O/S « BrakertechBrakertech

barnyard2 won’t log to database – how to fix it

posted this in Defense, IDS, Linux, Redhat Centos, Server Setup, Ubuntu on June 4th, 2013

What to do when barnyard2 won’t log to the database….

Are you seeing something like this?

[SignatureReferencePullDataStore()]: No Reference found in database ...

1	[SignatureReferencePullDataStore()]: No Reference found in database ...

Full text:

# /usr/local/bin/barnyard2 -c /etc/barnyard2.conf -d /var/log/snort -f snort.log -w /var/log/barnyard2/barnyard2.waldo
Running in Continuous mode

        --== Initializing Barnyard2 ==--
Initializing Input Plugins!
Initializing Output Plugins!
Parsing config file "/etc/barnyard2.conf"


+[ Signature Suppress list ]+
----------------------------
+[No entry in Signature Suppress List]+
----------------------------
+[ Signature Suppress list ]+

Barnyard2 spooler: Event cache size set to [2048]
Log directory = /var/log/barnyard2/
INFO database: Defaulting Reconnect/Transaction Error limit to 10
INFO database: Defaulting Reconnect sleep time to 5 second
[SignatureReferencePullDataStore()]: No Reference found in database ...
database: compiled support for (mysql)
database: configured to use mysql
database: schema version = 107
database:           host = localhost
database:           user = snort
database:  database name = snort
database:    sensor name = some.hostname:eth0
database:      sensor id = 1
database:     sensor cid = 2
database:  data encoding = hex
database:   detail level = full
database:     ignore_bpf = no
database: using the "log" facility

        --== Initialization Complete ==--

  ______   -*> Barnyard2 < *-
 / ,,_  \  Version 2.1.13 (Build 327)
 |o"  )~|  By Ian Firns (SecurixLive): http://www.securixlive.com/
 + '''' +  (C) Copyright 2008-2013 Ian Firns <firnsy@securixlive.com>

WARNING: Ignoring corrupt/truncated waldofile '/var/log/barnyard2/barnyard2.waldo'

# /usr/local/bin/barnyard2 -c /etc/barnyard2.conf -d /var/log/snort -f snort.log -w /var/log/barnyard2/barnyard2.waldo

Running in Continuous mode

--== Initializing Barnyard2 ==--

Initializing Input Plugins!

Initializing Output Plugins!

Parsing config file "/etc/barnyard2.conf"

+[ Signature Suppress list ]+

----------------------------

+[No entry in Signature Suppress List]+

----------------------------

+[ Signature Suppress list ]+

Barnyard2 spooler: Event cache size set to [2048]

Log directory = /var/log/barnyard2/

INFO database: Defaulting Reconnect/Transaction Error limit to 10

INFO database: Defaulting Reconnect sleep time to 5 second

[SignatureReferencePullDataStore()]: No Reference found in database ...

database: compiled support for (mysql)

database: configured to use mysql

database: schema version = 107

database: host = localhost

database: user = snort

database: database name = snort

database: sensor name = some.hostname:eth0

database: sensor id = 1

database: sensor cid = 2

database: data encoding = hex

database: detail level = full

database: ignore_bpf = no

database: using the "log" facility

--== Initialization Complete ==--

______ -*> Barnyard2 < *-

/ ,,_ \ Version 2.1.13 (Build 327)

|o" )~| By Ian Firns (SecurixLive): http://www.securixlive.com/

WARNING: Ignoring corrupt/truncated waldofile '/var/log/barnyard2/barnyard2.waldo'

Take a look at how you are running snort Wrong Way examples

/usr/sbin/snort -b -d -D -i eth0 -u snort -g snort -c /etc/snort/snort.conf -l /var/log/snort

1	/usr/sbin/snort -b -d -D -i eth0 -u snort -g snort -c /etc/snort/snort.conf -l /var/log/snort

/usr/sbin/snort -A -d -D -i eth0 -u snort -g snort -c /etc/snort/snort.conf -l /var/log/snort

1	/usr/sbin/snort -A -d -D -i eth0 -u snort -g snort -c /etc/snort/snort.conf -l /var/log/snort

Right Way

 /usr/sbin/snort -d -D -i eth0 -u snort -g snort -c /etc/snort/snort.conf -l /var/log/snort

1	/usr/sbin/snort -d -D -i eth0 -u snort -g snort -c /etc/snort/snort.conf -l /var/log/snort

What’s causing this problem?

You have enabled one or more of these switches when running snort: -A -b

add two network interfaces in ubuntu 12.04

posted this in Linux, Server Setup, Ubuntu on May 31st, 2013

To add two network interface in ubuntu 12.04 edit /etc/network/interfaces:

# The loopback network interface
auto lo
iface lo inet loopback

# The primary network interface
auto eth0
iface eth0 inet dhcp

auto eth1
iface eth1 inet static
address 10.1.0.102
netmask 255.255.255.0
network 10.1.0.0
broadcast 10.1.0.255

# The loopback network interface

auto lo

iface lo inet loopback

# The primary network interface

auto eth0

iface eth0 inet dhcp

auto eth1

iface eth1 inet static

address 10.1.0.102

netmask 255.255.255.0

network 10.1.0.0

broadcast 10.1.0.255

Now run:

/etc/init.d/networking restart
netstat -rn

1 2	/etc/init.d/networking restart netstat -rn

If you’d like traffic that arrives on eth1 to also exit on eth1 (if your default route happens to be on eth0) then follow these steps: Note: We are assuming in this scenario that eth1′s ip address is 10.1.0.102

echo "creating a new policy routing table entry within the /etc/iproute2/rt_tables"
echo "1 admin" >> /etc/iproute2/rt_tables

echo "adding entries to our new admin table"
ip route add 10.1.0.0 dev eth1 src 10.1.0.102 table admin
ip route add default via 10.1.0.1 dev eth1 table admin

echo "view of ip rule table before change are applied"
ip rule

echo "applying the rules on the admin table"
ip rule add from 10.1.0.102/32 table admin
ip rule add to 10.1.0.102/32 table admin

echo "view of ip rule table after change are applied"
ip rule

echo "flushing ip routing cache"
ip route flush cache

echo "creating a new policy routing table entry within the /etc/iproute2/rt_tables"

echo "1 admin" >> /etc/iproute2/rt_tables

echo "adding entries to our new admin table"

ip route add 10.1.0.0 dev eth1 src 10.1.0.102 table admin

ip route add default via 10.1.0.1 dev eth1 table admin

echo "view of ip rule table before change are applied"

ip rule

echo "applying the rules on the admin table"

ip rule add from 10.1.0.102/32 table admin

ip rule add to 10.1.0.102/32 table admin

echo "view of ip rule table after change are applied"

ip rule

echo "flushing ip routing cache"

ip route flush cache

egrep valid ip address

posted this in Linux, Redhat Centos, Server Setup, Ubuntu on May 20th, 2013

Example to egrep valid ip address

To egrep all valid ip addresses in current directory:

egrep -r '[[:digit:]]{1,3}\.[[:digit:]]{1,3}\.[[:digit:]]{1,3}\.[[:digit:]]{1,3}' .

1	egrep -r '[[:digit:]]{1,3}\.[[:digit:]]{1,3}\.[[:digit:]]{1,3}\.[[:digit:]]{1,3}' .

Howto make Mongo SSL on Ubuntu 12.04

posted this in Linux, Mongo, Ubuntu on May 3rd, 2013

To make Mongo DB SSL on Ubuntu 12.04 you need to either purchase it or compile from source.

To make compiling from source easy here’s a script to help you out!

Mongo Compile SSL from Source Script

Note: Make sure you are not running an EC2 Small instance or you will run out of space! . . . → Read More: Howto make Mongo SSL on Ubuntu 12.04

neo4j SSL howto

posted this in Linux, Redhat Centos, Server Setup, Ubuntu on May 2nd, 2013

Getting SSL to work with neo4j can be very frustrating. The crux of the problem is that their documentation isn’t very robust.

Here’s what they don’t tell you:

Both the cert and the key MUST be in DER format!

example to convert a PEM formatted crt key to a der formatted crt key openssl x509 . . . → Read More: neo4j SSL howto

convert valid godaddy cert key to java keystore for tomcat

posted this in Linux, Redhat Centos, Server Setup, Tomcat, Ubuntu on April 30th, 2013

I spend hours trying to figure this out and here are the fruits of my labor

Howto: Import valid cert and key into a java keystore

note: use the same password in each step

Step 1: Export your key and cert to pkcs12 format

openssl pkcs12 -export -inkey some.key -in some.crt -out some.p12

1	openssl pkcs12 -export -inkey some.key -in some.crt -out some.p12

Step 2: Import p12 file to java key store

keytool -importkeystore -srckeystore some.p12 -srcstoretype PKCS12 -destkeystore truststore.jks

1	keytool -importkeystore -srckeystore some.p12 -srcstoretype PKCS12 -destkeystore truststore.jks

download http directory

posted this in FreeBSD, Linux on March 10th, 2013

Here’s a quick note on how to download the contents of an http directory via command line.

Using lftp to download an HTTP directory

Forget wget, lftp is what you covet!

What is lftp?

LFTP is a sophisticated ftp/http client, and a file transfer program supporting a number of network protocols. Like BASH, it has . . . → Read More: download http directory

connectsock.c struct hostent has no member named h_addr compile error

posted this in C on March 1st, 2013

Recently I was trying to compile connectsock.c from Internetworking With TCP/IP Volume III: Client-Server Programming and Applications, Linux/POSIX Socket Version (with D. Stevens), 2000. 0-13-032071-4

Compile Error

connectsock.c: In function connectsock:
connectsock.c:52:28: error: struct hostent has no member named h_addr

1 2	connectsock.c: In function connectsock: connectsock.c:52:28: error: struct hostent has no member named h_addr

Solution? Modify the Make file!

Before:

DEFS =
CFLAGS = -W -pedantic -ansi -g ${DEFS} ${INCLUDE}

1 2	DEFS = CFLAGS = -W -pedantic -ansi -g ${DEFS} ${INCLUDE}

After:

DEFS =
CFLAGS =-W-pedantic-ansi-g $ {DEFS} $ {INCLUDE}-D_GNU_SOURCE

1 2	DEFS = CFLAGS =-W-pedantic-ansi-g $ {DEFS} $ {INCLUDE}-D_GNU_SOURCE

curl on windows with https

posted this in Windows on February 3rd, 2013

The easiest way to get curl on windows with HTTPS is to simply download and install the git package then add

c:\Program Files (x86)\Git\bin

1	c:\Program Files (x86)\Git\bin

as an environment variable to allow you to run curl from anywhere.

Don’t forget when running curl commands in a DOS prompt to use double quotes.

Example:

curl https://www.cloudflare.com/api_json.html -d "a=fpurge_ts" -d "tkn=<apikey>" -d "email=<username>" -d "z=domain" -d "v=1"

{"response":{"fpurge_ts":1359831767},"result":"success","msg":null,"attributes":{"cooldown":20}}</username></apikey>

curl https://www.cloudflare.com/api_json.html -d "a=fpurge_ts" -d "tkn=<apikey>" -d "email=<username>" -d "z=domain" -d "v=1"

{"response":{"fpurge_ts":1359831767},"result":"success","msg":null,"attributes":{"cooldown":20}}</username></apikey>

nginx code igniter remove index.php prefix

posted this in nginx, Redhat Centos, Server Setup, Ubuntu on January 30th, 2013

Objective

Remove the index.php prefix from your nginx code igniter instance.

Assumptions In your main nginx conf file you define how php is called (unix socket or ip:port) You will replace foo.example.com with whatever your domain name is The proper logging path will be defined per your system as opposed to the location i have . . . → Read More: nginx code igniter remove index.php prefix

Brakertech