Home page logo
/

snort logo Snort mailing list archives

Re: Snort not generating alerts
From: Pratik Narang <pratik.cse.bits () gmail com>
Date: Fri, 13 Jul 2012 11:51:12 +0530

On Tue, Jul 10, 2012 at 6:51 PM, Peter Bates <peter.bates () ucl ac uk> wrote:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


Hello all

On 10/07/2012 14:09, Pratik Narang wrote:
Have you looked whether the unified2 file, 'snort.u2' in your
configuration contains any alerts or data using u2spewfoo?

Yes the log files do contain data (alerts?- can't see any...)

What does something like this show:

u2spewfoo snort.u2.1341924701 |grep sig

You should see something along the lines of:


        sig id: 3000035 gen id: 1       revision: 1
classification: 33
        sig id: 2013068 gen id: 1       revision: 2
classification: 28
        sig id: 23250   gen id: 1       revision: 1
classification: 21

The actual signatures you're hitting on.

Yes, the Snort log file does contain the actual signatures. Running Snort
with *-A console* also does display the same.

I tried this umpteen times... even re-installing Barnyard2...
Barnyard2.waldo must be empty to begin with (right?) since I am
only creating the file. Then, why should it contain rubbish??

Barnyard should create the file initially - if I was testing and
having problems I would

a) stop snort
b) stop barnyard2
c) delete (or move) files out of your LOGDIR
d) start snort
e) start barnyard2

I am not very clear what you mean. I did this, exactly as per the
guide available on snort.org -->

sudo tar zxvf barnyard2-1.9.tar.gz
cd barnyard2-1.9
sudo ./configure --with-mysql
sudo make
sudo make install
sudo cp etc/barnyard2.conf /usr/local/snort/etc
sudo mkdir /var/log/barnyard2
sudo chmod 666 /var/log/barnyard2
sudo touch /var/log/snort/barnyard2.waldo
sudo chown snort.snort /var/log/snort/barnyard2.waldo
(so, as per the guide, i am creating the waldo file)

And some changes in barnyard2.conf file-
config reference_file: /usr/local/snort/etc/reference.config
config classification_file: /usr/local/snort/etc/classification.config
config gen_file: /usr/local/snort/etc/gen-msg.map
config sid_file: /usr/local/snort/etc/sid-msg.map
config hostname: localhost
config interface: eth1

output database: log, mysql, user=snort password=MYPASSWORD dbname=snort
host=localhost

And as far as the (a) to (e) steps are concerned, yes i have tried
that....but stuck with the corrupt/truncated waldo file warning...


You could also run barnyard2 in the foreground with -v but I seem to
recall that doesn't show a great deal.

- --
Peter Bates
Senior Computer Security Officer    Phone: +44(0)2076792049
Information Services Division       Internal Ext: 32049
University College London
London WC1E 6BT


Thanks,
-Pratik

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.17 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iQEcBAEBAgAGBQJP/CxDAAoJELhVoVpEMS6RGbsH/j0Aw2asnc+LKFJpWH21WBe0
CJf63S58XpwvVD6QRX2vXX92O6Lx9njEPdBhqH5J4/oY9cKjHXbsRw5LI68F1aJv
FwgYjd/emsZdMSMctQTjTSUAj2yoIGxjXMh7OkyOoTFwXmg5cWjyOroo0E0ExsA0
6Q9wZ5xZP1D+kL0ghSOyKtxbFMVYh2dIv/90jlNZp79hsGkbPiPzFGkPTR1tSiX3
dyXV5BGepBIic6u/FxkKfGQdfXsxbQEZRSq240u1uefw6XoXHaSj5AreBicWzFPW
Y3jWDb3IOI7rQfX+UIelIybwHrW5blXEnAsSJQN98QbxRTuhO0RG5VuC8YlGN8w=
=pWxT
-----END PGP SIGNATURE-----



------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and
threat landscape has changed and how IT managers can respond. Discussions
will include endpoint security, mobile security and the latest in malware
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Please visit http://blog.snort.org to stay current on all the latest
Snort news!

------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and 
threat landscape has changed and how IT managers can respond. Discussions 
will include endpoint security, mobile security and the latest in malware 
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]