No Data

BASE-user
jbeach
2008-06-26
2013-06-03
  • jbeach

    jbeach - 2008-06-26

    I am not sure if this is the forum i should be posting in, but I am not getting any data showing up in base.  I went to look at my network connection and my sniffer port in snort has a solid amber light on the nic itself.  I won't take time to link up. I plug it in and instantly it lights up with a solid green light and a solid Amber light.  Anyone have any ideas?

    Thanks

    Joe

     
    • Juergen Leising

      Juergen Leising - 2008-06-26

      Hello Joe,

      plug and play is not true, at all, with snort  setups.  You do need to have a certain degree  of knowledge, and you must configure quite some stuff manually.

      This is true for snort.conf, for the
      creation of the database tables and
      for the setup of BASE.

      After having done all of this, make some tests:

      I. Can your particular snort build detect anything, at all?

      snort -vde -i lo -n 2
      ping -c 1 localhost

      snort -vde -i lo -L snort.pcap -n 2
      ping -c 1 localhost
      tcpdump -v -X -r snort.pcap

      II. Is your snort.conf syntactically correct?

      snort -T -c /etc/snort.conf

      III. Can snort qualify some of the observed data as "alerts"?

      vim /etc/snort.conf

      output alert_syslog: LOG_AUTH LOG_ALERT
      output log_tcpdump: snort.pcap

      and enable some rules, at least:

      bad-traffic.rules,
      icmp-info.rules,
      icmp.rules

      Now run snort in "IDS mode":

      snort -vde -i lo -L snort.pcap -c /etc/snort.conf -n 2

      ping -c 1 localhost

      tcpdump -n -v -X -r /var/log/snort/snort.pcap

      IV. Does snort trigger any alerts at all?

      Look in /var/log/messages (or whatever your syslog is called):

      snort[12857]: Action Stats:
      ALERTS: 1457
      LOGGED: 1457
      PASSED: 0

      In this case the answer is: yes, it does.

      V. Is the snort database syntactically ok?
      (Assuming you use mysql and the database is called "snort")

      mysqlcheck --check snort

      VI. Do any packets show up in the database?

      mysql> select * from event where timestamp like '%2008-06-26%';

      VII. Finally do the packets show up in BASE?

      Bye, bye,

      Juergen

       
      • jbeach

        jbeach - 2008-06-26

        Everything is working fine.  It is just my nic is solid amber light on the IDS box.  I was wondering if you know what that means and if there is a fix for it.

        Joe

         
    • jerry shenk

      jerry shenk - 2008-10-02

      Thanks for that troubleshooting "flow chart", Juergen.  I'm having the same problem....that last test shows "Empty set" so I'm guessing that either snort isn't dumping the data into the database or Barnyard isn't picking it up....I think it's the latter. 

      My /var/log/snort/snort.alert.nnnnnnn file is growing.  I wonder if I screwed up the creation of barnyard.waldo....that file has NOT changed.  Now I'm getting a "WARNING: Bookmark file is corrupt" - I think I'm closer....thanks for your tips.

       
    • jerry shenk

      jerry shenk - 2008-10-02

      Well, barnyard is definitely the problem...I'm thinking that it might be a 64 bit issue - http://nsmwiki.org/Talk:Sguil_on_RedHat_HOWTO#Barnyard_on_64-bit.  I've also found some references to snort 2.8 and barnyard having a problem with the unified format...will look into that too.

       
      • Juergen Leising

        Juergen Leising - 2008-10-02

        Hello Jerry,

        while I cannot tell about its behaviour under  64 bit, as an alternative to barnyard I prefer FLoP:

        http://www.geschke-online.de/FLoP/

        It is worth trying it, I would say.

        Bye, bye

        Juergen

         

Log in to post a comment.

Get latest updates about Open Source Projects, Conferences and News.

Sign up for the SourceForge newsletter:





No, thanks