Thank you for this information. Being a novice, it all sounds a bit complicated, but at least I now have the guide to follow when my particular paranoia peaks.
Using snort-2.8.3.1 there is no /signatures directory and I am not sure where to point it. I have browsed the dirs and do not see anything relevant...
Code:
cp -R /usr/src/snort-2.8.3/doc/signatures .
Last edited by scribbles; November 24th, 2008 at 06:38 AM.
Thank you very much for this great article.
I have a question though. I did the nmap portscan (from 192.168.0.100 to 192.168.0.100) and snort blocked my further pings as expected. However, I then wasn't able to refresh the BASE and OSSEC web interfaces for a small period, even though I have 192.168.0.100 whitelisted in /etc/init.d/snort. The BASE web interface doesn't show any info on this. Have I misinterpreted the guide at some point?
Thank you
Last edited by lapio; November 25th, 2008 at 03:50 PM.
Snort does not block access, OSSEC does.
So you would need to whitelist your IP address in OSSEC (it is in the config file).
Try this: Disable (stop) ossec and re-scan. You *should* also see more alerts in snort.
Code:
sudo /etc/init.d/ossec stop
scan ...
Notice your IP is not blocked.
Restart ossec:
Code:
sudo /etc/init.d/ossec start
scan again
Your IP is now blocked, and you may not see as many alerts in snort.
There are two mistakes one can make along the road to truth...not going all the way, and not starting.
--Prince Gautama Siddharta
#ubuntuforums web interface
I have a script for updating the rules automatically with oinkmaster running on cron. Do I have to restart snort every time it gets updated for the new rules to work, or can I just leave it running?
bodhi, just a quick bit on rules.
Rules can be commented out, though there is a better way to do this. Commenting out rules is problematic because rules get updated periodically by an admin (hopefully everyone is using oinkmaster). When these new rules are put into /etc/snort/rules they erase the previous commented-out versions.
If people are using oinkmaster this can be done very easily. In /etc/oinkmaster.conf look at the section for SIDs down toward the bottom. Each rule has a unique SID (Snort ID); enter the SIDs:
Code:
disablesid 8427,8428,8426 # cipher overflow for older openssl
and oinkmaster will comment the section out on update.
More can be read here.
Nice guide bodhi, thank you.
Last edited by Orange Luna; December 4th, 2008 at 07:59 PM.
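An added check that goes with the disablesid advice above (example code, not from this thread or from oinkmaster itself): after a cron-driven oinkmaster run, confirm that every SID listed in a disablesid line is actually commented out in the rules files, so a rule that was only hand-commented and then overwritten by an update gets noticed. The conf/rules paths are parameters, and the sample files are constructed inline.

```shell
#!/bin/bash
# Added example: verify that SIDs disabled in oinkmaster.conf are really
# commented out in the rules directory oinkmaster writes to.

# Print the SIDs named by every "disablesid" line in an oinkmaster.conf.
# Accepts the "disablesid 8427,8428,8426 # comment" form from the thread
# as well as space-separated lists; trailing comments are stripped.
disabled_sids() {
    local conf="$1"
    sed -n 's/^[[:space:]]*disablesid[[:space:]]*//p' "$conf" \
        | sed 's/#.*//' | tr ', ' '\n\n' | grep -E '^[0-9]+$' | sort -un
}

# Print SIDs that are still active (uncommented rule line) in the rules
# directory although oinkmaster.conf says they should be disabled.
# Empty output means the disablesid entries took effect.
still_enabled() {
    local conf="$1" rulesdir="$2" sid
    for sid in $(disabled_sids "$conf"); do
        if grep -Eq "^[[:space:]]*(alert|log|pass|drop|reject|sdrop)[[:space:]].*sid:[[:space:]]*$sid;" \
                "$rulesdir"/*.rules; then
            echo "$sid"
        fi
    done
}

# Constructed sample data (not real rule sets) so the check runs stand-alone:
# 8427 is properly commented out, 8428 is still live, 8426/1000001 are absent.
make_sample() {
    local dir
    dir=$(mktemp -d)
    mkdir "$dir/rules"
    cat > "$dir/oinkmaster.conf" <<'EOF'
disablesid 8427,8428,8426 # cipher overflow for older openssl
disablesid 1000001
EOF
    cat > "$dir/rules/local.rules" <<'EOF'
# alert tcp any any -> any 443 (msg:"sample disabled"; sid:8427; rev:1;)
alert tcp any any -> any 443 (msg:"sample still on"; sid:8428; rev:1;)
alert tcp any any -> any 80 (msg:"sample unrelated"; sid:1000002; rev:1;)
EOF
    echo "$dir"
}
```

Run still_enabled against your real /etc/oinkmaster.conf and /etc/snort/rules from the same cron job, right after oinkmaster finishes; any SID it prints is one an update has re-enabled.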
Thank you for the information Orange Luna
I was going to make a post on oinkmaster, but this was already too long.
And you did a better, much more succinct tutorial than I would have written.
First of all, thank you very much for this great post. After spending two weeks trying to install snort, I finally got it done with this post.
Now for the question: when I fire up BASE I see no activity whatsoever, yet I know there are things happening because if I type snort -v I get screenfuls of activity.
If anyone has any ideas that would be great.
Last but not least first time in Ubuntu and revisiting *nix after 10 years of not having used it.