Snort mailing list archives
upgrading to snort 2.6
From: "Derek Stinchfield" <derek () aero und edu>
Date: Thu, 28 Sep 2006 12:47:30 -0500
Recently, my department was able to free up a new server that we decided to use to replace our old snort box. I
figured that this would be a good time to update to 2.6. I saved a few of the old config files and went to work with
the new box from scratch. I loaded RHELAS 4 and after the install, I downloaded and installed 2.6.0.2, and Barnyard
0.2.0. I then checked and copied over the config files, rulesets, and startup scripts from our old snort 2.4 box and I
thought I pounded out any issues with file locations and permissions. Both snort and barnyard are now starting and
running, however I let it run last night, outputting unified files and having barnyard pointed at a remote syslog
server, and I didn't have a single rule in the remote syslog today.
I had snort make a fast alert output to be sure that rules were being triggered, and sure enough they are, which leaves
me with barnyard. I did the fast alert for this too and it didn't even create the file for it. This is the first
time I've tried to use the barnyard startup script. Before, I would just start it with <barnyard -D -n -f
/var/log/snort/snort.alert>.
Now that I'm trying to use the script, the command is </usr/local/bin/barnyard -c /etc/snort/barnyard.conf -d
/var/log/snort -a /var/log/snort-proces....>. Obviously, if I try to start it the old way I now get a segmentation
fault.
I have posted the barnyard script as well as what I use in the barnyard.conf. Any help I can get is appreciated.
Also, if it helps, I don't absolutely have to use the barnyard script, so if there is an idea that excludes it, I would
appreciate that as much as any help.
Thanks in advance,
Derek
The barnyard script I used is this:
#!/bin/bash
#
# barnyard      Start/Stop barnyard daemon
#
# Written by Alejandro Flores <alejandrorfloresgmail.com>
#
# chkconfig: 2345 42 62
# description: Output spool reader for Snort! This program decouples \
#              output overhead from the Snort network intrusion detection \
#              system and allows Snort to run at full speed. It takes \
#              input and output plugins and can therefore be used to \
#              convert almost any spooled file.
#
. /etc/rc.d/init.d/functions
# Barnyard binary
BARNYARD=/usr/local/bin/barnyard
# Where to place processed logs (barnyard moves consumed spool files here)
PROCESSADOS=/var/log/snort-processados
# Base dir for snort logs (the unified spool directory)
LOG_BASE=/var/log/snort
# Unified log filename (base name only; Snort appends a timestamp to it)
LOG_FILE=snort.log
# Barnyard config
CONFIG=/etc/snort/barnyard.conf
# where is sid-msg.map
SIDMAP=/etc/snort/sid-msg.map
# where is gen-msg.map
GENMAP=/etc/snort/gen-msg.map
# where is classification.config
CLASSCONF=/etc/snort/classification.config
# where to place the barnyard bookmark
WALDO=/var/log/snort/waldo

case "$1" in
  start)
    if [ -f /var/lock/subsys/barnyard ]; then
      echo "Barnyard is already running."
      exit 0
    fi
    echo -n "Starting Barnyard: "
    daemon $BARNYARD \
      -c $CONFIG \
      -d $LOG_BASE \
      -a $PROCESSADOS \
      -f $LOG_FILE \
      -w $WALDO \
      -s $SIDMAP \
      -g $GENMAP \
      -p $CLASSCONF \
      -D
    echo
    touch /var/lock/subsys/barnyard
    ;;
  stop)
    echo -n "Stopping Barnyard: "
    killproc barnyard
    echo
    rm -f /var/lock/subsys/barnyard
    ;;
  restart)
    $0 stop
    $0 start
    ;;
  *)
    echo "Usage: $0 {start|stop|restart}"
    exit 1
    ;;
esac
exit 0
/script
This is my barnyard.conf <some commented parts omitted>
#-------------------------------------------------------------
# http://www.snort.org Barnyard 0.1.0 configuration file
# Contact: snort-barnyard () lists sourceforge net
#-------------------------------------------------------------
# $Id: barnyard.conf,v 1.9 2004/05/01 16:43:29 andrewbaker Exp $
########################################################
# Currently you want to do two things in here: turn on
# available data processors and turn on output plugins.
# The data processors (dp's) and output plugins (op's)
# automatically associate with each other by type and
# are automatically selected at run time depending on
# the type of file you try to load.
########################################################
# Step 1: configuration declarations
# To keep from having a commandline that uses every letter in the alphabet
# most configuration options are set here
# enable daemon mode
config daemon
#INSERTED BY DEREK. Indicate which interface shall be monitored
config interface: eth1
#INSERTED BY DEREK. Give Barnyard the location of the metadata files.
config sid-msg-map: /etc/snort/sid-msg.map
config gen-msg-map: /etc/snort/gen-msg.map
config class-file: /etc/snort/classification.config
# set the hostname (currently only used for the acid db output plugin)
#COMMENTED OUT BY DEREK. config hostname: snorthost
# set the interface name (currently only used for the acid db output plugin)
#COMMENTED OUT BY DEREK. config interface: fxp0
# set the filter (currently only used for the acid db output plugin)
#COMMENTED OUT BY DEREK. config filter: not port 22
# Step 2: setup the output plugins
# alert_fast
#-----------------------------
# Converts data from the dp_alert plugin into an approximation of Snort's
# "fast alert" mode. Argument: <filename>
output alert_fast: barnyard.alert
# log_dump
#-----------------------------
# Converts data from the dp_log plugin into an approximation of Snort's
# "ASCII packet dump" mode. Argument: <filename>
#COMMENTED OUT BY DEREK. output log_dump
# alert_syslog2
#-------------------------------
# Generates a syslog alert. This supports considerably more features than
# the original syslog output plugin.
#
output alert_syslog2: severity: ALERT; syslog_host: x.x.x.x;
/barnyard.config
Derek Stinchfield
Network Analyst
Scientific Computing Center
University of North Dakota - ÆROSPACE
derek () aero und edu
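Before the daemon is started, the spool arguments the init script hands to barnyard (-d, -f, -a, -w) can be checked against the spool directory itself; the check below is an added example, not from Derek's post or from the Barnyard project. It reports whether any unified file named after the -f base exists (the earlier command line used snort.alert as the base while the script passes snort.log), lists the base names actually present when none match, and confirms the -a and -w locations are writable. The function name check_barnyard_spool is an assumption; the usage comment reuses the script's own paths.

```shell
#!/bin/bash
# check_barnyard_spool SPOOL_DIR BASE PROCESSED_DIR WALDO
# Sanity-check the spool settings an init script passes to barnyard
# (-d spool dir, -f base filename, -a processed dir, -w bookmark).
# Prints each finding; returns 0 if the spool looks usable, 1 otherwise.
check_barnyard_spool() {
    local spool_dir="$1" base="$2" processed="$3" waldo="$4"
    local rc=0 n other

    # The spool directory must exist and be readable.
    if [ ! -d "$spool_dir" ] || [ ! -r "$spool_dir" ]; then
        echo "spool dir $spool_dir missing or unreadable"
        return 1
    fi

    # Count unified files whose name starts with the configured base;
    # Snort appends a timestamp, e.g. snort.alert.1159462800.
    n=$(( $(find "$spool_dir" -maxdepth 1 -type f -name "${base}.*" | wc -l) ))
    if [ "$n" -eq 0 ]; then
        echo "no files named ${base}.* in $spool_dir"
        # List the base names that are present so a mismatch stands out.
        other=$(cd "$spool_dir" && ls snort.* 2>/dev/null \
                | sed 's/\.[0-9]*$//' | sort -u | tr '\n' ' ')
        if [ -n "$other" ]; then
            echo "  spool contains base name(s): $other"
        fi
        rc=1
    else
        echo "$n spool file(s) match ${base}.*"
    fi

    # barnyard moves consumed files to the -a directory: it must be writable.
    if [ ! -d "$processed" ] || [ ! -w "$processed" ]; then
        echo "processed dir $processed missing or not writable"
        rc=1
    fi

    # The -w bookmark is rewritten as records are consumed.
    if [ ! -w "$(dirname "$waldo")" ]; then
        echo "cannot write bookmark in $(dirname "$waldo")"
        rc=1
    fi
    return $rc
}

# Usage with the values from the init script above (uncomment to run):
# check_barnyard_spool /var/log/snort snort.log /var/log/snort-processados /var/log/snort/waldo
```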