  1. #1
    Just Joined!
    Join Date
    Mar 2013
    Posts
    7

    MySQL and Barnyard with snort.


    I am trying to install Snort using the "Snort 2.9.4.0 on Debian 6.0.6 by Jason Weir", which can be found in the docs site of the Snort site. I don't have the appropriate permissions to post links or images due to my low post count.

    I am using Oracle Virtual Box 4.1.18 as the virtual platform and the distro I'm using is the "debian 6.0.5 netinstall". I realise the guide is for a later version of my distro; however, I don't believe this to be the issue, as everything else works as it should.

    I have snort working, as it can capture packets and print them to the screen. Also when I use BASE I can see that it is capturing packets correctly and writing them to the database. However when I attempt to do this part of the guide...

    "Now start snort and barnyard with these commands:
    # /usr/local/bin/snort -q -u snort -g snort -c /etc/snort/snort.conf -i eth0 &

    # /usr/local/bin/barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort -f snort.log -w /etc/snort/bylog.waldo /etc/snort/gen-msg.map /etc/snort/sid-msg.map -C /etc/snort/classification.config &

    Again ping the management IP address from another machine

    This command shows that barnyard is correctly inserting events into the database:
    # mysql -uroot -p -D snort -e "select count(*) fromevent" # enter password again "

    The only result I see is a table "fromevents" with the figure one; this is the same result regardless of how many attempts were carried out.

    From BASE it is clear to see that the log is being written into somewhere. The value of the "total number of alerts" increments after each time I attempt this.

    I have a suspicion it is to do with the name of the table but can't see any issue. I had a look at the "/etc/snort/barnyard2.conf" file but the database name is the same. I currently have the following line at the bottom of the file "output database: log, mysql, user=snort password=secret dbname=snort host=localhost"

    Not really sure what else I can do to attempt to rectify this issue; I am not even sure what the implications of this issue are. Please help.

    Thanks

  2. #2
    Trusted Penguin
    Join Date
    May 2011
    Posts
    4,353
    hi,

    can you post the link by just substituting hxxp for http in the beginning of the link?

    is the below part of the commands you wrote a typo?

    Code:
    # mysql -uroot -p -D snort -e "select count(*) fromevent" # enter password again "
    b/c there should be a space in b/t from and event, i think, e.g.:

    Code:
    mysql -u root -p -D snort -e "select count(*) from event"
    if that doesn't work, just try getting into the MySQL shell, e.g.:
    Code:
    mysql -u root -p
    then list databases:
    Code:
    > SHOW DATABASES;
    you should see the db named "snort", I guess.

    then you change to the snort table:

    Code:
    > USE SNORT
    and list tables:
    Code:
    > SHOW TABLES;
    tell us what you can and can't do from above, and show output where necessary.

    NOTE: in the above mysql commands, the case is insensitive, it is just there to clarify that they are mysql commands and not shell commands. you do need to punctuate commands with a semi-colon (usually).

  3. #3
    Just Joined!
    Join Date
    Mar 2013
    Posts
    7
    Thanks for your time mate.

    Link to the guide... http://s3.amazonaws.com/snort-org/ww...nort_howto.pdf

    Screenshot of 'use snort;' > 'show tables'

    http://gyazo.com/d01f9f576a0bdc4a5ed2cbcdc3a34b8a

    http://gyazo.com/5037a87a0ad22084c30f619a978b9804

    This bit is a typo in the guide (# mysql -uroot -p -D snort -e "select count(*) fromevent" # enter password again "); when executing I put the space in.

    This is BASE prior to executing:
    Code:
    # /usr/local/bin/snort -q -u snort -g snort -c /etc/snort/snort.conf -i eth0 & 
    # /usr/local/bin/barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort -f snort.log -w /etc/snort/bylog.waldo -G /etc/snort/gen-msg.map -S 
    /etc/snort/sid-msg.map -C /etc/snort/classification.config &
    http://gyazo.com/fe461f5d289d6297b890497acaf8073e

    and after the command is executed.

    http://gyazo.com/6ba606d929ac6755b205b2fe49d97b7f

    And this is when executing the command:
    Code:
    mysql -uroot -p -D snort -e "select count(*) fromevent"
    http://gyazo.com/ac87449652da97cf30ea77656cd2dc5a
    Last edited by atreyu; 05-01-2013 at 04:06 AM. Reason: fixed links and added CODE tags

  5. #4
    Trusted Penguin
    Join Date
    May 2011
    Posts
    4,353
    i see a table named "event" in your list of tables, so i think you definitely need a space after "from" and before "event", like this:
    Code:
    mysql -uroot -p -D snort -e "select count(*) from event"
    is this what you have done?

    btw, that query will just show the number of records in the table. if you want to see the actual data, try this:

    Code:
    mysql -uroot -p -D snort -e "select * from event"
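The queries below are an added example, not from this thread or the Snort how-to: they extend the `select * from event` check with the joins a practitioner would use to verify that barnyard2 is writing readable alerts (signature names and decoded IPs) into the standard Snort MySQL schema. They assume the default table and column names created by Snort's `create_mysql` script (`event`, `signature`, `iphdr`, `sensor`).

```sql
-- Added example (not from the thread): verify barnyard2 -> MySQL and inspect the alerts.
-- Assumes the stock Snort schema from create_mysql; run as: mysql -u root -p < this_file.sql
USE snort;

-- 1. Total events. Re-run after pinging the sensor from another machine; it should grow.
SELECT COUNT(*) AS total_events FROM event;

-- 2. Which sensor/interface produced the rows (one sid per snort instance).
SELECT se.sid, se.hostname, se.interface, COUNT(e.cid) AS events
FROM sensor se
LEFT JOIN event e ON e.sid = se.sid
GROUP BY se.sid, se.hostname, se.interface;

-- 3. The 20 most recent alerts with a human-readable signature and decoded IPs.
--    iphdr stores addresses as unsigned integers, hence INET_NTOA.
SELECT e.sid, e.cid, e.timestamp,
       s.sig_name,
       INET_NTOA(ip.ip_src) AS src_ip,
       INET_NTOA(ip.ip_dst) AS dst_ip,
       ip.ip_proto
FROM event e
JOIN signature s ON s.sig_id = e.signature
LEFT JOIN iphdr ip ON ip.sid = e.sid AND ip.cid = e.cid
ORDER BY e.timestamp DESC
LIMIT 20;

-- 4. Alert volume per signature, to spot a noisy rule (ICMP pings should dominate here).
SELECT s.sig_name, COUNT(*) AS hits
FROM event e
JOIN signature s ON s.sig_id = e.signature
GROUP BY s.sig_name
ORDER BY hits DESC;
```

If query 1 grows but query 3 returns no rows, barnyard2 is inserting events whose `signature` ids have no matching `signature` row, which usually points at a missing or mismatched `sid-msg.map`/`gen-msg.map` passed to barnyard2.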

  6. #5
    Just Joined!
    Join Date
    Mar 2013
    Posts
    7
    Got it all working, thanks ever so much.

    Just need to figure out how to compare it with suricata now, the joys. Thanks again, I really appreciate your time.

  7. #6
    Trusted Penguin
    Join Date
    May 2011
    Posts
    4,353
    np, happy to help. i'll go ahead and mark this as Solved for you. Note that you can do this yourself at any time using the Thread Tools link at the top of the page.
