Home page logo
/

snort logo Snort mailing list archives

Re: MySQL support for Snort 2.9.4
From: Joel Esler <jesler () sourcefire com>
Date: Tue, 11 Dec 2012 22:51:46 -0500

If you run pulledpork in it's default configuration, you can just use snort.rules

--
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire

On Dec 11, 2012, at 10:50 PM, Kaya Saman <kayasaman () gmail com> wrote:

On 12/12/2012 03:37 AM, Jeremy Hoel wrote:
Yeah you! 


Next time someone in my house makes cookies everyone's invited :-)

Are you outputting snort in unified2 format and reading that with barnyard2?


Yep:

output unified2: filename snort.u2, limit 128

Share your snort.conf output lines. 


Snort.conf is bog standard with:

top customized with details of servers and IP addresses yada yada yada ..... man snort.conf {am glossing as is 
trivial }

I just changed:

# Path to your rules files (this can be a relative path)
# Note for Windows users:  You are advised to make this an absolute path,
# such as:  c:\snort\rules
var RULE_PATH rules
var SO_RULE_PATH so_rules
var PREPROC_RULE_PATH preproc_rules

# If you are using reputation preprocessor set these
# Currently there is a bug with relative paths, they are relative to where snort is
# not relative to snort.conf like the above variables
# This is completely inconsistent with how other vars work, BUG 89986
# Set the absolute path appropriately
var WHITE_LIST_PATH rules
var BLACK_LIST_PATH rules


###################################################
# Step #4: Configure dynamic loaded libraries.  
# For more information, see Snort Manual, Configuring Snort - Dynamic Modules
###################################################

# path to dynamic preprocessor libraries
dynamicpreprocessor directory /usr/local/lib/snort_dynamicpreprocessor/

# path to base preprocessor engine
dynamicengine /usr/local/lib/snort_dynamicengine/libsf_engine.so

# path to dynamic rules libraries
#dynamicdetection directory /usr/local/lib/snort_dynamicrules



###################################################
# Step #7: Customize your rule set
# For more information, see Snort Manual, Writing Snort Rules
#
# NOTE: All categories are enabled in this conf file
###################################################

# site specific rules
#include $RULE_PATH/local.rules

#include $RULE_PATH/attack-responses.rules
#include $RULE_PATH/backdoor.rules
#include $RULE_PATH/bad-traffic.rules
#include $RULE_PATH/blacklist.rules
#include $RULE_PATH/botnet-cnc.rules
#include $RULE_PATH/chat.rules
#include $RULE_PATH/content-replace.rules
#include $RULE_PATH/ddos.rules
#include $RULE_PATH/dns.rules
#include $RULE_PATH/dos.rules
#include $RULE_PATH/exploit.rules
#include $RULE_PATH/file-identify.rules
#include $RULE_PATH/finger.rules
#include $RULE_PATH/ftp.rules
#include $RULE_PATH/icmp.rules
#include $RULE_PATH/icmp-info.rules
#include $RULE_PATH/imap.rules
#include $RULE_PATH/info.rules
#include $RULE_PATH/misc.rules
#include $RULE_PATH/multimedia.rules
#include $RULE_PATH/mysql.rules
#include $RULE_PATH/netbios.rules
#include $RULE_PATH/nntp.rules
#include $RULE_PATH/oracle.rules
#include $RULE_PATH/other-ids.rules
#include $RULE_PATH/p2p.rules
#include $RULE_PATH/phishing-spam.rules
#include $RULE_PATH/policy.rules
#include $RULE_PATH/pop2.rules
#include $RULE_PATH/pop3.rules
#include $RULE_PATH/rpc.rules
#include $RULE_PATH/rservices.rules
#include $RULE_PATH/scada.rules
#include $RULE_PATH/scan.rules
#include $RULE_PATH/shellcode.rules
#include $RULE_PATH/smtp.rules
#include $RULE_PATH/snmp.rules
#include $RULE_PATH/specific-threats.rules
#include $RULE_PATH/spyware-put.rules
#include $RULE_PATH/sql.rules
#include $RULE_PATH/telnet.rules
#include $RULE_PATH/tftp.rules
#include $RULE_PATH/virus.rules
#include $RULE_PATH/voip.rules
#include $RULE_PATH/web-activex.rules
#include $RULE_PATH/web-attacks.rules
#include $RULE_PATH/web-cgi.rules
#include $RULE_PATH/web-client.rules
#include $RULE_PATH/web-coldfusion.rules
#include $RULE_PATH/web-frontpage.rules
#include $RULE_PATH/web-iis.rules
#include $RULE_PATH/web-misc.rules
#include $RULE_PATH/web-php.rules
#include $RULE_PATH/x11.rules



I also wrote a custom script'ish section to produce the file:

#include $RULE_PATH/rule.set

Basically:

ls -l rules | cut -c 50-100 > rule.list
sed 's/^/include $RULE_PATH\//' rule.list > rule.set


This would be fine for adding any *.rules files to rule.list which then gets transformed to rule.set; saves having to 
write out each line manually!


That's about it.......


# ls -lh /var/log/snort
total 837292
-rw-r--r--  1 _snort  _snort     0B Dec  4 01:21 alert
-rw-------  1 root    _snort   5.1K Dec 12 03:24 snort.u2.1355282592
-rw-------  1 root    _snort     0B Dec 12 03:26 snort.u2.1355282785
-rw-------  1 root    _snort  19.8M Dec 12 03:27 snort.u2.1355282811
-rw-------  1 root    _snort   128M Dec 12 03:32 snort.u2.1355282879
-rw-------  1 root    _snort   128M Dec 12 03:36 snort.u2.1355283128
-rw-------  1 root    _snort   128M Dec 12 03:41 snort.u2.1355283410
-rw-------  1 root    _snort   4.8M Dec 12 03:48 snort.u2.1355283668



Now all I need to do is get Barnyard2 working and with a bit of luck will start being able to see alerts back on Base.

Few, that was a trek and half!

On Dec 11, 2012 8:29 PM, "Kaya Saman" <kayasaman () gmail com> wrote:
On 12/11/2012 09:54 PM, Joel Esler wrote:

Doesn't sound like that was the problem.  Looks like you have a larger problem.  Traffic not being received or 
analyzed correctly.  You said that all you were getting was icmp alerts, and that doesn't sound right (unless 
that's all you have)

--
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire


Finally I got this working!!!! :-)

Basically all I needed to do was to add the paths for these in and take out all the other obsolete rules which 
weren't working:

include $RULE_PATH/decoder.rules
include $RULE_PATH/preprocessor.rules
include $RULE_PATH/sensitive-data.rules

Now I get alerts even!

The only issue is that Barnyard2 is now segfaulting when reading the Snort log files? :-( I keep getting "bus error" 
- which I've been having too much of lately!


Thanks for all the help!


Regards,


Kaya

------------------------------------------------------------------------------
LogMeIn Rescue: Anywhere, Anytime Remote support for IT. Free Trial
Remotely access PCs and mobile devices and provide instant support
Improve your efficiency, and focus on delivering more value-add services
Discover what IT Professionals Know. Rescue delivers
http://p.sf.net/sfu/logmein_12329d2d
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!


------------------------------------------------------------------------------
LogMeIn Rescue: Anywhere, Anytime Remote support for IT. Free Trial
Remotely access PCs and mobile devices and provide instant support
Improve your efficiency, and focus on delivering more value-add services
Discover what IT Professionals Know. Rescue delivers
http://p.sf.net/sfu/logmein_12329d2d
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]