Koozali.org: home of the SME Server

[Contrib] Snort for sme server 7.x

Offline MasterSleepy

[Contrib] Snort for sme server 7.x
« Reply #15 on: March 13, 2006, 05:43:26 AM »
Hello,

It's quite strange, because that part of the config file is generated automatically when snort starts, and it depends on the rules you have in your rules directory.

I'll take a look at that.

Thanks for feedback.

Offline MasterSleepy

[UPDATED] snort 2.4.4
« Reply #16 on: May 08, 2006, 08:15:02 AM »
Hello all,

Great thanks to androme (http://www.androme.org), who compiled snort at its latest version, 2.4.4.
This version includes some bug fixes in the install script.
So the better way to upgrade is to remove the old one first:
http://www.vanhees.cc/index.php?name=CmodsDownload&file=index&req=viewdownloaddetails&lid=270

Regards.

Offline smitti

[Contrib] Snort for sme server 7.x
« Reply #17 on: May 08, 2006, 11:07:13 AM »
Hi,

I followed your howto, but somehow when I go to BASE the MySQL database isn't complete.
It is complaining that there is no snort_log.iphdr table.

Is there something I can do to fix this?

Peter

Offline MasterSleepy

[Contrib] Snort for sme server 7.x
« Reply #18 on: May 08, 2006, 11:20:34 AM »
Hello,

You can try to remove the BASE contrib, re-download it and reinstall it.

Can you post the message that the BASE application gives?

Regards.

Offline smitti

[Contrib] Snort for sme server 7.x
« Reply #19 on: May 08, 2006, 03:25:02 PM »
Hi,

I reinstalled BASE but still the same.....

Here is the error:

Code:
The underlying database snort_log@localhost appears to be incomplete/invalid
Database ERROR:Table 'snort_log.iphdr' doesn't exist


It might be an older version. Only alert databases created by Snort 1.7-beta0 or later are supported


Thanx

Peter

Offline smitti

[Contrib] Snort for sme server 7.x
« Reply #20 on: May 08, 2006, 03:34:38 PM »
Hi again,

I just looked at the log file and it seems not to work with MySQL???

I placed the logfile on my site so you can have a look at it.

http://smitti.mine.nu/snort.txt


Peter

Offline MasterSleepy

[Contrib] Snort for sme server 7.x
« Reply #21 on: May 08, 2006, 03:44:02 PM »
OK, it appears that there is a big problem with the executable file.
I'll check that after work and give a new version asap.

Offline smitti

[Contrib] Snort for sme server 7.x
« Reply #22 on: May 08, 2006, 05:33:22 PM »
Quote from: "MasterSleepy"
OK, it appears that there is a big problem with the executable file.
I'll check that after work and give a new version asap.


Thanx, I will wait :D

Peter

Offline MasterSleepy

[Contrib] Snort for sme server 7.x
« Reply #23 on: May 09, 2006, 08:26:44 AM »
Hello all,

Here is a new version; several bug fixes have been made:
http://www.vanhees.cc/index.php?name=CmodsDownload&file=index&req=viewsdownload&orderby=dateD

Regards.

Offline smitti

[Contrib] Snort for sme server 7.x
« Reply #24 on: May 09, 2006, 08:51:35 AM »
Great it worked perfectly now  :-D

Peter

Offline smitti

[Contrib] Snort for sme server 7.x
« Reply #25 on: May 09, 2006, 09:19:52 AM »
Quote from: "smitti"
Great it worked perfectly now  :-D


Hi again,

I was too quick with my last reply...
snort is quitting because of an error:

Code:
2006-05-09 09:07:33.312436500 ERROR: ERROR /etc/snort/rules/community-dos.rules(7): Couldn't resolve hostname /1
2006-05-09 09:07:33.312571500 Fatal Error, Quitting..
2006-05-09 09:07:35.867129500 WARNING in /etc/e-smith/templates//etc/snort/snort.conf/05LocalNetwork: Use of uninitialized value in concatenation (.) or string at /etc/e-smith/templates//etc/snort/snort.conf/05LocalNetwork line 25.
2006-05-09 09:07:36.089330500 WARNING: Template processing succeeded for //etc/snort/snort.conf: 1 fragment generated warnings
2006-05-09 09:07:36.089345500  at /sbin/e-smith/expand-template line 45
2006-05-09 09:07:36.242631500 Running in IDS mode


Is there something I need to change in the template?
I also looked in the community-dos.rules, but I am a noob about this stuff  :-(

Peter

Offline MasterSleepy

[Contrib] Snort for sme server 7.x
« Reply #26 on: May 09, 2006, 10:24:48 AM »
Hi smitti,

Are you in gateway mode?

Can you give me the result of the following commands?

Code:
db configuration show ExternalIP

Code:
cat /etc/snort/snort.conf | grep "var HOME_NET"

That will help me debug that template.

Thanks

Offline smitti

[Contrib] Snort for sme server 7.x
« Reply #27 on: May 09, 2006, 10:34:17 AM »
Hi,

No, I am in server-only mode but have all ports forwarded to the server.
The server is behind a Thomson ADSL modem.

The first command gives no result:

Code:
[root@ibm-server ~]# db configuration show ExternalIP
[root@ibm-server ~]#


The second one:

Code:
[root@ibm-server ~]# cat /etc/snort/snort.conf | grep "var HOME_NET"
# var HOME_NET 10.1.1.0/24
# var HOME_NET $eth0_ADDRESS
# var HOME_NET [10.1.1.0/24,192.168.1.0/24]
var HOME_NET [127.0.0.1/1,10.0.0.0/24,/1]
[root@ibm-server ~]#


Is it a problem when it's in server-only mode?
I am using this setup because the wifi is in the modem....
Before this I always used gateway mode.

Peter

Offline MasterSleepy

[Contrib] Snort for sme server 7.x
« Reply #28 on: May 09, 2006, 10:39:46 AM »
OK I'll adapt the template to pay attention to server-only.
A new version will be available soon.

Thanks for feedback.
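
The failure above is a template problem, not a rules problem: in server-only mode ExternalIP is empty, so the generated `var HOME_NET [127.0.0.1/1,10.0.0.0/24,/1]` contains a bare `/1`, which Snort reports as "Couldn't resolve hostname /1". The following is an added check (not part of the smeserver-snort contrib) that reads the active `var HOME_NET` line from a snort.conf and flags entries Snort would reject or that look wrong; the sample config is a constructed copy of the grep output posted in this thread.

```python
import ipaddress
import re

# Constructed sample based on the snort.conf grep output shown in the thread:
# three commented-out examples and the one active line that Snort choked on.
SAMPLE_CONF = """\
# var HOME_NET 10.1.1.0/24
# var HOME_NET $eth0_ADDRESS
# var HOME_NET [10.1.1.0/24,192.168.1.0/24]
var HOME_NET [127.0.0.1/1,10.0.0.0/24,/1]
"""

# Matches only uncommented 'var HOME_NET <value>' lines.
HOME_NET_RE = re.compile(r"^\s*var\s+HOME_NET\s+(\S+)\s*$", re.MULTILINE)


def active_home_net(conf_text):
    """Return the value of the first uncommented 'var HOME_NET' line, or None."""
    m = HOME_NET_RE.search(conf_text)
    return m.group(1) if m else None


def split_ip_list(value):
    """Split a Snort IP list such as '[a/24,b/16]' (or a bare 'a/24') into entries."""
    return value.strip("[]").split(",")


def check_home_net(conf_text):
    """Return (entry, reason) pairs for HOME_NET entries that are broken or suspicious."""
    value = active_home_net(conf_text)
    if value is None:
        return [("", "no active 'var HOME_NET' line found")]
    problems = []
    for entry in split_ip_list(value):
        target = entry.lstrip("!")  # Snort allows '!' negation in IP lists
        if target.startswith("$"):
            continue  # variable reference, resolved by Snort at load time
        addr, sep, _prefix = target.partition("/")
        if sep and addr == "":
            # The '/1' fragment from the thread: an empty variable (ExternalIP in
            # server-only mode) was concatenated into the template, leaving no address.
            problems.append((entry, "prefix without an address (empty variable in template?)"))
            continue
        try:
            ipaddress.ip_network(target, strict=True)
        except ValueError as exc:
            # e.g. 127.0.0.1/1: a real address, but with host bits set under that prefix
            problems.append((entry, str(exc)))
    return problems
```

Run `check_home_net(open("/etc/snort/snort.conf").read())` after `expand-template` to catch a malformed HOME_NET before Snort aborts at startup.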

Offline MasterSleepy

[UPDATE] Snort for smeserver
« Reply #29 on: July 18, 2006, 08:57:12 AM »
Hello,

Here is the latest version of snort for SME Server 7.
I used the latest snort version, 2.6.
The new rpm also corrects server-only mode.
Here is the howto:
http://www.vanhees.cc/index.php?module=ContentExpress&func=display&ceid=39

The rpm:
smeserver-snort-2.6.0-1.i386.rpm
smeserver-snort-2.6.0-1.src.rpm

I suggest removing the old rpm before installing the new one.

Regards.