Koozali.org: home of the SME Server

Snort IDS and ACID howto

Ari

Snort IDS and ACID howto
« on: April 24, 2002, 07:21:17 PM »
I've just finished a new howto on installing the Snort IDS and ACID (Analysis Console for Intrusion Databases) on the SME 5.1.2 server

Note: The test installation was done on a 'relatively' stock system (no major mods)

http://www.marari.net/downloads/snort/acid-howto.htm

As always, feedback would be appreciated. I'm sure the snort.conf and/or the snort command line could use a bit of 'tweaking'...

Cheers!
Ari

guestHH

Re: Snort IDS and ACID howto
« Reply #1 on: April 24, 2002, 09:08:43 PM »
well done Ari!

Regards,
guestHH

Ari

Re: Snort IDS and ACID howto
« Reply #2 on: April 24, 2002, 09:59:22 PM »
guestHH wrote:
>
> well done Ari!
>
> Regards,
> RequestedDeletion


Thanks!!
:-D

Ari

Amir

Re: Snort IDS and ACID howto
« Reply #3 on: April 25, 2002, 10:52:55 PM »
THANKS!.. i was looking to do this over the weekend, now it's suddenly easier ;-)

Ari Novikoff

Re: Snort IDS and ACID howto
« Reply #4 on: April 26, 2002, 02:39:02 AM »
And it's become even easier yet!

Thanks to some contrib from Trevor Ouellette and a bit of bug hunting, the RPM has been updated to do a lot of the manual work. Setup is now 2 steps!!

http://www.marari.net/downloads/snort/acid-howto.htm

Source, of course, is always available. See the howto.

Cheers!
Ari

tibor

Re: Snort IDS and ACID howto
« Reply #5 on: April 26, 2002, 04:46:39 AM »
Ari:

Everything installed OK, I could see Code Red alerts right away. The only problem I could see, the ACID did not display any port scans. I used Shields Up! port scan test (http://grc.com). Snort detected it, I could see spp_portscan entries in /var/logs/snort/alert, as well as new entries in /var/logs/snort/portscan.log,
but the Portscan Traffic in ACID stays on 0%. Is there anything else I should configure to enable portscans logging in MySQL?

Thanks,

Tibor

Ari Novikoff

Re: Snort IDS and ACID howto
« Reply #6 on: April 26, 2002, 07:40:10 AM »
There's a bit of tweaking, actually, that you can do in Acid.

The file you'll need to edit is (if you are running ari-mitel-acid-1.0.0-10.noarch.rpm) in /etc/e-smith/templates/opt/administration/acid/acid_conf.php

The file is called 00acid_conf.php and somewhere down the looooooooong config list is something for portscan... I believe it's an add-in module if memory serves me correctly...

Best off to visit the Acid home page and look for instructs...

http://www.cert.org/kb/acid/

Cheers!
Ari

Darrin Domoney

Re: Snort IDS and ACID howto
« Reply #7 on: April 26, 2002, 10:37:42 AM »
Ari,
     I tried to access your howtos and downloads and got an access denied error. Any ideas?

Thanks,
Darrin

Ari

Re: Snort IDS and ACID howto
« Reply #8 on: April 26, 2002, 07:02:24 PM »
Darrin Domoney wrote:
>
> Ari,
>      I tried to access your howtos and downloads and got an
> access denied error. Any ideas?
>
> Thanks,
> Darrin

How do you possibly expect me to be able to help you with this limited information? You may as well have asked me "How high is up?"

Can you please try to be a bit more SPECIFIC so that I can assess what -possibly- went wrong during your installation? i.e. When did the error occur? What did you do -EXACTLY- before the error occurred.. etc.

Darrin Domoney

Re: Snort IDS and ACID howto
« Reply #9 on: April 26, 2002, 08:13:16 PM »
Ari,
     I know that you have been a valuable contributor to the e-smith community so I will chalk up your answer to having a bad day....
Again - I went to your web site using the web link that you had posted in the forum and was unable to access anything. I would expect that this is just a minor config problem. I have not tried to install anything yet as I have been unable to access anything.
    In the future please read before responding.

Thanks,
Darrin

Ari

Re: Snort IDS and ACID howto
« Reply #10 on: April 26, 2002, 09:53:45 PM »
yeah.. I was having a bad day. Sorry.

The problem on my server is fixed (I moved things around and forgot that I had an ibay that shared the same name as a subdirectory, which was causing all the problems).

download and go to town.

Ari

Johnny

Re: Snort IDS and ACID howto
« Reply #11 on: May 01, 2002, 07:04:05 AM »
Hi Ari,

Interesting contrib!! Took me a couple of days to get close to a working IDS system, but it's getting there now. I'll outline the changes I've made in an effort to hopefully get some help ironing out a couple of problems.

Running the install straight from the how-to barfed everywhere, seeming to centre round the inability to detect the external ip (ippp0) and its desire to declare a non-existent eth1.

After a little rooting around, I came across /etc/guardian.conf, and altered the entry for 'Interface' to 'eth0'. Next I edited /etc/snort/snort.conf, removing the external ip it inserted at 'var HOME_NET' and declared my internal network.

After rebooting, the command #service --status-all declared 'snort is stopped' and 'No Pluto running!'. If I use the command snort -d -h 192.168.168.0/24 -c snort.conf &, everything works fine, i.e logging info appears via the web interface when I run test scans.

My questions are...
1. What is Pluto for and how do I start it? Do I need it?
2. How do I automate the snort daemon? I think this relates to the eth1 error below. Is the path to snort.conf correct? (I found another in ..templates/etc/snort/snort.conf/00snort.conf )
3. I declared the variable $portscan_file = "/var/log/snort/portscan.log"; in the 00acid_conf.php file as you suggested, but the portscan.log file is still empty, although the file has been created, any suggestions? The web interface gives the error 'PORTSCAN EVENT ERROR: No file was specified in the $portscan_file variable'

Here is the error message I get on boot-up...

May  1 02:26:27 big-cahunha modprobe: modprobe: Can't locate module eth1
May  1 02:26:27 big-cahunha snort-mysql: ioctl(SIOC*MTU):No such device
May  1 02:26:27 big-cahunha snort-mysql: Automagic MTU discovery failed. Using default 1500
May  1 02:26:27 big-cahunha snort-mysql: FATAL ERROR: ERROR: OpenPcap() device eth1 open:  ^Iioctl: No such device
May  1 02:26:27 big-cahunha snortd: snort-mysql startup failed
May  1 02:26:27 big-cahunha sysmonitor: Starting system monitor:
May  1 02:26:27 big-cahunha sysmonitor: OK
Wed May  1 02:26:28 BST 2002 System monitor daemon started.
May  1 02:26:28 big-cahunha sysmonitor:
May  1 02:26:28 big-cahunha rc: Starting sysmonitor:  succeeded
May  1 02:26:28 big-cahunha guardian.pl: OS shows Linux
May  1 02:26:28 big-cahunha guardian.pl: Warning! HostIpAddr is undefined! Attempting to guess..
May  1 02:26:28 big-cahunha guardian.pl: Got it.. your HostIpAddr is 192.168.168.1
May  1 02:26:28 big-cahunha guardian.pl: My ip address and interface are: 192.168.168.1 eth0
May  1 02:26:28 big-cahunha guardian.pl: Loaded 0 addresses from /etc/guardian.ignore
May  1 02:26:28 big-cahunha guardian.pl: Becoming a daemon..
May  1 02:26:28 big-cahunha guardiand: guardian.pl startup succeeded

Wheeeeww, that took a while ;)
Hope at least some of it makes sense...

Ari Novikoff

Re: Snort IDS and ACID howto
« Reply #12 on: May 02, 2002, 01:58:26 AM »
Johnny >
> My questions are...

> 2. How do I automate the snort daemon? I think this relates
> to the eth1 error below. Is the path to snort.conf correct? (
> I found another in
> ..templates/etc/snort/snort.conf/00snort.conf )

snort.conf is located in /etc/snort - the 00snort.conf file is a template fragment.
The correct path is: /etc/snort/snort.conf


> 3. I declared the variable $portscan_file =
> "/var/log/snort/portscan.log"; in the 00acid_conf.php file as
> you suggested, but the portscan.log file is still
> empty,although the file has been created, any suggestions?
> The web interface gives the error 'PORTSCAN EVENT ERROR: No
> file was specified in the $portscan_file variable'

Portscan is an add-in module that is not part of this contrib. When I have some time I'll get working on it.

Just a couple of points if I may...

1) The contrib was designed to run on the Mitel SME server v5.X or the ESSG 4.1.2 with a relatively "stock" installation. If your system has been heavily modified, I can't really help you as there's too many variables.

2) Aside from a couple of minor glitches in some of the initial releases of this contrib, there have been no major problems installing and/or using it and I have received emails from numerous people saying that the how-to was flawless.

Having said that, I would be inclined to believe that your installation is far from stock and/or standard.

Am I close?

>
> Here is the error message I get on boot-up...
>
> May  1 02:26:27 big-cahunha modprobe: modprobe: Can't locate
> module eth1
> May  1 02:26:27 big-cahunha snort-mysql: ioctl(SIOC*MTU):No
> such device
> May  1 02:26:27 big-cahunha snort-mysql: Automagic MTU
> discovery failed. Using default 1500
> May  1 02:26:27 big-cahunha snort-mysql: FATAL ERROR: ERROR:
> OpenPcap() device eth1 open:  ^Iioctl: No such device
> May  1 02:26:27 big-cahunha snortd: snort-mysql startup failed
> May  1 02:26:27 big-cahunha sysmonitor: Starting system
> monitor:
> May  1 02:26:27 big-cahunha sysmonitor: OK
> Wed May  1 02:26:28 BST 2002 System monitor daemon started.
> May  1 02:26:28 big-cahunha sysmonitor:
> May  1 02:26:28 big-cahunha rc: Starting sysmonitor:  succeeded
> May  1 02:26:28 big-cahunha guardian.pl: OS shows Linux
> May  1 02:26:28 big-cahunha guardian.pl: Warning! HostIpAddr
> is undefined! Attempting to guess..
> May  1 02:26:28 big-cahunha guardian.pl: Got it.. your
> HostIpAddr is 192.168.168.1
> May  1 02:26:28 big-cahunha guardian.pl: My ip address and
> interface are: 192.168.168.1 eth0
> May  1 02:26:28 big-cahunha guardian.pl: Loaded 0 addresses
> from /etc/guardian.ignore
> May  1 02:26:28 big-cahunha guardian.pl: Becoming a daemon..
> May  1 02:26:28 big-cahunha guardiand: guardian.pl startup
> succeeded
>
> Wheeeeww, that took a while ;)
> Hope at least some of it makes sense...

hanscees

Re: Snort IDS and ACID howto
« Reply #13 on: May 02, 2002, 04:32:42 AM »
hmm,
my snort says it cannot find the /root.snortrc file?

Johnny

Re: Snort IDS and ACID howto
« Reply #14 on: May 02, 2002, 04:44:49 AM »
Yes, I must confess!!

There are more than a couple of 'additional features' provided by the fine contributors to SME :) , it's just unfortunate that the reality of linux' interdependencies is far flung from the modular heaven we were promised, lol...

I guess the search continues for a working IDS enabled system.

Regards,
             Johnny

booker

Re: Snort IDS and ACID howto
« Reply #15 on: May 06, 2002, 06:27:53 AM »
Hey,

I'm amazed at all the success outlined here. I have not even been able to find the RPMS listed as downloads needed. I went to rpmfind.

Thanks for any help

booker

Thanks Ari - it works
« Reply #16 on: May 06, 2002, 10:16:47 AM »
I found all the RPMS installed them and everything went perfectly I think. Thank you Ari.

Garret

Re: Snort IDS and ACID howto
« Reply #17 on: May 11, 2002, 06:41:12 PM »
Has anybody been able to get port scanning to show on acid well?

Thanks

Garret

sabu

Re: Snort IDS and ACID howto
« Reply #18 on: May 26, 2002, 11:34:04 AM »
ok, to who ever can help me...

i followed the exact howto and now my httpd is not working

i try to start it back up again:

[root@stypel /root]# /usr/sbin/httpd
Syntax error on line 1893 of /etc/httpd/conf/httpd.conf:
Invalid command 'php_flag', perhaps mis-spelled or defined by a module not included in the server configuration
[root@stypel /root]#

so, then i edit /etc/httpd/conf/httpd.conf and change this:
    php_flag magic_quotes_gpc  on
    php_flag track_vars        on
to this:
    #php_flag magic_quotes_gpc  on
    #php_flag track_vars        on

i then start the httpd daemon and everything else works fine, but when i try and reach http://192.168.0.1/acid or http://www/acid (192.168.0.1 being my server's ip), i get "You are not authorized to view this page" in IE.

what to do?

note: i upgraded php and horde and imp, or something like that using one of the guides, then while trying to update blades (using 5.1.2), i got conflict errors, so i had to uninstall some stuff...


thanks,

sabu

sabu

Re: Snort IDS and ACID howto
« Reply #19 on: May 26, 2002, 05:06:29 PM »
now, come to think about it
ever since i updated my blades and had to uninstall imp and php, my www/stats (being phpSysInfo) has not been working; it just lists the directory and its contents, and when i go to www/stats/index.php, it still doesn't work.

i've gone back to the PHP upgrade page, tried to upgrade it again...
but still no success. im going to try and upgrade imp, because that's what i had installed last time and had to uninstall.

lets just hope this is a success

Guy McLean

Re: Snort IDS and ACID howto
« Reply #20 on: May 26, 2002, 09:10:49 PM »
I can't help with your httpd problem but the correct address for acid is https://www.yourservername/acid.

Guy

sabu

Re: Snort IDS and ACID howto
« Reply #21 on: May 27, 2002, 03:12:54 AM »
well, that was a start...

i got to the part where it was checking on security, i clicked yes, after that instead of loading the php page, it asked me if i wanted to download it. yes, my php is corrupt, broken, stuffed or however you want to put it. because the same thing happens with phpSysInfo. Can someone help me reinstall it?

thanks
sabu

Cyrus Bharda

Re: Snort IDS and ACID howto
« Reply #22 on: February 05, 2003, 02:23:55 AM »
Hello, I followed Ari's snort+ACID howto here:
 
http://marari.net/downloads/snort/acid-howto.htm
 
to the letter, I even cut and pasted all the commands in so I didn't make any
spelling mistakes, the ACID page works fine, but it displays 0 detects, so
I typed this:
 
[root@esmith root]# service snortd status
snort-mysql is stopped

so I tried starting it:
 
[root@esmith root]# service snortd start
Starting snort: Initializing Output Plugins!
                                                           [ FAILED ]
 
Even restarting didn't work:
 
[root@esmith root]# service snortd restart
Stopping snort:                                            [ FAILED ]
Starting snort: Initializing Output Plugins!
                                                           [ FAILED ]

What have I done wrong?
 
My system is 5.5 U3 and I did install the 5.5 specific files as well as the
guardian module, and in the order specified in your howto, still it does not
work, tried rebooting even, nothing!!
 
Any help would be greatly appreciated!!
 
Thanks for your time!
 
Cyrus Bharda

Cyrus Bharda

Re: Snort IDS and ACID howto
« Reply #23 on: February 05, 2003, 02:34:07 AM »
Just some more info, I was poring through logs to find out why it isn't starting and found this in my messages log:

Feb  5 09:18:09 esmith snort-mysql: Initializing Output Plugins!
Feb  5 09:18:10 esmith snort-mysql: ioctl(SIOC*MTU):No such device
Feb  5 09:18:10 esmith snort-mysql: Automagic MTU discovery failed. Using default 1500
Feb  5 09:18:10 esmith snort-mysql: FATAL ERROR: ERROR: OpenPcap() device eth1 open:  ^Ibind: No such device
Feb  5 09:18:10 esmith snortd: snort-mysql startup failed


Any ideas what all that means?

Thanks again in advance!

Cyrus Bharda
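Both Johnny's and Cyrus's logs above show the same failure: Snort dies at startup with "OpenPcap() device eth1 open: No such device" because the contrib expects a second Ethernet card while the external link is a PPP device (ippp0/ppp0). The check below is an added example, not part of Ari's contrib or this thread; it assumes the sniffing interface is named on an INTERFACE=<name> line of a sysconfig-style file (a constructed convention, not the contrib's own) and reads the host's interface list from a directory laid out like /sys/class/net.

```shell
#!/bin/sh
# Added example (not from the thread or the snort contrib): verify that the
# interface Snort is configured to sniff actually exists on this host, and
# pull the offending device name out of the syslog lines Snort leaves behind.

# Print the interface named by the last "INTERFACE=<name>" line in file $1.
# The INTERFACE= convention is an assumption made for this example.
snort_iface_from_config() {
    sed -n 's/^INTERFACE=//p' "$1" | tail -n 1
}

# Return 0 if interface $1 is present. $2 is the directory to look in,
# defaulting to /sys/class/net (one subdirectory per interface on Linux).
iface_exists() {
    [ -d "${2:-/sys/class/net}/$1" ]
}

# From a syslog file $1, print the device name of the first Snort
# "OpenPcap() device <dev> open" failure, or nothing if there is none.
snort_failed_device() {
    sed -n 's/.*OpenPcap() device \([^ ]*\) open.*/\1/p' "$1" | head -n 1
}

# Pre-flight check: config file $1, optional interface directory $2.
# Returns 0 when Snort can open the device, 1 when it is missing,
# 2 when the config names no interface at all.
check_snort_iface() {
    iface=$(snort_iface_from_config "$1")
    if [ -z "$iface" ]; then
        echo "no INTERFACE= line in $1" >&2
        return 2
    fi
    if iface_exists "$iface" "$2"; then
        echo "ok: $iface is present"
        return 0
    fi
    echo "FAIL: $iface is not present on this host; Snort would abort with" >&2
    echo "      'OpenPcap() device $iface open: No such device'" >&2
    echo "      interfaces seen: $(ls "${2:-/sys/class/net}" | tr '\n' ' ')" >&2
    return 1
}
```

Running check_snort_iface against the file your snortd init script reads (path depends on the contrib; treat it as an assumption) before `service snortd start` reports the eth1/ppp0 mismatch instead of leaving only the FATAL ERROR line in /var/log/messages.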

michael

Snort IDS on ppp0
« Reply #24 on: February 07, 2003, 12:55:24 AM »
hi all,

i have successfully installed ari's snort contrib - thx ari !

but snort is "snorting" only on the internal interface eth0.
i am using dsl over ppp0 with a dynamic ip - so i need to tell
snort this dynamic ip.

BUT HOW ?

this seems the same reason for this:

rpm -ivh trevor-mitel-guardian-2.0-1.noarch.rpm
Preparing...                ########################################### [100%]
   1:trevor-mitel-guardian  ########################################### [100%]

Installation complete.
Starting guardian: OS shows Linux
Warning! HostIpAddr is undefined! Attempting to guess..
Couldn't figure out the ip address
[ FAILED ]

The logfile can be found at /var/log/guardian.log
Configuration file is found at /etc/guardian.conf

By default, guardian will block the IP and mail the
administrator account.  To change these actions edit
the /bin/guardian_block.sh file.

PLEASE NOTE: This RPM is for use with SME Server 5.6
and subsequent releases using the linux 2.4 kernel and
iptables. Use on earlier versions of the SME server
will not work.