Koozali.org: home of the SME Server

[contrib update] Snort 2.3.2 for sme

MasterSleepy
[contrib update] Snort 2.3.2 for sme
« on: March 23, 2005, 07:22:18 PM »
Hi all,

Due to changes in the snort rules, I've updated the snort rpm.

You can find the rpm at the following address
http://www.vanhees.cc/modules.php?op=modload&name=Downloads&file=index&req=viewsdownload

I've updated the old rules update script to use the GPL rules of snort.
I also modified some scripts so that snort now restarts after an IP change.

For the acid install, nothing has changed and the old Howto is still available

Regards,

whistleruk

[contrib update] Snort 2.3.2 for sme
« Reply #1 on: March 24, 2005, 12:30:53 AM »
Thanks for that :-D
All updated.

yank
Re: [contrib update] Snort 2.3.2 for sme
« Reply #2 on: March 24, 2005, 07:54:32 AM »
Quote from: "MasterSleepy"
Hi all,

For the acid install, nothing has changed and the old Howto is still available

Regards,

Must be blind in both eyes.. cannot find one of the bin-rpms you've mentioned in the acid howto...
the 0.2.2 version gave conflict errors ..
do I have to 'go to the source'?

snort-2.1.1-1.i386.rpm
snort-mysql-2.1.1-1.i386.rpm
 -> sme-snort-0.2-1.noarch.rpm <-
sme-acid-0.2-1.noarch.rpm
thx
--

MasterSleepy
[contrib update] Snort 2.3.2 for sme
« Reply #3 on: March 25, 2005, 05:41:29 AM »
Hello yank,

The howto is not up to date. I lack time at the moment.
The only thing you have to do is install 2 rpms:
the one for snort 2.3.2
and
the one for acid

Regards.

chris burnat
[contrib update] Snort 2.3.2 for sme
« Reply #4 on: March 25, 2005, 06:40:59 AM »
Dear MasterSleepy,

Quote from: "MasterSleepy"
The only thing you have to do is install 2 rpms:
the one for snort 2.3.2
and
the one for acid

I must be blind as well.  I have followed your instructions and here are the results:

[root@mail up250305]# rpm -Uvh sme-snort-2.3-2.src.rpm
   1:sme-snort              ########################################### [100%]
[root@mail up250305]# rpm -Uvh sme-snort-2.3-2.i386.rpm
Preparing...                ########################################### [100%]
file /etc/logrotate.d/snort from install of sme-snort-2.3-2 conflicts with file from package snort-2.1.1-1
file /etc/rc.d/init.d/snortd from install of sme-snort-2.3-2
## [.... and a lot more of these...]
file /usr/share/man/man8/snort.8.gz from install of sme-snort-2.3-2 conflicts with file from package snort-2.1.1-1

rpm -qa shows:
sme-snort-0.2-2
snort-2.1.1-1
snort-mysql-2.1.1-1
sme-acid-0.2-1

Where have I gone wrong?
Many thanks and regards.  chris.
- chris
If it does not work out of the box, please fill in a Bug Report @ Bugzilla (http://bugs.contribs.org)  - check: http://wiki.contribs.org/Bugzilla_Help .  Thanks.

MasterSleepy
[contrib update] Snort 2.3.2 for sme
« Reply #5 on: March 25, 2005, 10:11:54 AM »
Please remove the old one first.

chris burnat
[contrib update] Snort 2.3.2 for sme
« Reply #6 on: March 25, 2005, 10:27:04 AM »
Quote from: "MasterSleepy"
Please remove the old one first.

all of them? for example:
sme-snort-0.2-2
snort-2.1.1-1
snort-mysql-2.1.1-1

Again, they are all dependent on each other, so remove --force?
many thanks.
- chris

MasterSleepy
[contrib update] Snort 2.3.2 for sme
« Reply #7 on: March 25, 2005, 10:36:41 AM »
Yes, remove all of them.

For sme-snort-0.2-2 you have to force the uninstall.
The others should uninstall without forcing.

Regards.

chris burnat
[contrib update] Snort 2.3.2 for sme
« Reply #8 on: March 25, 2005, 11:00:28 AM »
Yes, done with --nodeps and all is well.  Many thanks. Rgds. chris.

PS: restart snortd after upgrade.
- chris

genzil
Howto
« Reply #9 on: March 25, 2005, 02:46:44 PM »
Until MasterSleepy gets a chance to update his howto, here is a short version.

1. Remove the old version
     rpm -e sme-snort-0.2-2 snort-2.1.1-1 snort-mysql-2.1.1-1
   If that doesn't work then you will need to use --nodeps (rpm -e does not accept --force; that option is only for installs)
     rpm -e --nodeps sme-snort-0.2-2 snort-2.1.1-1 snort-mysql-2.1.1-1
2. Download sme-snort-2.3-2.i386.rpm and sme-acid-0.2-1.noarch.rpm to your server
3. Install snort
     rpm -Uvh sme-snort-2.3-2.i386.rpm
4. Start snort
     /etc/init.d/snortd start
5. Install acid (only if you don't already have it installed)
     rpm -Uvh sme-acid-0.2-1.noarch.rpm
6. Now open your favourite browser at https://[your server]/acid/ and log in with the admin login and password, as for server-manager
7. Say thanks to MasterSleepy for making this so easy.
Smile :-)......
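The steps above as one script, an added example that is neither the contrib's own code nor anything posted in this thread. It checks the RPM digests and signature with rpm -K before touching anything, derives the old package set from rpm -qa instead of a hard-coded list, falls back to --nodeps only if plain rpm -e refuses, skips the acid install when it is already present, and restarts and checks snortd at the end. The RPM file names are those posted in the thread; the name patterns used to recognise the old packages are an assumption drawn from chris's rpm -qa listing.

```shell
#!/bin/sh
# Upgrade the SME Snort contrib from the 2.1.x packages to sme-snort-2.3
# (added example; not the contrib's script). Run as: sh upgrade-snort.sh run
# from the directory that holds the two RPMs.
SNORT_RPM=${SNORT_RPM:-sme-snort-2.3-2.i386.rpm}
ACID_RPM=${ACID_RPM:-sme-acid-0.2-1.noarch.rpm}

# rpm -K (--checksig) verifies the digests and, if the signing key is
# imported, the signature. Contrib RPMs of this era are often unsigned:
# then only the digests are checked, so also compare the file against a
# hash obtained from the author by another channel.
verify_rpm() {
    [ -f "$1" ] || { echo "missing: $1" >&2; return 1; }
    out=$(rpm -K "$1") || { echo "rpm -K failed: $out" >&2; return 1; }
    case $out in
        *[gG][pP][gG]*|*[pP][gG][pP]*) ;;
        *) echo "warning: $1 carries no signature, digest only" >&2 ;;
    esac
}

# Filter "rpm -qa" output (stdin) down to the packages of the old layout:
# the sme-snort-0.x glue, snort 2.1.x and its snort-mysql build.
# sme-acid is kept. Name patterns are an assumption from the thread's listing.
old_snort_packages() {
    grep -E '^(sme-snort-0\.|snort-2\.1\.|snort-mysql-2\.1\.)' || :
}

main() {
    verify_rpm "$SNORT_RPM" || exit 1
    verify_rpm "$ACID_RPM"  || exit 1

    old=$(rpm -qa | old_snort_packages)
    if [ -n "$old" ]; then
        echo "removing: $old"
        # The old packages depend on each other, so hand rpm the whole set;
        # the thread reports sme-snort-0.x only goes with --nodeps.
        # shellcheck disable=SC2086
        rpm -e $old || rpm -e --nodeps $old || exit 1
    fi

    rpm -Uvh "$SNORT_RPM" || exit 1
    # acid only if it is not installed already
    rpm -q sme-acid >/dev/null 2>&1 || rpm -Uvh "$ACID_RPM" || exit 1

    /etc/init.d/snortd restart
    /etc/init.d/snortd status
    rpm -qa | grep -E '^(sme-snort|sme-acid)-'
}

case "${1:-}" in run) main ;; esac
```

If rpm -K reports NOT OK, stop there: a conflict message from rpm later on is recoverable, a tampered package is not.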

chris burnat
[contrib update] Snort 2.3.2 for sme
« Reply #10 on: March 26, 2005, 10:04:24 AM »
"Say thanks to MasterSleepy for making this so easy"
Indeed!  Merci MasterSleepy! And another vote of thanks to Genzil for making it so clear.

A question if I may.  Today's logs say:
/etc/cron.daily/logrotate:
error: error accessing /var/log/snort/*: No such file or directory
error: snort:4 glob failed for /var/log/snort/*/*log
/etc/cron.daily/sarg.daily.cron:

Previous /etc/logrotate.d/snort was:

/var/log/snort/alert  {
    daily
    rotate 7
    missingok
    compress
    postrotate
        /etc/init.d/snortd restart 1>/dev/null || true
    endscript
}

Now, after the upgrade, it is:

/var/log/snort/alert /var/log/snort/*log /var/log/snort/*/alert /var/log/snort/*/*log  {
    daily
    rotate 7
    missingok
    compress
    postrotate
        /etc/init.d/snortd restart 1>/dev/null || true
    endscript
}


Is this an issue?
Regards, chris
- chris
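The cron errors above come from logrotate expanding the wildcard paths when it runs: missingok covers a listed file that is absent, but a pattern that matches nothing is reported separately as a glob failure, and the two patterns with a subdirectory component match nothing when /var/log/snort has no subdirectories. The script below is an added example (not part of the thread or of the contrib) that expands each pattern of a logrotate snippet against a directory root and reports the ones that match nothing, so a snippet can be checked before cron mails about it; logrotate -d /etc/logrotate.d/snort does the same dry run with the real tool. It assumes the path list is the text before the first { in the file, as in the snippet posted above.

```shell
#!/bin/sh
# Pre-flight check for the wildcard paths in a logrotate snippet
# (added example, not from the contrib).
# Usage: sh check-logrotate-globs.sh /etc/logrotate.d/snort [ROOT]
# ROOT is prepended to every path so a copy of the tree (or an empty
# directory) can be tested instead of the live /var/log.

# glob_matches PATTERN -> 0 if at least one existing path matches it.
# With globbing on, an unmatched pattern stays literal and fails -e.
glob_matches() {
    for f in $1; do
        [ -e "$f" ] && return 0
    done
    return 1
}

# check_logrotate_globs CONF [ROOT]
# Prints "ok:" or "no match:" per pattern; returns 1 if any pattern
# matches nothing, which is the case logrotate reports as "glob failed".
check_logrotate_globs() {
    conf=$1
    root=${2:-}
    bad=0
    set -f                                   # split the list, no globbing yet
    for pat in $(sed -n '/[{]/{s/[[:space:]]*[{].*$//p;q;}' "$conf"); do
        set +f                               # let glob_matches expand it
        if glob_matches "$root$pat"; then
            echo "ok:       $pat"
        else
            echo "no match: $pat"
            bad=$((bad + 1))
        fi
        set -f
    done
    set +f
    [ "$bad" -eq 0 ]
}

case "${1:-}" in
    "") ;;
    *) check_logrotate_globs "$1" "${2:-}" ;;
esac
```

Run it against the snippet after an upgrade, and again after creating the directories a pattern expects; a pattern that only ever matches on another layout is better dropped from the snippet than left to fail daily.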

yank
[contrib update] Snort 2.3.2 for sme
« Reply #11 on: March 26, 2005, 06:35:47 PM »
Yes, the both of you; thanks for the fish...

whistleruk

[contrib update] Snort 2.3.2 for sme
« Reply #12 on: March 28, 2005, 09:49:16 PM »
Still getting a weekly alert, and this was from a fresh install of SNORT using the above rpms

/etc/cron.weekly/snort-update:

SETTING UP WORKING DIRECTORY
DOWNLOAD AND EXTRACT CURRENT RULE-SET
--04:22:41--  http://www.snort.org/pub-bin/downloads.cgi/Download/comm_rules/Community-Rules.tar.gz
           => `Community-Rules.tar.gz'
Resolving www.snort.org... done.
Connecting to www.snort.org[199.107.65.177]:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [application/octet-stream]

    0K ........                                                 50.98 KB/s

04:22:43 (50.98 KB/s) - `Community-Rules.tar.gz' saved [8248]

--04:22:43--  http://www.snort.org/dl/rules/snortrules-snapshot-2_1.tar.gz
           => `snortrules-snapshot-2_1.tar.gz'
Resolving www.snort.org... done.
Connecting to www.snort.org[199.107.65.177]:80... connected.
HTTP request sent, awaiting response... 404 Not Found
04:22:43 ERROR 404: Not Found.

STOP SNORTD SNORT-MYSQL SERVICE
Stopping snort: [ FAILED ]
COPY NEW RULES IN PLACE
START SNORTD SNORT-MYSQL SERVICE
Starting snort: [ FAILED ]
SHOW SNORTD STATUS
snort dead but subsys locked
FINISHED

MasterSleepy
[contrib update] Snort 2.3.2 for sme
« Reply #13 on: March 29, 2005, 07:57:05 PM »
Hi all,

The RPMs have been upgraded to solve several problems:
- logrotate problem
- rules update problem
- added a check that the process is running

Please remove the old one before installing.
http://www.vanhees.cc/modules.php?op=modload&name=Downloads&file=index&req=viewsdownload

Regards.

Appesteijn
[contrib update] Snort 2.3.2 for sme
« Reply #14 on: March 29, 2005, 11:18:33 PM »
You should register at www.snort.org and then use the following wget line in update-rules:

wget http://www.snort.org/pub-bin/oinkmaster.cgi/Your_reg_code_here/snortrules-snapshot-2.1.tar.gz
tar zxvf snortrules-snapshot-2.1.tar.gz

instead of using:
http://www.snort.org/dl/rules/snortrules-snapshot-2_1.tar.gz
............
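The cron mail in Reply #12 shows the unsafe order of the old update script: the 404 on the 2_1 snapshot is ignored, snort is stopped anyway, the restart fails, and the box is left with "snort dead but subsys locked", that is, no IDS until someone reads the mail. The script below is an added example (not the contrib's /etc/cron.weekly/snort-update, and not posted by anyone in the thread) that combines Appesteijn's registered download with a fail-safe order: fetch first, refuse anything that is not a gzip tarball containing .rules files, keep the previous rule set, parse the new configuration with snort -T before restarting, and roll back if snortd does not come back. Its assumptions are hypothetical: the registration code sits in a root-only file /etc/snort/oinkcode rather than in the script or on the command line, the rules live in /etc/snort/rules, and the snapshot file name carries the installed snort version (2.3 for the RPM in this thread, where Appesteijn's line names 2.1).

```shell
#!/bin/sh
# Fail-safe Snort rule update (added example; not the contrib's cron script).
# Order: fetch, validate, stage with a rollback copy, snort -T, restart,
# verify, roll back on failure. All paths and names below are assumptions.
# Usage: sh snort-update.sh run
SNORT_CONF=${SNORT_CONF:-/etc/snort/snort.conf}
RULES_DIR=${RULES_DIR:-/etc/snort/rules}
OINKCODE_FILE=${OINKCODE_FILE:-/etc/snort/oinkcode}   # root:root, mode 0600
SNAPSHOT=${SNAPSHOT:-snortrules-snapshot-2.3.tar.gz}  # must match installed snort
INITSCRIPT=${INITSCRIPT:-/etc/init.d/snortd}

log() { printf '%s %s\n' "$(date +%H:%M:%S)" "$*" >&2; }

# The registration code is a credential: keep it in a root-only file so it is
# neither in the script nor visible in ps (wget's command line) or cron mail.
read_oinkcode() {
    [ -r "$1" ] || { log "cannot read oinkcode file $1"; return 1; }
    mode=$(stat -c %a "$1" 2>/dev/null || echo unknown)
    [ "$mode" = 600 ] || log "warning: $1 should be mode 0600 (is $mode)"
    tr -d '[:space:]' < "$1"
}

# Registered download URL in the form Appesteijn posted.
rules_url() { echo "http://www.snort.org/pub-bin/oinkmaster.cgi/$1/$SNAPSHOT"; }

# fetch_rules URL DEST: wget exits non-zero on a 404; the old script did not look.
fetch_rules() {
    wget -q -O "$2" "$1" || { rm -f "$2"; return 1; }
}

# Accept only a valid gzip tarball containing at least one .rules file; an
# HTML error page or a truncated download fails here, before snort is touched.
validate_rules_archive() {
    gzip -t "$1" 2>/dev/null || return 1
    gzip -dc "$1" | tar tf - 2>/dev/null | grep -q '\.rules$'
}

rollback_rules() { rm -rf "$RULES_DIR" && mv "$RULES_DIR.prev" "$RULES_DIR"; }

# Swap the new rules/ directory in, keeping the old one as RULES_DIR.prev,
# and let snort parse the result (-T) before anything is restarted.
install_rules() {
    work=$(mktemp -d) || return 1
    if ! gzip -dc "$1" | tar xf - -C "$work" || [ ! -d "$work/rules" ]; then
        log "archive does not unpack to a rules/ directory"; rm -rf "$work"; return 1
    fi
    rm -rf "$RULES_DIR.prev"
    { mv "$RULES_DIR" "$RULES_DIR.prev" && mv "$work/rules" "$RULES_DIR"; } || return 1
    rm -rf "$work"
    if ! snort -T -c "$SNORT_CONF" >/dev/null 2>&1; then
        log "snort -T rejects the new rules, rolling back"
        rollback_rules
        return 1
    fi
}

snort_running() { "$INITSCRIPT" status >/dev/null 2>&1; }

main() {
    code=$(read_oinkcode "$OINKCODE_FILE") || exit 1
    tmp=$(mktemp) || exit 1
    trap 'rm -f "$tmp"' EXIT
    fetch_rules "$(rules_url "$code")" "$tmp" ||
        { log "download failed; snort left running with current rules"; exit 1; }
    validate_rules_archive "$tmp" ||
        { log "downloaded file is not a rules tarball; nothing changed"; exit 1; }
    install_rules "$tmp" || exit 1
    "$INITSCRIPT" restart >/dev/null 2>&1
    if snort_running; then
        log "rules updated, snort running"
        exit 0
    fi
    log "snort did not come back with the new rules, rolling back"
    rollback_rules
    "$INITSCRIPT" restart >/dev/null 2>&1
    snort_running || log "snort still down after rollback: investigate"
    exit 1
}

case "${1:-}" in run) main ;; esac
```

Every exit path before the restart leaves the running snort and its current rules untouched, so a dead snort.org URL or a changed download scheme costs a mail, not the IDS; the non-zero exit is what makes cron send that mail.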