Brakertech « tech problems: solvedBrakertech

barnyard2 won’t log to database – how to fix it

posted this in Defense, IDS, Linux, Redhat Centos, Server Setup, Ubuntu on June 4th, 2013

What to do when barnyard2 won’t log to the database….

Are you seeing something like this?

[SignatureReferencePullDataStore()]: No Reference found in database ...

1	[SignatureReferencePullDataStore()]: No Reference found in database ...

Full text:

# /usr/local/bin/barnyard2 -c /etc/barnyard2.conf -d /var/log/snort -f snort.log -w /var/log/barnyard2/barnyard2.waldo
Running in Continuous mode

        --== Initializing Barnyard2 ==--
Initializing Input Plugins!
Initializing Output Plugins!
Parsing config file "/etc/barnyard2.conf"


+[ Signature Suppress list ]+
----------------------------
+[No entry in Signature Suppress List]+
----------------------------
+[ Signature Suppress list ]+

Barnyard2 spooler: Event cache size set to [2048]
Log directory = /var/log/barnyard2/
INFO database: Defaulting Reconnect/Transaction Error limit to 10
INFO database: Defaulting Reconnect sleep time to 5 second
[SignatureReferencePullDataStore()]: No Reference found in database ...
database: compiled support for (mysql)
database: configured to use mysql
database: schema version = 107
database:           host = localhost
database:           user = snort
database:  database name = snort
database:    sensor name = some.hostname:eth0
database:      sensor id = 1
database:     sensor cid = 2
database:  data encoding = hex
database:   detail level = full
database:     ignore_bpf = no
database: using the "log" facility

        --== Initialization Complete ==--

  ______   -*> Barnyard2 < *-
 / ,,_  \  Version 2.1.13 (Build 327)
 |o"  )~|  By Ian Firns (SecurixLive): http://www.securixlive.com/
 + '''' +  (C) Copyright 2008-2013 Ian Firns <firnsy@securixlive.com>

WARNING: Ignoring corrupt/truncated waldofile '/var/log/barnyard2/barnyard2.waldo'

# /usr/local/bin/barnyard2 -c /etc/barnyard2.conf -d /var/log/snort -f snort.log -w /var/log/barnyard2/barnyard2.waldo

Running in Continuous mode

--== Initializing Barnyard2 ==--

Initializing Input Plugins!

Initializing Output Plugins!

Parsing config file "/etc/barnyard2.conf"

+[ Signature Suppress list ]+

----------------------------

+[No entry in Signature Suppress List]+

----------------------------

+[ Signature Suppress list ]+

Barnyard2 spooler: Event cache size set to [2048]

Log directory = /var/log/barnyard2/

INFO database: Defaulting Reconnect/Transaction Error limit to 10

INFO database: Defaulting Reconnect sleep time to 5 second

[SignatureReferencePullDataStore()]: No Reference found in database ...

database: compiled support for (mysql)

database: configured to use mysql

database: schema version = 107

database: host = localhost

database: user = snort

database: database name = snort

database: sensor name = some.hostname:eth0

database: sensor id = 1

database: sensor cid = 2

database: data encoding = hex

database: detail level = full

database: ignore_bpf = no

database: using the "log" facility

--== Initialization Complete ==--

______ -*> Barnyard2 < *-

/ ,,_ \ Version 2.1.13 (Build 327)

|o" )~| By Ian Firns (SecurixLive): http://www.securixlive.com/

WARNING: Ignoring corrupt/truncated waldofile '/var/log/barnyard2/barnyard2.waldo'

Take a look at how you are running snort Wrong Way examples

/usr/sbin/snort -b -d -D -i eth0 -u snort -g snort -c /etc/snort/snort.conf -l /var/log/snort

1	/usr/sbin/snort -b -d -D -i eth0 -u snort -g snort -c /etc/snort/snort.conf -l /var/log/snort

/usr/sbin/snort -A -d -D -i eth0 -u snort -g snort -c /etc/snort/snort.conf -l /var/log/snort

1	/usr/sbin/snort -A -d -D -i eth0 -u snort -g snort -c /etc/snort/snort.conf -l /var/log/snort

Right Way

 /usr/sbin/snort -d -D -i eth0 -u snort -g snort -c /etc/snort/snort.conf -l /var/log/snort

1	/usr/sbin/snort -d -D -i eth0 -u snort -g snort -c /etc/snort/snort.conf -l /var/log/snort

What’s causing this problem?

You have enabled one or more of these switches when running snort: -A -b

add two network interfaces in ubuntu 12.04

posted this in Linux, Server Setup, Ubuntu on May 31st, 2013

To add two network interface in ubuntu 12.04 edit /etc/network/interfaces:

# The loopback network interface
auto lo
iface lo inet loopback

# The primary network interface
auto eth0
iface eth0 inet dhcp

auto eth1
iface eth1 inet static
address 10.1.0.102
netmask 255.255.255.0
network 10.1.0.0
broadcast 10.1.0.255

# The loopback network interface

auto lo

iface lo inet loopback

# The primary network interface

auto eth0

iface eth0 inet dhcp

auto eth1

iface eth1 inet static

address 10.1.0.102

netmask 255.255.255.0

network 10.1.0.0

broadcast 10.1.0.255

Now run:

/etc/init.d/networking restart
netstat -rn

1 2	/etc/init.d/networking restart netstat -rn

If you’d like traffic that arrives on eth1 to also exit on eth1 (if your default route happens to be on eth0) then follow these steps: Note: We are assuming in this scenario that eth1′s ip address is 10.1.0.102

echo "creating a new policy routing table entry within the /etc/iproute2/rt_tables"
echo "1 admin" >> /etc/iproute2/rt_tables

echo "adding entries to our new admin table"
ip route add 10.1.0.0 dev eth1 src 10.1.0.102 table admin
ip route add default via 10.1.0.1 dev eth1 table admin

echo "view of ip rule table before change are applied"
ip rule

echo "applying the rules on the admin table"
ip rule add from 10.1.0.102/32 table admin
ip rule add to 10.1.0.102/32 table admin

echo "view of ip rule table after change are applied"
ip rule

echo "flushing ip routing cache"
ip route flush cache

echo "creating a new policy routing table entry within the /etc/iproute2/rt_tables"

echo "1 admin" >> /etc/iproute2/rt_tables

echo "adding entries to our new admin table"

ip route add 10.1.0.0 dev eth1 src 10.1.0.102 table admin

ip route add default via 10.1.0.1 dev eth1 table admin

echo "view of ip rule table before change are applied"

ip rule

echo "applying the rules on the admin table"

ip rule add from 10.1.0.102/32 table admin

ip rule add to 10.1.0.102/32 table admin

echo "view of ip rule table after change are applied"

ip rule

echo "flushing ip routing cache"

ip route flush cache

egrep valid ip address

posted this in Linux, Redhat Centos, Server Setup, Ubuntu on May 20th, 2013

Example to egrep valid ip address

To egrep all valid ip addresses in current directory:

egrep -r '[[:digit:]]{1,3}\.[[:digit:]]{1,3}\.[[:digit:]]{1,3}\.[[:digit:]]{1,3}' .

1	egrep -r '[[:digit:]]{1,3}\.[[:digit:]]{1,3}\.[[:digit:]]{1,3}\.[[:digit:]]{1,3}' .

Neo4j Couldn’t get file lock

posted this in neo4j on May 8th, 2013

Problem

A non-root user is running Neo4j and you are seeing locking errors in the log file

Symptom

May 8, 2013 6:20:31 PM java.util.prefs.FileSystemPreferences checkLockFile0ErrorCode
WARNING: Could not lock User prefs.  Unix error code 2.
May 8, 2013 6:20:31 PM java.util.prefs.FileSystemPreferences syncWorld
WARNING: Couldn't flush user prefs: java.util.prefs.BackingStoreException: Couldn't get file lock.
May 8, 2013 6:21:01 PM java.util.prefs.FileSystemPreferences checkLockFile0ErrorCode
WARNING: Could not lock User prefs.  Unix error code 2.
May 8, 2013 6:21:01 PM java.util.prefs.FileSystemPreferences syncWorld
WARNING: Couldn't flush user prefs: java.util.prefs.BackingStoreException: Couldn't get file lock.
May 8, 2013 6:21:31 PM java.util.prefs.FileSystemPreferences checkLockFile0ErrorCode
WARNING: Could not lock User prefs.  Unix error code 2.
May 8, 2013 6:21:31 PM java.util.prefs.FileSystemPreferences syncWorld
WARNING: Couldn't flush user prefs: java.util.prefs.BackingStoreException: Couldn't get file lock."

May 8, 2013 6:20:31 PM java.util.prefs.FileSystemPreferences checkLockFile0ErrorCode

WARNING: Could not lock User prefs. Unix error code 2.

May 8, 2013 6:20:31 PM java.util.prefs.FileSystemPreferences syncWorld

WARNING: Couldn't flush user prefs: java.util.prefs.BackingStoreException: Couldn't get file lock.

May 8, 2013 6:21:01 PM java.util.prefs.FileSystemPreferences checkLockFile0ErrorCode

WARNING: Could not lock User prefs. Unix error code 2.

May 8, 2013 6:21:01 PM java.util.prefs.FileSystemPreferences syncWorld

WARNING: Couldn't flush user prefs: java.util.prefs.BackingStoreException: Couldn't get file lock.

May 8, 2013 6:21:31 PM java.util.prefs.FileSystemPreferences checkLockFile0ErrorCode

WARNING: Could not lock User prefs. Unix error code 2.

May 8, 2013 6:21:31 PM java.util.prefs.FileSystemPreferences syncWorld

WARNING: Couldn't flush user prefs: java.util.prefs.BackingStoreException: Couldn't get file lock."

Cause

The non-root ID that is being used to start the Neo4j instance does not have a user_home directory. Therefore this non-root ID is unable to access the root user’s “/etc/.java/.systemPrefs”. This produces the aforementioned . . . → Read More: Neo4j Couldn’t get file lock

Howto make Mongo SSL on Ubuntu 12.04

posted this in Linux, Mongo, Ubuntu on May 3rd, 2013

To make Mongo DB SSL on Ubuntu 12.04 you need to either purchase it or compile from source.

To make compiling from source easy here’s a script to help you out!

Mongo Compile SSL from Source Script

Note: Make sure you are not running an EC2 Small instance or you will run out of space! . . . → Read More: Howto make Mongo SSL on Ubuntu 12.04

neo4j SSL howto

posted this in Linux, Redhat Centos, Server Setup, Ubuntu on May 2nd, 2013

Getting SSL to work with neo4j can be very frustrating. The crux of the problem is that their documentation isn’t very robust.

Here’s what they don’t tell you:

Both the cert and the key MUST be in DER format!

example to convert a PEM formatted crt key to a der formatted crt key openssl x509 . . . → Read More: neo4j SSL howto

convert valid godaddy cert key to java keystore for tomcat

posted this in Linux, Redhat Centos, Server Setup, Tomcat, Ubuntu on April 30th, 2013

I spend hours trying to figure this out and here are the fruits of my labor

Howto: Import valid cert and key into a java keystore

note: use the same password in each step

Step 1: Export your key and cert to pkcs12 format

openssl pkcs12 -export -inkey some.key -in some.crt -out some.p12

1	openssl pkcs12 -export -inkey some.key -in some.crt -out some.p12

Step 2: Import p12 file to java key store

keytool -importkeystore -srckeystore some.p12 -srcstoretype PKCS12 -destkeystore truststore.jks

1	keytool -importkeystore -srckeystore some.p12 -srcstoretype PKCS12 -destkeystore truststore.jks

Export Omnigraffle License

posted this in Software on April 11th, 2013

Howto Export Omnigraffle License Steps Open up terminal Browse to /Users/<your user name>/Library/Application Support/Omni Group/Software Licenses You should see a file ending in “.omnilicense” (that’s your license file!) Take note of the file permissions Copy it to a safe place!

phone laws driving headphones

posted this in Other on April 6th, 2013

By State: phone laws driving headphones

Ever wondered if it is legal to wear headphones while driving in a particular state? Wonder no more!

Alabama

No prohibition on wearing of headsets while driving.

Alaska

Wearing an audio headset or earplugs is not permitted while driving.

Exempts headsets when used and designed to improve a driver’s . . . → Read More: phone laws driving headphones

Mandiant Highlighter – Log and Text File Viewer Review

posted this in Apache, Defense, Forensics, Security on March 25th, 2013

Product Review - Mandiant Highlighter

Today we are looking at Mandiant Highlighter; Log and Text File Viewer

Product home page can be found here

Cost: Free!

Overview

MANDIANT Highlighter is a log file analysis tool. Highlighter provides a graphical component to log analysis that helps the analyst identify patterns. Highlighter also provides a number of features aimed at . . . → Read More: Mandiant Highlighter – Log and Text File Viewer Review

Brakertech

barnyard2 won’t log to database – how to fix it

add two network interfaces in ubuntu 12.04

egrep valid ip address

Neo4j Couldn’t get file lock

Howto make Mongo SSL on Ubuntu 12.04

neo4j SSL howto

convert valid godaddy cert key to java keystore for tomcat

Export Omnigraffle License

phone laws driving headphones

Mandiant Highlighter – Log and Text File Viewer Review

Search Brakertech

dEFENSE

Hacking

Security

Search Brakertech

dEFENSE

Hacking

Tags

Security