Snort mailing list archives

Re: Snort/Banyard2 Logging


From: Eric Luellen <eluellen () perimeterusa com>
Date: Tue, 17 Jul 2012 18:33:34 +0000

Thank you very much for that information. I was able to get that installed, and I got more information in my 
logs than I was able to before. Below is the output I got from going Unified2 Snort --> Barnyard2 with "output 
log_syslog_full: sensor_name snort-sensor, local, operation_mode complete" in my barnyard2.conf.

Jul 16 11:03:05 localhost barnyard2: | [SNORTIDS[ALERT]: [snort-test-sensor] } || 2012-07-16 15:02:50.594 0 Snort Alert [1:10000003:0] || [Unknown Classification] || 6 192.168.56.1 192.168.56.101 || 53389 80 || #012 |

Jul 16 11:03:05 localhost barnyard2: | [SNORTIDS[LOG]: [snort-test-sensor] ] || 2012-07-16 15:02:50.594 0 Snort Alert [1:10000003:0] || [Unknown Classification] || 6 3232249857 3232249957 5 0 0 40 7282 2 0 60582 0 || 53389 80 1139115519 1675916956 5 0 16 16425 2225 0 || 60 08002748F9EC08002700A4B60800450000281C7240008006ECA6C0A83801C0A83865D08D005043E585FF63E4769C5010402908B10000000000000000 || #012 |

However, it's still not the output I'm looking for. I started playing with the Snort options a little more and found my 
ideal output with this command:
 - snort -de -U -X -A full -c /etc/snort/snort.conf -i eth2 -K ascii &

[**] Telnet Traffic" [**]
07/17-18:14:44.475770 1C:C1:DE:91:F3:4C -> 00:16:47:A2:B3:43 type:0x800 len:0x42
10.45.9.77:56667 -> 98.139.183.24:23 TCP TTL:128 TOS:0x0 ID:25276 IpLen:20 DgmLen:52 DF
******S* Seq: 0x5E65BBAE  Ack: 0x0  Win: 0x2000  TcpLen: 32
TCP Options (6) => MSS: 1460 NOP WS: 8 NOP NOP SackOK
0x0000: 00 16 47 A2 B3 43 1C C1 DE 91 F3 4C 08 00 45 00  ..G..C.....L..E.
0x0010: 00 34 62 BC 40 00 80 06 6A EA 0A 2D 09 4D 62 8B  .4b.@...j..-.Mb.
0x0020: B7 18 DD 5B 00 17 5E 65 BB AE 00 00 00 00 80 02  ...[..^e........
0x0030: 20 00 2A 6C 00 00 02 04 05 B4 01 03 03 08 01 01   .*l............
0x0040: 04 02  

The problem with this is that when I tell it to output ASCII, it splits the information up per IP and puts it into 
separate folders. I would like that information, but in syslog. Please let me know if I'm overlooking something 
obvious or if you all recommend other options/flags for more detailed logging information on alerts.

Eric
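As an added example (not from the post and not barnyard2's own code), a small Python parser for the log_syslog_full "operation_mode complete" record posted above: it splits the record on the "||" separators, turns the decimal IP addresses back into dotted quads, decodes the hex-dumped frame into its Ethernet/IPv4/TCP headers, and cross-checks the decoded headers against the summary fields. The field positions are read off the sample record rather than the barnyard2 source, so treat them as an assumption; the record itself is the LOG line from the post, joined onto a single line, and only LOG records (which carry the packet) are handled.

```python
import ipaddress
import re
import struct

# The log_syslog_full LOG record from the post above, joined onto one line.
# Field positions below are inferred from this sample, not from the barnyard2 source.
SAMPLE = (
    "Jul 16 11:03:05 localhost barnyard2: | [SNORTIDS[LOG]: [snort-test-sensor] ] || "
    "2012-07-16 15:02:50.594 0 Snort Alert [1:10000003:0] || [Unknown Classification] || "
    "6 3232249857 3232249957 5 0 0 40 7282 2 0 60582 0 || "
    "53389 80 1139115519 1675916956 5 0 16 16425 2225 0 || "
    "60 08002748F9EC08002700A4B60800450000281C7240008006ECA6C0A83801C0A83865"
    "D08D005043E585FF63E4769C5010402908B1" "0000000000000000 || #012 |"
)

TCP_FLAGS = [(0x01, "FIN"), (0x02, "SYN"), (0x04, "RST"),
             (0x08, "PSH"), (0x10, "ACK"), (0x20, "URG")]


def parse_record(line):
    """Split one 'operation_mode complete' LOG record into its '||' fields."""
    msg = line.split("barnyard2: ", 1)[1]
    f = [x.strip(" |") for x in msg.split("||")]
    head = re.match(r"\[SNORTIDS\[(\w+)\]: \[([^\]]+)\]", f[0])
    sig = re.search(r"\[(\d+):(\d+):(\d+)\]", f[1])
    ip, tcp = f[3].split(), f[4].split()
    pkt_len, pkt_hex = f[5].split()
    return {
        "kind": head.group(1),                        # ALERT or LOG
        "sensor": head.group(2),
        "timestamp": " ".join(f[1].split()[:2]),
        "sid": tuple(int(x) for x in sig.groups()),   # (gid, sid, rev)
        "classification": f[2].strip("[]"),
        "proto": int(ip[0]),
        # LOG records print addresses as integers, ALERT records as dotted quads
        "src": str(ipaddress.IPv4Address(int(ip[1]) if ip[1].isdigit() else ip[1])),
        "dst": str(ipaddress.IPv4Address(int(ip[2]) if ip[2].isdigit() else ip[2])),
        "sport": int(tcp[0]),
        "dport": int(tcp[1]),
        "seq": int(tcp[2]),
        "ack": int(tcp[3]),
        "pkt_len": int(pkt_len),
        "pkt": bytes.fromhex(pkt_hex),
    }


def decode_packet(pkt):
    """Decode the Ethernet, IPv4 and TCP headers of the hex-dumped frame."""
    dmac, smac, etype = struct.unpack("!6s6sH", pkt[:14])
    if etype != 0x0800:
        raise ValueError("not an IPv4 frame: ethertype 0x%04x" % etype)
    (vihl, tos, tlen, ident, frag, ttl, proto, ipcsum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[14:34])
    ihl = (vihl & 0x0F) * 4
    hdr = {
        "dst_mac": ":".join("%02x" % b for b in dmac),
        "src_mac": ":".join("%02x" % b for b in smac),
        "ttl": ttl, "tos": tos, "ip_len": tlen, "ip_id": ident,
        "df": bool(frag & 0x4000), "proto": proto,
        "src": str(ipaddress.IPv4Address(src)),
        "dst": str(ipaddress.IPv4Address(dst)),
    }
    if proto == 6:  # TCP: fixed 20-byte header after the IP header
        l4 = pkt[14 + ihl:]
        (sport, dport, seq, ack, off, flags, win,
         tcpcsum, urg) = struct.unpack("!HHIIBBHHH", l4[:20])
        hdr.update(sport=sport, dport=dport, seq=seq, ack=ack,
                   data_offset=(off >> 4) * 4, win=win, urg=urg,
                   flags=[name for bit, name in TCP_FLAGS if flags & bit])
    return hdr


def check_consistency(rec):
    """Return the summary fields that disagree with the decoded packet (empty = consistent)."""
    hdr = decode_packet(rec["pkt"])
    bad = []
    if rec["pkt_len"] != len(rec["pkt"]):
        bad.append("pkt_len")
    for key in ("proto", "src", "dst", "sport", "dport", "seq", "ack"):
        if rec[key] != hdr[key]:
            bad.append(key)
    return bad


if __name__ == "__main__":
    rec = parse_record(SAMPLE)
    hdr = decode_packet(rec["pkt"])
    print(rec["sensor"], rec["kind"], rec["sid"], rec["src"], "->", rec["dst"])
    print(hdr["src_mac"], "->", hdr["dst_mac"], "ttl", hdr["ttl"],
          "%s:%d -> %s:%d %s" % (hdr["src"], hdr["sport"], hdr["dst"], hdr["dport"], hdr["flags"]))
    print("mismatches:", check_consistency(rec))
```

The consistency check is the part worth keeping in a real pipeline: the summary fields and the hex dump are two independent encodings of the same packet, so a mismatch means either the record was truncated by the syslog transport (the full record is well over 400 characters, which matters for UDP syslog) or the field order assumed here does not match the barnyard2 build in use.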


-----Original Message-----
From: beenph [mailto:beenph () gmail com] 
Sent: Friday, July 13, 2012 5:28 PM
To: Eric Luellen
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Snort/Banyard2 Logging

On Fri, Jul 13, 2012 at 4:33 PM, Eric Luellen <eluellen () perimeterusa com> wrote:
Hello,

I need some help with my Snort/Barnyard2 setup. My goal is to have 
Snort send unified2 logs to Barnyard2 and then have Barnyard2 send the 
data to other locations. Here is my current setup.

OS
- Scientific Linux 6

Snort Version
- 2.9.2.3

Barnyard2 Version
- 2.1.9

Snort command
- snort -c /etc/snort/snort.conf -i eth2 &

Barnyard2 command
- /usr/local/bin/barnyard2 -c /etc/snort/barnyard2.conf -d 
/var/log/snort -f snort.log -w /var/log/snort/barnyard.waldo &

snort.conf
- output unified2: filename snort.log, limit 128

barnyard2.conf
- output alert_syslog: host=127.0.0.1
- output database: log, mysql, user=snort dbname=snort 
password=password host=localhost

With this setup, barnyard2 is showing all of the correct information 
in the database and I'm using BASE to view it on the web GUI. I was 
hoping to be able to send the full packet data to syslog with 
barnyard2 but after reading around, it seems that it is impossible to 
do that. So I then started trying to modify the snort.conf file and add lines like 
"output alert_full: alert.full". This definitely gave me a lot more information but still 
not the full packet data like I want. So my question is, is there any 
way I can use barnyard2 to send the full packet data of alerts to a 
human readable file? Since I can't send it directly to syslog, I can 
create another process to take the data from that file and ship it off 
to another server. If not, what flags and/or snort.conf configuration 
would you recommend to get the most data possible but still be able to 
handle quite a bit of traffic? At the end of it all, these alerts will 
be shipped to a central server via an SSH tunnel. I'm trying to stay 
away from databases and would like to get the type of output you get 
when you add the -v flag and log to the console. 
However, I don't want it for all traffic, just the alerts. Thanks in 
advance for any help.


Greetings Eric,

Barnyard2 2-1.10 has the ability to send the full packet over syslog.

You can get it from here: https://github.com/firnsy/barnyard2/tree/pre-stable

You could reach your objective by using the following configuration line (adjust it for your setup):

# output log_syslog_full: sensor_name snortIds1-eth2, server xxx.xxx.xxx.xxx, protocol udp, port 514, operation_mode complete

or

# output log_syslog_full: sensor_name snortIds1-eth2, server xxx.xxx.xxx.xxx, protocol tcp, port 514, operation_mode complete

-elz


