Koozali.org: home of the SME Server
Obsolete Releases => SME 7.x Contribs => Topic started by: MasterSleepy on February 27, 2006, 02:43:23 PM
-
Hello everyone,
I've finished some rpms for SME Server 7.0.
I've made a full installation of snort in its latest version, 2.4.3.
Two other rpms come with it, oinkmaster and guardian.
oinkmaster: keeps snort rules up to date
guardian: blacklists bad IP addresses
You can find the howto at this address: howto (http://www.vanhees.cc/index.php?module=ContentExpress&func=display&ceid=39)
Regards.
-
I'll give it a try tonight - the write-up is clear and looks good.
-
Mastersleepy, I'd like it if you could create an account in the bug tracker and request a new subcategory for your contrib. You can do that here:
http://bugs.contribs.org/enter_bug.cgi?product=SME%20Server%20bug%20tracker
We are going to have an addons and addons-testing repository for official contribs soon, and I think yours will be a popular one.
Looks great!
-
Okay, got the install completed.
Does this version have a web frontend to monitor from?
Also, does it install anything into the panel or not?
-
To Greg:
OK Greg, I'll follow your link.
To achandra:
Normally ACID should still work, but I haven't tested it.
No new panel has been developed; I think there is no need.
I will keep you up to date with my tests of ACID.
Regards.
-
I will keep you up-to-date with my test of acid.
Acid seems to be unmaintained. Base seems to be more popular, and there are rpms:
https://sourceforge.net/project/showfiles.php?group_id=103348&package_id=128846
-
Thanks for the info, Greg.
I'll adapt it to fit the current config.
Regards
-
Hello all,
I've finished the BASE rpm for SME Server.
The howto has been modified.
http://www.vanhees.cc/index.php?module=ContentExpress&func=display&ceid=39#step8
Regards.
-
MasterSleepy,
I appreciate all your hard work on this contrib and found the install easy to do. My one question, though, is how can I check to see that it has downloaded the new ruleset successfully using the oinkcode that I provided?
Thanks,
Colwyn
-
You'll receive an email to the admin account.
It's a cron task, so output will be sent to admin.
Regards.
-
Hi, should this work on version 7pre4? I have installed it as per the howto but nothing seems to be getting logged.
Any help appreciated.
Steve.
-
Hello,
Is your snortd service started properly?
service snortd status
If it's not started, try launching it manually with the command
/usr/sbin/snort -i eth0 -u snort -g snort -c /etc/snort/snort.conf -K ascii
and post the error message.
Thanks.
TO greg:
I've created bug 906 to request a new component, but it seems that I did something wrong; could you tell me my mistake?
Thanks.
-
Well, snort was running when I last looked; this morning I checked the status and it is stopping and starting.
So I ran
/usr/sbin/snort -i eth0 -u snort -g snort -c /etc/snort/snort.conf -K ascii
This is the output:
[root@rocky bleeding]# /usr/sbin/snort -i eth0 -u snort -g snort -c /etc/snort/snort.conf -K ascii
Running in IDS mode
Initializing Network Interface eth0
--== Initializing Snort ==--
Initializing Output Plugins!
Decoding Ethernet on interface eth0
Initializing Preprocessors!
Initializing Plug-ins!
Parsing Rules file /etc/snort/snort.conf
+++++++++++++++++++++++++++++++++++++++++++++++++++
Initializing rule chains...
,-----------[Flow Config]----------------------
| Stats Interval: 0
| Hash Method: 2
| Memcap: 10485760
| Rows : 4099
| Overhead Bytes: 16400(%0.16)
----------------------------------------------
No arguments to frag2 directive, setting defaults to:
Fragment timeout: 60 seconds
Fragment memory cap: 4194304 bytes
Fragment min_ttl: 0
Fragment ttl_limit: 5
Fragment Problems: 0
Self preservation threshold: 500
Self preservation period: 90
Suspend threshold: 1000
Suspend period: 30
Stream4 config:
Stateful inspection: ACTIVE
Session statistics: INACTIVE
Session timeout: 30 seconds
Session memory cap: 8388608 bytes
Session count max: 8192 sessions
Session cleanup count: 5
State alerts: INACTIVE
Evasion alerts: INACTIVE
Scan alerts: INACTIVE
Log Flushed Streams: INACTIVE
MinTTL: 1
TTL Limit: 5
Async Link: 0
State Protection: 0
Self preservation threshold: 50
Self preservation period: 90
Suspend threshold: 200
Suspend period: 30
Enforce TCP State: INACTIVE
Midstream Drop Alerts: INACTIVE
Server Data Inspection Limit: -1
HttpInspect Config:
GLOBAL CONFIG
Max Pipeline Requests: 0
Inspection Type: STATELESS
Detect Proxy Usage: NO
IIS Unicode Map Filename: /etc/snort/unicode.map
IIS Unicode Map Codepage: 1252
DEFAULT SERVER CONFIG:
Ports: 80 443 980
Flow Depth: 300
Max Chunk Length: 500000
Inspect Pipeline Requests: YES
URI Discovery Strict Mode: NO
Allow Proxy Usage: NO
Disable Alerting: YES
Oversize Dir Length: 3000
Only inspect URI: NO
Ascii: YES alert: NO
Double Decoding: YES alert: YES
%U Encoding: YES alert: YES
Bare Byte: YES alert: YES
Base36: OFF
UTF 8: OFF
IIS Unicode: YES alert: YES
Multiple Slash: YES alert: NO
IIS Backslash: YES alert: NO
Directory Traversal: YES alert: NO
Web Root Traversal: YES alert: YES
Apache WhiteSpace: YES alert: NO
IIS Delimiter: YES alert: NO
IIS Unicode Map: GLOBAL IIS UNICODE MAP CONFIG
Non-RFC Compliant Characters: NONE
rpc_decode arguments:
Ports to decode RPC on: 111 32771
alert_fragments: INACTIVE
alert_large_fragments: ACTIVE
alert_incomplete: ACTIVE
alert_multiple_requests: ACTIVE
telnet_decode arguments:
Ports to decode telnet on: 21 23 25 119
database: compiled support for ( mysql )
database: configured to use mysql
database: user = root
database: password is set
database: database name = snort_log
database: host = localhost
database: sensor name = 10.10.1.1
database: sensor id = 2
database: schema version = 106
database: using the "log" facility
ERROR: Warning: /etc/snort/rules/bleeding-drop-BLOCK.rules(40) => Unknown keyword ' fwsam' in rule!
Fatal Error, Quitting..
[root@rocky bleeding]#
I have removed the bleeding rules and now snort is running again; I will check later to see if anything is being logged.
Also, it says at the top "Decoding Ethernet on interface eth0"; interface eth0 is my internal network. Should it not be watching eth1 (external)?
Thanks for your help.
-
Hello,
I've already had that problem with the bleeding rules. Quite strange...
The best way for the moment is your solution: deactivate the bleeding rules update.
For eth0: it was just for the test, to look at the error message.
When started as a service, it will listen on the output interface.
Regards.
-
Hello,
I have tested this contrib, and it doesn't work.
After the install, I got a message saying the file containing the rule was bad. I renamed etc/snort/rules to ruless, and snort gives no error message. Is there a way?
In French (translated):
I get an error message when starting snort, saying that the file containing the rule is in error. I put # in front of all the lines of that file, and then snort reports another file containing rules as being in error. So I renamed etc/snort/rules to ruless, and then no more errors, snort starts without trouble. But no rules loaded?
-
Hello,
It's quite strange because that part of the config file is generated automatically when snort starts, and it depends on the rules you have in your rules directory.
I'll take a look at that.
Thanks for feedback.
-
Hello all,
Great thanks to androme (http://www.androme.org) who compiled snort in its latest version, 2.4.4.
This version includes some bug fixes in the install script.
So the best way to upgrade is to remove the old one first:
http://www.vanhees.cc/index.php?name=CmodsDownload&file=index&req=viewdownloaddetails&lid=270
Regards.
-
Hi,
I followed your howto but somehow when I go to BASE the MySQL database isn't complete.
It is complaining that there is no snort_log.iphdr table.
Is there something I can do to fix this?
Peter
-
Hello,
You can try to remove the base contrib, re-download it and reinstall it.
Can you post the message that the base application gives?
Regards.
-
Hi,
I reinstalled BASE but still the same.....
Here is the error:
The underlying database snort_log@localhost appears to be incomplete/invalid
Database ERROR:Table 'snort_log.iphdr' doesn't exist
It might be an older version. Only alert databases created by Snort 1.7-beta0 or later are supported
Thanx
Peter
-
Hi again,
I just looked at the logfile and it seems not to work with mysql???
I placed the logfile on my site so you can have a look at it.
http://smitti.mine.nu/snort.txt
Peter
-
OK, it appears that there is a big problem with the executable file.
I'll check that after work and give a new version asap.
-
OK, it appears that there is a big problem with the executable file.
I'll check that after work and give a new version asap.
Thanx I wil wait :D
Peter
-
Hello all,
Here is a new version,
several bug fixes have been made
http://www.vanhees.cc/index.php?name=CmodsDownload&file=index&req=viewsdownload&orderby=dateD
Regards.
-
Great it worked perfectly now :-D
Peter
-
Great it worked perfectly now :-D
Hi again,
I was too quick with my last reply...
snort is quitting because of an error:
2006-05-09 09:07:33.312436500 ERROR: ERROR /etc/snort/rules/community-dos.rules(7): Couldn't resolve hostname /1
2006-05-09 09:07:33.312571500 Fatal Error, Quitting..
2006-05-09 09:07:35.867129500 WARNING in /etc/e-smith/templates//etc/snort/snort.conf/05LocalNetwork: Use of uninitialized value in concatenation (.) or string at /etc/e-smith/templates//etc/snort/snort.conf/05LocalNetwork line 25.
2006-05-09 09:07:36.089330500 WARNING: Template processing succeeded for //etc/snort/snort.conf: 1 fragment generated warnings
2006-05-09 09:07:36.089345500 at /sbin/e-smith/expand-template line 45
2006-05-09 09:07:36.242631500 Running in IDS mode
Is there something I need to change in the template?
And I also looked in the community-dos.rules but I am a noob about this stuff :-(
Peter
-
Hi smitti,
Are you in gateway mode?
Can you give me the result of the following commands
db configuration show ExternalIP
cat /etc/snort/snort.conf | grep "var HOME_NET"
That will help me debug that template.
thanks
-
Hi,
No, I am in server-only mode but have all ports forwarded to the server.
The server is behind a Thomson ADSL modem.
The first command gives no result:
[root@ibm-server ~]# db configuration show ExternalIP
[root@ibm-server ~]#
The second one:
[root@ibm-server ~]# cat /etc/snort/snort.conf | grep "var HOME_NET"
# var HOME_NET 10.1.1.0/24
# var HOME_NET $eth0_ADDRESS
# var HOME_NET [10.1.1.0/24,192.168.1.0/24]
var HOME_NET [127.0.0.1/1,10.0.0.0/24,/1]
[root@ibm-server ~]#
Is it a problem when it's in server-only mode?
I am using this setup because the wifi is in the modem....
Before this I always used gateway mode.
Peter
-
OK, I'll adapt the template to take server-only mode into account.
A new version will be available soon.
Thanks for feedback.
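The broken HOME_NET list posted above (`[127.0.0.1/1,10.0.0.0/24,/1]`) is what the template produces when the ExternalIP variable is empty in server-only mode. As an added example, not part of the contrib or of this thread, here is a small Python check that parses the active `var HOME_NET` line from a snort.conf and flags entries with a missing address or an overly broad prefix; the sample conf text is constructed from the lines shown above.

```python
"""Sanity-check the HOME_NET variable generated into snort.conf.

Added example, not part of the smeserver-snort contrib. The sample conf text
below is constructed from the HOME_NET lines posted in this thread.
"""
import ipaddress
import re

# Constructed sample input: commented-out examples plus the broken generated line.
SAMPLE_SNORT_CONF = """\
# var HOME_NET 10.1.1.0/24
# var HOME_NET $eth0_ADDRESS
# var HOME_NET [10.1.1.0/24,192.168.1.0/24]
var HOME_NET [127.0.0.1/1,10.0.0.0/24,/1]
var EXTERNAL_NET !$HOME_NET
"""

# Matches an active (uncommented) `var NAME VALUE` line.
VAR_RE = re.compile(r'^\s*var\s+(\w+)\s+(\S+)\s*$')


def parse_vars(conf_text):
    """Return {name: value} for every active `var` line in the config."""
    found = {}
    for line in conf_text.splitlines():
        match = VAR_RE.match(line)
        if match:
            found[match.group(1)] = match.group(2)
    return found


def split_address_list(value):
    """Split a Snort address list like `[a,b,c]` (or a single token) into items."""
    value = value.strip()
    if value.startswith('[') and value.endswith(']'):
        value = value[1:-1]
    return [item.strip() for item in value.split(',')]


def check_network_item(item):
    """Return None if the item looks sane, otherwise a short reason string."""
    if item == '':
        return 'empty entry'
    body = item[1:] if item.startswith('!') else item  # strip negation
    if body == 'any' or body.startswith('$'):
        return None  # keyword or variable reference, resolved by Snort itself
    if body.startswith('/'):
        return 'missing address before prefix (template variable was empty)'
    try:
        net = ipaddress.ip_network(body, strict=False)
    except ValueError as exc:
        return f'unparsable: {exc}'
    # 127.0.0.1/1 is syntactically valid but marks half the IPv4 space as
    # "home", so rules keyed on $EXTERNAL_NET never fire for those sources.
    if '/' in body and net.prefixlen < 8:
        return f'suspiciously broad prefix /{net.prefixlen}'
    return None


def check_home_net(conf_text):
    """Return [(item, reason), ...] for bad HOME_NET entries; [] if all look sane."""
    variables = parse_vars(conf_text)
    if 'HOME_NET' not in variables:
        return [('HOME_NET', 'not defined')]
    problems = []
    for item in split_address_list(variables['HOME_NET']):
        reason = check_network_item(item)
        if reason is not None:
            problems.append((item, reason))
    return problems


if __name__ == '__main__':
    for item, reason in check_home_net(SAMPLE_SNORT_CONF):
        print(f'HOME_NET entry {item!r}: {reason}')
```

Run against a real file with `check_home_net(open('/etc/snort/snort.conf').read())`; an empty list means every entry parsed as a plausible network.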
-
Hello,
Here is the latest version of snort for SME Server 7.
I used the latest snort version, 2.6.
The new rpm also corrects server-only mode.
Here is the howto:
http://www.vanhees.cc/index.php?module=ContentExpress&func=display&ceid=39
The rpms:
smeserver-snort-2.6.0-1.i386.rpm (http://www.vanhees.cc/modules.php?op=modload&name=CmodsDownload&file=index&req=viewdownloaddetails&lid=302&ttitle=smeserver-snort-2.6.0-1.i386.rpm)
smeserver-snort-2.6.0-1.src.rpm (http://www.vanhees.cc/modules.php?op=modload&name=CmodsDownload&file=index&req=viewdownloaddetails&lid=303&ttitle=smeserver-snort-2.6.0-1.src.rpm)
I suggest removing the old rpm before installing the new one.
Regards.
-
thanx.....
Going to try it soon, I am off on a holiday next Friday.
Hope to test it before.........
Peter
-
Thanks much MasterSleepy!
I installed the new version and it seems to have cleared up some problems I was having before.
Server-Only Mode
Thank you very much for this great contribution!
G
-
MasterSleepy
I installed your contribs and seem to have everything working.
I set up oinkmaster to grab the rules, it did . . .
It restarted and it is logging to the alerts file and the MySQL DB.
Only problem is when I go to my server via https to the /base directory I don't see any alerts listed. If I enter into the admin within /base and go into the "cache and Status" section (which I can just fine) I see there is a listing of "Total Events: 1636"
yet nothing shows in the web interface of /base
I have verified that the /var/log/snort/alerts file IS indeed working.
It is, and Guardian is doing a good job of blocking people (I even accidentally blocked myself once).
So, I assume (and now I see) that /base uses the sql file only.
So I assumed I had SQL errors so I looked at /var/log/snortd/current and see the following errors:
@4000000044d0ab780b766514 database: mysql_error: Unknown column 'sig_gid' in 'where clause'
@4000000044d0ab780b76789c database: Problem inserting a new signature 'BAD-TRAFFIC udp port 0 traffic': INSERT INTO signature (sig_name,sig_class_id,sig_priority,sig_rev,sig_sid,sig_gid) VALUES ('BAD-TRAFFIC udp port 0 traffic',1,3,9,525,1)
@4000000044d0ab780b85eda4 database: mysql_error: Duplicate entry '0-1' for key 1
@4000000044d0ab780b8608fc SQL=INSERT INTO sig_reference (sig_id, ref_seq, ref_id) VALUES (0, 1, 2)
@4000000044d0ab780b9589bc database: mysql_error: Duplicate entry '0-2' for key 1
@4000000044d0ab780b95a12c SQL=INSERT INTO sig_reference (sig_id, ref_seq, ref_id) VALUES (0, 2, 3)
@4000000044d0ab780ba3e584 database: mysql_error: Duplicate entry '0-3' for key 1
@4000000044d0ab780ba3fcf4 SQL=INSERT INTO sig_reference (sig_id, ref_seq, ref_id) VALUES (0, 3, 4)
I assume my tables aren't quite right.
I am not much of a SQL hack, but I reckon I could try to manually create some of the tables and fields to get this working?
Any advice?
Is there a way to rebuild my DB from here?
Thanks!
-
After reading the last post, I went back to my test box and took another look.
I too have the same problem. Here are the last few lines from my log:
@4000000044d0ae4d24d2336c database: mysql_error: Unknown column 'sig_gid' in 'where clause'
@4000000044d0ae4d357d32fc database: mysql_error: Unknown column 'sig_gid' in 'field list'
@4000000044d0ae4d357d3eb4 SQL=INSERT INTO signature (sig_name,sig_class_id,sig_priority,sig_rev,sig_sid,sig_gid) VALUES ('DNS SPOOF query response with TTL of 1 min. and no authority',1,2,4,254,1)
@4000000044d0ae4d3581f9a4 database: mysql_error: Unknown column 'sig_gid' in 'where clause'
@4000000044d0ae4d3582055c database: Problem inserting a new signature 'DNS SPOOF query response with TTL of 1 min. and no authority': INSERT INTO signature (sig_name,sig_class_id,sig_priority,sig_rev,sig_sid,sig_gid) VALUES ('DNS SPOOF query response with TTL of 1 min. and no authority',1,2,4,254,1)
G
-
I got mine working . . .
I used phpMyAdmin and I went into the "signature" row and added "sig_gid" as a field (I just copied the attributes of the "sig_sid" field) and snort immediately began to propagate it.
All is now well although I am guessing I need to do that to the snort_archive db too. (which I have not done)
-
Once again, thanks MasterSleepy for this great contrib.
But, I have a couple more questions if I may . . .
I see in the /etc/guardian.conf that logging is enabled . . .
# Guardian's log file
LogFile /var/log/guardian.log
but the /var/log/guardian.log is not there.
I manually created it and guardian still does not log to it.
The reason I was wanting to see the log was to more fully understand what guardian is doing and why. I am black holing IP addresses upon identifying a TCP based signature. Most of my alerts are ICMP though and I see guardian is not acting on those events (which is probably the best anyway)
But, how does one go about tweaking guardian?
All I see to tweak is the /etc/guardian.ignore file (which I have edited and works - this is AFTER black holing my own IP)
Also . . .
I have enabled the community rules thus far.
I have not enabled any other rules.
I ran nessus (win32 version - maybe that's the issue) against the box running snort and got VERY few alerts from the scan.
I ran nessus against my firewall and it lit up like a Christmas tree and clearly identified the nessus scan as a hostile port scan and emailed alerts right out.
It seems that my Netscreen Firewall has more IDS detection capability than the brand new snort box.
I'm sure I just need to enable more rules.
It does look like the preprocessors are mostly all active and I should have seen that port scan.
Any further info or advice would be greatly appreciated.
Thanks!
-
Hello all,
There is a problem with the latest version of snort and the mysql db.
For the moment the only solution I have is to deactivate mysql support:
db configuration setprop snortd mysql disabled
service snortd restart
I'll correct the package to include the right mysql solution soon.
For tuning guardian: it's not guardian you have to tune; with guardian you can only whitelist some IPs.
The rest has to be tuned in the snort rules so as not to raise alerts on your ICMP problem.
But I'm not an expert in snort rules.
Regards.
-
Thanks for the info . . .
But, the problem may not just be with MYSQL . .
I went back and looked at the /var/log/snort/alerts file and don't see much picked up there from the nessus scan either.
I'm not sure it's just the DB not getting the events.
Thanks for your effort.
-
Hello all,
Here is a new version of snort rpm.
smeserver-snort-2.6.0-2.i386.rpm (http://www.vanhees.cc/index.php?name=CmodsDownload&file=index&req=viewdownloaddetails&lid=302)
smeserver-snort-2.6.0-2.src.rpm (http://www.vanhees.cc/index.php?name=CmodsDownload&file=index&req=viewdownloaddetails&lid=303)
This version corrects the db problem.
I've also updated the guardian contrib to correct the log problem.
smeserver-guardiand-1.7-2.noarch.rpm (http://www.vanhees.cc/index.php?name=CmodsDownload&file=index&req=viewdownloaddetails&lid=274)
smeserver-guardiand-1.7-2.src.rpm (http://www.vanhees.cc/index.php?name=CmodsDownload&file=index&req=viewdownloaddetails&lid=275)
Regards.
-
Thanks MasterSleepy . . .
I'll give this one a shot tonight.
Over the weekend I had removed your last versions, then installed the RHEL rpm of snort 2.6.0-1 which is better but still seems to act oddly depending on how you start it and which switches you give it.
I had everything working pretty well until I authored some pass rules, then gave it the -o flag.
Also trying to get the portscanignore list established seems to have freaked it out.
Thanks again!
-
Hi MasterSleepy,
Thanks again for your efforts.
I tried downloading the new snort RPM 3 times with different browsers, but I get this error every time:
[root@sol ~]# rpm -Uvh smeserver-snort-2.6.0-2.i386.rpm
error: smeserver-snort-2.6.0-2.i386.rpm: MD5 digest: BAD Expected(6158d5f97961a0d1f9dd71548ace232b) != (b7a5caf19cb7c320c65edc5afa5ca4db)
error: smeserver-snort-2.6.0-2.i386.rpm cannot be installed
G
-
Hello sonoracomm,
The problem has been solved by uploading a fresh new rpm.
Now it should be good.
Regards.
-
Hi,
I installed these rpm's on a fresh-SME7.0 server.
/var/log/guardian.log is missing, I used 'touch /var/log/guardian.log' to correct this. It seems guardian is now working fine.
Only snort isn't picking up any alerts, /var/log/snortd and /var/log/snort are empty and the base-page hasn't got any alerts. Also I couldn't find any snort-logfiles in the server-manager.
$HOME_NET and $External_NET are both ok, and I downloaded the latest rules through oinkmaster.
-
Hello,
I'll check the guardian.log; normally all errors go to /var/log/guardiand/current.
For snort, by default all reports go to mysql except alerts, which go to /var/log/snort/alert.
Normally you should see some alerts coming in that file.
Please make sure that snort is running well:
ps -ef | grep snort
regards.
-
Hi MasterSleepy,
Thanks for the quick reply. Snort is running.
If MySQL is being 'filled' by snort then that should be visible through the Base-page? So if I see no alerts here, something is wrong?
regards.
-
Hi again,
I got the new packages installed and everything seemed to go well.
However, nothing shows in BASE.
There is no /var/log/snort/alert log.
This is all I get in /var/log/guardiand/current:
@4000000044da24c1231fff2c OS shows Linux
@4000000044da24c123200ae4 Warning! HostIpAddr is undefined! Attempting to guess..
@4000000044da24c123488dfc Got it.. your HostIpAddr is 192.168.2.2
@4000000044da24c1234895cc Warning! Logfile is not writeable! Engaging debug mode, output to STDOUT
@4000000044da24c123489d9c My ip address and interface are: 192.168.2.2 eth0
@4000000044da24c12348a184 Loaded 0 addresses from /etc/guardian.ignore
@4000000044da24c12348a56c Running in debug mode..
Repeated many times.
Does this suite work for Server Only mode? Almost all my (clients') servers are installed that way, with only certain ports forwarded into the server. Are there specific settings recommended for Server Only mode?
I'm sorry to be the problem child...I'm new to IDS.
Thank you again, (Michael) everyone.
G
-
Hi,
The guardiand/current logfile is flooded with this message:
2006-08-09 18:10:57.304659500 OS shows Linux
2006-08-09 18:10:57.304665500 Warning! HostIpAddr is undefined! Attempting to guess..
2006-08-09 18:10:57.309559500 Got it.. your HostIpAddr is 145.99.100.100
2006-08-09 18:10:57.309566500 My ip address and interface are: 145.99.100.100 eth1
2006-08-09 18:10:57.309569500 Loaded 2 addresses from /etc/guardian.ignore
2006-08-09 18:10:57.309571500 Becoming a daemon..
Every 2 seconds...
-
Though my messages were a bit different, my logs were filling fast and my server was constantly busy.
I had to uninstall the rpms.
Is there some way I can help in troubleshooting this?
Thanks again for all your efforts,
G
-
MasterSleepy... I followed your directions and have installed Snort on SME 7. It's been running for almost a week now, with NO logs at all. I keep checking BASE to see if anything has been detected and there is nothing in the cache. Is anyone else experiencing this problem? I'd installed (using your directions) on previous versions of SME and everything worked great. Please help.
Here is my guardian log:
@4000000044e4f08b14495df4 OS shows Linux
@4000000044e4f08b1449794c Warning! HostIpAddr is undefined! Attempting to guess..
@4000000044e4f08b14aaf654 Got it.. your HostIpAddr is 100.100.100.100
@4000000044e4f08b14ab11ac Warning! Logfile is not writeable! Engaging debug mode, output to STDOUT
@4000000044e4f08b14ab214c My ip address and interface are: 100.100.100.100 ppp0
@4000000044e4f08b14ab2d04 Loaded 0 addresses from /etc/guardian.ignore
@4000000044e4f08b14ab38bc Running in debug mode..
-
Same problem here!
My guardian log:
2006-08-21 23:31:16.991932500 OS shows Linux
2006-08-21 23:31:16.991938500 Warning! HostIpAddr is undefined! Attempting to guess..
(Running server/gateway mode)
-
Take a look at:
http://community.smoothwall.org/forum/viewtopic.php?t=5702&postdays=0&postorder=asc&start=60
for a few things to try
-
I checked out the information on that other forum, and I didn't find any of it to be useful in solving the problem. I hope that MasterSleepy can provide a solution.
-
Hi there !
I'm seeing 100% CPU utilisation all the time with the latest rpm smeserver-snort-2.6.0-2.i386.rpm and all the required up-to-date rpms.
I've uninstalled all the needed rpms, removed the folders and SQL databases as told in the download area, and CPU utilisation goes back to 2%!!!
I tried another install, with the old rpm version smeserver-snort-2.4.4-2.i386.rpm. CPU utilisation is better, but it's still at 35-50% all the time...
Is that normal??? Normally, I'm near 2-10% max...
Then I tested a scan + vulnerability probe (server-only, scan from LAN) and snort+guardiand didn't blacklist me... Is that normal too?
-
Here is my situation:
smeserver-snort-2.6.0-2
smeserver-base-1.2.2-1
smeserver-oinkmaster-1.2-1
and
[root@goldrake ~]# ps ux | grep snort
root 1482 2.6 0.1 2872 304 ? Ss 13:02 10:36 runsvdir -P /service log: var/log/snortd: access denied?multilog: fatal: unable to lock directory /var/log/snortd: access denied?multilog: fatal: unable to lock directory /var/log/snortd: access denied?multilog: fatal: unable to lock directory /var/log/snortd: access denied?multilog: fatal: unable to lock directory /var/log/snortd: access denied?multilog: fatal: unable to lock directory /var/log/snortd: access denied?
root 1686 12.7 0.0 3228 224 ? Rs 13:02 51:02 runsv snortd
root 5162 0.0 0.9 9252 2836 ? S 13:04 0:00 /usr/sbin/snort -i eth0 -u snort -g snort -c /etc/snort/snort.conf -K ascii -p
root 8063 0.0 0.2 4508 608 pts/1 S+ 19:43 0:00 grep snort
If I access the base webpage I see empty alarms....
The database is correctly made.
-
Same exact issue here. New bug report submitted:
http://bugs.contribs.org/show_bug.cgi?id=1976
Craig Jensen
-
I'm having the same issue as Konsa
[root@gluon snort]# ps ux | grep snort
root 2140 0.4 0.0 2816 304 ? Ss 13:16 0:16 runsvdir -P /service log: /log/snortd: access denied?multilog: fatal: unable to lock directory /var/log/snortd: access denied?multilog: fatal: unable to lock directory /var/log/snortd: access denied?multilog: fatal: unable to lock directory /var/log/snortd: access denied?multilog: fatal: unable to lock directory /var/log/snortd: access denied?multilog: fatal: unable to lock directory /var/log/snortd: access denied?...
root 2488 1.4 0.0 3232 212 ? Ss 13:16 0:53 runsv snortd
root 17649 0.0 0.0 4744 588 pts/0 S+ 14:16 0:00 grep snort
I'm running:
smeserver-base-1.2.2-1.noarch.rpm
smeserver-guardiand-1.7-3.noarch.rpm
smeserver-oinkmaster-1.2-1.noarch.rpm
smeserver-snort-2.6.0-2.i386.rpm
And I did create and modify the /etc/snort/guardianlog file as cjensen suggests.
I also did a chown smelog:smelog /var/log/snortd with no luck
restarting snortd does append /var/log/snortd/current...
-
Hello all,
A new version will soon be available.
Soon means when I have enough time.
The new version will use the latest version of the snort 2.6 branch.
I'll also test the SME service features more, so maybe that kind of problem will be solved.
Will be back.
Regards.