Koozali.org: home of the SME Server

Howto snort 2.1.1 + Acid

MasterSleepy

Howto snort 2.1.1 + Acid
« on: March 24, 2004, 08:44:44 AM »
Hello,

I just finished a howto and some rpms for the installation of snort 2.1.1 and Acid on an SME-server 6.0 or greater.

http://vanhees.homeip.net/index.php?module=ContentExpress&func=display&ceid=19

Regards

Anonymous

Howto snort 2.1.1 + Acid
« Reply #1 on: March 24, 2004, 01:52:24 PM »
I'll try this out.  Do you have any suggestions on how to update the signatures on a regular basis?

Anonymous

Howto snort 2.1.1 + Acid
« Reply #2 on: March 24, 2004, 01:56:45 PM »
when installing sme-acid I get the following:
Preparing...                ########################################### [100%]
   1:sme-acid               error: unpacking of archive failed on file /opt/administration/acid/acid_main.php;40618538: cpio: read failed - Bad file descriptor

MasterSleepy

Howto snort 2.1.1 + Acid
« Reply #3 on: March 24, 2004, 02:43:55 PM »
Hello,

It seems that your download has a problem; try to redownload the rpm.
I made a test on a test server, downloading from the link that was specified in the howto, and there is no problem.

Regards.

jahlewis

Howto snort 2.1.1 + Acid
« Reply #4 on: March 24, 2004, 02:57:35 PM »
ok, redownloaded and installed fine

started snort, and could access acid interface no problem

I edited /etc/sysconfig/snort to have it use eth1 (my external nic) and restarted snortd

I'm seeing alerts in /var/log/snort

But nothing in acid

I see no output plugin setting in /etc/snort/snort.conf, nor any reference to it in /etc/sysconfig/snort

Nor did I see any access settings for the snort_log db in phpMyAdmin

I added a snort user, and gave it admin priv's to the snort_log db, and added a output line in snort.conf, but got this when restarting snortd

Mar 24 08:43:19 gluon snort: command line overrides rules file alert plugin!

So how do I find out what that output plugin line is (to troubleshoot why alerts aren't being entered into snort_log/acid)?

Is portscanning on?  Will it show up in acid?

Thanks

MasterSleepy

Howto snort 2.1.1 + Acid
« Reply #5 on: March 24, 2004, 03:24:15 PM »
Hi,

Normally you don't have to change the file /etc/sysconfig/snort; all settings are made in /etc/snort/snort.conf.

For the problem with mysql:
in your /etc/snort/snort.conf at line 457 you should have an entry like:
output database: log, mysql, use...

That is the configuration for the output. This option is initialized at the installation of the package sme-snort-0.1-1.

Regards,

MasterSleepy

Howto snort 2.1.1 + Acid
« Reply #6 on: March 24, 2004, 04:27:46 PM »
OK, I apologize, I made a mistake.

I just forgot to change some other things.

I have updated sme-snort-0.1-1

Please update the installed contrib and relaunch snort.

Thanks

Anonymous

Howto snort 2.1.1 + Acid
« Reply #7 on: March 24, 2004, 05:28:10 PM »
ok, downloaded sme-snort-0.1.1.noarch.rpm

#rpm -e sme-snort sme-acid

# rpm -Uvh sme-snort-0.1-1.noarch.rpm sme-acid-0.1-1.noarch.rpm
Preparing...                ########################################### [100%]
file /etc/rc.d/init.d/snortd from install of sme-snort-0.1-1 conflicts with file from package snort-2.1.1-1

Now I can't install sme-snort...

MasterSleepy

Howto snort 2.1.1 + Acid
« Reply #8 on: March 24, 2004, 05:39:45 PM »
Remove the old one
rpm -e sme-snort-0.1-1

and install the new one

rpm -ivh --force sme-snort-0.1-1.noarch.rpm

I have updated the doc to mention this command.

jahlewis

Howto snort 2.1.1 + Acid
« Reply #9 on: March 24, 2004, 06:07:16 PM »
I've done so.  Snort is running, and logging alerts to /var/log/snort/

However, there is still no uncommented output entry in snort.conf, nor is there a user setup for snort_log in mysql

How is snort supposed to access snort_log?  Could you send me the output line to jlewis@arachnerd.org?

Thanks.

MasterSleepy

Howto snort 2.1.1 + Acid
« Reply #10 on: March 24, 2004, 07:50:29 PM »
Snort-mysql is configured to access the mysql DB with the root login, and the password is found and integrated.
I have added an option to control mysql output.
check with
/sbin/e-smith/db configuration print snortd

You should have
snortd=service|InitscriptOrder|97|mysql|enabled|status|enabled

If you have
snortd=service|InitscriptOrder|97|mysql|disabled|status|enabled

do:
/sbin/e-smith/db configuration setprop snortd mysql enabled
/sbin/e-smith/expand-template /etc/snort/snort.conf

and restart snortd.

Regards.
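As an added example (not from the thread or the sme-snort package), here is a small POSIX sh helper that parses the `key=type|prop|value|...` record format printed by `db configuration print` and checks the snortd mysql property, so the test described in the post above can be scripted rather than read by eye. The record is a constructed sample; `record_prop`, `snort_mysql_output_enabled` and `ensure_snort_mysql_output` are names chosen here, and the last of these only runs the three commands the post itself gives.

```shell
#!/bin/sh
# Added example, not the sme-snort package's own code: read an e-smith
# configuration-db record (key=type|prop|value|prop|value...) and check
# whether the snortd "mysql" property is enabled.

# Constructed sample, in the shape `db configuration print snortd` prints.
SAMPLE_RECORD='snortd=service|InitscriptOrder|97|mysql|disabled|status|enabled'

# record_prop RECORD PROP -> prints PROP's value, exit status 1 if absent.
# Runs in a subshell so the IFS change and `set -f` (no globbing of a
# value such as "*") do not leak into the caller.
record_prop() (
    _want=$2
    _props=${1#*=}          # drop the "key=" prefix
    _props=${_props#*|}     # drop the record type ("service")
    set -f
    IFS='|'
    set -- $_props          # split the remaining fields on "|"
    while [ $# -ge 2 ]; do
        if [ "$1" = "$_want" ]; then
            printf '%s\n' "$2"
            exit 0
        fi
        shift 2
    done
    exit 1
)

# snort_mysql_output_enabled RECORD -> 0 when the mysql property is "enabled".
snort_mysql_output_enabled() {
    [ "$(record_prop "$1" mysql)" = enabled ]
}

# Hypothetical helper for a live SME box: apply the fix from the post above
# only when the property is not already enabled.
ensure_snort_mysql_output() {
    _rec=$(/sbin/e-smith/db configuration print snortd) || return 1
    snort_mysql_output_enabled "$_rec" && return 0
    /sbin/e-smith/db configuration setprop snortd mysql enabled &&
        /sbin/e-smith/expand-template /etc/snort/snort.conf &&
        /etc/rc.d/init.d/snortd restart
}

# Stand-alone demo on the constructed record.
printf 'snortd mysql=%s\n' "$(record_prop "$SAMPLE_RECORD" mysql)"
```

Because the value is parsed positionally (prop, value, prop, value), the check does not depend on where `mysql` sits in the record, which is what makes it safe to use after a package update reorders or adds properties.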

jahlewis

Howto snort 2.1.1 + Acid
« Reply #11 on: March 24, 2004, 08:02:54 PM »
[root@gluon snort]# /sbin/e-smith/db configuration print snortd
snortd=service|InitscriptOrder|97|mysql|enabled|status|enabled

however, nothing was being updated to the db

using mysql_setpermissions, I added a snort user and gave access to snort_log, I then added
output database: log, mysql, user=snort password=???? dbname=snort_log host=localhost
to /etc/snort/snort.conf

now eth0 shows up in db as a sensor, so that's working

Now... how do I force snort to use eth1, not eth0?
I edited /etc/sysconfig/snort, to no avail; do I need to manually edit /etc/init.d/snortd?

Thanks for your help and for the packages.

MasterSleepy

Howto snort 2.1.1 + Acid
« Reply #12 on: March 24, 2004, 09:59:46 PM »
Hi jahlewis,
You don't have to create a new mysql user.
Normally, all mysql access is configured during the rpm install.
Except one thing: after installing sme-snort, run:
/sbin/e-smith/expand-template /etc/snort/snort.conf

You don't have to do anything else.

Regards,

wyron

Howto snort 2.1.1 + Acid
« Reply #13 on: March 24, 2004, 10:12:06 PM »
Quote from: "MasterSleepy"
You don't have to do anything else.

Well, Master Sleepy, I'm not so sure about that.
Since I created a download ibay for the community last night, and can see that it's rather heavily visited, I installed Snort and Acid too, just now, to keep track of the traffic on my server.
I also did the expand-template thing but still the number of sensors is 0?
Greetings
wyron

Anonymous

Howto snort 2.1.1 + Acid
« Reply #14 on: March 25, 2004, 12:39:51 AM »
I'm having the same problem. The snort logfiles are filled up, but the mysql db is not updated.

jahlewis

Howto snort 2.1.1 + Acid
« Reply #15 on: March 25, 2004, 01:56:07 AM »
Quote from: "MasterSleepy"

Except one things, after installing sme-snort, make :
/sbin/e-smith/expand-template /etc/snort/snort.conf
That did it.  Correctly put in networking info for HOME_NET and EXTERNAL_NET, and correctly put in the output settings

However, I needed to hack /etc/init.d/snortd to get it to start up on eth1 instead of eth0 (which is my internal nic), replacing all the if statements before and in the start function with:
######################################
# Now to the real heart of the matter:

# See how we were called.
case "$1" in
  start)
        echo -n "Starting snort: "
        cd $LOGDIR
        daemon /usr/sbin/snort -D -o -i eth1 -u snort -g snort -c /etc/snort/snort.conf
        touch /var/lock/subsys/snort
        echo
        ;;

Now everything is working fine.

Have you thought about incorporating oinkmaster.pl to keep the rules updated?

The coolest would be a server-manager panel allowing you to configure the snort.conf file, and to specify the startup options...

Or..., as I'm about to do, I can go and use IDS Policy Manager to manage the conf and rulesets (http://www.activeworx.com)

MasterSleepy

Howto snort 2.1.1 + Acid
« Reply #16 on: March 25, 2004, 12:16:32 PM »
Hi,

You are right, I have updated the howto.
Thanks for the help.

sme-snort installs a cron task to update the snort rules weekly.

Regards.

wyron

Howto snort 2.1.1 + Acid
« Reply #17 on: March 25, 2004, 01:17:46 PM »
Aah, updating as per your new howto made all the difference.
Now I see what it's all about!
Greetings
wyron

wykyd

Howto snort 2.1.1 + Acid
« Reply #18 on: March 31, 2004, 04:08:48 PM »
Well thanx for the howto, it installed great and it all seems to be running.

I edited the snort conf as you said

if [ "$INTERFACE"X = "X" ]; then
   INTERFACE="-i ppp0"
else
#   INTERFACE="-i $INTERFACE"
 INTERFACE="-i ppp0"
fi
 and

daemon /usr/sbin/snort -D $INTERFACE -u $USER -g $GROUP $CONF

that's straight from my config.

Now just asking but I got my first three hits from my own IP as the source?

They are

[bugtraq]nessus[snort] WEB-PHP viewtopic.php access    2004-03-31 23:46:32 xxx.xxx.xxx.xxx:36361 69.9.12.50:80 TCP    
bugtraq]nessus[snort] WEB-PHP viewtopic.php access 2004-03-31 23:46:46 xxx.xxx.xxx.xxx:36362 69.9.12.50:80 TCP  
[bugtraq]nessus[snort] WEB-PHP viewtopic.php access    2004-03-31 23:56:41 xxx.xxx.xxx.xxx:36405 69.9.12.50:80 TCP  

the bug track said it was from

phpBB Viewtopic.PHP SQL Injection Vulnerability

So is this right? Why is my IP the source that it is blocking?

MasterSleepy

Howto snort 2.1.1 + Acid
« Reply #19 on: March 31, 2004, 10:16:08 PM »
Hi,

I saw that problem recently.
I will make a new version of sme-snort shortly.
It will correct some other bugs in the rpm.

Regards.

wykyd

Howto snort 2.1.1 + Acid
« Reply #20 on: April 01, 2004, 01:04:05 AM »
Well I checked it this morning and it is logging properly.

But every time I visit this forum and every time I open a thread I get an event in snort?

But anyway, small issue. It is logging so I guess it is right :D

wyron

Howto snort 2.1.1 + Acid
« Reply #21 on: April 01, 2004, 07:44:23 AM »
Well, it's working, but I have no log to rotate.
The entry in my cron-daily log-rotation reads:
---
error: error accessing /var/log/snort/*: No such file or directory
error: snort:4 glob failed for /var/log/snort/*/*log
---
The entries are, however, added up and viewable in Acid ???
Greetings
wyron

MasterSleepy

Howto snort 2.1.1 + Acid
« Reply #22 on: April 01, 2004, 05:53:54 PM »
Hi,

I have made several corrections in the rpms sme-snort and sme-acid.
The doc is up to date.

Please remove the old package before installing the new version.

http://vanhees.homeip.net/index.php?module=ContentExpress&func=display&ceid=19

Regards.

wykyd

Howto snort 2.1.1 + Acid
« Reply #23 on: April 02, 2004, 02:51:29 AM »
OK I downloaded then and will set them up tonight.

What did you change?

MasterSleepy

Howto snort 2.1.1 + Acid
« Reply #24 on: April 02, 2004, 06:45:15 AM »
Now the archive database is created,
expanding the snort config file is now automatic,
OuterneIF configuration in the config and init script is automatic for those who have version 6.0 or greater of SME,
I added the address of OuterneIF to the internal addresses, to reduce some alerts that come with that IP as source.

Well, that's almost everything.

Regards.

ajkeane

Howto snort 2.1.1 + Acid
« Reply #25 on: April 02, 2004, 01:32:09 PM »
I am getting the following error when installing sme-snort-0.2-1.noarch.rpm

WARNING in /etc/e-smith/templates-custom//etc/snort/snort.conf/20OutputSetting: Use of uninitialized value in string eq at /etc/e-smith/templates-custom//etc/snort/snort.conf/20OutputSetting line 20.
WARNING: Template processing succeeded for //etc/snort/snort.conf: 1 fragment generated warnings
 at /sbin/e-smith/expand-template line 49

Tony

MasterSleepy

Howto snort 2.1.1 + Acid
« Reply #26 on: April 02, 2004, 02:28:48 PM »
Hello ajkeane,

To solve the problem, just type the following command:
/sbin/e-smith/expand-template /etc/snort/snort.conf

or install the new version; I've just made the modification so that the problem doesn't occur in the future.

Thanks for testing.
Regards.

ajkeane

Howto snort 2.1.1 + Acid
« Reply #27 on: April 02, 2004, 09:49:48 PM »
This was installing the new version. I had the old version running and uninstalled it to get up to the latest version.

I will download the RPM again and give it another go. Will let you know how I get on.

Tony

ajkeane

Howto snort 2.1.1 + Acid
« Reply #28 on: April 02, 2004, 10:53:36 PM »
I have downloaded the latest RPM again and reinstalled, and no error messages. Looks like it's working; I will wait and see if anything starts being reported.

Thanks for the great help.

Tony

electroman00

Howto snort 2.1.1 + Acid
« Reply #29 on: April 03, 2004, 09:43:19 PM »
Tony

Are you installing to the 6.01.01 custom?

Richard

ajkeane

Howto snort 2.1.1 + Acid
« Reply #30 on: April 03, 2004, 11:22:50 PM »
Yes

I am installing on 6.01-01 custom.

Tony

wykyd

Howto snort 2.1.1 + Acid
« Reply #31 on: April 05, 2004, 02:40:04 AM »
Quote from: "wyron"

---
error: error accessing /var/log/snort/*: No such file or directory
error: snort:4 glob failed for /var/log/snort/*/*log
---
The entries are, however, added up and viewable in Acid ???

I am getting this too, I am also running the new rpms.

It still gives me an event when I come to this forum too.

But everything is fine in ACID though, it's logging away quite well.

MasterSleepy

Howto snort 2.1.1 + Acid
« Reply #32 on: April 05, 2004, 06:27:52 AM »
Hi,

Could you tell me what kind of alert you have?
Is it an "http_inspect"?

Regards.

Appesteijn

Howto snort 2.1.1 + Acid
« Reply #33 on: April 05, 2004, 11:46:17 AM »
Maybe a little off-topic, but does anyone know if this version of snort works in combination with the trevor-mitel-guardian-1.7.rpm ?

ajkeane

Howto snort 2.1.1 + Acid
« Reply #34 on: April 05, 2004, 11:54:45 AM »
I had it installed and it was reporting that it was blocking the I.P.s I never actually checked the logs to see what it was doing though.

In short yes it seems to work.

Tony

Appesteijn

Howto snort 2.1.1 + Acid
« Reply #35 on: April 05, 2004, 12:23:07 PM »
Ok, good to hear. I've just installed it and I'm getting weird e-mails from guardian:

Guardian has blocked ip: eth1. (instead of e.g. 123.456.789.102)

I've tried the ./db configuration set ExternalInterface eth1 and also eth0, but neither worked. Should I check the interfaces in snort.conf?

$HOME_NET and EXTERNALIP are both correct. Still snort is mostly logging my internal IP addresses.

wykyd

Howto snort 2.1.1 + Acid
« Reply #36 on: April 06, 2004, 03:15:15 AM »
Quote from: "MasterSleepy"
Hi,

Could you tell me what kind of alert you have?
Is it an "http_inspect"?

Regards.

WEB-PHP viewtopic.php access web-application
http://www.securityfocus.com/bid/7979

phpBB Viewtopic.PHP SQL Injection Vulnerability

bugtraq id 7979
object  
class Input Validation Error
cve CAN-2003-0486
 
remote Yes
local No
published Jun 19, 2003
updated Jun 28, 2003
vulnerable phpBB Group phpBB 2.0.4
phpBB Group phpBB 2.0.5


I get it every time I come to this site and browse the forums.

mrjhb3

Howto snort 2.1.1 + Acid
« Reply #37 on: April 16, 2004, 04:53:13 AM »
I have just installed this package and am seeing the below errors during install:

/var/tmp/rpm-tmp.32310: ehco: command not found

WARNING in /etc/e-smith/templates-custom//etc/snort/snort.conf/20OutputSetting: Use of uninitialized value in string eq at /etc/e-smith/templates-custom//etc/snort/snort.conf/20OutputSetting line 20.

WARNING: Template processing succeeded for //etc/snort/snort.conf: 1 fragment generated warnings
 at /sbin/e-smith/expand-template line 49

I ran the expand-template a second time and I didn't get the error.  

Could there be a typo in the rpm (ehco instead of echo)?  I get this on every install I do.

Thanks,

JB

MasterSleepy

Howto snort 2.1.1 + Acid
« Reply #38 on: April 16, 2004, 10:20:14 AM »
Hi,

I think that you installed an old version.
Try to re-download sme-snort and retry.
That kind of problem was solved with the new one.

Regards.

mrjhb3

Howto snort 2.1.1 + Acid
« Reply #39 on: April 16, 2004, 02:20:14 PM »
Master Sleepy,

I did download the latest versions.
Here is what I have installed on SME 6.01-01

sme-snort-0.2-1
snort-mysql-2.1.1-1
sme-acid-0.2-1
snort-2.1.1-1

I'll re-download them and install it again and see what I get.

JB

mrjhb3

Howto snort 2.1.1 + Acid
« Reply #40 on: April 16, 2004, 02:26:10 PM »
I see the possible issue.

sme-snort is at 0.2-2, but the howto states
0.2-1.  I didn't bother to look in the download section to see if there were any newer files.  I'll re-install and see what I get.  

Thanks again,

JB

SoundSailor

Howto snort 2.1.1 + Acid
« Reply #41 on: April 16, 2004, 04:31:37 PM »
Just installed as per your "How To". Worked as advertised. Thanks Michel for a great effort.

Drifting

Howto snort 2.1.1 + Acid
« Reply #42 on: April 17, 2004, 05:43:55 PM »
Quote from: "electroman00"
Tony

Are you installing to the 6.01.01 custom?

Richard


Not sure about Tony, but the install went well on my custom ISO sme server. All I would like now is the Guardian program  :lol:

Paul.
Infamy, Infamy, they all have it in for me!

ajkeane

Howto snort 2.1.1 + Acid
« Reply #43 on: April 17, 2004, 10:36:24 PM »
As previously stated I have guardian installed and it is working. Only issue is that I get messages saying that 127.0.0.1 has been blocked.

Tony

guest

Howto snort 2.1.1 + Acid
« Reply #44 on: April 23, 2004, 03:10:50 PM »
A workaround could be to add 127.0.0.1 to /etc/guardian.ignore

Crome

Howto snort 2.1.1 + Acid
« Reply #45 on: April 27, 2004, 01:04:49 PM »
Will this howto work with Snort 2.1.2?

Crome

Howto snort 2.1.1 + Acid
« Reply #46 on: May 02, 2004, 04:42:18 PM »
Ok,

A lot of posts on this subject but I'm not sure how to proceed. I've got the following RPMS installed:

Quote
snort-mysql-2.1.1-1
snort-2.1.1-1
sme-snort-0.2-2
sme-acid-0.2-1

Now, I've got 2 problems:
- I'm pretty sure only traffic from eth0 is being watched. How do I change this? It isn't very clear from all the various posts.
- I get the following error from my daily cron job:

Quote
/etc/cron.daily/logrotate:

error: error accessing /var/log/snort/*: No such file or directory
error: snort:4 glob failed for /var/log/snort/*/*log


What shall I do?

MasterSleepy

Howto snort 2.1.1 + Acid
« Reply #47 on: May 02, 2004, 09:52:20 PM »
Hello,

Edit the file /etc/logrotate.d/snort
and replace the line
/var/log/snort/*log /var/log/snort/*/alert /var/log/snort/*/*log

by
/var/log/snort/alert

Regards.
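As an added example (not part of the sme-snort package), the following POSIX sh helper expands each path pattern from a logrotate stanza and reports which ones match nothing, which is the condition behind the "glob failed" error quoted above, and then generates a stanza that names only the files that actually exist. `logrotate_matches` and `snort_logrotate_stanza` are names chosen here, and the rotation directives in the generated stanza are illustrative rather than the package's own.

```shell
#!/bin/sh
# Added example, not the package's logrotate file: find out which patterns
# in a logrotate stanza match real files before editing /etc/logrotate.d/snort.

# logrotate_matches PATTERN... -> prints each pattern that matches at least
# one existing path; returns 1 if any pattern matched nothing (the condition
# behind logrotate's "glob failed" error).
logrotate_matches() {
    set +f                   # make sure pathname expansion is on
    _rc=0
    for _pat in "$@"; do
        _hit=0
        for _f in $_pat; do  # unquoted on purpose: the shell expands the glob
            [ -e "$_f" ] && _hit=1
        done
        if [ "$_hit" -eq 1 ]; then
            printf '%s\n' "$_pat"
        else
            echo "no match: $_pat" >&2
            _rc=1
        fi
    done
    return "$_rc"
}

# snort_logrotate_stanza FILE... -> a stanza naming only FILEs, restarting
# snortd through the init script the thread uses so it reopens its log.
snort_logrotate_stanza() {
    printf '%s ' "$@"
    cat <<'EOF'
{
    weekly
    rotate 4
    compress
    missingok
    notifempty
    postrotate
        /etc/rc.d/init.d/snortd restart >/dev/null 2>&1 || true
    endscript
}
EOF
}

# Stand-alone demo against the real directory, if present: the three
# patterns from the original file plus the one the fix above keeps.
if [ -d /var/log/snort ]; then
    logrotate_matches '/var/log/snort/*log' '/var/log/snort/*/alert' \
                      '/var/log/snort/*/*log' '/var/log/snort/alert' || true
fi
```

Running the demo on a box where only /var/log/snort/alert exists shows why the original three patterns fail: none of them can match a file named `alert` at the top level, so logrotate has nothing to rotate and reports the glob error on every daily run.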

Crome

Howto snort 2.1.1 + Acid
« Reply #48 on: May 03, 2004, 08:30:11 AM »
That works indeed. But what about the other problem?

Quote from: "Crome"
- I'm pretty sure only traffic from eth0 is being watched. How do I change this? It isn't very clear from all the various posts.

MasterSleepy

Howto snort 2.1.1 + Acid
« Reply #49 on: May 04, 2004, 04:53:50 PM »
Hi,

The interface snort listens on is given by the result of this command:
/sbin/e-smith/db configuration getprop ExternalInterface Name

That is in the script /etc/rc.d/init.d/snortd

You can also see the interface snort listens on by typing ps -ef at the command prompt; you should have something like:
snort    24895     1  0 14:00 ?        00:00:02 /usr/sbin/snort -D -i ppp0 -u snort -g snort -c /etc/snort/snort.conf

Here for me it's ppp0.

regards.
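As an added example that is not the sme-snort init script, the POSIX sh below resolves the interface Snort should listen on (an explicit override first, then the configuration-db value named in the post above, then eth0) and validates it against the kernel's interface list before building the snort command line, instead of hard-coding `-i eth1` or `-i ppp0` the way the earlier replies did. `NET_DIR`, `resolve_snort_interface`, `iface_exists` and `snort_cmdline` are names chosen here; the `/sys/class/net` lookup assumes Linux sysfs.

```shell
#!/bin/sh
# Added example, not the sme-snort package's init script: choose and
# validate the sniffing interface instead of hard-coding "-i eth1" or
# "-i ppp0" in /etc/rc.d/init.d/snortd.

# Directory of kernel-known interfaces (Linux sysfs); overridable for tests.
NET_DIR=${NET_DIR:-/sys/class/net}

# Value of ExternalInterface/Name from the SME configuration db, or nothing
# when the db tool is not present (e.g. on a non-SME test box).
db_external_interface() {
    [ -x /sbin/e-smith/db ] || return 0
    /sbin/e-smith/db configuration getprop ExternalInterface Name 2>/dev/null
}

# iface_exists NAME -> 0 if NAME is a plain interface name the kernel knows.
# Rejects empty names and anything with a path component, so a bad db value
# cannot point the check outside NET_DIR.
iface_exists() {
    case $1 in
        ''|*/*|.|..) return 1 ;;
    esac
    [ -d "$NET_DIR/$1" ]
}

# resolve_snort_interface [OVERRIDE...] -> prints the first usable candidate:
# explicit arguments (e.g. from /etc/sysconfig/snort), then the db, then eth0.
resolve_snort_interface() {
    for _cand in "$@" "$(db_external_interface)" eth0; do
        if iface_exists "$_cand"; then
            printf '%s\n' "$_cand"
            return 0
        fi
    done
    echo "snortd: no usable sniffing interface found" >&2
    return 1
}

# snort_cmdline IFACE -> the daemon line from the thread, with IFACE filled in.
snort_cmdline() {
    printf '/usr/sbin/snort -D -i %s -u snort -g snort -c /etc/snort/snort.conf\n' "$1"
}

# Stand-alone demo: honour $SNORT_IFACE if set, otherwise db, then eth0.
if _if=$(resolve_snort_interface ${SNORT_IFACE:+"$SNORT_IFACE"}); then
    snort_cmdline "$_if"
fi
```

Refusing to start when no candidate exists is deliberate: a daemon line with a stale interface name (the ppp0 case, where the link is gone after a reconnect) otherwise fails silently and leaves the sensor dark until someone notices the empty ACID console.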

Mark R

Howto snort 2.1.1 + Acid
« Reply #50 on: May 04, 2004, 05:30:54 PM »
Hi All,

I have installed Snort and Acid ref. Sleepy's SME tutorial, should I have a control panel for snort??? acid is working ok

Thanks

Crome

Howto snort 2.1.1 + Acid
« Reply #51 on: May 04, 2004, 09:25:34 PM »
Quote
The interface snort listens on is given by the result of this command:
/sbin/e-smith/db configuration getprop ExternalInterface Name


It returns ppp0 so that's good.

Quote
You can also see the interface snort listens on by typing ps -ef at the command prompt; you should have something like:
snort    24895     1  0 14:00 ?        00:00:02 /usr/sbin/snort -D -i ppp0 -u snort -g snort -c /etc/snort/snort.conf

Here for me it's ppp0.


For me too so that looks good. The only problem is that when I checked for running processes on snort, no snort daemon was running. I'm guessing something goes wrong when I change IP-address? Is there any logfile I could check to see if snortd is crashing?

I greatly appreciate your help!

Crome

Howto snort 2.1.1 + Acid
« Reply #52 on: May 04, 2004, 09:27:32 PM »
Quote from: "Mark R"
I have installed Snort and Acid ref. Sleepy SME tutorial, should i have a control panel for snort??? acid is workin ok


There's no control panel for Snort in the server manager...

Crome

Howto snort 2.1.1 + Acid
« Reply #53 on: May 04, 2004, 09:47:01 PM »
I checked out my /etc/snort/snort.conf and I found the following:

Code:
var HOME_NET [127.0.0.1/1,192.168.0.0/24,192.168.0.0/24,195.144.82.7/1]

var EXTERNAL_NET 195.144.82.7


Is this right? My current IP-address is being assigned to both variables? Where's the logic in this?

MasterSleepy

Howto snort 2.1.1 + Acid
« Reply #54 on: May 04, 2004, 10:24:03 PM »
That config file is regenerated when the IP address changes.
Snort stops when it loses the IP; the service will restart after the IP has changed.

Normally everything is automatic, normally  :-(

rexgaylord

Snort/ACID install
« Reply #55 on: May 05, 2004, 01:04:35 AM »
Is there a way to re-create the snort_log? mysql has password set to yes and it didn't get created during install. I was able to set the user and password in acid_conf.php, but it wasn't there, so when I created it manually I got an error that it had to be created during the install. None of the packages will uninstall, so I have to go forward.

elorenz

Snort/ACID install
« Reply #56 on: May 26, 2004, 03:49:54 PM »
Hi Michael,
I have looked for the sme-snort and sme-acid noarch rpms on your site and can't find them, only src rpms.
Can you point me to the right spot?
Regards,

elorenz

Re: Snort/ACID install
« Reply #57 on: July 05, 2004, 06:25:48 PM »
Quote from: "elorenz"
Hi Michael,
I have looked for the sme-snort and sme-acid noarch rpms on your site and can't find them, only src rpms.
Can you point me to the right spot?
Regards,


Hi Michael,
Thanks for placing the  noarch.rpm's on your sites download area.
I have installed the packages and it's working fine, but I had to manually expand the snort.conf template before ACID could show the correct sensor count.
Best regards to you and many thanks for your great work,
Ernesto

Knuddi

Howto snort 2.1.1 + Acid
« Reply #58 on: September 09, 2004, 01:45:39 PM »
Hi,

I have installed as per:
http://vanhees.homeip.net/index.php?module=ContentExpress&func=display&ceid=19

and see in my messagelog many of these:

Sep  9 13:18:21 gateway snort: database: mysql_error: Warning:  Some non-transactional changed tables couldn't be rolled back SQL=ROLLBACK
Sep  9 13:18:28 gateway snort: database: mysql_error: Can't open file: 'data.MYD'. (errno: 145) SQL=INSERT INTO data (sid,cid,data_payload) VALUES ('1','1804','304C02010004067075626C6963A03F02020E3E0201000201003033300F060B2B060102011903020105010500300F060B2B060102011903050101010500300F060B2B060102011903050102010500')
Sep  9 13:18:28 gateway snort: database: mysql_error: Warning:  Some non-transactional changed tables couldn't be rolled back SQL=ROLLBACK

As if a database entry is missing? Any good suggestions?
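As an added example (not from the thread), here is a POSIX sh filter that pulls the MySQL error text and errno out of Snort's "database: mysql_error:" syslog lines like the ones above and maps the code to its meaning, so the failure class can be read off the log instead of guessed. The sample log is constructed from the post (payload shortened); `snort_db_errors`, `snort_db_error_count` and `mysql_errno_hint` are names chosen here; the meaning given for errno 145 is MySQL's own, "Table was marked as crashed and should be repaired", as `perror 145` reports.

```shell
#!/bin/sh
# Added example, not part of the thread's packages: pull the error text and
# errno out of Snort's "database: mysql_error:" syslog lines so the failure
# class can be read off the log instead of guessed.

# Constructed sample, modelled on the lines in the post above (payload shortened).
SAMPLE_LOG=$(cat <<'EOF'
Sep  9 13:18:21 gateway snort: database: mysql_error: Warning:  Some non-transactional changed tables couldn't be rolled back SQL=ROLLBACK
Sep  9 13:18:28 gateway snort: database: mysql_error: Can't open file: 'data.MYD'. (errno: 145) SQL=INSERT INTO data (sid,cid,data_payload) VALUES ('1','1804','304C')
Sep  9 13:18:29 gateway sshd[812]: unrelated line that must be ignored
EOF
)

# snort_db_errors < LOG -> one "errno<TAB>message" line per mysql_error
# entry; errno is "-" when the message carries none. The SQL= tail is
# dropped so statement contents (payload bytes) never end up in a summary.
snort_db_errors() {
    sed -n 's/.* snort: database: mysql_error: \(.*\) SQL=.*/\1/p' |
    while IFS= read -r _msg; do
        _errno=$(printf '%s\n' "$_msg" | sed -n 's/.*(errno: \([0-9][0-9]*\)).*/\1/p')
        printf '%s\t%s\n' "${_errno:--}" "$_msg"
    done
}

# snort_db_error_count < LOG -> number of mysql_error lines
snort_db_error_count() {
    snort_db_errors | wc -l | tr -d ' '
}

# mysql_errno_hint N -> what the code means and the first thing to check.
# 145 is the MyISAM "table was marked as crashed" code; anything else is
# left to MySQL's own perror utility.
mysql_errno_hint() {
    case $1 in
        145) echo "table marked as crashed: run myisamchk or mysqlcheck --repair on it, then restart snortd" ;;
        *)   echo "unknown here: run 'perror $1' on the MySQL host" ;;
    esac
}

# Stand-alone demo on the constructed sample.
printf '%s\n' "$SAMPLE_LOG" | snort_db_errors | while IFS= read -r _line; do
    _code=$(printf '%s\n' "$_line" | cut -f1)
    [ "$_code" = - ] || printf 'errno %s -> %s\n' "$_code" "$(mysql_errno_hint "$_code")"
done
```

The ROLLBACK warning on its own is noise: MyISAM tables are non-transactional, so every failed insert is followed by a rollback that cannot do anything. The line that carries the diagnosis is the one with an errno, which is why the filter keeps the code separate from the message.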

MasterSleepy

Howto snort 2.1.1 + Acid
« Reply #59 on: September 09, 2004, 05:00:23 PM »
Hello,

Can you check if the database has been created?

Regards.

Knuddi

Howto snort 2.1.1 + Acid
« Reply #60 on: September 09, 2004, 06:26:10 PM »
A mysqlshow command shows:

| snort_archive    |
| snort_log        |

Was that what is expected?

/Jesper

MasterSleepy

Howto snort 2.1.1 + Acid
« Reply #61 on: September 09, 2004, 06:47:42 PM »
Databases are correct. hhhmmmm

Could you check the config file of snort (/etc/snort/snort.conf)? At line +-457 you should have something like
Code:
output database: log, mysql, user=root password=blablablablablablabla  dbname=snort_log host=localhost
If you don't have that, try
Code:
/sbin/e-smith/expand-template /etc/snort/snort.conf

After that your config file should be OK

Regards.

Knuddi

Howto snort 2.1.1 + Acid
« Reply #62 on: September 09, 2004, 08:38:43 PM »
And I had that entry - tried to expand the template anyways but the errors are still there.

MasterSleepy

Howto snort 2.1.1 + Acid
« Reply #63 on: September 10, 2004, 06:27:22 AM »
Hello,

Quote from: "Knuddi"

Sep  9 13:18:21 gateway snort: database: mysql_error: Warning:  Some non-transactional changed tables couldn't be rolled back SQL=ROLLBACK


that message is pretty strange, did you upgrade your mysql server??

Regards.

Knuddi

Howto snort 2.1.1 + Acid
« Reply #64 on: September 10, 2004, 10:37:48 AM »
Not as far as I know - I am running 3.23.56.

Should I uninstall everything and try again?

MasterSleepy

Howto snort 2.1.1 + Acid
« Reply #65 on: September 10, 2004, 11:05:29 AM »
Yes maybe it is the best solution.

Cyrus

Howto snort 2.1.1 + Acid
« Reply #66 on: September 13, 2004, 01:25:18 AM »
So can anyone tell me where I can download the version of guardian which will work on this installation please?

I have had a quick search and can't seem to find it anywhere.

Thanks,

Cyrus

MasterSleepy

Howto snort 2.1.1 + Acid
« Reply #67 on: September 13, 2004, 08:33:39 AM »
Hello,

I use trevor-mitel-guardian-1.0-2.noarch.rpm.
You can find it Here

Regards.

Knuddi

Howto snort 2.1.1 + Acid
« Reply #68 on: September 13, 2004, 09:34:21 AM »
MasterSleepy,

Are you running 6.0.x? Do you know what has changed to the 2.0.1 which is also present in that location? It is supposed to be for 5.6

MasterSleepy

Howto snort 2.1.1 + Acid
« Reply #69 on: September 13, 2004, 10:11:11 AM »
I'm still running a 5.6.
But guardian is a perl script so it has to work on 6.x.
On my 5.6 I have changed the startup script to:
Code:

#!/bin/sh
#
# guardiand         Start/Stop the Guardian daemon.
#
# chkconfig: 2345 40 60

# Source function library.
. /etc/rc.d/init.d/functions

# See how we were called.
case "$1" in
  start)
        echo -n "Starting guardian daemon: "
        daemon guardiand -c /etc/guardian.conf
        RETVAL=$?
        echo
        [ $RETVAL -eq 0 ] && touch /var/lock/subsys/guardian
        ;;
  stop)
        echo -n "Stopping guardian daemon: "
        killproc guardiand
        RETVAL=$?
        rm -f /var/lock/subsys/guardian && rm -f /var/lock/guardian
        echo
        ;;
  status)
        status guardiand
        RETVAL=$?
        ;;
  restart)
        $0 stop
        $0 start
        RETVAL=$?
        ;;
  *)
        echo "Usage: $0 {start|stop|status|restart}"
        exit 1
esac

exit 0


So I have better control of the process.

If you have a dynamic IP address you have to add a restart of the guardiand service after renewal of the IP.

regards.

Cyrus

Howto snort 2.1.1 + Acid
« Reply #70 on: September 14, 2004, 12:21:15 AM »
Quote from: "MasterSleepy"
Hello,

I use trevor-mitel-guardian-1.0-2.noarch.rpm.
You can find it Here

Regards.


Thanks for that, muchly appreciated!

doyen

Acid graphs parameters stop in 2004
« Reply #71 on: April 03, 2005, 02:57:08 AM »
Snort is installed and running well on SME 6.0.1, however when graphs are pulled from ACID they stop at year 2004. SME-snort-2.3-2.1 & sme-acid-0.2-1 installed no problems. Is there a more recent file for sme-acid or are the graph parameters originating from another rpm? Any assistance would be greatly appreciated - gt

mudra

Howto snort 2.1.1 + Acid
« Reply #72 on: June 19, 2005, 09:51:01 AM »
I have snort up and running well, BUT the graphs do not go past 2004, just like the previous contributor.

Anyone have a workaround, OR know if it is possible to install BASE on SME SERVER 6.5rc1.

TIA

Mudra

Curly

Howto snort 2.1.1 + Acid
« Reply #73 on: July 26, 2005, 02:14:29 PM »
(a bit late)

I've edited two files to include more years, both of them in the directory /opt/administration/acid. The two files are acid_graph_form.php and acid_stat_time.php. Somewhere inside is an array with the years; I changed them so now I can select the years 2003 through 2008.