
Thread: Intrusion Detection

  1. #111
    Join Date
    Dec 2006
    Beans
    197

    Re: Intrusion Detection

    Hi Bodhi,
    I seem to be able to run snort using the command you used in the script, i.e. when I do this:
    Code:
    /usr/local/bin/snort -c /etc/snort/snort.conf -u snort -g snort -D
    I get this:
    Code:
    root@thunder:/usr/share/doc# ps aux | grep snort
    root     25753  0.0  0.0   3220   844 pts/1    S+   17:35   0:00 more snort
    root     25759  0.0  0.0   2076   540 pts/2    R+   17:36   0:00 grep snort
    root     30336  0.0  0.1   6464  2552 pts/0    S+   12:50   0:00 mysql -u snort -p snort
    root@thunder:/usr/share/doc#
    But when I issue the two commands that run the script, nothing happens:
    Code:
    @thunder:~$ sudo /etc/init.d/snort restart
    @thunder:~$ sudo /etc/init.d/snort boot
    @thunder:~$ ps -ef | grep snort
    root     30336 30272  0 12:50 pts/0    00:00:00 mysql -u snort -p snort
    31127 30529  0 12:56 pts/1    00:00:00 grep snort
    @thunder:~$ cd /etc/init.d/
    @thunder:/etc/init.d$ ls

  2. #112
    Join Date
    Dec 2006
    Beans
    197

    Re: Intrusion Detection

    My mistake. It runs when I use the snort -v command:
    Code:
    root@thunder:/usr/share/doc# snort -v
    Running in packet dump mode
    
            --== Initializing Snort ==--
    Initializing Output Plugins!
    Verifying Preprocessor Configurations!
    ***
    *** interface device lookup found: eth0
    ***
    
    Initializing Network Interface eth0
    Decoding Ethernet on interface eth0
    
            --== Initialization Complete ==--
    
       ,,_     -*> Snort! <*-
      o"  )~   Version 2.8.3.2 (Build 22)  
       ''''    By Martin Roesch & The Snort Team: http://www.snort.org/team.html
               (C) Copyright 1998-2008 Sourcefire Inc., et al.
               Using PCRE version: 7.8 2008-09-05
    
    Not Using PCAP_FRAMES
    04/11-17:43:07.562835 169.254.1.125:21302 -> 255.255.255.255:21302
    UDP TTL:64 TOS:0x0 ID:20024 IpLen:20 DgmLen:628
    Len: 600
    =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
    
    04/11-17:43:09.511187 ARP reply 169.254.1.125 is-at 0:15:9A:FA:F3:B (0:15:9A:D3:3A:D9)
    
    04/11-17:43:10.781693 74.125.47.17:80 -> 192.168.1.3:60524
    TCP TTL:251 TOS:0x0 ID:61537 IpLen:20 DgmLen:68
    ***AP*** Seq: 0x13472EBF  Ack: 0x5D0D2F63  Win: 0x37DC  TcpLen: 20
    =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
    
    04/11-17:43:10.781742 192.168.1.3:60524 -> 74.125.47.17:80
    TCP TTL:64 TOS:0x0 ID:51708 IpLen:20 DgmLen:40 DF
    ***A**** Seq: 0x5D0D2F63  Ack: 0x13472EDB  Win: 0x6FB8  TcpLen: 20
    =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
    
    ^C*** Caught Int-Signal
    Run time prior to being shutdown was 5.798422 seconds
    ===============================================================================
    Packet Wire Totals:
       Received:            7
       Analyzed:            7 (100.000%)
        Dropped:            0 (0.000%)
    Outstanding:            0 (0.000%)
    ===============================================================================
    Breakdown by protocol (includes rebuilt packets):
          ETH: 7          (100.000%)
      ETHdisc: 0          (0.000%)
         VLAN: 0          (0.000%)
         IPV6: 0          (0.000%)
      IP6 EXT: 0          (0.000%)
      IP6opts: 0          (0.000%)
      IP6disc: 0          (0.000%)
          IP4: 3          (42.857%)
      IP4disc: 0          (0.000%)
        TCP 6: 0          (0.000%)
        UDP 6: 0          (0.000%)
        ICMP6: 0          (0.000%)
      ICMP-IP: 0          (0.000%)
          TCP: 2          (28.571%)
          UDP: 1          (14.286%)
         ICMP: 0          (0.000%)
      TCPdisc: 0          (0.000%)
      UDPdisc: 0          (0.000%)
      ICMPdis: 0          (0.000%)
         FRAG: 0          (0.000%)
       FRAG 6: 0          (0.000%)
          ARP: 1          (14.286%)
        EAPOL: 0          (0.000%)
      ETHLOOP: 0          (0.000%)
          IPX: 0          (0.000%)
        OTHER: 3          (42.857%)
      DISCARD: 0          (0.000%)
    InvChkSum: 0          (0.000%)
       S5 G 1: 0          (0.000%)
       S5 G 2: 0          (0.000%)
        Total: 7         
    ===============================================================================
    Action Stats:
    ALERTS: 0
    LOGGED: 0
    PASSED: 0
    ===============================================================================
    Snort exiting
    root@thunder:/usr/share/doc#

  3. #113
    Join Date
    Dec 2006
    Beans
    197

    Re: Intrusion Detection

    Please ignore the previous post, I am getting closer. Now I see this when I run snort with the -c option pointing to the snort.conf file:
    Code:
    Initializing Network Interface eth0
    Decoding Ethernet on interface eth0
    database: compiled support for ( )
    database: configured to use mysql
    database: 'mysql' support is not compiled into this build of snort
    
    ERROR: If this build of snort was obtained as a binary distribution (e.g., rpm,
    or Windows), then check for alternate builds that contains the necessary
    'mysql' support.
    
    If this build of snort was compiled by you, then re-run the
    the ./configure script using the '--with-mysql' switch.
    For non-standard installations of a database, the '--with-mysql=DIR'
    syntax may need to be used to specify the base directory of the DB install.
    
    See the database documentation for cursory details (doc/README.database).
    and the URL to the most recent database plugin documentation.
    Fatal Error, Quitting..
    I am going to recompile. I know for sure I used the -mysql option during the compilation.

  4. #114
    Join Date
    Dec 2006
    Beans
    197

    Re: Intrusion Detection

    Seems my install is working, but I am not sure. I see the following:
    Code:
    root@thunder:/etc/snort# ps aux |  grep snort
    snort    14473  7.1  7.1 144468 110520 ?       Ss   18:52   0:05 snort -c /etc/snort/snort.conf -u snort -g snort -D
    root     30336  0.0  0.1   6464  2564 pts/0    S+   12:50   0:00 mysql -u snort -p snort
    root@thunder:/etc/snort#
    I downloaded nmap, and issued nmap x.x.x.x ( ip of my snort machine ). But I do not see any alerts in /var/log/snort
    Code:
    root@thunder:/var/log/snort# more snort.log.1239490353 
    root@thunder:/var/log/snort# more alert
    I also do not see anything collecting in my snort database:
    Code:
    mysql> select * from event;
    Empty set (0.00 sec)
    
    mysql> select * from data;
    Empty set (0.00 sec)
    Help please.

    Oh, the machine that is doing the nmap scan is connected through wireless, and goes through a hub/router with firewall functionality. I also have the firewall turned on at the host that runs snort. I use Firestarter to manage the Ubuntu firewall. Should I disable it to test?

  5. #115
    Join Date
    Apr 2009
    Beans
    7

    Re: Intrusion Detection

    Quote Originally Posted by bodhi.zazen
    No problem . Did you get it working ?
    I haven't had any success yet. As I stated earlier, I am able to start snort from the command line, but when I attempt to start when I boot (from rc.local), it does not start (no PID). I have backtracked my work, and it looks like I have mirrored your tutorial step by step. (The best by far anywhere) I am continuing to investigate. Are there any environmental situations that could cause my problem (like a mis-configured network, etc.)?

    Thanks for your time and assistance!

    Best regards,
    Mike McCoy

  6. #116
    Join Date
    Mar 2009
    Location
    NH
    Beans
    45
    Distro
    Ubuntu 8.10 Intrepid Ibex

    Re: Intrusion Detection

    Thanks for writing the tutorial - I haven't tried it yet but it looks very detailed.
    I intended to go ahead and try it out, using airsnort since I'm on a wireless connection. I went to the airsnort page, and it says: "This software is old. It is no longer maintained or supported. Besides, there are much better tools out there. You really should be trying something like aircrack-ng."
    ???
    aircrack-ng seems to be some way of cracking wireless network encryption keys... and then it says it can "audit" wireless networks...
    I'm very confused now.

  7. #117
    Join Date
    Jun 2006
    Location
    Edinburgh Scotland
    Beans
    32

    Re: Intrusion Detection

    Quote Originally Posted by bodhi.zazen
    Install base

    Code:
    cd
    wget http://easynews.dl.sourceforge.net/s...e-1.3.9.tar.gz

    Note : Later versions of base do not work (with Ubuntu at least).

    Open a web browser and navigate to http://your_ip_address/base

    Great tutorial

    I have it running with base 1.4.1

    Setup is done from http://your_ip_address/base/setup

    You also need to install PEAR Mail, Mail_Mime and Net_SMTP.
    Reference

  8. #118
    Join Date
    Apr 2006
    Location
    Montana
    Beans
    Hidden!
    Distro
    Kubuntu Development Release

    Re: Intrusion Detection

    Thanks for the information, gyterpena.

    I shall try it and update my post
    There are two mistakes one can make along the road to truth...not going all the way, and not starting.
    --Prince Gautama Siddharta

    #ubuntuforums web interface

  9. #119
    Join Date
    Dec 2006
    Beans
    197

    Re: Intrusion Detection

    Hi Bodhi,
    I see alerts in my alert file in the /var/log/snort directory, but I do not see them in the BASE page. Here is what I have in the alert file:

    Code:
    [**] [1:382:7] ICMP PING Windows [**]
    [Classification: Misc activity] [Priority: 3] 
    04/19-09:43:20.987089 192.168.1.4 -> 192.168.1.3
    ICMP TTL:128 TOS:0x0 ID:24149 IpLen:20 DgmLen:60
    Type:8  Code:0  ID:512   Seq:16128  ECHO
    [Xref => http://www.whitehats.com/info/IDS169]
    
    [**] [1:384:5] ICMP PING [**]
    [Classification: Misc activity] [Priority: 3] 
    root@thunder:/var/log/snort#
    but the BASE page is blank. Any idea?
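The alert file quoted above is Snort's "full" alert format, and the first thing worth checking when BASE shows nothing is whether the file itself is being parsed and counted correctly. Below is an added example, not code from the thread or from Snort/BASE, that parses that format into records and summarises them per signature and per priority (the two views BASE presents first); the sample text is constructed from the post's two records plus a made-up TCP record, and the parser assumes IPv4 addresses (the port-splitting regex does not handle IPv6 colons).

```python
import re
from collections import Counter

# Constructed sample in the Snort "full" alert-file format quoted above; record 2 is
# truncated as in the post, record 3 is made up to show a TCP alert carrying ports.
SAMPLE_ALERTS = """\
[**] [1:382:7] ICMP PING Windows [**]
[Classification: Misc activity] [Priority: 3] 
04/19-09:43:20.987089 192.168.1.4 -> 192.168.1.3
ICMP TTL:128 TOS:0x0 ID:24149 IpLen:20 DgmLen:60

[**] [1:384:5] ICMP PING [**]
[Classification: Misc activity] [Priority: 3] 

[**] [1:1000001:1] LOCAL TCP probe to snort host [**]
[Classification: Attempted Information Leak] [Priority: 2]
04/19-09:44:02.000001 192.168.1.4:40122 -> 192.168.1.3:80
TCP TTL:64 TOS:0x0 ID:5 IpLen:20 DgmLen:60 DF
"""

HEADER = re.compile(r"^\[\*\*\] \[(\d+):(\d+):(\d+)\] (.*) \[\*\*\]$")
CLASS = re.compile(r"\[Classification: ([^\]]*)\] \[Priority: (\d+)\]")
FLOW = re.compile(r"^(\d\d/\d\d-\d\d:\d\d:\d\d\.\d+) (\S+?)(?::(\d+))? -> (\S+?)(?::(\d+))?$")
OPTIONAL = ("classification", "priority", "timestamp", "src", "src_port", "dst", "dst_port", "proto")

def parse_alerts(text):
    """Parse an alert file into dicts; fields absent from a truncated record stay None."""
    alerts = []
    for raw in text.splitlines():
        line = raw.strip()
        if m := HEADER.match(line):  # each record opens with [**] gid:sid:rev msg [**]
            gid, sid, rev, msg = m.groups()
            alerts.append({"gid": int(gid), "sid": int(sid), "rev": int(rev), "msg": msg,
                           **dict.fromkeys(OPTIONAL)})
        elif not alerts or not line:
            pass  # blank separators, or text before the first header
        elif m := CLASS.search(line):
            alerts[-1].update(classification=m.group(1), priority=int(m.group(2)))
        elif m := FLOW.match(line):
            ts, src, sp, dst, dp = m.groups()
            alerts[-1].update(timestamp=ts, src=src, dst=dst,
                              src_port=int(sp) if sp else None, dst_port=int(dp) if dp else None)
        elif alerts[-1]["proto"] is None and line.split(" ", 1)[0] in ("TCP", "UDP", "ICMP"):
            alerts[-1]["proto"] = line.split(" ", 1)[0]  # IPv4 protocol line follows the flow line
    return alerts

def summarize(alerts):
    """Counts per signature and per priority, the first two views BASE presents."""
    return (Counter((a["sid"], a["msg"]) for a in alerts),
            Counter(a["priority"] for a in alerts))
```

If this script counts alerts from /var/log/snort/alert while the BASE page stays empty, the gap is between Snort's database output plugin and the database, not in the sensor itself, which matches the empty `event` table shown earlier in the thread.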

  10. #120
    Join Date
    Oct 2007
    Location
    Cali
    Beans
    69
    Distro
    Ubuntu

    Re: Intrusion Detection

    Need help getting the rules downloaded. I use your commands and I get a permission denied. I typed in this:

    wget http://www.snort.org/pub-bin/downloa....8.tar.gz
    Last edited by tronnix75; April 20th, 2009 at 01:52 AM.
