Home page logo
/

snort logo Snort mailing list archives

Re: MySQL support for Snort 2.9.4
From: Kaya Saman <kayasaman () gmail com>
Date: Wed, 12 Dec 2012 03:50:23 +0000

On 12/12/2012 03:37 AM, Jeremy Hoel wrote:

Yeah you!


Next time someone in my house makes cookies everyone's invited :-)

Are you outputting snort in unified2 format and reading that with barnyard2?


Yep:

output unified2: filename snort.u2, limit 128

Share your snort.conf output lines.


Snort.conf is bog standard with:

top customized with details of servers and IP addresses yada yada yada ..... man snort.conf {am glossing as is trivial }

I just changed:

# Path to your rules files (this can be a relative path)
# Note for Windows users:  You are advised to make this an absolute path,
# such as:  c:\snort\rules
var RULE_PATH rules
var SO_RULE_PATH so_rules
var PREPROC_RULE_PATH preproc_rules

# If you are using reputation preprocessor set these
# Currently there is a bug with relative paths, they are relative to where snort is
# not relative to snort.conf like the above variables
# This is completely inconsistent with how other vars work, BUG 89986
# Set the absolute path appropriately
var WHITE_LIST_PATH rules
var BLACK_LIST_PATH rules


###################################################
# Step #4: Configure dynamic loaded libraries.
# For more information, see Snort Manual, Configuring Snort - Dynamic Modules
###################################################

# path to dynamic preprocessor libraries
dynamicpreprocessor directory /usr/local/lib/snort_dynamicpreprocessor/

# path to base preprocessor engine
dynamicengine /usr/local/lib/snort_dynamicengine/libsf_engine.so

# path to dynamic rules libraries
#dynamicdetection directory /usr/local/lib/snort_dynamicrules



###################################################
# Step #7: Customize your rule set
# For more information, see Snort Manual, Writing Snort Rules
#
# NOTE: All categories are enabled in this conf file
###################################################

# site specific rules
#include $RULE_PATH/local.rules

#include $RULE_PATH/attack-responses.rules
#include $RULE_PATH/backdoor.rules
#include $RULE_PATH/bad-traffic.rules
#include $RULE_PATH/blacklist.rules
#include $RULE_PATH/botnet-cnc.rules
#include $RULE_PATH/chat.rules
#include $RULE_PATH/content-replace.rules
#include $RULE_PATH/ddos.rules
#include $RULE_PATH/dns.rules
#include $RULE_PATH/dos.rules
#include $RULE_PATH/exploit.rules
#include $RULE_PATH/file-identify.rules
#include $RULE_PATH/finger.rules
#include $RULE_PATH/ftp.rules
#include $RULE_PATH/icmp.rules
#include $RULE_PATH/icmp-info.rules
#include $RULE_PATH/imap.rules
#include $RULE_PATH/info.rules
#include $RULE_PATH/misc.rules
#include $RULE_PATH/multimedia.rules
#include $RULE_PATH/mysql.rules
#include $RULE_PATH/netbios.rules
#include $RULE_PATH/nntp.rules
#include $RULE_PATH/oracle.rules
#include $RULE_PATH/other-ids.rules
#include $RULE_PATH/p2p.rules
#include $RULE_PATH/phishing-spam.rules
#include $RULE_PATH/policy.rules
#include $RULE_PATH/pop2.rules
#include $RULE_PATH/pop3.rules
#include $RULE_PATH/rpc.rules
#include $RULE_PATH/rservices.rules
#include $RULE_PATH/scada.rules
#include $RULE_PATH/scan.rules
#include $RULE_PATH/shellcode.rules
#include $RULE_PATH/smtp.rules
#include $RULE_PATH/snmp.rules
#include $RULE_PATH/specific-threats.rules
#include $RULE_PATH/spyware-put.rules
#include $RULE_PATH/sql.rules
#include $RULE_PATH/telnet.rules
#include $RULE_PATH/tftp.rules
#include $RULE_PATH/virus.rules
#include $RULE_PATH/voip.rules
#include $RULE_PATH/web-activex.rules
#include $RULE_PATH/web-attacks.rules
#include $RULE_PATH/web-cgi.rules
#include $RULE_PATH/web-client.rules
#include $RULE_PATH/web-coldfusion.rules
#include $RULE_PATH/web-frontpage.rules
#include $RULE_PATH/web-iis.rules
#include $RULE_PATH/web-misc.rules
#include $RULE_PATH/web-php.rules
#include $RULE_PATH/x11.rules



I also wrote a custom script'ish section to produce the file:

#include $RULE_PATH/rule.set

Basically:

ls -l rules | cut -c 50-100 > rule.list
sed 's/^/include $RULE_PATH\//' rule.list > rule.set


This would be fine for adding any *.rules files to rule.list which then gets transformed to rule.set; saves having to write out each line manually!


That's about it.......


# ls -lh /var/log/snort
total 837292
-rw-r--r--  1 _snort  _snort     0B Dec  4 01:21 alert
-rw-------  1 root    _snort   5.1K Dec 12 03:24 snort.u2.1355282592
-rw-------  1 root    _snort     0B Dec 12 03:26 snort.u2.1355282785
-rw-------  1 root    _snort  19.8M Dec 12 03:27 snort.u2.1355282811
-rw-------  1 root    _snort   128M Dec 12 03:32 snort.u2.1355282879
-rw-------  1 root    _snort   128M Dec 12 03:36 snort.u2.1355283128
-rw-------  1 root    _snort   128M Dec 12 03:41 snort.u2.1355283410
-rw-------  1 root    _snort   4.8M Dec 12 03:48 snort.u2.1355283668



Now all I need to do is get Barnyard2 working and with a bit of luck will start being able to see alerts back on Base.

Few, that was a trek and half!

On Dec 11, 2012 8:29 PM, "Kaya Saman" <kayasaman () gmail com <mailto:kayasaman () gmail com>> wrote:

    On 12/11/2012 09:54 PM, Joel Esler wrote:

    Doesn't sound like that was the problem.  Looks like you have a
    larger problem.  Traffic not being received or analyzed
    correctly.  You said that all you were getting was icmp alerts,
    and that doesn't sound right (unless that's all you have)

    --
    *Joel Esler*
    Senior Research Engineer, VRT
    OpenSource Community Manager
    Sourcefire


    Finally I got this working!!!! :-)

    Basically all I needed to do was to add the paths for these in and
    take out all the other obsolete rules which weren't working:

    include $RULE_PATH/decoder.rules
    include $RULE_PATH/preprocessor.rules
    include $RULE_PATH/sensitive-data.rules

    Now I get alerts even!

    The only issue is that Barnyard2 is now segfaulting when reading
    the Snort log files? :-( I keep getting "bus error" - which I've
    been having too much of lately!


    Thanks for all the help!


    Regards,


    Kaya

    ------------------------------------------------------------------------------
    LogMeIn Rescue: Anywhere, Anytime Remote support for IT. Free Trial
    Remotely access PCs and mobile devices and provide instant support
    Improve your efficiency, and focus on delivering more value-add
    services
    Discover what IT Professionals Know. Rescue delivers
    http://p.sf.net/sfu/logmein_12329d2d
    _______________________________________________
    Snort-users mailing list
    Snort-users () lists sourceforge net
    <mailto:Snort-users () lists sourceforge net>
    Go to this URL to change user options or unsubscribe:
    https://lists.sourceforge.net/lists/listinfo/snort-users
    Snort-users list archive:
    http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

    Please visit http://blog.snort.org to stay current on all the
    latest Snort news!


------------------------------------------------------------------------------
LogMeIn Rescue: Anywhere, Anytime Remote support for IT. Free Trial
Remotely access PCs and mobile devices and provide instant support
Improve your efficiency, and focus on delivering more value-add services
Discover what IT Professionals Know. Rescue delivers
http://p.sf.net/sfu/logmein_12329d2d
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]