Thread: snort (app) setup?

  1. #1
    Join Date
    Jun 2008
    Location
    Prescott, AZ
    Posts
    1,171

    Default snort (app) setup?

    Dear Opensuse users: The only manual I could find on setting up Snort on opensuse was one which assumed you built it yourself from source - it was basically a guide to building snort. But there is a repo version of snort and pulledpork, so the question is, has anyone gotten this to work? I keep getting a weird error which I can't google... it throws errors on every line in community.rules which doesn't start with # (I assume commented-out).

    Code:
    linux-l8th:/home/patti # snort -c /etc/snort/rules/community.rules -i wlo1
    Running in IDS mode
    
            --== Initializing Snort ==--
    Initializing Output Plugins!
    Initializing Preprocessors!
    Initializing Plug-ins!
    Parsing Rules file "/etc/snort/rules/community.rules"
    Tagged Packet Limit: 256
    Log directory = /var/log/snort
    
    +++++++++++++++++++++++++++++++++++++++++++++++++++
    Initializing rule chains...
    ERROR: /etc/snort/rules/community.rules(389) Undefined variable in the string: $SQL_SERVERS.
    Fatal Error, Quitting..
    linux-l8th:/home/patti #
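The command above hands snort the rules file itself as its configuration, so none of the `var`/`ipvar`/`portvar` definitions in snort.conf (where SQL_SERVERS is normally declared) are ever loaded, and the first rule that mentions `$SQL_SERVERS` fails. The following shell script is an added example, not from this thread: it lists every variable a rules file references without a matching definition in a given config. The snort.conf and community.rules fragments inside it are constructed samples, not the real files.

```shell
#!/bin/sh
# Added example, not from the thread: report every $VARIABLE that a Snort
# rules file references but the given config never defines. community.rules
# expects snort.conf's ipvar/portvar lines (SQL_SERVERS among them); passing
# the rules file itself to `snort -c` loads none of them.
# Usage: undefined_rule_vars <snort.conf> <rules-file>
undefined_rule_vars() {
    conf=$1 rules=$2
    # "ipvar SQL_SERVERS $HOME_NET" -> SQL_SERVERS; /dev/null models "no config"
    defined=$(awk '$1 ~ /^(var|ipvar|portvar)$/ { print $2 }' "$conf" | sort -u)
    # $NAME tokens on active (non-comment) rule lines
    referenced=$(grep -v '^[[:space:]]*#' "$rules" \
        | grep -o '\$[A-Za-z_][A-Za-z0-9_]*' | tr -d '$' | sort -u)
    for name in $referenced; do
        printf '%s\n' "$defined" | grep -qx "$name" || printf '%s\n' "$name"
    done
}

# Constructed samples standing in for snort.conf and community.rules.
SAMPLE_DIR=$(mktemp -d)
SAMPLE_CONF=$SAMPLE_DIR/snort.conf
SAMPLE_RULES=$SAMPLE_DIR/community.rules
cat > "$SAMPLE_CONF" <<'EOF'
ipvar HOME_NET any
ipvar EXTERNAL_NET any
portvar HTTP_PORTS [80,8080]
EOF
cat > "$SAMPLE_RULES" <<'EOF'
# comment: $SQL_SERVERS mentioned here does not count
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"web probe"; sid:1000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"mssql probe"; sid:1000002; rev:1;)
EOF

echo "undefined with snort.conf loaded:"
undefined_rule_vars "$SAMPLE_CONF" "$SAMPLE_RULES"      # SQL_SERVERS
echo "undefined with no config at all (snort -c community.rules):"
undefined_rule_vars /dev/null "$SAMPLE_RULES"           # all four names
```

Point the first argument at the real /etc/snort/snort.conf and the second at community.rules to see which variables your own config still lacks before starting snort.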

  2. #2
    Join Date
    Jun 2008
    Location
    Podunk
    Posts
    26,518
    Blog Entries
    15

    Default Re: snort (app) setup?

    Hi
    Where did these community rules come from? They are not part of the package, from what I can see.

    What is at line 389? Are you running some SQL server? If so, then I would imagine you need the relevant snort-somedb package instead of plain snort?
    Cheers Malcolm °¿° SUSE Knowledge Partner (Linux Counter #276890)
    SUSE SLE, openSUSE Leap/Tumbleweed (x86_64) | GNOME DE
    If you find this post helpful and are logged into the web interface,
    please show your appreciation and click on the star below... Thanks!

  3. #3
    Join Date
    Jun 2008
    Location
    Prescott, AZ
    Posts
    1,171

    Default Re: snort (app) setup?

    Quote Originally Posted by malcolmlewis View Post
    Hi
    Where did these community rules come from? They are not part of the package, from what I can see.

    What is at line 389? Are you running some SQL server? If so, then I would imagine you need the relevant snort-somedb package instead of plain snort?
    Hi Malcolm: The rules come from the snort site. I think the Snort package comes ready to simply sniff packets. But if you want to listen specifically for evidence of packets from known malware, then you have to have a database of rules. That's the community.rules package, as far as I understand it. I'm not running an SQL server as far as I know. I was trying to follow the steps on the Snort.org website. For instance, Krebs gives the snort associated signature of the malware that took out Sony:

    http://krebsonsecurity.com/2014/12/s...ta/#more-28882

    The windows snort version has a more integrated setup, and I get further, but still not a fully functional system.

    So I guess I am trying to set up a "targeted" intrusion detection system - using the community signatures. But there's something I'm not "getting" about setting up snort. I can sniff packets fine, but can't seem to grok the rules setup aspect... Basically, I guess I don't trust virus/malware/rootkit checkers to catch everything...

  4. #4
    Join Date
    Jun 2008
    Location
    Podunk
    Posts
    26,518
    Blog Entries
    15

    Default Re: snort (app) setup?

    Hi
    OK, so have you observed any malicious attacks on your system? Turned off unnecessary services? Restricted physical access?

    I would guess you just need to go through the rules and weed out what you don't need?
    Cheers Malcolm °¿° SUSE Knowledge Partner (Linux Counter #276890)
    SUSE SLE, openSUSE Leap/Tumbleweed (x86_64) | GNOME DE
    If you find this post helpful and are logged into the web interface,
    please show your appreciation and click on the star below... Thanks!

  5. #5
    Join Date
    Jun 2008
    Location
    Prescott, AZ
    Posts
    1,171

    Default Re: snort (app) setup?

    Quote Originally Posted by malcolmlewis View Post
    Hi
    OK, so have you observed any malicious attacks on your system? Turned off unnecessary services? Restricted physical access?

    I would guess you just need to go through the rules and weed out what you don't need?
    Doing everything I can. But not being a Wizard guarantees I will have issues at some point :-) Also, it's sort of interesting. I have maybe 20 or so systems and have unplugged most from the LAN and instead do sneakernet, but one Win7 system stays internet-facing (with McAfee). I did see a hit or two on rkhunter on my main opensuse system. I lock all opensuse systems and have strong passwords. But the bad guys are getting sneakier and sneakier, and the antivirus people are pretty much using the same old technologies... So, learning more is usually a good idea. Hence the interest in snort. I've been saved before by being proactive with malware... :-)

    Code:
        
        /usr/bin/lastlog                                         [ OK ]
        /usr/bin/ldd                                             [ Warning ]
        /usr/bin/less                                            [ OK ]
        /usr/bin/logger                                          [ OK ]
     
    
        /sbin/ifstatus                                           [ OK ]
        /sbin/ifup                                               [ Warning ]
        /sbin/init                                               [ OK ]
        /sbin/insmod                                             [ OK ]
        /sbin/ip                                                 [ OK ]

    Often folks are on linux anyway as a way to avoid the hackability of ms. So rkhunter/snort/etc. are great to have around.

    Code:
    Performing system configuration file checks
        Checking for an SSH configuration file                   [ Found ]
        Checking if SSH root access is allowed                   [ Warning ]
        Checking if SSH protocol v1 is allowed                   [ Warning ]
        Checking for a running system logging daemon             [ Found ]
        Checking for a system logging configuration file         [ Found ]
        Checking if syslog remote logging is allowed             [ Not allowed ]
      Performing filesystem checks
        Checking /dev for suspicious file types                  [ Warning ]
        Checking for hidden files and directories                [ Warning ]
    Though it's not always clear what these results mean... :-)

  6. #6
    Join Date
    Jun 2008
    Location
    Podunk
    Posts
    26,518
    Blog Entries
    15

    Default Re: snort (app) setup?

    Quote Originally Posted by PattiMichelle View Post
    Doing everything I can. But not being a Wizard guarantees I will have issues at some point :-) Also, it's sort of interesting. I have maybe 20 or so systems and have unplugged most from the LAN and instead do sneakernet, but one Win7 system stays internet-facing (with McAfee). I did see a hit or two on rkhunter on my main opensuse system. I lock all opensuse systems and have strong passwords. But the bad guys are getting sneakier and sneakier, and the antivirus people are pretty much using the same old technologies... So, learning more is usually a good idea. Hence the interest in snort. I've been saved before by being proactive with malware... :-)

    Code:
        
        /usr/bin/lastlog                                         [ OK ]
        /usr/bin/ldd                                             [ Warning ]
        /usr/bin/less                                            [ OK ]
        /usr/bin/logger                                          [ OK ]
     
    
        /sbin/ifstatus                                           [ OK ]
        /sbin/ifup                                               [ Warning ]
        /sbin/init                                               [ OK ]
        /sbin/insmod                                             [ OK ]
        /sbin/ip                                                 [ OK ]

    Often folks are on linux anyway as a way to avoid the hackability of ms. So rkhunter/snort/etc. are great to have around.

    Code:
    Performing system configuration file checks
        Checking for an SSH configuration file                   [ Found ]
        Checking if SSH root access is allowed                   [ Warning ]
        Checking if SSH protocol v1 is allowed                   [ Warning ]
        Checking for a running system logging daemon             [ Found ]
        Checking for a system logging configuration file         [ Found ]
        Checking if syslog remote logging is allowed             [ Not allowed ]
      Performing filesystem checks
        Checking /dev for suspicious file types                  [ Warning ]
        Checking for hidden files and directories                [ Warning ]
    Though it's not always clear what these results mean... :-)
    Hi
    So configure /etc/ssh/sshd_config as required to only use V2 and disable root logins; make users log in as a user first, then su - (or configure sudo as required) to root. Maybe if you need ssh, then only use keys rather than passwords?

    There are always .files and .directories; maybe you need to see what it's on about? Again for /dev, what it's finding as suspicious.

    rkhunter is only an indicator and does spit out its fair share of false positives. Maybe you would be better off running Nessus https://en.wikipedia.org/wiki/Nessus_(software)

    If you're really paranoid, maybe run a live system or use something like the Tails Linux derivative...

    Well windows is windows to the rest of the worlds users....
    Cheers Malcolm °¿° SUSE Knowledge Partner (Linux Counter #276890)
    SUSE SLE, openSUSE Leap/Tumbleweed (x86_64) | GNOME DE
    If you find this post helpful and are logged into the web interface,
    please show your appreciation and click on the star below... Thanks!

  7. #7
    Join Date
    Feb 2009
    Location
    Spain
    Posts
    25,547

    Default Re: snort (app) setup?

    On 2014-12-07 03:26, PattiMichelle wrote:

    > Hi Malcom: The rules come from the snort site. I think the Snort
    > package comes ready to simply sniff packets. But if you want to listen
    > specifically for evidence of packets from known malware, then you have
    > to have a database of rules. That's the community.rules package, as far
    > as I understand it.


    Interesting. I didn't know snort could do this.

    I have seen powerful, proprietary systems routinely doing this on
    Windows networks. They listen for traffic patterns, warning the
    administrator, who then goes to the local machine and looks further.

    I also have seen other tools that actively scan the network, seeking
    "targets" and what known holes are open. For instance, machine on that
    IP, named so, has windows that version, with service that version
    running, that has this known hole. Or it has this version patch applied.
    Not only windows holes, but Linux holes. Unfortunately, I forgot the
    name of the program. It can be a double-edged tool, of course.

    --
    Cheers / Saludos,

    Carlos E. R.
    (from 13.1 x86_64 "Bottle" at Telcontar)

  8. #8
    Join Date
    Jun 2008
    Location
    Prescott, AZ
    Posts
    1,171

    Default Re: snort (app) setup?

    Thanks again, Malcolm - that Nessus looks good, but it looks like it doesn't do intrusion detection. It's good for hardening a system, though. Everyone seems to think in terms of hardening systems. But the whole area of intrusion detection is pretty important given the fact that most folks haven't got a clue about cybercrime (so they leave their systems unpatched, etc.). The A/V community seems to be overwhelmed and it seems like it's going to get much worse. Intrusion detection is sort of like setting up security cameras in your yard, rather than waiting until someone tries to actually break into your house...

    Even though there's an opensuse Snort package in the repo - I guess I'll need to join the snort mailserver to get a working ids going. Really, that's just malware scanner on the LAN, which uses traffic-detection rather than codebase-detection.

    I was surprised I couldn't get any hits on the Forums under "snort" in the last year, other than my post.

    Thanks! Patti

  9. #9
    Join Date
    Jun 2008
    Location
    Podunk
    Posts
    26,518
    Blog Entries
    15

    Default Re: snort (app) setup?

    On Sun 07 Dec 2014 05:36:02 PM CST, PattiMichelle wrote:


    Thanks again, Malcolm - that Nessus looks good, but it looks like it
    doesn't do intrusion detection. It's good for hardening a system,
    though. Everyone seems to think in terms of hardening systems. But the
    whole area of intrusion detection is pretty important given the fact
    that most folks haven't got a clue about cybercrime (so they leave their
    systems unpatched, etc.). The A/V community seems to be overwhelmed and
    it seems like it's going to get much worse. Intrusion detection is sort
    of like setting up security cameras in your yard, rather than waiting
    until someone tries to actually break into your house...

    Even though there's an opensuse Snort package in the repo - I guess I'll
    need to join the snort mailserver to get a working ids going. Really,
    that's just malware scanner on the LAN, which uses traffic-detection
    rather than codebase-detection.

    I was surprised I couldn't get any hits on the Forums under "snort" in
    the last year, other than my post.

    Thanks! Patti


    Hi
    OK, so you do need to be running a database....
    http://www.andrew.cmu.edu/user/rdany...b_install.html

    Then also install the snort-somedatabase package..

    If you're running services, e.g. apache, php etc., then sure; average desktop
    user on linux... browser hijacking and events like that, windows viruses
    in email, infected docs and pdf's... all part of life these days.

    At the end of the day, it's all PEBKAC + Social engineering....
    cleaned three windows machines (well factory re-installs) yesterday all had
    viruses, no running AV....

    In your situation, better to have clean images and PXE booting or
    provide thin clients... or get Macs...

    --
    Cheers Malcolm °¿° LFCS, SUSE Knowledge Partner (Linux Counter #276890)
    SUSE Linux Enterprise Desktop 12 GNOME 3.10.1 Kernel 3.12.28-4-default
    If you find this post helpful and are logged into the web interface,
    please show your appreciation and click on the star below... Thanks!
    Last edited by malcolmlewis; 07-Dec-2014 at 13:47. Reason: Add when....

  10. #10
    Join Date
    May 2012
    Location
    Finland
    Posts
    2,004

    Default Re: snort (app) setup?

    The snort package in 13.2 is completely fubar and doesn't do anything by default. If you download the snortrules-snapshot-xxx.tar.gz package from the Snort website you need to do some adjustments before it'll work.

    I might do a howto or a step-by-step on how to fix the snort package, but right now I don't have the time. Essentially you need to decompress the snapshot rules, copy the snort/* and rules to /etc/snort, then adjust the snort.conf included with the snapshot to point to the right libdir (it points to local when it should be lib64/snort), create empty black_list.rules and white_list.rules, and remove dynamicdetection since it's not used.

    Yeah I think I'll just do a write up on this tomorrow seeing as it has a few steps.
    .: miuku #suse @ irc.freenode.net
    :: miuku@opensuse.org

    .: https://download.opensuse.org/repositories/home:/Miuku/
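The fix-up steps miuku lists, written out as a shell script; this is an added example, not miuku's write-up. The /usr/local/lib/snort_dynamic* lines in the constructed sample snort.conf are the stock snapshot defaults, and /usr/lib64/snort as the package's library directory is an assumption drawn from the "lib64/snort" remark above; set LIBDIR if your package differs.

```shell
#!/bin/sh
# Added example, not miuku's write-up: apply the snort.conf fix-ups listed
# above to an unpacked snortrules snapshot before it is copied to /etc/snort.
# ASSUMPTION: the openSUSE package installs the engine and preprocessors
# under /usr/lib64/snort (the "lib64/snort" remark above); override LIBDIR if not.
LIBDIR=${LIBDIR:-/usr/lib64/snort}

# fix_snort_conf <snort.conf> <rules-dir>
#  - repoints dynamicengine/dynamicpreprocessor from /usr/local/lib to $LIBDIR
#  - comments out dynamicdetection (no shared-object rules are installed)
#  - creates the empty black_list.rules / white_list.rules the reputation
#    preprocessor expects, without clobbering existing ones
fix_snort_conf() {
    conf=$1 rulesdir=$2
    sed -e "s#/usr/local/lib/snort_dynamic#$LIBDIR/snort_dynamic#g" \
        -e 's/^\([[:space:]]*dynamicdetection\)/# \1/' \
        "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
    for f in black_list.rules white_list.rules; do
        [ -e "$rulesdir/$f" ] || : > "$rulesdir/$f"
    done
}

# check_fixed <snort.conf> <rules-dir>: succeeds only when nothing still
# points at /usr/local/lib, dynamicdetection is inactive and both lists exist.
check_fixed() {
    ! grep -q '/usr/local/lib' "$1" &&
    ! grep -q '^[[:space:]]*dynamicdetection' "$1" &&
    [ -f "$2/black_list.rules" ] && [ -f "$2/white_list.rules" ]
}

# Constructed sample standing in for the snapshot's snort.conf (stock paths).
SAMPLE_DIR=$(mktemp -d)
SAMPLE_CONF=$SAMPLE_DIR/snort.conf
SAMPLE_RULES_DIR=$SAMPLE_DIR/rules
mkdir -p "$SAMPLE_RULES_DIR"
cat > "$SAMPLE_CONF" <<'EOF'
dynamicpreprocessor directory /usr/local/lib/snort_dynamicpreprocessor/
dynamicengine /usr/local/lib/snort_dynamicengine/libsf_engine.so
dynamicdetection directory /usr/local/lib/snort_dynamicrules
include $RULE_PATH/community.rules
EOF

fix_snort_conf "$SAMPLE_CONF" "$SAMPLE_RULES_DIR"
check_fixed "$SAMPLE_CONF" "$SAMPLE_RULES_DIR" && echo "snort.conf fixed; verify with: snort -T -c $SAMPLE_CONF"
```

Run fix_snort_conf against the snapshot's own snort.conf and rules directory, then `snort -T -c snort.conf` tests the configuration without sniffing anything.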
