Snort configuration changes not happening…
-
Hey all,
I am trying to configure the snort package but when I change options under the advanced tab, it doesn't seem to want to accept any of them.
For instance, if I turn off "enable barnyard2" after having it enabled, I still get log entries concerning it.
Also, I have configured the database path but it is complaining that no database can be found. Here is my database field:
output database: log, mysql, dbname=snort user=snort host=db.home.<mydomain>.com password=XXXXXXXXXXXXX
Here is what I am seeing in the log:
Oct 11 17:54:01 barnyard2[55473]: FATAL ERROR:
Oct 11 17:54:01 barnyard2[55473]: database: must enter database name in configuration file
Oct 11 17:54:01 barnyard2[55471]: Daemon parent exiting
Oct 11 17:54:01 barnyard2[55473]: Daemon initialized, signaled parent pid: 55471
Oct 11 17:54:01 barnyard2[55473]: Writing PID "55473" to file "/var/run//barnyard2_re0.pid"
Oct 11 17:54:01 barnyard2[55473]: PID path stat checked out ok, PID path set to /var/run/
Oct 11 17:54:01 barnyard2[55471]: Initializing daemon mode
Oct 11 17:54:01 barnyard2[55471]: WARNING: Unable to open waldo file '/usr/local/etc/snort/barnyard2.waldo' (No such file or directory)
Oct 11 17:53:58 barnyard2[55471]: Generating maps
Oct 11 17:53:58 barnyard2[55471]: Found interface config directive (re0)
Oct 11 17:53:58 barnyard2[55471]: Found hostname config directive (fvtgate.home.tvf-prod.com)
Oct 11 17:53:58 barnyard2[55471]: Found sid-msg-map config directive (/usr/local/etc/snort/sid-msg.map)
Oct 11 17:53:58 barnyard2[55471]: Found gen-msg-map config directive (/usr/local/etc/snort/gen-msg.map)
Oct 11 17:53:58 barnyard2[55471]: Found class-map config directive (/usr/local/etc/snort/classification.config)
Oct 11 17:53:58 barnyard2[55471]: Found reference-map config directive (/usr/local/etc/snort/reference.config)
Oct 11 17:53:58 barnyard2[55471]: Parsing rules files /usr/local/etc/barnyard2.conf
Any ideas? All I want is to have the snort pkg send events to the mysql db!
Thanks
Please post pfSense version and system specs
-
pfSense version: 1.2.3-RC3
snort version: 2.8.4.1_5 pkg v.1.6
Memory usage is at 43%
cpu usage never goes over 50%
disk usage is about 1%
I have the box set up in a dual-wan load balanced configuration with very few rules and some very simple NAT (just nat for bittorrent, WoW & xboxlive).
Hardware info follows:
CPU: Intel(R) Celeron(R) CPU E3300 @ 2.50GHz (2500.02-MHz 686-class CPU)
  Origin = "GenuineIntel"  Id = 0x1067a  Stepping = 10
  Features=0xbfebfbff<FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CLFLUSH,DTS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE>
  Features2=0x400e3bd<SSE3,DTES64,MON,DS_CPL,VMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,XSAVE>
  AMD Features=0x20100000<NX,LM>
  AMD Features2=0x1<LAHF>
  Cores per package: 2
real memory  = 2136866816 (2037 MB)
avail memory = 2081316864 (1984 MB)
ACPI APIC Table: <GBT    GBTUACPI>
FreeBSD/SMP: Multiprocessor System Detected: 2 CPUs
 cpu0 (BSP): APIC ID:  0
 cpu1 (AP): APIC ID:  1
ioapic0: Changing APIC ID to 2
ioapic0 <Version 2.0> irqs 0-23 on motherboard
wlan: mac acl policy registered
kbd1 at kbdmux0
ath_hal: 0.9.20.3 (AR5210, AR5211, AR5212, RF5111, RF5112, RF2413, RF5413)
cryptosoft0: <software crypto> on motherboard
acpi0: <GBT GBTUACPI> on motherboard
acpi0: [ITHREAD]
acpi0: Power Button (fixed)
acpi0: reservation of 0, a0000 (3) failed
acpi0: reservation of 100000, 7f4e0000 (3) failed
Timecounter "ACPI-fast" frequency 3579545 Hz quality 1000
acpi_timer0: <24-bit timer at 3.579545MHz> port 0x408-0x40b on acpi0
acpi_hpet0: <High Precision Event Timer> iomem 0xfed00000-0xfed003ff on acpi0
Timecounter "HPET" frequency 14318180 Hz quality 900
acpi_button0: <Power Button> on acpi0
pcib0: <ACPI Host-PCI bridge> port 0xcf8-0xcff on acpi0
pci0: <ACPI PCI bus> on pcib0
vgapci0: <VGA-compatible display> port 0xe400-0xe407 mem 0xe1300000-0xe137ffff,0xd0000000-0xdfffffff,0xe1000000-0xe10fffff irq 16 at device 2.0 on pci0
agp0: <Intel G33 SVGA controller> on vgapci0
agp0: detected 7164k stolen memory
agp0: aperture size is 256M
pci0: <multimedia, HDA> at device 27.0 (no driver attached)
pcib1: <ACPI PCI-PCI bridge> irq 16 at device 28.0 on pci0
pci1: <ACPI PCI bus> on pcib1
pcib2: <ACPI PCI-PCI bridge> irq 17 at device 28.1 on pci0
pci2: <ACPI PCI bus> on pcib2
re0: <RealTek 8168/8168B/8168C/8168CP/8168D/8111B/8111C/8111CP PCIe Gigabit Ethernet> port 0xc000-0xc0ff mem 0xe1110000-0xe1110fff,0xe1100000-0xe110ffff irq 17 at device 0.0 on pci2
re0: Using 1 MSI messages
re0: Chip rev. 0x3c000000
re0: MAC rev. 0x00400000
miibus0: <MII bus> on re0
rgephy0: <RTL8169S/8110S/8211B media interface> PHY 1 on miibus0
rgephy0:  10baseT, 10baseT-FDX, 100baseTX, 100baseTX-FDX, 1000baseT, 1000baseT-FDX, auto
re0: Ethernet address: 00:24:1d:73:5e:b3
re0: [FILTER]
rl0: Ethernet address: 00:15:e9:f1:8e:e1
rl0: [ITHREAD]
rl1: <D-Link DFE-530TX+ 10/100BaseTX> port 0xd100-0xd1ff mem 0xe1201000-0xe12010ff irq 19 at device 1.0 on pci3
rlphy1: <RealTek internal media interface> PHY 0 on miibus2
rlphy1:  10baseT, 10baseT-FDX, 100baseTX, 100baseTX-FDX, auto
rl1: Ethernet address: 00:15:e9:f1:82:34
Essentially my problem seems to be that anything I change in the advanced configuration tab of the snort package doesn't get written back down into the configuration.
Cheers -
Remove all your passwords from the outputs.
Give me the output of
ps -aux | grep snort
cat /usr/local/etc/barnyard2.conf
rob
-
Here you go:
# ps -aux | grep snort
root 60350 0.9 16.3 358076 338300 ?? Ss Sun06PM 86:19.75 snort -c /usr/local/etc/snort/snort.conf -l /
root 60544 0.0 16.3 358076 338272 ?? Ss Sun06PM 28:43.74 snort -c /usr/local/etc/snort/snort.conf -l /
root 45872 0.0 0.0 1684 980 p0 RL+ 9:51PM 0:00.00 grep snort
#
# cat /usr/local/etc/barnyard2.conf
# barnyard2.conf
# barnyard2 can be found at http://www.securixlive.com/barnyard2/index.php
# Copyright (C) 2006 Robert Zelaya
# part of pfSense
# All rights reserved.
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are met:
# 1. Redistributions of source code must retain the above copyright notice,
# this list of conditions and the following disclaimer.
# 2. Redistributions in binary form must reproduce the above copyright
# notice, this list of conditions and the following disclaimer in the
# documentation and/or other materials provided with the distribution.
# THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
# INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
# AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
# AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
# OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
# INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
# CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
# ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
# POSSIBILITY OF SUCH DAMAGE.
# set the appropriate paths to the file(s) your Snort process is using
config reference-map: /usr/local/etc/snort/reference.config
config class-map: /usr/local/etc/snort/classification.config
config gen-msg-map: /usr/local/etc/snort/gen-msg.map
config sid-msg-map: /usr/local/etc/snort/sid-msg.map
config hostname: fvtgate.home.tvf-prod.com
config interface:
# Step 2: setup the input plugins
input unified2
# database: log to a variety of databases
output database: log, mysql, dbname=snort user=snort host=XXXXXXXXXXXXXXXXXXX password=XXXXXXXXXXXXXXXX
-
Weird, don't know why your barnyard2.conf file is not being updated.
As long as you click save in the Advanced tab the settings.
What is your interface name?
What are you typing in the Barnyard2 Configure Interface ID?
I'm redoing the barnyard code tonight…
James
-
I am running snort on both WAN & OPT1, but I've tried to put all sorts of info in the barnyard interface field (rl0, re0, re1, LAN, WAN, OPT1).
Also, I'm not getting any data at all being sent to mysql, although this is probably normal since the service doesn't seem to be starting up (cf. previous log entries).
Cheers
-
Do an ifconfig and only put BSD interface names like vr0, not WAN.
Logging to mysql with multiple interfaces is broken right now.
Redoing the code. Be patient.
James
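A pre-flight check for the two failures shown in this thread (a blank or GUI-style "config interface:" and an "output database:" line missing a key), written as an added example; it is not code from the thread or from the pfSense snort package. The conf path, the interface list argument (which on FreeBSD/pfSense would come from `ifconfig -l`) and the sample file contents are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread or the pfSense package): check barnyard2.conf
# before starting barnyard2. $2 of check_interface is the list of real BSD interface
# names; on pfSense it would be "$(ifconfig -l)". Assumed file layout mirrors the thread.

# Print the value of "config interface:" from conf file $1 (empty when blank).
conf_interface() {
    sed -n 's/^config interface:[[:space:]]*//p' "$1" | head -n 1
}

# Succeed only when the configured interface is one of the names in $2.
check_interface() {
    iface=$(conf_interface "$1")
    [ -n "$iface" ] || { echo "config interface: is blank" >&2; return 1; }
    for i in $2; do
        [ "$i" = "$iface" ] && return 0
    done
    echo "config interface: '$iface' not in '$2' (use a BSD name like re0, not WAN)" >&2
    return 1
}

# Succeed only when the mysql output line carries dbname=, user= and host=.
# Only the missing key name is reported, so the password never reaches the log.
check_database_output() {
    line=$(grep '^output database:' "$1" | head -n 1)
    [ -n "$line" ] || { echo "no output database: line" >&2; return 1; }
    for key in dbname user host; do
        case " $line" in
            *" $key="*) ;;
            *) echo "output database: missing $key=" >&2; return 1 ;;
        esac
    done
    return 0
}

# Constructed sample mirroring the thread's file: interface blank, database line complete.
write_sample_conf() {
    cat > "$1" <<'EOF'
config hostname: fvtgate.example
config interface:
input unified2
output database: log, mysql, dbname=snort user=snort host=db.example password=REDACTED
EOF
}

tmp="${TMPDIR:-/tmp}/barnyard2_check.$$"
write_sample_conf "$tmp"
check_interface "$tmp" "re0 rl0 rl1" || echo "interface check failed (expected for the sample)"
check_database_output "$tmp" && echo "database line ok"
rm -f "$tmp"
```

Running it against the thread's own file would flag the blank "config interface:" line while passing the database line, which matches the symptom James points at.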