jvinson
  1. Hello, my AWS setup continues to progress. I've managed to get success (I think) in running the pulledpork tutorial; however, I do have some lingering questions that concern me where I needed to deviate from the tutorial instructions:

     1.) I'm using a Linux MySQL instance for the database. The Apache2 server is also running on the Linux box. This is not standard for the Winsnort tutorial, where it comments on IIS vs. Apache2 customizations. The first instruction in question is to delete all files from a directory structure that is not present on my WinIDS Snort slave install: C:\IDS\Apache24\htdocs\base\signatures\ The command to delete all files in the directory does not bother me. After seeing the file path referenced in the pulledpork.conf file, I created the file structure to accommodate the update process. I'm curious if these "signatures" are intended to be added somehow to the MySQL database via Apache? The front end I'm using, Snorby, has a listing of signatures that it pulls from the MySQL DB. The front end only reports the original 522 signatures. Any thoughts on how the concepts work for a standard WinIDS deployment? Does BASE have an updated signature count of 12000+ signatures after running pulledpork?

     2.) When I ran the pulledpork command it seemed to go OK - the questions in the forums resolved some concerns - the downloaded signature files totaled 23,499 in the C:\IDS\Apache24\htdocs\base\signatures\ path. When running pulledpork with ips_policy=security, the pp script determines that out of 30577 rules, 12275 will be enabled and 18302 will be disabled. I'd like to know more as to why the script decides which rules to enable / disable.

     3.) This is the thing that is of highest concern to me. I know the OS environment for the tutorial was a Win 7 machine and I'm installing on the Server counterpart, 2008 R2, but there is a box toward the bottom of the tutorial that claims that after restarting the Snort server a Barnyard2 CMD window will just be running minimized in the taskbar area: "When the system is rebooted, Barnyard2 will be running in a Minimized window located in the Windows task bar. Opening the Barnyard2 CMD window will display the events as they are being shuttled to the database." I don't think I missed any steps, but this is not going to happen in my current install. I'd like to know where I went wrong.

     4.) Finally, my last question is concerning automating the pulledpork updating process. Can WINsnort.com endorse the practice of having a .bat file called by a scheduled task to execute the command below on a daily basis? If yes, why not include this in the pulledpork tutorial?
     Perl d:\winids\pulledpork\pulledpork.pl -c d:\winids\pulledpork\etc\pulledpork.conf -T

     Thanks in advance for the feedback. JVinson

     PS - @ Mopheus - did you see my private message? Just wanted to confirm whether you did or not. Thanks.
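The enable/disable split that pulledpork reports under ips_policy=security (question 2 in the post above) comes from policy metadata carried inside each Talos rule, not from anything pulledpork derives from the sensor. The Python script below is an added illustration written for this thread, not pulledpork's own code; it models only the core of that behaviour on constructed rule text (none of these rules or sids are real): a rule is enabled when its metadata names the selected policy and is otherwise written back commented out. The enablesid/disablesid/modifysid layers that pulledpork applies on top of this are not reproduced.

```python
"""Model of ips_policy-driven rule selection (added example, not pulledpork code)."""
import re
from typing import Dict, List, Tuple

# Constructed sample rules for illustration only (not from the page or any real ruleset).
# Rule B is shipped commented out, the way rules outside the default policy are;
# rule D carries no policy metadata at all.
SAMPLE_RULES = """\
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"constructed rule A"; sid:9000001; rev:1; metadata:policy balanced-ips drop, policy security-ips drop;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 443 (msg:"constructed rule B"; sid:9000002; rev:1; metadata:policy security-ips drop;)
alert udp any any -> any 53 (msg:"constructed rule C"; sid:9000003; rev:1; metadata:policy connectivity-ips drop;)
alert icmp any any -> any any (msg:"constructed rule D"; sid:9000004; rev:1;)
# a plain comment that happens to mention sid:1 is not a rule
"""

# A rule line, possibly commented out: optional '#', then a Snort action keyword.
RULE_RE = re.compile(r"^\s*(#\s*)?(alert|log|pass|drop|reject|sdrop)\s")
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")
# Talos policy tokens look like "policy balanced-ips drop"; capture the policy name.
POLICY_RE = re.compile(r"\bpolicy\s+([a-z-]+)-ips\b")
LEADING_COMMENT_RE = re.compile(r"^\s*#\s*")


def rule_policies(rule: str) -> set:
    """Return the set of IPS policy names declared in a rule's metadata."""
    return set(POLICY_RE.findall(rule))


def apply_ips_policy(rules_text: str, ips_policy: str) -> Tuple[str, Dict[str, bool]]:
    """Rewrite a rules file for one policy.

    Returns the rewritten text and a map sid -> enabled. A rule is enabled
    (uncommented) when its metadata names `ips_policy`; every other rule is
    disabled (commented out). Non-rule lines pass through untouched.
    """
    out_lines: List[str] = []
    decisions: Dict[str, bool] = {}
    for line in rules_text.splitlines():
        action = RULE_RE.match(line)
        sid = SID_RE.search(line)
        if not action or not sid:
            out_lines.append(line)  # blank lines and ordinary comments
            continue
        body = LEADING_COMMENT_RE.sub("", line)  # strip any existing '#'
        enabled = ips_policy in rule_policies(body)
        decisions[sid.group(1)] = enabled
        out_lines.append(body if enabled else "# " + body)
    return "\n".join(out_lines) + "\n", decisions


def summarize(decisions: Dict[str, bool]) -> Tuple[int, int, int]:
    """(total rules, enabled, disabled), the same three numbers pulledpork prints."""
    enabled = sum(1 for v in decisions.values() if v)
    return len(decisions), enabled, len(decisions) - enabled


if __name__ == "__main__":
    for policy in ("connectivity", "balanced", "security"):
        text, decided = apply_ips_policy(SAMPLE_RULES, policy)
        total, on, off = summarize(decided)
        print(f"ips_policy={policy}: {total} rules, {on} enabled, {off} disabled")
        print(text)
```

Running it shows why a stricter policy enables more rules: under security, rules A and B (both tagged security-ips) are enabled and B loses its leading `#`, while C (connectivity-ips only) and D (no policy metadata) are commented out; under connectivity only C survives.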
  2. Resolved Issue - the following command is working in the AWS EC2 instance:
     c:\IDS\Snort\bin\snort -c c:\IDS\Snort\etc\snort.conf -i1 -l c:\IDS\Snort\log -p -k none
     The article where I found this information can be found here. As a result, the rest of the stack from Barnyard to Snorby is working as expected.
  3. Yes, correct, it is only a test. The fatal error is what concerns me:
     ERROR: C:\Documents and Settings\Snort\Desktop\snort\src\output-plugins\spo_unified2.c(323) Could not open log/merged.log.1483030761: No such file or directory
     I just did a separate install following your tutorial to the letter. I ran the command:
     c:\IDS\Snort\bin\snort -c c:\IDS\Snort\etc\snort.conf -i 1 -l c:\IDS\Snort\log
     This has created a merged.log.[timestamp] file in the .\Snort\log directory. My concern is that the data in this log file is not in unified2 format, because of the error that is produced when I do not specify the log file path in the cmd window. Now that I have this merged.log.[timestamp] file, Barnyard2 should respond to it and dump the log data in the MySQL database? Typically this has not happened for me. I'm guessing this is due to not having a unified2 file format...? Just to be clear, I do want log data in the MySQL database and not just alert data. Is this expectation correct, or should I just assume the only data Barnyard2 sends to MySQL is alert data? Many thanks, Jvinson
  4. How can I be sure that the following command will use unified2 output?
     c:\IDS\Snort\bin\snort -c c:\IDS\Snort\etc\snort.conf -i 1 -T -l c:\IDS\Snort\log
     I suspect that it will run using a default output, as if I were to use the -A fast switch. I'll try it and let you know - I have gotten some strange results from copy / paste into the cmd window - maybe if I type it manually it will function better.
  5. Update: There is something wrong with the configuration, or I have to start completely over. I just wanted to verify that I can get Snort to create a unified2 log file. All my previous commands run a log option via the command line, which takes priority over the snort.conf. Apparently the install I have does not generate unified2 log files. I triple checked the snort.conf file and verified the line for output is:
     output unified2: filename merged.u2, limit 128
     I run the command:
     c:\IDS\Snort\bin\snort -c c:\IDS\Snort\etc\snort.conf -i 1 -T
     Output:
     pcap DAQ configured to passive.
     The DAQ version does not support reload.
     Acquiring network traffic from "\Device\NPF_{58FEDF05-4BD0-466D-A69E-95CE016393D6}".
     ERROR: C:\Documents and Settings\Snort\Desktop\snort\src\output-plugins\spo_unified2.c(323) Could not open log/merged.u2.1483030761: No such file or directory
     Fatal Error, Quitting..
     Is this a bug fix issue? Or have I gone completely wrong somewhere? The ERROR line above suggests there should be a Windows user profile named 'Snort'; that is not the case. I also note the forward slash in the "...log/merged.u2.1483030761:..." path. This does not explain why the other error is happening - the test.rules file is completely ignored - no alerts or logs have been generated.
     snort.conf
  6. Update: Clearly I need to learn more about Snort. I now understand the differences between tcpdump / packet logger / NIDS modes, which makes more sense of what I posted above.
     The command: c:\IDS\Snort\bin\snort -c c:\IDS\Snort\etc\snort.conf -l c:\IDS\Snort\log -i1 is used for IDS mode.
     The command: c:\IDS\Snort\bin\snort -dev -b -l c:\IDS\Snort\log -i 1 -E -U -p -c c:\IDS\Snort\etc\snort.conf is used for IDS mode w/ promiscuous disabled.
     The command: c:\IDS\Snort\bin\snort -dev -b -l c:\IDS\Snort\log -i 1 -E -U -p is used for packet logger mode w/ promiscuous disabled.
     OK - now I'm changing it up a bit. Currently I have the services disabled and I'm running everything from an elevated CMD window manually.
     #1 I'm running this command: c:\IDS\Snort\bin\snort -l c:\IDS\Snort\log -b -i 1 -E -U -p
     Snort generates a snort.log.[timestamp] file that grows based on network traffic w/ source/destination of the Snort server - this is packet logger mode. I'm not sure of the output here; I think it should be in binary and Barnyard2 should be able to send it to the MySQL database server - correct? That's not happening. My Barnyard2 command: c:\ids\barnyard2\barnyard2.exe -c c:\ids\barnyard2\etc\barnyard2.conf -d c:\ids\snort\log -f snort.log -l c:\ids\barnyard2 -w c:\ids\snort\log\barnyard.waldo
     Barnyard2 creates a new barnyard.waldo file which grows to 3 kb while the snort.log.[timestamp] file continues to grow. Wait for an hour - no change.
     #2 I'm running this command: C:\IDS\Snort\bin\snort -b -A fast -c c:\IDS\Snort\etc\snort.conf -i1 -p -U -E
     Snort generates a snort.log.[timestamp] file that does not grow beyond 1 kb. This is NIDS mode and therefore only logs traffic based on specific rules. Snort generates an alert.ids file that does not grow beyond 0 kb. Now running the same command in Barnyard2: c:\ids\barnyard2\barnyard2.exe -c c:\ids\barnyard2\etc\barnyard2.conf -d c:\ids\snort\log -f snort.log -l c:\ids\barnyard2 -w c:\ids\snort\log\barnyard.waldo
     Barnyard2 creates a new barnyard.waldo file which grows to 3 kb while the snort.log.[timestamp] file continues to grow. Wait for an hour - no change.
     I've been using the -E option to log events to the Windows Event Viewer, so I thought I'd check that out. I found this error from earlier today; not sure how to correlate the error to what I was doing, but here it is: "OpenAlertFile() => fopen() alert file log/alert.ids: No such file or directory" I think the path to the log file is hard coded somehow to be used in a Linux/Unix environment, not Windows. For Windows should this not be "....log\alert.ids:..."? The text "log/alert.ids" does not appear in the snort.conf file. I don't know if it's a big deal or not. Along these lines I also went into the .\etc\snort.conf file and changed the site specific rules section lines from "include $RULE_PATH/local.rules" to "include $RULE_PATH\local.rules", going from forward slash to back slash on 117 lines. I have not seen any changes to the application based on this change.
     Finally - this is interesting - I ran through the steps to apply the test.rules file from "How manually to trigger TCP, IP, UDP, and icmp for event testing" and there was no change in the behavior for the Snort logs or Barnyard2 response. Any help is welcomed at this time. Thanks, JVinson
  7. Hello WinIDS community - again,
     Went through the "Installing a slave client logging events to a remote MySQL Database" tutorial. My remote WinIDS is running on Server 2008 R2 and I have verified connectivity to the Ubuntu server MySQL running 5.7.16, listening on port 3306. My hope is to use the Snorby frontend running on Ubuntu 16.04 to read the MySQL database after Barnyard2 dumps the pcaps from Snort into the DB. This is a change from the previous issues I was having getting the WinIDS / Snort install working. As a general FYI, I have validated that the referenced tutorial has been completed with the necessary modifications to my environment - i.e. Linux database / Snorby instead of Windows MySQL / BASE. The Snort and Barnyard2 applications are configured to run as services from startup per instructions, and Barnyard2 is able to communicate with the MySQL database Snorby on the Ubuntu server. The Snorby front end is also functional from the perspective that one can log in to the website and browse the settings and menu options.
     Issue: I'm running this configuration in a set of Amazon AWS EC2 instances. AWS does not allow networks connecting EC2 instances to run packet sniffing functions - i.e. promiscuous mode NIDS type functions - so I'm OK if I can just capture traffic going to/from the box where Snort is installed and pass that data via Barnyard2 to the MySQL DB.
     ** First configuration - Snort command - this was before running with -p to disable promiscuous mode:
     c:\IDS\Snort\bin\snort -c c:\IDS\Snort\etc\snort.conf -l c:\IDS\Snort\log -i1
     Result - Snort was listening but nothing was being dumped to the log files - merged.log-[timestamp] = 0 kb. Barnyard2 is not reading or getting any of this data and is not sending the data to the MySQL DB.
     ** 2nd configuration - Snort command - this was the first attempt to disable promiscuous mode:
     c:\IDS\Snort\bin\snort -dev -b -l c:\IDS\Snort\log -i 1 -E -U -p -c c:\IDS\Snort\etc\snort.conf
     Result - Snort was listening but little was being dumped to the log files - merged.log-[timestamp] = 1 kb. The CMD window screen goes crazy because there is lots of network traffic data being posted to stdout; the Windows instance becomes slow to respond to anything other than the Snort window. Barnyard2 was tracking the merged.log file but no data was transferred. Test rules were inserted in the local.rules file:
     alert icmp -> any any -> any any (msg:"ICMP Testing Rule"; sid:1000001; rev:1;)
     alert tcp -> any any -> any 80 (msg:"TCP Testing Rule"; sid:1000002; rev:1;)
     alert udp -> any any -> any any (msg:"UDP Testing Rule"; sid:1000003; rev:1;)
     I added Google's IP address to the black_list.rules file. Barnyard2 seemed more responsive - its stdout was tracking the merged.log file - but it is not reading or getting any of this data and is not sending the data to the MySQL DB.
     ** 3rd configuration - Snort command - this was the 2nd attempt to disable promiscuous mode:
     c:\IDS\Snort\bin\snort -dev -b -l c:\IDS\Snort\log -i 1 -E -U -p
     Note: removed '-c c:\IDS\Snort\etc\snort.conf' from the command line.
     Result - Snort was listening and the log files began growing fast - merged.log-[timestamp] = 3,072 kb. The CMD window screen is not posting network traffic data; a warning is posted to stdout: "No preprocessors configured for policy 0". The Windows instance is not slow to respond at this time. Barnyard2 was not able to find or create a new barnyard2.waldo file (I deleted all files in the directory before running the 3rd configuration). Another error from stdout - "(snort_decoder) WARNING: IP dgm len < IP Hdr len". Test rules were inserted in the local.rules file:
     alert icmp -> any any -> any any (msg:"ICMP Testing Rule"; sid:1000001; rev:1;)
     alert tcp -> any any -> any 80 (msg:"TCP Testing Rule"; sid:1000002; rev:1;)
     alert udp -> any any -> any any (msg:"UDP Testing Rule"; sid:1000003; rev:1;)
     I added Google's IP address to the black_list.rules file. Barnyard2 is not reading or getting any of this data and is not sending the data to the MySQL DB.
     At this point I don't know what to expect from the application based on the limitations I have in this environment. I'm not sure if I should change the command switches I have set or if my logs are even being output to unified2 (due to the exclusion of the conf file I'm not sure). The current merged.log opened in Notepad++ reads NUL about a gazillion times and a bunch of non-standard characters. Thoughts and input are welcome and greatly appreciated. Thanks, JVinson
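Two things this post and post 6 are trying to infer from file sizes can be read straight from the spool file. Barnyard2 consumes unified2 only: `snort -b` without `-c` is packet logger mode and writes snort.log.<timestamp> in pcap format, which Barnyard2 will never pick up, while the `output unified2:` line in snort.conf is what produces a spool Barnyard2 can read (the run of NUL bytes in Notepad++ is simply what a binary file looks like, and says nothing about which format it is). The relative `log/merged.u2...` directory in the earlier fatal error is also consistent with Snort's default log directory being resolved against the process's working directory when `-l` is absent. The Python script below is an added illustration written for this thread, not Snort's or Barnyard2's tooling: it tells a pcap capture from a unified2 spool by its first bytes and walks unified2 records using the record layouts from Snort's Unified2_common.h. The sample spool it parses is constructed inline (the sid matches the ICMP test rule quoted above; the addresses and packet bytes are made up).

```python
"""Classify a Snort spool file and walk unified2 records (added example, not Snort/Barnyard2 code)."""
import struct
from typing import List

# libpcap file magics (both byte orders, micro- and nanosecond variants):
# what `snort -b` (packet logger mode) writes into snort.log.<timestamp>.
PCAP_MAGICS = {b"\xa1\xb2\xc3\xd4", b"\xd4\xc3\xb2\xa1",
               b"\xa1\xb2\x3c\x4d", b"\x4d\x3c\xb2\xa1"}

# Unified2 record types from Snort's Unified2_common.h.
UNIFIED2_PACKET = 2
UNIFIED2_IDS_EVENT = 7
UNIFIED2_IDS_EVENT_IPV6 = 72
UNIFIED2_IDS_EVENT_VLAN = 104
UNIFIED2_IDS_EVENT_IPV6_VLAN = 105
UNIFIED2_EXTRA_DATA = 110
KNOWN_TYPES = {UNIFIED2_PACKET, UNIFIED2_IDS_EVENT, UNIFIED2_IDS_EVENT_IPV6,
               UNIFIED2_IDS_EVENT_VLAN, UNIFIED2_IDS_EVENT_IPV6_VLAN, UNIFIED2_EXTRA_DATA}

RECORD_HDR = struct.Struct("!II")  # Serial_Unified2_Header: type, length (big-endian)
# Unified2IDSEvent_legacy (type 7), 52 bytes: sensor_id, event_id, event_second,
# event_microsecond, signature_id, generator_id, signature_revision, classification_id,
# priority_id, ip_source, ip_destination, sport_itype, dport_icode, protocol,
# impact_flag, impact, blocked.
IDS_EVENT_LEGACY = struct.Struct("!11I2H4B")
# Unified2Packet header (type 2), 28 bytes: sensor_id, event_id, event_second,
# packet_second, packet_microsecond, linktype, packet_length; packet bytes follow.
PACKET_HDR = struct.Struct("!7I")


def ipv4(n: int) -> str:
    return ".".join(str((n >> s) & 0xFF) for s in (24, 16, 8, 0))


def ip2int(addr: str) -> int:
    a, b, c, d = (int(x) for x in addr.split("."))
    return (a << 24) | (b << 16) | (c << 8) | d


def classify_spool(data: bytes) -> str:
    """'empty', 'pcap', 'unified2' or 'unknown' from the leading bytes only."""
    if not data:
        return "empty"
    if data[:4] in PCAP_MAGICS:
        return "pcap"
    if len(data) >= RECORD_HDR.size:
        rtype, rlen = RECORD_HDR.unpack_from(data, 0)
        if rtype in KNOWN_TYPES and 0 < rlen <= len(data) - RECORD_HDR.size:
            return "unified2"
    return "unknown"


def parse_unified2(data: bytes) -> List[dict]:
    """Walk every record; decode IPv4 legacy events and packet records, keep others by type."""
    records: List[dict] = []
    off = 0
    while off < len(data):
        if off + RECORD_HDR.size > len(data):
            raise ValueError(f"truncated record header at offset {off}")
        rtype, rlen = RECORD_HDR.unpack_from(data, off)
        start, end = off + RECORD_HDR.size, off + RECORD_HDR.size + rlen
        if end > len(data):
            raise ValueError(f"record at offset {off} claims {rlen} bytes past end of file")
        body = data[start:end]
        rec = {"type": rtype, "length": rlen}
        if rtype == UNIFIED2_IDS_EVENT and rlen == IDS_EVENT_LEGACY.size:
            f = IDS_EVENT_LEGACY.unpack(body)
            rec.update(event_id=f[1], event_second=f[2], sid=f[4], gid=f[5], rev=f[6],
                       priority=f[8], src=ipv4(f[9]), dst=ipv4(f[10]),
                       sport_itype=f[11], dport_icode=f[12], protocol=f[13])
        elif rtype == UNIFIED2_PACKET and rlen >= PACKET_HDR.size:
            f = PACKET_HDR.unpack_from(body)
            rec.update(event_id=f[1], linktype=f[5], packet_length=f[6],
                       packet=body[PACKET_HDR.size:PACKET_HDR.size + f[6]])
        records.append(rec)
        off = end
    return records


def is_truncated(data: bytes) -> bool:
    """True when the spool ends mid-record (a partially written file, for instance)."""
    try:
        parse_unified2(data)
    except ValueError:
        return True
    return False


def event_summary(records: List[dict]) -> List[str]:
    """One 'gid:sid:rev src -> dst proto N' line per decoded event record."""
    return [f"{r['gid']}:{r['sid']}:{r['rev']} {r['src']} -> {r['dst']} proto {r['protocol']}"
            for r in records if "sid" in r]


def build_sample_spool() -> bytes:
    """Constructed two-record spool: one legacy IDS event plus its packet record."""
    ev = IDS_EVENT_LEGACY.pack(1, 1, 1483030761, 0, 1000001, 1, 1, 0, 3,
                               ip2int("192.0.2.10"), ip2int("192.0.2.20"), 8, 0, 1, 0, 0, 0)
    payload = b"\x08\x00\xf7\xff\x00\x00\x00\x00"  # made-up ICMP echo request bytes
    pk = PACKET_HDR.pack(1, 1, 1483030761, 1483030761, 0, 1, len(payload)) + payload
    return (RECORD_HDR.pack(UNIFIED2_IDS_EVENT, len(ev)) + ev
            + RECORD_HDR.pack(UNIFIED2_PACKET, len(pk)) + pk)


if __name__ == "__main__":
    spool = build_sample_spool()
    print("spool format:", classify_spool(spool))
    for line in event_summary(parse_unified2(spool)):
        print(line)
```

To check a real spool, read the file with `open(path, "rb").read()` and feed it to `classify_spool`: a result of `pcap` means the file came from packet logger mode and will never reach the database through Barnyard2; `unified2` means Barnyard2 has something to read, and `event_summary` shows which rules actually fired.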
  8. I was able to wget the latest barnyard2 tar.gz from GitHub on my Ubuntu box; from there I made the necessary MySQL database schema updates. After that I went back to the remote snort/barnyard2 instance and everything worked like a charm. One recommendation - add a pause line to the end of the by2-test.bat so the cmd window doesn't disappear when it finally runs successfully. Thanks a bunch. Now I hope the process I've created to get Snorby up and running doesn't break the WinIDS config. Thanks again and have a great holiday! jvinson
  9. Thank you for the steps you provided and your quick response to this issue. I'll be sure to work through these steps; however, I think I may have found a flaw in my setup. I'm hoping you can confirm. In the setup I have mentioned, the MySQL database, snort, has been created and permissions have been assigned correctly to the remote sensor, but I have not applied a schema or run tables as per your MySQL server install tutorials - of course your tutorials are Windows based and I'm working on a Linux Ubuntu 16.04 system. Can this explain the behaviour? Thanks in advance, Jvinson
  10. Hello WinIDS community,
      Went through the "Installing a slave client logging events to a remote MySQL Database" tutorial. My remote WinIDS is running on Server 2008 R2 and I have verified connectivity to the Ubuntu server MySQL running 5.7.16, listening on port 3306. My hope is to use the Snorby frontend running on Ubuntu 16.04 to read the MySQL database after Barnyard2 dumps the pcaps from Snort into the DB.
      I run the Snort validation command: c:\IDS\Snort\bin\snort -c c:\IDS\Snort\etc\snort.conf -l c:\IDS\snort\log -i1 -T
      Output says it can't find the whitelist / blacklist entries:
      Reputation Preprocessor disabled.
      312 out of 1024 flowbits in use.
      Snort successfully validated the configuration!
      Snort Exiting.
      Snort is running as a service (delayed auto-start). Next I applied the Reg file "auto-remote-barnyard2.reg". No files have been installed to the c:\IDS\Snort\log directory.
      Run as administrator - "c:\IDS\activators\by2-test.bat":
      Warning invalid reference spec 'url,'. Ignored (x9)
      INFO database: Defaulting Reconnect sleep time to 5 second.....
      (3 mins later)
      Unable to open waldo file C:\IDS\Snort\log\barnyard.waldo (no such file or directory)
      Waiting for new spool file.......(& waiting & waiting....)
      Process terminated by user because he screwed up somewhere.
      I'm assuming I have been careful about keeping the path reference changes adjusted for the modder.vbs and the Reg file. My SQL DB has a slightly different config:
      grant all on snorby.* to 'snorby'@'10.0.0.44'IDENTIFIED BY '**************';
      The MySQL config has bind-address set to the master IDS server IP. Both master and slave have 1 NIC each. Based on a configuration I saw in a Linux tutorial for running Snort, I disabled TCP Large Receive Offload on the remote NIC. I really hope this doesn't matter, but they are EC2 instances on Amazon AWS. Not sure what to try next except throw away the VMs and start again. Any thoughts to help get me in the right direction would be awesome. Thanks & take care.
      snort.conf
      barnyard2.conf