Koozali.org: home of the SME Server

[Contrib] Snort for sme server 7.x

Offline smitti

[Contrib] Snort for sme server 7.x
« Reply #30 on: July 18, 2006, 10:56:04 PM »
thanx.....

Going to try it soon; I am off on a holiday next Friday.
Hope to test it before.........

Peter

Offline sonoracomm

[Contrib] Snort for sme server 7.x
« Reply #31 on: July 22, 2006, 06:18:44 AM »
Thanks much MasterSleepy!

I installed the new version and it seems to have cleared up some problems I was having before.

Server-Only Mode

Thank you very much for this great contribution!

G

rich

[Contrib] Snort for sme server 7.x
« Reply #32 on: August 02, 2006, 03:44:44 PM »
MasterSleepy

I installed your contribs and seem to have everything working.
I set up oinkmaster to grab the rules, and it did . . .
It restarted and it is logging to the alerts file and the MySQL DB.
The only problem is that when I go to my server via https to the /base directory I don't see any alerts listed. If I enter the admin within /base and go into the "Cache and Status" section (which I can do just fine) I see there is a listing of "Total Events: 1636"

yet nothing shows in the web interface of /base

I have verified that the /var/log/snort/alerts file IS indeed working.
It is, and Guardian is doing a good job of blocking people (I even accidentally blocked myself once).


So, I assume (and now I see) that /base uses the SQL data only.
So I assumed I had SQL errors, looked at /var/log/snortd/current and saw the following errors:

@4000000044d0ab780b766514 database: mysql_error: Unknown column 'sig_gid' in 'where clause'
@4000000044d0ab780b76789c database: Problem inserting a new signature 'BAD-TRAFFIC udp port 0 traffic': INSERT INTO signature (sig_name,sig_class_id,sig_priority,sig_rev,sig_sid,sig_gid) VALUES ('BAD-TRAFFIC udp port 0 traffic',1,3,9,525,1)
@4000000044d0ab780b85eda4 database: mysql_error: Duplicate entry '0-1' for key 1
@4000000044d0ab780b8608fc SQL=INSERT INTO sig_reference (sig_id, ref_seq, ref_id) VALUES (0, 1, 2)
@4000000044d0ab780b9589bc database: mysql_error: Duplicate entry '0-2' for key 1
@4000000044d0ab780b95a12c SQL=INSERT INTO sig_reference (sig_id, ref_seq, ref_id) VALUES (0, 2, 3)
@4000000044d0ab780ba3e584 database: mysql_error: Duplicate entry '0-3' for key 1
@4000000044d0ab780ba3fcf4 SQL=INSERT INTO sig_reference (sig_id, ref_seq, ref_id) VALUES (0, 3, 4)


I assume my tables aren't quite right.
I am not much of a SQL hack, but I reckon I could try to manually create some of the tables and fields to get this working?

Any advice?
Is there a way to rebuild my DB from here?

Thanks!

Offline sonoracomm

[Contrib] Snort for sme server 7.x
« Reply #33 on: August 02, 2006, 07:24:48 PM »
After reading the last post, I went back to my test box and took another look.

I too have the same problem. Here are the last few lines from my log:

Code:
@4000000044d0ae4d24d2336c database: mysql_error: Unknown column 'sig_gid' in 'where clause'
@4000000044d0ae4d357d32fc database: mysql_error: Unknown column 'sig_gid' in 'field list'
@4000000044d0ae4d357d3eb4 SQL=INSERT INTO signature (sig_name,sig_class_id,sig_priority,sig_rev,sig_sid,sig_gid) VALUES ('DNS SPOOF query response with TTL of 1 min. and no authority',1,2,4,254,1)
@4000000044d0ae4d3581f9a4 database: mysql_error: Unknown column 'sig_gid' in 'where clause'
@4000000044d0ae4d3582055c database: Problem inserting a new signature 'DNS SPOOF query response with TTL of 1 min. and no authority': INSERT INTO signature (sig_name,sig_class_id,sig_priority,sig_rev,sig_sid,sig_gid) VALUES ('DNS SPOOF query response with TTL of 1 min. and no authority',1,2,4,254,1)


G

rich

[Contrib] Snort for sme server 7.x
« Reply #34 on: August 02, 2006, 07:52:48 PM »
I got mine working . . .
I used phpMyAdmin, went into the "signature" table and added "sig_gid" as a field (I just copied the attributes of the "sig_sid" field), and snort immediately began to populate it.

All is now well, although I am guessing I need to do that to the snort_archive db too (which I have not done).
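The schema gap rich describes (Snort 2.6 inserting a sig_gid column the older signature table does not have) can be spotted from the snortd log itself. Below is an added example, not code from this thread or from the snort contrib: a small Python script that decodes the tai64n timestamps multilog writes in /var/log/snortd/current, pairs each "Unknown column" error with the INSERT that triggered it, and prints the ALTER TABLE statements for both the snort and snort_archive databases. The sample log lines are constructed, and the INT UNSIGNED column type (the attributes copied from sig_sid) is an assumption to check against your own table before running anything.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample in the same multilog (tai64n) format as /var/log/snortd/current above.
SAMPLE_LOG = """\
@4000000044d0ab780b766514 database: mysql_error: Unknown column 'sig_gid' in 'where clause'
@4000000044d0ab780b76789c database: Problem inserting a new signature 'BAD-TRAFFIC udp port 0 traffic': INSERT INTO signature (sig_name,sig_class_id,sig_priority,sig_rev,sig_sid,sig_gid) VALUES ('BAD-TRAFFIC udp port 0 traffic',1,3,9,525,1)
@4000000044d0ab780b85eda4 database: mysql_error: Duplicate entry '0-1' for key 1
"""

TAI64N_RE = re.compile(r"^@([0-9a-f]{16})([0-9a-f]{8}) (.*)$")
UNKNOWN_COL_RE = re.compile(r"mysql_error: Unknown column '(\w+)' in '(?:where clause|field list)'")
INSERT_RE = re.compile(r"INSERT INTO (\w+) \(([^)]*)\)")
# daemontools stamps each line with 2**62 + 10 + time(); subtracting that constant recovers
# the system clock value (tai64nlocal does the same when no leap-second table is installed).
TAI64_UNIX_OFFSET = (1 << 62) + 10

def parse_line(line):
    """Split a multilog line into (UTC datetime, message); None for non-tai64n lines."""
    m = TAI64N_RE.match(line)
    if not m:
        return None
    secs = int(m.group(1), 16) - TAI64_UNIX_OFFSET
    micros = int(m.group(2), 16) // 1000
    stamp = datetime(1970, 1, 1, tzinfo=timezone.utc) + timedelta(seconds=secs, microseconds=micros)
    return stamp, m.group(3)

def schema_gaps(log_text):
    """Map every column MySQL rejected to the table Snort's INSERT was aimed at."""
    unknown, gaps = set(), {}
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        _, msg = parsed
        col = UNKNOWN_COL_RE.search(msg)
        if col:
            unknown.add(col.group(1))
        ins = INSERT_RE.search(msg)
        if ins:
            cols = {c.strip() for c in ins.group(2).split(",")}
            for name in unknown & cols:
                gaps[name] = ins.group(1)
    return gaps

def alter_statements(gaps, databases=("snort", "snort_archive")):
    """ALTER TABLE per missing column and database (INT UNSIGNED assumed; back up first)."""
    return [f"ALTER TABLE {db}.{table} ADD COLUMN {col} INT UNSIGNED;"
            for db in databases for col, table in sorted(gaps.items())]
```

Feed it the real file with `schema_gaps(open("/var/log/snortd/current").read())`; the Duplicate entry lines are ignored because they are a consequence of the failed signature insert, not a schema gap of their own.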

rich

[Contrib] Snort for sme server 7.x
« Reply #35 on: August 03, 2006, 02:37:41 PM »
Once again, thanks MasterSleepy for this great contrib.

But, I have a couple more questions if I may . . .

I see in the /etc/guardian.conf that logging is enabled . .  .

# Guardian's log file
LogFile         /var/log/guardian.log


but the /var/log/guardian.log is not there.
I manually created it and guardian still does not log to it.

The reason I was wanting to see the log was to more fully understand what guardian is doing and why. I am black holing IP addresses upon identifying a TCP based signature. Most of my alerts are ICMP though and I see guardian is not acting on those events (which is probably the best anyway)
But, how does one go about tweaking guardian?
All I see to tweak is the /etc/guardian.ignore file (which I have edited and works - this is AFTER black holing my own IP)

Also . . .

I have enabled the community rules thus far.
I have not enabled any other rules.
I ran Nessus (win32 version - maybe that's the issue) against the box running snort and got VERY few alerts from the scan.
I ran Nessus against my firewall and it lit up like a Christmas tree, clearly identified the Nessus scan as a hostile port scan and emailed alerts right out.

It seems that my Netscreen Firewall has more IDS detection capability than the brand new snort box.
I'm sure I just need to enable more rules.
It does look like the preprocessors are mostly all active and I should have seen that port scan.

Any further info or advice would be greatly appreciated.

Thanks!

Offline MasterSleepy

[Contrib] Snort for sme server 7.x
« Reply #36 on: August 03, 2006, 02:59:20 PM »
Hello all,

There is a problem with the latest version of snort and the mysql db.
For the moment the only solution I have is to deactivate mysql support.
Code:
db configuration setprop snortd mysql disabled
service snortd restart

I'll correct the package to include rich's mysql solution soon.

For tuning guardian: it's not guardian you have to tune; with guardian you can only whitelist some IPs.
The rest has to be tuned in the snort rules so they do not raise alerts for your ICMP problem.
But I'm not an expert on snort rules.

Regards.

rich

[Contrib] Snort for sme server 7.x
« Reply #37 on: August 03, 2006, 03:29:27 PM »
Thanks for the info . . .

But, the problem may not just be with MYSQL . .
I went back and looked at the /var/log/snort/alerts file and don't see much picked up there from the nessus scan either.
I'm not sure it's just the DB not getting the events.

Thanks for your effort.

Offline MasterSleepy

[UPDATE] Snort for smeserver
« Reply #38 on: August 07, 2006, 10:54:57 AM »
Hello all,

Here is a new version of snort rpm.
smeserver-snort-2.6.0-2.i386.rpm
smeserver-snort-2.6.0-2.src.rpm
This version corrects the db problem.

I've updated the guardian contrib also to correct the log problem.
smeserver-guardiand-1.7-2.noarch.rpm
smeserver-guardiand-1.7-2.src.rpm

Regards.

rich

[Contrib] Snort for sme server 7.x
« Reply #39 on: August 07, 2006, 01:54:54 PM »
Thanks MasterSleepy . . .

I'll give this one a shot tonight.
Over the weekend I had removed your last versions, then installed the RHEL rpm of snort 2.6.0-1, which is better but still seems to act oddly depending on how you start it and which switches you give it.

I had everything working pretty well until I authored some pass rules, then gave it the -o flag

Also trying to get the portscanignore list established seems to have freaked it out.

Thanks again!

Offline sonoracomm

[Contrib] Snort for sme server 7.x
« Reply #40 on: August 07, 2006, 04:33:51 PM »
Hi MasterSleepy,

Thanks again for your efforts.

I tried downloading the new snort RPM 3 times with different browsers, but I get this error every time:

Quote:
[root@sol ~]# rpm -Uvh smeserver-snort-2.6.0-2.i386.rpm
error: smeserver-snort-2.6.0-2.i386.rpm: MD5 digest: BAD Expected(6158d5f97961a0d1f9dd71548ace232b) != (b7a5caf19cb7c320c65edc5afa5ca4db)
error: smeserver-snort-2.6.0-2.i386.rpm cannot be installed


G

Offline MasterSleepy

[Contrib] Snort for sme server 7.x
« Reply #41 on: August 09, 2006, 09:32:17 AM »
Hello sonoracomm,

The problem has been solved by uploading a fresh new rpm.
Now it should be good.

Regards.

Offline Appesteijn

[Contrib] Snort for sme server 7.x
« Reply #42 on: August 09, 2006, 01:09:04 PM »
Hi,

I installed these rpms on a fresh SME 7.0 server.
/var/log/guardian.log was missing; I used 'touch /var/log/guardian.log' to correct this. It seems guardian is now working fine.

Only snort isn't picking up any alerts: /var/log/snortd and /var/log/snort are empty and the base page hasn't got any alerts. Also I couldn't find any snort logfiles in the server-manager.

$HOME_NET and $External_NET are both ok, and I downloaded the latest rules through oinkmaster.

Offline MasterSleepy

[Contrib] Snort for sme server 7.x
« Reply #43 on: August 09, 2006, 02:04:52 PM »
Hello,

I'll check for the guardian.log; normally all errors go to /var/log/guardiand/current

For snort, by default all reports go to mysql except alerts, which go to /var/log/snort/alert
Normally you should see some alerts coming into that file.
Please make sure that snort is running well.
Code:
# pgrep does not read stdin, so grep the ps listing instead
ps -ef | grep snort

regards.

Offline Appesteijn

[Contrib] Snort for sme server 7.x
« Reply #44 on: August 09, 2006, 02:46:37 PM »
Hi MasterSleepy,

thx for the quick reply. Snort is running.

If MySQL is being 'filled' by snort then that should be visible through the Base page? So if I see no alerts here, something is wrong?

regards.