
snort and barnyard2 state

NST
Lin Hu
2018-01-24
2018-01-25
  • Lin Hu

    Lin Hu - 2018-01-24

    Hi to all,
    I have set up a new nst26 system and I have configured snort with barnyard2.
    I can enable this and now the state is in "activating".
    This issue is on snort and barnyard; I have also reloaded but the same with "reloading".
    The system is installed on a 120GB SSD hard disk with 16GB RAM, 8-core AMD CPU.

    (snort: v2.9.9.0-50.nst26) (daq: v2.0.6-7.nst26) (barnyard2: v2.1.14-337.25nst26) (snorby: v2.6.3-113.nst26)

    LOG

    LANG=en_US.UTF-8 TERM=ansi /bin/stdoutisatty /bin/systemctl --no-pager --full status snort@enp12s0.service barnyard2@enp12s0.service mariadb.service snorby-worker.service snorby.service 2>&1;
    ● snort@enp12s0.service - snort Service for Interface enp12s0
    Loaded: loaded (/usr/lib/systemd/system/snort@.service; enabled; vendor preset: disabled)
    Active: active (running) since Wed 2018-01-24 18:13:09 CET; 1h 52min ago
    Docs: man:snort(8)
    https://www.snort.org/
    Process: 1798 ExecStart=/usr/share/snort/systemd/snort_single_execstart enp12s0 (code=exited, status=0/SUCCESS)
    Main PID: 2203 (snort)
    Tasks: 2 (limit: 4915)
    CGroup: /system.slice/system-snort.slice/snort@enp12s0.service
    └─2203 /usr/sbin/snort -D -c /etc/snort_enp12s0/snort.conf -l /var/nst/snort/logs_enp12s0

    ● barnyard2@enp12s0.service - barnyard2 Service for Interface: enp12s0
    Loaded: loaded (/usr/lib/systemd/system/barnyard2@.service; enabled; vendor preset: disabled)
    Active: active (running) since Wed 2018-01-24 18:13:09 CET; 1h 52min ago
    Docs: https://github.com/firnsy/barnyard2
    Process: 2136 ExecStart=/usr/share/barnyard2/systemd/barnyard2_single_execstart enp12s0 (code=exited, status=0/SUCCESS)
    Main PID: 2179 (barnyard2)
    Tasks: 1 (limit: 4915)
    CGroup: /system.slice/system-barnyard2.slice/barnyard2@enp12s0.service
    └─2179 /usr/bin/barnyard2 -D -i enp12s0 -n -c /etc/snort_enp12s0/barnyard2.conf -d /var/nst/snort/logs_enp12s0 -f snort.u2 -w /var/nst/snort/logs_enp12s0/barnyard2.waldo

    ● mariadb.service - MariaDB 10.1 database server
    Loaded: loaded (/usr/lib/systemd/system/mariadb.service; enabled; vendor preset: disabled)
    Active: active (running) since Wed 2018-01-24 18:13:09 CET; 1h 52min ago
    Process: 2098 ExecStartPost=/usr/libexec/mysql-check-upgrade (code=exited, status=0/SUCCESS)
    Process: 1863 ExecStartPre=/usr/libexec/mysql-prepare-db-dir mariadb.service (code=exited, status=0/SUCCESS)
    Process: 1792 ExecStartPre=/usr/libexec/mysql-check-socket (code=exited, status=0/SUCCESS)
    Main PID: 1915 (mysqld)
    Status: "Taking your SQL requests now..."
    Tasks: 28 (limit: 4915)
    CGroup: /system.slice/mariadb.service
    └─1915 /usr/libexec/mysqld --basedir=/usr

    ● snorby-worker.service - Worker service
    Loaded: loaded (/usr/lib/systemd/system/snorby-worker.service; enabled; vendor preset: disabled)
    Active: active (running) since Wed 2018-01-24 18:13:13 CET; 1h 52min ago
    Docs: https://github.com/Snorby/snorby
    Process: 2135 ExecStart=/usr/bin/bundle exec script/delayed_job restart RAILS_ENV=production (code=exited, status=0/SUCCESS)
    Main PID: 2357 (ruby-mri)
    Tasks: 3 (limit: 4915)
    CGroup: /system.slice/snorby-worker.service
    └─2357 delayed_job

    ● snorby.service - Web application for IDS monitoring service
    Loaded: loaded (/usr/lib/systemd/system/snorby.service; enabled; vendor preset: disabled)
    Active: active (running) since Wed 2018-01-24 18:13:13 CET; 1h 52min ago
    Docs: https://github.com/Snorby/snorby
    Main PID: 2361 (ruby-mri)
    Tasks: 2 (limit: 4915)
    CGroup: /system.slice/snorby.service
    └─2361 /usr/share/snorby/ruby/2.4.0/bin/thin start --ssl --ssl-key-file /etc/nst/httpd/conf/ssl.key/server.key --ssl-cert-file /etc/nst/httpd/conf/ssl.crt/server.crt -e production -p 9099
    Exit Code: 0
    Start: 2018-01-24 20:06:47.800 End: 20:06:47.857 Dur: 0.057

     
  • Lin Hu

    Lin Hu - 2018-01-25

    Hi again.
    That's my startup log created with NST:

    Running the following script to setup snort

    #!/bin/bash
    #
    # allow some settling time...
    /bin/sleep 1;

    RULES="-r local";
    if [ "no" = "yes" ]; then
      RULES="-r ";
    fi

    NSTCONF="/etc/nst.conf";
    #
    # Save local Snort Admin MySQL Password
    # and Set remote Snort IDS Collector Password...
    if [ "" = "checked" ]; then
      if [ -f "${NSTCONF}" ]; then
        #
        # Save original local Snort Admin MySQL Password...
        SAVENSTCTSNORTPASSWD="$(/bin/cat "${NSTCONF}" | /bin/grep '^NSTCTSNORTPASSWD' | /bin/sed -e 's/^NSTCTSNORTPASSWD="\(.*\)"$/\1/';)";
        #
        # Set remote Snort IDS Collector Password...
        /bin/sudo /bin/sed -i -e 's/^NSTCTSNORTPASSWD=.*$/NSTCTSNORTPASSWD=""/' "${NSTCONF}";
      fi
    fi
    #
    # Add on any rule update URLs and setup snort options...
    /bin/sudo /bin/setsid /usr/local/bin/setup_snort ${RULES} -i enp12s0 -v -rdir /var/nst --HOME_NET 'any' --EXTERNAL_NET 'any' --sensor_name "WAN" >> /var/log/wui/snort_setup_enp12s0.log 2>&1;
    #
    # Set the Snort startup flag for this instance...
    printf "\n\n*** Setting the Snort Startup flag...\n" >> /var/log/wui/snort_setup_enp12s0.log;
    if [ "" = "true" ]; then
      /bin/sudo /bin/setsid /usr/local/bin/setup_snort --verbose -startup 'enabled' -i enp12s0 >> /var/log/wui/snort_setup_enp12s0.log 2>&1;
    else
      /bin/sudo /bin/setsid /usr/local/bin/setup_snort --verbose -startup 'disabled' -i enp12s0 >> /var/log/wui/snort_setup_enp12s0.log 2>&1;
    fi
    #
    # Restore local Snort MySQL Password...
    if [ "" = "checked" ]; then
      if [ -f "${NSTCONF}" ]; then
        #
        # restore Password...
        /bin/sudo /bin/sed -i -e 's/^NSTCTSNORTPASSWD=.*$/NSTCTSNORTPASSWD="'"${SAVENSTCTSNORTPASSWD//$/\$}"'"/' "${NSTCONF}";
      fi
    fi

    SNORT_DIR="$(dirname $(awk -- '{ if ( $1 == "config" && $2 == "logdir:" ) print $3; }' < /etc/snort_enp12s0/snort.conf;);)";

    printf "\n\n*** Bringing up interface enp12s0...\n" >> /var/log/wui/snort_setup_enp12s0.log;

    if [ ! -d "${SNORT_DIR}" ]; then
      printf "\n\nERROR failed to find snort installation directory\n";
      echo 1 >| "/var/log/wui/snort_setup_complete_enp12s0.log";
      exit 1;
    fi
    #
    # Assume this Snort/Barnyard2 instance setup is successful...
    RC=0;

    if /bin/sudo /sbin/ifconfig enp12s0 up >> /var/log/wui/snort_setup_enp12s0.log 2>&1; then
      if [ "" = "true" ]; then
        printf "\n\n*** Starting up the Snort/Barnyard2 daemons for interface: enp12s0...\n" >> /var/log/wui/snort_setup_enp12s0.log;

        printf "\n/bin/sudo /bin/systemctl restart snort@enp12s0.service barnyard2@enp12s0.service\n" >> /var/log/wui/snort_setup_enp12s0.log;

        /bin/sudo /bin/systemctl restart snort@enp12s0.service barnyard2@enp12s0.service >> /var/log/wui/snort_setup_enp12s0.log 2>&1;

        /bin/sudo /bin/systemctl status snort@enp12s0.service barnyard2@enp12s0.service >> /var/log/wui/snort_setup_enp12s0.log 2>&1;

        if [ "" != "checked" ]; then
          printf "\n\n*** Make sure a Snorby service is running.\n" >> /var/log/wui/snort_setup_enp12s0.log;
          if ! /bin/sudo /bin/systemctl is-active snorby.service &> "/dev/null"; then
            printf "\n/bin/sudo /bin/systemctl start snorby.service\n" >> /var/log/wui/snort_setup_enp12s0.log;
            /bin/sudo /bin/systemctl start snorby.service >> /var/log/wui/snort_setup_enp12s0.log 2>&1;
          else
            printf "\nA Snorby service was already running.\n" >> /var/log/wui/snort_setup_enp12s0.log;
          fi
        fi

        printf "\n" >> /var/log/wui/snort_setup_enp12s0.log;

      else
        #
        # Not auto starting: Set "Disabled" state...
        if [ -d "/etc/snort_enp12s0" ]; then
          /bin/sudo /bin/bash -c '/bin/cat >| "/etc/snort_enp12s0/pstate.conf"' <<SETSTATE
    SNORT_STATE_enp12s0="Disabled";
    BARNYARD2_STATE_enp12s0="Disabled";
    SETSTATE
          printf "\n*** Not auto-starting this snort instance: Setting the \"Disabled\" state.\n" >> /var/log/wui/snort_setup_enp12s0.log;
        fi
      fi
    else
      printf "\nERROR failed to bring up interface enp12s0\n" >> /var/log/wui/snort_setup_enp12s0.log;
      RC=1;
    fi
    #
    # Indicate that this setup script completed
    echo >| "/var/log/wui/snort_setup_complete_enp12s0.log";

    exit ${RC};

    Results of running above script follow

    Using runtime directory: "/var/nst" for Snort and MySQL data files...
    Using local base Snort rules definitions...

    *** Copying base Snort's rule definitions from the NST distribution to: "/var/nst/snort/rules_enp12s0/rules"
    /bin/cp -rp /usr/share/snortrules/rules /var/nst/snort/rules_enp12s0

    *** Copying latest "snort.conf" to: "/var/nst/snort/rules_enp12s0/rules"

    *** Copying global snort threshold file "/etc/snort/threshold.conf" to: "/etc/snort_enp12s0"

    *** Clearing the Snort rule set cache directory: "/var/nst/snort_rs_cache"...

    *** Setting up a separate "Barnyard2" configuration for this instance of Snort: "/etc/snort_enp12s0/barnyard2.conf"

    *** Setup the MySQL Server...
    /usr/local/bin/setup_mysql -rdir /var/nst --dbPort 3306 -v

    *** Start MariaDB database server setup: 2018-01-25 23:53:05...

    *** A MariaDB database server is already running, script: "setup_mysql" is exiting normally...

    *** Setting the MySQL administrative password for "Snorby".

    *** Checking if "snorby" is initially setup.

    *** Stopping any previous running "snorby workers" under systemd.

    Snorby was already setup. Now updating "snorby".
    RUBYOPT=-W0 /usr/bin/bundle exec rake snorby:update RAILS_ENV=production;
    [datamapper] Finished auto_upgrade! for :default repository 'snorby'
    [~] Building aggregated_events database view
    [~] Building events_with_join database view
    Removing old jobs
    Starting the Snorby worker process.
    Adding jobs to the queue

    *** Stopping any running "snorby workers" created during snorby update.

    *** Starting "snorby workers" under systemd.

    *** Check to add the "ids_engine" column to the 'sensor' table for the 'snorby' database.

    *** A "snort" MySQL user exists.

    *** Displaying the "snorby" database status using the "snort" MySQL user.

    /usr/bin/mysql Ver 15.1 Distrib 10.1.26-MariaDB, for Linux (x86_64) using readline 5.1

    Connection id: 281
    Current database: snorby
    Current user: snort@localhost
    SSL: Not in use
    Current pager: stdout
    Using outfile: ''
    Using delimiter: ;
    Server: MariaDB
    Server version: 10.1.26-MariaDB MariaDB Server
    Protocol version: 10
    Connection: Localhost via UNIX socket
    Server characterset: latin1
    Db characterset: utf8
    Client characterset: latin1
    Conn. characterset: latin1
    UNIX socket: /var/lib/mysql/mysql.sock
    Uptime: 51 min 26 sec

    Threads: 2 Questions: 9129 Slow queries: 0 Opens: 160 Flush tables: 1 Open tables: 44 Queries per second avg: 2.958

    *** Snort config files: "/etc/snort_enp12s0"...
    total 440
    drwxr-xr-x 2 root root 247 Jan 25 23:53 .
    drwxr-xr-x 220 root root 12288 Jan 25 23:53 ..
    -rw-r--r-- 1 root root 12104 Jan 25 23:53 barnyard2.conf
    -rw-r--r-- 1 root root 3521 Jul 22 2005 classification.config
    -rw-r--r-- 1 root root 8971 Jul 22 2005 gen-msg.map
    -rw-r--r-- 1 root root 1717 Jul 22 2005 generators
    -rw-r--r-- 1 root root 76 Jan 25 23:53 pstate.conf
    -rw-r--r-- 1 root root 608 Jul 22 2005 reference.config
    -rw-r--r-- 1 root root 5 Jul 22 2005 sid
    -rw-r--r-- 1 root root 297436 Jul 22 2005 sid-msg.map
    -rw-r--r-- 1 root root 27208 Jan 25 23:53 snort.conf
    -rw-rw-r-- 1 root root 0 Jan 25 23:53 snort_options
    -rw-r--r-- 1 root root 2335 Jul 7 2009 threshold.conf
    -rw-r--r-- 1 root root 53841 Jul 22 2005 unicode.map

    *** Setup Snort complete...

    ... A SNORT CONFIGURATION INSTANCE - SENSOR INTERFACE: enp12s0 ...



    Snort Version: 2.9.9.0
    DAQ Version: 2.0.6
    Barnyard2 Version: 2.1.14
    MariaDB (MySQL) Version: 10.1.26
    Snorby Version: 2.6.3
    Snort Runtime Directory: /var/nst/snort
    Snort Configuration File: /etc/snort_enp12s0/snort.conf
    Barnyard2 Configuration File: /etc/snort_enp12s0/barnyard2.conf
    Snort Rules Directory: /var/nst/snort/rules_enp12s0/rules
    Snort Unified2 Logs Directory: /var/nst/snort/logs_enp12s0
    Base Snort Rules Source: local (NST Distribution)
    MariaDB (MySQL) Database Hostname: localhost
    MariaDB (MySQL) Database Port: 3306
    Snort IDS Interface: enp12s0
    Snort IDS Sensor Name: WAN
    Snort Alert Event Logging Mode: full
    Snort Options:
    ***********
    **********

    --- To run this Snort instance on network interface: "enp12s0" ---

    First make sure this instance of "snort" is 'Enabled' to run:

    /usr/local/bin/setup_snort -startup enabled -i "enp12s0";

    Next start both the "snort" and "barnyard2" systemd control

    service units: "snort@enp12s0.service barnyard2@enp12s0.service"

    via systemctl:

    ***Note: All other configured and enabled snort instances will not be effected.

    /bin/systemctl start snort@enp12s0.service barnyard2@enp12s0.service;

    Use snorby to view IDS events via a web browser.

    /bin/systemctl start snorby-worker.service snorby.service;

    *** Setting the Snort Startup flag...
    The Snort Startup flag is currently set to: "Disabled" for network interface: "enp12s0"
    The Barnyard2 Startup flag is currently set to: "Disabled" for network interface: "enp12s0"

    *** Bringing up interface enp12s0...

    *** Not auto-starting this snort instance: Setting the "Disabled" state.

     

    Last edit: Lin Hu 2018-01-25
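As an added diagnostic (not from the original post or from the NST project), the script below compares the per-interface startup flags that setup_snort writes to pstate.conf, in the `SNORT_STATE_enp12s0="Disabled";` form shown in the log above, against the live systemd ActiveState of the snort@ and barnyard2@ units; this is the combination the two posts show (units active, flag Disabled). It assumes the NST paths and unit names from the status output and that `systemctl show --value` is available.

```shell
#!/bin/bash
# Added diagnostic, not part of NST or the original post: compare the NST
# per-interface startup flags in pstate.conf with the live systemd state of
# the snort@<iface> and barnyard2@<iface> units and report any mismatch.

# Extract one flag from a pstate.conf file whose lines look like
#   SNORT_STATE_enp12s0="Disabled";
# $1 = path to pstate.conf, $2 = SNORT or BARNYARD2, $3 = interface name
pstate_flag() {
    local file="$1" engine="$2" iface="$3"
    sed -n -e "s/^${engine}_STATE_${iface}=\"\([^\"]*\)\";\{0,1\}\$/\1/p" "$file" | head -n 1
}

# Compare an NST flag with a systemd ActiveState value; prints "ok" or a
# one-line description of the mismatch.
check_state() {
    local engine="$1" flag="$2" active="$3"
    case "${flag}:${active}" in
        Enabled:active)                  echo "ok" ;;
        Disabled:inactive)               echo "ok" ;;
        Disabled:active)                 echo "${engine}: unit running but NST flag is Disabled" ;;
        Enabled:inactive|Enabled:failed) echo "${engine}: NST flag Enabled but unit is ${active}" ;;
        *:activating|*:reloading)        echo "${engine}: unit in transitional state ${active}" ;;
        *)                               echo "${engine}: unexpected combination flag=${flag} state=${active}" ;;
    esac
}

# Live check for one sensor interface (needs the NST layout and systemctl).
check_interface() {
    local iface="$1" conf="/etc/snort_${iface}/pstate.conf" engine unit flag active
    for engine in SNORT BARNYARD2; do
        unit="$(printf '%s' "$engine" | tr 'A-Z' 'a-z')@${iface}.service"
        flag="$(pstate_flag "$conf" "$engine" "$iface" 2>/dev/null)"
        active="$(systemctl show -p ActiveState --value "$unit" 2>/dev/null || echo unknown)"
        check_state "$engine" "${flag:-missing}" "$active"
    done
}

# Usage: ./check_nst_state.sh enp12s0
if [ -n "${1:-}" ]; then
    check_interface "$1"
fi
```

Run it with the sensor interface name; a "unit running but NST flag is Disabled" line means the WUI state file and systemd disagree, which is what the status output and the setup log above show.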
