Need help testing Snort, Barnyard2, PulledPork, BASE: IDS is not logging to MySQL
-*> Snort! <* Version 2.9.6.0 GRE (Build 47)
barnyard2-2-1.13
My system specs are Ubuntu 14.04 LTS with all current updates, 2.0 GB DDR400, AMD Athlon 64 Processor 3800+, currently running the OS 32-bit.
It seems like Snort, Barnyard2 and PulledPork are running well. I mean they aren't showing errors, I believe. I just am not getting anything in the MySQL database, as far as I can see through Basic Analysis and Security Engine (BASE).
Could somebody help me with a walkthrough to debug this? I can post my config files or links to screenshots, anything needed to get there. I have noticed this error at a lot of websites but haven't been able to figure it out, as many of the pages just stop without resolution. It could be a good complete answer for many people's problems. Anyway, thanks in advance. A Gallina
A little more info on what the software you are using is expected to do, maybe a link to a site. If you have MySQL, are you able to use it by logging in at a terminal? Can you create a database, access it, and insert into it that way, to eliminate that as a problem?
...and in addition to what yancek wrote about eliminating errors: the fact that Snort or Barnyard2 are not showing errors does not mean there aren't any. Snort requires configuration and a rule set, the result of which you can pre-flight check using the "-T" switch: see 'man snort'. And if you're using Barnyard2, ensure your configuration is correct. Note you can use multiple output plugins, so testing with syslog additionally will tell you if any alerts are logged. Also ensure the traffic you use (or replay) has rules that actually fire, because without any of that obviously nothing will be logged anywhere.
Quote:
Originally Posted by yancek
If you have mysql, are you able to use it by logging in to a terminal, can you create a database, access it, insert into that way to eliminate that as a problem.
Snort, PulledPork, Barnyard2, ADOdb and Basic Analysis and Security Engine (BASE), which is running on Apache, are designed to automate the process so one would not have to insert the data directly into the MySQL database.
The database is there, and BASE does try to connect to it.
Hello unSpawn.
I have checked the configs a lot :) Should I post them so you can see if anything stands out, please? Preflight passes with the -T command as far as I can tell.
I have put these in my local rules set to make it fire an alert.
Code:
# Local test rules: the msg text must be quoted, and local sids belong at or above 1000000
alert icmp any any -> any any (msg:"ICMP Testing Rule"; sid:1000001; rev:1;)
alert tcp any any -> any 80 (msg:"TCP Testing Rule"; sid:1000002; rev:1;)
alert udp any any -> any any (msg:"UDP Testing Rule"; sid:1000003; rev:1;)
Last edited by unSpawn; 03-22-2015 at 05:24 AM.
Reason: //Add vBB code and noparse tags.
As with software like Nagios, configuring Snort could be seen as some sort of rite of passage for Linux users which it really isn't: you should read the extensive documentation and understand what you're running. That also helps asking more detailed questions. If you have verified your configuration files are correct there is no need to post them. (If you want to post them first clean them up like this:
then attach them to your reply.) Note that "-T" will output to stdout / stderr or syslog so that would be good to check thoroughly. Same goes for what I wrote about using syslog with Barnyard2 (at least during your setup phase) to ensure rules actually fire.
Code:
150322 5:26:48 [Note] /usr/sbin/mysqld: Normal shutdown
150322 5:26:48 [Note] Event Scheduler: Purging the queue. 0 events
150322 5:26:51 [Warning] /usr/sbin/mysqld: Forcing close of thread 48 user: 'snort'
150322 5:26:55 InnoDB: Starting shutdown...
150322 5:26:58 InnoDB: Shutdown completed; log sequence number 29543893
150322 5:26:58 [Note] /usr/sbin/mysqld: Shutdown complete
150322 8:51:32 [Warning] Using unique option prefix myisam-recover instead of myisam-recover-options is deprecated and will be removed in a future release. Please use the full name instead.
150322 8:51:33 [Note] Plugin 'FEDERATED' is disabled.
150322 8:51:33 InnoDB: The InnoDB memory heap is disabled
150322 8:51:33 InnoDB: Mutexes and rw_locks use GCC atomic builtins
150322 8:51:33 InnoDB: Compressed tables use zlib 1.2.8
150322 8:51:33 InnoDB: Using Linux native AIO
150322 8:51:33 InnoDB: Initializing buffer pool, size = 128.0M
150322 8:51:33 InnoDB: Completed initialization of buffer pool
150322 8:51:33 InnoDB: highest supported file format is Barracuda.
150322 8:51:37 InnoDB: Waiting for the background threads to start
150322 8:51:38 InnoDB: 5.5.41 started; log sequence number 29543893
150322 8:51:38 [Note] Server hostname (bind-address): '127.0.0.1'; port: 3306
150322 8:51:38 [Note] - '127.0.0.1' resolves to '127.0.0.1';
150322 8:51:38 [Note] Server socket created on IP: '127.0.0.1'.
150322 8:51:39 [Note] Event Scheduler: Loaded 0 events
150322 8:51:39 [Note] /usr/sbin/mysqld: ready for connections.
Version: '5.5.41-0ubuntu0.14.04.1' socket: '/var/run/mysqld/mysqld.sock' port: 3306 (Ubuntu)
Let me know if you see anything here, or what my next step would be, please. And thank you for taking the time to look at this.
Last edited by unSpawn; 03-26-2015 at 01:35 AM.
Reason: //Moved SMTP issue to https://www.linuxquestions.org/questions/linux-software-2/smtp-issue-4175537871/
Explain, I think, because I said that if you have verified your configuration files are correct there is no need to post them? Besides, I hinted twice now at checking snort's "-T" output and using syslog with Barnyard2, which you have not addressed.
Thank you unSpawn.
Snort runs fine with -T. It seems Barnyard won't log to syslog. I tried by activating output alert_syslog, and output alert_syslog: LOG_AUTH LOG_INFO. Neither would give me output to syslog. Is that what you were suggesting for me to do? Did I miss anything? I tried a scan on myself too with nmap. Not sure what to try next, or how to do it. Suggestions will be greatly appreciated. Thank you unSpawn.
Quote:
Originally Posted by A Gallina
Seems Barnyard won't log to syslog. I tried by activating output alert_syslog, and output alert_syslog: LOG_AUTH LOG_INFO. Neither would give me output to syslog. Is that what you were suggesting for me to do?
Yes. Try this with respect to Barnyard2 syslog syntax.
Thank you unSpawn.
Barnyard2 seems to be stopping with a fatal error, but it is logging to syslog now. That's how I could see this.
Code:
Mar 29 10:38:39 zina-desktop barnyard2[3886]: --== Initializing Barnyard2 ==--
Mar 29 10:38:39 zina-desktop barnyard2[3886]: Initializing Input Plugins!
Mar 29 10:38:39 zina-desktop barnyard2[3886]: Initializing Output Plugins!
Mar 29 10:38:39 zina-desktop barnyard2[3886]: Parsing config file "/etc/snort/barnyard.conf"
Mar 29 10:38:39 zina-desktop barnyard2[3886]: #012#012+[ Signature Suppress list ]+#012----------------------------
Mar 29 10:38:39 zina-desktop barnyard2[3886]: +[No entry in Signature Suppress List]+
Mar 29 10:38:39 zina-desktop barnyard2[3886]: ----------------------------#012+[ Signature Suppress list ]+#012
Mar 29 10:38:39 zina-desktop barnyard2[3886]: Barnyard2 spooler: Event cache size set to [2048]
Mar 29 10:38:39 zina-desktop barnyard2[3886]: FATAL ERROR: Stat check on log dir (/var/log/snort/eth0) failed: No such file or directory.
Mar 29 10:38:39 zina-desktop barnyard2[3886]: Barnyard2 exiting
Mar 29 10:38:39 zina-desktop barnyard2[3886]: ===============================================================================
Not sure where it is getting the input to check /var/log/snort/eth0:
"Mar 29 10:38:39 zina-desktop barnyard2[3886]: FATAL ERROR: Stat check on log dir (/var/log/snort/eth0)"
There is a /var/log/snort/, but it has the waldo files and active u2 files there. No file named eth0.
I figured it had to be getting this setting from the barnyard config file, but couldn't see it there.
Looks like barnyard2 gets started with "-d /var/log/snort/eth0". While barnyard2 is running run 'pgrep -lf barnyard2;' to catch command line args or check your init script. Or else just 'install -m 0750 -o snort -g snort -d /var/log/snort/eth0/archive;'. *Note please adjust -o and -g ownership to match the account Snort/Barnyard2 runs under and also note the "/archive" is due to barnyard2 maybe running with also "-a /var/log/snort/eth0/archive".
How would I check my init script, please?
Also, upon a closer look at my syslog, it appears as if two instances of barnyard2 are running. The first one appears to be correct while the second crashes.
Code:
Mar 31 09:50:37 zina-desktop snort[3646]: --== Initialization Complete ==--
Mar 31 09:50:37 zina-desktop snort[3646]: Commencing packet processing (pid=3646)
Mar 31 09:50:37 zina-desktop barnyard2[3679]: Running in Continuous mode
Mar 31 09:50:37 zina-desktop barnyard2[3679]:
Mar 31 09:50:37 zina-desktop barnyard2[3679]: --== Initializing Barnyard2 ==--
Mar 31 09:50:37 zina-desktop barnyard2[3679]: Initializing Input Plugins!
Mar 31 09:50:37 zina-desktop barnyard2[3679]: Initializing Output Plugins!
Mar 31 09:50:37 zina-desktop barnyard2[3679]: Parsing config file "/etc/snort/barnyard2.conf"
Mar 31 09:50:37 zina-desktop barnyard2[3679]: #012#012+[ Signature Suppress list ]+#012----------------------------
Mar 31 09:50:37 zina-desktop barnyard2[3679]: +[No entry in Signature Suppress List]+
Mar 31 09:50:37 zina-desktop barnyard2[3679]: ----------------------------#012+[ Signature Suppress list ]+#012
Mar 31 09:50:38 zina-desktop barnyard2[3679]: Barnyard2 spooler: Event cache size set to [2048]
Mar 31 09:50:38 zina-desktop barnyard2[3679]: Log directory = /var/log/barnyard2
Mar 31 09:50:38 zina-desktop snort[3679]: Initializing daemon mode
Mar 31 09:50:38 zina-desktop snort[3680]: Daemon initialized, signaled parent pid: 3679
Mar 31 09:50:38 zina-desktop snort[3680]: PID path stat checked out ok, PID path set to /var/run/
Mar 31 09:50:38 zina-desktop snort[3680]: Writing PID "3680" to file "/var/run//barnyard2_NULL.pid"
Mar 31 09:50:38 zina-desktop snort[3680]:
Mar 31 09:50:38 zina-desktop snort[3680]: --== Initialization Complete ==--
Mar 31 09:50:38 zina-desktop snort[3680]: Barnyard2 initialization completed successfully (pid=3680)
Mar 31 09:50:38 zina-desktop snort[3679]: Daemon parent exiting
Mar 31 09:50:38 zina-desktop snort[3680]: Using waldo file '/var/log/snort/barnyard2.waldo':#012 spool directory = /var/log/snort#012 spool filebase = snort.log#012 time_stamp = 1427477973#012 record_idx = 0
Mar 31 09:50:38 zina-desktop snort[3680]: Processing new records only.
Mar 31 09:50:38 zina-desktop snort[3680]: Skipping file: /var/log/snort/snort.log.1427477973
Mar 31 09:50:38 zina-desktop snort[3680]: Opened spool file '/var/log/snort/snort.log.1427477973'
Mar 31 09:50:38 zina-desktop snort[3680]: Skipped 0 old records
Mar 31 09:50:38 zina-desktop snort[3680]: Waiting for new data
Mar 31 09:50:39 zina-desktop barnyard2[3910]: Running in Continuous mode
Mar 31 09:50:39 zina-desktop barnyard2[3910]:
Mar 31 09:50:39 zina-desktop barnyard2[3910]: --== Initializing Barnyard2 ==--
Mar 31 09:50:39 zina-desktop barnyard2[3910]: Initializing Input Plugins!
Mar 31 09:50:39 zina-desktop barnyard2[3910]: Initializing Output Plugins!
Mar 31 09:50:39 zina-desktop barnyard2[3910]: Parsing config file "/etc/snort/barnyard.conf"
Mar 31 09:50:39 zina-desktop barnyard2[3910]: #012#012+[ Signature Suppress list ]+#012----------------------------
Mar 31 09:50:39 zina-desktop barnyard2[3910]: +[No entry in Signature Suppress List]+
Mar 31 09:50:39 zina-desktop barnyard2[3910]: ----------------------------#012+[ Signature Suppress list ]+#012
Mar 31 09:50:40 zina-desktop barnyard2[3910]: Barnyard2 spooler: Event cache size set to [2048]
Mar 31 09:50:40 zina-desktop barnyard2[3910]: FATAL ERROR: Stat check on log dir (/var/log/snort/eth0) failed: No such file or directory.
Mar 31 09:50:40 zina-desktop barnyard2[3910]: Barnyard2 exiting
Mar 31 09:50:40 zina-desktop barnyard2[3910]: ===============================================================================
Mar 31 09:50:40 zina-desktop barnyard2[3910]: Record Totals:
Mar 31 09:50:40 zina-desktop barnyard2[3910]: Records: 0
Mar 31 09:50:40 zina-desktop barnyard2[3910]: Events: 0 (0.000%)
Mar 31 09:50:40 zina-desktop barnyard2[3910]: Packets: 0 (0.000%)
Mar 31 09:50:40 zina-desktop barnyard2[3910]: Unknown: 0 (0.000%)
Mar 31 09:50:40 zina-desktop barnyard2[3910]: Suppressed: 0 (0.000%)
Mar 31 09:50:40 zina-desktop barnyard2[3910]: ===============================================================================
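Two things in the syslog excerpt above are easy to miss when reading it by eye: the crashing instance (pid 3910) parsed /etc/snort/barnyard.conf while the healthy one (pid 3679) parsed /etc/snort/barnyard2.conf, and after the healthy instance daemonized its child logged as snort[3680] rather than barnyard2. The script below is an added example, not code from this thread, from Snort or from Barnyard2. It groups syslog lines by pid, follows the fork through the "signaled parent pid" message, and reports per barnyard2 start-up the config file parsed, the log directory it settled on or the one the stat check failed on (the directory unSpawn's pgrep / install -d advice is about), the spool directory taken from the waldo file, and any FATAL ERROR. The sample lines are constructed from the excerpt posted above; the `#012` sequences are how rsyslog escapes newlines inside a message, and the `snort` ident on the daemon child is taken as observed in the excerpt, not as documented behaviour.

```python
"""Triage barnyard2 start-up messages from syslog.

Groups lines by pid, follows the daemon fork via "signaled parent pid", and
records per instance: config file, log dir (settled or failed), spool dir
from the waldo file, and any FATAL ERROR.  Added example, not project code.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# "Mar 31 09:50:40 host ident[pid]: message".  The ident is not reliable here:
# in the posted log the daemonized child logs as "snort[3680]", so key on pid.
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+(?P<host>\S+)\s+"
    r"(?P<ident>[^\[\s]+)\[(?P<pid>\d+)\]:\s?(?P<msg>.*)$"
)
CONFIG_RE = re.compile(r'Parsing config file "(?P<path>[^"]+)"')
LOGDIR_RE = re.compile(r"Log directory = (?P<path>\S+)")
STAT_RE = re.compile(r"Stat check on log dir \((?P<path>[^)]+)\) failed")
FATAL_RE = re.compile(r"FATAL ERROR: (?P<text>.+)")
PARENT_RE = re.compile(r"signaled parent pid: (?P<ppid>\d+)")
WALDO_RE = re.compile(
    r"Using waldo file '(?P<waldo>[^']+)':\s*spool directory = (?P<spool>\S+)"
)


@dataclass
class Instance:
    pid: int
    config_file: Optional[str] = None
    log_dir: Optional[str] = None
    missing_log_dir: Optional[str] = None
    spool_dir: Optional[str] = None
    waldo: Optional[str] = None
    fatal: Optional[str] = None
    daemon_pid: Optional[int] = None


def triage(lines: List[str]) -> List[Instance]:
    """One Instance per "--== Initializing Barnyard2 ==--" seen, in log order."""
    instances: Dict[int, Instance] = {}
    alias: Dict[int, int] = {}  # daemon child pid -> pid of the instance that forked it
    for line in lines:
        m = SYSLOG_RE.match(line)
        if not m:
            continue
        pid = int(m.group("pid"))
        msg = m.group("msg").replace("#012", "\n")  # rsyslog escapes newlines as #012
        if "--== Initializing Barnyard2 ==--" in msg:
            instances[pid] = Instance(pid=pid)
            continue
        pm = PARENT_RE.search(msg)
        if pm and int(pm.group("ppid")) in instances:
            alias[pid] = int(pm.group("ppid"))
            instances[alias[pid]].daemon_pid = pid
            continue
        inst = instances.get(alias.get(pid, pid))
        if inst is None:
            continue  # snort itself, or an unrelated process sharing the log
        if cm := CONFIG_RE.search(msg):
            inst.config_file = cm.group("path")
        elif lm := LOGDIR_RE.search(msg):
            inst.log_dir = lm.group("path")
        elif wm := WALDO_RE.search(msg):
            inst.waldo, inst.spool_dir = wm.group("waldo"), wm.group("spool")
        elif fm := FATAL_RE.search(msg):
            inst.fatal = fm.group("text").rstrip(".")
            if sm := STAT_RE.search(msg):
                inst.missing_log_dir = sm.group("path")
    return list(instances.values())


def findings(instances: List[Instance]) -> List[str]:
    """Plain-text problems: crashed instances and start-ups that disagree on config."""
    out: List[str] = []
    for inst in instances:
        if inst.fatal:
            out.append(f"pid {inst.pid} ({inst.config_file}): {inst.fatal}")
        if inst.missing_log_dir:
            out.append(f"pid {inst.pid}: {inst.missing_log_dir} does not exist; "
                       "create it or fix the log dir in the config / init script")
    configs = sorted({i.config_file for i in instances if i.config_file})
    if len(configs) > 1:
        out.append("barnyard2 was started more than once with different config files: "
                   + ", ".join(configs))
    return out


# Constructed from the syslog excerpt posted in this thread (abridged).
SAMPLE_SYSLOG = """\
Mar 31 09:50:37 zina-desktop snort[3646]: Commencing packet processing (pid=3646)
Mar 31 09:50:37 zina-desktop barnyard2[3679]: --== Initializing Barnyard2 ==--
Mar 31 09:50:37 zina-desktop barnyard2[3679]: Parsing config file "/etc/snort/barnyard2.conf"
Mar 31 09:50:38 zina-desktop barnyard2[3679]: Log directory = /var/log/barnyard2
Mar 31 09:50:38 zina-desktop snort[3679]: Initializing daemon mode
Mar 31 09:50:38 zina-desktop snort[3680]: Daemon initialized, signaled parent pid: 3679
Mar 31 09:50:38 zina-desktop snort[3680]: Using waldo file '/var/log/snort/barnyard2.waldo':#012 spool directory = /var/log/snort#012 spool filebase = snort.log#012 time_stamp = 1427477973#012 record_idx = 0
Mar 31 09:50:39 zina-desktop barnyard2[3910]: --== Initializing Barnyard2 ==--
Mar 31 09:50:39 zina-desktop barnyard2[3910]: Parsing config file "/etc/snort/barnyard.conf"
Mar 31 09:50:40 zina-desktop barnyard2[3910]: FATAL ERROR: Stat check on log dir (/var/log/snort/eth0) failed: No such file or directory.
"""

if __name__ == "__main__":
    import sys
    lines = open(sys.argv[1]).read().splitlines() if len(sys.argv) > 1 else SAMPLE_SYSLOG.splitlines()
    for problem in findings(triage(lines)):
        print(problem)
```

Run it with no argument to see the three findings for the sample, or pass the path to /var/log/syslog to triage a live box. The point of keying on pid rather than on the syslog ident is exactly the quirk in the excerpt: filtering on `barnyard2[` alone would drop the daemon child's waldo and spool information.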
Apologies for late reply. Got caught up doing stuff as usual.
Quote:
Originally Posted by A Gallina
How would I check my init script, please?
Hmm. That kind of depends. If you install packages from source they may (or may not) provide an init script. Another indication may be how you run your application. If you don't prefix the applications name with systemctl, service or /etc/init.d/ then you may not have (or use) an init script. You could try to find it with commands like 'locate barnyard|grep etc/;' or 'find /etc -iname barnyard\*;'. Else maybe create one yourself: https://help.ubuntu.com/community/UbuntuBootupHowto
Quote:
Originally Posted by A Gallina
Also, upon a closer look at my syslog, it appears as if two instances of barnyard2 are running. The first one appears to be correct while the second crashes.
I saw that but I have no idea what's causing it.
Anyway, I'll be setting up a Snort node next week (CentOS though), until then I suggest you best retrace your steps, redo all installation and configuration steps.