Koozali.org: home of the SME Server

[Contrib] Snort for sme server 7.x

MasterSleepy
[Contrib] Snort for sme server 7.x
« on: February 27, 2006, 02:43:23 PM »
Hello everyone,

I've finished some rpms for sme server 7.0.
I've made a full installation of snort, at its latest version 2.4.3.
Two other rpms come with it, oinkmaster and guardian.
oinkmaster: keeps snort rules up-to-date
guardian: blacklists bad IP addresses

You can find the howto at this address: howto

Regards.

achandra

Good Deal
« Reply #1 on: February 27, 2006, 08:41:06 PM »
I'll give it a try tonight - the write-up is clear and looks good.

gregswallow
[Contrib] Snort for sme server 7.x
« Reply #2 on: February 28, 2006, 09:25:49 AM »
Mastersleepy, I'd like it if you could create an account in the bug tracker and request a new subcategory for your contrib.  You can do that here:
http://bugs.contribs.org/enter_bug.cgi?product=SME%20Server%20bug%20tracker

We are going to have an addons and addons-testing repository for official contribs soon, and I think yours will be a popular one.

Looks great!

achandra

Questions
« Reply #3 on: February 28, 2006, 08:54:16 PM »
Okay, got the install completed.

Does this version have a web frontend to monitor from?

Also, does it install anything into the panel, or no?

MasterSleepy
[Contrib] Snort for sme server 7.x
« Reply #4 on: February 28, 2006, 09:25:45 PM »
To Greg:
Ok Greg, I'll follow your link.

To achandra:
Normally acid should still work, but I haven't tested it.
No new panel has been developed; I think there is no need.

I will keep you up-to-date with my test of acid.

Regards.

gregswallow
[Contrib] Snort for sme server 7.x
« Reply #5 on: February 28, 2006, 11:42:03 PM »
Quote from: MasterSleepy
I will keep you up-to-date with my test of acid.

Acid seems to be unmaintained. Base seems to be more popular, and there are rpms:
https://sourceforge.net/project/showfiles.php?group_id=103348&package_id=128846

MasterSleepy
[Contrib] Snort for sme server 7.x
« Reply #6 on: March 01, 2006, 09:14:53 PM »
Thanks for the info, Greg.

I'll adapt it to fit the current config.

Regards

MasterSleepy
[Contrib] Snort for sme server 7.x
« Reply #7 on: March 06, 2006, 05:34:37 AM »
Hello all,

I've finished the base rpm for sme server.
The howto has been modified.
http://www.vanhees.cc/index.php?module=ContentExpress&func=display&ceid=39#step8

Regards.

colwyn

Oinkmaster Rules
« Reply #8 on: March 06, 2006, 05:29:32 PM »
MasterSleepy,

I appreciate all your hard work on this contrib and found the install easy to do. My one question, though, is how can I check that it has downloaded the new ruleset successfully using the oinkcode that I provided?

Thanks,

Colwyn

MasterSleepy
[Contrib] Snort for sme server 7.x
« Reply #9 on: March 06, 2006, 08:02:00 PM »
You'll receive an email on the admin account.
It's a cron task, so the output will be sent to admin.

Regards.

tm255e
SME 7pre4
« Reply #10 on: March 08, 2006, 12:23:30 PM »
Hi, should this work on version 7pre4? I have installed as per the howto, but nothing seems to be getting logged.
Any help appreciated.

Steve.

MasterSleepy
[Contrib] Snort for sme server 7.x
« Reply #11 on: March 09, 2006, 06:09:24 AM »
Hello,

Is your snortd service started?

    service snortd status

If it's not started, try launching it manually with the command

    /usr/sbin/snort -i eth0 -u snort -g snort -c /etc/snort/snort.conf -K ascii

and post the error message.

Thanks.

To Greg:
I've created bug 906 to create the new component, but it seems that I did something wrong; could you tell me my mistake?

Thanks.

tm255e
[Contrib] Snort for sme server 7.x
« Reply #12 on: March 09, 2006, 10:23:31 AM »
Well, snort was running when I last looked; this morning I checked the status and it is stopping and starting.

So I ran
/usr/sbin/snort -i eth0 -u snort -g snort -c /etc/snort/snort.conf -K ascii

This is the output.

[root@rocky bleeding]# /usr/sbin/snort -i eth0 -u snort -g snort -c /etc/snort/snort.conf -K ascii
Running in IDS mode
 
Initializing Network Interface eth0
 
        --== Initializing Snort ==--
Initializing Output Plugins!
Decoding Ethernet on interface eth0
Initializing Preprocessors!
Initializing Plug-ins!
Parsing Rules file /etc/snort/snort.conf
 
+++++++++++++++++++++++++++++++++++++++++++++++++++
Initializing rule chains...
,-----------[Flow Config]----------------------
| Stats Interval:  0
| Hash Method:     2
| Memcap:          10485760
| Rows  :          4099
| Overhead Bytes:  16400(%0.16)
----------------------------------------------
No arguments to frag2 directive, setting defaults to:
    Fragment timeout: 60 seconds
    Fragment memory cap: 4194304 bytes
    Fragment min_ttl:   0
    Fragment ttl_limit: 5
    Fragment Problems: 0
    Self preservation threshold: 500
    Self preservation period: 90
    Suspend threshold: 1000
    Suspend period: 30
Stream4 config:
    Stateful inspection: ACTIVE
    Session statistics: INACTIVE
    Session timeout: 30 seconds
    Session memory cap: 8388608 bytes
    Session count max: 8192 sessions
    Session cleanup count: 5
    State alerts: INACTIVE
    Evasion alerts: INACTIVE
    Scan alerts: INACTIVE
    Log Flushed Streams: INACTIVE
    MinTTL: 1
    TTL Limit: 5
    Async Link: 0
    State Protection: 0
    Self preservation threshold: 50
    Self preservation period: 90
    Suspend threshold: 200
    Suspend period: 30
    Enforce TCP State: INACTIVE
    Midstream Drop Alerts: INACTIVE
    Server Data Inspection Limit: -1
HttpInspect Config:
    GLOBAL CONFIG
      Max Pipeline Requests:    0
      Inspection Type:          STATELESS
      Detect Proxy Usage:       NO
      IIS Unicode Map Filename: /etc/snort/unicode.map
      IIS Unicode Map Codepage: 1252
    DEFAULT SERVER CONFIG:
      Ports: 80 443 980
      Flow Depth: 300
      Max Chunk Length: 500000
      Inspect Pipeline Requests: YES
      URI Discovery Strict Mode: NO
      Allow Proxy Usage: NO
      Disable Alerting: YES
      Oversize Dir Length: 3000
      Only inspect URI: NO
      Ascii: YES alert: NO
      Double Decoding: YES alert: YES
      %U Encoding: YES alert: YES
      Bare Byte: YES alert: YES
      Base36: OFF
      UTF 8: OFF
      IIS Unicode: YES alert: YES
      Multiple Slash: YES alert: NO
      IIS Backslash: YES alert: NO
      Directory Traversal: YES alert: NO
      Web Root Traversal: YES alert: YES
      Apache WhiteSpace: YES alert: NO
      IIS Delimiter: YES alert: NO
      IIS Unicode Map: GLOBAL IIS UNICODE MAP CONFIG
      Non-RFC Compliant Characters: NONE
rpc_decode arguments:
    Ports to decode RPC on: 111 32771
    alert_fragments: INACTIVE
    alert_large_fragments: ACTIVE
    alert_incomplete: ACTIVE
    alert_multiple_requests: ACTIVE
telnet_decode arguments:
    Ports to decode telnet on: 21 23 25 119
database: compiled support for ( mysql )
database: configured to use mysql
database:          user = root
database: password is set
database: database name = snort_log
database:          host = localhost
database:   sensor name = 10.10.1.1
database:     sensor id = 2
database: schema version = 106
database: using the "log" facility
ERROR: Warning: /etc/snort/rules/bleeding-drop-BLOCK.rules(40) => Unknown keyword ' fwsam' in rule!
Fatal Error, Quitting..
[root@rocky bleeding]#

I have removed the bleeding rules and now snort is running again; I will check later to see if anything is being logged.

Also, it says at the top "Decoding Ethernet on interface eth0". Interface eth0 is my internal network; should it not be watching eth1 (external)?

Thanks for your help.

MasterSleepy
[Contrib] Snort for sme server 7.x
« Reply #13 on: March 10, 2006, 06:02:40 AM »
Hello,

I've already had that problem with the bleeding rules. Quite strange...
The best way for the moment is your solution: deactivate the bleeding rules update.

For eth0: it was just for the test, to look at the error message.
When started as a service, it will listen on the output interface.

Regards.
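A small guard against the failure in the last two posts, written here as an added example and not part of the contrib: run after an oinkmaster update, it comments out any rule whose option keyword the stock snort 2.4.3 binary does not know (the fwsam keyword added by the SnortSam patch is the assumed case, matching the "Unknown keyword ' fwsam'" error above), so one Bleeding rule can no longer stop snortd from starting. The rules path /etc/snort/rules is the one from the thread; the keyword list and the sample rules are constructed.

```python
import re
from pathlib import Path

# Option keywords the stock Snort 2.4.3 in this contrib does not know. "fwsam"
# comes from the SnortSam patch; the Bleeding rules use it, which produced the
# "Unknown keyword ' fwsam'" fatal error in the thread. Assumed list.
UNSUPPORTED_KEYWORDS = {"fwsam"}

# action proto src sport -> dst dport (options)
RULE_RE = re.compile(
    r"^\s*(alert|log|pass|drop|reject|sdrop|activate|dynamic)\s+[^(]*\((.*)\)\s*$")

def rule_keywords(line):
    """Return the option keywords of one rule line (empty set if not a rule)."""
    m = RULE_RE.match(line)
    if not m:
        return set()
    # options are ';'-separated; an escaped '\;' inside content: is not a separator
    opts = (o.strip() for o in re.split(r"(?<!\\);", m.group(2)))
    return {o.split(":", 1)[0].strip().lower() for o in opts if o}

def disable_unsupported(text):
    """Comment out each rule using an unsupported keyword; return (text, sids)."""
    out, disabled = [], []
    for line in text.splitlines():
        bad = rule_keywords(line) & UNSUPPORTED_KEYWORDS
        if bad:
            sid = re.search(r"\bsid\s*:\s*(\d+)", line)
            disabled.append(int(sid.group(1)) if sid else None)
            out.append("# disabled (unsupported keyword %s): %s" % (",".join(sorted(bad)), line))
        else:
            out.append(line)
    return "\n".join(out) + "\n", disabled

def disable_in_dir(rules_dir="/etc/snort/rules"):
    """Rewrite every *.rules file under rules_dir in place; return {file: [sids]}."""
    report = {}
    for path in sorted(Path(rules_dir).glob("*.rules")):
        new_text, sids = disable_unsupported(path.read_text())
        if sids:
            path.write_text(new_text)
            report[path.name] = sids
    return report

# Constructed sample rules (not lines from the real Bleeding ruleset).
SAMPLE_RULES = (
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"EXAMPLE ssh probe"; flow:to_server; sid:2000001; rev:1;)\n'
    'alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"EXAMPLE bad host"; content:"a\\;b"; fwsam: src, 1 day; sid:2000002; rev:1;)\n'
)
```

Call disable_in_dir() from the oinkmaster cron job before restarting snortd, then confirm with snort -T -c /etc/snort/snort.conf that the configuration parses.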

thefff-fr

[Contrib] Snort for sme server 7.x
« Reply #14 on: March 10, 2006, 03:22:13 PM »
Hello,

I have tested this contrib, and it doesn't work.
After the install, I got a message saying the file containing the rule was bad. I renamed etc/snort/rules to ruless, and snort gives no error message. Is there a way?

In French (translated):

I get an error message when snort starts, saying that the file containing the rule is in error. I put # in front of all the lines of that file, and then snort reports a different rules file as being in error. So I renamed etc/snort/rules to ruless, and then no more errors, snort starts without trouble. But no rules loaded?