Koozali.org: home of the SME Server

[CONTRIB UPDATE] Snort for smeserver 7.x

MasterSleepy
[CONTRIB UPDATE] Snort for smeserver 7.x
« on: January 23, 2007, 10:49:07 AM »
Hello All,

I've finished updating the snort installation contrib for smeserver 7.x.
RPM :
http://www.vanhees.cc/modules.php?op=modload&name=CmodsDownload&file=index&req=viewdownloaddetails&lid=315&ttitle=smeserver-snort-2.6.1.2-1.i386.rpm

sRPM :
http://www.vanhees.cc/modules.php?op=modload&name=CmodsDownload&file=index&req=viewdownloaddetails&lid=316&ttitle=smeserver-snort-2.6.1.2-1.src.rpm
Be sure to uninstall the old contrib first and check that the directory /var/service/snortd has been removed.

This new version installs the latest version of snort available (2.6.1.2) and is better integrated within smeserver.
It also contains a script that relaunches guardian if it is installed.

A new version of guardian is also available
RPM:
http://www.vanhees.cc/modules.php?op=modload&name=CmodsDownload&file=index&req=viewdownloaddetails&lid=274&ttitle=smeserver-guardiand-1.7-4.noarch.rpm

sRPM :
http://www.vanhees.cc/modules.php?op=modload&name=CmodsDownload&file=index&req=viewdownloaddetails&lid=275&ttitle=smeserver-guardiand-1.7-4.src.rpm
Before installing the new version, be sure to uninstall the old contrib first and make sure that the directory /var/service/guardiand has been removed.

Oinkmaster must also be updated to the latest version
RPM:
http://www.vanhees.cc/modules.php?op=modload&name=CmodsDownload&file=index&req=viewdownloaddetails&lid=272&ttitle=smeserver-oinkmaster-1.2-2.noarch.rpm

sRPM:
http://www.vanhees.cc/modules.php?op=modload&name=CmodsDownload&file=index&req=viewdownloaddetails&lid=273&ttitle=smeserver-oinkmaster-1.2-2.src.rpm

Concerning Base, nothing has changed:
RPM :
http://www.vanhees.cc/index.php?name=CmodsDownload&file=index&req=viewdownloaddetails&lid=276

sRPM :
http://www.vanhees.cc/index.php?name=CmodsDownload&file=index&req=viewdownloaddetails&lid=277

Regards

jahlewis
[CONTRIB UPDATE] Snort for smeserver 7.x
« Reply #1 on: January 23, 2007, 04:49:18 PM »
Thanks!!! I uninstalled the older versions and installed these. No problems.

I did the following to:
1) Log external attacks to my box
2) Attempt to have BASE report portscans

Is this correct? If not, any suggestions as to what I should do to make the above work?

Code:
- edit snort configs
        mkdir -p /etc/e-smith/templates-custom/etc/snort/snort.conf
        pico /etc/e-smith/templates-custom/etc/snort/snort.conf/10OutherNet
                var EXTERNAL_NET !HOME
        pico /etc/e-smith/templates-custom/etc/snort/snort.conf/11Portscan
                # JNL Enable PortScan reporting
                preprocessor stream4: detect_scans detect_state_problems
                preprocessor stream4_reassemble: ports all
                preprocessor portscan: 0.0.0.0/0 6 3 /var/log/snort/portscan.log
                preprocessor portscan-ignorehosts: $DNS_SERVERS
        touch /var/log/snort/portscan.log
        chown snort:snort /var/log/snort/portscan.log
        expand-template /etc/snort/snort.conf
        service snortd restart

MasterSleepy
[CONTRIB UPDATE] Snort for smeserver 7.x
« Reply #2 on: January 23, 2007, 08:22:54 PM »
Hello,

Try modifying template 10Part02.
In this template you should find a line with
Code:
preprocessor stream4: disable_evasion_alerts
Replace this line with the lines you gave:
Code:
# JNL Enable PortScan reporting
preprocessor stream4: detect_scans detect_state_problems
preprocessor stream4_reassemble: ports all
preprocessor portscan: 0.0.0.0/0 6 3 /var/log/snort/portscan.log
preprocessor portscan-ignorehosts: $DNS_SERVERS


Regards.

okepc
[CONTRIB UPDATE] Snort for smeserver 7.x
« Reply #3 on: February 21, 2007, 09:36:34 AM »
This morning logrotate was eating 100% CPU load.
It was working through the snort logs in /var/log/snort.
This was going on for a couple of hours.
I would like to disable the logging to /var/log/snort and keep the logging to mysql.
How should I do this?

Dirk

Daniel B.
[CONTRIB UPDATE] Snort for smeserver 7.x
« Reply #4 on: February 21, 2007, 09:45:34 AM »
Yesterday, I learned of a remotely exploitable vulnerability in snort (quite dangerous, it's a buffer overflow). Are you planning to upgrade your fantastic contrib to 2.6.2?
It's the end of the world!!! :lol:

MasterSleepy
[CONTRIB UPDATE] Snort for smeserver 7.x
« Reply #5 on: February 21, 2007, 10:30:27 AM »
Hello,

I'll try to build a new rpm today to integrate version 2.6.1.3 and to solve the logrotate problem.

Regards.

holck
[CONTRIB UPDATE] Snort for smeserver 7.x
« Reply #6 on: February 21, 2007, 10:35:26 AM »
Quote from: okepc
This morning logrotate was eating 100% CPU load.
It was working through the snort logs in /var/log/snort.
This was going on for a couple of hours.
I would like to disable the logging to /var/log/snort and keep the logging to mysql.
How should I do this?

Dirk

I also experienced this. It seemed that the logrotate program kept gzip-ing the log files again and again, thus creating files like TCP:12345-80, TCP:12345-80.gz, TCP:12345-80.gz.gz etc. As a workaround I have changed this line in /etc/logrotate.d/snort:
Code:
/var/log/snort/alert /var/log/snort/*log /var/log/snort/*/alert /var/log/snort/*/*
to
Code:
/var/log/snort/alert /var/log/snort/*log /var/log/snort/*/alert
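A way to see why the shipped path line loops, as an added example that is not part of holck's post or the contrib: it simulates the shell glob expansion of the two logrotate lines quoted above over a constructed listing of /var/log/snort, and reports which already-compressed files each line would hand to logrotate again.

```python
import fnmatch

# Constructed listing of /var/log/snort after a few logrotate runs (not a real capture).
SAMPLE_FILES = [
    "/var/log/snort/alert",
    "/var/log/snort/portscan.log",
    "/var/log/snort/192.168.1.10/alert",
    "/var/log/snort/192.168.1.10/TCP:12345-80",
    "/var/log/snort/192.168.1.10/TCP:12345-80.gz",
    "/var/log/snort/192.168.1.10/TCP:12345-80.gz.gz",
]

# First line of /etc/logrotate.d/snort as shipped, and as changed in the post above.
ORIGINAL_GLOBS = "/var/log/snort/alert /var/log/snort/*log /var/log/snort/*/alert /var/log/snort/*/*"
FIXED_GLOBS = "/var/log/snort/alert /var/log/snort/*log /var/log/snort/*/alert"

def glob_match(pattern, path):
    """Shell-style match: '*' never crosses a '/', unlike plain fnmatch."""
    pparts, fparts = pattern.split("/"), path.split("/")
    return len(pparts) == len(fparts) and all(
        fnmatch.fnmatchcase(f, p) for p, f in zip(pparts, fparts))

def selected_logs(globs, files):
    """Files a logrotate path line would pick up (the shell expands each glob)."""
    picked = []
    for pattern in globs.split():
        for f in files:
            if glob_match(pattern, f) and f not in picked:
                picked.append(f)
    return picked

def recompressed(globs, files):
    """Already-compressed files the path line selects again: every run gzips
    them once more, which is how TCP:12345-80.gz.gz appears and matches the
    'gzip-ing again and again' symptom described in the post."""
    return [f for f in selected_logs(globs, files) if f.endswith(".gz")]

if __name__ == "__main__":
    for label, globs in (("original", ORIGINAL_GLOBS), ("fixed", FIXED_GLOBS)):
        print(label, "re-compresses:", recompressed(globs, SAMPLE_FILES))
```

The fixed line stops the loop but also leaves the per-host session dumps (TCP:... files) unrotated, which is the trade-off the workaround accepts.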

MasterSleepy
[CONTRIB UPDATE] Snort for smeserver 7.x
« Reply #7 on: February 21, 2007, 10:43:20 AM »
You are totally right holck, and that is what I'll modify in the rpm.

After checking this vulnerability, it only touches the DCE/RPC preprocessor.
However, this preprocessor is not active by default in the original rpm.

The new version will come today or tomorrow.

MasterSleepy
[UPDATED] smeserver-snort-2.6.1.3
« Reply #8 on: February 21, 2007, 08:38:55 PM »
Hello all,

As promised, here is the new version of smeserver-snort.
It is based on version 2.6.1.3 of snort to correct the latest security alert.
It also corrects the logrotate problem.

RPM:
http://www.vanhees.cc/modules.php?op=modload&name=CmodsDownload&file=index&req=viewdownloaddetails&lid=315&ttitle=smeserver-snort-2.6.1.3-1.i386.rpm

sRPM:
http://www.vanhees.cc/modules.php?op=modload&name=CmodsDownload&file=index&req=viewdownloaddetails&lid=316&ttitle=smeserver-snort-2.6.1.3-1.src.rpm

To install, if you have version 2.6.1.2 installed, remove the old rpm with
Code:
rpm -e smeserver-snort --nodeps
then install the new one.

If you have an older version installed, remove it first and make sure that the directories:
/var/service/snortd/
/var/log/snort/
/var/log/snortd/
have been removed, or remove them manually.

Regards.

Daniel B.
[CONTRIB UPDATE] Snort for smeserver 7.x
« Reply #9 on: February 23, 2007, 11:59:47 AM »
Thanks for your contrib. I've just tested the upgrade from 2.6.1.2 to 2.6.1.3. I first removed the old one with rpm -e --nodeps smeserver-snort, then I erased the needed directories (logs) and installed the new one. But I have some warnings about databases which cannot be created because they already exist, which is normal as the uninstall of the previous version warns us that the databases are not dropped. My question is, can I ignore this error? Will the new rpm continue filling the old databases?

MasterSleepy
[CONTRIB UPDATE] Snort for smeserver 7.x
« Reply #10 on: February 23, 2007, 02:15:54 PM »
Hello,

Yes, the db schema is still the same.
The error messages are totally normal.

Regards.

jahlewis
[CONTRIB UPDATE] Snort for smeserver 7.x
« Reply #11 on: February 23, 2007, 03:27:34 PM »
I'm looking forward to trying out this version soon.  I uninstalled the older version due to the logrotate issues.  I'm ready to reinstall, but before i do...

To the Snort users on this list, here are some questions I'd love answers for

1) What do I need to do to enable tracking of port scanning in BASE?  My attempts earlier in this thread did not work.  Are any of you doing it?

2) What would be required to set up another sensor on the external interface?  The default snort.conf is set up to monitor internal traffic.  I'd love to have another sensor monitoring the external interface to get a better picture of stuff happening on the outside, but is easily identified within BASE by sensor.

3) What do you all use to manage signatures?  Do you do it by hand?  Use a third party tool that is web based?  Client based?

okepc
[CONTRIB UPDATE] Snort for smeserver 7.x
« Reply #12 on: February 23, 2007, 05:00:49 PM »
The contrib in my case is scanning the external interface.
For getting the portscan to work:

preprocessor sfportscan: proto { all } \
scan_type { all } \
sense_level { low }

This is from the snort manual and suggested by the BASE developers.

I have set it up before, and it worked.

Put this somewhere below "preprocessor stream4: disable_evasion_alerts"

Gonna test it myself later today.

Dirk
[CONTRIB UPDATE] Snort for smeserver 7.x
« Reply #13 on: February 23, 2007, 05:33:15 PM »
Yep here it is.
Make a custom template from 10part02.

Paste the following code below: "preprocessor flow: stats_interval 0 hash 2"
Code:
{
    # pasted into the custom copy of 10Part02: emit the sfportscan
    # preprocessor as one continued line; the last line needs no backslash
    $OUT .= "preprocessor sfportscan: proto { all } \\\n";
    $OUT .= "    scan_type { all } \\\n";
    $OUT .= "    sense_level { low }\n";
}

Expand the template snort.conf

Restart snort and portscan detection is working!
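An added check, not code from the contrib or from any of the posts, that reads a snort.conf the way Snort does (joining backslash-continued lines, tolerating a space after the backslash as the template fragment above emits) and reports whether sfportscan is active and at which sense_level, and whether the DCE/RPC preprocessor from Reply #7 is enabled; the sample config is constructed for the example.

```python
import re

# Constructed snort.conf excerpt in the shape the contrib's templates produce (not the real file).
SAMPLE_SNORT_CONF = "\n".join([
    "var HOME_NET 192.168.1.0/24",
    "var EXTERNAL_NET !$HOME_NET",
    "preprocessor flow: stats_interval 0 hash 2",
    "preprocessor stream4: disable_evasion_alerts",
    "preprocessor sfportscan: proto { all } \\ ",  # '\ ' then newline, as the template emits
    "    scan_type { all } \\ ",
    "    sense_level { medium }",
    "# preprocessor dcerpc: autodetect",  # commented out, so not active
    "output database: log, mysql, user=snort dbname=snort host=localhost",
])

def logical_lines(text):
    """Join backslash-continued lines as Snort does (whitespace after '\\' tolerated); skip comments/blanks."""
    out, buf = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if not buf and (not line or line.startswith("#")):
            continue
        if line.endswith("\\"):
            buf += line[:-1].strip() + " "
            continue
        out.append((buf + line).strip())
        buf = ""
    if buf:  # file ended on a continuation line
        out.append(buf.strip())
    return out

def enabled_preprocessors(text):
    """Map each active 'preprocessor NAME: args' line to its normalised args."""
    found = {}
    for line in logical_lines(text):
        if line.startswith("preprocessor "):
            name, _, args = line[len("preprocessor "):].partition(":")
            found[name.strip()] = " ".join(args.split())
    return found

def audit(text):
    """Is the DCE/RPC preprocessor (the one the 2.6.1.3 fix concerns) active, and how is sfportscan tuned?"""
    pre = enabled_preprocessors(text)
    m = re.search(r"sense_level\s*\{\s*(\w+)\s*\}", pre.get("sfportscan", ""))
    return {
        "dcerpc_active": "dcerpc" in pre,
        "sfportscan_active": "sfportscan" in pre,
        "sfportscan_sense_level": m.group(1) if m else None,
    }
```

Run audit() over the output of expand-template /etc/snort/snort.conf to confirm the fragment landed where intended before restarting snort.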

Dirk
[CONTRIB UPDATE] Snort for smeserver 7.x
« Reply #14 on: February 23, 2007, 06:01:44 PM »
On second thought, put it on medium; I got more results that way.

Check it through this website https://www.grc.com/x/ne.dll?rh1dkyd2

And see results in base afterwards.