Koozali.org: home of the SME Server
Obsolete Releases => SME 7.x Contribs => Topic started by: MasterSleepy on January 23, 2007, 10:49:07 AM
-
Hello All,
I've finished updating the snort installation contrib for smeserver 7.x
RPM :
http://www.vanhees.cc/modules.php?op=modload&name=CmodsDownload&file=index&req=viewdownloaddetails&lid=315&ttitle=smeserver-snort-2.6.1.2-1.i386.rpm
sRPM :
http://www.vanhees.cc/modules.php?op=modload&name=CmodsDownload&file=index&req=viewdownloaddetails&lid=316&ttitle=smeserver-snort-2.6.1.2-1.src.rpm
Be sure to uninstall the old contrib first and check that the directory /var/service/snortd has been removed.
This new version installs the latest version of snort available (2.6.1.2) and is better integrated within smeserver.
It also contains a script that relaunches guardian if it is installed.
A new version of guardian is also available
RPM:
http://www.vanhees.cc/modules.php?op=modload&name=CmodsDownload&file=index&req=viewdownloaddetails&lid=274&ttitle=smeserver-guardiand-1.7-4.noarch.rpm
sRPM :
http://www.vanhees.cc/modules.php?op=modload&name=CmodsDownload&file=index&req=viewdownloaddetails&lid=275&ttitle=smeserver-guardiand-1.7-4.src.rpm
Before installing the new version, be sure to uninstall the old contrib first and to make sure that the directory /var/service/guardiand has been removed.
Oinkmaster must also be updated to the latest version
RPM:
http://www.vanhees.cc/modules.php?op=modload&name=CmodsDownload&file=index&req=viewdownloaddetails&lid=272&ttitle=smeserver-oinkmaster-1.2-2.noarch.rpm
sRPM:
http://www.vanhees.cc/modules.php?op=modload&name=CmodsDownload&file=index&req=viewdownloaddetails&lid=273&ttitle=smeserver-oinkmaster-1.2-2.src.rpm
Concerning Base (http://sourceforge.net/projects/secureideas), nothing has changed:
RPM :
http://www.vanhees.cc/index.php?name=CmodsDownload&file=index&req=viewdownloaddetails&lid=276
sRPM :
http://www.vanhees.cc/index.php?name=CmodsDownload&file=index&req=viewdownloaddetails&lid=277
Regards
-
Merci!!! I uninstalled the older versions, and installed these. No problems.
I did the following to:
1) Log external attacks to my box
2) Attempt to have BASE report portscans
Is this correct? If not, any suggestions as to what I should do to make the above work?
- edit snort configs
mkdir -p /etc/e-smith/templates-custom/etc/snort/snort.conf
pico /etc/e-smith/templates-custom/etc/snort/snort.conf/10OutherNet
var EXTERNAL_NET !HOME
pico /etc/e-smith/templates-custom/etc/snort/snort.conf/11Portscan
# JNL Enable PortScan reporting
preprocessor stream4: detect_scans detect_state_problems
preprocessor stream4_reassemble: ports all
preprocessor portscan: 0.0.0.0/0 6 3 /var/log/snort/portscan.log
preprocessor portscan-ignorehosts: $DNS_SERVERS
touch /var/log/snort/portscan.log
chown snort:snort /var/log/snort/portscan.log
expand-template /etc/snort/snort.conf
service snortd restart
-
Hello,
Try modifying template 10Part02.
In this template you should find a line with
preprocessor stream4: disable_evasion_alerts
Replace this line with the lines you gave:
# JNL Enable PortScan reporting
preprocessor stream4: detect_scans detect_state_problems
preprocessor stream4_reassemble: ports all
preprocessor portscan: 0.0.0.0/0 6 3 /var/log/snort/portscan.log
preprocessor portscan-ignorehosts: $DNS_SERVERS
Regards.
-
This morning logrotate was eating 100% cpu load.
It was working through the snort logs in /var/log/snort.
This was going on for a couple of hours.
I would like to disable the logging to /var/log/snort and keep the logging to mysql.
How should I do this?
Dirk
-
Yesterday, I learned of a remotely exploitable vulnerability in snort (quite dangerous, it's a buffer overflow). Are you planning to upgrade your fantastic contrib to 2.6.2?
-
Hello,
I'll try to build a new rpm today to integrate version 2.6.1.3 and to solve the logrotate problem.
Regards.
-
This morning logrotate was eating 100% cpu load.
It was working through the snort logs in /var/log/snort.
This was going on for a couple of hours.
I would like to disable the logging to /var/log/snort and keep the logging to mysql.
How should I do this?
Dirk
I also experienced this. It seemed that the logrotate program kept gzip-ing the log files again and again, thus creating files like TCP:12345-80, TCP:12345-80.gz, TCP:12345-80.gz.gz etc. As a workaround I have changed this line in /etc/logrotate.d/snort:
/var/log/snort/alert /var/log/snort/*log /var/log/snort/*/alert /var/log/snort/*/*
to
/var/log/snort/alert /var/log/snort/*log /var/log/snort/*/alert
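The effect of that glob change, shown as an added example (not from the thread or the contrib): the shipped pattern list is expanded against a constructed copy of the /var/log/snort layout, and the files already ending in .gz that it hands back to logrotate are reported. The host directory name and file names are constructed.

```python
import glob
import os
import tempfile

# Constructed replica of the /var/log/snort layout described in the thread,
# built in a temporary directory so the example never touches the real logs.
def build_sample_tree(root):
    host_dir = os.path.join(root, "192.168.1.50")  # per-host packet-log dir (constructed)
    os.makedirs(host_dir)
    for name in ("alert", "portscan.log"):
        open(os.path.join(root, name), "w").close()
    open(os.path.join(host_dir, "alert"), "w").close()
    # a per-host packet log plus the copy logrotate already gzipped on an earlier run
    open(os.path.join(host_dir, "TCP:12345-80"), "w").close()
    open(os.path.join(host_dir, "TCP:12345-80.gz"), "w").close()
    return root

def expand_patterns(root, patterns):
    """Expand the globs of a logrotate stanza (given relative to the snort log dir)."""
    matched = set()
    for pat in patterns:
        matched.update(glob.glob(os.path.join(root, pat)))
    return {os.path.relpath(p, root) for p in matched}

def already_rotated(root, patterns):
    """Files the pattern list feeds back to logrotate although they are its own .gz output."""
    return sorted(f for f in expand_patterns(root, patterns) if f.endswith(".gz"))

OLD_PATTERNS = ["alert", "*log", "*/alert", "*/*"]  # shipped /etc/logrotate.d/snort line
NEW_PATTERNS = ["alert", "*log", "*/alert"]         # holck's workaround

def compare():
    """Return (old, new): the .gz files each pattern list re-selects on the sample tree."""
    with tempfile.TemporaryDirectory() as tmp:
        root = build_sample_tree(tmp)
        return already_rotated(root, OLD_PATTERNS), already_rotated(root, NEW_PATTERNS)

if __name__ == "__main__":
    old, new = compare()
    print("old pattern list re-rotates:", old)
    print("new pattern list re-rotates:", new)
```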
-
You are totally right holck, and that is what I'll modify in the rpm.
After checking this vulnerability, it only touches the DCE/RPC preprocessor.
And this preprocessor is not active by default in the original rpm.
The new version will come today or tomorrow.
-
Hello all,
As promised, here is the new version of smeserver-snort.
Based on version 2.6.1.3 of snort to correct the latest security alert.
It also corrects the logrotate problem.
RPM:
http://www.vanhees.cc/modules.php?op=modload&name=CmodsDownload&file=index&req=viewdownloaddetails&lid=315&ttitle=smeserver-snort-2.6.1.3-1.i386.rpm
sRPM:
http://www.vanhees.cc/modules.php?op=modload&name=CmodsDownload&file=index&req=viewdownloaddetails&lid=316&ttitle=smeserver-snort-2.6.1.3-1.src.rpm
To install, if you have version 2.6.1.2 installed, remove the old rpm with
rpm -e smeserver-snort --nodeps
Then install the new one.
If you have an older version installed, remove it first and make sure that the directories:
/var/service/snortd/
/var/log/snort/
/var/log/snortd/
have been removed, or remove them manually.
Regards.
-
Thanks for your contrib. I've just tested upgrading from 2.6.1.2 to 2.6.1.3. I first removed the old one with rpm -e --nodeps smeserver-snort, then I erased the needed directory (logs) and I installed the new one. But I have some warnings about databases which cannot be created because they already exist, which is normal as the uninstall of the previous version warns us that the databases are not dropped. My question is, can I ignore this error, will the new rpm continue filling the old databases?
-
Hello,
Yes, the db schema is still the same.
The error messages are totally normal.
Regards.
-
I'm looking forward to trying out this version soon. I uninstalled the older version due to the logrotate issues. I'm ready to reinstall, but before I do...
To the Snort users on this list, here are some questions I'd love answers for
1) What do I need to do to enable tracking of port scanning in BASE? My attempts earlier in this thread did not work. Are any of you doing it?
2) What would be required to set up another sensor on the external interface? The default snort.conf is set up to monitor internal traffic. I'd love to have another sensor monitoring the external interface to get a better picture of stuff happening on the outside, but is easily identified within BASE by sensor.
3) What do you all use to manage signatures? Do you do it by hand? Use a third party tool that is web based? Client based?
-
The contrib in my case is scanning the external interface.
For getting the portscan to work:
preprocessor sfportscan: proto { all } \
scan_type { all } \
sense_level { low }
This is from the snort manual and suggested by the BASE developers.
I have set it up before, and it worked.
Put this somewhere below "preprocessor stream4: disable_evasion_alerts"
Gonna test it myself later this day.
-
Yep here it is.
Make a custom template from 10part02
Paste the following code below: "preprocessor flow: stats_interval 0 hash 2"
{
    # emit the sfportscan preprocessor; "\\\n" ends a line with a backslash so snort reads the next line as a continuation
    $OUT .= "preprocessor sfportscan: proto { all } \\\n";
    $OUT .= "    scan_type { all } \\\n";
    $OUT .= "    sense_level { low }\n";
}
Expand the template snort.conf
Restart snort and portscan detection is working!
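A check for the expanded file, added here as an example that is not part of the post or the contrib: it joins snort.conf continuation lines the way the template emits them, maps each preprocessor directive to its options, and reports the sfportscan sense_level, so an admin can confirm expand-template produced what was intended before restarting snort. The conf fragment is constructed; tolerating blanks after the trailing backslash is an assumption of this parser.

```python
import re

# Constructed fragment of the snort.conf that expand-template produces once the
# sfportscan block from the post above is added to the custom 10part02 template.
SAMPLE_CONF = (
    "preprocessor flow: stats_interval 0 hash 2\n"
    "preprocessor sfportscan: proto { all } \\ \n"
    "    scan_type { all } \\ \n"
    "    sense_level { low }\n"
    "preprocessor stream4: disable_evasion_alerts\n"
    "output database: log, mysql, user=snort dbname=snort_log host=localhost\n"
)

def logical_lines(text):
    """Join physical lines ending in a backslash into one logical line, as snort's
    config reader does; blanks after the backslash are tolerated (assumption)."""
    buf, out = [], []
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.endswith("\\"):
            buf.append(line[:-1].strip())
            continue
        buf.append(line.strip())
        joined = " ".join(part for part in buf if part)
        buf = []
        if joined and not joined.startswith("#"):
            out.append(joined)
    return out

def preprocessors(text):
    """Map each 'preprocessor NAME: OPTIONS' directive to its whitespace-normalized options."""
    found = {}
    for line in logical_lines(text):
        m = re.match(r"preprocessor\s+([\w-]+)\s*:?\s*(.*)", line)
        if m:
            found[m.group(1)] = re.sub(r"\s+", " ", m.group(2)).strip()
    return found

def portscan_sense_level(text):
    """Return the sfportscan sense_level, or None when the preprocessor is absent."""
    opts = preprocessors(text).get("sfportscan")
    if opts is None:
        return None
    m = re.search(r"sense_level\s*\{\s*(\w+)\s*\}", opts)
    return m.group(1) if m else None

if __name__ == "__main__":
    print(preprocessors(SAMPLE_CONF))
    print("sfportscan sense_level:", portscan_sense_level(SAMPLE_CONF))
```

Run it against the real file with `portscan_sense_level(open("/etc/snort/snort.conf").read())` after expand-template; None means the custom template fragment did not make it into the output.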
-
On second thought, put it on medium; I got more results that way.
Check it through this website https://www.grc.com/x/ne.dll?rh1dkyd2
And see results in base afterwards.
-
Hi !
I would like to add the function of port scanning...
I tried Dirk's howto but it doesn't seem to work.
Here is what I've done:
copy/pasted the original template into templates-custom and added the lines under "preprocessor flow etc." (set it to medium)
Did an "expand-template /etc/snort/snort.conf" and "service snortd restart" and went to shieldsup to test it, but nothing was traced in BASE
What am I doing wrong ?
THX for any help !
[EDIT] Sorry, it's working, it seems that it's just taking time to log it into BASE !
-
Hello all,
I updated the snort contrib so that it uses the latest version, 2.6.1.5, of snort.
It also corrects a bug in serveronly mode.
RPM:
http://www.vanhees.cc/modules.php?op=modload&name=CmodsDownload&file=index&req=viewdownloaddetails&lid=315&ttitle=smeserver-snort-2.6.1.5-1.i386.rpm
sRPM:
http://www.vanhees.cc/modules.php?op=modload&name=CmodsDownload&file=index&req=viewdownloaddetails&lid=316&ttitle=smeserver-snort-2.6.1.5-1.src.rpm
You have to uninstall the old version first with
rpm -e smeserver-snort --nodeps
Then install the new one.
If you have an older version installed, remove it first and make sure that the directories:
/var/service/snortd/
/var/log/snort/
/var/log/snortd/
have been removed, or remove them manually.
Regards.
-
This is a great contrib!
Thanks a lot for your work!
I'm trying to install smeserver-snort this afternoon and if I encounter a problem I'll let you know.
Thanks!
Zeno
-
I have just tried to install this, but I get the following error:
======================= Activate sme snort ================================
======================= Creating snort_log database =======================
mysqladmin: connect to server at 'localhost' failed
error: 'Access denied for user 'root'@'localhost' (using password: YES)'
======================= Creating snort_archive database ===================
mysqladmin: connect to server at 'localhost' failed
error: 'Access denied for user 'root'@'localhost' (using password: YES)'
======================= Creating tables in snort_log ======================
ERROR 1045 (28000): Access denied for user 'root'@'localhost' (using password: YES)
Any suggestion on what I'm doing wrong? mysql is running and the root password is the same as my sme admin password.
-
Hello,
Why did you change the root password of mysql?
Please follow the instructions to reset the root password to the default one:
http://wiki.contribs.org/MySQL#Login_as_MySQL_root_user.
Regards,
MasterSleepy.
-
Hi,
I just installed this contrib. One thing I noticed is that it eats a lot of cpu load. Are there minimum requirements for snort?
10461 snort 23 0 574m 145m 888 R 94.9 67.1 7:04.82 snort
using smeserver-snort-2.6.1.5-1
smeserver-base-1.2.2-1
smeserver-oinkmaster-1.2-2
smeserver-guardiand-1.7-4
I already reinstalled but it is still the same.
Regards,
Rocel