Page 3 of 31 FirstFirst 1234513 ... LastLast
Results 21 to 30 of 309

Thread: Intrusion Detection

  1. #21
    Join Date
    Apr 2006
    Location
    Montana
    Beans
    Hidden!
    Distro
    Kubuntu Development Release

    Re: Intrusion Detection

    Quote Originally Posted by Sarmacid View Post
    Just wanted to point out that there is a package with mysql logging support, I did it as indicated in the guide by djhedges and works great.

    OK, I will add that information in to the original post.

    The version in the repos is 2.7, and snort is on 2.8.3.

    IMO, as we are talking about security, in this case it is better to compile from source (compiling snort is quite easy, as is downloading a more up-to-date rule set).

    One advantage of installing from the repos is that it will include an init script for snort.
    There are two mistakes one can make along the road to truth...not going all the way, and not starting.
    --Prince Gautama Siddharta

    #ubuntuforums web interface

  2. #22
    Join Date
    Jun 2008
    Location
    Colombia
    Beans
    443

    Re: Intrusion Detection

    I agree that in security you should be the most up to date you can be; however, getting snort through synaptic has its advantages. It's easier and it gets updated, and really, the most important thing to keep up to date are the rules themselves, and that, as you mention in the guide, is done with oinkmaster. Don't wanna start up a discussion, but I think for the users that use snort at home getting it from the repos should be enough.

  3. #23
    Join Date
    Oct 2007
    Location
    Colorado
    Beans
    189
    Distro
    Ubuntu 7.04 Feisty Fawn

    Re: Intrusion Detection

    Thanks for the tutorial. I've wanted to install snort and now this tutorial will get me there.

    One thing might need to be updated: when I pasted the download for snort I found the address didn't work on my computer. So I went over to snort's website and copied the link and pasted that onto my command line.

    The command that worked for me is:

    wget http://www.snort.org/dl/snort-2.8.3.1.tar.gz && tar -zxvf snort-2.8.3.1.tar.gz
    Last edited by Girya; November 2nd, 2008 at 03:36 PM. Reason: remove the link in the quote

  4. #24
    Join Date
    Nov 2008
    Location
    Tennessee
    Beans
    12
    Distro
    Ubuntu 10.10 Maverick Meerkat

    Re: Intrusion Detection

    Thank you bodhi.zazen. I am a 4th year student for an information security systems and computer science degree and found your post informative and interesting. The majority of classes that deal with intrusion detection, network fortification, and common security practices apply the aforementioned concepts to Windows Server. This of course is useful for someone looking for a job because there are a fair number of Windows Servers. But for the rest of us who would like to secure a Linux server and get paid to do so, they do not inform quite as well. Thank you for this post. The use of NIDS is much more interesting on an open system.

  5. #25
    Join Date
    Jul 2006
    Beans
    14
    Distro
    Ubuntu 7.10 Gutsy Gibbon

    Re: Intrusion Detection

    I had run into a problem which resulted in the following error on "make":
    Code:
    attribute error: open with O_CREAT in second argument needs 3 arguments
    This seems to be a programmatic error. I fixed this by doing the following.

    You must be root to perform the following procedure. You may also open the file below and save it in your home folder, then copy it (as root) to its original directory (../snort2.8.*/src/preprocessors/flow/portscan/).

    After "./configure --with-mysql --enable-dynamicplugin", locate the file "server_stats.c" in "../snort-2.8.*/src/preprocessors/flow/portscan/" and open it in a text editor or IDE. Identify the following section:
    Code:
    int server_stats_save(SERVER_STATS *ssp, char *filename)
    In this section, identify the line:
    Code:
    fd = open(filename, O_CREAT|O_TRUNC|O_SYNC|O_WRONLY);
    and change it to:
    Code:
    fd = open(filename, O_CREAT|O_TRUNC|O_SYNC|O_WRONLY, 0600);
    Then you may run "make && make install".

    This resulted in other problems related to MySQL using Snort-2.8.3. I then attempted to use the current Snort-2.8.3.1 and it compiled and installed beautifully on my Intrepid server.

  6. #26
    Join Date
    Nov 2008
    Beans
    1

    Re: Intrusion Detection

    I'm having a problem downloading the init script via wget command line on my server installation. Can someone please detail instructions on the procedure to get the file via CLI?

    thanks

    Write a script to start snort :

    The only "problem" with installing snort from source is that we now need a script to start snort. The other issue is that if there are no alerts, snort will lose its connection with the mysql database.

    To solve this, I wrote a script to start / restart snort.

    The script is attached to this post and is called "ubuntu.snort.init.txt"

    Copy this file to your computer and copy/move it to /etc/init.d/snort

    Now let's look at the code. You need to look at two lines.

    1. The first is your interface. The default is eth0. If you wish to use snort on an alternate interface, such as eth1, you will need to edit the line IFACE="eth0" and change "eth0" to "eth1"
    * Note : Snort will not work with wireless interfaces, you need to use airsnort instead.
    2. The second option is to whitelist ip addresses. I advise you do this with caution, but you *may* wish to whitelist IP addresses such as your router and your public ip address.

    To whitelist an IP, add it to the line WHITELIST='' (note that is two single quotes, ' ' and not a double quote " ), one ip at a time, separated by a space, like this :

    Code:

    WHITELIST='127.0.0.1 192.168.1.1'


    Now that you are done editing the file, set ownership and permissions :

    Code:

    chown root.root /etc/init.d/snort
    chmod 500 /etc/init.d/snort

    Starting snort on boot

    My script has a 20 second sleep built in (sometimes when you start snort it will fail after a 10-15 second delay). To avoid adding a 20 second longer boot time, use the "boot" option.

    With this factoid in mind, edit /etc/rc.local and add :

    Code:

    exec /etc/init.d/snort boot

    Add this single line above "exit 0" if you have an exit 0 in the file

  7. #27
    Join Date
    Apr 2006
    Location
    Montana
    Beans
    Hidden!
    Distro
    Kubuntu Development Release

    Re: Intrusion Detection

    Yes, you cannot wget directly from the forums.

    Try this :

    Code:
    wget http://bodhizazen.net/ubuntu.snort.init.txt
    There are two mistakes one can make along the road to truth...not going all the way, and not starting.
    --Prince Gautama Siddharta

    #ubuntuforums web interface

  8. #28
    Join Date
    Apr 2007
    Location
    #ubuntu-us-ny
    Beans
    2,150
    Distro
    Ubuntu 10.04 Lucid Lynx

    Re: Intrusion Detection

    Quote Originally Posted by Etlaesium View Post
    I had run into a problem which resulted in the following error on "make":
    Code:
    attribute error: open with O_CREAT in second argument needs 3 arguments
    I ran into the same issue. I didn't have any problems following the Howto Forge for 7.10 on an 8.04 machine. I thought maybe some of the packages in the Howto Forge tutorial may have been outdated or whatever and I wanted to try an 8.10 tutorial. I'm not a developer - I'm a user - so I don't know what effect adding one more argument of value 0600 to the fd function, which I believe is a kernel function, has on this, but I guess that type of uncertainty is one of the downfalls of not learning and understanding the operating system and how it is created.

    In any event, I did this and followed the rest of the tutorial without any problems. OP, you may want to change this line:
    Code:
    tar zxvf ../snrotrules*
    to
    Code:
    tar zxvf ./snortrules*
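
    The change posts #25 and #28 describe (supplying the 0600 mode that open() requires when O_CREAT is set), as an added self-contained C example; it is not code from the thread or from the Snort source, and the file path and sample record are constructed. The missing third argument is what the "needs 3 arguments" build error is about: without it the mode is undefined (whatever value happens to sit in the variadic slot), so the stats file could be created with arbitrary permission bits; 0600 pins it to owner-only access.

```c
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>

/* Corrected form of the server_stats_save() line from the thread: with
 * O_CREAT, open() reads a third (mode) argument, so it must be given
 * explicitly; 0600 makes the stats file owner-readable/writable only. */
int stats_file_create(const char *filename)
{
    return open(filename, O_CREAT|O_TRUNC|O_SYNC|O_WRONLY, 0600);
}

/* Permission bits the file actually has on disk (after umask), or -1. */
int stats_file_mode(const char *filename)
{
    struct stat st;
    if (stat(filename, &st) != 0)
        return -1;
    return (int)(st.st_mode & 07777);
}

/* Create the file, write a constructed sample record, and return its
 * group/other permission bits: 0 means nobody but the owner can read it. */
int stats_file_demo(const char *filename)
{
    const char sample[] = "constructed sample: 10 flows\n"; /* made-up data */
    int fd = stats_file_create(filename);
    if (fd < 0)
        return -1;
    ssize_t n = write(fd, sample, sizeof(sample) - 1);
    close(fd);
    if (n != (ssize_t)(sizeof(sample) - 1))
        return -1;
    int mode = stats_file_mode(filename);
    return mode < 0 ? -1 : (mode & 077);
}

int main(void)
{
    const char *path = "/tmp/snort_server_stats_example"; /* assumed writable */
    printf("group/other bits: %03o\n", stats_file_demo(path));
    printf("full mode: %04o\n", stats_file_mode(path));
    unlink(path);
    return 0;
}
```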

  9. #29
    Join Date
    Apr 2006
    Location
    Montana
    Beans
    Hidden!
    Distro
    Kubuntu Development Release

    Re: Intrusion Detection

    Thanks, fixed the typo. Using .. vs . depends on what directory you are in and where you saved the archive. I *think* if you are following my directions step-by-step it is indeed a double dot (..)
    There are two mistakes one can make along the road to truth...not going all the way, and not starting.
    --Prince Gautama Siddharta

    #ubuntuforums web interface

  10. #30
    Join Date
    Apr 2007
    Location
    #ubuntu-us-ny
    Beans
    2,150
    Distro
    Ubuntu 10.04 Lucid Lynx

    Re: Intrusion Detection

    I'm sorry - I wasn't really pinpointing the use of the dot versus double dot and I didn't even notice that I used a single instead of a double. I meant to point out the misspelling of snortrules, which I see you corrected. Thanks again for the tutorial.
