Koozali.org: home of the SME Server

[Contrib] Snort for sme server 7.x

sonoracomm
[Contrib] Snort for sme server 7.x
« Reply #45 on: August 09, 2006, 08:17:36 PM »
Hi again,

I got the new packages installed and everything seemed to go well.

However, nothing shows in BASE.  

There is no /var/log/snort/alert log.

This is all I get in /var/log/guardiand/current:

@4000000044da24c1231fff2c OS shows Linux
@4000000044da24c123200ae4 Warning! HostIpAddr is undefined! Attempting to guess..
@4000000044da24c123488dfc Got it.. your HostIpAddr is 192.168.2.2
@4000000044da24c1234895cc Warning! Logfile is not writeable! Engaging debug mode, output to STDOUT
@4000000044da24c123489d9c My ip address and interface are: 192.168.2.2 eth0
@4000000044da24c12348a184 Loaded 0 addresses from /etc/guardian.ignore
@4000000044da24c12348a56c Running in debug mode..


repeated many times.

Does this suite work for Server Only mode?  Almost all my (clients') servers are installed that way, with only certain ports forwarded into the server.  Are there specific settings recommended for Server Only mode?

I'm sorry to be the problem child...I'm new to IDS.

Thank you again, (Michael) everyone.

G

Appesteijn
[Contrib] Snort for sme server 7.x
« Reply #46 on: August 09, 2006, 09:14:49 PM »
Hi,

guardiand/current logfile is flooding with this message:

2006-08-09 18:10:57.304659500 OS shows Linux
2006-08-09 18:10:57.304665500 Warning! HostIpAddr is undefined! Attempting to guess..
2006-08-09 18:10:57.309559500 Got it.. your HostIpAddr is 145.99.100.100
2006-08-09 18:10:57.309566500 My ip address and interface are: 145.99.100.100 eth1
2006-08-09 18:10:57.309569500 Loaded 2 addresses from /etc/guardian.ignore
2006-08-09 18:10:57.309571500 Becoming a daemon..

Every 2 seconds...
............

sonoracomm
[Contrib] Snort for sme server 7.x
« Reply #47 on: August 11, 2006, 07:02:32 AM »
Though my messages were a bit different, my logs were filling fast and my server was constantly busy.

I had to uninstall the rpms.

Is there some way I can help in troubleshooting this?

Thanks again for all your efforts,

G

innorevtech

snort on 7
« Reply #48 on: August 18, 2006, 02:20:09 AM »
MasterSleepy... I followed your directions and have installed Snort on SME 7. It's been running for almost a week now, with NO logs at all. I keep checking BASE to see if anything has been detected and there is nothing in the cache. Is anyone else experiencing this problem? I'd installed (using your directions) on previous versions of SME and everything worked great. Please help.

here is my guardian log:
@4000000044e4f08b14495df4 OS shows Linux
@4000000044e4f08b1449794c Warning! HostIpAddr is undefined! Attempting to guess..
@4000000044e4f08b14aaf654 Got it.. your HostIpAddr is 100.100.100.100
@4000000044e4f08b14ab11ac Warning! Logfile is not writeable! Engaging debug mode, output to STDOUT
@4000000044e4f08b14ab214c My ip address and interface are: 100.100.100.100 ppp0
@4000000044e4f08b14ab2d04 Loaded 0 addresses from /etc/guardian.ignore
@4000000044e4f08b14ab38bc Running in debug mode..

jumba
[Contrib] Snort for sme server 7.x
« Reply #49 on: August 22, 2006, 08:04:10 AM »
Same problem here!

My guardian log:


2006-08-21 23:31:16.991932500 OS shows Linux
2006-08-21 23:31:16.991938500 Warning! HostIpAddr is undefined! Attempting to guess..


(Running server/gateway mode)
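The guardiand excerpts in replies #45, #46, #48 and #49 are multilog output: the lines starting with "@" carry raw TAI64N labels, the others have already been through tai64nlocal. Appesteijn sees the start-up sequence repeat every 2 seconds, which is what a supervisor restarting a daemon that exits right after starting looks like, and three of the logs also show guardian falling back to STDOUT because its log file is not writable. The script below is an added example, not part of this thread or of the smeserver-snort contrib: it decodes both timestamp formats (mirroring tai64nlocal, which subtracts 2^62 + 10 and ignores later leap seconds), counts how often the "OS shows Linux" banner recurs and how far apart, and tags the warnings seen in the posts. The sample log is constructed: its first five lines are copied from reply #45, the later ones are those lines shifted by 2 and 4 seconds to reproduce the loop.

```python
import re
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple

# A TAI64 label is 2^62 + TAI seconds. daemontools' tai64nlocal subtracts
# 2^62 + 10 (the TAI-UTC offset at the 1970 epoch) and ignores later leap
# seconds; doing the same keeps this decoder consistent with its output.
TAI64_OFFSET = (1 << 62) + 10

TAI64N_RE = re.compile(r"^@([0-9a-f]{16})([0-9a-f]{8})\s+(.*)$")
LOCAL_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\.(\d{9})\s+(.*)$")


def decode_tai64n(label: str) -> datetime:
    """Decode a 24-hex-digit TAI64N label (without the leading '@') to UTC."""
    secs = int(label[:16], 16) - TAI64_OFFSET
    nanos = int(label[16:24], 16)
    return datetime.fromtimestamp(secs, tz=timezone.utc) + timedelta(microseconds=nanos // 1000)


def parse_line(line: str) -> Optional[Tuple[datetime, str]]:
    """Split one multilog line into (timestamp, message).

    Raw multilog lines carry '@' TAI64N labels (UTC). Lines that went through
    tai64nlocal carry local time with no zone, so they come back naive. A single
    log file uses one format throughout, so intervals within a file stay valid.
    """
    m = TAI64N_RE.match(line)
    if m:
        return decode_tai64n(m.group(1) + m.group(2)), m.group(3)
    m = LOCAL_RE.match(line)
    if m:
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        return ts + timedelta(microseconds=int(m.group(2)) // 1000), m.group(3)
    return None


def find_restart_loops(lines: List[str], banner: str = "OS shows Linux",
                       max_gap: float = 5.0) -> Dict[str, object]:
    """Treat every occurrence of the start-up banner as one daemon start and
    report the number of starts, the gaps between them and whether they are
    close enough together (three or more, all within max_gap seconds) to be a
    supervisor restart loop rather than normal restarts."""
    starts = []
    for line in lines:
        parsed = parse_line(line)
        if parsed and parsed[1] == banner:
            starts.append(parsed[0])
    gaps = [(b - a).total_seconds() for a, b in zip(starts, starts[1:])]
    looping = len(starts) >= 3 and max(gaps) <= max_gap
    return {"starts": len(starts), "gaps": gaps, "looping": looping}


def diagnose(lines: List[str]) -> set:
    """Map the guardian messages quoted in the thread to short finding tags."""
    findings = set()
    text = "\n".join(lines)
    if "Logfile is not writeable" in text:
        findings.add("logfile_not_writable")   # guardian fell back to STDOUT
    if "HostIpAddr is undefined" in text:
        findings.add("hostipaddr_guessed")      # guardian had to guess its address
    if find_restart_loops(lines)["looping"]:
        findings.add("restart_loop")            # supervisor keeps restarting it
    return findings


# Constructed sample: first five lines from reply #45, the rest are the same
# lines shifted by +2 s and +4 s (hex seconds 0x44da24c3 and 0x44da24c5).
SAMPLE_TAI64N_LOG = """\
@4000000044da24c1231fff2c OS shows Linux
@4000000044da24c123200ae4 Warning! HostIpAddr is undefined! Attempting to guess..
@4000000044da24c123488dfc Got it.. your HostIpAddr is 192.168.2.2
@4000000044da24c1234895cc Warning! Logfile is not writeable! Engaging debug mode, output to STDOUT
@4000000044da24c12348a56c Running in debug mode..
@4000000044da24c3231fff2c OS shows Linux
@4000000044da24c3234895cc Warning! Logfile is not writeable! Engaging debug mode, output to STDOUT
@4000000044da24c5231fff2c OS shows Linux
@4000000044da24c5234895cc Warning! Logfile is not writeable! Engaging debug mode, output to STDOUT
"""

if __name__ == "__main__":
    sample = SAMPLE_TAI64N_LOG.splitlines()
    print(find_restart_loops(sample))
    print(sorted(diagnose(sample)))
```

Point it at a real file with `find_restart_loops(open("/var/log/guardiand/current").read().splitlines())`; a result with `looping` set means the fix belongs in whatever makes guardian exit (here the unwritable log file), not in the supervisor.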

smeghead
[Contrib] Snort for sme server 7.x
« Reply #50 on: August 22, 2006, 05:25:10 PM »
..................

innorevtech

no IDS
« Reply #51 on: August 22, 2006, 09:56:09 PM »
I checked out the information on that other forum, and I didn't find any of it to be useful in solving the problem. I hope that mastersleepy can provide a solution.

cool34000
[Contrib] Snort for sme server 7.x
« Reply #52 on: August 23, 2006, 01:34:13 AM »
Hi there !

I'm having a huge 100% cpu utilisation all the time with the last rpm smeserver-snort-2.6.0-2.i386.rpm and all up to date rpms needed

I've deinstalled all the needed rpms, suppressed folders and sql bases as told on the download area and cpu utilisation gets back to 2% !!!

I tried another install, with the old rpm version smeserver-snort-2.4.4-2.i386.rpm. CPU utilisation is better, but still it's at 35-50% all the time...
Is that normal ??? Normally, I'm near 2-10% max...

Then, i tested a scan+vulnerabilities probe (server-only, scan from lan) and snort+guardiand didn't blacklist me... Is that normal too ?

konsa

snort 2.6.0.2 and smeserver 7
« Reply #53 on: October 11, 2006, 07:43:57 PM »
Here is my situation:

smeserver-snort-2.6.0-2
smeserver-base-1.2.2-1
smeserver-oinkmaster-1.2-1

and

[root@goldrake ~]# ps ux | grep snort
root      1482  2.6  0.1  2872  304 ?        Ss   13:02  10:36 runsvdir -P /service log: var/log/snortd: access denied?multilog: fatal: unable to lock directory /var/log/snortd: access denied?multilog: fatal: unable to lock directory /var/log/snortd: access denied?multilog: fatal: unable to lock directory /var/log/snortd: access denied?multilog: fatal: unable to lock directory /var/log/snortd: access denied?multilog: fatal: unable to lock directory /var/log/snortd: access denied?
root      1686 12.7  0.0  3228  224 ?        Rs   13:02  51:02 runsv snortd
root      5162  0.0  0.9  9252 2836 ?        S    13:04   0:00 /usr/sbin/snort -i eth0 -u snort -g snort -c /etc/snort/snort.conf -K ascii -p
root      8063  0.0  0.2  4508  608 pts/1    S+   19:43   0:00 grep snort

If I access the BASE webpage I see empty alarms....

The database is correctly made.

cjensen
bug report submitted
« Reply #54 on: October 12, 2006, 04:08:11 AM »
Same exact issue here. New bug report submitted:

http://bugs.contribs.org/show_bug.cgi?id=1976


Craig Jensen

jahlewis
[Contrib] Snort for sme server 7.x
« Reply #55 on: January 14, 2007, 08:20:13 PM »
I'm having the same issue as Konsa

[root@gluon snort]# ps ux | grep snort
root      2140  0.4  0.0  2816  304 ?        Ss   13:16   0:16 runsvdir -P /service log: /log/snortd: access denied?multilog: fatal: unable to lock directory /var/log/snortd: access denied?multilog: fatal: unable to lock directory /var/log/snortd: access denied?multilog: fatal: unable to lock directory /var/log/snortd: access denied?multilog: fatal: unable to lock directory /var/log/snortd: access denied?multilog: fatal: unable to lock directory /var/log/snortd: access denied?...
root      2488  1.4  0.0  3232  212 ?        Ss   13:16   0:53 runsv snortd
root     17649  0.0  0.0  4744  588 pts/0    S+   14:16   0:00 grep snort


I'm running:
smeserver-base-1.2.2-1.noarch.rpm
smeserver-guardiand-1.7-3.noarch.rpm
smeserver-oinkmaster-1.2-1.noarch.rpm
smeserver-snort-2.6.0-2.i386.rpm

And did create and modify the /etc/snort/guardianlog file as cjensen suggests

I also did a chown smelog:smelog /var/log/snortd with no luck

restarting snortd does append /var/log/snortd/current...
............
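The ps output in konsa's reply #53 and jahlewis's reply #55 shows the snortd log service dying with "multilog: fatal: unable to lock directory /var/log/snortd: access denied", i.e. multilog cannot write its log directory as the account the service's log/run script switches to, and runsv then restarts it endlessly (hence the busy `runsv snortd` process). The shell function below is an added example, not part of this thread or of the contrib: it checks that a given directory exists, is owned by the expected account and is writable by its owner, and names the condition that fails. Directory and account are parameters; /var/log/snortd and smelog are the values jahlewis tried, and the account actually used has to be read from the service's log/run script, which this example does not do.

```sh
#!/bin/sh
# multilog_dir_check DIR USER
# Returns 0 when DIR is a directory owned by USER with the owner write bit set;
# otherwise reports what is wrong on stderr and returns 1. It parses `ls -ld`
# rather than `stat` so it works on old coreutils and on BSD systems alike.
multilog_dir_check() {
    dir=$1
    want_user=$2
    if [ ! -d "$dir" ]; then
        echo "$dir: missing or not a directory" >&2
        return 1
    fi
    # Fields of `ls -ld`: mode links owner group ...
    set -- $(ls -ld "$dir")
    mode=$1
    owner=$3
    status=0
    if [ "$owner" != "$want_user" ]; then
        echo "$dir: owned by $owner, expected $want_user" >&2
        status=1
    fi
    case $mode in
        d?w*) ;;   # third character of drwx------ is the owner write bit
        *) echo "$dir: owner has no write permission ($mode)" >&2; status=1 ;;
    esac
    return $status
}

# Stand-alone use: multilog_dir_check /var/log/snortd smelog
if [ $# -ge 2 ]; then
    multilog_dir_check "$1" "$2"
    exit $?
fi
```

A clean result from this check but the same multilog error afterwards points at the parent directory or at a stale lock file inside it rather than at ownership.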

MasterSleepy
[Contrib] Snort for sme server 7.x
« Reply #56 on: January 15, 2007, 01:21:41 PM »
Hello all,

A new version will be soon available.
Soon means when I have enough time.

The new version will use the latest version of the snort 2.6 branch.
I'll also test the SME service features more, so maybe that kind of problem will be solved.

Will be back.
Regards.