Snort configuration changes not happening…

fvter

Hey all,

I am trying to configure the snort package but when i change options under the advanced tab, it doesn't seem to want to accept any of them.

For instance, if i turn off «enable barnyard2» after having it enabled, I still get log entries concerning it.

Also, I have configured the database path but it is complaining that no database can be found. here is my database field:

output database: log, mysql, dbname=snort user=snort host=db.home.<mydomain>.com password=XXXXXXXXXXXXX</mydomain>

Here is what I am seeing the log:

ct 11 17:54:01	barnyard2[55473]: FATAL ERROR:
Oct 11 17:54:01	barnyard2[55473]: FATAL ERROR:
Oct 11 17:54:01	barnyard2[55473]: database: must enter database name in configuration file
Oct 11 17:54:01	barnyard2[55473]: database: must enter database name in configuration file
Oct 11 17:54:01	barnyard2[55471]: Daemon parent exiting
Oct 11 17:54:01	barnyard2[55471]: Daemon parent exiting
Oct 11 17:54:01	barnyard2[55473]: Daemon initialized, signaled parent pid: 55471
Oct 11 17:54:01	barnyard2[55473]: Daemon initialized, signaled parent pid: 55471
Oct 11 17:54:01	barnyard2[55473]: Writing PID "55473" to file "/var/run//barnyard2_re0.pid"
Oct 11 17:54:01	barnyard2[55473]: Writing PID "55473" to file "/var/run//barnyard2_re0.pid"
Oct 11 17:54:01	barnyard2[55473]: PID path stat checked out ok, PID path set to /var/run/
Oct 11 17:54:01	barnyard2[55473]: PID path stat checked out ok, PID path set to /var/run/
Oct 11 17:54:01	barnyard2[55471]: Initializing daemon mode
Oct 11 17:54:01	barnyard2[55471]: Initializing daemon mode
Oct 11 17:54:01	barnyard2[55471]: WARNING: Unable to open waldo file '/usr/local/etc/snort/barnyard2.waldo' (No such file or directory)
Oct 11 17:54:01	barnyard2[55471]: WARNING: Unable to open waldo file '/usr/local/etc/snort/barnyard2.waldo' (No such file or directory)
Oct 11 17:53:58	barnyard2[55471]: Generating maps
Oct 11 17:53:58	barnyard2[55471]: Generating maps
Oct 11 17:53:58	barnyard2[55471]: Found interface config directive (re0)
Oct 11 17:53:58	barnyard2[55471]: Found interface config directive (re0)
Oct 11 17:53:58	barnyard2[55471]: Found hostname config directive (fvtgate.home.tvf-prod.com)
Oct 11 17:53:58	barnyard2[55471]: Found hostname config directive (fvtgate.home.tvf-prod.com)
Oct 11 17:53:58	barnyard2[55471]: Found sid-msg-map config directive (/usr/local/etc/snort/sid-msg.map)
Oct 11 17:53:58	barnyard2[55471]: Found sid-msg-map config directive (/usr/local/etc/snort/sid-msg.map)
Oct 11 17:53:58	barnyard2[55471]: Found gen-msg-map config directive (/usr/local/etc/snort/gen-msg.map)
Oct 11 17:53:58	barnyard2[55471]: Found gen-msg-map config directive (/usr/local/etc/snort/gen-msg.map)
Oct 11 17:53:58	barnyard2[55471]: Found class-map config directive (/usr/local/etc/snort/classification.config)
Oct 11 17:53:58	barnyard2[55471]: Found class-map config directive (/usr/local/etc/snort/classification.config)
Oct 11 17:53:58	barnyard2[55471]: Found reference-map config directive (/usr/local/etc/snort/reference.config)
Oct 11 17:53:58	barnyard2[55471]: Found reference-map config directive (/usr/local/etc/snort/reference.config)
Oct 11 17:53:58	barnyard2[55471]: Parsing rules files /usr/local/etc/barnyard2.conf
Oct 11 17:53:58	barnyard2[55471]: Parsing rules files /usr/local/etc/barnyard2.conf

any ideas, all i want is to have the snort pkg send events to mysql db!

Thanks

jamesdean

@fvter:

Hey all,

I am trying to configure the snort package but when i change options under the advanced tab, it doesn't seem to want to accept any of them.

For instance, if i turn off «enable barnyard2» after having it enabled, I still get log entries concerning it.

Also, I have configured the database path but it is complaining that no database can be found. here is my database field:

output database: log, mysql, dbname=snort user=snort host=db.home.<mydomain>.com password=XXXXXXXXXXXXX</mydomain>

Here is what I am seeing the log:

ct 11 17:54:01	barnyard2[55473]: FATAL ERROR:
Oct 11 17:54:01	barnyard2[55473]: FATAL ERROR:
Oct 11 17:54:01	barnyard2[55473]: database: must enter database name in configuration file
Oct 11 17:54:01	barnyard2[55473]: database: must enter database name in configuration file
Oct 11 17:54:01	barnyard2[55471]: Daemon parent exiting
Oct 11 17:54:01	barnyard2[55471]: Daemon parent exiting
Oct 11 17:54:01	barnyard2[55473]: Daemon initialized, signaled parent pid: 55471
Oct 11 17:54:01	barnyard2[55473]: Daemon initialized, signaled parent pid: 55471
Oct 11 17:54:01	barnyard2[55473]: Writing PID "55473" to file "/var/run//barnyard2_re0.pid"
Oct 11 17:54:01	barnyard2[55473]: Writing PID "55473" to file "/var/run//barnyard2_re0.pid"
Oct 11 17:54:01	barnyard2[55473]: PID path stat checked out ok, PID path set to /var/run/
Oct 11 17:54:01	barnyard2[55473]: PID path stat checked out ok, PID path set to /var/run/
Oct 11 17:54:01	barnyard2[55471]: Initializing daemon mode
Oct 11 17:54:01	barnyard2[55471]: Initializing daemon mode
Oct 11 17:54:01	barnyard2[55471]: WARNING: Unable to open waldo file '/usr/local/etc/snort/barnyard2.waldo' (No such file or directory)
Oct 11 17:54:01	barnyard2[55471]: WARNING: Unable to open waldo file '/usr/local/etc/snort/barnyard2.waldo' (No such file or directory)
Oct 11 17:53:58	barnyard2[55471]: Generating maps
Oct 11 17:53:58	barnyard2[55471]: Generating maps
Oct 11 17:53:58	barnyard2[55471]: Found interface config directive (re0)
Oct 11 17:53:58	barnyard2[55471]: Found interface config directive (re0)
Oct 11 17:53:58	barnyard2[55471]: Found hostname config directive (fvtgate.home.tvf-prod.com)
Oct 11 17:53:58	barnyard2[55471]: Found hostname config directive (fvtgate.home.tvf-prod.com)
Oct 11 17:53:58	barnyard2[55471]: Found sid-msg-map config directive (/usr/local/etc/snort/sid-msg.map)
Oct 11 17:53:58	barnyard2[55471]: Found sid-msg-map config directive (/usr/local/etc/snort/sid-msg.map)
Oct 11 17:53:58	barnyard2[55471]: Found gen-msg-map config directive (/usr/local/etc/snort/gen-msg.map)
Oct 11 17:53:58	barnyard2[55471]: Found gen-msg-map config directive (/usr/local/etc/snort/gen-msg.map)
Oct 11 17:53:58	barnyard2[55471]: Found class-map config directive (/usr/local/etc/snort/classification.config)
Oct 11 17:53:58	barnyard2[55471]: Found class-map config directive (/usr/local/etc/snort/classification.config)
Oct 11 17:53:58	barnyard2[55471]: Found reference-map config directive (/usr/local/etc/snort/reference.config)
Oct 11 17:53:58	barnyard2[55471]: Found reference-map config directive (/usr/local/etc/snort/reference.config)
Oct 11 17:53:58	barnyard2[55471]: Parsing rules files /usr/local/etc/barnyard2.conf
Oct 11 17:53:58	barnyard2[55471]: Parsing rules files /usr/local/etc/barnyard2.conf

any ideas, all i want is to have the snort pkg send events to mysql db!

Thanks

Please post pfSense version and system specs

fvter

pfSense version: 1.2.3-RC3
snort version: 2.8.4.1_5 pkg v.1.6

Memory usage is at 43%
cpu usgae never goes over 50%
disk usage is about 1%

I have the box set-up in a dual-wan load balanced configuration with very few rules and some very simple NAT (just nat for bittorrent, WoW & xboxlive).

Hardware info follows:

CPU: Intel(R) Celeron(R) CPU        E3300  @ 2.50GHz (2500.02-MHz 686-class CPU)
  Origin = "GenuineIntel"  Id = 0x1067a  Stepping = 10
  Features=0xbfebfbff <fpu,vme,de,pse,tsc,msr,pae,mce,cx8,apic,sep,mtrr,pge,mca,cmov,pat,pse36,clflush,dts,acpi,mmx,fxsr,sse,sse2,ss,htt,tm,pbe>Features2=0x400e3bd <sse3,dtes64,mon,ds_cpl,vmx,est,tm2,ssse3,cx16,xtpr,pdcm,xsave>AMD Features=0x20100000 <nx,lm>AMD Features2=0x1 <lahf>Cores per package: 2
real memory  = 2136866816 (2037 MB)
avail memory = 2081316864 (1984 MB)
ACPI APIC Table: <gbt   ="" gbtuacpi="">FreeBSD/SMP: Multiprocessor System Detected: 2 CPUs
 cpu0 (BSP): APIC ID:  0
 cpu1 (AP): APIC ID:  1
ioapic0: Changing APIC ID to 2
ioapic0 <version 2.0="">irqs 0-23 on motherboard
wlan: mac acl policy registered
kbd1 at kbdmux0
ath_hal: 0.9.20.3 (AR5210, AR5211, AR5212, RF5111, RF5112, RF2413, RF5413)
cryptosoft0: <software crypto="">on motherboard
acpi0: <gbt gbtuacpi="">on motherboard
acpi0: [ITHREAD]
acpi0: Power Button (fixed)
acpi0: reservation of 0, a0000 (3) failed
acpi0: reservation of 100000, 7f4e0000 (3) failed
Timecounter "ACPI-fast" frequency 3579545 Hz quality 1000
acpi_timer0: <24-bit timer at 3.579545MHz> port 0x408-0x40b on acpi0
acpi_hpet0: <high precision="" event="" timer="">iomem 0xfed00000-0xfed003ff on acpi0
Timecounter "HPET" frequency 14318180 Hz quality 900
acpi_button0: <power button="">on acpi0
pcib0: <acpi host-pci="" bridge="">port 0xcf8-0xcff on acpi0
pci0: <acpi pci="" bus="">on pcib0
vgapci0: <vga-compatible display="">port 0xe400-0xe407 mem 0xe1300000-0xe137ffff,0xd0000000-0xdfffffff,0xe1000000-0xe10fffff irq 16 at device 2.0 on pci0
agp0: <intel g33="" svga="" controller="">on vgapci0
agp0: detected 7164k stolen memory
agp0: aperture size is 256M
pci0: <multimedia, hda="">at device 27.0 (no driver attached)
pcib1: <acpi pci-pci="" bridge="">irq 16 at device 28.0 on pci0
pci1: <acpi pci="" bus="">on pcib1
pcib2: <acpi pci-pci="" bridge="">irq 17 at device 28.1 on pci0
pci2: <acpi pci="" bus="">on pcib2
re0: <realtek 8168="" 8168b="" 8168c="" 8168cp="" 8168d="" 8111b="" 8111c="" 8111cp="" pcie="" gigabit="" ethernet="">port 0xc000-0xc0ff mem 0xe1110000-0xe1110fff,0xe1100000-0xe110ffff irq 17 at device 0.0 on pci2
re0: Using 1 MSI messages
re0: Chip rev. 0x3c000000
re0: MAC rev. 0x00400000
miibus0: <mii bus="">on re0
rgephy0: <rtl8169s 8110s="" 8211b="" media="" interface="">PHY 1 on miibus0
rgephy0:  10baseT, 10baseT-FDX, 100baseTX, 100baseTX-FDX, 1000baseT, 1000baseT-FDX, auto
re0: Ethernet address: 00:24:1d:73:5e:b3
re0: [FILTER]
rl0: Ethernet address: 00:15:e9:f1:8e:e1
rl0: [ITHREAD]
rl1: <d-link 10="" dfe-530tx+="" 100basetx="">port 0xd100-0xd1ff mem 0xe1201000-0xe12010ff irq 19 at device 1.0 on pci3
rlphy1: <realtek internal="" media="" interface="">PHY 0 on miibus2
rlphy1:  10baseT, 10baseT-FDX, 100baseTX, 100baseTX-FDX, auto
rl1: Ethernet address: 00:15:e9:f1:82:34</realtek></d-link></rtl8169s></mii></realtek></acpi></acpi></acpi></acpi></multimedia,></intel></vga-compatible></acpi></acpi></power></high></gbt></software></version></gbt ></lahf></nx,lm></sse3,dtes64,mon,ds_cpl,vmx,est,tm2,ssse3,cx16,xtpr,pdcm,xsave></fpu,vme,de,pse,tsc,msr,pae,mce,cx8,apic,sep,mtrr,pge,mca,cmov,pat,pse36,clflush,dts,acpi,mmx,fxsr,sse,sse2,ss,htt,tm,pbe> 

Essentially my problem seems to be that anything I change in the advanced configuration tab of the snort package don't get written back down into the configuration.
Cheers

jamesdean

Remove all your passwords from the outputs.

Give me the output of

ps -aux | grep snort

cat /usr/local/etc/barnyard2.conf

rob

fvter

Here you go:

# ps -aux | grep snort
root   60350  0.9 16.3 358076 338300  ??  Ss   Sun06PM  86:19.75 snort -c /usr/local/etc/snort/snort.conf -l /
root   60544  0.0 16.3 358076 338272  ??  Ss   Sun06PM  28:43.74 snort -c /usr/local/etc/snort/snort.conf -l /
root   45872  0.0  0.0  1684   980  p0  RL+   9:51PM   0:00.00 grep snort
#

# cat /usr/local/etc/barnyard2.conf

#       barnyard2.conf
#   barnyard2 can be found at http://www.securixlive.com/barnyard2/index.php

#       Copyright (C) 2006 Robert Zelaya
#       part of pfSense
#       All rights reserved.

#       Redistribution and use in source and binary forms, with or without
#       modification, are permitted provided that the following conditions are met:

#       1\. Redistributions of source code must retain the above copyright notice,
#          this list of conditions and the following disclaimer.

#       2\. Redistributions in binary form must reproduce the above copyright
#          notice, this list of conditions and the following disclaimer in the
#          documentation and/or other materials provided with the distribution.

#       THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
#       INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
#       AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
#       AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
#       OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
#       SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
#       INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
#       CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
#       ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
#       POSSIBILITY OF SUCH DAMAGE.

# set the appropriate paths to the file(s) your Snort process is using
config reference-map:   /usr/local/etc/snort/reference.config
config class-map:       /usr/local/etc/snort/classification.config
config gen-msg-map:     /usr/local/etc/snort/gen-msg.map
config sid-msg-map:     /usr/local/etc/snort/sid-msg.map

config hostname:       fvtgate.home.tvf-prod.com
config interface:

# Step 2: setup the input plugins
input unified2

# database: log to a variety of databases
output database: log, mysql, dbname=snort user=snort host=XXXXXXXXXXXXXXXXXXX password=XXXXXXXXXXXXXXXX

jamesdean

Weird, don't know why your barnyard2.conf file is not being updated.
As long as you click save in the Advanced tab the settings.

What is your interface name ?
What are you typing in the Barnyard2 Configure Interface ID ?

I'm redoing the barnyard code tonight…

James

fvter

I am running snort on both WAN & OPT1 but I've tried to put all sorts of info the barnyard interface field (rl0, re0, re1, LAN, WAN, OPT1).

Also, i'm not getting any data at all being sent to mysql. although this is probably normal since the service doesn't seem to be starting up (cf previous log entries)

Cheers

jamesdean

Do a ifconfig and only put BSD interface names like vr0, not WAN.

Logging to mysql with multiple interfaces is broken right now.

Redoing the code. Be patient.

James