Koozali.org formerly Contribs.org

[Contrib] Snort for sme server 7.x
« Reply #15 on: March 13, 2006, 05:43:26 AM »
Hello,

It's quite strange, because that part of the config file is generated automatically when snort starts and it depends on the rules you have in your rules directory.

I'll take a look at that.

Thanks for feedback.

[UPDATED] snort 2.4.4
« Reply #16 on: May 08, 2006, 08:15:02 AM »
Hello all,

Many thanks to androme http://www.androme.org, who compiled snort in its latest version, 2.4.4.
This version includes some bug fixes in the install script.
So the best way to upgrade is to remove the old one first.
http://www.vanhees.cc/index.php?name=CmodsDownload&file=index&req=viewdownloaddetails&lid=270

Regards.

[Contrib] Snort for sme server 7.x
« Reply #17 on: May 08, 2006, 11:07:13 AM »
Hi,

I followed your howto but somehow when I go to BASE the mysql database isn't complete.
It is complaining that there is no snort_log.iphdr table.

Is there something I can do to fix this?

Peter

[Contrib] Snort for sme server 7.x
« Reply #18 on: May 08, 2006, 11:20:34 AM »
Hello,

You can try to remove the base contrib, re-download it and reinstall it.

Can you post the message that the base application gives?

Regards.

[Contrib] Snort for sme server 7.x
« Reply #19 on: May 08, 2006, 03:25:02 PM »
Hi,

I reinstalled BASE but still the same.....

here is the error :

Code:
The underlying database snort_log@localhost appears to be incomplete/invalid
Database ERROR:Table 'snort_log.iphdr' doesn't exist


It might be an older version. Only alert databases created by Snort 1.7-beta0 or later are supported


Thanx

Peter

[Contrib] Snort for sme server 7.x
« Reply #20 on: May 08, 2006, 03:34:38 PM »
Hi again,

I just looked at the logfile and it seems not to work with mysql???

I placed the logfile on my site so you can have a look at it.

http://smitti.mine.nu/snort.txt


Peter

[Contrib] Snort for sme server 7.x
« Reply #21 on: May 08, 2006, 03:44:02 PM »
OK, it appears that there is a big problem with the executable file.
I'll check that after work and give a new version asap.

[Contrib] Snort for sme server 7.x
« Reply #22 on: May 08, 2006, 05:33:22 PM »
Quote from: "MasterSleepy"
OK, it appears that there is a big problem with the executable file.
I'll check that after work and give a new version asap.


Thanx, I will wait :D

Peter

[Contrib] Snort for sme server 7.x
« Reply #23 on: May 09, 2006, 08:26:44 AM »
Hello all,

Here is a new version,
several bug fixes have been made
http://www.vanhees.cc/index.php?name=CmodsDownload&file=index&req=viewsdownload&orderby=dateD

Regards.

[Contrib] Snort for sme server 7.x
« Reply #24 on: May 09, 2006, 08:51:35 AM »
Great it worked perfectly now  :-D

Peter

[Contrib] Snort for sme server 7.x
« Reply #25 on: May 09, 2006, 09:19:52 AM »
Quote from: "smitti"
Great it worked perfectly now  :-D


Hi again,

I was too quick with my last reply...
snort is quitting because of an error:

Code:
2006-05-09 09:07:33.312436500 ERROR: ERROR /etc/snort/rules/community-dos.rules(7): Couldn't resolve hostname /1
2006-05-09 09:07:33.312571500 Fatal Error, Quitting..
2006-05-09 09:07:35.867129500 WARNING in /etc/e-smith/templates//etc/snort/snort.conf/05LocalNetwork: Use of uninitialized value in concatenation (.) or string at /etc/e-smith/templates//etc/snort/snort.conf/05LocalNetwork line 25.
2006-05-09 09:07:36.089330500 WARNING: Template processing succeeded for //etc/snort/snort.conf: 1 fragment generated warnings
2006-05-09 09:07:36.089345500  at /sbin/e-smith/expand-template line 45
2006-05-09 09:07:36.242631500 Running in IDS mode


Is there something I need to change in the template?
And I also looked in the community-dos.rules but I am a noob about this stuff  :-(

Peter

[Contrib] Snort for sme server 7.x
« Reply #26 on: May 09, 2006, 10:24:48 AM »
Hi smitti,

Are you in gateway mode?

Can you give me the result of the following commands:

Code:
db configuration show ExternalIP

Code:
cat /etc/snort/snort.conf | grep "var HOME_NET"

that will help me to debug that template.

thanks

[Contrib] Snort for sme server 7.x
« Reply #27 on: May 09, 2006, 10:34:17 AM »
Hi,

No I am in serveronly mode but got all ports forwarded to the server.
The server is behind a thomson adsl modem.

The first command gives no result :

Code:
[root@ibm-server ~]# db configuration show ExternalIP
[root@ibm-server ~]#


The second one :

Code:
[root@ibm-server ~]# cat /etc/snort/snort.conf | grep "var HOME_NET"
# var HOME_NET 10.1.1.0/24
# var HOME_NET $eth0_ADDRESS
# var HOME_NET [10.1.1.0/24,192.168.1.0/24]
var HOME_NET [127.0.0.1/1,10.0.0.0/24,/1]
[root@ibm-server ~]#


Is it a problem when it's in server only mode?
I am using this setup because the wifi is in the modem....
Before this I always used gateway mode.

Peter

[Contrib] Snort for sme server 7.x
« Reply #28 on: May 09, 2006, 10:39:46 AM »
OK I'll adapt the template to pay attention to server-only.
A new version will be available soon.

Thanks for feedback.
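
Added example (not part of the thread and not the contrib's own code): a Python check for the failure shown in Replies #25 to #27, where `db configuration show ExternalIP` returned nothing, HOME_NET ended up with a bare `/1` entry, and snort quit with "Couldn't resolve hostname /1". The function names are made up for this illustration; the sample input is the snort.conf output posted in Reply #27.

```python
import ipaddress
import re

# Sample input: the snort.conf lines posted in Reply #27.
SAMPLE_CONF = """\
# var HOME_NET 10.1.1.0/24
# var HOME_NET $eth0_ADDRESS
# var HOME_NET [10.1.1.0/24,192.168.1.0/24]
var HOME_NET [127.0.0.1/1,10.0.0.0/24,/1]
"""
VAR_RE = re.compile(r"^[ \t]*var[ \t]+HOME_NET[ \t]+(\S+)[ \t]*$", re.MULTILINE)


def home_net_entries(conf_text):
    """Return the entries of the last uncommented HOME_NET line, or None."""
    found = VAR_RE.findall(conf_text)
    return found[-1].strip("[]").split(",") if found else None


def check_entry(entry):
    """Return None for a clean address/CIDR entry, else a reason string."""
    if entry == "any" or entry.startswith("$"):
        return None  # keyword or variable reference, left for snort to resolve
    addr = entry.partition("/")[0]
    if not addr:
        return "empty address (likely an unset template value)"
    try:
        net = ipaddress.ip_network(entry, strict=False)
    except ValueError:
        return "not an IP address or CIDR block"
    if ipaddress.ip_address(addr) != net.network_address:
        return f"host bits set; the mask really selects {net}"
    return None


def check_home_net(conf_text):
    """Map each bad HOME_NET entry to a reason; an empty dict means clean."""
    entries = home_net_entries(conf_text)
    if entries is None:
        return {"<missing>": "no active 'var HOME_NET' line"}
    return {e: r for e in entries if (r := check_entry(e))}


if __name__ == "__main__":
    for entry, reason in check_home_net(SAMPLE_CONF).items():
        print(f"HOME_NET entry {entry!r}: {reason}")
```

The `127.0.0.1/1` entry is flagged too: with a /1 mask it stands for 0.0.0.0/1, which is half of the IPv4 address space rather than the loopback address.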

[UPDATE] Snort for smeserver
« Reply #29 on: July 18, 2006, 08:57:12 AM »
Hello,

Here is the latest version of snort for sme server 7.
I used the latest snort version, 2.6.
The new rpm also corrects server-only mode.
Here is the howto:
http://www.vanhees.cc/index.php?module=ContentExpress&func=display&ceid=39

The rpm :
smeserver-snort-2.6.0-1.i386.rpm
smeserver-snort-2.6.0-1.src.rpm

I suggest removing the old rpm before installing the new one.

Regards.