Page 14 of 31 FirstFirst ... 4121314151624 ... LastLast
Results 131 to 140 of 309

Thread: Intrusion Detection

  1. #131
    Join Date
    Oct 2007
    Location
    Cali
    Beans
    69
    Distro
    Ubuntu

    Re: Intrusion Detection

    OK, I tarred snort 2.8.4 and then changed directory, but now what is with this command:

    tar zxvf ../snortrules*

    I need step by step, like baby steps. Thank you in advance.

  2. #132
    Join Date
    Oct 2007
    Location
    Cali
    Beans
    69
    Distro
    Ubuntu

    Re: Intrusion Detection

    I did exactly what you said to do with that URL. It downloads really quickly, then I try to use the tar command and it does not work, it errors out. What am I doing wrong?

  3. #133
    Join Date
    Mar 2008
    Beans
    11
    Distro
    Ubuntu 8.04 Hardy Heron

    Re: Intrusion Detection

    Some minor problems here:

    in your guide:
    Code:
    cp -R /usr/src/snort-2.8.3/doc/signatures .
    I am using snort 2.8.4 and there is no such directory (doc/signatures). What should I do here?

    Another thing: I only downloaded the community rules so if I issue:
    Code:
    snort -c /etc/snort/snort.conf
    I get errors stating that I don't have the appropriate rules (local.rules, icmp.rules, ...). I commented out the includes of those files in snort.conf and inserted includes for all the community rules. Maybe it would be helpful to also incorporate that in your guide.

    Another small thing: the machine I am installing on is my gateway, so it only has 2 NICs. Currently I configured snort to run on eth1 which is my internet interface, but I guess since snort puts eth1 in promiscuous mode, it would kill performance (however it's only my home network so not too much traffic)... Is it possible to deploy snort on this machine or should I buy an extra NIC; or worse: should I have an inline machine in front of my gateway?

    I tried snort on the internet interface and started snort via:
    Code:
    /etc/init.d/snort start
    This resulted in:
    Code:
    Snort failed to start ...
    My entry in /var/log/messages:
    Code:
    Apr 21 14:43:32 artoo kernel: [158473.114012] device eth1 entered promiscuous mode
    Apr 21 14:43:32 artoo kernel: [158473.114040] audit(1240317812.170:22): dev=eth1 prom=256 old_prom=0 auid=4294967295
    Apr 21 14:43:32 artoo kernel: [158473.143981] device eth1 left promiscuous mode
    Apr 21 14:43:32 artoo kernel: [158473.143999] audit(1240317812.200:23): dev=eth1 prom=0 old_prom=256 auid=4294967295
    Apr 21 14:43:32 artoo kernel: [158473.174009] device eth1 entered promiscuous mode
    Apr 21 14:43:32 artoo kernel: [158473.174041] audit(1240317812.230:24): dev=eth1 prom=256 old_prom=0 auid=4294967295
    Apr 21 14:43:32 artoo kernel: [158473.204105] device eth1 left promiscuous mode
    Apr 21 14:43:32 artoo kernel: [158473.204138] audit(1240317812.260:25): dev=eth1 prom=0 old_prom=256 auid=4294967295
    Why isn't this working?

    Then I tried:
    Code:
    snort -v &
    I let this run for a couple minutes and my packet wire totals were:
    Code:
    ===============================================================================
    Packet Wire Totals:
       Received:           11
       Analyzed:           10 (90.909%)
        Dropped:            0 (0.000%)
    Outstanding:            1 (9.091%)
    ===============================================================================
    Breakdown by protocol (includes rebuilt packets):
          ETH: 6          (100.000%)
      ETHdisc: 0          (0.000%)
         VLAN: 0          (0.000%)
         IPV6: 6          (100.000%)
    All the rest was 0%. I find this weird, since I pinged from another machine, I am remotely logged in to my machine through SSH, and I was surfing the web. Isn't this weird, given the amount of packets from SSH/web traffic coming through, for example? On top of that, nothing was logged in BASE (mysql).

    Thanks in advance & kudos for your guide mate.
    Last edited by MarnickV; April 21st, 2009 at 01:51 PM.
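    Added example, not from the thread and not part of Snort or of bodhi.zazen's guide: a small Python check for the problem described above, where snort.conf includes rule files (local.rules, icmp.rules, ...) that were never downloaded and Snort refuses to start. It resolves `var RULE_PATH` and `include $RULE_PATH/...` lines the way Snort does (relative to the directory holding snort.conf), lists the includes whose files are missing, and writes out a copy of the config with those includes commented out. The directory layout, the config fragment and the rule file names are constructed for the demonstration.

```python
import os
import re
import tempfile

# Constructed sample snort.conf fragment (not from the thread; the include
# names mirror the ones mentioned in the post above).
SAMPLE_CONF = """\
var RULE_PATH ../rules
include $RULE_PATH/local.rules
include $RULE_PATH/icmp.rules
include $RULE_PATH/community-web-misc.rules
"""

VAR_RE = re.compile(r"^\s*var\s+(\w+)\s+(\S+)")
INCLUDE_RE = re.compile(r"^\s*include\s+(\S+)")


def expand_vars(value, variables):
    """Replace $NAME references with earlier `var NAME value` definitions."""
    return re.sub(r"\$(\w+)", lambda m: variables.get(m.group(1), m.group(0)), value)


def scan_includes(conf_text, conf_dir):
    """Yield (line_no, resolved_path, exists) for every include line.

    Relative paths are resolved against the directory holding snort.conf,
    which is how Snort treats `var RULE_PATH ../rules`. Only plain `var`
    definitions are tracked; ipvar/portvar are not used in include paths.
    """
    variables = {}
    for line_no, line in enumerate(conf_text.splitlines(), start=1):
        code = line.split("#", 1)[0]          # ignore trailing comments
        m = VAR_RE.match(code)
        if m:
            variables[m.group(1)] = expand_vars(m.group(2), variables)
            continue
        m = INCLUDE_RE.match(code)
        if m:
            path = expand_vars(m.group(1), variables)
            if not os.path.isabs(path):
                path = os.path.join(conf_dir, path)
            path = os.path.normpath(path)
            yield line_no, path, os.path.isfile(path)


def missing_includes(conf_text, conf_dir):
    """Basenames of included rule files that do not exist on disk."""
    return [os.path.basename(p) for _, p, ok in scan_includes(conf_text, conf_dir) if not ok]


def comment_out_missing(conf_text, conf_dir):
    """Return conf_text with every include of a missing file commented out."""
    bad_lines = {n for n, _, ok in scan_includes(conf_text, conf_dir) if not ok}
    out = []
    for line_no, line in enumerate(conf_text.splitlines(), start=1):
        out.append("# " + line if line_no in bad_lines else line)
    return "\n".join(out) + "\n"


def demo():
    """Build a throwaway /etc/snort-like tree and run the check against it."""
    root = tempfile.mkdtemp()
    conf_dir = os.path.join(root, "snort")     # where snort.conf would live
    rules_dir = os.path.join(root, "rules")    # what ../rules resolves to
    os.makedirs(conf_dir)
    os.makedirs(rules_dir)
    # Only two of the three referenced rule files are present on disk.
    for name in ("icmp.rules", "community-web-misc.rules"):
        with open(os.path.join(rules_dir, name), "w") as fh:
            fh.write("# constructed placeholder rules file\n")
    missing = missing_includes(SAMPLE_CONF, conf_dir)
    fixed = comment_out_missing(SAMPLE_CONF, conf_dir)
    return missing, fixed


if __name__ == "__main__":
    missing, fixed = demo()
    print("missing rule files:", missing)
    print(fixed)
```

    To use it on a real box, read /etc/snort/snort.conf into `conf_text` and pass `/etc/snort` as `conf_dir`; review the commented-out list before replacing the config, since an include that is missing because the rules tarball was unpacked into the wrong directory is better fixed by moving the files than by dropping the rules.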

  4. #134
    Join Date
    Aug 2008
    Location
    USA
    Beans
    5
    Distro
    Ubuntu 10.10 Maverick Meerkat

    Re: Intrusion Detection

    Quote Originally Posted by shahin:
    I think I have an issue with the way I set up the permissions. I see a couple of other posts regarding missing sensor id in mysql, which causes BASE not to show anything. How can I get more information about this and troubleshoot it please?
    I am having the same problems. I followed the snort/base instructions exactly on a fresh install of Hardy server.

    Does anyone have any suggestions? I've been trying to troubleshoot this for a week, and I'm about ready to install the package from the repos (but I don't want to!)...

  5. #135
    Join Date
    Apr 2006
    Location
    Montana
    Beans
    Hidden!
    Distro
    Kubuntu Development Release

    Re: Intrusion Detection

    The community rules are very very old and IMO outdated.

    You really should register with snort so that you may download a more updated set of rules.

    The community rules do not have signatures, so you will have to live without them if you use the community rules. Signatures are nothing more than an explanation of alerts, and the same information is available online if you wish. You will see links in Base when you look at an alert. "Local" == signatures.

    As far as configuration, I am not sure you will need to look at your config file. Snort places your network card in promiscuous mode (snort is a packet sniffer after all, lol), which is fine with modern switches.
    There are two mistakes one can make along the road to truth...not going all the way, and not starting.
    --Prince Gautama Siddharta

    #ubuntuforums web interface

  6. #136
    Join Date
    Aug 2008
    Location
    USA
    Beans
    5
    Distro
    Ubuntu 10.10 Maverick Meerkat

    Re: Intrusion Detection

    Quote Originally Posted by polecat409:
    I am having the same problems. I followed the snort/base instructions exactly on a fresh install of Hardy server.

    Does anyone have any suggestions? I've been trying to troubleshoot this for a week, and I'm about ready to install the package from the repos (but I don't want to!)...
    Just to clarify, snort is running, I've made another database and also installed base 1.4.1 (which works fine!), but I still get a big-fat-zero for sensors in base:

    Code:
    Sensors/Total: 0 / 0
    Unique Alerts: 0
    Categories: 0
    Total Number of Alerts: 0
    I have snort set to run as a daemon (which it is), but I'll try 'snort -v' anyway, and run 'nmap -v -A my_snort_machine's_ip' from my windows machine, and here's what I get:

    Code:
    root@guinness:~# snort -v
    
    04/21-05:49:02.911991 10.1.1.132:22 -> 10.1.8.21:6012
    TCP TTL:64 TOS:0x10 ID:64889 IpLen:20 DgmLen:444 DF
    ***AP*** Seq: 0x83C77398  Ack: 0x8D825380  Win: 0x2180  TcpLen: 20
    =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
    
    *** Caught Term-Signal
    Run time prior to being shutdown was 451.369952 seconds
    ===============================================================================
    Packet Wire Totals:
       Received:      3095040
       Analyzed:      2606794 (84.225%)
        Dropped:       488103 (15.770%)
    Outstanding:          143 (0.005%)
    ===============================================================================
    Breakdown by protocol (includes rebuilt packets):
          ETH: 2606794    (100.000%)
      ETHdisc: 0          (0.000%)
         VLAN: 0          (0.000%)
         IPV6: 24         (0.001%)
      IP6 EXT: 0          (0.000%)
      IP6opts: 0          (0.000%)
      IP6disc: 0          (0.000%)
          IP4: 2604165    (99.899%)
      IP4disc: 62835      (2.410%)
        TCP 6: 0          (0.000%)
        UDP 6: 0          (0.000%)
        ICMP6: 0          (0.000%)
      ICMP-IP: 0          (0.000%)
          TCP: 2539817    (97.431%)
          UDP: 1448       (0.056%)
         ICMP: 65         (0.002%)
      TCPdisc: 0          (0.000%)
      UDPdisc: 0          (0.000%)
      ICMPdis: 0          (0.000%)
         FRAG: 0          (0.000%)
       FRAG 6: 0          (0.000%)
          ARP: 2204       (0.085%)
        EAPOL: 0          (0.000%)
      ETHLOOP: 0          (0.000%)
          IPX: 0          (0.000%)
        OTHER: 401        (0.015%)
      DISCARD: 62835      (2.410%)
    InvChkSum: 0          (0.000%)
       S5 G 1: 0          (0.000%)
       S5 G 2: 0          (0.000%)
        Total: 2606794
    ===============================================================================
    Action Stats:
    ALERTS: 0
    LOGGED: 0
    PASSED: 0
    ===============================================================================
    Snort exiting
    root@guinness:~#
    Last edited by polecat409; April 21st, 2009 at 05:24 PM.
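    Added example, not from the thread and not part of Snort: a Python parser for the shutdown summary that `snort -v` prints, fed with the packet totals from the post above (the figures are polecat409's; the sample is trimmed to the sections the parser uses). It pulls out the wire totals, the per-protocol breakdown and the action stats, and then flags the two things worth acting on in that output: 15.77% of packets dropped on the wire, and zero alerts after analysing 2.6 million packets during an nmap scan, which points at the rules or the output plugin rather than at the sniffer.

```python
import re

# Trimmed copy of the summary posted above; counters are the original ones.
SAMPLE_SUMMARY = """\
Run time prior to being shutdown was 451.369952 seconds
===============================================================================
Packet Wire Totals:
   Received:      3095040
   Analyzed:      2606794 (84.225%)
    Dropped:       488103 (15.770%)
Outstanding:          143 (0.005%)
===============================================================================
Breakdown by protocol (includes rebuilt packets):
      ETH: 2606794    (100.000%)
      IP4: 2604165    (99.899%)
      TCP: 2539817    (97.431%)
      UDP: 1448       (0.056%)
     ICMP: 65         (0.002%)
      ARP: 2204       (0.085%)
    Total: 2606794
===============================================================================
Action Stats:
ALERTS: 0
LOGGED: 0
PASSED: 0
===============================================================================
"""

# "   Dropped:       488103 (15.770%)" -> ("Dropped", 488103); the percentage is recomputed.
COUNTER_RE = re.compile(r"^\s*([A-Za-z0-9 -]+?):\s+(\d+)")
RUNTIME_RE = re.compile(r"Run time prior to being shutdown was ([\d.]+) seconds")


def parse_summary(text):
    """Return {'runtime': seconds, 'wire': {...}, 'proto': {...}, 'action': {...}}."""
    stats = {"runtime": None, "wire": {}, "proto": {}, "action": {}}
    section = None
    for line in text.splitlines():
        m = RUNTIME_RE.search(line)
        if m:
            stats["runtime"] = float(m.group(1))
            continue
        # Section headers switch which dict the following counters land in.
        if line.startswith("Packet Wire Totals"):
            section = "wire"
            continue
        if line.startswith("Breakdown by protocol"):
            section = "proto"
            continue
        if line.startswith("Action Stats"):
            section = "action"
            continue
        m = COUNTER_RE.match(line)
        if m and section:
            stats[section][m.group(1).strip()] = int(m.group(2))
    return stats


def drop_rate(stats):
    """Fraction of received packets the kernel/libpcap dropped before Snort saw them."""
    received = stats["wire"].get("Received", 0)
    return stats["wire"].get("Dropped", 0) / received if received else 0.0


def assess(stats, max_drop_rate=0.05):
    """Plain-language findings an operator would want from one summary.

    The 5% drop threshold is an assumed working limit for a home sensor,
    not a Snort default.
    """
    findings = []
    rate = drop_rate(stats)
    if rate > max_drop_rate:
        findings.append(
            f"dropped {rate:.1%} of {stats['wire']['Received']} packets "
            f"(limit {max_drop_rate:.0%}); the sensor is not keeping up with the link")
    analyzed = stats["wire"].get("Analyzed", 0)
    if analyzed and stats["action"].get("ALERTS", 0) == 0:
        findings.append(
            f"analyzed {analyzed} packets but raised no alerts; "
            "check that rule files are loaded and the output plugin is writing")
    return findings


if __name__ == "__main__":
    s = parse_summary(SAMPLE_SUMMARY)
    print(f"runtime {s['runtime']:.0f}s, TCP {s['proto'].get('TCP', 0)}, drop rate {drop_rate(s):.2%}")
    for f in assess(s):
        print("-", f)
```

    Pipe the tail of a real run in with `parse_summary(open("/var/log/snort/summary.txt").read())` or whatever file you redirected `snort -v` to; the drop threshold is the knob to tune for your link.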

  7. #137
    Join Date
    Apr 2006
    Location
    Montana
    Beans
    Hidden!
    Distro
    Kubuntu Development Release

    Re: Intrusion Detection

    If you do not see any sensors in base, then base is not working.

    Possibilities are:

    1. mysql is not set up properly.

    2. snort lost its connection with mysql. To test this, clear the database in base (from the admin panel) even though it reads "0", then restart snort. You should now see 1 sensor in base.

    3. Base is not working, ie base is not connecting to the mysql database.
    There are two mistakes one can make along the road to truth...not going all the way, and not starting.
    --Prince Gautama Siddharta

    #ubuntuforums web interface

  8. #138
    Join Date
    Mar 2008
    Beans
    11
    Distro
    Ubuntu 8.04 Hardy Heron

    Re: Intrusion Detection

    I managed to get my snort working with your script bodhi.zazen, my /var/log/daemon.log showed that snort didn't have the right permissions for /var/log/snort/alert. So after I changed that, everything started like it should.

    However, I too have problems in BASE seeing the sensor. I believe BASE _can_ connect to mysql, since I can log in (I have enabled authentication on BASE, table base_users in database snort).

    I connected to mysql and I checked some tables:
    *tcphdr
    *event

    Both have one row (the latter has a timestamp from just moments ago).
    However, table "sensor" does not have any rows.

    Number 2 of your list does not work at my setup, I cleared data tables (from the Cache & Status menu) and then restarted snort. Still no sensor.

    Any advice?

  9. #139
    Join Date
    Dec 2006
    Beans
    242

    Re: Intrusion Detection

    Quote Originally Posted by tronnix75:
    OK, I tarred snort 2.8.4 and then changed directory, but now what is with this command:

    tar zxvf ../snortrules*

    I need step by step, like baby steps. Thank you in advance.
    Hi Tronnix
    .. refers to a directory above where you are currently. Bodhi wants you to unpack all the tar files that start with snortrules from the parent directory into the directory you are in. So if you downloaded a couple (I just downloaded one, but there are different ones like bleeding edge, current etc. - I say for now just download one.) of tar files containing the rules into:
    /usr/src/snort2.8.4, then I believe the procedures call for creating a directory called /usr/src/snort2.8.4/rules. So from the rules directory the command tar zxvf ../snortrules* would unpack all the rules and place them in the rules directory. I hope I got all the directory names right; I am trying to do it from memory. Good luck.

  10. #140
    Join Date
    Mar 2009
    Beans
    29

    Re: Intrusion Detection

    Great tutorial, thanks. It's much appreciated, someone going into such detail rather than just 'sudo apt-get install snort'.

    Thanks
