Topic: Howto snort 2.1.1 + Acid

[jahlewis]

Except one things, after installing sme-snort, make :
/sbin/e-smith/expand-template /etc/snort/snort.conf

That did it.  Correctly put in networking info for HOME_NET and EXTERNAL_NET, and correctly put in the output settings

However, I needed to hack /etc/init.d/snortd to get it to start up on eth1 instead of eth0 (which is my internal nic), replacing all the if statements before and in the start function with:
######################################
# Now to the real heart of the matter:

# See how we were called.
case "$1" in
  start)
        echo -n "Starting snort: "
        cd $LOGDIR
        daemon /usr/sbin/snort -D -o -i eth1 -u snort -g snort -c /etc/snort/snort.conf
        touch /var/lock/subsys/snort
        echo
        ;;

Now everything is working fine.

Have you thought about incorporating oinkmaster.pl to keep the rules updated?

The coolest would be a server-manager panel allowing you to configure the snort.conf file, and to specify the startup options...

Or..., as I'm about to do, I can go and use IDS Policy Manager to manage the conf and rulesets (http://www.activeworx.com)

[MasterSleepy]

Hi,

You are right, I have updated the howto.
Thanks for the help.

sme-snort install a cron task to weekly update snort-rules.

Regards.

[wyron]

Aah, updating as per your new howto did all the difference.
Now I see what its all about !

[wykyd]

Well thanx for the how to, it installed great and it all seems to be running.

I edited the the snort conf as you said

if [ "$INTERFACE"X = "X" ]; then
   INTERFACE="-i ppp0"
else
#   INTERFACE="-i $INTERFACE"
 INTERFACE="-i ppp0"
fi
 and

daemon /usr/sbin/snort -D $INTERFACE -u $USER -g $GROUP $CONF

thats stright from my config.

Now just asking but I got my first three hits from my own IP as the source?

They are

[bugtraq]nessus[snort] WEB-PHP viewtopic.php access    2004-03-31 23:46:32 xxx.xxx.xxx.xxx:36361 69.9.12.50:80 TCP    
bugtraq]nessus[snort] WEB-PHP viewtopic.php access 2004-03-31 23:46:46 xxx.xxx.xxx.xxx:36362 69.9.12.50:80 TCP  
[bugtraq]nessus[snort] WEB-PHP viewtopic.php access    2004-03-31 23:56:41 xxx.xxx.xxx.xxx:36405 69.9.12.50:80 TCP  

the bug track said it was from

phpBB Viewtopic.PHP SQL Injection Vulnerability

So is this right? Why is my IP the source that it is blocking?

[MasterSleepy]

Hi,

I saw that problem recently.
I will make a new version of sme-snort shortly.
It will corrige some other bug in the rpm.

Regards.

[wykyd]

Well I checked it this morning and it is logging properly.

But everytime I visit this forum and everytime I open a thread I get an event in snort ?

But anyway, small issue. It is logging so I guess it is right

[wyron]

Well, it's working, but I have no log to rotate.
The entry in my cron-daily log-rotation reads:
---
error: error accessing /var/log/snort/*: No such file or directory
error: snort:4 glob failed for /var/log/snort/*/*log
---
The entries are, however, added up and viewable in Acid ???

[MasterSleepy]

Hi,

I have made several correction in rpm sme-snort and sme-acid.
The doc is up to date.

Please remove old package before install new version.

http://vanhees.homeip.net/index.php?module=ContentExpress&func=display&ceid=19

Regards.

[wykyd]

OK I downloaded then and will set them up tonight.

What did you change?

[MasterSleepy]

Now the archive database is created,
expanding snort config file is now automatic,
OuterneIF configuration in config and init script is automatic for those who have version 6.0 or greater of the SME,
I add in the internal adresse, the adresse of outerneIF, to reduce some alert that comme with that IP as source.

Well it almost every things.

Regards.

[ajkeane]

I am getting the following error when installing sme-snort-0.2-1.noarch.rpm

WARNING in /etc/e-smith/templates-custom//etc/snort/snort.conf/20OutputSetting: Use of uninitialized value in string eq at /etc/e-smith/templates-custom//etc/snort/snort.conf/20OutputSetting line 20.
WARNING: Template processing succeeded for //etc/snort/snort.conf: 1 fragment generated warnings
 at /sbin/e-smith/expand-template line 49

Tony

[MasterSleepy]

Hello ajkeane,

To solve the probleme, just type the following command :
/sbin/e-smith/expand-template /etc/snort/snort.conf

or install the new version, I've just make the modification so that problem don't arrive in the futur.

Thanks for testing.
Regards.

[ajkeane]

This was installing the new version. I had the old version running and have uninstalled to get up to the latest version.

I will download the RPM again and give it another go. Will let you know how I get on.

Tony

[ajkeane]

I have downloaded the latest RPM again and reinstalled and no error messages. Looks like its working I will wait and see if anything starts being reported.

Thanks for the great help.

Tony

[electroman00]

Tony

Are you installing to the 6.01.01 custom?

Richard