I want to second what all these guys are saying: According to the airsnort website, airsnort is outdated and no longer developed or maintained. It refers people to aircrack-ng, but that seems to be cracking software, not intrusion-detection software.
Here is my issue: System Monitor is showing a conspicuously high amount of data that has been sent over the network from my computer, and even after I restarted X, I noticed I was constantly uploading data at a few KB/s. I want to know who my computer is/has been communicating with and why, but I'm not sure how.
After initially posting this, I've realized this is probably what OSSEC was made for, not Snort. Am I correct here?
If not, has Snort been updated to include wireless support, or is there another viable software package that does? I understand if Snort is not able to monitor every packet crossing over the wireless network, but I at least want to determine who my own computer is sending packets to. What's the best way to do this?
Last edited by UnrealMiniMe; August 21st, 2010 at 01:06 AM.
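One way to answer the question in the post above (who is my machine talking to, and which process is doing it), as an added example that is not from any post in this thread: a small POSIX shell script that aggregates `ss -tnp` output per peer address and owning process and flags peers with a large unsent queue. The sample `ss` output is constructed for the demo; on a live box, `ss -tnp` needs root to show the process behind sockets owned by other users.

```shell
#!/bin/sh
# Summarise established TCP connections by remote endpoint and owning process,
# using the layout of `ss -tnp` (State Recv-Q Send-Q Local Peer Process).

# Constructed sample in `ss -tnp` layout (not a real capture):
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port   Peer Address:Port   Process
ESTAB  0      0      192.168.1.10:43210   203.0.113.5:443     users:(("firefox",pid=1234,fd=57))
ESTAB  0      4096   192.168.1.10:43211   203.0.113.5:443     users:(("firefox",pid=1234,fd=58))
ESTAB  0      0      192.168.1.10:55000   198.51.100.7:22     users:(("ssh",pid=2222,fd=3))
ESTAB  0      120000 192.168.1.10:60000   192.0.2.99:6667     users:(("unknownd",pid=3333,fd=9))'

# Read `ss -tnp` output on stdin; print one line per (peer IP, process):
#   "<peer> <process> <connection count> <bytes still queued to send>"
summarize_connections() {
    awk 'NR > 1 && $1 == "ESTAB" {
        sub(/:[0-9]+$/, "", $5)                      # strip port, keeps IPv6 intact
        proc = "-"
        if (match($6, /"[^"]+"/)) proc = substr($6, RSTART + 1, RLENGTH - 2)
        key = $5 " " proc
        conns[key]++
        sendq[key] += $3                              # Send-Q column
    }
    END { for (k in conns) printf "%s %d %d\n", k, conns[k], sendq[k] }' | sort
}

# Print "<peer> <process>" for peers whose queued outbound bytes exceed a
# threshold (default 64 KiB): a quick pointer at a constant uploader.
flag_busy_peers() {
    threshold="${1:-65536}"
    summarize_connections | awk -v t="$threshold" '$4 > t { print $1, $2 }'
}

# Demo run on the constructed sample; replace with:  ss -tnp | summarize_connections
printf '%s\n' "$SAMPLE_SS" | summarize_connections
printf '%s\n' "$SAMPLE_SS" | flag_busy_peers
```

Snapshots like this only show current sockets; for history, a packet capture or a host IDS such as OSSEC is still needed.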
Greetings-
I am a newbie to Linux and security on a dual-boot AMD_x86 Gateway machine running Lucid Lynx, 2.6.32.24.
1. I installed ossec and used the install.sh script. My installation is agentless and ossec is running.
But maybe because I am a newbie I missed something such as:
How would I know that anything is wrong unless I manually read the logs?
I read the installation instructions but beyond running install.sh I am not sure what to configure next, so that I get some sort of notification more frequently than 6 hours (the default time between ossec checks). I guess the instructions are okay if you already know how to do it. I'm afraid I'll mess something up.
2. I downloaded airsnort from voxel.sourceforge.net to cover any possible network intrusion. Here's my dilemma:
I already have a LAMPP stack installed on my system in /opt. It has to be started manually when I want to use it. Should I still install another copy of Apache and MySQL? (I don't use the LAMPP stack on the network - no reason to.) Will it affect anything on the LAMPP stack?
Thank you in advance.
Regards-
I installed ossec as described in post #6, and the web interface in post #7. After doing this, I rebooted my computer, and as it was loading, an error message was displayed:
There is a problem with the configuration server.
(/usr/bin/libgconf2-4/gconf-sanity-check-2 exited with status 256)
I googled the error message, and found only this forum post. On the post, the following command was suggested:
sudo chmod 755 /etc/gconf/gconf.xml.system
I entered the terminal, and logged in, by pressing ctrl+alt+f1. I assume that the fact I was able to do that means that it is a problem with gnome(?). However, the error message only started appearing after I installed ossec, and the web interface. At the terminal, I entered the above command, but it didn't resolve the problem.
Any ideas? Has anyone else had the same problem?
I intended to go ahead and try it out, using airsnort since I'm on a wireless connection. I went to the airsnort page, it says: "This software is old. It is no longer maintained or supported. Besides, there are much better tools out there. You really should be trying something like aircrack-ng."
Does anyone know if the original posts here are still applicable or are they outdated?
Thx
This is a popular setup. I think you will run into some issues related to difference in software packages and etc. I would suggest that you install one component at a time. There is other information online about this setup. Here is what I would suggest you do:
1- Install Snort first, and run it by itself and verify that you can view packet captures
2- See if you can store the traffic in the database
3- Install the management interfaces. I think BASE is no longer used.
Keep in mind that I did this a couple of years ago, and the above steps are just to give you an idea of what I would suggest. My point is that I don't think you can do every step, and get the exact output stated. But overall the procedures rocked. I learned so much by doing this.
Good Luck
I've just installed AlienVault and can't start snort. I'm a newbie. Maybe you can provide some help.
This is the error I get, after everything seems to work fine:
server snort[26207]: FATAL ERROR: Failed to initialize dynamic engine: SF_SNORT_DETECTION_ENGINE version 1.16.18
AlienVault 4.1, everything up to date.
Thanks in advance, and sorry for the near off-topic.
I'm not sure if Alienvault has a special way of setting things up for its version of Snort, but in my experience when the dynamic engine is being loaded it gives the actual path to the library which is typically somewhere in /usr/lib. The first place I'd check is in /etc/snort/snort.conf to see if there is a properly configured path to the dynamic engine.
This may be something better suited for Alienvault support forums, though.
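A script version of the check suggested above, added here as an example (not from the poster or from AlienVault): it pulls every Snort 2.x `dynamicengine`, `dynamicpreprocessor` and `dynamicdetection` line out of a snort.conf and reports which referenced file or directory is actually present. The config it runs against is a constructed demo written to a temp directory; point it at /etc/snort/snort.conf on a real box.

```shell
#!/bin/sh
# Check that every dynamic-module path referenced in a snort.conf exists.
# Snort 2.x syntax: "dynamicengine <file>", "dynamicengine directory <dir>",
# likewise for dynamicpreprocessor and dynamicdetection.

# Emit "OK|MISSING <directive> <path>" for each dynamic* line in the config.
check_snort_dynamic_paths() {
    conf="$1"
    grep -E '^[[:space:]]*dynamic(engine|preprocessor|detection)[[:space:]]' "$conf" |
    while read -r directive a b; do
        if [ "$a" = "directory" ]; then path="$b"; else path="$a"; fi
        path="${path%/}"                         # tolerate a trailing slash
        if [ -n "$path" ] && [ -e "$path" ]; then
            echo "OK $directive $path"
        else
            echo "MISSING $directive $path"
        fi
    done
}

# Exit 0 when nothing referenced is missing, 1 otherwise.
snort_dynamic_paths_ok() {
    ! check_snort_dynamic_paths "$1" | grep -q '^MISSING'
}

# Constructed demo config (not a real AlienVault or Snort file): the engine and
# preprocessor paths exist, the dynamicrules directory deliberately does not.
DEMO_DIR="$(mktemp -d)"
mkdir -p "$DEMO_DIR/lib/snort_dynamicengine" "$DEMO_DIR/lib/snort_dynamicpreprocessor"
: > "$DEMO_DIR/lib/snort_dynamicengine/libsf_engine.so"
DEMO_CONF="$DEMO_DIR/snort.conf"
cat > "$DEMO_CONF" <<EOF
# demo snort.conf fragment
dynamicpreprocessor directory $DEMO_DIR/lib/snort_dynamicpreprocessor/
dynamicengine $DEMO_DIR/lib/snort_dynamicengine/libsf_engine.so
dynamicdetection directory $DEMO_DIR/lib/snort_dynamicrules
EOF

check_snort_dynamic_paths "$DEMO_CONF"
```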