Koozali.org: home of the SME Server

Snorting around E-smith

Luke Drumm

Snorting around E-smith
« on: July 10, 2001, 04:00:25 AM »
Hi,

Has anybody successfully deployed snort onto their e-smith systems? I know there have been one or two posts on this subject previously but still no word on their outcome.

Regards,
Luke

Shad L. Lords

Re: Snorting around E-smith
« Reply #1 on: July 10, 2001, 07:46:12 PM »
I currently have Snort, PortSentry, and LogCheck installed and working great.  

It alerts me to probes and attacks (blocks the sender) and emails me details of events that it thinks are out of the ordinary.

There are a lot of machines that have been compromised and are scanning for port 111 out there. It is nice to know that my e-smith server is just that much more secure.

-Shad

Justin

Re: Snorting around E-smith
« Reply #2 on: July 10, 2001, 08:03:33 PM »
I was the one working on the Snort rpm. I had a finished working product at one time but then redesigned my focus based on a different look at the functionality I was trying to achieve.

The rpm I am trying to finish now - installs Snort, Arachnids, and the ARIS upload client for the ARIS service at aris.securityfocus.com.

There are two agents running - one externally used for Attack Detection and one running on the internal interface specific to e-smith settings looking for Intrusion Detection. The internal rule set is based on some detailed threat modelling based on e-smith's detailed release of the e-smith security system.

I was previously using Arachnids to get my external interface snort rules downloaded from Whitehats.org but due to recent circumstance I again have to re-think how I want to set the whole thing up.

If you want to give it a go just using the regular snort rpm it isn't too difficult, and I will help where I can.

Justin.

Luke Drumm

Re: Snorting around E-smith
« Reply #3 on: July 11, 2001, 04:01:50 AM »
Thanks for the responses. I'll give it a go and see what I come up with.

Cheers,
Luke

Luke Drumm

Re: Snorting around E-smith
« Reply #4 on: July 13, 2001, 12:38:50 PM »
Hi,

Would you happen to know where I can get my hands on the rpm for libpq.so.2.0?

Regards,
Luke

Stephen Davis

Re: Snorting around E-smith
« Reply #5 on: July 13, 2001, 10:31:39 PM »
Where can one find this package?

Luke Drumm

Re: Snorting around E-smith
« Reply #6 on: July 16, 2001, 05:06:11 AM »
I found most of the snort stuff at one of the rpmfind sites (e.g. rpmfind.userfriendly.org).

The official site can be found at www.snort.org

Regards,
Luke