tar.gz
sudo tar xvfvz snortrules-snapshot-2980.tar.gz -C /etc/snort
Move all new files from
/etc/snort/etc
to
/etc/snort
(and get rid of
/etc/snort/etc
folder that was
copied as well):
sudo cp ./*.conf* ../
sudo cp ./*.map ../
cd /etc/snort
sudo rm -Rf /etc/snort/etc
Now modify
/etc/snort/snort.conf
with any changes from the original
snort.conf
.
We want the new
snort.conf
in case it references any new rulesets.
Test the configuration file with Snort:
sudo snort -T -c /etc/snort/snort.conf
You can now run snort as you normally would (with a startup script or manually).
25
C
Apendix: Troubleshooting Barnyard2
If barnyard2 is having issues loading events, sometimes deleting all of snort’s unified2 event logs and recreate
the waldo file can help (you’ll loose the events that are saved there)
To do this:
sudo rm /var/log/snort/*
sudo touch /var/log/snort/barnyard2.waldo
sudo chown snort.snort /var/log/snort/barnyard2.waldo
Other troubleshooting steps:
•
Reboot the server.
•
Be patient. When barnyard2 has a large number of events to process, it can take some time before
they show in the database (say you accidentally ran
sudo ping -i 0.001 10.0.0.104
for a minute,
generating upwards of 30,000 alerts on your snort server. This can take some time to process.
•
to check for events in the snort database:
mysql -u snort -p -D snort -e "select count(*) from event"
•
Are logs being written to /var/log/snort, in the form snort.u2.nnnnnnnnnn?
•
Check the system log
cat /var/log/syslog | grep barnyard
•
Check if the services are running
# upstart or systemD:
service snort status
service barnyard2 status
26
You've reached the end of your free preview.
Want to read all 28 pages?
- Spring '15
- DavidMauro
