Koozali.org: home of the SME Server

Snort IDS and ACID howto

Ari

Snort IDS and ACID howto
« on: April 24, 2002, 07:21:17 PM »
I've just finished a new howto on installing the Snort IDS and ACID (Analysis Console for Intrusion Databases) on the SME 5.1.2 server

Note: The test installation was done on a 'relatively' stock system (no major mods)

http://www.marari.net/downloads/snort/acid-howto.htm

As always, feedback would be appreciated. I'm sure the snort.conf and/or the snort command line could use a bit of 'tweaking'...

Cheers!
Ari

guestHH

Re: Snort IDS and ACID howto
« Reply #1 on: April 24, 2002, 09:08:43 PM »
well done Ari!

Regards,
guestHH

Ari

Re: Snort IDS and ACID howto
« Reply #2 on: April 24, 2002, 09:59:22 PM »
guestHH wrote:
>
> well done Ari!
>
> Regards,
> RequestedDeletion


Thanks!!
:-D

Ari

Amir

Re: Snort IDS and ACID howto
« Reply #3 on: April 25, 2002, 10:52:55 PM »
THANKS!.. I was looking to do this over the weekend, now it's suddenly easier ;-)

Ari Novikoff

Re: Snort IDS and ACID howto
« Reply #4 on: April 26, 2002, 02:39:02 AM »
And it's become even easier yet!

Thanks to some contrib from Trevor Ouellette and a bit of bug hunting, the RPM has been updated to do a lot of the manual work. Setup is now 2 steps!!

http://www.marari.net/downloads/snort/acid-howto.htm

Source, of course, is always available. See the howto.

Cheers!
Ari

tibor

Re: Snort IDS and ACID howto
« Reply #5 on: April 26, 2002, 04:46:39 AM »
Ari:

Everything installed OK, I could see Code Red alerts right away. The only problem I could see, the ACID did not display any port scans. I used Shields Up! port scan test (http://grc.com). Snort detected it, I could see spp_portscan entries in /var/logs/snort/alert, as well as new entries in /var/logs/snort/portscan.log, but the Portscan Traffic in ACID stays on 0%. Is there anything else I should configure to enable portscans logging in MySQL?

Thanks,

Tibor

Ari Novikoff

Re: Snort IDS and ACID howto
« Reply #6 on: April 26, 2002, 07:40:10 AM »
There's a bit of tweaking, actually, that you can do in Acid.

The file you'll need to edit is (if you are running ari-mitel-acid-1.0.0-10.noarch.rpm) in /etc/e-smith/templates/opt/administration/acid/acid_conf.php

The file is called 00acid_conf.php and somewhere down the looooooooong config list is something for portscan... I believe it's an add-in module if memory serves me correctly...

Best off to visit the Acid home page and look for instructs...

http://www.cert.org/kb/acid/

Cheers!
Ari

Darrin Domoney

Re: Snort IDS and ACID howto
« Reply #7 on: April 26, 2002, 10:37:42 AM »
Ari,
I tried to access your howtos and downloads and got an access denied error. Any ideas?

Thanks,
Darrin

Ari

Re: Snort IDS and ACID howto
« Reply #8 on: April 26, 2002, 07:02:24 PM »
Darrin Domoney wrote:
>
> Ari,
>      I tried to access your howto's and downloads and got an
> access denied error. Any ideas ?
>
> Thanks,
> Darrin

How do you possibly expect me to be able to help you with this limited information? You may as well have asked me "How high is up?"

Can you please try to be a bit more SPECIFIC so that I can assess what -possibly- went wrong during your installation? i.e. When did the error occur? What did you do -EXACTLY- before the error occurred.. etc.

Darrin Domoney

Re: Snort IDS and ACID howto
« Reply #9 on: April 26, 2002, 08:13:16 PM »
Ari,
I know that you have been a valuable contributor to the e-smith community so I will chalk up your answer to having a bad day....
Again - I went to your web site using the web link that you had posted in the forum and was unable to access anything. I would expect that this is just a minor config problem. I have not tried to install anything yet as I have been unable to access anything.
In the future please read before responding.

Thanks,
Darrin

Ari

Re: Snort IDS and ACID howto
« Reply #10 on: April 26, 2002, 09:53:45 PM »
yeah.. I was having a bad day. Sorry.

The problem on my server is fixed (I moved things around and forgot that I had an ibay that shared the same name as a subdirectory, which was causing all the problems).

download and go to town.

Ari

Johnny

Re: Snort IDS and ACID howto
« Reply #11 on: May 01, 2002, 07:04:05 AM »
Hi Ari,

Interesting contrib!! Took me a couple of days to get close to a working IDS system, but it's getting there now. I'll outline the changes I've made in an effort to hopefully get some help ironing out a couple of problems.

Running the install straight from the how-to barfed everywhere, seeming to centre round the inability to detect the external ip (ippp0) and its desire to declare a non-existent eth1.

After a little rooting around, I came across /etc/guardian.conf, and altered the entry for 'Interface' to 'eth0'. Next I edited /etc/snort/snort.conf, removing the external ip it inserted at 'var HOME_NET' and declared my internal network.

After rebooting, the command #service --status-all declared 'snort is stopped' and 'No Pluto running!'. If I use the command snort -d -h 192.168.168.0/24 -c snort.conf &, everything works fine, i.e. logging info appears via the web interface when I run test scans.

My questions are...
1. What is Pluto for and how do I start it? Do I need it?
2. How do I automate the snort daemon? I think this relates to the eth1 error below. Is the path to snort.conf correct? ( I found another in ..templates/etc/snort/snort.conf/00snort.conf )
3. I declared the variable $portscan_file = "/var/log/snort/portscan.log"; in the 00acid_conf.php file as you suggested, but the portscan.log file is still empty, although the file has been created, any suggestions? The web interface gives the error 'PORTSCAN EVENT ERROR: No file was specified in the $portscan_file variable'

Here is the error message I get on boot-up...

May  1 02:26:27 big-cahunha modprobe: modprobe: Can't locate module eth1
May  1 02:26:27 big-cahunha snort-mysql: ioctl(SIOC*MTU):No such device
May  1 02:26:27 big-cahunha snort-mysql: Automagic MTU discovery failed. Using default 1500
May  1 02:26:27 big-cahunha snort-mysql: FATAL ERROR: ERROR: OpenPcap() device eth1 open:  ^Iioctl: No such device
May  1 02:26:27 big-cahunha snortd: snort-mysql startup failed
May  1 02:26:27 big-cahunha sysmonitor: Starting system monitor:
May  1 02:26:27 big-cahunha sysmonitor: OK
Wed May  1 02:26:28 BST 2002 System monitor daemon started.
May  1 02:26:28 big-cahunha sysmonitor:
May  1 02:26:28 big-cahunha rc: Starting sysmonitor:  succeeded
May  1 02:26:28 big-cahunha guardian.pl: OS shows Linux
May  1 02:26:28 big-cahunha guardian.pl: Warning! HostIpAddr is undefined! Attempting to guess..
May  1 02:26:28 big-cahunha guardian.pl: Got it.. your HostIpAddr is 192.168.168.1
May  1 02:26:28 big-cahunha guardian.pl: My ip address and interface are: 192.168.168.1 eth0
May  1 02:26:28 big-cahunha guardian.pl: Loaded 0 addresses from /etc/guardian.ignore
May  1 02:26:28 big-cahunha guardian.pl: Becoming a daemon..
May  1 02:26:28 big-cahunha guardiand: guardian.pl startup succeeded

Wheeeeww, that took a while ;)
Hope at least some of it makes sense...

Ari Novikoff

Re: Snort IDS and ACID howto
« Reply #12 on: May 02, 2002, 01:58:26 AM »
Johnny >
> My questions are...

> 2. How do I automate the snort deamon? I think this relates
> to the eth1 error below. Is the path to snort.conf correct? (
> I found another in
> ..templates/etc/snort/snort.conf/00snort.conf )

snort.conf is located in /etc/snort - the 00snort.conf file is a template fragment.
The correct path is: /etc/snort/snort.conf


> 3. I declared the variable $portscan_file =
> "/var/log/snort/portscan.log"; in the 00acid_conf.php file as
> you suggested, but the portscan.log file is still
> empty,although the file has been created, any suggestions?
> The web interface gives the error 'PORTSCAN EVENT ERROR: No
> file was specified in the $portscan_file variable'

Portscan is an add-in module that is not part of this contrib. When I have some time I'll get working on it.

Just a couple of points if I may...

1) The contrib was designed to run on the Mitel SME server v5.X or the ESSG 4.1.2 with a relatively "stock" installation. If your system has been heavily modified, I can't really help you as there are too many variables.

2) Aside from a couple of minor glitches in some of the initial releases of this contrib, there have been no major problems installing and/or using it and I have received emails from numerous people saying that the how-to was flawless.

Having said that, I would be inclined to believe that your installation is far from stock and/or standard.

Am I close?
>
> Here is the error message I get on boot-up...
>
> May  1 02:26:27 big-cahunha modprobe: modprobe: Can't locate
> module eth1
> May  1 02:26:27 big-cahunha snort-mysql: ioctl(SIOC*MTU):No
> such device
> May  1 02:26:27 big-cahunha snort-mysql: Automagic MTU
> discovery failed. Using default 1500
> May  1 02:26:27 big-cahunha snort-mysql: FATAL ERROR: ERROR:
> OpenPcap() device eth1 open:  ^Iioctl: No such device
> May  1 02:26:27 big-cahunha snortd: snort-mysql startup failed
> May  1 02:26:27 big-cahunha sysmonitor: Starting system
> monitor:
> May  1 02:26:27 big-cahunha sysmonitor: OK
> Wed May  1 02:26:28 BST 2002 System monitor daemon started.
> May  1 02:26:28 big-cahunha sysmonitor:
> May  1 02:26:28 big-cahunha rc: Starting sysmonitor:  succeeded
> May  1 02:26:28 big-cahunha guardian.pl: OS shows Linux
> May  1 02:26:28 big-cahunha guardian.pl: Warning! HostIpAddr
> is undefined! Attempting to guess..
> May  1 02:26:28 big-cahunha guardian.pl: Got it.. your
> HostIpAddr is 192.168.168.1
> May  1 02:26:28 big-cahunha guardian.pl: My ip address and
> interface are: 192.168.168.1 eth0
> May  1 02:26:28 big-cahunha guardian.pl: Loaded 0 addresses
> from /etc/guardian.ignore
> May  1 02:26:28 big-cahunha guardian.pl: Becoming a daemon..
> May  1 02:26:28 big-cahunha guardiand: guardian.pl startup
> succeeded
>
> Wheeeeww, that took a while ;)
> Hope at least some of it makes sense...

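Johnny's boot log (snort-mysql failing on a non-existent eth1) and the HOME_NET and snort.conf path points in this exchange suggest a small pre-flight check an init script could run before starting snort. This is an added example, not code from the howto, the RPM or anyone in the thread; it assumes a kernel that lists interfaces under /sys/class/net (newer than the 2002 system above; `ifconfig` would do the same job there), a snort.conf using `var NAME value` lines, and the sample config is constructed.

```shell
#!/bin/sh
# Added example: refuse to start snort when the sniffing interface does not
# exist ("OpenPcap() device eth1 open: ... No such device" in the log above)
# or when HOME_NET has not been set to the local network.

# Interfaces are looked up under sysfs; NET_SYSFS is overridable for testing.
NET_SYSFS="${NET_SYSFS:-/sys/class/net}"

# snort_cfg_var CONF NAME -> prints the value of "var NAME value" in CONF.
snort_cfg_var() {
    awk -v name="$2" '$1 == "var" && $2 == name { print $3; exit }' "$1"
}

# iface_present IFACE -> success if the kernel knows the interface.
iface_present() {
    [ -d "$NET_SYSFS/$1" ]
}

# snort_preflight CONF IFACE -> 0 if snort can be started, 1 otherwise,
# with the reasons on stderr (usable from an init script's start case).
snort_preflight() {
    conf="$1"; iface="$2"; ok=0
    [ -r "$conf" ] || { echo "preflight: cannot read $conf" >&2; return 1; }
    if ! iface_present "$iface"; then
        echo "preflight: interface $iface does not exist; fix the init script" >&2
        ok=1
    fi
    home_net="$(snort_cfg_var "$conf" HOME_NET)"
    case "$home_net" in
        "")  echo "preflight: HOME_NET is not set in $conf" >&2; ok=1 ;;
        any) echo "preflight: HOME_NET is 'any'; set it to the LAN" >&2; ok=1 ;;
    esac
    return $ok
}

# Constructed sample config mirroring the HOME_NET change made in the thread.
SAMPLE_CONF="$(mktemp)"
cat > "$SAMPLE_CONF" <<'EOF'
var HOME_NET 192.168.168.0/24
var EXTERNAL_NET any
EOF

# Stand-alone run: print the command line that would be used, or the reasons
# snort should not be started on this host.
if snort_preflight "$SAMPLE_CONF" eth0; then
    echo "snort -d -h $(snort_cfg_var "$SAMPLE_CONF" HOME_NET) -c /etc/snort/snort.conf -i eth0"
else
    echo "not starting snort" >&2
fi
```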
hanscees

Re: Snort IDS and ACID howto
« Reply #13 on: May 02, 2002, 04:32:42 AM »
hmm,
my snort says it cannot find the /root.snortrc file?

Johnny

Re: Snort IDS and ACID howto
« Reply #14 on: May 02, 2002, 04:44:49 AM »
Yes, I must confess!!

There are more than a couple of 'additional features' provided by the fine contributors to SME :) , it's just unfortunate that the reality of Linux's interdependencies is far flung from the modular heaven we were promised, lol...

I guess the search continues for a working IDS enabled system.

Regards,
Johnny