This is a discussion on Re: [Snort-users] Barnyard, Mudpit, and the Unified Output Format within the Snort forums, part of the System Security and Security Related category.
--On 24 August 2004 08:05 -0400 M Shirk <shirkdog_linux@hotmail.com> wrote:

> I really have some questions about the Unified Output Format, and issues
> I have experienced.
>
> Using Barnyard 0.2, and Mudpit 1.3, I have been able to run snort using
> the Unified Output Format (UOF) output plug-in. I have the
> snort.log.192832 and snort.alert.192832 files in /var/log/snort.
>
> Quick digression:
> It takes intuition to install Mudpit, you have to customize the makefiles
> in the output/acid directory to have the correct location of the mysql
> header and library files. You also have to link directly to an object
> file that after you run "make install" will be in the source tree under
> output/acid. I will try to work on a mudpit how-to, and post it to the
> list.

I didn't need to do that here. Your mysql install is probably (partially) broken.

> Back to the story:
>
> After messing around, I am able to input alerts into the MySQL database.
> However, the SIDS are not correct. I checked the mappings and both
> barnyard and mudpit were referencing the /etc/snort/*.map files and the
> classification file in the same directory. I am not sure if this is an
> issue when working with snort22, but only certain alerts would show up
> with the correct sid and name. All I was doing was telneting to port 80
> and doing a GET /../../cat/etc/passwd HTTP/1.1 and I also was nmaping to
> port 80 and 443.

Snort doesn't use the .map files. The .map and .config files should be rebuilt from the snort.conf/*.rules whenever those are modified. I've attached my mudpit init script and makemap.sh to show how I've done this. Finally, Mudpit needs to be stopped and restarted before Snort is started using the modified snort.conf/*.rules, otherwise there will be a mismatch between Snort and Mudpit.

Also, if you don't purge your snort database between changes, expect the events to get muddled up then also.

> Which brings me to a topic of discussion. Along with the issue above,
> there is no payload, no packet data. Now the reason to be running snort
> in this manner is to help with performance. But I was under the
> impression that snort will dump everything to the log file, including the
> payload in a binary format and then a separate process such as Barnyard
> or Mudpit will decode and input the payload into the MySQL database for
> use with ACID. I was mucking around with the output code for Mudpit and
> did find that there is a function for the data and data_payload. I just
> want to know if this is the true nature of the output plug-in; to allow
> snort to sniff at top speed, or if there is something wrong with my setup.

I emailed the list a while back about how tagging works in conjunction with unified logging and spool processors. Andrew Baker (barnyard author) wrote:

======
AJ Butcher, Information Systems and Computing wrote:
>
> What is the preferred mechanism for logging sessions in this manner?
>
> Do *any* of them even work when using unified or database logging? The
> Snort 2.1.x manual indicates that 'tag' doesn't work with database
> logging, and 'logto' doesn't work in binary mode. It says nothing about
> 'session'.

The unified output plugins definitely support the tag option. When tagging is enabled, all of the tagged packets will be written to the unified log file. Additionally, with recent versions of Snort, if an alert is triggered on a reassembled stream, then all of the packets for the stream will also be written to the unified log file.

While I cannot speak for mudpit, Barnyard will process the tagged packets. However, how they are processed is up to the discretion of each output plug-in. I do know that the ACID database output plugin in Barnyard does not treat tagged packets properly. IIRC, each tagged packet will become a new event entry in the database instead of having all the packets associated with a single event. This is a limitation of the database design since it significantly predates tagged packet support.

-A
======

Mudpit appears to INSERT the tagged packets into the database, but they appear as duplicate alerts (which can be a bit confusing as the content that triggered the rule will probably only appear in one packet - and therefore one alert - from the session).

FLoP extends the schema in order to support full session logging, and provides a tool (getpacket) to retrieve the session in pcap format (e.g. for Ethereal to load). I haven't used this feature "for real", yet, though.

> Look forward to your comments.
> Shirkdog

HTH,
Alex.
--
Alex Butcher: Security & Integrity, Personal Computer Systems Group
Information Systems and Computing
GPG Key ID: F9B27DC9
GPG Fingerprint: D62A DD83 A0B8 D174 49C4 2849 832D 6C72 F9B2 7DC9

[Attachment: makemap.sh, 495 bytes; base64 body omitted]
[Attachment: mudpit.init, 3987 bytes; base64 body omitted]
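As an added example (this is not the makemap.sh attached to the message above, whose contents are not reproduced here), the following shell script rebuilds a sid-msg.map from rule files read on stdin, in the "sid || msg || reference" layout that Snort's sid-msg.map uses and that Mudpit/Barnyard read; the sample rules and the /etc/snort/rules path are constructed assumptions, not taken from the post.

```shell
#!/bin/sh
# Added example, not the makemap.sh attached to the post above: rebuild a
# sid-msg.map from Snort rule files so that Mudpit/Barnyard label events with
# the same sid and msg Snort used. Output is Snort's sid-msg.map layout:
#   sid || msg || reference || reference ...
# The rules below are constructed sample input; a real run would feed
# /etc/snort/rules/*.rules (path assumed) on stdin.

SAMPLE_RULES=$(cat <<'EOF'
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-MISC /etc/passwd"; flow:to_server,established; content:"/etc/passwd"; nocase; classtype:attempted-recon; reference:bugtraq,1234; reference:url,example.com/advisory; sid:1000002; rev:5;)
# comment lines are ignored
alert tcp any any -> any 443 (msg:"SCAN nmap TCP"; flags:S; sid:1000010; rev:1;)
alert icmp any any -> any any (msg:"ICMP test"; itype:8; sid:999; rev:4;)
alert tcp any any -> any 22 (sid:1000050; rev:1;)
EOF
)

# makemap: rules on stdin, one "sid || msg [|| ref ...]" line per rule on stdout.
# Rules lacking either sid or msg produce no line. Caveat: an escaped \; inside
# a msg string is not handled by the simple split on ';'.
makemap() {
    grep -v '^[[:space:]]*#' |
    grep 'sid:[[:space:]]*[0-9]' |
    awk '{
        line = $0
        sub(/^[^(]*\(/, "", line)          # drop the rule header up to "("
        sub(/\)[[:space:]]*$/, "", line)   # drop the closing ")"
        sid = ""; msg = ""; refs = ""
        n = split(line, opt, ";")
        for (i = 1; i <= n; i++) {
            o = opt[i]
            sub(/^[[:space:]]+/, "", o)
            if (o ~ /^sid:/) {
                sid = substr(o, 5); gsub(/[[:space:]]/, "", sid)
            } else if (o ~ /^msg:/) {
                msg = substr(o, 5)
                sub(/^[[:space:]]*"/, "", msg); sub(/"[[:space:]]*$/, "", msg)
            } else if (o ~ /^reference:/) {
                r = substr(o, 11); sub(/^[[:space:]]+/, "", r)
                refs = refs " || " r
            }
        }
        if (sid != "" && msg != "") printf "%s || %s%s\n", sid, msg, refs
    }' | sort -n
}

printf '%s\n' "$SAMPLE_RULES" | makemap
```

Regenerate the map (and restart Mudpit) every time the rules change, as the post says; a stale map is exactly what produces wrong sids and names in the database.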