firnsy / barnyard2

Barnyard2 is a dedicated spooler for Snort's unified2 binary output format.
GNU General Public License v2.0

Barnyard2 not logging snort log into mysql database. #64

Closed sumitkamboj closed 11 years ago

sumitkamboj commented 11 years ago

Hi,

I have set up snort 2.9.4 and barnyard2-1.11 on an ubuntu 11.10 box. All seems ok; however, the events generated by snort are not written to the mysql database.

---- below the setup in snort.conf

output unified2: filename snort.log, limit 128

----- below the barnyard2 config

config reference_file: /etc/snort/reference.config
config classification_file: /etc/snort/classification.config
config gen_file: /etc/snort/gen-msg.map
config sid_file: /etc/snort/community-sid-msg.map
config logdir: /var/log/barnyard2/
config waldo_file: /var/log/snort/barnyard2.waldo
input unified2
output database: log, mysql, user=snort password=snortpass dbname=snort host=localhost

---- below the barnyard startup command

barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort -f snort.log -w /var/log/snort/barnyard2.waldo

---- below the stdout from above barnyard job ----------------------

Running in Continuous mode

    --== Initializing Barnyard2 ==--

Initializing Input Plugins!
Initializing Output Plugins!
Parsing config file "/etc/snort/barnyard2.conf"
Barnyard2 spooler: Event cache size set to [2048]
Log directory = /var/log/barnyard2
INFO database: Defaulting Reconnect/Transaction Error limit to 10
INFO database: Defaulting Reconnect sleep time to 5 second
database: [SynchronizeEventId()]: Problems executing [SELECT MAX(cid) FROM data WHERE sid='2';]
database: [SynchronizeEventId()]: Problems executing [SELECT MAX(cid) FROM event WHERE sid='2';]
database: [SynchronizeEventId()]: Problems executing [SELECT MAX(cid) FROM icmphdr WHERE sid='2';]
database: [SynchronizeEventId()]: Problems executing [SELECT MAX(cid) FROM iphdr WHERE sid='2';]
database: [SynchronizeEventId()]: Problems executing [SELECT MAX(cid) FROM opt WHERE sid='2';]
database: [SynchronizeEventId()]: Problems executing [SELECT MAX(cid) FROM tcphdr WHERE sid='2';]
database: [SynchronizeEventId()]: Problems executing [SELECT MAX(cid) FROM udphdr WHERE sid='2';]
[SignatureReferencePullDataStore()]: No Reference found in database ...
database: compiled support for (mysql)
database: configured to use mysql
database: schema version = 107
database: host = localhost
database: user = snort
database: database name = snort
database: sensor name = sumit-laptop:NULL
database: sensor id = 2
database: sensor cid = 1
database: data encoding = hex
database: detail level = full
database: ignore_bpf = no
database: using the "log" facility

    --== Initialization Complete ==--

__ -> Barnyard2 <- / ,,_ \ Version 2.1.11 (Build 317) |o" )~| By Ian Firns (SecurixLive): http://www.securixlive.com/

Using waldo file '/var/log/snort/barnyard2.waldo':
spool directory = /var/log/snort
spool filebase = snort.log
time_stamp = 1359316800
record_idx = 0
Opened spool file '/var/log/snort/snort.log.1359316800'
Waiting for new data

database: Closing connection to database "snort"

Record Totals:
Records: 0
Events: 0 (0.000%)
Packets: 0 (0.000%)
Unknown: 0 (0.000%)

Packet breakdown by protocol (includes rebuilt packets):
ETH: 0 (0.000%) ETHdisc: 0 (0.000%) VLAN: 0 (0.000%)
IPV6: 0 (0.000%) IP6 EXT: 0 (0.000%) IP6opts: 0 (0.000%) IP6disc: 0 (0.000%)
IP4: 0 (0.000%) IP4disc: 0 (0.000%)
TCP 6: 0 (0.000%) UDP 6: 0 (0.000%) ICMP6: 0 (0.000%) ICMP-IP: 0 (0.000%)
TCP: 0 (0.000%) UDP: 0 (0.000%) ICMP: 0 (0.000%)
TCPdisc: 0 (0.000%) UDPdisc: 0 (0.000%) ICMPdis: 0 (0.000%)
FRAG: 0 (0.000%) FRAG 6: 0 (0.000%) ARP: 0 (0.000%) EAPOL: 0 (0.000%)
ETHLOOP: 0 (0.000%) IPX: 0 (0.000%) OTHER: 0 (0.000%) DISCARD: 0 (0.000%)
InvChkSum: 0 (0.000%) S5 G 1: 0 (0.000%) S5 G 2: 0 (0.000%)
Total: 0

Problem: I am running snort on the ppp0 interface using the command snort -c /etc/snort/snort.conf -i ppp0 -A console. Snort logs all alerts into the directory /var/log/snort. When I run barnyard it reads 0 records from all the log files that are generated by snort (the snort log files are full of alerts). In short, barnyard2 is reading the files but thinks there is no content in the file.

---- Sample log file (partial part of snort log file)

\D4ò\A1\00\00\00\00\00\00\00\00\00\00\EA\00\00q\00\00\00O\87Q\FB\A9 \00\C4\00\00\C4\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00E\00\B4\EE@\00-D\92S\A7\E6\B0u\E0e[\00P\B2\B1gw\B1\FE\F8\80\00;-\97\00\00 \B2晭\00=\CFHTTP/1.1 200 OK Date: Sun, 27 Jan 2013 20:00:14 GMT Server: Apache X-Powered-By: PHP/5.3.8 Connection: close Transfer-Encoding: chunked Content-Type: text/html

Please guys help as soon as possible.

binf commented 11 years ago

How large is your unified2 file?

The record you printed seems to be an EXTRA DATA record. Barnyard2 and the default database schema do not support the EXTRA DATA type of unified2 records, but you should have statistics for unknown records when you exit barnyard2.

But if you have regular events in the unified2 file they should be logged without an issue.

Also if you want to have valid unified2 output you should not run snort using the -A console output mode.

Just run snort normally, using snort -c /snort.conf -i IFACENAME

sumitkamboj commented 11 years ago

The size of my unified file is 75.1KB. I am pasting the content of the unified file again with more detail.

---- content of unified file

\D4ò\A1\00\00\00\00\00\00\00\00\00\00\EA\00\00q\00\00\00\95Q\97\E5\00\C4\00\00\C4\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00E\00\B4\DA\FE@\00,\B0\C1S\A7\E6\B0u\E0 L\00P\D2\EA\8E;\FDu\8C\CAkj\80\00:t\00\00 \B3'\88\00JuGHTTP/1.1 200 OK Date: Sun, 27 Jan 2013 20:58:43 GMT Server: Apache X-Powered-By: PHP/5.3.8 Connection: close Transfer-Encoding: chunked Content-Type: text/html

2023

Songs.PK - Download Bollywood Songs,Songspk,Mp3 Songs,Bollywood Music,Indian Movie Songs,Hindi Music,Indian Mp3

3a9e
<\95Q\FD\00\C4\00\00\C4\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00E\00\B4\DB@\00,\B0\BES\A7\E6\B0u\E0 L\00P\D2\EA\8E< \F5\8C\CAkj\80\00:\B8U\00\00 \B3(\DB\00Ju\B9img src="http://images.songspk.pk/images/cellpk_01.gif" width="19" height="15" alt="">
Songs.PK - Bollywood Music Indian Songs Mp3

Home | Bollywood Songs | Pakistani Songs | Indian Pop And Remix Songs | Bhangra Songs | Ghazals | Contact Us

sumitkamboj commented 11 years ago

Sorry guys, the previous comment got split into many parts due to having html tags.

binf commented 11 years ago

unified2 files are in a binary format; you should use the u2spewfoo tool that comes with the snort source to output relevant information from the unified2 file you're trying to process.

I'm still under the impression that the event you pasted is an EXTRA DATA event type, and as previously stated this is not logged to the database due to a format restriction.
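As an added illustration of binf's point that a unified2 spool is a stream of binary records rather than text (this is example code written for this thread, not part of barnyard2 or Snort), the following walks a unified2 byte stream by its record headers and counts records per type. Each record starts with a big-endian 32-bit type and a 32-bit length, and the type constants (2, 7, 72, 104, 105, 110) are the values from Snort's Unified2_common.h. It flags EXTRA_DATA records separately, since the thread notes the default database schema does not store them, reports a stream that ends mid-record (a spool file still being written), and checks the first four bytes against the libpcap file magic, because a Snort packet log written in tcpdump format starts that way and would yield zero unified2 records. The sample stream is constructed inline with zeroed event bodies and is not a real capture.

```python
import struct
from collections import Counter

# Record type constants as defined in Snort's Unified2_common.h
UNIFIED2_PACKET = 2
UNIFIED2_IDS_EVENT = 7
UNIFIED2_IDS_EVENT_IPV6 = 72
UNIFIED2_IDS_EVENT_VLAN = 104
UNIFIED2_IDS_EVENT_IPV6_VLAN = 105
UNIFIED2_EXTRA_DATA = 110

TYPE_NAMES = {
    UNIFIED2_PACKET: "PACKET",
    UNIFIED2_IDS_EVENT: "IDS_EVENT",
    UNIFIED2_IDS_EVENT_IPV6: "IDS_EVENT_IPV6",
    UNIFIED2_IDS_EVENT_VLAN: "IDS_EVENT_VLAN",
    UNIFIED2_IDS_EVENT_IPV6_VLAN: "IDS_EVENT_IPV6_VLAN",
    UNIFIED2_EXTRA_DATA: "EXTRA_DATA",
}

# libpcap file magic in both byte orders, plus the nanosecond-resolution variant.
# A file starting with one of these is a packet capture, not a unified2 spool.
PCAP_MAGICS = {b"\xd4\xc3\xb2\xa1", b"\xa1\xb2\xc3\xd4",
               b"\x4d\x3c\xb2\xa1", b"\xa1\xb2\x3c\x4d"}


def summarize_unified2(data):
    """Walk a unified2 byte stream: every record is a big-endian (type, length)
    header followed by `length` payload bytes.  Returns per-type counts, the
    number of EXTRA_DATA records, whether the stream ended mid-record, and
    whether the bytes look like a pcap file instead."""
    summary = {
        "counts": Counter(),
        "extra_data": 0,
        "truncated": False,
        "looks_like_pcap": data[:4] in PCAP_MAGICS,
        "bytes_consumed": 0,
    }
    if summary["looks_like_pcap"]:
        return summary
    off = 0
    while off + 8 <= len(data):
        rtype, rlen = struct.unpack("!II", data[off:off + 8])
        if off + 8 + rlen > len(data):
            break  # header promises more bytes than remain: partial write
        summary["counts"][TYPE_NAMES.get(rtype, "UNKNOWN(%d)" % rtype)] += 1
        if rtype == UNIFIED2_EXTRA_DATA:
            summary["extra_data"] += 1
        off += 8 + rlen
    summary["truncated"] = off != len(data)
    summary["bytes_consumed"] = off
    return summary


def make_record(rtype, payload):
    """Build one unified2 record (constructed test data, not a real capture)."""
    return struct.pack("!II", rtype, len(payload)) + payload


# Constructed sample stream: two IDS events (52-byte legacy event body, zeroed),
# one packet record with a dummy payload, and one EXTRA_DATA record.
SAMPLE_STREAM = (
    make_record(UNIFIED2_IDS_EVENT, b"\x00" * 52)
    + make_record(UNIFIED2_PACKET, b"\x00" * 28 + b"\xde\xad\xbe\xef")
    + make_record(UNIFIED2_IDS_EVENT, b"\x00" * 52)
    + make_record(UNIFIED2_EXTRA_DATA, b"\x00" * 40)
)

if __name__ == "__main__":
    s = summarize_unified2(SAMPLE_STREAM)
    for name, n in sorted(s["counts"].items()):
        print("%-22s %d" % (name, n))
    if s["extra_data"]:
        print("note: %d EXTRA_DATA record(s); barnyard2's default DB schema "
              "does not store these" % s["extra_data"])
    if s["truncated"]:
        print("warning: stream ends mid-record (spool still being written?)")
```

To run it against a real spool, read the file in binary mode (`open(path, "rb").read()`) and pass the bytes to `summarize_unified2`; a result of zero records with `looks_like_pcap` set means the file is not a unified2 spool at all, while a non-zero `extra_data` count with no IDS_EVENT records explains a database that stays empty even though the file is not.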

sumitkamboj commented 11 years ago

Thank you Binf. Now it's working using snort -c /snort.conf -i IFACENAME. Thanks again for helping.

maxbit89 commented 9 years ago

Hi, I have the same problem. I'm running xubuntu and I start snort like this via init:

/etc/init/snort.conf

description "Snort NIDS Service"
stop on runlevel [!2345]
start on runlevel [2345]
script
    exec /usr/local/bin/snort -q -u snort -g snort -c /etc/snort/snort.conf -i eth0 -D
end script

If I get it right, the only things that change here are:

  • the process runs as snort:snort
  • -q (quiet) disables outputs
  • -D (daemon)

So why should there be a difference?

When I start it from the command line: sudo /usr/local/bin/snort -q -u snort -g snort -c /etc/snort/snort.conf -i eth0

everything works fine :S

pauloangelo commented 9 years ago

Hi maxbit89,

Can you confirm that Snort is really running after the system boot, i.e. via the init process?

Try the command " ps auxw | grep snort "

If yes, take a look at the logs configured at your syslog, maybe /var/log/daemon.log or /var/log/snort.log, to see what is happening with snort.

Just to remind you that snort should save the events in a file (generally a unified2 file) and barnyard2 is "responsible" for reading this file and saving it in MySQL. So, you will need barnyard2 running too.

[]'s PA