Snort configuration changes not happening…



  • Hey all,

    I am trying to configure the snort package but when I change options under the advanced tab, it doesn't seem to want to accept any of them.

    For instance, if I turn off «enable barnyard2» after having it enabled, I still get log entries concerning it.

    Also, I have configured the database path but it is complaining that no database can be found. Here is my database field:

    output database: log, mysql, dbname=snort user=snort host=db.home.<mydomain>.com password=XXXXXXXXXXXXX
    

    Here is what I am seeing in the log:

    Oct 11 17:54:01	barnyard2[55473]: FATAL ERROR:
    Oct 11 17:54:01	barnyard2[55473]: FATAL ERROR:
    Oct 11 17:54:01	barnyard2[55473]: database: must enter database name in configuration file
    Oct 11 17:54:01	barnyard2[55473]: database: must enter database name in configuration file
    Oct 11 17:54:01	barnyard2[55471]: Daemon parent exiting
    Oct 11 17:54:01	barnyard2[55471]: Daemon parent exiting
    Oct 11 17:54:01	barnyard2[55473]: Daemon initialized, signaled parent pid: 55471
    Oct 11 17:54:01	barnyard2[55473]: Daemon initialized, signaled parent pid: 55471
    Oct 11 17:54:01	barnyard2[55473]: Writing PID "55473" to file "/var/run//barnyard2_re0.pid"
    Oct 11 17:54:01	barnyard2[55473]: Writing PID "55473" to file "/var/run//barnyard2_re0.pid"
    Oct 11 17:54:01	barnyard2[55473]: PID path stat checked out ok, PID path set to /var/run/
    Oct 11 17:54:01	barnyard2[55473]: PID path stat checked out ok, PID path set to /var/run/
    Oct 11 17:54:01	barnyard2[55471]: Initializing daemon mode
    Oct 11 17:54:01	barnyard2[55471]: Initializing daemon mode
    Oct 11 17:54:01	barnyard2[55471]: WARNING: Unable to open waldo file '/usr/local/etc/snort/barnyard2.waldo' (No such file or directory)
    Oct 11 17:54:01	barnyard2[55471]: WARNING: Unable to open waldo file '/usr/local/etc/snort/barnyard2.waldo' (No such file or directory)
    Oct 11 17:53:58	barnyard2[55471]: Generating maps
    Oct 11 17:53:58	barnyard2[55471]: Generating maps
    Oct 11 17:53:58	barnyard2[55471]: Found interface config directive (re0)
    Oct 11 17:53:58	barnyard2[55471]: Found interface config directive (re0)
    Oct 11 17:53:58	barnyard2[55471]: Found hostname config directive (fvtgate.home.tvf-prod.com)
    Oct 11 17:53:58	barnyard2[55471]: Found hostname config directive (fvtgate.home.tvf-prod.com)
    Oct 11 17:53:58	barnyard2[55471]: Found sid-msg-map config directive (/usr/local/etc/snort/sid-msg.map)
    Oct 11 17:53:58	barnyard2[55471]: Found sid-msg-map config directive (/usr/local/etc/snort/sid-msg.map)
    Oct 11 17:53:58	barnyard2[55471]: Found gen-msg-map config directive (/usr/local/etc/snort/gen-msg.map)
    Oct 11 17:53:58	barnyard2[55471]: Found gen-msg-map config directive (/usr/local/etc/snort/gen-msg.map)
    Oct 11 17:53:58	barnyard2[55471]: Found class-map config directive (/usr/local/etc/snort/classification.config)
    Oct 11 17:53:58	barnyard2[55471]: Found class-map config directive (/usr/local/etc/snort/classification.config)
    Oct 11 17:53:58	barnyard2[55471]: Found reference-map config directive (/usr/local/etc/snort/reference.config)
    Oct 11 17:53:58	barnyard2[55471]: Found reference-map config directive (/usr/local/etc/snort/reference.config)
    Oct 11 17:53:58	barnyard2[55471]: Parsing rules files /usr/local/etc/barnyard2.conf
    Oct 11 17:53:58	barnyard2[55471]: Parsing rules files /usr/local/etc/barnyard2.conf
    

    Any ideas? All I want is to have the snort pkg send events to a mysql db!

    Thanks



  • @fvter:

    Hey all,

    I am trying to configure the snort package but when I change options under the advanced tab, it doesn't seem to want to accept any of them.

    For instance, if I turn off «enable barnyard2» after having it enabled, I still get log entries concerning it.

    Also, I have configured the database path but it is complaining that no database can be found. Here is my database field:

    output database: log, mysql, dbname=snort user=snort host=db.home.<mydomain>.com password=XXXXXXXXXXXXX
    

    Here is what I am seeing in the log:

    Oct 11 17:54:01	barnyard2[55473]: FATAL ERROR:
    Oct 11 17:54:01	barnyard2[55473]: FATAL ERROR:
    Oct 11 17:54:01	barnyard2[55473]: database: must enter database name in configuration file
    Oct 11 17:54:01	barnyard2[55473]: database: must enter database name in configuration file
    Oct 11 17:54:01	barnyard2[55471]: Daemon parent exiting
    Oct 11 17:54:01	barnyard2[55471]: Daemon parent exiting
    Oct 11 17:54:01	barnyard2[55473]: Daemon initialized, signaled parent pid: 55471
    Oct 11 17:54:01	barnyard2[55473]: Daemon initialized, signaled parent pid: 55471
    Oct 11 17:54:01	barnyard2[55473]: Writing PID "55473" to file "/var/run//barnyard2_re0.pid"
    Oct 11 17:54:01	barnyard2[55473]: Writing PID "55473" to file "/var/run//barnyard2_re0.pid"
    Oct 11 17:54:01	barnyard2[55473]: PID path stat checked out ok, PID path set to /var/run/
    Oct 11 17:54:01	barnyard2[55473]: PID path stat checked out ok, PID path set to /var/run/
    Oct 11 17:54:01	barnyard2[55471]: Initializing daemon mode
    Oct 11 17:54:01	barnyard2[55471]: Initializing daemon mode
    Oct 11 17:54:01	barnyard2[55471]: WARNING: Unable to open waldo file '/usr/local/etc/snort/barnyard2.waldo' (No such file or directory)
    Oct 11 17:54:01	barnyard2[55471]: WARNING: Unable to open waldo file '/usr/local/etc/snort/barnyard2.waldo' (No such file or directory)
    Oct 11 17:53:58	barnyard2[55471]: Generating maps
    Oct 11 17:53:58	barnyard2[55471]: Generating maps
    Oct 11 17:53:58	barnyard2[55471]: Found interface config directive (re0)
    Oct 11 17:53:58	barnyard2[55471]: Found interface config directive (re0)
    Oct 11 17:53:58	barnyard2[55471]: Found hostname config directive (fvtgate.home.tvf-prod.com)
    Oct 11 17:53:58	barnyard2[55471]: Found hostname config directive (fvtgate.home.tvf-prod.com)
    Oct 11 17:53:58	barnyard2[55471]: Found sid-msg-map config directive (/usr/local/etc/snort/sid-msg.map)
    Oct 11 17:53:58	barnyard2[55471]: Found sid-msg-map config directive (/usr/local/etc/snort/sid-msg.map)
    Oct 11 17:53:58	barnyard2[55471]: Found gen-msg-map config directive (/usr/local/etc/snort/gen-msg.map)
    Oct 11 17:53:58	barnyard2[55471]: Found gen-msg-map config directive (/usr/local/etc/snort/gen-msg.map)
    Oct 11 17:53:58	barnyard2[55471]: Found class-map config directive (/usr/local/etc/snort/classification.config)
    Oct 11 17:53:58	barnyard2[55471]: Found class-map config directive (/usr/local/etc/snort/classification.config)
    Oct 11 17:53:58	barnyard2[55471]: Found reference-map config directive (/usr/local/etc/snort/reference.config)
    Oct 11 17:53:58	barnyard2[55471]: Found reference-map config directive (/usr/local/etc/snort/reference.config)
    Oct 11 17:53:58	barnyard2[55471]: Parsing rules files /usr/local/etc/barnyard2.conf
    Oct 11 17:53:58	barnyard2[55471]: Parsing rules files /usr/local/etc/barnyard2.conf
    

    Any ideas? All I want is to have the snort pkg send events to a mysql db!

    Thanks

    Please post pfSense version and system specs



  • pfSense version: 1.2.3-RC3
    snort version: 2.8.4.1_5 pkg v.1.6

    Memory usage is at 43%
    CPU usage never goes over 50%
    disk usage is about 1%

    I have the box set-up in a dual-wan load balanced configuration with very few rules and some very simple NAT (just nat for bittorrent, WoW & xboxlive).

    Hardware info follows:

    CPU: Intel(R) Celeron(R) CPU        E3300  @ 2.50GHz (2500.02-MHz 686-class CPU)
      Origin = "GenuineIntel"  Id = 0x1067a  Stepping = 10
      Features=0xbfebfbff<FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CLFLUSH,DTS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE>
      Features2=0x400e3bd<SSE3,DTES64,MON,DS_CPL,VMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,XSAVE>
      AMD Features=0x20100000<NX,LM>
      AMD Features2=0x1<LAHF>
      Cores per package: 2
    real memory  = 2136866816 (2037 MB)
    avail memory = 2081316864 (1984 MB)
    ACPI APIC Table: <GBT    GBTUACPI>
    FreeBSD/SMP: Multiprocessor System Detected: 2 CPUs
     cpu0 (BSP): APIC ID:  0
     cpu1 (AP): APIC ID:  1
    ioapic0: Changing APIC ID to 2
    ioapic0 <Version 2.0> irqs 0-23 on motherboard
    wlan: mac acl policy registered
    kbd1 at kbdmux0
    ath_hal: 0.9.20.3 (AR5210, AR5211, AR5212, RF5111, RF5112, RF2413, RF5413)
    cryptosoft0: <software crypto> on motherboard
    acpi0: <GBT GBTUACPI> on motherboard
    acpi0: [ITHREAD]
    acpi0: Power Button (fixed)
    acpi0: reservation of 0, a0000 (3) failed
    acpi0: reservation of 100000, 7f4e0000 (3) failed
    Timecounter "ACPI-fast" frequency 3579545 Hz quality 1000
    acpi_timer0: <24-bit timer at 3.579545MHz> port 0x408-0x40b on acpi0
    acpi_hpet0: <High Precision Event Timer> iomem 0xfed00000-0xfed003ff on acpi0
    Timecounter "HPET" frequency 14318180 Hz quality 900
    acpi_button0: <Power Button> on acpi0
    pcib0: <ACPI Host-PCI bridge> port 0xcf8-0xcff on acpi0
    pci0: <ACPI PCI bus> on pcib0
    vgapci0: <VGA-compatible display> port 0xe400-0xe407 mem 0xe1300000-0xe137ffff,0xd0000000-0xdfffffff,0xe1000000-0xe10fffff irq 16 at device 2.0 on pci0
    agp0: <Intel G33 SVGA controller> on vgapci0
    agp0: detected 7164k stolen memory
    agp0: aperture size is 256M
    pci0: <Multimedia, HDA> at device 27.0 (no driver attached)
    pcib1: <ACPI PCI-PCI bridge> irq 16 at device 28.0 on pci0
    pci1: <ACPI PCI bus> on pcib1
    pcib2: <ACPI PCI-PCI bridge> irq 17 at device 28.1 on pci0
    pci2: <ACPI PCI bus> on pcib2
    re0: <RealTek 8168/8168B/8168C/8168CP/8168D/8111B/8111C/8111CP PCIe Gigabit Ethernet> port 0xc000-0xc0ff mem 0xe1110000-0xe1110fff,0xe1100000-0xe110ffff irq 17 at device 0.0 on pci2
    re0: Using 1 MSI messages
    re0: Chip rev. 0x3c000000
    re0: MAC rev. 0x00400000
    miibus0: <MII bus> on re0
    rgephy0: <RTL8169S/8110S/8211B media interface> PHY 1 on miibus0
    rgephy0:  10baseT, 10baseT-FDX, 100baseTX, 100baseTX-FDX, 1000baseT, 1000baseT-FDX, auto
    re0: Ethernet address: 00:24:1d:73:5e:b3
    re0: [FILTER]
    rl0: Ethernet address: 00:15:e9:f1:8e:e1
    rl0: [ITHREAD]
    rl1: <D-Link DFE-530TX+ 10/100BaseTX> port 0xd100-0xd1ff mem 0xe1201000-0xe12010ff irq 19 at device 1.0 on pci3
    rlphy1: <RealTek internal media interface> PHY 0 on miibus2
    rlphy1:  10baseT, 10baseT-FDX, 100baseTX, 100baseTX-FDX, auto
    rl1: Ethernet address: 00:15:e9:f1:82:34
    

    Essentially my problem seems to be that anything I change in the advanced configuration tab of the snort package doesn't get written back down into the configuration.
    Cheers



  • Remove all your passwords from the outputs.

    Give me the output of

    ps -aux | grep snort

    cat /usr/local/etc/barnyard2.conf

    rob



  • Here you go:

    
    # ps -aux | grep snort
    root   60350  0.9 16.3 358076 338300  ??  Ss   Sun06PM  86:19.75 snort -c /usr/local/etc/snort/snort.conf -l /
    root   60544  0.0 16.3 358076 338272  ??  Ss   Sun06PM  28:43.74 snort -c /usr/local/etc/snort/snort.conf -l /
    root   45872  0.0  0.0  1684   980  p0  RL+   9:51PM   0:00.00 grep snort
    #
    
    # cat /usr/local/etc/barnyard2.conf
    
    #       barnyard2.conf
    #   barnyard2 can be found at http://www.securixlive.com/barnyard2/index.php
    
    #       Copyright (C) 2006 Robert Zelaya
    #       part of pfSense
    #       All rights reserved.
    
    #       Redistribution and use in source and binary forms, with or without
    #       modification, are permitted provided that the following conditions are met:
    
    #       1. Redistributions of source code must retain the above copyright notice,
    #          this list of conditions and the following disclaimer.
    
    #       2. Redistributions in binary form must reproduce the above copyright
    #          notice, this list of conditions and the following disclaimer in the
    #          documentation and/or other materials provided with the distribution.
    
    #       THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
    #       INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
    #       AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
    #       AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
    #       OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
    #       SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
    #       INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
    #       CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
    #       ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
    #       POSSIBILITY OF SUCH DAMAGE.
    
    # set the appropriate paths to the file(s) your Snort process is using
    config reference-map:   /usr/local/etc/snort/reference.config
    config class-map:       /usr/local/etc/snort/classification.config
    config gen-msg-map:     /usr/local/etc/snort/gen-msg.map
    config sid-msg-map:     /usr/local/etc/snort/sid-msg.map
    
    config hostname:       fvtgate.home.tvf-prod.com
    config interface:
    
    # Step 2: setup the input plugins
    input unified2
    
    # database: log to a variety of databases
    output database: log, mysql, dbname=snort user=snort host=XXXXXXXXXXXXXXXXXXX password=XXXXXXXXXXXXXXXX
    
    


  • Weird, don't know why your barnyard2.conf file is not being updated.
    As long as you click save in the Advanced tab the settings.

    What is your interface name ?
    What are you typing in the Barnyard2 Configure Interface ID ?

    I'm redoing the barnyard code tonight…

    James



    I am running snort on both WAN & OPT1 but I've tried to put all sorts of info in the barnyard interface field (rl0, re0, re1, LAN, WAN, OPT1).

    Also, I'm not getting any data at all being sent to mysql. Although this is probably normal since the service doesn't seem to be starting up (cf. previous log entries).

    Cheers



    Do an ifconfig and only put BSD interface names like vr0, not WAN.

    Logging to mysql with multiple interfaces is broken right now.

    Redoing the code. Be patient.

    James
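The two things this thread ends up pointing at can be checked before restarting barnyard2: the posted barnyard2.conf had nothing after `config interface:`, and James's advice is that the value must be a kernel interface name from `ifconfig` (re0, rl0, vr0), not a pfSense label such as WAN or OPT1. The script below is an added example written for this thread, not pfSense or barnyard2 code. It takes the interface list as an argument instead of calling `ifconfig -l` so it runs on any system, and the sample configs it writes are constructed, with placeholder host and password values.

```shell
#!/bin/sh
# Pre-flight check for a barnyard2.conf (example written for this thread, not
# pfSense or barnyard2 code). It catches the problems discussed above before
# the daemon is restarted: an empty or alias-valued "config interface:" and an
# "output database:" line without a database name.

# check_barnyard2_conf <conf-file> "<space-separated BSD interface names>"
# On FreeBSD the second argument is what `ifconfig -l` prints, e.g. "re0 rl0 rl1".
# Prints one FAIL line per problem; returns 0 when the file passes, 1 otherwise.
check_barnyard2_conf() {
    conf="$1"
    ifaces="$2"
    rc=0

    # 1. "config interface:" must carry a value. The conf posted in the thread
    #    had nothing after the colon.
    iface=$(sed -n 's/^config interface:[[:space:]]*//p' "$conf" \
            | head -n 1 | sed 's/[[:space:]]*$//')
    if [ -z "$iface" ]; then
        echo "FAIL: 'config interface:' is missing or empty"
        rc=1
    else
        # 2. The value must be a kernel interface name (re0, rl0, vr0 ...), not a
        #    pfSense label such as WAN, LAN or OPT1.
        found=0
        for i in $ifaces; do
            [ "$i" = "$iface" ] && found=1
        done
        if [ "$found" -eq 0 ]; then
            echo "FAIL: interface '$iface' is not one of: $ifaces"
            rc=1
        fi
    fi

    # 3. The database output line must carry dbname=, otherwise barnyard2 stops
    #    with "database: must enter database name in configuration file".
    dbline=$(grep '^output database:' "$conf" | head -n 1)
    if [ -z "$dbline" ]; then
        echo "FAIL: no 'output database:' line"
        rc=1
    else
        case "$dbline" in
            *dbname=*) ;;
            *) echo "FAIL: 'output database:' has no dbname="; rc=1 ;;
        esac
    fi

    # 4. Without "input unified2" barnyard2 has nothing to read from snort's spool.
    if ! grep -q '^input unified2' "$conf"; then
        echo "FAIL: no 'input unified2' line"
        rc=1
    fi

    return "$rc"
}

# write_sample_conf <path> <interface-value>
# Constructed sample modelled on the conf posted above; hostname, DB host and
# password are placeholders, not values from the thread.
write_sample_conf() {
    cat > "$1" <<EOF
config reference-map:   /usr/local/etc/snort/reference.config
config class-map:       /usr/local/etc/snort/classification.config
config gen-msg-map:     /usr/local/etc/snort/gen-msg.map
config sid-msg-map:     /usr/local/etc/snort/sid-msg.map
config hostname:       gateway.example
config interface: $2
input unified2
output database: log, mysql, dbname=snort user=snort host=DB_HOST_PLACEHOLDER password=PASSWORD_PLACEHOLDER
EOF
}

# run_check <interface-value>: write the sample with that interface value and
# check it against a constructed ifconfig list. Returns the checker's status.
run_check() {
    f=$(mktemp)
    write_sample_conf "$f" "$1"
    check_barnyard2_conf "$f" "re0 rl0 rl1" && rc=0 || rc=$?
    rm -f "$f"
    return "$rc"
}

demo_empty_iface() { run_check ""; }     # the thread's situation: rejected
demo_alias_iface() { run_check "WAN"; }  # pfSense label instead of BSD name: rejected
demo_bsd_iface()   { run_check "re0"; }  # what James recommends: passes

for d in demo_empty_iface demo_alias_iface demo_bsd_iface; do
    if "$d"; then echo "$d: OK"; else echo "$d: rejected"; fi
done
```

Run it against the real file with `check_barnyard2_conf /usr/local/etc/barnyard2.conf "$(ifconfig -l)"` on the pfSense box; a clean exit means the daemon at least has an interface it can bind to and a database it can name, which is where the log in the first post stopped.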

