Koozali.org: home of the SME Server

[Contrib] Snort for sme server 7.x

MasterSleepy
[Contrib] Snort for sme server 7.x
« on: February 27, 2006, 02:43:23 PM »
Hello every one,

I've finished some RPMs for SME Server 7.0.
I've made a full installation of Snort in its latest version, 2.4.3.
Two other RPMs come with it, oinkmaster and guardian.
oinkmaster: keeps the Snort rules up to date.
guardian: blacklists bad IP addresses.

You can find the howto at this address: howto

Regards.

achandra

Good Deal
« Reply #1 on: February 27, 2006, 08:41:06 PM »
I'll give it a try tonight - the write-up is clear and looks good.

gregswallow
[Contrib] Snort for sme server 7.x
« Reply #2 on: February 28, 2006, 09:25:49 AM »
Mastersleepy, I'd like it if you could create an account in the bug tracker and request a new subcategory for your contrib.  You can do that here:
http://bugs.contribs.org/enter_bug.cgi?product=SME%20Server%20bug%20tracker

We are going to have an addons and addons-testing repository for official contribs soon, and I think yours will be a popular one.

Looks great!

achandra

Questions
« Reply #3 on: February 28, 2006, 08:54:16 PM »
Okay, got the install completed.

Does this version have a web front end to monitor from?

Also, does it install anything into the panel or not?

MasterSleepy
[Contrib] Snort for sme server 7.x
« Reply #4 on: February 28, 2006, 09:25:45 PM »
To Greg:
OK Greg, I will follow your link.

To achandra:
Normally ACID should still work, but I haven't tested it.
No new panel has been developed; I think there is no need.

I will keep you up to date with my tests of ACID.

Regards.

gregswallow
[Contrib] Snort for sme server 7.x
« Reply #5 on: February 28, 2006, 11:42:03 PM »
Quote from MasterSleepy:
    I will keep you up-to-date with my test of acid.

ACID seems to be unmaintained. BASE seems to be more popular, and there are RPMs:
https://sourceforge.net/project/showfiles.php?group_id=103348&package_id=128846

MasterSleepy
[Contrib] Snort for sme server 7.x
« Reply #6 on: March 01, 2006, 09:14:53 PM »
Thanks for the info, Greg.

I'll adapt it to fit the current config.

Regards

MasterSleepy
[Contrib] Snort for sme server 7.x
« Reply #7 on: March 06, 2006, 05:34:37 AM »
Hello all,

I've finished the BASE RPM for SME Server.
The howto has been modified.
http://www.vanhees.cc/index.php?module=ContentExpress&func=display&ceid=39#step8

Regards.

colwyn

Oinkmaster Rules
« Reply #8 on: March 06, 2006, 05:29:32 PM »
MasterSleepy,

I appreciate all your hard work on this contrib and found the install easy to do. My one question, though, is how can I check that it has downloaded the new ruleset successfully using the oinkcode that I provided?

Thanks,

Colwyn

MasterSleepy
[Contrib] Snort for sme server 7.x
« Reply #9 on: March 06, 2006, 08:02:00 PM »
You'll receive an email to the admin account.
It's a cron task, so the output will be sent to admin.

Regards.

tm255e
SME 7pre4
« Reply #10 on: March 08, 2006, 12:23:30 PM »
Hi, should this work on version 7pre4? I have installed as per the howto but nothing seems to be getting logged.
Any help appreciated.

Steve.

MasterSleepy
[Contrib] Snort for sme server 7.x
« Reply #11 on: March 09, 2006, 06:09:24 AM »
Hello,

Is your snortd service started properly?
Code:
service snortd status
If it's not started, try launching it manually with the command
Code:
/usr/sbin/snort -i eth0 -u snort -g snort -c /etc/snort/snort.conf -K ascii
and post the error message.

Thanks.

TO greg:
I've created bug 906 to create a new component, but it seems that I did something wrong; could you tell me my mistake?

Thanks.

tm255e
[Contrib] Snort for sme server 7.x
« Reply #12 on: March 09, 2006, 10:23:31 AM »
Well, snort was running when I last looked; this morning I checked the status and it is stopping and starting.

So I ran
/usr/sbin/snort -i eth0 -u snort -g snort -c /etc/snort/snort.conf -K ascii

This is the output:

[root@rocky bleeding]# /usr/sbin/snort -i eth0 -u snort -g snort -c /etc/snort/snort.conf -K ascii
Running in IDS mode
 
Initializing Network Interface eth0
 
        --== Initializing Snort ==--
Initializing Output Plugins!
Decoding Ethernet on interface eth0
Initializing Preprocessors!
Initializing Plug-ins!
Parsing Rules file /etc/snort/snort.conf
 
+++++++++++++++++++++++++++++++++++++++++++++++++++
Initializing rule chains...
,-----------[Flow Config]----------------------
| Stats Interval:  0
| Hash Method:     2
| Memcap:          10485760
| Rows  :          4099
| Overhead Bytes:  16400(%0.16)
----------------------------------------------
No arguments to frag2 directive, setting defaults to:
    Fragment timeout: 60 seconds
    Fragment memory cap: 4194304 bytes
    Fragment min_ttl:   0
    Fragment ttl_limit: 5
    Fragment Problems: 0
    Self preservation threshold: 500
    Self preservation period: 90
    Suspend threshold: 1000
    Suspend period: 30
Stream4 config:
    Stateful inspection: ACTIVE
    Session statistics: INACTIVE
    Session timeout: 30 seconds
    Session memory cap: 8388608 bytes
    Session count max: 8192 sessions
    Session cleanup count: 5
    State alerts: INACTIVE
    Evasion alerts: INACTIVE
    Scan alerts: INACTIVE
    Log Flushed Streams: INACTIVE
    MinTTL: 1
    TTL Limit: 5
    Async Link: 0
    State Protection: 0
    Self preservation threshold: 50
    Self preservation period: 90
    Suspend threshold: 200
    Suspend period: 30
    Enforce TCP State: INACTIVE
    Midstream Drop Alerts: INACTIVE
    Server Data Inspection Limit: -1
HttpInspect Config:
    GLOBAL CONFIG
      Max Pipeline Requests:    0
      Inspection Type:          STATELESS
      Detect Proxy Usage:       NO
      IIS Unicode Map Filename: /etc/snort/unicode.map
      IIS Unicode Map Codepage: 1252
    DEFAULT SERVER CONFIG:
      Ports: 80 443 980
      Flow Depth: 300
      Max Chunk Length: 500000
      Inspect Pipeline Requests: YES
      URI Discovery Strict Mode: NO
      Allow Proxy Usage: NO
      Disable Alerting: YES
      Oversize Dir Length: 3000
      Only inspect URI: NO
      Ascii: YES alert: NO
      Double Decoding: YES alert: YES
      %U Encoding: YES alert: YES
      Bare Byte: YES alert: YES
      Base36: OFF
      UTF 8: OFF
      IIS Unicode: YES alert: YES
      Multiple Slash: YES alert: NO
      IIS Backslash: YES alert: NO
      Directory Traversal: YES alert: NO
      Web Root Traversal: YES alert: YES
      Apache WhiteSpace: YES alert: NO
      IIS Delimiter: YES alert: NO
      IIS Unicode Map: GLOBAL IIS UNICODE MAP CONFIG
      Non-RFC Compliant Characters: NONE
rpc_decode arguments:
    Ports to decode RPC on: 111 32771
    alert_fragments: INACTIVE
    alert_large_fragments: ACTIVE
    alert_incomplete: ACTIVE
    alert_multiple_requests: ACTIVE
telnet_decode arguments:
    Ports to decode telnet on: 21 23 25 119
database: compiled support for ( mysql )
database: configured to use mysql
database:          user = root
database: password is set
database: database name = snort_log
database:          host = localhost
database:   sensor name = 10.10.1.1
database:     sensor id = 2
database: schema version = 106
database: using the "log" facility
ERROR: Warning: /etc/snort/rules/bleeding-drop-BLOCK.rules(40) => Unknown keyword ' fwsam' in rule!
Fatal Error, Quitting..
[root@rocky bleeding]#

I have removed the bleeding rules and now snort is running again; I will check later to see if anything is being logged.

Also, it says at the top "Decoding Ethernet on interface eth0"; interface eth0 is my internal network. Should it not be watching eth1 (external)?

Thanks for your help.

MasterSleepy
[Contrib] Snort for sme server 7.x
« Reply #13 on: March 10, 2006, 06:02:40 AM »
Hello,

I've already had that problem with the bleeding rules. Quite strange...
The best way for the moment is your solution of deactivating the bleeding rules update.

For eth0: it was just for the test, to look at the error message.
When started as a service, it will listen on the output interface.

Regards.
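
The `Unknown keyword ' fwsam'` error in the output above comes from a rule option this Snort build does not know: `fwsam` is the option added by the SnortSam patch, and a stock Snort aborts at start-up on an unknown option instead of skipping the rule. Rather than dropping the whole bleeding rules directory, only the rules that use the option need to be disabled. The following is an added example, not part of the contrib or of the bleeding rules project: a small Python filter that tokenises each rule's option list (honouring double quotes, so a `;` inside `content:"..."` does not split an option) and comments out every rule that uses a given option keyword. The rules in `SAMPLE_RULES` are constructed for the demonstration. After editing a rules file, `snort -T -c /etc/snort/snort.conf` tests the configuration without leaving a daemon running.

```python
"""Comment out Snort rules that use a rule option the local Snort build
does not understand (here the 'fwsam' option from the SnortSam patch).

Added example, not part of the contrib; the input is assumed to be the
stock one-rule-per-line text format of /etc/snort/rules/*.rules.
"""

# Rule actions that can start a rule line in a Snort 2.x rules file.
ACTIONS = ("alert", "log", "pass", "activate", "dynamic", "drop", "reject", "sdrop")

# Constructed sample, not a real bleeding-edge rules file.
SAMPLE_RULES = """# constructed sample, not a real bleeding-edge rules file
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"SSH brute force"; flags:S; threshold:type both, track by_src, count 5, seconds 60; fwsam: src, 24 hours; sid:1000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"semicolon inside content"; content:"a;fwsam"; sid:1000002; rev:1;)
# alert ip any any -> any any (msg:"already commented"; fwsam: src, 1 hour; sid:1000003;)
"""


def split_options(option_body):
    """Split the text between a rule's outer parentheses into option
    strings, honouring double quotes and backslash escapes so that a
    ';' inside content:"..." does not terminate an option."""
    options, current, in_quote, escaped = [], [], False, False
    for ch in option_body:
        if escaped:
            current.append(ch)
            escaped = False
        elif ch == "\\":
            current.append(ch)
            escaped = True
        elif ch == '"':
            current.append(ch)
            in_quote = not in_quote
        elif ch == ";" and not in_quote:
            options.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
    tail = "".join(current).strip()
    if tail:
        options.append(tail)
    return [opt for opt in options if opt]


def option_names(rule_line):
    """Return the option keywords used by one rule line; empty for blank
    lines, comments and non-rule lines such as 'var' or 'include'."""
    stripped = rule_line.strip()
    if not stripped or stripped.startswith("#"):
        return []
    if stripped.split(None, 1)[0] not in ACTIONS:
        return []
    open_paren = stripped.find("(")
    close_paren = stripped.rfind(")")
    if open_paren == -1 or close_paren <= open_paren:
        return []
    body = stripped[open_paren + 1:close_paren]
    # 'fwsam: src, 24 hours' -> 'fwsam'; 'sid:1000001' -> 'sid'
    return [opt.split(":", 1)[0].strip() for opt in split_options(body)]


def disable_rules_using(rules_text, keyword):
    """Return (new_text, disabled_count): every rule whose option list
    contains `keyword` is commented out with a marker prefix so the
    change is visible and reversible."""
    out, disabled = [], 0
    for line in rules_text.splitlines():
        if keyword in option_names(line):
            out.append("# DISABLED (unsupported option '%s'): %s" % (keyword, line))
            disabled += 1
        else:
            out.append(line)
    return "\n".join(out) + "\n", disabled


if __name__ == "__main__":
    cleaned, count = disable_rules_using(SAMPLE_RULES, "fwsam")
    print("disabled %d rule(s)" % count)
    print(cleaned)
```

Run it over a real file with `disable_rules_using(open(path).read(), "fwsam")` and write the result back; the quoted-content check matters because bleeding rules routinely carry `;` inside `content` and `pcre` options.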

thefff-fr

[Contrib] Snort for sme server 7.x
« Reply #14 on: March 10, 2006, 03:22:13 PM »
Hello,

I have tested this contrib, and it doesn't work.
After the install, I got a message saying that the file containing the rule was bad. I renamed /etc/snort/rules to ruless, and snort gives no error message. Is there a way?


In French (translated):

I get an error message when launching snort, saying that the file containing the rule is in error. I put # in front of all the lines of that file, and then snort reports a different rules file as being in error. So I renamed /etc/snort/rules to ruless, and then there are no more errors; snort starts without problems. But no rules are loaded?

MasterSleepy
[Contrib] Snort for sme server 7.x
« Reply #15 on: March 13, 2006, 05:43:26 AM »
Hello,

It's quite strange, because that part of the config file is generated automatically when snort starts, and it depends on the rules you have in your rules directory.

I'll take a look at that.

Thanks for feedback.

MasterSleepy
[UPDATED] snort 2.4.4
« Reply #16 on: May 08, 2006, 08:15:02 AM »
Hello all,

Great thanks to androme http://www.androme.org who compiled snort in its latest version, 2.4.4.
This version includes some bug fixes in the install script.
So the best way to upgrade is to remove the old one first:
http://www.vanhees.cc/index.php?name=CmodsDownload&file=index&req=viewdownloaddetails&lid=270

Regards.

smitti
[Contrib] Snort for sme server 7.x
« Reply #17 on: May 08, 2006, 11:07:13 AM »
Hi,

I followed your howto but somehow when I go to BASE the MySQL database isn't complete.
It is complaining that there is no snort_log.iphdr table.

Is there something I can do to fix this?

Peter

MasterSleepy
[Contrib] Snort for sme server 7.x
« Reply #18 on: May 08, 2006, 11:20:34 AM »
Hello,

You can try to remove the BASE contrib, re-download it and reinstall it.

Can you post the message that the BASE application gives?

Regards.

smitti
[Contrib] Snort for sme server 7.x
« Reply #19 on: May 08, 2006, 03:25:02 PM »
Hi,

I reinstalled BASE but still the same.....

Here is the error:

Code:
The underlying database snort_log@localhost appears to be incomplete/invalid
Database ERROR:Table 'snort_log.iphdr' doesn't exist


It might be an older version. Only alert databases created by Snort 1.7-beta0 or later are supported


Thanx

Peter

smitti
[Contrib] Snort for sme server 7.x
« Reply #20 on: May 08, 2006, 03:34:38 PM »
Hi again,

I just looked at the logfile and it seems not to work with MySQL???

I placed the logfile on my site so you can have a look at it.

http://smitti.mine.nu/snort.txt


Peter

MasterSleepy
[Contrib] Snort for sme server 7.x
« Reply #21 on: May 08, 2006, 03:44:02 PM »
OK, it appears that there is a big problem with the executable file.
I'll check that after work and give a new version asap.

smitti
[Contrib] Snort for sme server 7.x
« Reply #22 on: May 08, 2006, 05:33:22 PM »
Quote from MasterSleepy:
    OK it appear that there is a big problem with executable file.
    I'll check that after work and give a new version asap.

Thanks, I will wait :D

Peter

MasterSleepy
[Contrib] Snort for sme server 7.x
« Reply #23 on: May 09, 2006, 08:26:44 AM »
Hello all,

Here is a new version;
several bug fixes have been made:
http://www.vanhees.cc/index.php?name=CmodsDownload&file=index&req=viewsdownload&orderby=dateD

Regards.

smitti
[Contrib] Snort for sme server 7.x
« Reply #24 on: May 09, 2006, 08:51:35 AM »
Great it worked perfectly now  :-D

Peter

smitti
[Contrib] Snort for sme server 7.x
« Reply #25 on: May 09, 2006, 09:19:52 AM »
Quote from smitti:
    Great it worked perfectly now  :-D

Hi again,

I was too quick with my last reply...
snort is quitting because of an error:

Code:
2006-05-09 09:07:33.312436500 ERROR: ERROR /etc/snort/rules/community-dos.rules(7): Couldn't resolve hostname /1
2006-05-09 09:07:33.312571500 Fatal Error, Quitting..
2006-05-09 09:07:35.867129500 WARNING in /etc/e-smith/templates//etc/snort/snort.conf/05LocalNetwork: Use of uninitialized value in concatenation (.) or string at /etc/e-smith/templates//etc/snort/snort.conf/05LocalNetwork line 25.
2006-05-09 09:07:36.089330500 WARNING: Template processing succeeded for //etc/snort/snort.conf: 1 fragment generated warnings
2006-05-09 09:07:36.089345500  at /sbin/e-smith/expand-template line 45
2006-05-09 09:07:36.242631500 Running in IDS mode


Is there something I need to change in the template?
I also looked in community-dos.rules but I am a noob about this stuff  :-(

Peter

MasterSleepy
[Contrib] Snort for sme server 7.x
« Reply #26 on: May 09, 2006, 10:24:48 AM »
Hi smitti,

Are you in gateway mode?

Can you give me the result of the following commands?

Code:
db configuration show ExternalIP

Code:
cat /etc/snort/snort.conf | grep "var HOME_NET"

That will help me to debug that template.

thanks

smitti
[Contrib] Snort for sme server 7.x
« Reply #27 on: May 09, 2006, 10:34:17 AM »
Hi,

No, I am in server-only mode but have all ports forwarded to the server.
The server is behind a Thomson ADSL modem.

The first command gives no result:

Code:
[root@ibm-server ~]# db configuration show ExternalIP
[root@ibm-server ~]#


The second one:

Code:
[root@ibm-server ~]# cat /etc/snort/snort.conf | grep "var HOME_NET"
# var HOME_NET 10.1.1.0/24
# var HOME_NET $eth0_ADDRESS
# var HOME_NET [10.1.1.0/24,192.168.1.0/24]
var HOME_NET [127.0.0.1/1,10.0.0.0/24,/1]
[root@ibm-server ~]#


Is it a problem when it's in server-only mode?
I am using this setup because the wifi is in the modem....
Before this I always used gateway mode.

Peter

MasterSleepy
[Contrib] Snort for sme server 7.x
« Reply #28 on: May 09, 2006, 10:39:46 AM »
OK, I'll adapt the template to pay attention to server-only mode.
A new version will be available soon.

Thanks for feedback.
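
smitti's output shows what goes wrong: in server-only mode `ExternalIP` is unset, the template fragment 05LocalNetwork interpolates the empty value (the "uninitialized value" warning), and the resulting `/1` element is the "hostname" snort fails to resolve. The `127.0.0.1/1` element is wrong too, since a /1 prefix covers half the IPv4 address space rather than the loopback address. The following is an added example, not the contrib's own template (which is a Perl e-smith fragment): a Python version of the same logic that only appends entries it has actually been given and re-parses every element as CIDR before rendering the `var HOME_NET` line, so a missing external address produces a shorter list instead of a broken one. The dictionaries are constructed samples; `LocalIP`, `LocalNetmask` and `ExternalIP` are assumed to be the stock SME configuration database keys.

```python
"""Build the 'var HOME_NET' line for snort.conf from SME Server
configuration database values, tolerating server-only mode where
ExternalIP is unset.

Added example, a Python stand-in for the e-smith template fragment
05LocalNetwork. The key names LocalIP, LocalNetmask and ExternalIP are
assumed to be the stock SME configuration keys; the sample dictionaries
below are constructed, not read from a real server.
"""
import ipaddress


def home_net_entries(config):
    """Return the list of CIDR strings that make up HOME_NET.

    `config` maps SME configuration keys to strings. A missing or empty
    ExternalIP (server-only mode, or gateway mode before the external
    interface is up) is skipped instead of yielding the '/1' element
    that snort refuses to parse.
    """
    entries = ["127.0.0.1/32"]  # loopback as a single host, not a /1

    local_ip = config.get("LocalIP", "").strip()
    local_mask = config.get("LocalNetmask", "").strip()
    if local_ip and local_mask:
        # (address, netmask) tuple form; strict=False accepts a host
        # address and yields the containing network, e.g. 10.0.0.0/24.
        local_net = ipaddress.ip_network((local_ip, local_mask), strict=False)
        entries.append(str(local_net))

    external_ip = config.get("ExternalIP", "").strip()
    if external_ip:
        entries.append(str(ipaddress.ip_network(external_ip + "/32")))

    # Defensive re-parse: every element must be valid CIDR before it is
    # written, otherwise snort aborts at start-up as in the thread.
    for cidr in entries:
        ipaddress.ip_network(cidr)
    return entries


def home_net_line(config):
    """Render the snort.conf variable definition."""
    return "var HOME_NET [%s]" % ",".join(home_net_entries(config))


# Constructed samples: a server-only box (no ExternalIP at all) and a
# server-gateway box with a documentation-range external address.
SERVER_ONLY = {"LocalIP": "10.0.0.1", "LocalNetmask": "255.255.255.0"}
GATEWAY = {"LocalIP": "192.168.2.2", "LocalNetmask": "255.255.255.0",
           "ExternalIP": "203.0.113.7"}

if __name__ == "__main__":
    print(home_net_line(SERVER_ONLY))
    print(home_net_line(GATEWAY))
```

On a real box the values come from `db configuration show LocalIP` and friends; the point of the re-parse loop is that a template that cannot produce a valid HOME_NET should fail loudly at expansion time rather than leave snortd in a restart loop.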

MasterSleepy
[UPDATE] Snort for smeserver
« Reply #29 on: July 18, 2006, 08:57:12 AM »
Hello,

Here is the latest version of snort for SME Server 7.
I used the latest snort version, 2.6.
The new RPM also corrects server-only mode.
Here is the howto:
http://www.vanhees.cc/index.php?module=ContentExpress&func=display&ceid=39

The rpm :
smeserver-snort-2.6.0-1.i386.rpm
smeserver-snort-2.6.0-1.src.rpm

I suggest removing the old RPM before installing the new one.

Regards.

smitti
[Contrib] Snort for sme server 7.x
« Reply #30 on: July 18, 2006, 10:56:04 PM »
Thanks.....

Going to try it soon; I am off on holiday next Friday.
Hope to test it before.........

Peter

sonoracomm
[Contrib] Snort for sme server 7.x
« Reply #31 on: July 22, 2006, 06:18:44 AM »
Thanks much MasterSleepy!

I installed the new version and it seems to have cleared up some problems I was having before.

Server-Only Mode

Thank you very much for this great contribution!

G

rich

[Contrib] Snort for sme server 7.x
« Reply #32 on: August 02, 2006, 03:44:44 PM »
MasterSleepy

I installed your contribs and seem to have everything working.
I set up oinkmaster to grab the rules; it did...
It restarted and it is logging to the alerts file and the MySQL DB.
The only problem is that when I go to my server via https to the /base directory I don't see any alerts listed. If I go into the admin within /base and into the "Cache and Status" section (which I can, just fine) I see there is a listing of "Total Events: 1636",

yet nothing shows in the web interface of /base.

I have verified that the /var/log/snort/alerts file IS indeed working.
It is, and Guardian is doing a good job of blocking people (I even accidentally blocked myself once).


So, I assume (and now I see) that /base uses the SQL file only.
So I assumed I had SQL errors, so I looked at /var/log/snortd/current and see the following errors:

@4000000044d0ab780b766514 database: mysql_error: Unknown column 'sig_gid' in 'where clause'
@4000000044d0ab780b76789c database: Problem inserting a new signature 'BAD-TRAFFIC udp port 0 traffic': INSERT INTO signature (sig_name,sig_class_id,sig_priority,sig_rev,sig_sid,sig_gid) VALUES ('BAD-TRAFFIC udp port 0 traffic',1,3,9,525,1)
@4000000044d0ab780b85eda4 database: mysql_error: Duplicate entry '0-1' for key 1
@4000000044d0ab780b8608fc SQL=INSERT INTO sig_reference (sig_id, ref_seq, ref_id) VALUES (0, 1, 2)
@4000000044d0ab780b9589bc database: mysql_error: Duplicate entry '0-2' for key 1
@4000000044d0ab780b95a12c SQL=INSERT INTO sig_reference (sig_id, ref_seq, ref_id) VALUES (0, 2, 3)
@4000000044d0ab780ba3e584 database: mysql_error: Duplicate entry '0-3' for key 1
@4000000044d0ab780ba3fcf4 SQL=INSERT INTO sig_reference (sig_id, ref_seq, ref_id) VALUES (0, 3, 4)


I assume my tables aren't quite right.
I am not much of a SQL hack, but I reckon I could try to manually create some of the tables and fields to get this working?

Any advice?
Is there a way to rebuild my DB from here?

Thanks!

sonoracomm
[Contrib] Snort for sme server 7.x
« Reply #33 on: August 02, 2006, 07:24:48 PM »
After reading the last post, I went back to my test box and took another look.

I too have the same problem.  Here are the last few lines from my log:

Code:
@4000000044d0ae4d24d2336c database: mysql_error: Unknown column 'sig_gid' in 'where clause'
@4000000044d0ae4d357d32fc database: mysql_error: Unknown column 'sig_gid' in 'field list'
@4000000044d0ae4d357d3eb4 SQL=INSERT INTO signature (sig_name,sig_class_id,sig_priority,sig_rev,sig_sid,sig_gid) VALUES ('DNS SPOOF query response with TTL of 1 min. and no authority',1,2,4,254,1)
@4000000044d0ae4d3581f9a4 database: mysql_error: Unknown column 'sig_gid' in 'where clause'
@4000000044d0ae4d3582055c database: Problem inserting a new signature 'DNS SPOOF query response with TTL of 1 min. and no authority': INSERT INTO signature (sig_name,sig_class_id,sig_priority,sig_rev,sig_sid,sig_gid) VALUES ('DNS SPOOF query response with TTL of 1 min. and no authority',1,2,4,254,1)


G

rich

[Contrib] Snort for sme server 7.x
« Reply #34 on: August 02, 2006, 07:52:48 PM »
I got mine working...
I used phpMyAdmin, went into the "signature" row and added "sig_gid" as a field (I just copied the attributes of the "sig_sid" field), and snort immediately began to propagate it.

All is now well, although I am guessing I need to do that to the snort_archive DB too (which I have not done).
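
The log lines rich and sonoracomm posted show why BASE stays empty: Snort 2.6's database output plugin inserts a `sig_gid` column that the `signature` table created by the earlier package does not have, the signature INSERT fails, and the follow-up `sig_reference` rows are then written with `sig_id` 0, which collides on the primary key (the `Duplicate entry '0-1' for key 1` errors). Adding the column, as rich did through phpMyAdmin, is the fix. The following is an added example, not part of the contrib: it reproduces the failure against the old table layout and then applies the migration. An in-memory sqlite3 database stands in for MySQL so it runs offline; the table definitions are reduced to the columns involved, the sample signatures are constructed from the names in the thread, and the equivalent MySQL statement is noted in `migrate()` as an assumption about what rich's edit produced.

```python
"""Reproduce the 'Unknown column sig_gid' failure seen with Snort 2.6
writing into a database schema created by the 2.4 package, then apply
the fix (add the column) so the signature insert succeeds.

Added example, not part of the contrib. sqlite3 stands in for MySQL so
the demonstration runs offline; the table layouts are cut down to the
columns involved and the sample signatures are constructed.
"""
import sqlite3

# Old layout: 'signature' without sig_gid, plus the sig_reference table
# whose primary key (sig_id, ref_seq) is what collided in the thread.
OLD_SCHEMA = """
CREATE TABLE signature (
    sig_id       INTEGER PRIMARY KEY AUTOINCREMENT,
    sig_name     VARCHAR(255) NOT NULL,
    sig_class_id INTEGER,
    sig_priority INTEGER,
    sig_rev      INTEGER,
    sig_sid      INTEGER
);
CREATE TABLE sig_reference (
    sig_id  INTEGER NOT NULL,
    ref_seq INTEGER NOT NULL,
    ref_id  INTEGER NOT NULL,
    PRIMARY KEY (sig_id, ref_seq)
);
"""

# The statement shape Snort 2.6's database plugin sends (from the log
# lines in the thread), parameterised.
INSERT_SIG = ("INSERT INTO signature (sig_name,sig_class_id,sig_priority,"
              "sig_rev,sig_sid,sig_gid) VALUES (?,?,?,?,?,?)")

# Constructed from the signature names quoted in the thread.
SAMPLE_SIGS = [
    ("BAD-TRAFFIC udp port 0 traffic", 1, 3, 9, 525, 1),
    ("DNS SPOOF query response with TTL of 1 min. and no authority", 1, 2, 4, 254, 1),
]


def has_column(conn, table, column):
    """True if `table` already has `column` (PRAGMA table_info row[1] is the name)."""
    return any(row[1] == column
               for row in conn.execute("PRAGMA table_info(%s)" % table))


def migrate(conn):
    """Add the column Snort 2.6 expects; idempotent, returns True if changed.

    Assumed MySQL equivalent of rich's phpMyAdmin edit (sig_sid's type
    copied onto the new field):  ALTER TABLE signature ADD sig_gid INT UNSIGNED;
    """
    if has_column(conn, "signature", "sig_gid"):
        return False
    conn.execute("ALTER TABLE signature ADD COLUMN sig_gid INTEGER")
    conn.commit()
    return True


def insert_signatures(conn, sigs):
    """Try each insert the way the output plugin would.

    Returns (inserted, errors); errors holds the database's message for
    each failed row, which is what ends up in /var/log/snortd/current.
    """
    inserted, errors = 0, []
    for sig in sigs:
        try:
            conn.execute(INSERT_SIG, sig)
            inserted += 1
        except sqlite3.OperationalError as exc:
            errors.append(str(exc))
    conn.commit()
    return inserted, errors


def demo():
    """Old schema first (every insert fails), migrate, then retry."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(OLD_SCHEMA)
    before = insert_signatures(conn, SAMPLE_SIGS)
    changed = migrate(conn)
    changed_again = migrate(conn)  # second run is a no-op
    after = insert_signatures(conn, SAMPLE_SIGS)
    return {"before": before, "migrated": changed,
            "migrated_again": changed_again, "after": after}


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Because `migrate()` checks for the column first, it is safe to run against a database that was created fresh by the newer package or that was already patched by hand; the same check is what a package upgrade script should do before touching a live alert database.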

rich

[Contrib] Snort for sme server 7.x
« Reply #35 on: August 03, 2006, 02:37:41 PM »
Once again, thanks MasterSleepy for this great contrib.

But, I have a couple more questions if I may . . .

I see in /etc/guardian.conf that logging is enabled...

# Guardian's log file
LogFile         /var/log/guardian.log


but /var/log/guardian.log is not there.
I manually created it and guardian still does not log to it.

The reason I wanted to see the log was to more fully understand what guardian is doing and why. I am black-holing IP addresses upon identifying a TCP-based signature. Most of my alerts are ICMP though, and I see guardian is not acting on those events (which is probably best anyway).
But how does one go about tweaking guardian?
All I see to tweak is the /etc/guardian.ignore file (which I have edited and which works; this is AFTER black-holing my own IP).

Also...

I have enabled the community rules thus far.
I have not enabled any other rules.
I ran Nessus (Win32 version; maybe that's the issue) against the box running snort and got VERY few alerts from the scan.
I ran Nessus against my firewall and it lit up like a Christmas tree and clearly identified the Nessus scan as a hostile port scan and emailed alerts right out.

It seems that my NetScreen firewall has more IDS detection capability than the brand new snort box.
I'm sure I just need to enable more rules.
It does look like the preprocessors are mostly all active and I should have seen that port scan.

Any further info or advice would be greatly appreciated.

Thanks!

MasterSleepy
[Contrib] Snort for sme server 7.x
« Reply #36 on: August 03, 2006, 02:59:20 PM »
Hello all,

There is a problem with the latest version of snort and the MySQL DB.
For the moment the only solution I have is to deactivate MySQL support.
Code:
db configuration setprop snortd mysql disabled
service snortd restart

I'll correct the package to include rich's MySQL solution soon.

For tuning guardian: it's not guardian you have to tune; with guardian you can only whitelist some IPs.
The rest has to be tuned in the snort rules, to not raise alerts on your ICMP problem.
But I'm not an expert on snort rules.

Regards.

rich

[Contrib] Snort for sme server 7.x
« Reply #37 on: August 03, 2006, 03:29:27 PM »
Thanks for the info...

But the problem may not just be with MySQL...
I went back and looked at the /var/log/snort/alerts file and don't see much picked up there from the Nessus scan either.
I'm not sure it's just the DB not getting the events.

Thanks for your effort.

MasterSleepy
[UPDATE] Snort for smeserver
« Reply #38 on: August 07, 2006, 10:54:57 AM »
Hello all,

Here is a new version of the snort RPM.
smeserver-snort-2.6.0-2.i386.rpm
smeserver-snort-2.6.0-2.src.rpm
This version corrects the DB problem.

I've also updated the guardian contrib to correct the log problem.
smeserver-guardiand-1.7-2.noarch.rpm
smeserver-guardiand-1.7-2.src.rpm

Regards.

rich

[Contrib] Snort for sme server 7.x
« Reply #39 on: August 07, 2006, 01:54:54 PM »
Thanks MasterSleepy...

I'll give this one a shot tonight.
Over the weekend I had removed your last versions, then installed the RHEL RPM of snort 2.6.0-1, which is better but still seems to act oddly depending on how you start it and which switches you give it.

I had everything working pretty well until I authored some pass rules, then gave it the -o flag.

Also, trying to get the portscan ignore list established seems to have freaked it out.

Thanks again!

sonoracomm
[Contrib] Snort for sme server 7.x
« Reply #40 on: August 07, 2006, 04:33:51 PM »
Hi MasterSleepy,

Thanks again for your efforts.

I tried downloading the new snort RPM 3 times with different browsers, but I get this error every time:

Code:
[root@sol ~]# rpm -Uvh smeserver-snort-2.6.0-2.i386.rpm
error: smeserver-snort-2.6.0-2.i386.rpm: MD5 digest: BAD Expected(6158d5f97961a0d1f9dd71548ace232b) != (b7a5caf19cb7c320c65edc5afa5ca4db)
error: smeserver-snort-2.6.0-2.i386.rpm cannot be installed


G

MasterSleepy
[Contrib] Snort for sme server 7.x
« Reply #41 on: August 09, 2006, 09:32:17 AM »
Hello sonoracomm,

The problem has been solved by uploading a fresh new RPM.
Now it should be good.

Regards.

Appesteijn
[Contrib] Snort for sme server 7.x
« Reply #42 on: August 09, 2006, 01:09:04 PM »
Hi,

I installed these RPMs on a fresh SME 7.0 server.
/var/log/guardian.log is missing; I used 'touch /var/log/guardian.log' to correct this. It seems guardian is now working fine.

Only snort isn't picking up any alerts: /var/log/snortd and /var/log/snort are empty and the BASE page hasn't got any alerts. Also I couldn't find any snort logfiles in the server-manager.

$HOME_NET and $EXTERNAL_NET are both OK, and I downloaded the latest rules through oinkmaster.

MasterSleepy
[Contrib] Snort for sme server 7.x
« Reply #43 on: August 09, 2006, 02:04:52 PM »
Hello,

I'll check the guardian.log; normally all errors go to /var/log/guardiand/current.

For snort, by default all reports go to MySQL except alerts, which go to /var/log/snort/alert.
Normally you should see some alerts coming into that file.
Please make sure that snort is running properly:
Code:
pgrep -l snort

regards.

Appesteijn
[Contrib] Snort for sme server 7.x
« Reply #44 on: August 09, 2006, 02:46:37 PM »
Hi MasterSleepy,

Thanks for the quick reply. Snort is running.

If MySQL is being 'filled' by snort, then that should be visible through the BASE page? So if I see no alerts there, something is wrong?

regards.

sonoracomm
[Contrib] Snort for sme server 7.x
« Reply #45 on: August 09, 2006, 08:17:36 PM »
Hi again,

I got the new packages installed and everything seemed to go well.

However, nothing shows in BASE.

There is no /var/log/snort/alert log.

This is all I get in /var/log/guardiand/current:

Code:
@4000000044da24c1231fff2c OS shows Linux
@4000000044da24c123200ae4 Warning! HostIpAddr is undefined! Attempting to guess..
@4000000044da24c123488dfc Got it.. your HostIpAddr is 192.168.2.2
@4000000044da24c1234895cc Warning! Logfile is not writeable! Engaging debug mode, output to STDOUT
@4000000044da24c123489d9c My ip address and interface are: 192.168.2.2 eth0
@4000000044da24c12348a184 Loaded 0 addresses from /etc/guardian.ignore
@4000000044da24c12348a56c Running in debug mode..


repeated many times.

Does this suite work for server-only mode?  Almost all my (clients') servers are installed that way, with only certain ports forwarded into the server.  Are there specific settings recommended for server-only mode?

I'm sorry to be the problem child... I'm new to IDS.

Thank you again, (Michael) everyone.

G

Appesteijn
[Contrib] Snort for sme server 7.x
« Reply #46 on: August 09, 2006, 09:14:49 PM »
Hi,

The guardiand/current logfile is flooding with this message:

2006-08-09 18:10:57.304659500 OS shows Linux
2006-08-09 18:10:57.304665500 Warning! HostIpAddr is undefined! Attempting to guess..
2006-08-09 18:10:57.309559500 Got it.. your HostIpAddr is 145.99.100.100
2006-08-09 18:10:57.309566500 My ip address and interface are: 145.99.100.100 eth1
2006-08-09 18:10:57.309569500 Loaded 2 addresses from /etc/guardian.ignore
2006-08-09 18:10:57.309571500 Becoming a daemon..

Every 2 seconds...

sonoracomm
[Contrib] Snort for sme server 7.x
« Reply #47 on: August 11, 2006, 07:02:32 AM »
Though my messages were a bit different, my logs were filling fast and my server was constantly busy.

I had to uninstall the rpms.

Is there some way I can help in troubleshooting this?

Thanks again for all your efforts,

G

innorevtech

snort on 7
« Reply #48 on: August 18, 2006, 02:20:09 AM »
MasterSleepy... I followed your directions and have installed Snort on SME 7. It has been running for almost a week now with NO logs at all. I keep checking BASE to see if anything has been detected and there is nothing in the cache. Is anyone else experiencing this problem? I had installed (using your directions) on previous versions of SME and everything worked great. Please help.

here is my guardian log:
@4000000044e4f08b14495df4 OS shows Linux
@4000000044e4f08b1449794c Warning! HostIpAddr is undefined! Attempting to guess..
@4000000044e4f08b14aaf654 Got it.. your HostIpAddr is 100.100.100.100
@4000000044e4f08b14ab11ac Warning! Logfile is not writeable! Engaging debug mode, output to STDOUT
@4000000044e4f08b14ab214c My ip address and interface are: 100.100.100.100 ppp0
@4000000044e4f08b14ab2d04 Loaded 0 addresses from /etc/guardian.ignore
@4000000044e4f08b14ab38bc Running in debug mode..

jumba
[Contrib] Snort for sme server 7.x
« Reply #49 on: August 22, 2006, 08:04:10 AM »
Same problem here!

My guardian log:

Code:

2006-08-21 23:31:16.991932500 OS shows Linux
2006-08-21 23:31:16.991938500 Warning! HostIpAddr is undefined! Attempting to guess..


(Running server/gateway mode)

smeghead
[Contrib] Snort for sme server 7.x
« Reply #50 on: August 22, 2006, 05:25:10 PM »
..................

innorevtech

no IDS
« Reply #51 on: August 22, 2006, 09:56:09 PM »
I checked out the information on that other forum, and I didn't find any of it to be useful in solving the problem. I hope that MasterSleepy can provide a solution.

cool34000
[Contrib] Snort for sme server 7.x
« Reply #52 on: August 23, 2006, 01:34:13 AM »
Hi there !

I'm having a huge 100% CPU utilisation all the time with the latest RPM smeserver-snort-2.6.0-2.i386.rpm and all the up-to-date RPMs needed.

I've uninstalled all the needed RPMs, removed the folders and SQL databases as told in the download area, and CPU utilisation gets back to 2%!!!

I tried another install, with the old RPM version smeserver-snort-2.4.4-2.i386.rpm. CPU utilisation is better, but still it's at 35-50% all the time...
Is that normal??? Normally I'm near 2-10% max...

Then I tested a scan + vulnerability probe (server-only, scan from LAN) and snort+guardiand didn't blacklist me... Is that normal too?

konsa

snort 2.6.0.2 and smeserver 7
« Reply #53 on: October 11, 2006, 07:43:57 PM »
Here is my situation:

smeserver-snort-2.6.0-2
smeserver-base-1.2.2-1
smeserver-oinkmaster-1.2-1

and

[root@goldrake ~]# ps ux | grep snort
root      1482  2.6  0.1  2872  304 ?        Ss   13:02  10:36 runsvdir -P /service log: var/log/snortd: access denied?multilog: fatal: unable to lock directory /var/log/snortd: access denied?multilog: fatal: unable to lock directory /var/log/snortd: access denied?multilog: fatal: unable to lock directory /var/log/snortd: access denied?multilog: fatal: unable to lock directory /var/log/snortd: access denied?multilog: fatal: unable to lock directory /var/log/snortd: access denied?
root      1686 12.7  0.0  3228  224 ?        Rs   13:02  51:02 runsv snortd
root      5162  0.0  0.9  9252 2836 ?        S    13:04   0:00 /usr/sbin/snort -i eth0 -u snort -g snort -c /etc/snort/snort.conf -K ascii -p
root      8063  0.0  0.2  4508  608 pts/1    S+   19:43   0:00 grep snort

If I access the BASE web page I see empty alarms....

The database is correctly made.

cjensen
bug report submitted
« Reply #54 on: October 12, 2006, 04:08:11 AM »
Same exact issue here. New bug report submitted:

http://bugs.contribs.org/show_bug.cgi?id=1976


Craig Jensen

jahlewis
[Contrib] Snort for sme server 7.x
« Reply #55 on: January 14, 2007, 08:20:13 PM »
I'm having the same issue as Konsa.

Code:
[root@gluon snort]# ps ux | grep snort
root      2140  0.4  0.0  2816  304 ?        Ss   13:16   0:16 runsvdir -P /service log: /log/snortd: access denied?multilog: fatal: unable to lock directory /var/log/snortd: access denied?multilog: fatal: unable to lock directory /var/log/snortd: access denied?multilog: fatal: unable to lock directory /var/log/snortd: access denied?multilog: fatal: unable to lock directory /var/log/snortd: access denied?multilog: fatal: unable to lock directory /var/log/snortd: access denied?...
root      2488  1.4  0.0  3232  212 ?        Ss   13:16   0:53 runsv snortd
root     17649  0.0  0.0  4744  588 pts/0    S+   14:16   0:00 grep snort


I'm running:
smeserver-base-1.2.2-1.noarch.rpm
smeserver-guardiand-1.7-3.noarch.rpm
smeserver-oinkmaster-1.2-1.noarch.rpm
smeserver-snort-2.6.0-2.i386.rpm

And I did create and modify the /etc/snort/guardianlog file as cjensen suggests.

I also did a chown smelog:smelog /var/log/snortd with no luck.

Restarting snortd does append to /var/log/snortd/current...

MasterSleepy
[Contrib] Snort for sme server 7.x
« Reply #56 on: January 15, 2007, 01:21:41 PM »
Hello all,

A new version will be available soon.
Soon means when I have enough time.

The new version will use the latest version of the snort 2.6 branch.
I'll also test the SME service features more, so maybe that kind of problem will be solved.

Will be back.
Regards.