
[Snort-users] Snort report not showing any data - not sure if Snort is working


Joe Nunham

Nov 15, 2012, 3:53:19 PM11/15/12

Hello,


I recently installed Snort 2.9.3.1 on Ubuntu 12.10 x86_64. I followed the guide here (http://www.snort.org/assets/158/snortinstallguide293.pdf) and didn't have any issues when installing packages/configuring configuration files. I can see that the interface I have Snort configured to listen on is receiving data and a few of the snort.u2 logs are not 0 bytes. There are 4 of them that are, and the barnyard2.waldo file is 0 bytes as well. When I go into the snort database and do a SELECT * FROM on any of the tables, they all return Empty set (0.00 sec). So when I go to look on Snort Report I do not see any data because, as I understand it, Snort Report is reading data from the MySQL database.


I'm not sure what I may have misconfigured; any assistance would be appreciated. If you need any additional information please let me know.


Thanks

Tony Robinson

Nov 15, 2012, 6:06:25 PM11/15/12
As much as I don't want to sound like someone selling snake oil, I have a script called autosnort that completes the entire snort installation for you. If you want to try it out, take a look at: https://github.com/da667/Autosnort/tree/master/Autosnort%20-%20Ubuntu

Note: the script says Ubuntu 12.04. While I haven't officially tested against 12.10 (I'm downloading it as we speak to run the script and ensure compatibility), I have no reason to believe there would be any issues running the script against Ubuntu 12.10.

If you're not comfortable running the script however, there are a number of areas I would recommend checking:

1) Where are your unified files being logged to? The guide you are referring to logs them to /var/log/snort; can you verify that, and also do an ls -l and verify that the snort user and group have permissions on the directory and ALL the files contained within? Can you confirm that barnyard is installed and running while snort is running? What command options are you giving to barnyard? What command options are you giving snort? Are you making it drop privilege to the snort user and group?

2) Regarding the database install, check /var/www/snortreport-1.3.3/srconf.php -- there are lines that need to know the password of the snort database user to read from the database. Confirm that you input the correct credentials by logging into the database as the snort user (mysql -u[snort user] -p[snort user pass] [database name, usually snort]) and try performing a select and/or a show tables with the snort user.

3) You indicate the data isn't in the database at all. Did you install the snort database schema for barnyard? The show tables command above should more than confirm that. Was barnyard2 compiled with --with-mysql (or for the database you are using as a backend)? Was it compiled to point to the proper folder for the libmysqlclient library (--with-mysql-libraries=/usr/lib/x86_64-linux-gnu)? What does your barnyard2.conf look like? Specifically, check your output database line to make sure that the snort database user and the database password are exactly the same as the ones used for srconf.php.

4) Is there anything in /var/log/messages or syslog that indicates a problem with snort OR barnyard running?

I hope this gives you enough to chew on. Message me on or offlist if you have questions -- I can't always guarantee a fast response, though.

DA



_______________________________________________
Snort-users mailing list
Snort...@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!



--
when does reality end? when does fantasy begin?
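As an added example, not part of the thread or the Autosnort project, here is a small POSIX shell script that mechanises checks 1 to 4 above: it counts non-empty unified2 files, reports the state of the barnyard2.waldo bookmark, confirms that the password on the barnyard2.conf output database line matches the one in srconf.php, and tails syslog for snort/barnyard lines. The default paths follow the install guide, and the `$pass` variable name in srconf.php is an assumption; pass your own paths as arguments if they differ.

```shell
#!/bin/sh
# Added example, not from the thread: scripted version of DA's checks 1-4.
# Assumed paths (install guide): /var/log/snort, /etc/snort/barnyard2.conf, /var/www/snortreport-1.3.3/srconf.php

# Check 1: count non-empty unified2 files (snort.u2.<timestamp>) in a directory.
count_nonempty_u2() {
    find "$1" -maxdepth 1 -type f -name 'snort.u2.*' -size +0c 2>/dev/null \
        | wc -l | tr -d ' '
}

# Barnyard2 writes its bookmark (waldo) only after reading a unified2 file, so
# an empty waldo next to non-empty u2 files means barnyard2 never processed them.
waldo_state() {
    if   [ ! -e "$1" ]; then echo missing
    elif [ ! -s "$1" ]; then echo empty
    else echo ok; fi
}

# Check 3: password from the "output database:" line of barnyard2.conf, e.g.
#   output database: log, mysql, user=snort password=X dbname=snort host=localhost
by2_db_password() {
    grep -E '^[[:space:]]*output[[:space:]]+database:' "$1" 2>/dev/null \
        | sed -n 's/.*password=\([^ ]*\).*/\1/p' | head -n 1
}

# Check 2: password from srconf.php ($pass variable name is an assumption).
srconf_db_password() {
    sed -n 's/^[[:space:]]*\$pass[[:space:]]*=[[:space:]]*"\([^"]*\)".*/\1/p' \
        "$1" 2>/dev/null | head -n 1
}

# Both files must carry the same non-empty password or Snort Report reads nothing.
db_passwords_match() {
    a=$(by2_db_password "$1"); b=$(srconf_db_password "$2")
    [ -n "$a" ] && [ "$a" = "$b" ]
}

main() {
    dir=${1:-/var/log/snort}; conf=${2:-/etc/snort/barnyard2.conf}
    php=${3:-/var/www/snortreport-1.3.3/srconf.php}
    echo "non-empty unified2 files in $dir: $(count_nonempty_u2 "$dir")"
    echo "barnyard2.waldo: $(waldo_state "$dir/barnyard2.waldo")"
    if db_passwords_match "$conf" "$php"; then echo "db password: consistent"
    else echo "db password: MISMATCH or unreadable ($conf vs $php)"; fi
    # Check 4: last few snort/barnyard2 lines from syslog, if readable.
    grep -iE 'snort|barnyard' /var/log/syslog 2>/dev/null | tail -n 5
}

main "$@"
```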

Joe Nunham

Nov 16, 2012, 8:46:59 AM11/16/12

Hi,


I will give your script a shot and post back with results.


Thanks


From: Tony Robinson [mailto:deusexma...@gmail.com]
Sent: Thursday, November 15, 2012 7:08 PM
To: Joe Nunham
Cc: snort...@lists.sourceforge.net
Subject: Re: [Snort-users] Snort report not showing any data - not sure if Snort is working


Just wanted to post a quick update here for Joe and everyone else: the Autosnort script I posted for Ubuntu 12.04 is indeed compatible with Ubuntu 12.10 and performs wonderfully. These are screen caps post-install after throwing an armitage hail mary against an OWASP BWA virtual machine and Metasploitable 2 with exploit rank set to poor. I think it works.

Cheers,

DA

Joe Nunham

Nov 16, 2012, 3:29:13 PM11/16/12

Hi all,


I ran the script and it installed and got Snort up and running. I did have to grant the snort user permission to the MySQL database and reboot in order for it to work though; not sure if I missed a step somewhere along the line. Thanks for the suggestion and the awesome script.


Joe

k vijay sai prashanth

Nov 16, 2012, 5:27:04 PM11/16/12
Do you have the script for RHEL 5?

Tony Robinson

Nov 16, 2012, 6:24:33 PM11/16/12
Forgot to CC snort-users here.

The current script I have for CentOS 6/RHEL 6 will, to my knowledge, NOT work on CentOS/RHEL 5. I would have to spin up a CentOS 5 VM to test that, or if any of you would like to tackle that, be my guest and post results -- pics or it didn't happen :)

Regards,

DA

On Fri, Nov 16, 2012 at 5:58 PM, Tony Robinson <deusexma...@gmail.com> wrote:
Apologies sir,

but I do not have one for RHEL 5, unfortunately. If I have a bit of time coming up, I can try to spin up a CentOS 5 VM to build a script with.

-Tony