Intrusion Detection

[bodhi.zazen]

Woohoo! I figured it out. Bodhi, I did create a user named snort, and all of that. It seemed that importing the schemas was the problem. When you did that mysql command, I kept using my login password and not the mysql one. Now, I get snort is running successfully while whitelisting those two ip addresses.

Well done =)

[UnrealMiniMe]

I was just reading this tutorial and it says to use airsnort if you use wireless. When I go to the airsnort site it says that the project is dead. Is there an alternitive I should use? Thanks

thanks for writing the tutorial - i haven't tried it yet but it looks very detailed.
I intended to go ahead and try it out, using airsnort since i'm on a wireless connection. i went to the airsnort page, it says: "This software is old. It is no longer maintained or supported. Besides, there are much better tools out there. You really should be trying something like aircrack-ng."
???
aircrack-ng seems to be some way of cracking wireless network encryption keys... and then it says it can "audit" wireless networks...
i'm very confused now.

For wireless you recommended airsnort. I clicked on the link and it said that it was old an no longer supported. The site said there are better alternatives and gave 1 or 2 recommendations. Should I stick with airsnort or look for something else? I have an older laptop, Toshiba Satellite Pro 6100, P4 1.6GHz cpu, 1Gb mem, and a 40Gb hard drive. Will Apache be too much for me? If so, what NID and HID would you recommend?

I want to second what all these guys are saying: According to the airsnort website, airsnort is outdated and no longer developed or maintained. It refers people to aircrack-ng, but that seems to be cracking software, not intrusion-detection software.

Here is my issue: System Monitor is showing a conspicuously high amount of data that has been sent over the network from my computer, and even after I restarted X, I noticed I was constantly uploading data at a few KB/s. I want to know who my computer is/has been communicating with and why, but I'm not sure how.

After initially posting this, I've realized this is probably what OSSEC was made for, not Snort. Am I correct here?

If not, has Snort been updated to include wireless support, or is there another viable software package that does? I understand if Snort is not able to monitor every packet crossing over the wireless network, but I at least want to determine who my own computer is sending packets to. What's the best way to do this?

[lumore22]

Greetings-

I am a newbie to Linux and security on a dual-boot AMD_x86 Gateway machine running Lucid Lynx, 2.6.32.24.

1. I installed ossec and used the install.sh script. My installation is agentless and ossec is running.

But maybe because I am a newbie I missed something such as ::

How would I know that anything is wrong unless I manually read the logs?

I read the installation instructions but beyond running install.sh I am not sure what to configure next, so that I get some sort of notification more frequently than 6 hours (the default time between ossec checks). I guess the instructions are okay if you already know how to do it. I 'm afraid I'll mess something up.

2. I downloaded airsnort from voxel.sourceforge.net to cover any possible network intrusion. Here's my dilemma::

I already have a LAMPP stack installed on my system in /opt. It has to be started manually when I want to use it. Should I still install another copy of Apache and MySQL? (I don't use the LAMPP stack on the network - no reason to. ) Will it affect anything on the LAMPP stack?

Thank-you in advance.

Regards-

[Saeros3]

I installed ossec as described in post #6, and the web interface in post #7. After doing this, I rebooted my computer, and as it was loading, an error message was displayed.

There is a problem with the configuration server.

(/usr/bin/libgconf2-4/gconf-sanity-check-2 exited with status 256)

I googled the error message, and found only this forum post. On the post, the following command was suggested:

sudo chmod 755 /etc/gconf/gconf.xml.system

I entered the terminal, and logged in, by pressing ctrl+alt+f1. I assume that the fact i was able to do that means that it is a problem with gnome(?). However, the error message only started appearing after i installed ossec, and the web interface. At the terminal, I entered the above command, but it didn't resolve the problem.

Any ideas? has anyone else had the same problem?

[DarkTide]

I intended to go ahead and try it out, using airsnort since i'm on a wireless connection. i went to the airsnort page, it says: "This software is old. It is no longer maintained or supported. Besides, there are much better tools out there. You really should be trying something like aircrack-ng."

[starz677]

Does anyone know if the original posts here are still applicable or are they outdated ?

thx

[shahin]

This is a popular setup. I think you will run into some issues related to difference in software packages and etc. I would suggest that you install one component at a time. There is other information online about this setup. Here is what I would suggest you do:
1- Install Snort first, and run it by itself and verify that you can view packet captures
2- See if you can store the traffic in the database
3- install the management interfaces. I think BASE is no longer used.
Keep in mind that I did this a couple of years ago, and the above steps are just to give you an idea of what I would suggest. My point is that I don't think you can do every step, and get the exact output stated. But overall the procedures rocked. I learned so much by doing this.
Good Luck

[SSOMaster]

I've just installed AlienVault and can't start snort. I'm a newbie. Maybe you can provide some help.

This is the error i get: After everything seems to work fine.

server snort[26207]: FATAL ERROR: Failed to initialize dynamic engine: SF_SNORT_DETECTION_ENGINE version 1.16.18

AlienVault 4.1 , everything up to date.

thank in advance, and sorry for the near off-topic.

[OpSecShellshock]

I'm not sure if Alienvault has a special way of setting things up for its version of Snort, but in my experience when they dynamic engine is being loaded it gives the actual path to the library which is typically somewhere in /usr/lib. The first place I'd check is in /etc/snort/snort.conf to see if there is a properly configured path to the dynamic engine.

This may be something better suited for Alienvault support forums, though.