Waiting for New Data after configuring PulledPork

16 posts in this topic

Hi All

So my Barnyard2 command window is just sitting at a "Waiting for new data" prompt and has been like this all weekend; there is no data being passed to the WinIDS console either. It seems to me that Barnyard2 is not receiving any traffic.

If I run the test commands d:\winids\snort\bin\snort -v -i1 or -i2, both display traffic (and the warning: no preprocessors configured for policy 0).

If I run d:\winids\activators\by2-test, the config file loads successfully.

Running perl d:\winids\pulledpork\pulledpork.pl -c d:\winids\pulledpork\etc\pulledpork.conf -T completes in about 30 minutes with no errors.

Running d:\winids\snort\bin\snort -c d:\winids\snort\etc\snort.conf -l d:\winids\snort\log -i1 -T (Snort validated the config file successfully).

All services are running and started

Does anyone have any ideas what I am missing?

Thanks

Gary


I'm asking about this on the snort-users list. I'm also seeing this when I run snort -v -i1, and I don't remember ever seeing it before.

Warnings are usually only informational.

That warning is completely useless, because it wants to load the preprocessors, and that requires using the -c switch, which has never been required when using the -v switch for viewing packets.

Let's see what they come back with...

This most likely has nothing to do with no events being captured.


Hi Morpheus

Manually triggering the events worked; Snort is now collecting data.

Thanks for your help 


OK, is it only collecting events using the test rules, or is it actually collecting events based on the active rules?


Hi Morpheus

So I spoke too soon. Yesterday I removed the test.rules and restarted Snort and Barnyard2; both were running and collecting data. Today I went to check on new events and there were none, so I logged onto the server and it has stopped logging. Same issue as before (Waiting for new data).

So I am guessing that there is an issue with the rule set I am using. Can you take a look at my rules? Or do you think it might be something else?

Thanks

Gary  

(attached screenshot: Untitled.png)


Stop Snort, and Barnyard2. Delete everything in the log folder.

The Windows Intrusion Detection System needs to be plugged into a HUB or a switch that can mirror all the ports to the port the Windows Intrusion Detection System is plugged into.

Make SURE the HOME_NET is set correctly; using "any" could be a workaround until you are sure it's logging events.

Restart the Windows Intrusion Detection System when the above is true.

My guess is that it is working but for some reason it's not seeing traffic.

The next thing to do if the above is true and the Windows Intrusion Detection System is still not logging, is to turn on all the rules.
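When Barnyard2 sits at "Waiting for new data", the useful question is whether Snort is writing unified2 records into the spool directory at all. The script below is an added example, not part of this thread or of the WinIDS package: it parses a unified2 spool file directly (legacy IDS event records, type 7, 52 bytes each), counts events per generator/signature ID, and classifies the spool as having no files, an empty newest file, stale events, or fresh events. It assumes the default unified2 naming of `<filebase>.<unix_timestamp>` (for example `snort.log.1460000000`) and a filebase of `snort.log`; on the poster's box you would call `spool_diagnosis(r"d:\winids\snort\log", "snort.log")` with the filebase matching the `-f` argument given to Barnyard2. The spool directories it inspects in `demo()` are constructed in a temp directory, not real captures.

```python
"""Inspect a Snort unified2 spool directory to tell whether Snort is writing events.

Added example; not code from the thread or from WinIDS. File naming and field
layout follow Snort's unified2 output (assumption: filebase "snort.log").
"""
import os
import shutil
import struct
import tempfile
import time

U2_HDR = struct.Struct("!II")         # record type, record length (network byte order)
U2_IDS_EVENT = 7                       # Unified2IDSEvent_legacy
# 11 x uint32, 2 x uint16, 4 x uint8 = 52 bytes:
# sensor_id, event_id, event_second, event_microsecond, signature_id, generator_id,
# signature_revision, classification_id, priority_id, ip_source, ip_destination,
# sport_itype, dport_icode, protocol, impact_flag, impact, blocked
IDS_EVENT_FMT = struct.Struct("!IIIIIIIIIIIHHBBBB")


def parse_unified2(data):
    """Yield (record_type, payload) for each complete record in a unified2 byte stream."""
    off = 0
    while off + U2_HDR.size <= len(data):
        rtype, rlen = U2_HDR.unpack_from(data, off)
        off += U2_HDR.size
        if off + rlen > len(data):
            break  # truncated trailing record: Snort may still be writing it
        yield rtype, data[off:off + rlen]
        off += rlen


def count_events(data):
    """Return {(generator_id, signature_id): count} for the IDS events in a stream."""
    counts = {}
    for rtype, payload in parse_unified2(data):
        if rtype == U2_IDS_EVENT and len(payload) == IDS_EVENT_FMT.size:
            f = IDS_EVENT_FMT.unpack(payload)
            key = (f[5], f[4])  # generator_id, signature_id
            counts[key] = counts.get(key, 0) + 1
    return counts


def newest_spool_file(log_dir, filebase="snort.log"):
    """Return (path, age_seconds, size) of the newest <filebase>.<timestamp> file, or None."""
    cands = []
    for name in os.listdir(log_dir):
        suffix = name[len(filebase) + 1:]
        if name.startswith(filebase + ".") and suffix.isdigit():
            cands.append(os.path.join(log_dir, name))
    if not cands:
        return None
    path = max(cands, key=os.path.getmtime)
    st = os.stat(path)
    return path, time.time() - st.st_mtime, st.st_size


def spool_diagnosis(log_dir, filebase="snort.log", stale_after=600):
    """Classify the spool: 'no-spool-files', 'empty', 'stale' or 'ok', plus event counts."""
    info = newest_spool_file(log_dir, filebase)
    if info is None:
        return "no-spool-files", {}       # Snort never opened a spool file: check -l and output config
    path, age, size = info
    with open(path, "rb") as fh:
        counts = count_events(fh.read())
    if size == 0 or not counts:
        return "empty", counts            # spool opened, no events: no traffic seen or no rule hits
    if age > stale_after:
        return "stale", counts            # events exist but none recently: check the mirror port
    return "ok", counts


def ids_event_record(sid, gid=1, rev=1, src=0x0A000001, dst=0x0A000002,
                     sport=1234, dport=80, proto=6, sec=None):
    """Serialise one constructed legacy IDS event record (type 7) for testing."""
    sec = int(time.time()) if sec is None else sec
    payload = IDS_EVENT_FMT.pack(1, 1, sec, 0, sid, gid, rev, 0, 2,
                                 src, dst, sport, dport, proto, 0, 0, 0)
    return U2_HDR.pack(U2_IDS_EVENT, len(payload)) + payload


def demo(scenario="ok"):
    """Build a constructed spool directory for one scenario and diagnose it."""
    log_dir = tempfile.mkdtemp(prefix="winids-spool-")
    now = int(time.time())
    try:
        if scenario != "none":
            path = os.path.join(log_dir, "snort.log.%d" % now)
            with open(path, "wb") as fh:
                if scenario != "empty":
                    # three hits on local sid 1000001, one on 1000002 (constructed)
                    fh.write(ids_event_record(1000001) * 3 + ids_event_record(1000002))
            if scenario == "stale":
                old = now - 3600
                os.utime(path, (old, old))
        return spool_diagnosis(log_dir)
    finally:
        shutil.rmtree(log_dir, ignore_errors=True)


if __name__ == "__main__":
    for s in ("ok", "empty", "stale", "none"):
        print(s, "->", demo(s))
```

If the spool reports "ok" while Barnyard2 still says "Waiting for new data", Barnyard2 is reading a different directory or filebase than Snort is writing to; "empty" or "stale" points back at the mirror port, HOME_NET or the rule set rather than at Barnyard2.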

Hi

Deleted everything in the log folder. 

Home_net is set as such : 

# Setup the network addresses you are protecting
ipvar HOME_NET any
# Set up the external network addresses. Leave as "any" in most situations
ipvar EXTERNAL_NET any

I'm trying to check the config on our Cisco 3750, but I'm sure port mirroring is working OK.

Rebooted the Snort server and it just sits there waiting for new data.

*** Seeing as it logs traffic when using the test rule, does that mean it is capturing data fine? So this tells me that one of the other rules is blocking the data capture??

black_list.rules, deleted.rules, experimental.rules, local.rules, white_list.rules, winids.rules

Thanks, Gary


Running the test rules only tells you that it's capturing packets from that machine. If there is no mirroring in place, then you're not going to see any events being logged.


Hi Morpheus

So I reconfigured my mirror port today just to be sure, and I think it's working fine (see screenshot). Lots of received packets.

Can you please help me turn all the rules on and see if I get data in Barnyard2?

Thanks

Gary

(attached screenshot: Untitled.png)

So just after I posted the above message I got an event in Barnyard2, but I'm not sure what it means. See pic.

(attached screenshot: Untitled 2.png)

Hi, it seems to be working fine now; I am receiving events in Barnyard2.

Can you tell me how I can delete all the data collected so far that is stored in the Snort SQL DB? I want to start with a clean DB so I can monitor new events.

Thanks Gary


Go into the Windows Intrusion Detection System security console; there is an option at the bottom that will allow you to delete events, e.g. 1 - All of the selected events.


Hi Morpheus

Just wanted to say a big thank you for your time and effort.

Thanks

Gary
