WARNING: Unable to open waldo file '/var/log/barnyard2/barnyard2.waldo' (No such file or directory)
> WARNING: Can't extract timestamp extension from 'snort.log'using base ''
> WARNING: Can't extract timestamp extension from '..'using base ''
> Waiting for new spool file
> WARNING: Can't extract timestamp extension from 'snort.log'using base ''
> WARNING: Can't extract timestamp extension from '..'using base ''
> WARNING: Can't extract timestamp extension from 'snort.log'using base ''
> ...
>
> On 9/23/14, 5:47 AM, "Sharif Uddin" <Sharif.Uddin () spectrumasa com> wrote:
>
> Have you tried changing log file name? I'm assuming the log file gets filled up, since you can process batch files?
>
> -----Original Message-----
> From: John Hally [mailto:JHally () EBSCO COM]
> Sent: 23 September 2014 10:41
> To: Sharif Uddin; Shirkdog
> Cc: snort-users () lists sourceforge net
> Subject: Re: [Snort-users] snort 2.9.6.2 unified2
>
> Thanks Sharif,
>
> That line is there, just a typo:
>
> config archivedir: /var/log/barnyard2/archive
> config process_new_records_only
> input unified2
> output database: log, mysql, user=snort password=###### dbname=###### host=####.####.com
>
> Should have been:
>
> config archivedir: /var/log/barnyard2/archive
> config process_new_records_only
> input unified2
> output database: log, mysql, user=snort password=###### dbname=###### host=####.####.com
>
> I've also verified that I can connect to mysql from the snort system using the credentials, view tables, etc. I can also manually run barnyard2 in batch mode and process individual files.
>
> Thanks,
> John.
>
> On 9/23/14, 5:32 AM, "Sharif Uddin" <Sharif.Uddin () spectrumasa com> wrote:
>
> In barnyard add
>
> output database: log, mysql, user=root password=*** dbname=snorby host=localhost
>
> make sure mysql is started.
>
> In snort config change the logfile name
>
> output unified2: filename snort.u2, limit 128
>
> start barnyard2 after you have started snort with
>
> barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort -f snort.u2 -w /tmp/barnyard2.waldo
>
> -----Original Message-----
> From: John Hally [mailto:JHally () EBSCO COM]
> Sent: 23 September 2014 10:24
> To: Shirkdog
> Cc: snort-users () lists sourceforge net
> Subject: Re: [Snort-users] snort 2.9.6.2 unified2
>
> Hi Michael,
>
> Barnyard config:
>
> config reference_file: /etc/snort/etc/reference.config
> config classification_file: /etc/snort/etc/classification.config
> config gen_file: /etc/snort/etc/gen-msg.map
> config sid_file: /etc/snort/etc/sid-msg.map
> config daemon
> config logdir: /var/log/snort
> config hostname: snort1
> config interface: eth1
> config alert_with_interface_name
> config waldo_file: /tmp/barnyard2.waldo
> config reference_net: 10.0.0.0/8
> config archivedir: /var/log/barnyard2/archive
> config process_new_records_only
> input unified2
> output database: log, mysql, user=snort password=###### dbname=###### host=####.####.com
>
> Relevant snort config:
>
> config logdir: /var/log/snort
> output unified2: filename snort.log, limit 128, nostamp
>
> Startup of barnyard2:
>
> /usr/local/bin/barnyard2 -u snort -g snort -c /etc/barnyard2/barnyard2.conf -d /var/log/snort -w /var/log/barnyard2/barnyard2.waldo
>
> Startup of snort:
>
> /usr/local/bin/snort -D -i eth1 -u snort -g snort -c /etc/snort/etc/snort.conf
>
> Thanks for the help!
> John.
>
> On 9/22/14, 9:40 PM, "Shirkdog" <shirkdog () gmail com> wrote:
>
> Now we need your barnyard config to show that it is reading unified2 format. If your barnyard is 2.1-13 BETA (current git checkout), you should have this in your conf file
>
> # this is not hard, only unified2 is supported ;)
> input unified2
>
> ---
> Michael Shirk
>
> On Mon, Sep 22, 2014 at 9:18 PM, John Hally <JHally () ebsco com> wrote:
>
> Hi All,
>
> I'm having an issue that I just can't figure out. I'm trying to combine alerts and logs in unified2 format, which I have the following in my snort.conf file:
>
> output unified2: filename snort.log, limit 128, nostamp
>
> The issue is when I try to get barnyard2 to process the file. It seems that if I run snort like the following, barnyard2 reports that it's waiting for a spool file:
>
> /usr/local/bin/snort -D -i eth1 -u snort -g snort -c /etc/snort/etc/snort.conf
>
> And barnyard2 never finds the snort.log file that is created. BUT if I run snort this way:
>
> /usr/local/bin/snort -A full -D -i eth1 -u snort -g snort -c /etc/snort/etc/snort.conf
>
> barnyard2 finds the snort.log.##### filename that gets created, but I think the file format isn't correct.
>
> Sorry if this is more of a barnyard2 issue than snort
>
> Thanks!
> John
>
> IMPORTANT - This message and any attached files contain information intended for the exclusive use of the party or parties to whom it is addressed and may contain information that is proprietary, privileged, confidential and/or exempt from disclosure under applicable law. If you are not an intended recipient, you are hereby notified that any viewing, copying, disclosure or distribution of this information may be subject to legal restriction or sanction. Please notify the sender immediately and delete the original message without making any copies.
>
> Copyright in this email and any attachments belong to Spectrum Geo Limited. We cannot guarantee the security or confidentiality of email communications. We do not accept any liability for losses or damages that you may suffer as a result of your receipt of this email. Email communication with Spectrum Geo Ltd., may be monitored as permitted by UK legislation. Spectrum Geo Limited, is a limited company registered in England and Wales. Registered number: 1979422. Registered office: 95 Aldwych, London WC2B 4JF.

------------------------------------------------------------------------------
Meet PCI DSS 3.0 Compliance Requirements with EventLog Analyzer
Achieve PCI DSS 3.0 Compliant Status with Out-of-the-box PCI DSS Reports
Are you Audit-Ready for PCI DSS 3.0 Compliance? Download White paper
Comply to PCI DSS 3.0 Requirement 10 and 11.5 with EventLog Analyzer
http://pubads.g.doubleclick.net/gampad/clk?id=154622311&iu=/4140/ostg.clktrk
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
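The two failure modes in this thread, a spool file with no timestamp extension (the `nostamp` case barnyard2 warns about) and a text alert file produced by `-A full` that is not unified2 at all, can both be checked before barnyard2 is started. The script below is an added example written for this archive page; it is not code from Snort, barnyard2 or anyone in the thread. It assumes barnyard2's continuous mode only accepts files named `<base>.<digits>`, as the "Can't extract timestamp extension" warnings above suggest, and that unified2 records are a big-endian (type, length) header followed by the payload, with the classic IDS event (type 7) laid out as in Snort's public `Unified2_common.h`. The directory listing and the event bytes are constructed inline.

```python
"""Sanity checks for a Snort unified2 spool directory (added example, not
Snort or barnyard2 code).

  1. barnyard2's continuous mode only picks up files named <base>.<timestamp>;
     a file written with `nostamp` (plain "snort.log") is skipped with a
     "Can't extract timestamp extension" warning.
  2. a file produced by `-A full` is text, not unified2, so walking it as
     big-endian (type, length) records fails on the first header.

The IDS event layout follows Snort's public Unified2_common.h
(Unified2IDSEvent_legacy, record type 7); the sample bytes are constructed.
"""
import ipaddress
import re
import struct

UNIFIED2_PACKET = 2        # record types from Unified2_common.h
UNIFIED2_IDS_EVENT = 7

RECORD_HEADER = struct.Struct("!II")        # type, length; network byte order
IDS_EVENT_LEGACY = struct.Struct("!13I4B")  # 56-byte type 7 payload
IDS_EVENT_FIELDS = (
    "sensor_id", "event_id", "event_second", "event_microsecond",
    "signature_id", "generator_id", "signature_revision",
    "classification_id", "priority_id", "ip_source", "ip_destination",
    "sport_itype", "dport_icode", "protocol", "impact_flag", "impact", "blocked",
)


def timestamp_extension(filename, base):
    """Integer suffix of a spool file named <base>.<digits>, or None when the
    name has no such suffix (which is what `nostamp` produces)."""
    match = re.fullmatch(re.escape(base) + r"\.(\d+)", filename)
    return int(match.group(1)) if match else None


def select_spool_files(entries, base):
    """Split directory entries into files barnyard2 would process (oldest
    first) and names it would warn about and ignore."""
    usable, ignored = [], []
    for name in entries:
        stamp = timestamp_extension(name, base)
        if stamp is None:
            ignored.append(name)
        else:
            usable.append((stamp, name))
    usable.sort()
    return [name for _, name in usable], ignored


def iter_records(data):
    """Yield (record_type, payload) for each unified2 record in `data`;
    raise ValueError on a truncated or non-unified2 stream."""
    offset = 0
    while offset < len(data):
        if len(data) - offset < RECORD_HEADER.size:
            raise ValueError(f"truncated record header at offset {offset}")
        rtype, rlen = RECORD_HEADER.unpack_from(data, offset)
        offset += RECORD_HEADER.size
        if rlen > len(data) - offset:
            raise ValueError(
                f"record at offset {offset - RECORD_HEADER.size} claims "
                f"{rlen} bytes but only {len(data) - offset} remain")
        yield rtype, data[offset:offset + rlen]
        offset += rlen


def parse_ids_event(payload):
    """Decode a type 7 payload into a dict with dotted-quad addresses."""
    if len(payload) < IDS_EVENT_LEGACY.size:
        raise ValueError("IDS event payload shorter than 56 bytes")
    event = dict(zip(IDS_EVENT_FIELDS, IDS_EVENT_LEGACY.unpack_from(payload)))
    for key in ("ip_source", "ip_destination"):
        event[key] = str(ipaddress.IPv4Address(event[key]))
    return event


def check_spool_file(data):
    """(True, record_count) for a well-formed unified2 stream, otherwise
    (False, reason), e.g. for a text alert file written by `-A full`."""
    try:
        return True, sum(1 for _ in iter_records(data))
    except ValueError as exc:
        return False, str(exc)


def make_sample_event():
    """Constructed type 7 record: sid 1000001 rev 1, 10.1.2.3:44444 -> 10.9.8.7:80/tcp."""
    src = int(ipaddress.IPv4Address("10.1.2.3"))
    dst = int(ipaddress.IPv4Address("10.9.8.7"))
    payload = IDS_EVENT_LEGACY.pack(
        1, 42, 1411451699, 0, 1000001, 1, 1, 3, 2, src, dst, 44444, 80, 6, 0, 0, 0)
    return RECORD_HEADER.pack(UNIFIED2_IDS_EVENT, len(payload)) + payload


if __name__ == "__main__":
    # constructed listing: a nostamp file, a '..' entry and two stamped files
    listing = ["snort.log", "..", "snort.log.1411440000", "snort.log.1411436400"]
    usable, ignored = select_spool_files(listing, "snort.log")
    print("would process:", usable)
    print("would warn about:", ignored)
    print(check_spool_file(make_sample_event()))
    print(check_spool_file(b"[**] [1:1000001:1] test [**]\n"))
    for rtype, payload in iter_records(make_sample_event()):
        if rtype == UNIFIED2_IDS_EVENT:
            print(parse_ids_event(payload))
```

Run it against a real spool directory by feeding `os.listdir("/var/log/snort")` and the configured `filename` base to `select_spool_files`, and the bytes of a candidate file to `check_spool_file`; a file that lands in the ignored list, or that fails the record walk on the first header, is one barnyard2 will never insert into the database.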
Current thread:
- snort 2.9.6.2 unified2 John Hally (Sep 22)
- Re: snort 2.9.6.2 unified2 Shirkdog (Sep 22)
- Re: snort 2.9.6.2 unified2 John Hally (Sep 23)
- Re: snort 2.9.6.2 unified2 Sharif Uddin (Sep 23)
- Re: snort 2.9.6.2 unified2 John Hally (Sep 23)
- Re: snort 2.9.6.2 unified2 Sharif Uddin (Sep 23)
- Re: snort 2.9.6.2 unified2 John Hally (Sep 23)
- Re: snort 2.9.6.2 unified2 Sharif Uddin (Sep 23)
- Re: snort 2.9.6.2 unified2 John Hally (Sep 23)
- Re: snort 2.9.6.2 unified2 John Hally (Sep 23)
- Re: snort 2.9.6.2 unified2 Shirkdog (Sep 22)