Tested systems
1. CentOS 6.4 32-bit, kernel version 2.6.32-358.2.1.el6.i686.
2. CentOS 6.4 32-bit, kernel version 2.6.32.60-grsec (grsec patched kernel)
3. Virtualbox version 4.2.10.
4. Snort engine version 2.9.4. Snort rules version 2940.
Reference guide
There are numerous installation guides on the internet, but the guides written by nachum234 are by far the best:
1. Snort installation.
2. Barnyard installation.
3. Snorby installation.
4. BASE installation.
EPEL repository
Use this link for 32-bit, and this one for 64-bit. Use wget to download the file, then run rpm -Uvh epel-release-6-8.noarch.rpm to install the repository file into /etc/yum.repos.d/. Once that is done, epel.repo and epel-testing.repo will be present in the directory:
[root@localhost yum.repos.d]# ls -lah
total 32K
drwxr-xr-x  2 root root 4.0K Mar 29 18:44 .
drwxr-xr-x 75 root root 4.0K Mar 30 21:23 ..
-rw-r--r--  1 root root 1.9K Feb 25 16:57 CentOS-Base.repo
-rw-r--r--  1 root root  638 Feb 25 16:57 CentOS-Debuginfo.repo
-rw-r--r--  1 root root  630 Feb 25 16:57 CentOS-Media.repo
-rw-r--r--  1 root root 3.6K Feb 25 16:57 CentOS-Vault.repo
-rw-r--r--  1 root root  957 Nov  5 11:52 epel.repo
-rw-r--r--  1 root root 1.1K Nov  5 11:52 epel-testing.repo
[root@localhost yum.repos.d]#
A default CentOS installation does not include wget, so run yum install wget -y first to install the package.
Required packages for snort
yum install libdnet libdnet-devel pcre pcre-devel gcc make flex byacc bison kernel-devel libxml2-devel -y
Refer to nachum234's Snort installation guide for the full list of required packages.
DAQ (Data AcQuisition library)
For compiling and installing DAQ, refer to nachum234's Snort installation guide; this post does not reproduce the steps written by nachum234.
DAQ can be downloaded from the Snort website, and more information is available on the Snort blog.
Snort configuration file
If you have created a symbolic link from /usr/local/snort/etc/ to /etc/snort, use snort -c /etc/snort/snort.conf -T to test the configuration.
In the variable section of /usr/local/snort/etc/snort.conf it is recommended that you use absolute paths; the default path is the relative ../rules.
# Path to your rules files (this can be a relative path)
# Note for Windows users: You are advised to make this an absolute path,
# such as: c:\snort\rules
var RULE_PATH /usr/local/snort/rules
var SO_RULE_PATH /usr/local/snort/so_rules
var PREPROC_RULE_PATH /usr/local/snort/preproc_rules
# unified2
# Recommended for most installs
# output unified2: filename merged.log, limit 128, nostamp, mpls_event_types, vlan_event_types
output unified2: filename snort.log, limit 128
No timestamp is appended to the log file name if nostamp is used in the output unified2 statement. With the statement above (no nostamp), the Snort log directory looks something like this, with the epoch timestamp as a suffix:
[root@localhost etc]# ls -lah /var/log/snort/eth1/
total 92K
drwxr-xr-x 3 snort snort 4.0K Mar 30 21:30 .
drwxr-xr-x 4 snort snort 4.0K Mar 31 17:44 ..
drwxr-xr-x 2 snort snort 4.0K Mar 30 09:42 archive
-rw------- 1 snort snort 2.1K Mar 30 22:11 barnyard2.waldo
-rw------- 1 snort snort  72K Mar 31 17:33 snort.log.1364650165
[root@localhost etc]#
Allow inbound HTTP requests
iptables is enabled by default in CentOS; add a rule to allow inbound TCP port 80 requests so the web front end (BASE or Snorby) is reachable.
[root@localhost eth1]# cat /etc/sysconfig/iptables
# Firewall configuration written by system-config-firewall
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
[root@localhost eth1]#
Snorby worker cannot be started
If you downloaded and compiled Ruby yourself and did not specify an installation directory, use ./configure --prefix=/usr so that the compiled Ruby is installed under /usr.
The problem I encountered was that Ruby was installed to /usr/local/bin; you can either create a symbolic link or install Ruby under the /usr directory. After you have installed the gems, your Snorby should be able to start the workers.
If there are no events in Snorby or BASE
After installation you may find that no events appear in BASE or Snorby. You can test with this command: barnyard2 -c /etc/snort/barnyard.conf -d /var/log/snort/eth1 -f snort.log. The barnyard2.waldo file is created by barnyard2 itself, so you do not need to touch barnyard2.waldo beforehand.
If after some time the events are still not updated, run the same command again to check whether barnyard2 is able to parse the unified2 events. You can also include the waldo file in the test:
barnyard2 -c /etc/snort/barnyard.conf -d /var/log/snort/eth1 -w /var/log/snort/eth1/barnyard2.waldo -f snort.log
You should see output like the following if barnyard2 can parse the unified2 formatted events:
....
....
....
03/31-15:41:13.885870 [**] [1:16008:12] Snort Alert [1:16008:12] [**] [Classification: Misc activity] [Priority: 3] {TCP} 203.211.153.16:80 -> 175.156.141.33:51985
03/31-15:41:13.880406 [**] [1:16008:12] Snort Alert [1:16008:12] [**] [Classification: Misc activity] [Priority: 3] {TCP} 203.211.153.16:80 -> 172.16.0.39:51984
03/31-15:41:13.880405 [**] [1:16008:12] Snort Alert [1:16008:12] [**] [Classification: Misc activity] [Priority: 3] {TCP} 203.211.153.16:80 -> 175.156.141.33:51984
03/31-15:41:14.298644 [**] [1:16008:12] Snort Alert [1:16008:12] [**] [Classification: Misc activity] [Priority: 3] {TCP} 203.211.153.16:80 -> 172.16.0.39:51988
03/31-15:41:14.298641 [**] [1:16008:12] Snort Alert [1:16008:12] [**] [Classification: Misc activity] [Priority: 3] {TCP} 203.211.153.16:80 -> 175.156.141.33:51988
03/31-16:26:59.515313 [**] [3:19187:2] Snort Alert [1:19187:2] [**] [Classification: Attempted User Privilege Gain] [Priority: 1] {UDP} 202.65.242.46:53 -> 175.156.141.33:56620
03/31-16:26:59.515912 [**] [3:19187:2] Snort Alert [1:19187:2] [**] [Classification: Attempted User Privilege Gain] [Priority: 1] {UDP} 202.65.242.46:53 -> 172.16.0.39:56620
03/31-17:05:30.211086 [**] [3:11672:6] Snort Alert [1:11672:6] [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 172.16.0.41:35156 -> 50.22.231.38:443
03/31-17:05:30.211089 [**] [3:11672:6] Snort Alert [1:11672:6] [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 175.156.141.33:35156 -> 50.22.231.38:443
03/31-17:33:46.347254 [**] [3:19187:2] Snort Alert [1:19187:2] [**] [Classification: Attempted User Privilege Gain] [Priority: 1] {UDP} 202.65.242.46:53 -> 175.156.141.33:60770
03/31-17:33:46.347713 [**] [3:19187:2] Snort Alert [1:19187:2] [**] [Classification: Attempted User Privilege Gain] [Priority: 1] {UDP} 202.65.242.46:53 -> 172.16.0.39:60770
Waiting for new data
^Cdatabase: Closing connection to database "snorby"
===============================================================================
Record Totals:
   Records:         272
   Events:          125 (45.956%)
   Packets:         147 (54.044%)
   Unknown:           0 (0.000%)
===============================================================================
Packet breakdown by protocol (includes rebuilt packets):
      ETH:         147 (100.000%)
  ETHdisc:           0 (0.000%)
     VLAN:           0 (0.000%)
     IPV6:           0 (0.000%)
  IP6 EXT:           0 (0.000%)
  IP6opts:           0 (0.000%)
  IP6disc:           0 (0.000%)
      IP4:         147 (100.000%)
  IP4disc:           0 (0.000%)
    TCP 6:           0 (0.000%)
    UDP 6:           0 (0.000%)
    ICMP6:           0 (0.000%)
  ICMP-IP:           0 (0.000%)
      TCP:         102 (69.388%)
      UDP:          45 (30.612%)
     ICMP:           0 (0.000%)
  TCPdisc:           0 (0.000%)
  UDPdisc:           0 (0.000%)
  ICMPdis:           0 (0.000%)
     FRAG:           0 (0.000%)
   FRAG 6:           0 (0.000%)
      ARP:           0 (0.000%)
    EAPOL:           0 (0.000%)
  ETHLOOP:           0 (0.000%)
      IPX:           0 (0.000%)
    OTHER:           0 (0.000%)
  DISCARD:           0 (0.000%)
InvChkSum:           0 (0.000%)
   S5 G 1:           0 (0.000%)
   S5 G 2:           0 (0.000%)
    Total:         147
===============================================================================
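To make the "Record Totals" block above less of a black box, here is a small unified2 spool reader added to this post as an illustration; it is not barnyard2's code and not part of Snort. It walks a unified2 file record by record exactly as the test command does, prints one line per IDS event in the style of barnyard2's "Snort Alert" output, and tallies records into events, packets and unknown so the totals add up the same way. The record layouts (Unified2IDSEvent, type 7, 52 bytes for IPv4; Unified2Packet, type 2) are Snort's documented unified2 structures; the spool parsed below is constructed in memory with RFC 5737 documentation addresses, and the classification name is not resolved because that would need classification.config.

```python
"""Minimal unified2 spool reader (illustration only; not barnyard2's code)."""
import socket
import struct
import time

RECORD_HDR = struct.Struct("!II")        # record type, record length (big-endian)
UNIFIED2_PACKET = 2
UNIFIED2_IDS_EVENT = 7

# Unified2IDSEvent (IPv4): sensor_id, event_id, event_second, event_microsecond,
# signature_id, generator_id, signature_revision, classification_id, priority_id,
# ip_source, ip_destination, sport_itype, dport_icode, protocol, impact_flag,
# impact, blocked  -> 52 bytes
IDS_EVENT = struct.Struct("!IIIIIIIII4s4sHHBBBB")
IDS_EVENT_KEYS = ("sensor_id", "event_id", "event_second", "event_microsecond",
                  "signature_id", "generator_id", "signature_revision",
                  "classification_id", "priority_id", "ip_source",
                  "ip_destination", "sport", "dport", "protocol",
                  "impact_flag", "impact", "blocked")
# Unified2Packet: sensor_id, event_id, event_second, packet_second,
# packet_microsecond, linktype, packet_length, then packet_length bytes of data
PACKET_HDR = struct.Struct("!IIIIIII")

PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}


def iter_records(data):
    """Yield (record_type, payload) for every complete record in the spool.
    A truncated trailing record ends the walk; barnyard2 waits for more data there."""
    off = 0
    while off + RECORD_HDR.size <= len(data):
        rec_type, length = RECORD_HDR.unpack_from(data, off)
        off += RECORD_HDR.size
        if off + length > len(data):
            break
        yield rec_type, data[off:off + length]
        off += length


def parse_ids_event(payload):
    """Decode a type-7 IPv4 event into a dict with dotted-quad addresses."""
    ev = dict(zip(IDS_EVENT_KEYS, IDS_EVENT.unpack_from(payload)))
    ev["ip_source"] = socket.inet_ntoa(ev["ip_source"])
    ev["ip_destination"] = socket.inet_ntoa(ev["ip_destination"])
    return ev


def format_alert(ev):
    """Render an event like barnyard2's stdout line (timestamp shown in UTC)."""
    ts = time.strftime("%m/%d-%H:%M:%S", time.gmtime(ev["event_second"]))
    sig = "[%d:%d:%d]" % (ev["generator_id"], ev["signature_id"], ev["signature_revision"])
    proto = PROTO_NAMES.get(ev["protocol"], str(ev["protocol"]))
    return ("%s.%06d [**] %s Snort Alert %s [**] [Classification id: %d] "
            "[Priority: %d] {%s} %s:%d -> %s:%d"
            % (ts, ev["event_microsecond"], sig, sig, ev["classification_id"],
               ev["priority_id"], proto, ev["ip_source"], ev["sport"],
               ev["ip_destination"], ev["dport"]))


def summarize(data):
    """Return (alert_lines, totals); totals mirrors barnyard2's Record Totals,
    so events + packets + unknown == records."""
    totals = {"records": 0, "events": 0, "packets": 0, "unknown": 0}
    alerts = []
    for rec_type, payload in iter_records(data):
        totals["records"] += 1
        if rec_type == UNIFIED2_IDS_EVENT and len(payload) >= IDS_EVENT.size:
            totals["events"] += 1
            alerts.append(format_alert(parse_ids_event(payload)))
        elif rec_type == UNIFIED2_PACKET:
            totals["packets"] += 1
        else:
            totals["unknown"] += 1      # other or malformed record types
    return alerts, totals


def build_sample_spool():
    """Constructed sample: two IPv4 events, each followed by its packet record."""
    def event(event_id, gid, sid, rev, prio, src, dst, sport, dport, proto):
        body = IDS_EVENT.pack(1, event_id, 1364744473, 885870, sid, gid, rev, 3, prio,
                              socket.inet_aton(src), socket.inet_aton(dst),
                              sport, dport, proto, 0, 0, 0)
        return RECORD_HDR.pack(UNIFIED2_IDS_EVENT, len(body)) + body

    def packet(event_id, pkt):
        body = PACKET_HDR.pack(1, event_id, 1364744473, 1364744473, 885870, 1, len(pkt)) + pkt
        return RECORD_HDR.pack(UNIFIED2_PACKET, len(body)) + body

    return (event(1, 1, 16008, 12, 3, "198.51.100.16", "192.0.2.39", 80, 51984, 6)
            + packet(1, b"\x00" * 60)
            + event(2, 3, 19187, 2, 1, "198.51.100.46", "192.0.2.39", 53, 56620, 17)
            + packet(2, b"\x00" * 60))


if __name__ == "__main__":
    lines, totals = summarize(build_sample_spool())
    print("\n".join(lines))
    print("Records: %(records)d  Events: %(events)d  Packets: %(packets)d  "
          "Unknown: %(unknown)d" % totals)
```

Point it at a real spool with summarize(open("/var/log/snort/eth1/snort.log.1364650165", "rb").read()) and the Records/Events/Packets numbers should match what barnyard2 reports for the same file; a spool that yields records but an empty alert list (for example because Snort is writing IPv6 or VLAN event types, which this reader counts as unknown) tells you the file is intact and the problem lies downstream, in barnyard2's configuration or in MySQL.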
If barnyard2 is able to parse the events, then the problem may be with MySQL. Barnyard2 parses the unified2 events and stores them in MySQL; BASE or Snorby then reads the events from the MySQL database for display.
To check the MySQL database, log in with mysql -u root -p:
[root@localhost eth1]# mysql -u root -p
Enter password:
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 41
Server version: 5.1.67 Source distribution

Copyright (c) 2000, 2012, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql>
In the MySQL shell, run use snorby; (or, if your database is not named snorby, use the database name from your configuration), followed by select * from event;. You should not see Empty set (0.00 sec).
Example:
mysql> use snorby;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
mysql> select * from event
    -> ;
+-----+-----+-----------+-------------------+-------------+---------+-------------+------------------+---------------------+-----+
| sid | cid | signature | classification_id | users_count | user_id | notes_count | number_of_events | timestamp           | id  |
+-----+-----+-----------+-------------------+-------------+---------+-------------+------------------+---------------------+-----+
|   3 |   5 |       476 | NULL              |           0 | NULL    |           0 |                0 | 2013-03-30 21:51:01 |   1 |
|   3 |   6 |       476 | NULL              |           0 | NULL    |           0 |                0 | 2013-03-30 21:51:01 |   2 |
|   3 |   7 |       476 | NULL              |           0 | NULL    |           0 |                0 | 2013-03-30 21:51:01 |   4 |
|   3 |   8 |       476 | NULL              |           0 | NULL    |           0 |                0 | 2013-03-30 21:51:01 |   5 |
|   3 |   9 |       478 | NULL              |           0 | NULL    |           0 |                0 | 2013-03-30 22:11:22 |   7 |
|   3 |  10 |       478 | NULL              |           0 | NULL    |           0 |                0 | 2013-03-30 22:11:22 |   8 |
|   3 |  11 |       476 | NULL              |           0 | NULL    |           0 |                0 | 2013-03-30 22:48:52 |   9 |
|   3 |  12 |       476 | NULL              |           0 | NULL    |           0 |                0 | 2013-03-30 22:48:52 |  10 |
|   3 |  13 |       478 | NULL              |           0 | NULL    |           0 |                0 | 2013-03-30 22:56:30 |  11 |
|   3 |  14 |       478 | NULL              |           0 | NULL    |           0 |                0 | 2013-03-30 22:56:30 |  12 |
|   3 |  15 |       476 | NULL              |           0 | NULL    |           0 |                0 | 2013-03-30 22:56:38 |  13 |
|   3 |  16 |       476 | NULL              |           0 | NULL    |           0 |                0 | 2013-03-30 22:56:38 |  14 |
|   3 |  17 |       479 | NULL              |           0 | NULL    |           0 |                0 | 2013-03-30 23:01:28 |  15 |
|   3 |  18 |       479 | NULL              |           0 | NULL    |           0 |                0 | 2013-03-30 23:01:28 |  16 |
|   3 |  19 |       478 | NULL              |           0 | NULL    |           0 |                0 | 2013-03-30 23:03:01 |  17 |
|   3 |  20 |       478 | NULL              |           0 | NULL    |           0 |                0 | 2013-03-30 23:03:01 |  18 |
|   3 |  21 |       478 | NULL              |           0 | NULL    |           0 |                0 | 2013-03-30 23:03:01 |  19 |
|   3 |  22 |       478 | NULL              |           0 | NULL    |           0 |                0 | 2013-03-30 23:03:01 |  20 |
|   3 |  23 |       478 | NULL              |           0 | NULL    |           0 |                0 | 2013-03-30 23:11:30 |  21 |
|   3 |  24 |       478 | NULL              |           0 | NULL    |           0 |                0 | 2013-03-30 23:11:30 |  22 |
|   3 |  25 |       476 | NULL              |           0 | NULL    |           0 |                0 | 2013-03-30 23:30:19 |  23 |
|   3 |  26 |       476 | NULL              |           0 | NULL    |           0 |                0 | 2013-03-30 23:30:19 |  24 |
|   3 |  27 |       476 | NULL              |           0 | NULL    |           0 |                0 | 2013-03-31 00:00:00 |  25 |
|   3 |  28 |       476 | NULL              |           0 | NULL    |           0 |                0 | 2013-03-31 00:00:00 |  26 |
|   3 |  29 |       478 | NULL              |           0 | NULL    |           0 |                0 | 2013-03-31 00:11:41 |  27 |
|   3 |  30 |       478 | NULL              |           0 | NULL    |           0 |                0 | 2013-03-31 00:11:41 |  28 |
|   3 |  31 |       476 | NULL              |           0 | NULL    |           0 |                0 | 2013-03-31 00:59:00 |  29 |
|   3 |  32 |       476 | NULL              |           0 | NULL    |           0 |                0 | 2013-03-31 00:59:00 |  30 |
|   3 |  33 |       476 | NULL              |           0 | NULL    |           0 |                0 | 2013-03-31 01:08:44 |  31 |
|   3 |  34 |       476 | NULL              |           0 | NULL    |           0 |                0 | 2013-03-31 01:08:44 |  32 |
|   3 |  35 |       476 | NULL              |           0 | NULL    |           0 |                0 | 2013-03-31 01:11:33 |  33 |
|   3 |  36 |       476 | NULL              |           0 | NULL    |           0 |                0 | 2013-03-31 01:11:33 |  34 |
|   3 |  37 |       478 | NULL              |           0 | NULL    |           0 |                0 | 2013-03-31 01:12:20 |  35 |
|   3 |  38 |       478 | NULL              |           0 | NULL    |           0 |                0 | 2013-03-31 01:12:20 |  36 |
|   3 |  39 |       478 | NULL              |           0 | NULL    |           0 |                0 | 2013-03-31 02:42:43 |  37 |
|   3 |  40 |       478 | NULL              |           0 | NULL    |           0 |                0 | 2013-03-31 02:42:43 |  38 |
|   3 |  41 |       476 | NULL              |           0 | NULL    |           0 |                0 | 2013-03-31 04:08:13 |  39 |
|   3 |  42 |       476 | NULL              |           0 | NULL    |           0 |                0 | 2013-03-31 04:08:13 |  40 |
|   3 |  43 |       476 | NULL              |           0 | NULL    |           0 |                0 | 2013-03-31 05:10:13 |  41 |
|   3 |  44 |       476 | NULL              |           0 | NULL    |           0 |                0 | 2013-03-31 05:10:13 |  42 |
|   3 |  45 |       476 | NULL              |           0 | NULL    |           0 |                0 | 2013-03-31 05:41:10 |  43 |
|   3 |  46 |       476 | NULL              |           0 | NULL    |           0 |                0 | 2013-03-31 05:41:10 |  44 |
|   3 |  47 |       478 | NULL              |           0 | NULL    |           0 |                0 | 2013-03-31 08:10:12 |  45 |
|   3 |  48 |       478 | NULL              |           0 | NULL    |           0 |                0 | 2013-03-31 08:10:12 |  46 |
|   3 |  49 |       478 | NULL              |           0 | NULL    |           0 |                0 | 2013-03-31 09:10:16 |  47 |
|   3 |  50 |       478 | NULL              |           0 | NULL    |           0 |                0 | 2013-03-31 09:10:16 |  48 |
|   3 |  51 |       476 | NULL              |           0 | NULL    |           0 |                0 | 2013-03-31 09:11:02 |  49 |
|   3 |  52 |       476 | NULL              |           0 | NULL    |           0 |                0 | 2013-03-31 09:11:02 |  50 |
|   3 |  53 |       476 | NULL              |           0 | NULL    |           0 |                0 | 2013-03-31 10:18:07 |  51 |
|   3 |  54 |       476 | NULL              |           0 | NULL    |           0 |                0 | 2013-03-31 10:18:07 |  52 |
|   3 |  55 |       476 | NULL              |           0 | NULL    |           0 |                0 | 2013-03-31 10:50:28 |  53 |
|   3 |  56 |       476 | NULL              |           0 | NULL    |           0 |                0 | 2013-03-31 10:50:28 |  54 |
|   3 |  57 |       476 | NULL              |           0 | NULL    |           0 |                0 | 2013-03-31 11:56:10 |  55 |
|   3 |  58 |       476 | NULL              |           0 | NULL    |           0 |                0 | 2013-03-31 11:56:10 |  56 |
|   3 |  59 |       476 | NULL              |           0 | NULL    |           0 |                0 | 2013-03-31 12:31:26 |  57 |
|   3 |  60 |       476 | NULL              |           0 | NULL    |           0 |                0 | 2013-03-31 12:31:26 |  58 |
|   3 |  61 |       476 | NULL              |           0 | NULL    |           0 |                0 | 2013-03-31 13:22:07 |  59 |
|   3 |  62 |       476 | NULL              |           0 | NULL    |           0 |                0 | 2013-03-31 13:22:07 |  60 |
|   3 |  63 |       478 | NULL              |           0 | NULL    |           0 |                0 | 2013-03-31 13:51:16 |  61 |
|   3 |  64 |       478 | NULL              |           0 | NULL    |           0 |                0 | 2013-03-31 13:51:16 |  62 |
|   3 |  65 |       478 | NULL              |           0 | NULL    |           0 |                0 | 2013-03-31 13:51:16 |  63 |
|   3 |  66 |       478 | NULL              |           0 | NULL    |           0 |                0 | 2013-03-31 13:51:16 |  64 |
|   3 |  67 |       478 | NULL              |           0 | NULL    |           0 |                0 | 2013-03-31 13:51:17 |  65 |
|   3 |  68 |       478 | NULL              |           0 | NULL    |           0 |                0 | 2013-03-31 13:51:17 |  66 |
|   3 |  69 |       478 | NULL              |           0 | NULL    |           0 |                0 | 2013-03-31 13:51:17 |  67 |
|   3 |  70 |       478 | NULL              |           0 | NULL    |           0 |                0 | 2013-03-31 13:51:17 |  68 |
|   3 |  71 |       478 | NULL              |           0 | NULL    |           0 |                0 | 2013-03-31 14:03:21 |  69 |
|   3 |  72 |       478 | NULL              |           0 | NULL    |           0 |                0 | 2013-03-31 14:03:21 |  70 |
|   3 |  73 |       478 | NULL              |           0 | NULL    |           0 |                0 | 2013-03-31 14:14:29 |  71 |
|   3 |  74 |       478 | NULL              |           0 | NULL    |           0 |                0 | 2013-03-31 14:14:29 |  72 |
|   3 |  75 |       476 | NULL              |           0 | NULL    |           0 |                0 | 2013-03-31 14:27:21 |  73 |
|   3 |  76 |       476 | NULL              |           0 | NULL    |           0 |                0 | 2013-03-31 14:27:21 |  74 |
|   3 |  77 |       479 | NULL              |           0 | NULL    |           0 |                0 | 2013-03-31 15:10:09 |  75 |
|   3 |  78 |       479 | NULL              |           0 | NULL    |           0 |                0 | 2013-03-31 15:10:09 |  76 |
|   3 |  79 |       478 | NULL              |           0 | NULL    |           0 |                0 | 2013-03-31 15:12:23 |  77 |
|   3 |  80 |       478 | NULL              |           0 | NULL    |           0 |                0 | 2013-03-31 15:12:23 |  78 |
|   3 |  81 |       478 | NULL              |           0 | NULL    |           0 |                0 | 2013-03-31 15:14:19 |  79 |
|   3 |  82 |       478 | NULL              |           0 | NULL    |           0 |                0 | 2013-03-31 15:14:19 |  80 |
|   3 |  83 |       478 | NULL              |           0 | NULL    |           0 |                0 | 2013-03-31 15:14:19 |  81 |
|   3 |  84 |       478 | NULL              |           0 | NULL    |           0 |                0 | 2013-03-31 15:14:19 |  82 |
|   3 |  85 |       478 | NULL              |           0 | NULL    |           0 |                0 | 2013-03-31 15:14:19 |  83 |
|   3 |  86 |       478 | NULL              |           0 | NULL    |           0 |                0 | 2013-03-31 15:26:50 |  84 |
|   3 |  87 |       478 | NULL              |           0 | NULL    |           0 |                0 | 2013-03-31 15:26:50 |  85 |
|   3 |  88 |       476 | NULL              |           0 | NULL    |           0 |                0 | 2013-03-31 15:29:36 |  86 |
|   3 |  89 |       476 | NULL              |           0 | NULL    |           0 |                0 | 2013-03-31 15:29:36 |  87 |
|   3 |  90 |       480 | NULL              |           0 | NULL    |           0 |                0 | 2013-03-31 15:41:13 |  88 |
|   3 |  91 |       480 | NULL              |           0 | NULL    |           0 |                0 | 2013-03-31 15:41:13 |  89 |
|   3 |  92 |       480 | NULL              |           0 | NULL    |           0 |                0 | 2013-03-31 15:41:13 |  90 |
|   3 |  93 |       480 | NULL              |           0 | NULL    |           0 |                0 | 2013-03-31 15:41:13 |  91 |
|   3 |  94 |       480 | NULL              |           0 | NULL    |           0 |                0 | 2013-03-31 15:41:13 |  92 |
|   3 |  95 |       480 | NULL              |           0 | NULL    |           0 |                0 | 2013-03-31 15:41:13 |  93 |
|   3 |  96 |       480 | NULL              |           0 | NULL    |           0 |                0 | 2013-03-31 15:41:13 |  94 |
|   3 |  97 |       480 | NULL              |           0 | NULL    |           0 |                0 | 2013-03-31 15:41:13 |  95 |
|   3 |  98 |       480 | NULL              |           0 | NULL    |           0 |                0 | 2013-03-31 15:41:13 |  96 |
|   3 |  99 |       480 | NULL              |           0 | NULL    |           0 |                0 | 2013-03-31 15:41:13 |  97 |
|   3 | 100 |       480 | NULL              |           0 | NULL    |           0 |                0 | 2013-03-31 15:41:13 |  98 |
|   3 | 101 |       480 | NULL              |           0 | NULL    |           0 |                0 | 2013-03-31 15:41:13 |  99 |
|   3 | 102 |       480 | NULL              |           0 | NULL    |           0 |                0 | 2013-03-31 15:41:13 | 100 |
|   3 | 103 |       480 | NULL              |           0 | NULL    |           0 |                0 | 2013-03-31 15:41:13 | 101 |
|   3 | 104 |       480 | NULL              |           0 | NULL    |           0 |                0 | 2013-03-31 15:41:13 | 102 |
|   3 | 105 |       480 | NULL              |           0 | NULL    |           0 |                0 | 2013-03-31 15:41:13 | 103 |
|   3 | 106 |       480 | NULL              |           0 | NULL    |           0 |                0 | 2013-03-31 15:41:13 | 104 |
|   3 | 107 |       480 | NULL              |           0 | NULL    |           0 |                0 | 2013-03-31 15:41:13 | 105 |
|   3 | 108 |       480 | NULL              |           0 | NULL    |           0 |                0 | 2013-03-31 15:41:13 | 106 |
|   3 | 109 |       480 | NULL              |           0 | NULL    |           0 |                0 | 2013-03-31 15:41:13 | 107 |
|   3 | 110 |       480 | NULL              |           0 | NULL    |           0 |                0 | 2013-03-31 15:41:13 | 108 |
|   3 | 111 |       480 | NULL              |           0 | NULL    |           0 |                0 | 2013-03-31 15:41:13 | 109 |
|   3 | 112 |       480 | NULL              |           0 | NULL    |           0 |                0 | 2013-03-31 15:41:13 | 110 |
|   3 | 113 |       480 | NULL              |           0 | NULL    |           0 |                0 | 2013-03-31 15:41:13 | 111 |
|   3 | 114 |       480 | NULL              |           0 | NULL    |           0 |                0 | 2013-03-31 15:41:13 | 112 |
|   3 | 115 |       480 | NULL              |           0 | NULL    |           0 |                0 | 2013-03-31 15:41:13 | 113 |
|   3 | 116 |       480 | NULL              |           0 | NULL    |           0 |                0 | 2013-03-31 15:41:13 | 114 |
|   3 | 117 |       480 | NULL              |           0 | NULL    |           0 |                0 | 2013-03-31 15:41:13 | 115 |
|   3 | 118 |       480 | NULL              |           0 | NULL    |           0 |                0 | 2013-03-31 15:41:13 | 116 |
|   3 | 119 |       480 | NULL              |           0 | NULL    |           0 |                0 | 2013-03-31 15:41:13 | 117 |
|   3 | 120 |       480 | NULL              |           0 | NULL    |           0 |                0 | 2013-03-31 15:41:13 | 118 |
|   3 | 121 |       480 | NULL              |           0 | NULL    |           0 |                0 | 2013-03-31 15:41:13 | 119 |
|   3 | 122 |       480 | NULL              |           0 | NULL    |           0 |                0 | 2013-03-31 15:41:13 | 120 |
|   3 | 123 |       480 | NULL              |           0 | NULL    |           0 |                0 | 2013-03-31 15:41:13 | 121 |
|   3 | 124 |       480 | NULL              |           0 | NULL    |           0 |                0 | 2013-03-31 15:41:14 | 122 |
|   3 | 125 |       480 | NULL              |           0 | NULL    |           0 |                0 | 2013-03-31 15:41:14 | 123 |
|   3 | 126 |       478 | NULL              |           0 | NULL    |           0 |                0 | 2013-03-31 16:26:59 | 124 |
|   3 | 127 |       478 | NULL              |           0 | NULL    |           0 |                0 | 2013-03-31 16:26:59 | 125 |
|   3 | 128 |       476 | NULL              |           0 | NULL    |           0 |                0 | 2013-03-31 17:05:30 | 126 |
|   3 | 129 |       476 | NULL              |           0 | NULL    |           0 |                0 | 2013-03-31 17:05:30 | 127 |
|   3 | 130 |       478 | NULL              |           0 | NULL    |           0 |                0 | 2013-03-31 17:33:46 | 128 |
|   3 | 131 |       478 | NULL              |           0 | NULL    |           0 |                0 | 2013-03-31 17:33:46 | 129 |
+-----+-----+-----------+-------------------+-------------+---------+-------------+------------------+---------------------+-----+
127 rows in set (0.00 sec)

mysql>
Also check permissions: most of the time, when events are not updated, the cause is a permission problem. Ensure that the snort.log file and the waldo file belong to user snort and group snort. This of course depends on your setup; if your Snort engine does not run under that user and group, change the ownership to match what you have configured.
My waldo file was created by root because I ran the barnyard2 command as root, and there were no events in Snorby; after I ran chown snort:snort barnyard2.waldo, the events appeared in Snorby immediately.
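The ownership problem described above is easy to check mechanically before restarting anything. The script below is an added illustration for this post, not part of Snort, barnyard2 or Snorby: it walks a spool directory such as /var/log/snort/eth1 and reports every snort.log.* file and barnyard2.waldo that the intended barnyard2 user could not read (or, for the waldo file, write) given the file's owner, group and mode bits. The point it makes is the one from the listing earlier on the page: Snort creates those files with mode 0600, so being in the right group is not enough and the owner has to be the user barnyard2 runs as. The user and group names default to snort:snort, which is an assumption about your setup; the sample spool directory is constructed in a temporary directory so the check can be run anywhere, and supplementary group membership is deliberately not considered.

```python
"""Spool ownership check for barnyard2 (added illustration; not project code)."""
import grp
import os
import pwd
import stat
import tempfile


def owner_names(uid, gid):
    """Map numeric ids to (user, group) names, falling back to the numbers."""
    try:
        user = pwd.getpwuid(uid).pw_name
    except KeyError:
        user = str(uid)
    try:
        group = grp.getgrgid(gid).gr_name
    except KeyError:
        group = str(gid)
    return user, group


def access_for(st, user, group, want_write=False):
    """Would `user` (with primary group `group`) get read, and optionally write,
    access from the mode bits of the file described by stat result `st`?
    Only one class of bits applies: owner, else group, else other."""
    owner, file_group = owner_names(st.st_uid, st.st_gid)
    if owner == user:
        read, write = stat.S_IRUSR, stat.S_IWUSR
    elif file_group == group:
        read, write = stat.S_IRGRP, stat.S_IWGRP
    else:
        read, write = stat.S_IROTH, stat.S_IWOTH
    needed = read | (write if want_write else 0)
    return st.st_mode & needed == needed


def spool_problems(spool_dir, user="snort", group="snort",
                   log_prefix="snort.log", waldo="barnyard2.waldo"):
    """Return {filename: reason} for every spool file barnyard2 could not use
    when running as user:group. An empty dict means ownership is fine."""
    problems = {}
    for name in sorted(os.listdir(spool_dir)):
        path = os.path.join(spool_dir, name)
        st = os.stat(path)
        if stat.S_ISDIR(st.st_mode):
            continue                                  # e.g. the archive/ directory
        if name == waldo:
            ok = access_for(st, user, group, want_write=True)   # read and write
        elif name.startswith(log_prefix):
            ok = access_for(st, user, group)                    # read only
        else:
            continue                                  # unrelated file
        if not ok:
            owner, file_group = owner_names(st.st_uid, st.st_gid)
            problems[name] = ("owned by %s:%s with mode %04o, not usable by %s:%s; "
                              "fix with: chown %s:%s %s"
                              % (owner, file_group, stat.S_IMODE(st.st_mode),
                                 user, group, user, group, path))
    return problems


def current_user_group():
    """(user, group) of the running process, used to demonstrate the check."""
    return owner_names(os.getuid(), os.getgid())


def build_sample_spool_dir():
    """Constructed sample spool: a waldo file and one unified2 log, both 0600 and
    owned by whoever runs this, plus an archive/ directory, as in the listing."""
    d = tempfile.mkdtemp(prefix="spool-")
    for name in ("barnyard2.waldo", "snort.log.1364650165"):
        path = os.path.join(d, name)
        with open(path, "wb") as f:
            f.write(b"\x00")
        os.chmod(path, 0o600)
    os.mkdir(os.path.join(d, "archive"))
    return d


if __name__ == "__main__":
    spool = build_sample_spool_dir()
    me, my_group = current_user_group()
    print("as %s:%s ->" % (me, my_group), spool_problems(spool, me, my_group))
    print("as snort:snort ->", spool_problems(spool, "snort", "snort"))
```

Run it against the real directory with spool_problems("/var/log/snort/eth1", "snort", "snort") on the box in question; a non-empty result names the exact chown to run, which is the fix the page arrives at by hand.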
Events not updated in Snorby
If the events are not updated in the Snorby dashboard, you may want to reset the caches table in MySQL:
[root@localhost eth1]# mysql -u root -p
Enter password:
ERROR 1045 (28000): Access denied for user 'root'@'localhost' (using password: YES)
[root@localhost eth1]# mysql -u root -p
Enter password:
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 7
Server version: 5.1.67 Source distribution

Copyright (c) 2000, 2012, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> use snorby;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
mysql> truncate table caches;
Query OK, 0 rows affected (0.08 sec)

mysql> exit
Bye
Then delete the worker's job in Snorby and start the worker job again.