Snort mailing list archives
Snort 2.9.7.2 and barnyard2 1.13 on RHEL via RPM
From: Tomas Hajek <hajek () oakland edu>
Date: Tue, 14 Apr 2015 16:17:39 -0400
Hello Everyone,
I have barnyard2 1.13, snort 2.9.7.2, working on Red Hat Enterprise Linux
6.6 installed via rpms.
I am running both barnyard2 and snort using their typical config files
snort.conf and barnyard2.conf but also with the RHEL way of using sysconfig
and init scripts.
I had many problems initially getting unified2 logging to work but finally
came to what I believe to be the underlying issue. This was after running
through the removal of -A and -b, for specifics I mean modifying the
parameters in /etc/sysconfig/snort to set the following:
BINARY_LOG=0
ALERTMODE=
The larger problem for me seems to be the init scripts. For barnyard2 it
assumes a log directory of /var/log/snort/$INTERFACE where $INTERFACE is
the name of the network interface (e.g. eth0, or eth1). The snort init
script seems to make a special case of running snort on a single interface
and as such logs to /var/log/snort/ with a single interface and
/var/log/snort/$INTERFACE/ when multiple interfaces are specified in the
sysconfig file. This means that when I have only 1 network interface
configured, snort is writing the merged.log to /var/log/snort/ but
barnyard2 expects it to be in /var/log/snort/eth0/.
I tried to change the value of LOG_FILE in /etc/sysconfig/barnyard2 to
../merged.log or /var/log/snort/merged.log but it appears that that
variable is stripped down to just the filename so I can't seem to fix it
with that. I also noted that barnyard2 also expects a timestamp to be
appended to the unified2 log (so unified2 logging also needs to have
nostamp removed in /etc/snort/snort.conf default config).
I confess that I am a new user of snort and barnyard2 and this had me
stumped for a day or two and I am wondering how others are maintaining
snort and barnyard2 on a RHEL system with RPM installs?
Has anyone experienced the same that I have?
Have I missed something obvious or is my assessment above correct?
I admit at the moment I just added a second interface to snort and now have
snort and barnyard2 logging and reading from the same corresponding
directories (/var/log/snort/eth0 and /var/log/snort/eth1) but is there a
way to get this to work properly with just one interface?
Any advice would be appreciated.
thanks,
-Tomas
--
Tomas Hajek
hajek () oakland edu
1-248-370-3505
Senior Linux Systems Engineer
University Technology Services
Oakland University
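As an added example (not part of Tomas's message and not code from the Snort or barnyard2 RPM packages), the following POSIX shell check encodes the directory rule the post describes and flags the single-interface mismatch, and also checks the two other points raised: whether the `output unified2:` line in snort.conf still carries `nostamp`, and whether timestamped unified2 files actually exist where barnyard2 will look. The layout rule, the `INTERFACE` sysconfig variable, the `merged.log` base name and the unified2 line format come from the post and the stock 2.9.x snort.conf; the function names, the OK/MISMATCH output and the sample values in the usage note are this example's own assumptions. Confirm the rule against the init scripts actually installed on the system before relying on it.

```shell
#!/bin/sh
# Added example, not code from the original post or the Snort/barnyard2 RPMs.
# Encodes the layout described in the post (an assumption; check your own init
# scripts): with one interface in /etc/sysconfig/snort, snort logs to
# /var/log/snort/; with several, to /var/log/snort/$INTERFACE/. The barnyard2
# init script always reads from /var/log/snort/$INTERFACE/.

SNORT_LOGBASE="${SNORT_LOGBASE:-/var/log/snort}"

# Directory snort writes unified2 files to for interface $2, given the whole
# space-separated INTERFACE list $1.
snort_logdir() {
    _list="$1"
    _if="$2"
    set -- $_list                      # word-split the list to count interfaces
    if [ "$#" -le 1 ]; then
        printf '%s\n' "$SNORT_LOGBASE"
    else
        printf '%s/%s\n' "$SNORT_LOGBASE" "$_if"
    fi
}

# Directory the barnyard2 init script reads from for interface $1.
barnyard2_logdir() {
    printf '%s/%s\n' "$SNORT_LOGBASE" "$1"
}

# Compare the two for every configured interface. Returns 0 when they all
# agree, 1 when at least one interface would leave barnyard2 reading a
# directory snort never writes to (the single-interface case from the post).
check_logdir_match() {
    ifaces="$1"
    rc=0
    for iface in $ifaces; do
        s=$(snort_logdir "$ifaces" "$iface")
        b=$(barnyard2_logdir "$iface")
        if [ "$s" = "$b" ]; then
            echo "OK       $iface: snort writes $s, barnyard2 reads $b"
        else
            echo "MISMATCH $iface: snort writes $s, barnyard2 reads $b"
            rc=1
        fi
    done
    return $rc
}

# Return 0 if the 'output unified2:' line in snort.conf ($1) carries 'nostamp',
# which suppresses the .<unix-time> suffix barnyard2 looks for.
unified2_has_nostamp() {
    grep -E '^[[:space:]]*output[[:space:]]+unified2:' "$1" | grep -q 'nostamp'
}

# Print the newest timestamped unified2 file ($2.<digits>) in directory $1, or
# return 1 when none exists. Non-numeric suffixes such as merged.log.old are
# ignored, as barnyard2 would not pick them up.
newest_unified2() {
    dir="$1"
    base="$2"
    newest=""
    for f in "$dir/$base".*; do
        [ -f "$f" ] || continue
        suffix="${f##*.}"
        case "$suffix" in
            *[!0-9]*|'') continue ;;
        esac
        if [ -z "$newest" ] || [ "$suffix" -gt "${newest##*.}" ]; then
            newest="$f"
        fi
    done
    [ -n "$newest" ] && printf '%s\n' "$newest"
}

# Usage (constructed values): INTERFACE="eth0" sh check_logdirs.sh
# With INTERFACE="eth0" this prints the MISMATCH line from the post; with
# INTERFACE="eth0 eth1" both interfaces print OK.
if [ -n "${INTERFACE-}" ]; then
    check_logdir_match "$INTERFACE"
fi
```

Run it with the same `INTERFACE` value as /etc/sysconfig/snort; a MISMATCH line reproduces the single-interface problem from the post, and `newest_unified2 /var/log/snort/eth0 merged.log` returning nothing after snort has been running is the symptom of `nostamp` still being set.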
