Intrusion Detection

[bmwman]

I would report him, but it's an ISP in Mexico.

[bodhi.zazen]

I would report him, but it's an ISP in Mexico.

Well, that is what black listing is for

[tnnn]

Since I'm not a big fan of adding several resource hungry services (apache, mysql) when they are not essential, I decided to go for the sqlless snort + ossec. I used the "snort" ubuntu package from repository which installed and started flawlessly (it detected my own nmap scans, and even some random port scans from internet). However, when Ubuntu is booting, I can see that snort starting script has "failed" and snort doesn't start. But if I run "/etc/conf.d/snort start" from console it starts without any issues. I've tried running it with both original and bodhi.zazens scripts but the result is always the same - snort fails during boot, but starts and works perfectly when started from console... Executing from rc.local changes nothing. I've tried "snort -T -c /etc/snort/snort.conf" but it doesn't report any errors.

Any ideas why is it happening? Or at least how to find out what is failing during boot?

[topimiring]

I'm sorry for asking such a noob question ,
Is there any way to translate honeypot captured data into a SNORT signature ?
I'd like to deploy self-learning IDS with snort based on data caputred by honeypot softwares.
THank you

[KEE]

wondering if this is for me. i think i get hacked almost on a daily bases. everytime i install any ubuntu 7.10 to 8.10 (i give up on 8.04 and 8.10 since i get systems 32 file along the installation process) . that same day my drive becomes "read only" and cannot save or anything. its either that or malicious software. going to reinstall sometime soon so wondering if i should install this before updates or after? i seem tobe getting hacked or getting malicious software during installation. i need to try something. please help

[bodhi.zazen]

wondering if this is for me. i think i get hacked almost on a daily bases. everytime i install any ubuntu 7.10 to 8.10 (i give up on 8.04 and 8.10 since i get systems 32 file along the installation process) . that same day my drive becomes "read only" and cannot save or anything. its either that or malicious software. going to reinstall sometime soon so wondering if i should install this before updates or after? i seem tobe getting hacked or getting malicious software during installation. i need to try something. please help

Sounds like a hard ware problem to me, my guess is your hard drive is old and/or failing. When there are disk errors they are remounted read only.

[catolh]

For some reason the ossec webui doesnt ask for a password when i access the site. Even though i set a username and password when i installed ossec.

Is this a known issue? (when i installed apache i only did apt-get apache2 and php modules).

[bodhi.zazen]

For some reason the ossec webui doesnt ask for a password when i access the site. Even though i set a username and password when i installed ossec.

Is this a known issue? (when i installed apache i only did apt-get apache2 and php modules).

I use https / .htaccess for the webui

[catolh]

I use https / .htaccess for the webui

Ah, i figured there was something about .htaccess. But how do i go about and make it require https ?

[bodhi.zazen]

Ah, i figured there was something about .htaccess. But how do i go about and make it require https ?

You have to install / configure ssl and apache :

http://www.tc.umn.edu/~brams006/selfsign_ubuntu.html