SECURITY: Snort installation
If you have a system or network connected to the Internet, you become a target. Your network is being scanned for vulnerabilities. This may happen only once a month or twice a day; regardless, there are people out there probing your network and systems for weaknesses. It is always good to know if someone is attempting to break into your network. You can compare this to having a camera monitoring your front door; without this camera you would never know who even attempted to pick your lock unsuccessfully. This is why we put an Intrusion Detection System (IDS) in place. This documentation (http://www.root0.net/snort/) will show how you can protect yourself by installing an Intrusion Detection System with the freely available software called Snort on a Linux system. :cool:
Who are you mysterious root0.net person ???
Thanks for the helpful tips ... :-)
Lady Linux
Just H-Sphere admin :D
Fixed some stupid remarks. :eek:
Snort installation script is working now.
Sorry for inconveniences.
Anybody had any problems with this?
Mine stops at this point :)
Snort installation
Download
Install
[root@mail root]#
Worked ok with RHES ... Whatcha Running ??
LL
*sigh* The installation script supports RH 7.3 and RHES. No love for FreeBSD :(
RedHat 7.3
It's not that hard a script .. Maybe someone with a FreeBSD box can bring the "Love" to it.
Lady Linux
Mine stops here too-
Snort installation
Download
Install
Running redhat 7.3
Any ideas?
You can install snort from FreeBSD ports; it's easier than any script. You just might have to update your dependencies.
vini
This problem already was fixed. Just download and run installation script again... :rolleyes:
dynamicnet
08-19-04, 07:43
Greetings roj:
Since you posted your script, snortsam and snort have had new releases.
Will you be incorporating them as well?
Thank you.
just tried again -- same thing... :confused:
Thanks. I'll check it, but it needs some time...
Hm...
OK, try to download and run http://www.root0.net/snort/snort_inst.1.sh instead of snort_inst.sh
getting closer-- I get this now-
Snort installation
Download
Install
error: failed dependencies:
libpcap.so.0.6.2 is needed by snort-mysql-sam-2.1.3-0
Just install the libpcap-0.6.2 RPM package.
Get it here:
ftp://fr2.rpmfind.net/linux/redhat/7.3/en/os/i386/RedHat/RPMS/libpcap-0.6.2-12.i386.rpm
and after that run the install script again...
all set- I just found it and installed before I read your reply-
Thanks!
We recreated the Snort and SnortSam RPM packages and changed the snort_install script.
Current versions:
Snort-2.2.0
Snortsam-2.25
dynamicnet
10-05-04, 17:43
Greetings Roj:
We use Bastille for Linux to manage our iptables-based, software, firewall.
snortsam's default for iptables is based on http://www.snortsam.net/files/snortsam-v2_multi-threaded/README.iptables
which uses "iptables -I FORWARD -i eth1 -s {ip_addr_to_be_blocked} -j REJECT"
This doesn't work with Bastille ;-)
Per http://www.snortsam.net/files/snortsam-v2_multi-threaded/README.iptables, I can edit the one c file to get it to work.
Question: Your installation is based on an RPM vs. source. Can I just pull the source down from http://www.snortsam.net/ and build from there?
That way I can work on the source code.
If so, what defaults (directory locations, etc.) does the build in your RPM use?
Thank you.
dynamicnet
10-14-04, 18:14
Greetings Roj:
I don't know if this is the case with Snortsam 2.2.5 you have included, but I went ahead this evening and compiled Snortsam 2.2.6 from source (after using the rest of your package the other weekend).
It does work; though it turned out I didn't have to modify ssp_iptables.c per http://www.snortsam.net/files/snortsam-v2_multi-threaded/README.iptables
Even though http://www.snortsam.net/files/snortsam-v2_multi-threaded/README.iptables states there is only one iptables rule created (for the FORWARD chain), it actually creates one INPUT rule and one FORWARD rule.
So that works with Bastille-based management of iptables without modifications.
So far the system is working nicely; though my main complaint is that the snortsam email alert as well as the log entries (even on the most verbose setting) do not include the snort SID # or (even better) the snort (more English-like) "msg".
I did contact the author of snortsam and the iptables plugin to see if that issue can be resolved.
I do thank you for putting together http://www.root0.net/snort/ along with the rpm and installation set up. It was very easy to follow and use.
Thank you!
dynamicnet
10-14-04, 21:25
Hi Roj:
From Frank Knobbe, the author of Snortsam, when asked about the signature ID being 0 in the email:
"You will have to use a Snort version that has the latest version of the Snortsam plugin compiled into it. The latest Snortsam plugin patch can get downloaded from http://www.snortsam.net/files/snort-plugin/snortsam-patch.tar.gz Alternatively, the precompiled binaries on the web site now all include the new plugin.
If you build Snort yourself, you need to update the Snortsam plugin and recompile Snort. The old plugin still works but does not transmit the SID while the new (or current) version of the plugin does."
I noticed that when I compile 2.2.6 from scratch I get SID always of 0.
If I use your version as is; then I don't get any SID.
E.g.: Blocking host 24.97.203.43 (rrcs-24-97-203-43.nys.biz.rr.com) completely for 1800 seconds.
Your page states you have snort with the plugin compiled. Correct?
Have you tried rebuilding your rpm on the latest releases?
I'm using a loglevel 3 and no sid; which would be nice when someone calls asking why an IP is being blocked.
Thoughts?
Thank you.
I got this... Where do I go to download this rpm?
Install
error: failed dependencies:
libc.so.6(GLIBC_2.3) is needed by snort-mysql-sam-2.2.0-0
Thanks
dynamicnet
10-15-04, 05:35
Greetings Yong:
The material states this is for RedHat Linux and CentOS.
If memory serves me correctly, you are on FreeBSD. Correct?
Thank you.
Hi,
I've got a mixture of FreeBSD as well as Redhat Linux... I am now trying to install it on a Redhat Linux WS2.1 platform...
Any idea? :>
dynamicnet
10-15-04, 13:00
Hi Yong:
While Roj has RedHat Enterprise listed on http://www.root0.net/snort/, I believe he means RedHat Enterprise 3. I'm not sure if his RPM will work on an older enterprise; only he could answer that question.
Thank you.
We've downloaded the latest snortsam sources and snort patch and will recreate the RPMs/scripts ASAP.
Thank you.
Yes, I mean RedHat Enterprise 3. RPMs were created and tested only for the RedHat Enterprise 3 and RedHat 7.3 OSs. As I can see from this forum, those are the two main operating systems in use. Try the http://www.root0.net/snort/snort_inst.2.2.0-f.sh script. The --nodeps key was added to the snort-mysql-sam-2.2.0-0 installation line.
dynamicnet
10-16-04, 09:39
Hi Roj:
Awesome and thank you!
Please let me know when it is ready, and we will start testing as soon as possible.
Thank you!!
We've recreated Snort package with new patch and SnortSam version 2.26. You can use it.
Hi Roj:
Has Snort itself been patched?
Thank you.
Yes, and now snortsam sends messages like:
---
Blocking host 64.246.56.78 (domain.com) completely for 3600 seconds.
This block was triggered by signature ID: 1002
---
and
---
Removing 3600 sec complete block for host 64.246.56.78 (domain.com).
The block was originally triggered by signature ID: 1002
---
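The block and unblock messages quoted above are what an operator has to read when, as dynamicnet put it earlier, someone calls asking why an IP is being blocked. The following is an added example (not part of the thread, the root0.net scripts, or SnortSam itself) that parses those messages into records, flags blocks that carry no usable signature ID (the line is absent with the old plugin, or reads 0 with a stale one, as discussed above), and replays the events to list which hosts are still blocked. The message formats are taken from the thread; the sample text is constructed, with the extra hosts using RFC 5737 documentation addresses.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# SnortSam's block/unblock messages in the form shown in this thread. The signature
# line follows the block line only when Snort was built with the current plugin.
BLOCK_RE = re.compile(
    r"^Blocking host (?P<ip>\S+) \((?P<name>[^)]*)\) completely for (?P<secs>\d+) seconds\.$")
UNBLOCK_RE = re.compile(
    r"^Removing (?P<secs>\d+) sec complete block for host (?P<ip>\S+) \((?P<name>[^)]*)\)\.$")
SID_RE = re.compile(r"triggered by signature ID: (?P<sid>\d+)")


@dataclass
class BlockEvent:
    action: str              # "block" or "unblock"
    ip: str
    name: str
    seconds: int
    sid: Optional[int] = None  # None: no signature line at all (old plugin)

    def sid_missing(self) -> bool:
        # Old plugin omits the line, stale plugin sends 0; either way the operator
        # cannot tell which rule caused the block.
        return self.sid is None or self.sid == 0


def parse_snortsam_messages(text: str) -> List[BlockEvent]:
    """Turn SnortSam log/email text into BlockEvent records, in file order."""
    events: List[BlockEvent] = []
    for raw in text.splitlines():
        line = raw.strip()
        m = BLOCK_RE.match(line)
        if m:
            events.append(BlockEvent("block", m["ip"], m["name"], int(m["secs"])))
            continue
        m = UNBLOCK_RE.match(line)
        if m:
            events.append(BlockEvent("unblock", m["ip"], m["name"], int(m["secs"])))
            continue
        m = SID_RE.search(line)
        if m and events and events[-1].sid is None:
            events[-1].sid = int(m["sid"])   # attach to the message just parsed
        # "---" separators and anything unrecognised are ignored
    return events


def active_blocks(events: List[BlockEvent]) -> Dict[str, BlockEvent]:
    """Replay the events in order; returns ip -> the block still in force."""
    active: Dict[str, BlockEvent] = {}
    for ev in events:
        if ev.action == "block":
            active[ev.ip] = ev
        else:
            active.pop(ev.ip, None)
    return active


def events_without_sid(events: List[BlockEvent]) -> List[BlockEvent]:
    """Blocks whose cause cannot be traced back to a Snort rule."""
    return [ev for ev in events if ev.action == "block" and ev.sid_missing()]


# Constructed sample: the two messages quoted in this thread plus two synthetic blocks,
# one from a stale plugin (SID 0) and one from an old plugin (no signature line).
SAMPLE_MESSAGES = """\
Blocking host 64.246.56.78 (domain.com) completely for 3600 seconds.
This block was triggered by signature ID: 1002
---
Blocking host 192.0.2.10 (stale-plugin.example) completely for 1800 seconds.
This block was triggered by signature ID: 0
---
Blocking host 198.51.100.7 (old-plugin.example) completely for 1800 seconds.
---
Removing 3600 sec complete block for host 64.246.56.78 (domain.com).
The block was originally triggered by signature ID: 1002
"""

if __name__ == "__main__":
    evs = parse_snortsam_messages(SAMPLE_MESSAGES)
    for ip, ev in active_blocks(evs).items():
        print(f"{ip} ({ev.name}) blocked for {ev.seconds}s, sid={ev.sid}")
    for ev in events_without_sid(evs):
        print(f"no usable signature ID for block of {ev.ip}: check the SnortSam plugin in Snort")
```

Pointing this at the real snortsam log (the thread's configuration writes it to /var/log/snort/snortsam.log) gives a quick answer to "why is this IP blocked", and a non-empty result from events_without_sid is the sign that the sensor is still running a Snort build without the current plugin.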
dynamicnet
10-18-04, 11:05
Hi Roj:
Confirmed; thank you very much!
Thank you.
dynamicnet
10-20-04, 06:19
Greetings Roj:
From testing:
On RedHat Enterprise ES 3, Taroon 3, the system works perfectly.
On RedHat 7.3 (latest packages), snort constantly loses the connection to snortsam:
snort: WARNING => [Alert_FWsam] Did not receive response from host 10.0.0.6. Will try again later.
I've tried the default of 127.0.0.0/24, 127.0.0.1, 10.0.0.6
I've tried binding to a single IP.
No matter what I try, on RedHat 7.3... within less than two minutes, I will get the error noted above.
RedHat Enterprise, flawless as I can tell.
RedHat 7.3, snort reports to the database, but not to snortsam unless there are constant (every literal minute) restarts.
Thank you.
Was snortsam started ?
We have installed the latest snort packages on several RedHat 7.3 servers and haven't had any problems...
dynamicnet
10-23-04, 07:26
Greetings:
Yes. /usr/sbin/snortsam was started and running; and the snortsam log showed no errors.
snortd was then started, and it connects the first time per /var/log/messages
But within moments, it can no longer connect to snortsam.
Would you mind sharing your /etc/snort/snortsam.conf and /etc/snort/snort.conf configuration files?
Thank you.
I didn't change /etc/snort/snort.conf file
[root@cp snort]# cat /etc/snort/snortsam.conf | grep -v "^$" | grep -v "^#"
accept 127.0.0.0/24
dontblock 192.168.0.0/16
dontblock 10.0.0.0/8
dontblock X.X.X.X # (My IP)
email 127.0.0.1 info@mydomain.com snortsam@mydomain.com
iptables eth0 /var/log/snort/snortsam_eth0.log
logfile /var/log/snort/snortsam.log
daemon
[root@cp snort]#
Today I got the same log when I tried to restart snort:
=============
....
Oct 29 01:52:36 cp snort: Ports to decode telnet on: 21 23 25 119
Oct 29 01:52:36 cp snort: INFO => [Alert_FWsam](FWsamCheckIn) Connected to host 127.0.0.1.
Oct 29 01:52:42 cp snort: WARNING => [Alert_FWsam](FWsamCheckIn) Did not receive response from host 127.0.0.1. Will try again later. <== (!!!!!!!!!!!!!!!!!!!)
Oct 29 01:52:43 cp snort: Warning: flowbits key 'realplayer.playlist' is checked but not ever set.
Oct 29 01:52:45 cp snort: Snort initialization completed successfully
==============
I have stopped snort, killed all snortsam processes and restarted snortsam and snort again.
dynamicnet
10-29-04, 04:06
Greetings:
When we do that on our RedHat 7.3 servers, snortsam and snort will communicate for up to 60 seconds, and then it happens again.
I'm not sure what's happening; server load is under 0.50.
The system works without flaws on RedHat Enterprise.
Thank you.
Are there any plans for CentOS support on this project?
Yes, the connection problem exists at least on RedHat 7.3.
I wrote to Frank Knobbe (snortsam author). Here is his letter:
===
...Do you have "nothreads" in the snortsam.conf file? If not,
add that and it will probably fix the problem.
The reason is that there are problems with POSIX threads under
most(all?) Linux platforms. Adding "nothread" will turn the threading
off during runtime and cause Snortsam to run in a single process/thread.
Strangely, BSD and Windows don't have problems with threads...
Regards,
Frank
===
Now I've added the "nothreads" option to /etc/snort/snortsam.conf. I hope it will help. :D
Are there any plans for CentOS support on this project?
We're not sure that anyone uses it. :D
If so, we'll probably create RPMs and scripts for this OS...
dynamicnet
10-30-04, 09:40
Greetings Roj:
The "nothreads" option appears to be helping on the RedHat 7.3 machines.
Thank you.
dynamicnet
10-30-04, 13:52
Greetings Roj:
May I make a suggestion for the /etc/snort/iptsamconf script?
Please consider allowing the following as a way to run the script:
/etc/snort/iptsamconf -t seconds -r FULL_PATH_TO_RULE_FILE
With the goal being to turn on snortsam for the time specified for all rules within the rules file.
Thank you.
P.S. Possible bug report... the iptsamconf script does not appear to work with rules from http://www.bleedingsnort.com/ such as http://www.bleedingsnort.com/bleeding-virus.rules
Greetings Roj:
May I make a suggestion for the /etc/snort/iptsamconf script?
Please consider allowing the following as a way to run the script:
/etc/snort/iptsamconf -t seconds -r FULL_PATH_TO_RULE_FILE
With the goal being to turn on snortsam for the time specified for all rules within the rules file.
Thank you.
Good idea. I already thought about such options. ;) It is really needed if you have several servers with the same services installed.
This weekend we've recreated new Snort and SnortSam RPMs (new version SnortSam-2.27) and added these features to the new /etc/snort/iptsamconf script. Several other changes were also added. Read more about them: http://www.root0.net/snort/news.html
P.S. Possible bug report... the iptsamconf script does not appear to work with rules from http://www.bleedingsnort.com/ such as http://www.bleedingsnort.com/bleeding-virus.rules
Very interesting site. Thank you.
We'll add bleeding-virus.rules support to iptsamconf script.
dynamicnet
11-02-04, 15:43
Greetings Roj:
Thank you for your kind and hard work.
We now have your system running on five servers (a mixture of RedHat 7.3 and RedHat Enterprise ES 3) with great success.
We just started using http://oinkmaster.sourceforge.net/ to help keep the snort rules up to date; and also to disable those rules which are not applicable to our environment.
The end result is that the ACID output is a lot more meaningful as we don't have to wade through a lot of snort output which does not apply; granted it took a lot of work reading up on various snort SID's.
Of note, oinkmaster will overwrite updated rule files so that the auto time firewall events are no longer listed.
We handled this by writing a short script to be a wrapper around oinkmaster where we would erase the iptsamconf.state file, run oinkmaster, and then incorporate a series of iptsamconf calls to re-update the rules with the timed firewall entries.
Here's an example for your own use to expand upon:
#!/bin/sh
# Update the rule files; oinkmaster keeps backups of the old ones in /etc/snort/backup
/usr/local/bin/oinkmaster.pl -o /etc/snort/rules/ -b /etc/snort/backup
cd /etc/snort || exit 1
# Set aside iptsamconf's state so the calls below re-apply the timed firewall entries
mv iptsamconf.stat iptsamconf.stat.old
# SNORTSAM RULES
#
/etc/snort/iptsamconf -t [time] -s [sid]
# and so on
#
service snortd restart
# Watch snort come back up and check in with snortsam
tail -f /var/log/messages
Thank you.
...
Possible bug report... the iptsamconf script does not appear to work with rules from http://www.bleedingsnort.com/ such as http://www.bleedingsnort.com/bleeding-virus.rules
Snort rules on http://www.bleedingsnort.com/ are created in a terrible format. :confused: ,
but we created a fixrule.sh script to fix the format problems and added it to the new snortsam-2.27-1.rpm. (build 1 !!!)
Also we added a build number to the RPM versions. Now you can update packages without problems.
Read more about RPM update: http://www.root0.net/snort/index.html#Update
I have a question
How are you guys running snort, network based or host based?
Thanks
dynamicnet
11-07-04, 12:08
Hi Roj:
Have you seen http://secureideas.sourceforge.net/ ?
They are picking up A.C.I.D. (which has not been updated in a long time) to modernize and make it more friendly for use with snort.
Thoughts?
Thank you.
Are there any plans for CentOS support on this project?
We've added CentOS support, but haven't tested the installation script on this OS yet. :rolleyes:
Please specify your question. :confused:
:eek: We'll check it and probably add new ACID version to project.
Roj,
Did I tell you lately how cool your site is :-)
Please specify your question.
I think the question pertains to the concept of using a network "Tap" device instead of a monitor port on a switch and a UNIX/Windows host ..
Correct me if I am wrong ..
Francesca
Please specify your question. :confused:
What I mean is: snort is a network based IDS; its job is to protect the whole network, but I know a lot of people install snort on each server.
My question is how H-Sphere owners are installing snort, per network or per host?
I had to use snort for Windows I installed my sensor between my firewall and my switch using a hub and IDS Center (a free front end for snort)
Thanks
Hello,
Well to watch a segment you need a switch that can monitor a port .. You hook up the snort host to this port .. So in this case you would be better off with a Hub .. unless your switch can "Monitor" a segment from a port .. You can grab a HP 2524 procurve switch for example which will do monitor functions .. There are a lot more of course ..
A Network Tap is just that .. A special device that sits on a network .. Snort grabs packets from it and processes them .. Highly expensive in terms of bandwidth and price ..
Francesca
dynamicnet
11-10-04, 04:28
Greetings:
We are installing it per server at the moment.
For those with multi-physical server clusters, we are tying them together to one snort database where ACID can report each server as one sensor.
Thank you.
Hi Dynamicnet,
If you are installing snort/ACID per server, then what's the overall impact on the performance of the server that you've noticed so far, in term of CPU, Memory, Disk, and Bandwidth?
Thanks!
dynamicnet
11-10-04, 14:10
Greetings:
We've actually seen better server performance on our servers with the installation thanks to keeping out bad traffic.
FYI.
From 2004-11-03 06:14:56 to 2004-11-10 15:04:05 there have been 296,547 snort alerts covering 5 sensors having 106 unique alerts in 12 categories.
The most frequent alerts are NMAP scans and NMAP pings followed by SNMP udp requests and ICMP L3retriever Ping.
Thank you.
Hi Roj:
Have you seen http://secureideas.sourceforge.net/ ?
They are picking up A.C.I.D. (which has not been updated in a long time) to modernize and make it more friendly for use with snort.
Thoughts?
Thank you.
We have added base-0.9.8 installation to snort_inst.sh (http://www.root0.net/snort/) script and created base_inst.sh script for base-0.9.8 only installation to servers where ACID was already installed.
Read more http://www.root0.net/snort/news.html
SnortSam 2.28 released.
http://www.snortsam.net/news.html
You can download new RPMs for all supported OSs :
http://www.root0.net/snort/res3/
http://www.root0.net/snort/r73/
http://www.root0.net/snort/co31/
dynamicnet
11-16-04, 07:26
Greetings Roj:
What's included in snort-mysql-sam-2.2.0-3.rpm
To upgrade snortsam, do we just install snortsam-2.28-1.rpm or do we have to do snortsam-2.28-1.rpm plus snort-mysql-sam-2.2.0-3.rpm
Also, I did both on one test server, and it wiped out and replaced the /etc/snort directory and wiped out all of our custom changes.
You may want to check out if the snort-mysql-sam-2.2.0-3.rpm is the culprit; and if it can be set up to preserve any existing /etc/snort contents and subdirectory data.
Thank you.
There are no code changes. Only the latest version of the snort rules was added. You can skip the snort-mysql-sam update to this version. This package was created for users who use the snort_install.sh script for the first time.
dynamicnet
11-17-04, 09:54
Hi Roj:
Thank you. BTW, we've been using oinkmaster with great success in terms of keeping the snort rules up to date.
See http://oinkmaster.sourceforge.net/
Thank you.
dynamicnet
11-24-04, 19:07
Hi Roj:
May I make a suggestion for iptsamconf?
If the format includes the sid, don't use it as a toggle if it is already on. Just keep it on.
We use oinkmaster to keep the snort rules updated, but not every rule file gets updated on a regular basis.
I have a script that then has all my calls to iptsamconf with the time and sid parameters after oinkmaster runs.
If a rule file wasn't updated, the iptsamconf call ends up turning off the minutes even though that is not the intent.
Thank you for this consideration.
I agree with you. Several times I had the same difficulties :D . That is why I've changed the iptsamconf.sh script.
Now if you use it with the "-t" (time) key you can ONLY enable the fwsam function in Snort rules; otherwise, if you use the script without this key, it ONLY disables it. Just update to snortsam-2.28-2.rpm.
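The behaviour dynamicnet asked for, and roj describes here, is that enabling blocking for a SID must be idempotent: re-running the same call after an Oinkmaster update that did not touch the file must leave the rule on, never toggle it off. The following is an added example written for this thread; it is not root0.net's iptsamconf.sh, and the rule file, SID values and rule text are constructed. It rewrites Snort rule lines so that each selected SID carries exactly one fwsam option (the "fwsam: who, time;" rule option SnortSam's plugin reads), replacing any existing one rather than toggling it, and offers a separate explicit disable.

```python
import re

# The fwsam rule option SnortSam's output plugin reads, e.g. "fwsam: src, 30 minutes;"
FWSAM_OPT = re.compile(r"\s*fwsam:\s*[^;]*;")
# "sid:1000001;" - the look-behind keeps "gid:" and "sig_sid" from matching
SID_OPT = re.compile(r"(?<![A-Za-z_])sid:\s*(\d+)\s*;")


def rule_sid(line):
    """sid of a Snort rule line; None for comments, blank lines and lines without a sid."""
    stripped = line.strip()
    if not stripped or stripped.startswith("#"):
        return None
    m = SID_OPT.search(stripped)
    return int(m.group(1)) if m else None


def set_fwsam(line, duration, who="src"):
    """Return the rule with exactly one fwsam option (target `who`, block `duration`).
    An existing fwsam option is replaced, not toggled, so repeated calls are stable."""
    head, paren, tail = line.rpartition(")")   # options end at the last ")"
    if not paren:
        return line                            # not a complete single-line rule
    body = FWSAM_OPT.sub("", head).rstrip()
    if not body.endswith(";"):
        body += ";"
    return f"{body} fwsam: {who}, {duration};{paren}{tail}"


def clear_fwsam(line):
    """Return the rule with its fwsam option removed (unchanged if it had none)."""
    return FWSAM_OPT.sub("", line)


def enable_fwsam(rules_text, sids, duration, who="src"):
    """Enable blocking for every rule whose sid is in `sids`; all other lines pass through."""
    out = []
    for line in rules_text.splitlines(keepends=True):
        out.append(set_fwsam(line, duration, who) if rule_sid(line) in sids else line)
    return "".join(out)


def disable_fwsam(rules_text, sids=None):
    """Remove fwsam from the given sids, or from every rule when sids is None."""
    out = []
    for line in rules_text.splitlines(keepends=True):
        sid = rule_sid(line)
        if sid is not None and (sids is None or sid in sids):
            out.append(clear_fwsam(line))
        else:
            out.append(line)
    return "".join(out)


# Constructed sample rule file; the second rule already carries a (shorter) fwsam option.
SAMPLE_RULES = """\
# constructed sample rules for this example, not a real rule set
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"EXAMPLE ssh brute force"; flags:S; sid:1000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"EXAMPLE web probe"; content:"/cgi-bin/"; fwsam: src, 5 minutes; sid:1000002; rev:2;)
alert icmp any any -> $HOME_NET any (msg:"EXAMPLE ping sweep"; itype:8; sid:1000003; rev:1;)
"""

if __name__ == "__main__":
    # Running this twice in a row yields the same text: the "toggle" problem is gone.
    once = enable_fwsam(SAMPLE_RULES, {1000001, 1000002}, "30 minutes")
    print(once, end="")
    print("stable:", enable_fwsam(once, {1000001, 1000002}, "30 minutes") == once)
```

Multi-line rules (backslash continuations) are passed through untouched by this version; a production script should join them before applying the regexes, and should write the result to a temporary file and rename it over the rule file so a restart of snortd never sees a half-written file.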
dynamicnet
11-29-04, 11:12
Hi Roj:
Can you separately post the new iptsamconf.sh file?
Thank you!!
Get it here:
http://www.root0.net/snort/iptsamconf.sh
dynamicnet
12-02-04, 12:55
Hi Roj:
Thank you.
BTW, the most recent snort_inst.sh has some problems:
Unpack
snort_inst.sh: line 250: chowh: command not found
snort_inst.sh: line 251: chowh: command not found
snort_inst.sh: line 252: chowh: command not found
snort_inst.sh: line 253: chowh: command not found
Thank you.
dynamicnet
12-02-04, 16:13
Greetings:
General FYI for those of you on RedHat (CentOS may have this issue as well).
If you upgrade your kernel, the release put out by RedHat in the past 24 hours appears to work with Snortsam-2.28 (RPM build 2); and if you have Enterprise, you must use the nothreads option.
Thank you.
We've changed snort_inst.sh script. Thank you...
you must use the nothreads option.
Dear Peter,
Is this the nothreads option in the /etc/snortsam.conf file?
# Example: nothreads
#
nothreads # RedHat 7.x
rgds
Hans
Yes it is. I recommend enabling it on Linux servers.
dynamicnet
12-03-04, 14:51
Hi RoJ:
There is still a problem with the snort_inst.sh script.
When it gets to the part to use create_mysql no matter what mysql password you enter (root or the one for the snort database or the snort user), it bombs out.
Thank you.
It is not a problem. The script tries to get the root mysql password from the ~mysql/.my.cnf file, and if there is no password there it asks you to enter it. :rolleyes:
dynamicnet
12-05-04, 11:36
Hi Roj:
And I enter the root password (which I can use on the command line); and the script bombs out.
Thank you.
Hmm... :confused:
Yesterday I installed snort on 5 new servers and had no problems.
What OS do you have on your server?
Also please send script output to both our emails http://www.root0.net/contact/index.html and we'll investigate possible reasons.
A new version 2.29 of Snortsam has just been released. It adds two new plugins. We've created RPMs for all supported OSs. http://www.root0.net/snort/index.html#Update
There is a Snort 2.2.x exploit which crashes Snort with a specially prepared packet.
2.3 RC1 and RC2 are not vulnerable.
http://www.k-otik.com/exploits/20041222.angelDust.c.php
We'll recreate our snort and snortsam RPMs with the 2.3 RC2 version as soon as we can. For now we recommend stopping the snort services on your servers.
New Snort RPM 2.3.0RC2 created. Just get it http://www.root0.net/snort/index.html#Update and update.
Now you are not vulnerable. Get back to work ;)
New SnortSam 2.30 released. We've created RPM and recreated Snort RPM 2.3.0RC2 (build 2) with new SnortSam patch. Update instruction here http://www.root0.net/snort/index.html#Update
Snort 2.3.0 released. Update instruction:
# /etc/rc.d/init.d/snortd stop
# /etc/rc.d/init.d/snortsamd stop
# rpm -e snort-mysql-sam
# rpm -ivh snort-mysql-sam-2.3.0-1.rpm
# mv /etc/snort/snort.conf.rpmsave /etc/snort/snort.conf
# /etc/rc.d/init.d/snortsamd start
# /etc/rc.d/init.d/snortd start
Snortsam 2.31 was released.
Now has support for IPFW2 on FreeBSD 4.11 & 5.3
ROJ - First I want to thank you oh great helpful H-Sphere Admin for your wonderful contribution - :)
Using your installation script, I successfully installed snort/snortsam/Acid -
While in the base, I click on Administration and received the following error:
Error loading the DB Abstraction library: from "../adodb/adodb.inc.php"
Check the DB abstraction library variable $DBlib_path in base_conf.php
The underlying database library currently used is ADODB, that can be downloaded at http://adodb.sourceforge.net/
Checking the ADODB folder, I noticed adodb.inc.php public var section needed to be filled in with current DB info - unfortunately this did not resolve the above error -
Any ideas what step I am missing? Thanks
Sincerely
Barry
We ran into the same problem.
Edit the base_conf.php file located in the base directory, and change $DBlib_path to the full location of adodb, instead of the default ../adodb.
That worked for us.
rgds
Unfortunately I can't suggest anything on how to fix it. You can uninstall our software:
http://www.root0.net/snort/index.html#Uninstall
and install it back. It is so easy ;)
Thank you for your help. I never had such a problem. "../adodb/adodb.inc.php" has to work. But if not, probably an absolute path will help. :confused:
Snortsam 2.31 was released.
Now has support for IPFW2 on FreeBSD 4.11 & 5.3
WAU!!! support for IPFW2 on FreeBSD 4.11 & 5.3. It is very interesting.
Now, I hope, we will probably try to create FreeBSD Snort/SnortSam packages if there are enough H-Sphere customers who use FreeBSD on their servers and wish to install the Snort software easily.
Also I found the following news "Comodo Acquires Psoft" http://www.psoft.net/misc/acquisition.html on the Psoft site. Probably it is a good idea to add Trustix OS support? What do you think?
Are there FreeBSD or Trustix customers here? ;)
Are there FreeBSD or Trustix customers? ;)
I am a FreeBSD customer and there are many other FreeBSD users around here that would probably benefit a lot from your packages if you made them.
Score one for BSD.. I think it's time for me to look at that installation script again... As LL said earlier in the thread it's not that hard a script..
Thank you for your help. I never had such a problem. "../adodb/adodb.inc.php" has to work. But if not, probably an absolute path will help. :confused:
That Worked - Thanks
q. how is everybody handling the snort database growth ?
Thanks
Barry
dynamicnet
02-08-05, 16:23
Greetings:
We review the B.A.S.E. data throughout the day. If we find SIDs that do not apply to the environment, we use Oinkmaster to disable them to cut down on noise.
On a regular basis, we clear out the snort database as it relates to the B.A.S.E. data so it starts fresh.
That also helps us focus on new threats which might get accidentally hidden behind non threats.
Thank you.
New SnortSam version 2.31 RPM released.
Added /etc/snort/snortsam/docs and /etc/snort/snortsam/conf directories.
Here you can get configuration examples and read about configuration options more.
Improved iptsamconf.sh and fixrule.sh scripts.
Sorry. A mistake was found in the iptsamconf.sh script. The new RPM is temporarily unavailable. :o
Greetings:
We review the B.A.S.E. data throughout the day. If we find SIDs that do not apply to the environment, we use Oinkmaster to disable them to cut down on noise.
On a regular basis, we clear out the snort database as it relates to the B.A.S.E. data so it starts fresh.
Thank you.
Oinkmaster - I need to look into this, anything I can use to help eliminate some of the noise is very welcome :) --- thanks for the info ..
Do you manually clear out the DB or run a script?
and if you have a script, can you share it ?
Thanks
Barry
Hello,
Snort puts the interface in promiscuous mode. I have been told that this in general isn't a very good idea. Just wondering if that's indeed the case, and if there is anything that can be done to put snort in non promiscuous mode, for example by using the -p option, without breaking the working of snort.
rgds
Oinkmaster - I need to look into this, anything I can use to help eliminate some of the noise is very welcome :) --- thanks for the info ..
Do you manually clear out the DB or run a script?
and if you have a script, can you share it ?
Thanks
Barry
You can clean snort database through ACID/BASE interface.
Look for "Action" form on the bottom of ACID/BASE pages.
Anyone who can shed some light on snort putting the nic into promiscuous mode?
rgds
Hello,
Anyone who can shed some light on snort putting the nic into promiscuous mode?
It goes in that mode .. To capture packets ..
Francesca
Trustix OS support added. :cool:
It is not tested enough and errors can arise.
Your reports:
http://www.root0.net/contact/index.html
You can also uninstall it at any time: ;)
http://www.root0.net/snort/index.html#Uninstall
I need to reinstall mysql db.. using snort_inst.sh, I am getting the following error
Resolving www.root0.net... done.
Connecting to www.root0.net[69.141.99.18]:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 8,174 [text/plain]
100%[=====================================================================================>] 8,174 107.87K/s ETA 00:00
02:53:02 (107.87 KB/s) - `create_mysql' saved [8174/8174]
Download create_mysql file [ OK ]
MySQL configuration
ERROR 1062 at line 26: Duplicate entry '106' for key 1
any ideas?
thanks
Barry
I know I am coming in late in the game here, but here is my setup. And would be grateful if someone may be able to help me out.
I have a box with 3 nics running openbsd 3.5 in my network. No part of hsphere at all. All it does is firewall+cache
2 of the nics are bridged with 0 ips assigned and then the third card is used to admin the box. I have snortsam and snort installed and I am trying to tell snortsam and snort to use bridge0 as the interface (the bridged interfaces) but I get a message stating
"Linking plugin 'pf'...
Error: DIOCCHANGERULE 4 (auto=1) : Invalid argument. PF plugin disabled"
Has anyone seen anything like this?
I need to reinstall mysql db.. using snort_inst.sh, I am getting the following error
...
Download create_mysql file [ OK ]
MySQL configuration
ERROR 1062 at line 26: Duplicate entry '106' for key 1
any ideas?
thanks
Barry
Just drop Snort MySQL database and recreate it via our install script again.
dynamicnet
03-10-05, 08:06
Hi Roj:
From http://www.snort.org --> "Snort v2.3.1 Available Now"
Thank you.
dynamicnet
03-10-05, 13:46
Greetings Roj and everyone:
Should I cry now or later :_)
Snort.org has gone from open source to $$$
See http://www.snort.org/rules/why_subscribe.html
The community rules ( available at http://www.snort.org/pub-bin/downloads.cgi ) are free; but A LOT has changed.
They've also redesigned their site making it more interesting to find out more information about SID rules.
Thank you.
FreeBSD 5.x support added (ipfw2 has to be enabled). Fedora Core (for non H-Sphere servers) support added. The install script and snort page were seriously rewritten. Fixed several possible bugs in the Trustix installation. If you have any problems with the new installation script, use the old version snort_inst.linux.sh.
Hi Roj:
From http://www.snort.org --> "Snort v2.3.1 Available Now"
Thank you.
Thank you. I just got it. ;)
Greetings Roj and everyone:
Should I cry now or later :_)
Snort.org has gone from open source to $$$
See http://www.snort.org/rules/why_subscribe.html
The community rules ( available at http://www.snort.org/pub-bin/downloads.cgi ) are free; but A LOT has changed.
They've also redesigned their site making it more interesting to find out more information about SID rules.
:eek: Oops, we haven't got money for CURRENT rules :confused:
Probably we'll use old version. ;)
dynamicnet
03-11-05, 11:25
Greetings Roj:
1. I think that 3.2 is now out.
2. If you register (free) you can get the rules that are 5 days old that appear to be in the same format; if you don't register you can use the community rules which are different.
Thank you.
Greetings Roj:
1. I think that 3.2 is now out.
2. If you register (free) you can get the rules that are 5 days old that appear to be in the same format; if you don't register you can use the community rules which are different.
Thank you.
Yes, I see it and I hope that our new packages will be ready soon.
Hey Roj,
I see you check specifically for FreeBSD 5, but it should be ok to run the script on FreeBSD 4.11 with IPFW2 enabled?
Hey Roj,
I see you check specifically for FreeBSD 5, but it should be ok to run the script on FreeBSD 4.11 with IPFW2 enabled?
Packages were compiled and created on FreeBSD 5.3, but you can try to install them on FreeBSD 4.11.
Just change line 107 in the snort_inst.sh script from
if [ ${OS_NUM} -lt 5 ]; then
to
if [ ${OS_NUM} -lt 4 ]; then
We just released new Snort package version 2.3.2. Snort documentation directory added to package.
Roj,
As always Thank You .. :-)
Francesca
So how is everyone installing this package? Putting snort/sam on every server? How does that protect your windows boxes?
Maybe I missed something during the installation instructions. However I find the best practice is to build a linux bridging firewall box and install it between your router and network. However this creates a single point of failure in your network design which is always hazardous. The next best thing to do is create 2 of these boxes in a bridging firewall configuration and implement keepalived a VRRP implementation designed for failover/redundancy.
Now your network will look like Router <-> switch <-> snort box 1&2 in parallel <-> switch <-> servers and rest of protected network
This will allow you to keep real world IP's on your servers w/o having to do nat or masq.
We've added Fedora Core 3 support. You can get packages here: http://www.root0.net/snort/fc3/
Now our installation script supports the following OSs:
Red Hat Linux release 7.3
Red Hat Enterprise Linux x.x
CentOS x.x
Trustix x.x
Fedora Core 1 (servers without H-Sphere)
Fedora Core 3 (servers without H-Sphere)
FreeBSD 5.x
:rolleyes:
Hello,
Anyone knows what happened to the http://www.root0.net/snort/ web site. I'm getting a test page, or a "Not Found" message when I go to their web site.
rgds
Hello,
Anyone knows what happened to the http://www.root0.net/snort/ web site. I'm getting a test page, or a "Not Found" message when I go to their web site.
rgds
There was a little routing problem ;)
It was fixed.
Sorry for the inconvenience.
Getting a "refused connection" now?
rgds
hosting.ca
03-30-05, 16:26
Snort works with ipchains?
Hello,
Yes it works with ipchains.
Francesca
Hello,
I'm still unable to get to the web site. http://www.root0.net/snort/ gives me a time out message?
rgds
The web site is coming up correct now
rgds
New Snort packages with the latest rules were created. You need to update only if you wish to get the latest rules. :rolleyes:
dynamicnet
04-22-05, 12:24
Hi Roj:
The latest package removes the snort user and group if you do a -Uvh such as
rpm -Uvh http://www.root0.net/snort/r73/snortsam-2.31-4.rpm http://www.root0.net/snort/r73/snort-mysql-sam-2.3.2-2.rpm
Please fix and advise.
Thank you.
Hi Roj:
The latest package removes the snort user and group if you do a -Uvh such as
rpm -Uvh http://www.root0.net/snort/r73/snortsam-2.31-4.rpm http://www.root0.net/snort/r73/snort-mysql-sam-2.3.2-2.rpm
Please fix and advise.
Thank you.
I will try to find out the reason for the problem and fix it.
Thank you for your message.
Roj.
dynamicnet
04-25-05, 09:46
Hi Roj:
1. Thank you for looking into the bug / problem where the snort user and group are removed when updating.
2. Snort 2.3.3 is now out.
Thank you.
Hi Roj:
1. Thank you for looking into the bug / problem where the snort user and group are removed when updating.
2. Snort 2.3.3 is now out.
Thank you.
We have tried to emulate the update problem where the snort user and group are removed on RedHat 7.3 servers several times on several different servers, but without any success. :confused:
Did you follow our update instructions?
http://www.root0.net/snort/index.html#Update
Use the following commands as a temporary solution:
=====
# groupadd snort
# useradd snort -g snort -d /etc/snort -s /sbin/nologin -c "Snort user"
# chown -R snort:snort /etc/snort
# chown -R snort:snort /var/log/snort
=====
Snort 2.3.3 sources were downloaded. :rolleyes:
Thank you for your post.
Roj.
New Snort package version 2.3.3 released.
Update instruction:
http://www.root0.net/snort/index.html#Update
dynamicnet
05-03-05, 07:23
Hi Roj:
Maybe it is me; but here is from a RH 7.3:
rpm -Uvh http://www.root0.net/snort/r73/snortsam-2.31-4.rpm http://www.root0.net/snort/r73/snort-mysql-sam-2.3.3-1.rpm
Retrieving http://www.root0.net/snort/r73/snortsam-2.31-4.rpm
Retrieving http://www.root0.net/snort/r73/snort-mysql-sam-2.3.3-1.rpm
Preparing... ########################################### [100%]
1:snortsam warning: /etc/snort/snortsam.conf created as /etc/snort/snortsam.conf.rpmnew
########################################### [ 50%]
groupadd: group snort exists
SnortSam was configured on eth0 interface.
2:snort-mysql-sam warning: /etc/snort/snort.conf created as /etc/snort/snort.conf.rpmnew
########################################### [100%]
groupadd: group snort exists
[/etc/snort] H-Sphere Control Server - cp(pts/0) [8:22am]> service snortd stop
Stopping snort: [ OK ]
[/etc/snort] H-Sphere Control Server - cp(pts/0) [8:22am]> service snortsamd restart
Stopping snortsam: [ OK ]
Starting snortsam: [ OK ]
[/etc/snort] H-Sphere Control Server - cp(pts/0) [8:22am]> service snortd start
Starting snort: [FAILED]
1:46 cp su(pam_unix)[31115]: session closed for user cpanel
May 3 08:21:53 cp kernel: PUB_IN DROP 5 IN=eth1 OUT= MAC=ff:ff:ff:ff:ff:ff:00:09:5b:a7:15:d6:08:00 SRC=10.0.0.22 DST=255.255.255.255 LEN=92 TOS=0x00 PREC=0x00 TTL=32 ID=15123 PROTO=UDP SPT=520 DPT=520 LEN=72
May 3 08:22:09 cp snort: Final Flow Statistics
May 3 08:22:09 cp snort: INFO => [Alert_FWsam](FWsamCheckOut) Disconnecting from host 127.0.0.1.
May 3 08:22:09 cp kernel: device eth0 left promiscuous mode
May 3 08:22:09 cp snort: Snort exiting
May 3 08:22:10 cp snortd: snort shutdown succeeded
May 3 08:22:14 cp snortsamd: snortsam shutdown succeeded
May 3 08:22:14 cp snortsamd: snortsam startup succeeded
May 3 08:22:15 cp snort: FATAL ERROR: User "snort" unknown
Thoughts?
Thank you.
dynamicnet
05-03-05, 08:13
Hi Roj:
This also happened on RHEL 3 -- snort user and group removed.
Also, on a brand new RHEL3 installation:
OS = Red Hat Enterprise Linux ES release 3 (Taroon Update 4)
Select services for installation
and configuration:
1) SNORT [X]
2) MYSQL [ ]
3) ACID [ ]
q) quit
-) continue
Enter your choice [1,2,3]: -
MySQL will be configured on another server.
Enter remote MySQL server IP: ________
ACID will be installed to another server.
Enter remote ACID server IP: ________
MySQL server IP [________]
Enter MySQL database name [snort]: value_snort
Enter MySQL user name [snort]: snort_user
Enter "snort_user" password [snorttest]: ________
Snort installation
Download
--08:19:05-- http://www.root0.net/snort/res3/snort-mysql-sam-2.3.3-1.rpm
=> `snort-mysql-sam-2.3.3-1.rpm'
Resolving www.root0.net... done.
Connecting to www.root0.net[69.141.102.158]:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 478,586 [audio/x-pn-realaudio-plugin]
100%[==================================================================================================================================================>] 478,586 41.83K/s ETA 00:00
08:19:16 (41.83 KB/s) - `snort-mysql-sam-2.3.3-1.rpm' saved [478586/478586]
--08:19:16-- http://www.root0.net/snort/res3/snortsam-2.31-4.rpm
=> `snortsam-2.31-4.rpm'
Resolving www.root0.net... done.
Connecting to www.root0.net[69.141.102.158]:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 95,336 [audio/x-pn-realaudio-plugin]
100%[==================================================================================================================================================>] 95,336 33.03K/s ETA 00:00
08:19:19 (33.03 KB/s) - `snortsam-2.31-4.rpm' saved [95336/95336]
Install
error: open of {NODEPS} failed: No such file or directory
Please fix and or advise.
Thank you.
...
May 3 08:22:09 cp snort: INFO => [Alert_FWsam](FWsamCheckOut) Disconnecting from host 127.0.0.1.
...
May 3 08:22:15 cp snort: FATAL ERROR: User "snort" unknown
...
I'm not sure if it helps, but you need to stop the snort and snortsam processes before updating the RPM packages. Follow the update documentation.
http://www.root0.net/snort/index.html#Update
error: open of {NODEPS} failed: No such file or directory
It was my fault. I made a stupid mistake in the install script, just download and run it again.
Sorry for the inconvenience.
Roj.
hosting.ca
05-04-05, 18:40
Stupid problem but just got an error upon installation:
error: failed dependencies:
libmysqlclient.so.12 is needed by snort-mysql-sam-2.3.3-1
Which package to get for this dependency to be ok?
mysql-client ...Most likely server also ..
Francesca
Hello,
Also ..
If you do have mysql loaded .. what does ldconfig -r show .. do you see this there ..
Francesca
hosting.ca
05-04-05, 18:52
mysql is installed, but no mysql-client, and even if it was, its only using libmysqlclient.so.10.
What is a friendly package that will work?
Version of Mysql ??
Francesca
hosting.ca
05-04-05, 20:41
Used the ones that psoft uses, which is the 4.0.24. That seems to work well.
Load the devel RPM .. from the download dir ..
http://www.psoft.net/shiv/HS/RHES3
Francesca
hosting.ca
05-04-05, 22:32
Everything is working nicely, however now it's troublesome to understand the blocking. It seems like there is a large list of rules (DB) with SIDs associated with them. When we log bad traffic, we have to manually add it using the script:
/etc/snort/iptsamconf.sh -t block-time -s SID-number-to-add
With that said, is that how it works in a nutshell?
How do we find the real SID number using BASE?
dynamicnet
05-05-05, 06:36
Greetings:
If you are using BASE (most recent release is 1.12), then look at the "snort" hyperlink; the number in the hyperlink is the sid.
eg. http://www.snort.org/pub-bin/sigs.cgi?sid=567
SID is 567
When you use "iptsamconf.sh" you are basically adjusting the rule for the SID in /etc/snort/rules so that when the rule is hit, the IP address is blocked.
If you are going to build the system yourself, you do have to take the time to learn how to read signatures, to learn what SIDs are applicable to an H-Sphere environment, which SIDs to outright ignore, and which SIDs are important to time block.
Thank you.
Stupid problem but just got an error upon installation:
error: failed dependencies:
libmysqlclient.so.12 is needed by snort-mysql-sam-2.3.3-1
Which package to get for this dependency to be ok?
mysql is installed, but no mysql-client, and even if it was, its only using libmysqlclient.so.10.
What is a friendly package that will work?
Different servers have different MySQL versions installed. That is why this problem sometimes arises.
1. Make sure that the MySQL-shared-compat package is installed
2. Create a link
# ln -s /usr/lib/libmysqlclient.so.10 /usr/lib/libmysqlclient.so.12
3. Run the snort_inst.sh script with the undocumented key "nodeps" like:
# ./snort_inst.sh nodeps
Greetings:
If you are using BASE (most recent release is 1.12), then look at the "snort" hyperlink; the number in the hyperlink is the sid.
We've added a "BASE update" short instruction:
http://www.root0.net/snort/baseupdate.html
eg. http://www.snort.org/pub-bin/sigs.cgi?sid=567
SID is 567
Here is a little example:
http://www.root0.net/snort/screenshots/base_6.html
Each signature has a link [snort] like:
" [ snort (http://www.snort.org/snort-db/sid.html?sid=1002) ] WEB-IIS cmd.exe access "
There is a link:
http://www.snort.org/snort-db/sid.html?sid=1002
SID is 1002
hosting.ca
05-05-05, 15:51
Just curious if this works on RH 7.2?
Just curious if this works on RH 7.2?
You can try and check it ;)
hosting.ca
05-06-05, 03:12
Whats the SID for a portscan?
(portscan) Open Port
(portscan) TCP Portscan
(portscan) UDP Portscan
There seems to be no SID 1, 3 or 27. Just do a custom rule and apply it?
dynamicnet
05-06-05, 05:31
Greetings:
The rules are in /etc/snort/rules
If you don't find the SID in the rules, then you cannot use the iptsamconf.sh to time block the IP.
Thank you.
hosting.ca
05-06-05, 15:33
So how does one block a simple portscan?
Hello,
So how does one block a simple portscan
The answer to that is not so simple.
1. Read the logs
2. Use a BFD Type tool to modify Iptables/IPFW rules dynamically
3. Maintain that list because "False Positives" will occur.
Francesca
New SnortSam version 2.33 released.
Update instruction:
http://www.root0.net/snort/index.html#Update
dynamicnet
07-28-05, 13:20
Hi Roj:
You probably know this news, but to play safe, see http://www.snort.org/docs/release_notes/release_notes_240.txt
Thank you.
Roj,
It appears root0.net is off the internet for one reason or another. My timing is always so perfect... I was going to try and install the current software versions onto a test server.
Dan
Hmmm,
Looks like Go Daddy Goof ..
PARK19.SECURESERVER.NET
PARK20.SECURESERVER.NET
Thats the nameservers ..
Francesca
Well....
The last time I saw this (park??.secureserver.net) for one of my clients domains, was when someone "CRACKED" their database and "stole" the domain name. They change the ownership, etc. What a lot of work getting the domain back....Still bitter about that one.
Heya,
Still owned by root0.net in New Jersey .. but yah .. that can be changed .. But if it is Go Daddy they moved it to (Saying thats right) .. thats a pretty no nonsense place ..
Francesca
Well,
With the troubles we had, they will NEVER see another domain hosted on our servers. Ever!
More Likely .. looking at dns .. someone or something at go daddy had some issue with the bogus "whois" info and locked the domain .. They really push that private 10.00 a year crap ..
Regards,
Francesca
Anyone know of any other locations to download the following?
snort_inst.sh
dynamicnet
08-03-05, 04:57
Greetings:
Unfortunately http://www.root0.net/snort/index.html appears to be down.
Thank you.
Hello,
Now looking good .. and yes I do have a life outside polling random web hosts ..
Francesca
nprzybilla
08-04-05, 08:36
Hi,
I tried to install it with mysql manually.
Where can I get the .sql file to insert it into my database ?
Thanks and best regards
Niels
nprzybilla
08-04-05, 10:44
Hi,
Now I did the install.
But what is the best method to protect against attackers?
As I understood, I would have to set up every rule one by one with the SID to use them all, or is there a possibility to activate a complete rule set?
Thanks and best regards
Niels
dynamicnet
08-04-05, 12:05
Greetings Niels:
You need to review the rules in /etc/snort/rules to see which rules are applicable to your H-Sphere environment which have the potential for abuse.
We have 213 timed blocks that we use (ours is geared towards almost any H-Sphere provider); this is only for our hardening customers.
If you don't know the snort rules too well, and want to learn and do this on your own, review the types of suspect attacks hitting your server from your BASE browser-based report.
Then look up the SID in the snort online documentation such as http://www.snort.org/pub-bin/sigs.cgi?sid=499
And then make a determination as to whether you want to time block it or not based on whether or not you would get false positives if you blocked it, whether or not you have the software installed (some SIDs are software specific), and so on.
Thank you.
Anyone know of any other locations to download the following?
snort_inst.sh
I apologize for temporary problems with our site.
Hi Roj:
You probably know this news, but to play safe, see http://www.snort.org/docs/release_notes/release_notes_240.txt
Thank you.
Yes thank you, I saw and downloaded Snort and SnortSam sources for RPM creation, but there were several (2.36, 2.38, 2.39, 2.40 :eek: ) new SnortSam versions during the last week. I hope that 2.40 is the last and stable version :D .
Roj.
Hi,
Now I did the install.
But what is the best method to protect against attackers?
As I understood, I would have to set up every rule one by one with the SID to use them all, or is there a possibility to activate a complete rule set?
Thanks and best regards
Niels
Every day/week analyze ACID/BASE data and block possible intrusions by the iptsamconf.sh script:
http://www.root0.net/snort/index.html#Configuration
Roj.
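The SID lookup described above (the number in the [snort] link is the SID, and only SIDs that have a rule in /etc/snort/rules can be given to iptsamconf.sh) and Roj's advice to review ACID/BASE data and then block by SID both come down to the same triage: count which signatures are firing, decide which are noise and which deserve a timed block. This is an added example, not one of root0.net's scripts nor dynamicnet's setup. It assumes Snort's alert_fast log format on stdin (one alert per line, as in /var/log/snort/alert); the sample alerts are constructed with RFC 5737 documentation addresses, SID 9000001 is a hypothetical local rule, and "1h" is an assumed block-time value, passed through unchanged as the -t argument.

```shell
#!/bin/sh
# Added example (not part of root0.net's scripts): summarise Snort alerts by
# generator:SID so an operator can see which SIDs are noise and which deserve
# a timed block via iptsamconf.sh. Input is Snort's alert_fast format, one
# alert per line, as written to /var/log/snort/alert.

# Constructed sample alerts (RFC 5737 documentation addresses, not real
# traffic). SID 1002 and the portscan event carry Snort's own names; SID
# 9000001 is a hypothetical local rule (SIDs above 1000000 are reserved for
# local rules).
SAMPLE_ALERTS='10/28-02:54:17.123456  [**] [1:1002:5] WEB-IIS cmd.exe access [**] [Priority: 2] {TCP} 203.0.113.9:4431 -> 10.0.0.22:80
10/28-02:54:18.000001  [**] [1:1002:5] WEB-IIS cmd.exe access [**] [Priority: 2] {TCP} 203.0.113.9:4432 -> 10.0.0.22:80
10/28-02:55:01.500000  [**] [1:9000001:1] LOCAL constructed test rule [**] [Priority: 3] {TCP} 198.51.100.7:2000 -> 10.0.0.22:21
10/28-02:56:40.000000  [**] [1:1002:5] WEB-IIS cmd.exe access [**] [Priority: 2] {TCP} 198.51.100.7:2001 -> 10.0.0.22:80
10/28-02:57:03.250000  [**] [122:1:0] (portscan) TCP Portscan [**] [Priority: 3] {PROTO:255} 203.0.113.9 -> 10.0.0.22'

# Read alert lines on stdin; print "count gid:sid message", most frequent first.
# The sed keeps the "[gid:sid:rev] message" part between the two [**] markers.
sid_summary() {
    sed -n 's/^.*\[\*\*\] \[\([0-9]*:[0-9]*\):[0-9]*\] \(.*\) \[\*\*\].*$/\1 \2/p' \
    | sort | uniq -c | sort -rn | sed 's/^ *//'
}

# Print only the gid:sid of signatures that fired at least $1 times.
sids_over_threshold() {
    sid_summary | awk -v n="$1" '$1 >= n { print $2 }'
}

# Keep only SIDs from generator 1 (the rules in /etc/snort/rules). Preprocessor
# events such as the portscan generator (122) have no rule file, so they cannot
# be handed to iptsamconf.sh.
blockable_sids() {
    awk -F: '$1 == 1 { print $2 }'
}

# Print (do not run) the iptsamconf.sh commands for SIDs that fired at least
# $1 times; $2 is passed through unchanged as the -t block time.
suggest_blocks() {
    sids_over_threshold "$1" | blockable_sids \
    | awk -v t="$2" '{ print "/etc/snort/iptsamconf.sh -t " t " -s " $1 }'
}

# Usage when run directly: the summary, then suggestions for SIDs seen 2+ times.
# "1h" is an assumed block-time value; use whatever iptsamconf.sh accepts.
printf '%s\n' "$SAMPLE_ALERTS" | sid_summary
printf '%s\n' "$SAMPLE_ALERTS" | suggest_blocks 2 1h
```

Point a real alert file at it with `sid_summary < /var/log/snort/alert`; the suggestions are printed rather than executed so that the operator still makes the false-positive judgement dynamicnet describes before anything is blocked.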
New Snort version 2.4.0. New SnortSam version 2.40. :cool:
Update instruction:
http://www.root0.net/snort/index.html#Update
dynamicnet
09-10-05, 09:22
Hi Roj:
The next time you do an update, can you include the latest release of BASE?
Thank you.
Roj,
And everyone else .. this lil monster just popped up
http://secunia.com/advisories/16786/
Francesca
dynamicnet
09-13-05, 14:57
Hi Francesca:
Thank you for posting that info.
I saw it this morning, but didn't panic because Roj's implementation does not make use of the "-v" switch.
Thank you.
Peter,
Very True .. Yes its more a heads up for anyone who might have done such a thing ..
Francesca
dynamicnet
09-21-05, 09:00
Greetings Roj:
Snort 2.4.1 is out per http://www.snort.org/
When you update your packages next, can you include the latest release of BASE as well?
Thank you.
Greetings:
we need to re-install snortd using Roj snort_inst.sh script, we're running RHE/ES4
Unfortunately snortsam-2.40-1.rpm failed to find dependency libpcap.so.0.6.2 - checking I see we have libpcap-0.8.3-10 installed -
if I downgrade then the latest version of ntop fails - God knows what else will fail if I downgrade - but I want snortsam installed :(
solution anybody ?
Thanks
Sincerely
Barry
~~ Bump ~~
Thanks
Sincerely
Barry
Roj,
any idea if or when you will be upgrading snortsam.rpm to use latest libpcap-0.8.3-10
Thanks
Barry
billydingus
09-30-05, 18:52
Greetings all,
I am new to the Linux world and have started making an IDS. I have tried a lot of different flavors and can't seem to get the right mix working correctly. I have just finished a fresh install of the latest CentOS 4 and started your install script. It gets to here and stops:
Snort installation
Download
Install
error: failed dependencies:
libpcap.so.0.6.2 is needed by snort-mysql-sam-2.1.3-0
When I download and try and install this I get the message that the version I have installed is a newer version and it fails to install. Any ideas on a workaround? As I said I am fairly a newb to the Linux world, but am liking what I see so far. Thanks in advance for your time.
billydingus
09-30-05, 19:18
Well, I figured out how to use yum to uninstall the installed version, then installed the needed version. It took out my ethereal and NMap installs too as they are dependencies. Now I have to find those packages and I think I will be fine.
billydingus
09-30-05, 19:28
This is what I got after the install. Any ideas?
[root@localhost ~]# tail -5 /var/log/messages
Sep 30 17:18:55 localhost snort[8616]: Flush behavior: Small (<255 bytes)
Sep 30 17:18:55 localhost snort[8616]: Ports: 21 23 25 42 53 80 110 111 135136 137 139 143 445 513 1433 1521 3306
Sep 30 17:18:55 localhost snort[8616]: Emergency Ports: 21 23 25 42 53 80 110 111 135 136 137 139 143 445 513 1433 1521 3306
Sep 30 17:18:55 localhost snort[8616]: FATAL ERROR: Cannot open performance logfile '/var/snort/snort.stats'
Sep 30 17:18:55 localhost kernel: device eth0 left promiscuous mode
billydingus
09-30-05, 19:29
Oops, my bad :)
dynamicnet
10-01-05, 13:57
Greetings Roj:
Snort 2.4.2 has been released. See http://www.snort.org/docs/release_notes/release_notes_242.txt
Thank you.
Greetings Roj:
Snort 2.4.2 has been released. See http://www.snort.org/docs/release_notes/release_notes_242.txt
Thank you.
Oops.. Two new Snort versions were released without me :eek: . I had a short vacation. ;)
We have released new snort-mysql-sam-2.4.2-1.rpm package.
Update instruction:
http://www.root0.net/snort/index.html#Update
Greetings Roj:
Snort 2.4.2 has been released. See http://www.snort.org/docs/release_no..._notes_242.txt
Thank you.
I hope we'll include the latest release of BASE in one of new versions in future. :rolleyes:
Hello:
I am getting the following forbidden error
You don't have permission to access /snort/res3/snort-mysql-sam-2.4.2-1.rpm on this server.
Thanks
Barry
Hello:
I am getting the following forbidden error
You don't have permission to access /snort/res3/snort-mysql-sam-2.4.2-1.rpm on this server.
Thanks
Barry
It was my mistake, sorry. Permissions changed on all new rpm packages.
billydingus
10-13-05, 12:47
I have installed CentOS 3.5 and re-installed snort using your script. The install completed perfectly and when I typed what is listed below, this is what I got. Is this a problem or any ideas as to what I need to do? Thanks.
[root@localhost ~]# tail -5 /var/log/messages
Sep 30 17:18:55 localhost snort[8616]: Flush behavior: Small (<255 bytes)
Sep 30 17:18:55 localhost snort[8616]: Ports: 21 23 25 42 53 80 110 111 135136 137 139 143 445 513 1433 1521 3306
Sep 30 17:18:55 localhost snort[8616]: Emergency Ports: 21 23 25 42 53 80 110 111 135 136 137 139 143 445 513 1433 1521 3306
Sep 30 17:18:55 localhost snort[8616]: FATAL ERROR: Cannot open performance logfile '/var/snort/snort.stats'
Sep 30 17:18:55 localhost kernel: device eth0 left promiscuous mode
Hi,
I have the same error, so I manually created the file myself and it works.
billydingus
10-14-05, 09:59
Hi,
I have the same error, so I manually created the file myself and it works.
Thanks for the reply, I will do that myself.:)
The Sourcefire Vulnerability Research Team (VRT) has learned of a vulnerability in Snort v2.4.0 and higher. Users are only vulnerable if the Back Orifice preprocessor is enabled. Snort v2.4.3 has been released to correct the issue. In addition, detailed instructions for mitigating the issue by disabling the Back Orifice preprocessor are included below. :confused:
http://www.snort.org/pub-bin/snortnews.cgi#99
We have released new snort-mysql-sam-2.4.3-1.rpm package. :cool:
Update instruction:
http://www.root0.net/snort/index.html#Update
if anyone is getting a lot of hard-to-explain errors when starting snort
like in /var/log/messages:
Oct 28 02:54:17 atweb snort[19378]: pcap_loop: recvfrom: Network is down
...
Oct 28 02:54:17 atweb snort[19378]: INFO => [Alert_FWsam](FWsamCheckOut) Disconnecting from host 127.0.0.1.
Oct 28 02:54:17 atweb kernel: device eth0 left promiscuous mode
check to make sure that your ethernet card is *ACTUALLY* called eth0. I spent about an hour and a half trying to debug this problem and finally discovered that our ethernet card is eth1, not eth0.
So I changed any reference to eth0 to eth1 in
/etc/init.d/snortd
if [ "$INTERFACE"X = "X" ]; then
INTERFACE="-i eth1"
and (i don't know if this was necessary, but it seemed like a good idea) in
/etc/snort/snortsam.conf
iptables eth1 /var/log/snort/snortsam_eth1.log
hope this saves someone some headaches
Jeremy
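A check that would have caught the mismatch Jeremy describes before Snort ever started, as an added example that is not part of the snortd init script root0.net ships: it verifies that the interface named in the INTERFACE option really exists on the host, and that snortsam.conf has an iptables line for the same interface, so a wrong "eth0" fails with a clear message instead of "pcap_loop: recvfrom: Network is down" in syslog. It assumes a Linux host (interface names read from /sys/class/net); the NET_IFACES override and the snortsam.conf fragment are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not part of the snortd init script root0.net ships): verify
# that the interface named in INTERFACE exists before Snort starts, and that
# snortsam.conf names the same interface, so a mistyped or wrong "eth0" fails
# early with a clear message instead of "pcap_loop: recvfrom: Network is down".

# Interface names, one per line. Default source is /sys/class/net (Linux);
# setting NET_IFACES to a space-separated list overrides it (used in the
# usage below so the check can be exercised without real interfaces).
list_interfaces() {
    if [ -n "${NET_IFACES:-}" ]; then
        printf '%s\n' $NET_IFACES
    else
        ls /sys/class/net
    fi
}

# Pull the interface name out of a snortd-style option string, e.g.
# "-i eth1" -> "eth1". Prints nothing if no -i option is present.
iface_from_option() {
    printf '%s\n' "$1" | sed -n 's/^-i[ ]*\([^ ]*\).*$/\1/p'
}

# Return 0 if the named interface exists on this host.
iface_present() {
    list_interfaces | grep -qx -- "$1"
}

# Validate an INTERFACE option string. Returns 0 if the interface exists,
# 1 if it does not (listing what does exist), 2 if no name was given.
check_snort_interface() {
    name=$(iface_from_option "$1")
    if [ -z "$name" ]; then
        echo "snortd: no interface name in INTERFACE='$1'" >&2
        return 2
    fi
    if iface_present "$name"; then
        return 0
    fi
    echo "snortd: interface '$name' not found; present: $(list_interfaces | tr '\n' ' ')" >&2
    return 1
}

# Return 0 if snortsam.conf (on stdin) has an iptables line for interface $1,
# i.e. SnortSam blocks on the same interface Snort sniffs.
snortsam_uses_iface() {
    grep -Eq "^iptables[[:space:]]+$1([[:space:]]|\$)"
}

# Constructed snortsam.conf fragment; the real file carries more directives.
SAMPLE_SNORTSAM_CONF='# constructed example
iptables eth1 /var/log/snort/snortsam_eth1.log'

# Usage: pretend the host has lo and eth1 only, as in the post above.
NET_IFACES="lo eth1"
check_snort_interface "-i eth0" || echo "-> fix INTERFACE in /etc/init.d/snortd" >&2
check_snort_interface "-i eth1" && echo "eth1 ok"
printf '%s\n' "$SAMPLE_SNORTSAM_CONF" | snortsam_uses_iface eth1 && echo "snortsam.conf matches eth1"
unset NET_IFACES
```

In the init script itself the call would sit just before snort is started, using the real interface list: `check_snort_interface "$INTERFACE" || exit 1`, with `snortsam_uses_iface "$name" < /etc/snort/snortsam.conf` as the matching check for SnortSam.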
So after tinkering around with snort/snortsam for a while, I've realized what a task it is to come up with a good set of rules for snortsam on what to block from the firewall.
Any suggestion on where to get a robust set of rules, either in the form of RULEs or in commands to be passed to iptsamconf.sh?
Thanks!
Hi there,
I am wondering if this "package" works with Centos 4.2 ?
Thanks!
I have a server running CP only. Do I have to run a separate httpd service or can I use httpdcp? If I can use httpdcp, then the http root is /home/hsphere/local/home/cpanel/apache/ ?
Also, should i install mysql or just use the mysql in another linux box? which is better?
Thanks.
dynamicnet
11-20-05, 12:32
Hi:
A single server will have both httpd and httpdcp; I would recommend running BASE on the httpd part.
Thank you.
I have a server running CP only. Do I have to run a separate httpd service or can I use httpdcp? If I can use httpdcp, then the http root is /home/hsphere/local/home/cpanel/apache/ ?
Also, should i install mysql or just use the mysql in another linux box? which is better?
Thanks.
Probably you have an H-Sphere configuration like:
Server1 : CP, DNS1;
Server2 : Web, Mail
Server3 : MySQL, PGSQL, DNS2
In this case there is no H-Sphere Apache server on port 80.
In Snort installation menu :
1) SNORT [X]
2) MYSQL [X]
3) ACID [X]
Select
"SNORT" for Server1
"SNORT" + "ACID" for Server2
"SNORT" + "MYSQL" for Server3
roj,
I tried to run the script on CentOS 4.2 that is not part of an H-Sphere cluster and it failed.
Does this script install snort+snortsam+acid on a pre-configured H-Sphere box? Is there any way to run it on a non-H-Sphere box? (I am thinking of running it only on the perimeter firewall)
Thanks!
roj,
I tried to run the script on CentOS 4.2 that is not part of an H-Sphere cluster and it failed.
Does this script install snort+snortsam+acid on a pre-configured H-Sphere box? Is there any way to run it on a non-H-Sphere box? (I am thinking of running it only on the perimeter firewall)
Thanks!
We don't have Snort RPMs for CentOS 4.2. That is why the script failed. :rolleyes: Probably in the near future we'll add this and several other new OSs.
All supported OSs you can find on the Snort installation page on www.root0.net.
This script works on non-H-Sphere boxes, but you need to enter the mysql root password several (6) times during the install procedure.
Greetings:
we need to re-install snortd using Roj snort_inst.sh script, we're running RHE/ES4
Unfortunately snortsam-2.40-1.rpm failed to find dependency libpcap.so.0.6.2 - checking I see we have libpcap-0.8.3-10 installed -
if I downgrade then the latest version of ntop fails - God knows what else will fail if I downgrade - but I want snortsam installed :(
solution anybody ?
Thanks
Sincerely
Barry
Hi Bearman & ROJ,
I have the same problem. Any solution to this?
Hi Bearman & ROJ,
I have the same problem. Any solution to this?
I am sad to say I didn't receive any feedback.
I didn't see any other option, so I removed ntop and downgraded to libpcap.so.0.6.2 so I could install snortd.
Sincerely
Barry
Unfortunately snortsam-2.40-1.rpm fails to find its dependency libpcap.so.0.6.2; checking, I see we have libpcap-0.8.3-10 installed...
Make a link to /usr/lib/libpcap.so.0.8.3 and run the snort install script with the "nodeps" parameter:
# ln -s /usr/lib/libpcap.so.0.8.3 /usr/lib/libpcap.so.0.6.2
# ./snort_inst.sh nodeps
We have changed the snort installation script and now it will install BASE version 1.2.1 instead of the old version 0.9.8. If any problem arises, you can get the old version of the install script here:
http://www.root0.net/snort/snort_inst.linux.sh
Also we uploaded new Snort packages with the latest rules.
Hello;
I just tried a fresh install and received the following error:
ACID installation [ OK ]
Download create_mysql file
Download create_mysql file [ OK ]
MySQL configuration
ERROR 1062 at line 26: Duplicate entry '106' for key 1
Thanks
Barry
Never mind, I got it to work.
Thanks
Barry
Added CentOS 4.2 support to the snort installation script.
You can clean the snort database through the ACID/BASE interface.
Look for the "Action" form at the bottom of the ACID/BASE pages.
roj,
I could not find what you were referring to here about how to clean up the database. Can you or someone here give some details on how to delete old alerts from the database?
Log into your BASE interface:
http://SERVER_IP/base/base_main.php
Click the link near "Unique Alerts: <NUMBER>".
You will get a list of the unique alerts from your database.
Go to the bottom of this page and find the "ACTION" form.
Select "Delete alert(s)" and press the "ALL on screen" button.
Mission accomplished :D
We have released new packages: SnortSam version 2.44 and Snort version 2.4.3 build 3 with the latest rules.
We have released new packages: SnortSam version 2.45 and Snort version 2.4.3 build 4 with the latest rules.
Update instructions:
http://www.root0.net/snort/#Update
dynamicnet
01-14-06, 06:05
Greetings Roj:
Thank you for your good work!
I used this snort/snortsam in a bridge firewall server, and I was wondering if it is possible to limit the "Destination" IP addresses that it monitors?
Currently it reports on all IP addresses in the subnet, but I am interested in only monitoring the traffic to only few IP addresses.
Try the following solution:
In /etc/snort.conf change HOME_NET value from any to IP list (see example in this file)
and restart snort.
Roj,
That's exactly what I was looking for... It is now working the way I wanted it.
Thank you ...
Hello,
I'm getting the following message in the log files:
email, Error: [email] Did not receive a response waiting for banner on mail server at
When snortsam blocks/unblocks IP numbers, I want an e-mail sent. For some reason this isn't working, with the above mentioned reason.
Mail is working, however; it's possible to send mail from the server to the destination address from the shell prompt.
Probably you have a big timeout on your mail server. Check if reverse DNS is configured for your mail.domain.com. If not:
http://www.root0.net/rdns/rdns.php
We have released a new SnortSam package, snortsam-2.47-1.
We are going to create a new script for generating custom Snort anti-spam rules.
For example:
You find in the qmail queue or local mailboxes tons of spam letters with the phrase "Online Pharmaceutical" or "Vlsagra $3.3", and the spammer is sending such letters again and again. No problem: you just add this line to a special file, run the script, and it will generate a snort anti-spam rule for each such phrase. Now you can see spam statistics in the BASE interface :rolleyes: and block the spammer's IP, if you want, via the iptsamconf.sh script. I'm just not sure about server load.
What is your opinion? Suggestions? Ideas?
Latest news:
http://www.root0.net/news.html
Bugs, patches, flames or wishes -> info at root0.net ;)
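As an added example of what such a phrase-to-rule generator could look like (this is not root0.net's planned script, just my sketch of the idea above): it reads one phrase per line and prints a local Snort rule per phrase that alerts on inbound SMTP traffic containing it. The header variables $EXTERNAL_NET and $HOME_NET and the classtype policy-violation are the stock snort.conf/classification.config names; the SID range starting at 1000000 is the conventional space for local rules.

```shell
# Added example (not root0.net's script): turn a phrase list into local
# Snort rules that alert on inbound SMTP traffic carrying the phrase.

# gen_spam_rules PHRASE_FILE [START_SID]
#   One phrase per line; blank lines and '#' comments are skipped. Local rules
#   use SIDs from 1000000 up so they never collide with distributed rule sets.
#   Backslash, double quote and semicolon are escaped for the content string;
#   '|' and '$' are emitted as hex bytes (|7C| and |24|) so they can neither
#   open a hex block nor be mistaken for a variable reference by the parser.
gen_spam_rules() {
    phrases=$1
    sid=${2:-1000000}
    while IFS= read -r phrase || [ -n "$phrase" ]; do
        case $phrase in ''|'#'*) continue ;; esac
        esc=$(printf '%s' "$phrase" | sed \
            -e 's/\\/\\\\/g' \
            -e 's/"/\\"/g' \
            -e 's/;/\\;/g' \
            -e 's/|/|7C|/g' \
            -e 's/\$/|24|/g')
        # msg text is informational only: reduce it to safe characters
        msg=$(printf '%s' "$phrase" | tr -c 'A-Za-z0-9 .-' '_')
        printf 'alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"LOCAL SPAM phrase %s"; flow:to_server,established; content:"%s"; nocase; classtype:policy-violation; sid:%d; rev:1;)\n' \
            "$msg" "$esc" "$sid"
        sid=$((sid + 1))
    done < "$phrases"
}

# count_rules PHRASE_FILE
#   Number of rules gen_spam_rules would emit for the file.
count_rules() {
    gen_spam_rules "$1" | wc -l | tr -d ' '
}
```

Write the output to a file under $RULE_PATH, include it from snort.conf, and keep the phrase file under version control so a rule can be traced back to the spam that motivated it. Content matching on every SMTP session is cheap compared to the rest of the rule set, but a long phrase list is still worth watching on a busy mail server, which is the load concern raised above.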
I hope this topic has not been dead for too long. :)
I read the whole thread and every post in it, but I am still confused about what to do with snort and the servers.
I am in the process of trying to install/configure/learn snort on our HSPHERE servers.
Currently, we have 4 HSPHERE servers. 1 mail, 1 sql, 1 web, 1 control panel.
I have installed snort & acid on the mail & web servers. When I first did this, I got all kinds of errors regarding missing library files. However, I found the missing library files, downloaded the libraries and installed them. Then I finally could complete the SNORT installation. Now, I have snort installed, but I still have many questions.
How do I tell how or what snort is doing? I originally thought that the ACID program would do this for me, but I also wondered if I would need to create different databases for each server. Currently, I have snort running on the mail and web servers. Does 1 version of ACID on the webserver take care of all the servers? I realize snort needs to be running on all the servers I wish to monitor but do I need a different database for each instance of snort running?
What we are looking to do is have an easy way to monitor all 4 servers and be able to block IP addresses from scanning or attempting to login.
Currently, I can see the ACID control panel on our webserver. This has a database that links to the mailserver(SQL), but it is only reporting the web. How can I monitor the control panel, mail and SQL servers all on the same acid control panel? How do I figure out where potential attacks are coming from and then block them?
Any tips for a Linux/Snort newbie? I am not sure what type of configuration I should be looking to achieve with a CentOS server. Any help that is given is greatly appreciated. Thank you in advance for your help.
I'll attempt to give you some answers, but know that I'm a newbie, too, and can only give you what my impressions are, and I might be corrected by others.
my view:
Snort: all it does is keep track of what connections have been coming in. It sorts them and stores all of them in its DB.
SnortSam: the "sam" part of it is snort's connection to the firewall. You give snortsam some rules on what kind of connections you think are bad or malicious, and when snort sees those kinds of connections, it can pass block rules to the firewall, temporarily blocking the source IPs of the requests. How to do this is outlined here: http://www.root0.net/snort/index.html#Configuration
acid: acid is just a nice little interface for you to monitor what snort dumps into the DB. You can sort on the most frequent alerts, the most recent, or look at graphs, statistics, etc. this helps you decide what kind of rules you want to give to snortsam.
I don't know that acid can monitor more than one server per installation. perhaps someone else can answer that.
anyway, hope I gave 0+ help...
...I don't know that acid can monitor more than one server per installation. perhaps someone else can answer that.
ACID/BASE can monitor more than one server per installation.
Snort sensors on different servers send their alerts to a common MySQL database. Then ACID and BASE get their data from this database.
Currently, we have 4 HSPHERE servers. 1 mail, 1 sql, 1 web, 1 control panel.
In your case you can install:
Mail server: Snort;
SQL server: Snort, MySQL database;
Web server: Snort, ACID/BASE;
CP server: Snort.
Snort-2.4.4
Snortsam-2.50
http://www.root0.net/snort/#Update
Did you see the Security Alert on the Psoft site? :eek:
Does anyone know how (through what service) the hacker got root access to H-Sphere servers?
I'm glad to inform you that not one server with Snort (at least in my care :rolleyes:) was compromised.
Thank you Snort :D
We released a new Snort RPM build with a very powerful rule set from http://www.bleedingsnort.com/
Update instructions as always:
http://www.root0.net/snort/#Update
PS: For existing installations
Don't forget to add 2 lines:
var SSH_PORTS 22
include $RULE_PATH/bleeding-all.rules
at the end of /etc/snort.conf.
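The HOME_NET change suggested earlier in the thread and the two lines above are both edits to snort.conf that tend to be redone on every package update. As an added example (my own helper functions, not part of the root0.net script), here is an idempotent way to make them: the config path is passed in explicitly, /etc/snort/snort.conf on the boxes discussed here (the thread also mentions /etc/snort.conf), and the tests run against a constructed copy.

```shell
# Added example (not the root0.net script): idempotent edits to snort.conf
# for the two changes discussed in this thread. Work on a copy, then check it
# with `snort -T -c COPY` before restarting snortd.

# get_snort_var CONF NAME
#   Prints the value of the first "var NAME value" line, nothing if unset.
get_snort_var() {
    awk -v n="$2" '$1 == "var" && $2 == n {
        sub(/^[ \t]*var[ \t]+[^ \t]+[ \t]+/, ""); print; exit }' "$1"
}

# set_snort_var CONF NAME VALUE
#   Replaces every "var NAME ..." line with the new value, or appends one if
#   the variable is not defined yet. Writes through cat so the file keeps its
#   owner and mode. Values such as [192.0.2.10/32,192.0.2.11/32] must not
#   contain spaces (Snort's own list syntax).
set_snort_var() {
    conf=$1
    name=$2
    value=$3
    tmpf=$(mktemp) || return 1
    awk -v n="$name" -v v="$value" '
        $1 == "var" && $2 == n { print "var " n " " v; seen = 1; next }
        { print }
        END { if (!seen) print "var " n " " v }
    ' "$conf" > "$tmpf" && cat "$tmpf" > "$conf"
    rc=$?
    rm -f "$tmpf"
    return $rc
}

# ensure_conf_line CONF LINE
#   Appends LINE (compared literally, whole line) unless it is already there,
#   so running the update twice does not include the rule file twice.
ensure_conf_line() {
    grep -qxF -- "$2" "$1" && return 0
    printf '%s\n' "$2" >> "$1"
}

# restrict_home_net CONF IPLIST
#   Refuses to set HOME_NET back to "any": the point of the edit is to stop
#   alerting on every address a bridge or sniffing interface can see.
restrict_home_net() {
    case $2 in
        any|'') echo "restrict_home_net: give an explicit address list" >&2; return 1 ;;
    esac
    set_snort_var "$1" HOME_NET "$2"
}
```

Typical use after an RPM update: `set_snort_var /etc/snort/snort.conf SSH_PORTS 22`, then `ensure_conf_line /etc/snort/snort.conf 'include $RULE_PATH/bleeding-all.rules'`, then `snort -T -c /etc/snort/snort.conf` to let the parser validate the result before `service snortd restart`.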
dynamicnet
03-30-06, 05:21
Greetings Roj:
I'm glad you were not hit by the compromise.
We've been using rules from bleedingsnort.com for some time.
Did you incorporate all of the rules or just some?
If some, which ones?
Thank you.
All rules in one file:
http://www.bleedingsnort.com/bleeding-all.rules
We just deleted the commented-out rules (200KB).
I'm running Trustix Secure 2.2, not enterprise. It seems your setup script is checking for only Enterprise. Is there a way around this?
dynamicnet
04-05-06, 07:11
Greetings Roj:
After the latest update, we are not getting emails with block and unblock.
Such as:
Blocking host 216.104.66.202 (ded10.uci.net) completely for 3600 seconds.
This block was triggered by signature ID: 2000328
I checked /etc/snort/snortsam.conf and it does have the mail server and email address correct; no changes to that file.
Please advise.
Thank you.
I'm running Trustix Secure 2.2, not enterprise. It seems your setup script is checking for only Enterprise. Is there a way around this?
Thank you for the correction. I have changed the Snort install script for your case.
Just download the new version and follow the installation instructions.
After the latest update, we are not getting emails with block and unblock.
What version of SnortSam do you have? There were problems with 2.52 and the SnortSam developer recalled it. :confused:
dynamicnet
04-05-06, 07:42
Hi Roj:
rpm -qa | grep snort
snort-mysql-sam-2.4.3-4
snortsam-2.50-1
Thank you.
dynamicnet
04-05-06, 07:49
Hi Roj:
I just noticed the snort-mysql-sam was not snort-mysql-sam-2.4.4-2.rpm
However, when I shut down snort/snortsam and try to Uvh I get the following on all servers:
rpm -Uvh snort-mysql-sam-2.4.4-2.rpm
error: Failed dependencies:
libmysqlclient.so.10 is needed by snort-mysql-sam-2.4.4-2
Suggested resolutions:
mysql-3.23.58-16.RHEL3.1.i386.rpm
Please note we are using MySQL 4.0.26 and I believe we have the proper RPMs installed for Snort/Snortsam.
rpm -qa | grep -sir mysql
MySQL-shared-4.0.26-0
MySQL-client-4.0.26-0
snort-mysql-sam-2.4.3-4
MySQL-server-4.0.26-0
Please advise.
Thank you.
rpm -Uvh snort-mysql-sam-2.4.4-2.rpm
error: Failed dependencies:
libmysqlclient.so.10 is needed by snort-mysql-sam-2.4.4-2
Suggested resolutions:
mysql-3.23.58-16.RHEL3.1.i386.rpm
There are different MySQL versions on different OSs and servers. That is why there is no possibility of making a universal RPM package.
SOLUTION: Create a link.
# locate libmysqlclient.so
/usr/lib/libmysqlclient.so.12
/usr/lib/libmysqlclient.so
/usr/lib/libmysqlclient.so.12.0.0
# ls -la /usr/lib/libmysqlclient.so.12
lrwxrwxrwx 1 root root 24 Oct 19 05:46 /usr/lib/libmysqlclient.so.12 -> libmysqlclient.so.12.0.0
# ln -s /usr/lib/libmysqlclient.so.12.0.0 /usr/lib/libmysqlclient.so.10
and install the RPM with the "--nodeps" option
# rpm -Uvh snort-mysql-sam-2.4.4-2.rpm --nodeps
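Both this fix and the libpcap one earlier in the thread are the same move: alias the soname an RPM was built against to the library actually installed, then install with dependency checks off. As an added example (my own helper, not part of the root0.net script), here is that move with the checks a practitioner would want around it: the target must exist, an existing real file is never clobbered, a stale link is reported rather than silently retargeted, and a major-version mismatch is flagged because it means the package runs against an ABI it was not built for. LIBDIR defaults to /usr/lib; the tests use a scratch directory.

```shell
# Added example (not the root0.net install script): create a compatibility
# soname symlink the way the two replies above do by hand, but only when the
# target really exists and nothing else is in the way.

# link_compat_soname WANTED INSTALLED [LIBDIR]
#   WANTED    soname the RPM asks for (e.g. libmysqlclient.so.10)
#   INSTALLED real library file on the box (e.g. libmysqlclient.so.12.0.0)
# Returns 0 when the link exists and points at INSTALLED, 1 otherwise.
link_compat_soname() {
    wanted=$1
    installed=$2
    libdir=${3:-/usr/lib}
    target="$libdir/$installed"
    link="$libdir/$wanted"

    # The library we want to alias must actually be there.
    if [ ! -f "$target" ]; then
        echo "link_compat_soname: $target not found" >&2
        return 1
    fi
    # Never replace a real file of that name with a symlink.
    if [ -e "$link" ] && [ ! -L "$link" ]; then
        echo "link_compat_soname: $link is a real file, refusing" >&2
        return 1
    fi
    # Already correct: idempotent success.
    if [ -L "$link" ] && [ "$(readlink "$link")" = "$installed" ]; then
        return 0
    fi
    # A symlink pointing somewhere else is reported, not silently retargeted.
    if [ -L "$link" ]; then
        echo "link_compat_soname: $link already points to $(readlink "$link")" >&2
        return 1
    fi
    # Relative target: both files live in the same directory.
    ln -s "$installed" "$link"
}

# soname_major NAME
#   Prints the major version in a soname (libpcap.so.0.6.2 -> 0,
#   libmysqlclient.so.12.0.0 -> 12).
soname_major() {
    printf '%s\n' "$1" | sed -n 's/^.*\.so\.\([0-9][0-9]*\).*$/\1/p'
}

# abi_majors_match WANTED INSTALLED
#   Returns 0 if both sonames share a major version, 1 if they do not.
#   Different majors mean the RPM was built against another ABI: the symlink
#   is a workaround to re-check on the next library upgrade, not a fix.
abi_majors_match() {
    [ "$(soname_major "$1")" = "$(soname_major "$2")" ]
}
```

Run `ldconfig -p | grep libmysqlclient` (or `locate` as above) to find INSTALLED, then `link_compat_soname libmysqlclient.so.10 libmysqlclient.so.12.0.0` followed by the `rpm -Uvh ... --nodeps` step. Keep a note of every such link: when MySQL or libpcap is next upgraded, the symlink keeps pointing at a file that may no longer exist, and snort or snortsam will then fail to start.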
Hi Roj,
Firstly - thank you for providing all of this help in getting snort up and running :)
I have followed the instructions and some helpful points in this thread, but have a problem when starting snort: it does start, but then fails...
Apr 13 15:49:24 snort kernel: device eth0 entered promiscuous mode
Apr 13 15:49:24 snort snort[23237]: Initializing daemon mode
Apr 13 15:49:24 snort snort[23238]: PID path stat checked out ok, PID path set to /var/run/
Apr 13 15:49:24 snort snort[23238]: Writing PID "23238" to file "/var/run//snort_eth0.pid"
Apr 13 15:49:24 snort snortd: snort startup succeeded
Apr 13 15:49:24 snort snort[23238]: Parsing Rules file /etc/snort/snort.conf
Apr 13 15:49:24 snort snort[23238]: ,-----------[Flow Config]----------------------
Apr 13 15:49:24 snort snort[23238]: | Stats Interval: 0
Apr 13 15:49:24 snort snort[23238]: | Hash Method: 2
Apr 13 15:49:24 snort snort[23238]: | Memcap: 10485760
Apr 13 15:49:24 snort snort[23238]: | Rows : 4099
Apr 13 15:49:24 snort snort[23238]: | Overhead Bytes: 16400(%0.16)
Apr 13 15:49:24 snort snort[23238]: `----------------------------------------------
Apr 13 15:49:24 snort snort[23238]: Frag3 global config:
Apr 13 15:49:24 snort snort[23238]: Max frags: 65536
Apr 13 15:49:24 snort snort[23238]: Fragment memory cap: 4194304 bytes
Apr 13 15:49:24 snort snort[23238]: Frag3 engine config:
Apr 13 15:49:24 snort snort[23238]: Target-based policy: FIRST
Apr 13 15:49:24 snort snort[23238]: Fragment timeout: 60 seconds
Apr 13 15:49:24 snort snort[23238]: Fragment min_ttl: 1
Apr 13 15:49:24 snort snort[23238]: Fragment ttl_limit: 5
Apr 13 15:49:24 snort snort[23238]: Fragment Problems: 1
Apr 13 15:49:24 snort snort[23238]: Bound Addresses: 0.0.0.0/0.0.0.0
Apr 13 15:49:24 snort snort[23238]: Stream4 config:
Apr 13 15:49:24 snort snort[23238]: Stateful inspection: ACTIVE
Apr 13 15:49:24 snort snort[23238]: Session statistics: INACTIVE
Apr 13 15:49:24 snort snort[23238]: Session timeout: 30 seconds
Apr 13 15:49:24 snort snort[23238]: Session memory cap: 8388608 bytes
Apr 13 15:49:24 snort snort[23238]: Session count max: 8192 sessions
Apr 13 15:49:24 snort snort[23238]: Session cleanup count: 5
Apr 13 15:49:24 snort snort[23238]: State alerts: INACTIVE
Apr 13 15:49:24 snort snort[23238]: Evasion alerts: INACTIVE
Apr 13 15:49:24 snort snort[23238]: Scan alerts: INACTIVE
Apr 13 15:49:24 snort snort[23238]: Log Flushed Streams: INACTIVE
Apr 13 15:49:24 snort snort[23238]: MinTTL: 1
Apr 13 15:49:24 snort snort[23238]: TTL Limit: 5
Apr 13 15:49:24 snort snort[23238]: Async Link: 0
Apr 13 15:49:24 snort snort[23238]: State Protection: 0
Apr 13 15:49:24 snort snort[23238]: Self preservation threshold: 50
Apr 13 15:49:24 snort snort[23238]: Self preservation period: 90
Apr 13 15:49:24 snort snort[23238]: Suspend threshold: 200
Apr 13 15:49:24 snort snort[23238]: Suspend period: 30
Apr 13 15:49:24 snort snort[23238]: Enforce TCP State: INACTIVE
Apr 13 15:49:24 snort snort[23238]: Midstream Drop Alerts: INACTIVE
Apr 13 15:49:24 snort snort[23238]: Server Data Inspection Limit: -1
Apr 13 15:49:24 snort snort[23238]: WARNING /etc/snort/snort.conf(408) => flush_behavior set in config file, using old static flushpoints (0)
Apr 13 15:49:24 snort snort[23238]: Stream4_reassemble config:
Apr 13 15:49:24 snort snort[23238]: Server reassembly: INACTIVE
Apr 13 15:49:24 snort snort[23238]: Client reassembly: ACTIVE
Apr 13 15:49:24 snort snort[23238]: Reassembler alerts: ACTIVE
Apr 13 15:49:24 snort snort[23238]: Zero out flushed packets: INACTIVE
Apr 13 15:49:24 snort snort[23238]: Flush stream on alert: INACTIVE
Apr 13 15:49:24 snort snort[23238]: flush_data_diff_size: 500
Apr 13 15:49:24 snort snort[23238]: Reassembler Packet Preferance : Favor Old
Apr 13 15:49:24 snort snort[23238]: Packet Sequence Overlap Limit: -1
Apr 13 15:49:24 snort snort[23238]: Flush behavior: Small (<255 bytes)
Apr 13 15:49:24 snort snort[23238]: Ports: 21 23 25 42 53 80 110 111 135 136 137 139 143 445 513 1433 1521 3306
Apr 13 15:49:24 snort snort[23238]: Emergency Ports: 21 23 25 42 53 80 110 111 135 136 137 139 143 445 513 1433 1521 3306
Apr 13 15:49:24 snort snort[23238]: HttpInspect Config:
Apr 13 15:49:24 snort snort[23238]: GLOBAL CONFIG
Apr 13 15:49:24 snort snort[23238]: Max Pipeline Requests: 0
Apr 13 15:49:24 snort snort[23238]: Inspection Type: STATELESS
Apr 13 15:49:24 snort snort[23238]: Detect Proxy Usage: NO
Apr 13 15:49:24 snort snort[23238]: IIS Unicode Map Filename: /etc/snort/unicode.map
Apr 13 15:49:24 snort snort[23238]: IIS Unicode Map Codepage: 1252
Apr 13 15:49:24 snort snort[23238]: DEFAULT SERVER CONFIG:
Apr 13 15:49:24 snort snort[23238]: Ports: 80 8080 8180
Apr 13 15:49:24 snort snort[23238]: Flow Depth: 300
Apr 13 15:49:24 snort snort[23238]: Max Chunk Length: 500000
Apr 13 15:49:24 snort snort[23238]: Inspect Pipeline Requests: YES
Apr 13 15:49:24 snort snort[23238]: URI Discovery Strict Mode: NO
Apr 13 15:49:24 snort snort[23238]: Allow Proxy Usage: NO
Apr 13 15:49:24 snort snort[23238]: Disable Alerting: NO
Apr 13 15:49:24 snort snort[23238]: Oversize Dir Length: 500
Apr 13 15:49:24 snort snort[23238]: Only inspect URI: NO
Apr 13 15:49:24 snort snort[23238]: Ascii: YES alert: NO
Apr 13 15:49:24 snort snort[23238]: Double Decoding: YES alert: YES
Apr 13 15:49:24 snort snort[23238]: %U Encoding: YES alert: YES
Apr 13 15:49:24 snort snort[23238]: Bare Byte: YES alert: YES
Apr 13 15:49:24 snort snort[23238]: Base36: OFF
Apr 13 15:49:24 snort snort[23238]: UTF 8: OFF
Apr 13 15:49:24 snort snort[23238]: IIS Unicode: YES alert: YES
Apr 13 15:49:24 snort snort[23238]: Multiple Slash: YES alert: NO
Apr 13 15:49:24 snort snort[23238]: IIS Backslash: YES alert: NO
Apr 13 15:49:24 snort snort[23238]: Directory Traversal: YES alert: NO
Apr 13 15:49:24 snort snort[23238]: Web Root Traversal: YES alert: YES
Apr 13 15:49:24 snort snort[23238]: Apache WhiteSpace: YES alert: NO
Apr 13 15:49:24 snort snort[23238]: IIS Delimiter: YES alert: NO
Apr 13 15:49:24 snort snort[23238]: IIS Unicode Map: GLOBAL IIS UNICODE MAP CONFIG
Apr 13 15:49:24 snort snort[23238]: Non-RFC Compliant Characters: NONE
Apr 13 15:49:24 snort snort[23238]: rpc_decode arguments:
Apr 13 15:49:24 snort snort[23238]: Ports to decode RPC on: 111 32771
Apr 13 15:49:24 snort snort[23238]: alert_fragments: INACTIVE
Apr 13 15:49:24 snort snort[23238]: alert_large_fragments: ACTIVE
Apr 13 15:49:24 snort snort[23238]: alert_incomplete: ACTIVE
Apr 13 15:49:25 snort snort[23238]: alert_multiple_requests: ACTIVE
Apr 13 15:49:25 snort snort[23238]: FATAL ERROR: unknown preprocessor "ftp_telnet"
Apr 13 15:49:25 snort kernel: device eth0 left promiscuous mode
Have I missed something somewhere? I did think it may be a rules issue, but if that was the case I guess others would have had the same problem. We have just installed it; the versions are...
rpm -qa | grep snort
snort-mysql-sam-2.4.4-2
snortsam-2.50-1
Thanks for any help!
Cheers,
Sean
dynamicnet
04-13-06, 13:05
Hi Sean:
FATAL ERROR: unknown preprocessor
I would check the preprocessor directives you are using in /etc/snort/snort.conf against the current documentation at http://www.snort.org/
Thank you.
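One way to do that check before the daemon is even started, as an added example (my own helper, not something from the thread or from root0.net): pull every active preprocessor directive out of a snort.conf and compare it with the set the installed build knows. KNOWN_24 is my reading of the Snort 2.4 preprocessor set; the startup log above shows the first eight of them being loaded before the parser hits ftp_telnet, and the rest should be checked against your build's manual before you rely on the list.

```shell
# Added example (not from the thread or root0.net): static check of the
# preprocessor directives in a snort.conf against the list the installed
# build understands, which is what the FATAL ERROR in the log above is about.
# KNOWN_24 is an assumption (my reading of the 2.4 manual), not verified
# against every 2.4.x build.
KNOWN_24="flow frag3_global frag3_engine stream4 stream4_reassemble http_inspect http_inspect_server rpc_decode bo telnet_decode sfportscan"

# list_preprocessors CONF
#   Prints the name of every active "preprocessor" directive, in file order.
#   Commented-out directives (#preprocessor ...) are ignored, and the name is
#   the token before any ':' (e.g. "stream4: disable_evasion_alerts" -> stream4).
list_preprocessors() {
    awk '$1 == "preprocessor" { name = $2; sub(/:.*/, "", name); print name }' "$1"
}

# unknown_preprocessors CONF "name name ..."
#   Prints each configured preprocessor that is not in the known list.
#   Returns 1 if any were found (the config would FATAL at startup), else 0.
unknown_preprocessors() {
    known=" $2 "
    bad=0
    for p in $(list_preprocessors "$1" | sort -u); do
        case $known in
            *" $p "*) ;;
            *) printf '%s\n' "$p"; bad=1 ;;
        esac
    done
    return $bad
}
```

The authoritative check is still `snort -T -c /etc/snort/snort.conf`, which parses the configuration and exits with the same FATAL ERROR instead of leaving a half-started daemon behind; the functions above just let you see which directive is the problem at a glance, and catch a config shipped for a different Snort release (as happened here) before restarting the service.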
Thanks Peter. This actually turned out to be the incorrect snort.conf altogether?
It appears that while snort 2.4 is installed, a 2.6 conf file is installed along with it? Changing this sorted it out; I am just getting back to looking at this again now.
Also my thanks to Steve (stevewest15) who actually helped suss this out.
Sec_Student
05-06-06, 12:24
Hello there,
Thanks for this useful subject.
I need more documents that explain how snortsam works between snort and the firewall, whether it is iptables or NetScreen (including the installation of snortsam). The OS that I am working on is FC4.
Thanks a lot
Regards,
http://www.snort.org/docs/
Sec_Student
05-06-06, 13:22
Thanks, I have already read these documents.
I want documents that explain the installation on the FC4 OS. Besides, I heard that installation of snort on FC4 requires other software such as libnet and other software I can't remember now. I am going to search for them; if I can find them I will post them here.
Please, I need documents that completely explain the installation of snort + snortsam on the Fedora Core 4 operating system with all required software and configuration steps.
Regards
Security information Student :)
dynamicnet
05-06-06, 15:26
Greetings:
This forum is generally specific to H-Sphere which does not run on Fedora; so I'm not sure to what degree information will be readily available here on that subject matter.
Thank you.
Sec_Student
05-07-06, 11:10
I see
thanks so much for your response
Best Regards,
Security Information Student :(
It appears that while snort 2.4 is installed, a 2.6 conf file is installed along with it? Changing this sorted it out, I am just getting back to looking at this again now.
Oops :eek:
It was my mistake. I created the snort-2.4 package with rules for 2.6. :o
Fixed in new package build.
We released a new Snort-2.4.4 (build 4) package.
WARNING: Now it has the name snort-2.4.4-4.rpm (not snort-mysql-sam-2.4.4-4.rpm)!
To update, remove the old package and install the new one (rpm -e takes the installed package name, not the .rpm file name):
# rpm -e snort-mysql-sam-2.4.4-2
# rpm -ivh snort-2.4.4-4.rpm
Then you can restore your old configuration from the
/etc/snort/snort.conf.rpmsave file.
The snort_install.sh script was also changed: :cool:
Fixed several bugs in RPM installation (added the nodeps option). Changed permissions on the base and adodb directories, etc. Fedora Core 4/5 support was added (directory fc5): http://www.root0.net/snort/fc5/
I need more documents that explain how does snortsam works between the snort and the FireWall. Whether it is iptables or netscreen (including the installation of the snortsam). The OS that I am working on is FC4.
We don't provide any documentation, but now you can install Snort with all its software on FC4/FC5 via the snort_install.sh script too. ;) Use the instructions: http://www.root0.net/snort/
Sec_Student
05-12-06, 10:43
Thank you very much :)
My regards,
Security Information Student :rolleyes:
dynamicnet
06-02-06, 05:08
Hi Roj:
See http://secunia.com/advisories/20413/
Will you be creating a new build after June 5, 2006 for Snort 2.6.0 final?
Thank you.
We already have Snort-2.6.0RC2 and will publish new packages as soon as they are ready.
dynamicnet
06-02-06, 07:08
Hi Roj:
According to the article, Snort 2.6.0 final (stable) will be ready on June 5th.
Thank you.
There are strange problems during configuration/compilation of Snort-2.6.0. :confused:
That is why this snort version is not ready yet. We are investigating it now.
New RPMs for Snort-2.4.5 are ready and you can use them. :rolleyes:
dynamicnet
06-07-06, 06:38
Hi Roj:
Thank you for the update, and your excellent work!
Hello,
Figured I'd throw this out for you Snort users. Time to patch or turn off the referenced option.
http://isc.sans.org/diary.html?storyid=2280
Francesca
Richard Bewley
02-24-07, 11:55
This is the more detailed advisory:
http://www.snort.org/docs/advisory-2007-02-19.html
If you can't upgrade to 2.6.1.3, you'll want to disable the DCE/RPC preprocessor in snort.conf.
dynamicnet
08-07-07, 09:14
Greetings Roj:
I hope you and your family are well.
Have you stopped development of http://www.root0.net/snort/index.html ?
Thank you.