Trusty, Snort doesn't work with prelude

Bug #1303338 reported by Eric Teeter
This bug affects 1 person
Affects: snort (Ubuntu) | Status: New | Importance: Undecided | Assigned to: Unassigned

Bug Description

I was testing Trusty with Snort and Prelude; I get the following error message:

ERROR: /etc/snort/snort.conf(549) Unknown output plugin: "alert_prelude"

Seems like all packages that need to be installed are, but they are not configured properly.

What would be a workaround?

Revision history for this message
Eric Teeter (teetere) wrote:

Output from snort test

Running in Test mode

        --== Initializing Snort ==--
Initializing Output Plugins!
Initializing Preprocessors!
Initializing Plug-ins!
Parsing Rules file "/etc/snort/snort.conf"
PortVar 'HTTP_PORTS' defined : [ 36 80:90 311 383 555 591 593 631 801 808 818 901 972 1158 1220 1414 1533 1741 1830 2231 2301 2381 2809 3029 3037 3057 3128 3443 3702 4000 4343 4848 5117 5250 6080 6173 6988 7000:7001 7144:7145 7510 7770 7777 7779 8000 8008 8014 8028 8080:8082 8085 8088 8090 8118 8123 8180:8181 8222 8243 8280 8300 8500 8509 8800 8888 8899 9000 9060 9080 9090:9091 9111 9443 9999:10000 11371 12601 15489 29991 33300 34412 34443:34444 41080 44449 50000 50002 51423 53331 55252 55555 56712 ]
PortVar 'SHELLCODE_PORTS' defined : [ 0:79 81:65535 ]
PortVar 'ORACLE_PORTS' defined : [ 1024:65535 ]
PortVar 'SSH_PORTS' defined : [ 22 ]
PortVar 'FTP_PORTS' defined : [ 21 2100 3535 ]
PortVar 'SIP_PORTS' defined : [ 5060:5061 5600 ]
PortVar 'FILE_DATA_PORTS' defined : [ 36 80:90 110 143 311 383 555 591 593 631 801 808 818 901 972 1158 1220 1414 1533 1741 1830 2231 2301 2381 2809 3029 3037 3057 3128 3443 3702 4000 4343 4848 5117 5250 6080 6173 6988 7000:7001 7144:7145 7510 7770 7777 7779 8000 8008 8014 8028 8080:8082 8085 8088 8090 8118 8123 8180:8181 8222 8243 8280 8300 8500 8509 8800 8888 8899 9000 9060 9080 9090:9091 9111 9443 9999:10000 11371 12601 15489 29991 33300 34412 34443:34444 41080 44449 50000 50002 51423 53331 55252 55555 56712 ]
PortVar 'GTP_PORTS' defined : [ 2123 2152 3386 ]
Detection:
   Search-Method = AC-Full-Q
    Split Any/Any group = enabled
    Search-Method-Optimizations = enabled
    Maximum pattern length = 20
Tagged Packet Limit: 256
Loading dynamic engine /usr/lib/snort_dynamicengine/libsf_engine.so... done
Loading all dynamic detection libs from /usr/lib/snort_dynamicrules...
WARNING: No dynamic libraries found in directory /usr/lib/snort_dynamicrules.
  Finished Loading all dynamic detection libs from /usr/lib/snort_dynamicrules
Loading all dynamic preprocessor libs from /usr/lib/snort_dynamicpreprocessor/...
  Loading dynamic preprocessor library /usr/lib/snort_dynamicpreprocessor//libsf_ssh_preproc.so... done
  Loading dynamic preprocessor library /usr/lib/snort_dynamicpreprocessor//libsf_sdf_preproc.so... done
  Loading dynamic preprocessor library /usr/lib/snort_dynamicpreprocessor//libsf_smtp_preproc.so... done
  Loading dynamic preprocessor library /usr/lib/snort_dynamicpreprocessor//libsf_dns_preproc.so... done
  Loading dynamic preprocessor library /usr/lib/snort_dynamicpreprocessor//libsf_modbus_preproc.so... done
  Loading dynamic preprocessor library /usr/lib/snort_dynamicpreprocessor//libsf_imap_preproc.so... done
  Loading dynamic preprocessor library /usr/lib/snort_dynamicpreprocessor//libsf_reputation_preproc.so... done
  Loading dynamic preprocessor library /usr/lib/snort_dynamicpreprocessor//libsf_sip_preproc.so... done
  Loading dynamic preprocessor library /usr/lib/snort_dynamicpreprocessor//libsf_ftptelnet_preproc.so... done
  Loading dynamic preprocessor library /usr/lib/snort_dynamicpreprocessor//libsf_gtp_preproc.so... done
  Loading dynamic preprocessor library /usr/lib/snort_dynami...


Revision history for this message
Eric Teeter (teetere) wrote:

Found the problem and a workaround

In the 2.9.3 version of Snort several output formats have been deprecated, including Prelude support. However, it remains possible to keep Snort as a Prelude agent through the use of Barnyard2, an open source interpreter for Snort unified2 binary output files.

After a standard install of Snort, get the sources of Barnyard2 from http://www.securixlive.com/barnyard2/download.php

The enable-prelude option was transferred to Barnyard2:

   $ ./configure --enable-prelude
   $ make
   $ make install

Then edit /etc/snort/barnyard2.conf with the following:

output alert_prelude: profile=snort

Finally edit /etc/snort/snort.conf to add unified2 output:

# unified2
output unified2: filename merged.log, limit 128

If you previously registered your sensor, you should be able to start Snort and Barnyard2 by using:

$ snort -c /etc/snort/snort.conf -i eth1
$ barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort -f merged.log -a /var/log/snort/archived

(assuming you have created a /var/log/snort/archived directory to store your archived unified2 logs)
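An added helper, not part of the bug report or of the Snort/Barnyard2 projects, that checks a snort.conf for the alert_prelude output line Snort 2.9.3 rejects (reporting it in the same "file(line)" form as the error above) and rewrites it into the Snort -> unified2 -> Barnyard2 -> Prelude layout the workaround describes. File paths are arguments so it can be run against copies before touching /etc/snort.

```shell
#!/bin/sh
# Added example (not from the bug report): audit and migrate a snort.conf
# whose Prelude output must move to barnyard2.conf after Snort 2.9.3.

# check_snort_conf FILE: return 0 if FILE has no active alert_prelude output
# and does have a unified2 output; otherwise print findings and return 1.
check_snort_conf() {
    conf="$1"; rc=0
    # grep -n gives "lineno:text"; report each hit in Snort's "file(line)" form.
    hits=$(grep -n '^[[:space:]]*output[[:space:]]\{1,\}alert_prelude' "$conf" || true)
    if [ -n "$hits" ]; then
        printf '%s\n' "$hits" | while IFS= read -r hit; do
            echo "DEPRECATED: ${conf}(${hit%%:*}) alert_prelude is not accepted by Snort 2.9.3; move it to barnyard2.conf"
        done
        rc=1
    fi
    # Barnyard2 can only relay what Snort writes as unified2.
    if ! grep -q '^[[:space:]]*output[[:space:]]\{1,\}unified2:' "$conf"; then
        echo "MISSING: ${conf} has no 'output unified2:' line for Barnyard2 to read"
        rc=1
    fi
    return "$rc"
}

# migrate_prelude_output IN OUT BY2: write OUT as a copy of IN with every
# alert_prelude output commented out and a unified2 output appended when
# absent; write the Prelude output stanza for Barnyard2 to BY2.
migrate_prelude_output() {
    in="$1"; out="$2"; by2="$3"
    sed 's/^\([[:space:]]*\)\(output[[:space:]]\{1,\}alert_prelude\)/\1# moved to barnyard2.conf: \2/' "$in" > "$out"
    if ! grep -q '^[[:space:]]*output[[:space:]]\{1,\}unified2:' "$out"; then
        printf '\n# unified2 (read by Barnyard2)\noutput unified2: filename merged.log, limit 128\n' >> "$out"
    fi
    printf 'output alert_prelude: profile=snort\n' > "$by2"
}
```

Run `check_snort_conf /etc/snort/snort.conf` before restarting Snort; a non-zero exit means Snort will still fail to parse the file.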

affects: ubuntu → snort (Ubuntu)
Revision history for this message
Eric Teeter (teetere) wrote: Re: [Bug 1303338] Re: Trusty, Snort doesn't work with prelude

Daniel:

Read my workaround in https://bugs.launchpad.net/bugs/1303338; as Snort has been modified and they are not planning to support Prelude, you will have to get barnyard2 set up to get Snort to work with Prelude.

Unless things change, this is how to get it to work. As barnyard2 is not in Ubuntu yet, you will have to manually install it, or find someone who has made a package for it.

Eric

----- Original Message -----
From: "Daniel Llewellyn" <email address hidden>
To: <email address hidden>
Sent: Friday, September 12, 2014 9:02:43 PM
Subject: [Bug 1303338] Re: Trusty, Snort doesn't work with prelude

** Package changed: ubuntu => snort (Ubuntu)

