LinuxQuestions.org > Forums > Linux Forums > Linux - Newbie
06-16-2013, 09:07 PM #1
Fred Caro
Member
Registered: May 2007
Posts: 999
how to get snort working on wireless


snort works fine on eth0 but wireless uses eth1, how do I switch, or use both, on Debian?
I have changed ...conf to read DEBIAN_SNORT_INTERFACE="eth1" in /etc/snort/snort.debian.conf and so how do I test which interface snort is now tracking, if any?

Fred.
 
06-17-2013, 04:48 PM #2
unSpawn
Moderator
Registered: May 2001
Posts: 29,331
Blog Entries: 55

Quote (Originally Posted by Fred Caro):
how do I test which interface snort is now tracking, if any?
IIRC it should result in a Snort instance being run for every interface in the $DEBIAN_SNORT_INTERFACE list, so 'pgrep -lf snort|grep eth1' should show?
 
06-17-2013, 07:21 PM #3
Fred Caro
unSpawn,

1. what is IIRC?

2. in 'pgrep -lf snort (pipe) eth1', is the l 'l' as in ls for list, or i as in 'if'?

I will post the results

thanks,


Fred.
 
06-17-2013, 07:48 PM #4
Fred Caro
unSpawn,
results:

Code:
bob@bobsgaff:~$ pgrep -if snort | grep eth1
pgrep: invalid option -- 'i'
bob@bobsgaff:~$ pgrep -lf snort | grep eth1
4473 /usr/sbin/snort -m 027 -D -d -l /var/log/snort -u snort -g snort -c /etc/snort/snort.conf -S HOME_NET=[192.168.0.0/24] -i eth1
bob@bobsgaff:~$

any ideas?

Fred.
 
06-17-2013, 08:08 PM #5
unSpawn

Quote (Originally Posted by Fred Caro):
IIRC?
"If I Recall Correctly", a common FLA (Four Letter Acronym) ;-p


Quote (Originally Posted by Fred Caro):
in 'pgrep -lf snort (pipe) eth1', is the l 'l' as in ls for list, or i as in 'if'?
Copy the line to the CLI and you'll see it's l as in list.


Quote (Originally Posted by Fred Caro):
Code:
bob@bobsgaff:~$ pgrep -lf snort | grep eth1
4473 /usr/sbin/snort -m 027 -D -d -l /var/log/snort -u snort -g snort -c /etc/snort/snort.conf -S HOME_NET=[192.168.0.0/24] -i eth1
Well it reads "-i eth1" and that was as explained / expected. All good.
 
06-18-2013, 09:21 PM #6
Fred Caro
unSpawn,
thanks, still:

1. if I add a line to that file for snort to look at eth0, snort will examine that as well?

2. there is also a file /etc/snort/snort.conf, does the debian snort.conf take precedence on a debian system?

3. there seems to be an issue involving when snort is started, i.e., the wireless interface may not be started straight away when you boot up, but will snort kick in when the specific wireless interface starts?

sorry to be a pain,

fred.
 
06-19-2013, 06:38 PM #7
unSpawn

Quote (Originally Posted by Fred Caro):
if I add a line to that file for snort to look at eth0, snort will examine that as well?
Please see 'man pgrep'. Basically it only looks for process names. With "-f" you can limit results by using for example 'pgrep -lf "snort.*eth0";'.


Quote (Originally Posted by Fred Caro):
there is also a file /etc/snort/snort.conf, does the debian snort.conf take precedence on a debian system?
I don't know where the Debian snort.conf resides but your 'pgrep' result shows it's using "-c /etc/snort/snort.conf" like it should.


Quote (Originally Posted by Fred Caro):
there seems to be an issue involving when snort is started, i.e., the wireless interface may not be started straight away when you boot up, but will snort kick in when the specific wireless interface starts?
Good question. IIRC Snort doesn't consider network devices that aren't initialized. If you use NetworkManager or equivalent you could force a start / restart by dropping a script in the /etc/NetworkManager/dispatcher.d/ directory?


Quote (Originally Posted by Fred Caro):
sorry to be a pain,
Hell no: asking questions isn't stupid, not asking is!
 
06-19-2013, 09:30 PM #8
Fred Caro
unSpawn,
pgrep seems to be a solaris thing but the '-n' option seems to specify what is happening now, so will try -lfn as options to pgrep.
I'm not keen on writing scripts and then inserting them into 'profiles' as I don't know what effects that will have, if indeed that is what you do! I have read that you can set pre-existing conf. files to delay the take up of snort examination on os (debian) conf. files but can't find that reference again, any help would be appreciated.

Fred.
 
06-20-2013, 08:57 PM #9
Fred Caro
unSpawn,
the results:

Code:
pgrep -lfn snort|grep eth1
2984 /usr/sbin/snort -m 027 -D -d -l /var/log/snort -u snort -g snort -c /etc/snort/snort.conf -S HOME_NET=[192.168.0.0/24] -i eth1
bob@bobsgaff:~$
seems to be the same, perhaps I should check logs, not that I have created any specific logs so they will only this login?
It seems eth1 is being monitored as it has generated traffic for today:
Code:
root@bobsgaff:/var/log/snort# cat alert
[**] [1:527:8] BAD-TRAFFIC same SRC/DST [**]
[Classification: Potentially Bad Traffic] [Priority: 2]
06/20-23:39:49.757375 :: -> ff02::16
IPV6-ICMP TTL:1 TOS:0x0 ID:256 IpLen:40 DgmLen:96
[Xref => http://www.cert.org/advisories/CA-1997-28.html][Xref => http://cve.mitre.org/cgi-bin/cvename...ame=1999-0016][Xref => http://www.securityfocus.com/bid/2666]

[**] [1:527:8] BAD-TRAFFIC same SRC/DST [**]
[Classification: Potentially Bad Traffic] [Priority: 2]
06/20-23:39:49.818281 0.0.0.0:68 -> 255.255.255.255:67
UDP TTL:128 TOS:0x10 ID:0 IpLen:20 DgmLen:328
I assume it would not if snort was looking on eth0.

Fred.
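The plain-text alert file Fred pasted above is simple enough to summarise with awk, which is a quicker sanity check than reading it by eye. The following is an added example and not code from this thread: it builds a small alert file in the same format (the first two entries copied from Fred's output, the third a constructed placeholder signature in the local-rule SID range), then counts alerts per signature and per source/destination pair. The temporary file path and the sample content are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread): summarise a Snort plain-text "alert"
# file by signature and by "src -> dst" pair. Expects the format shown in the
# thread: a "[**] [gid:sid:rev] message [**]" header, a classification line and
# a timestamped packet line.

# Count alerts per signature header, most frequent first.
alerts_by_signature() {
    awk '
        /^\[\*\*\] \[/ {
            sig = $0
            sub(/^\[\*\*\] /, "", sig)   # strip leading "[**] "
            sub(/ \[\*\*\]$/, "", sig)   # strip trailing " [**]"
            count[sig]++
        }
        END { for (s in count) printf "%d %s\n", count[s], s }
    ' "$1" | sort -rn
}

# Count alerts per "src -> dst" pair, taken from the timestamped packet line
# (e.g. "06/20-23:39:49.818281 0.0.0.0:68 -> 255.255.255.255:67").
alerts_by_pair() {
    awk '
        $1 ~ /^[0-9][0-9]\/[0-9][0-9]-/ && $3 == "->" {
            pair = $2 " -> " $4
            count[pair]++
        }
        END { for (p in count) printf "%d %s\n", count[p], p }
    ' "$1" | sort -rn
}

# Constructed sample in the thread's format: two entries copied from the post,
# one placeholder signature (SID 1000001 is the local-rule range). Not real traffic.
write_sample_alert_file() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
[**] [1:527:8] BAD-TRAFFIC same SRC/DST [**]
[Classification: Potentially Bad Traffic] [Priority: 2]
06/20-23:39:49.757375 :: -> ff02::16
IPV6-ICMP TTL:1 TOS:0x0 ID:256 IpLen:40 DgmLen:96

[**] [1:527:8] BAD-TRAFFIC same SRC/DST [**]
[Classification: Potentially Bad Traffic] [Priority: 2]
06/20-23:39:49.818281 0.0.0.0:68 -> 255.255.255.255:67
UDP TTL:128 TOS:0x10 ID:0 IpLen:20 DgmLen:328

[**] [1:1000001:1] EXAMPLE placeholder signature [**]
[Classification: Misc activity] [Priority: 3]
06/20-23:40:02.000000 192.0.2.10:51000 -> 192.0.2.1:53
UDP TTL:64 TOS:0x0 ID:1 IpLen:20 DgmLen:60
EOF
    echo "$f"
}

# Stand-alone use: "sh alert_summary.sh /var/log/snort/alert"; with no argument
# it runs against the constructed sample and removes it afterwards.
main() {
    if [ -n "${1:-}" ]; then
        file="$1"
    else
        file=$(write_sample_alert_file)
    fi
    echo "== alerts by signature =="
    alerts_by_signature "$file"
    echo "== alerts by src -> dst =="
    alerts_by_pair "$file"
    [ -n "${1:-}" ] || rm -f "$file"
}

main "$@"
```

Run against the real file as root (the alert file is owned by the snort user and not world-readable by default on Debian). The same two functions work unchanged on a file produced by several Snort instances, since each entry carries its own header and packet line.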
 
06-22-2013, 03:57 PM #10
unSpawn

Quote (Originally Posted by Fred Caro):
pgrep seems to be a solaris thing
No?


Quote (Originally Posted by Fred Caro):
the '-n' option seems to specify what is happening now
Why would you think that? You've already shown the right output...


Quote (Originally Posted by Fred Caro):
I'm not keen on writing scripts and then inserting them into 'profiles' as I don't know what effects that will have, if indeed that is what you do! I have read that you can set pre-existing conf. files to delay the take up of snort examination on os (debian) conf. files but can't find that reference again, any help would be appreciated.
Your choice. Unfortunately I'm not that distro-agnostic to help you with that.



Quote (Originally Posted by Fred Caro):
pgrep -lfn snort|grep eth1
2984 /usr/sbin/snort -m 027 -D -d -l /var/log/snort -u snort -g snort -c /etc/snort/snort.conf -S HOME_NET=[192.168.0.0/24] -i eth1
bob@bobsgaff:~$
seems to be the same
Sure but that's completely the wrong way to use pgrep.

- In short this tells you if Snort is running as it returns the PID and the whole command line:
Code:
pgrep -l snort
- and this tells you if Snort is running but selecting only those instances that have "eth1" as one of their arguments and returning nothing but the PId:
Code:
pgrep -f "/usr/sbin/snort.*eth1"
That means that in BASH you can:
Code:
snortcheck() { PIDS=($(pgrep -f "/usr/sbin/snort.*eth1"))
case ${#PIDS[@]} in 
 1) logger -t $FUNCNAME "Snort running with ${#PIDS[@]} PIds.";;
 *) logger -t $FUNCNAME "Restarting Snort:"
    /path/to/snort_start_script restart;;
esac; }

snortcheck

Quote (Originally Posted by Fred Caro):
, perhaps I should check logs, not that I have created any specific logs so they will only this login? It seems eth1 is being monitored as it has generated traffic for today (..) I assume it would not if snort was looking on eth0.
The assumption would not be something I would want to use to determine what network device Snort listens on...


*BTW:
Quote (Originally Posted by Fred Caro):
Code:
root@bobsgaff:/var/log/snort# cat alert
binary logs (see Barnyard2) are performance-wise way more efficient than having Snort capture traffic, parse packets and then requiring it to write out full human readable analysis logs.
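Putting two pieces of this thread together, the 'pgrep -f "/usr/sbin/snort.*eth1"' check and snortcheck from this post and the /etc/NetworkManager/dispatcher.d/ suggestion from post #7, here is an added example that is not unSpawn's code and not part of Debian's snort package: a dispatcher script that runs when NetworkManager brings an interface up, counts the Snort instances whose command line carries "-i" for that interface, and restarts Snort when the count is not exactly one (zero means Snort skipped the wireless interface at boot because it was not yet initialised). The script location, the SNORT_IFACE default and the init script path are assumptions; the decision is a separate side-effect-free function so it can be exercised on a machine without Snort.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumed location:
# /etc/NetworkManager/dispatcher.d/90-snort (name is an assumption). NetworkManager
# only runs dispatcher scripts that are executable, owned by root and not
# group/world writable, and calls them as: <script> <interface> <action>

SNORT_IFACE="${SNORT_IFACE:-eth1}"             # interface Snort should listen on (assumed default)
SNORT_INIT="${SNORT_INIT:-/etc/init.d/snort}"  # Debian init script (assumed path)
SNORT_BIN="/usr/sbin/snort"                    # binary path as seen in the thread's pgrep output

# PIDs of Snort instances whose full command line ends in, or contains, "-i <iface>".
# pgrep -f matches against the whole command line, which is why "-i eth1" is visible.
# "|| true" keeps a zero-match (exit status 1) from aborting a script run under set -e.
snort_pids_for() {
    pgrep -f "^$SNORT_BIN .*-i $1( |\$)" || true
}

# Pure decision logic: prints "restart" or "none" for (interface, action, count).
# Only the configured interface and the "up" action are of interest; one running
# instance is healthy, zero or several means the instance should be (re)started.
decide() {
    iface="$1"; action="$2"; count="$3"
    if [ "$iface" != "$SNORT_IFACE" ]; then
        echo none
        return 0
    fi
    case "$action" in
        up)
            if [ "$count" -eq 1 ]; then echo none; else echo restart; fi ;;
        *)
            echo none ;;
    esac
}

main() {
    iface="$1"; action="$2"
    count=$(snort_pids_for "$iface" | wc -l | tr -d ' ')
    verdict=$(decide "$iface" "$action" "$count")
    # Same reporting channel unSpawn's snortcheck uses: one syslog line per event.
    logger -t snort-dispatcher "$iface $action: $count Snort instance(s) on $SNORT_IFACE, verdict=$verdict"
    if [ "$verdict" = restart ]; then
        "$SNORT_INIT" restart
    fi
}

# NetworkManager always passes two arguments; do nothing if run by hand without them.
if [ -n "${1:-}" ] && [ -n "${2:-}" ]; then
    main "$1" "$2"
fi
```

To exercise it by hand, run it as root with the two arguments NetworkManager would pass ('sh /etc/NetworkManager/dispatcher.d/90-snort eth1 up') and look for the "snort-dispatcher" line in syslog, the same way unSpawn suggested checking for snortcheck's "Snort running with 1 PIds." message. Keeping decide() free of side effects means the restart policy can be changed and tested without touching a live Snort.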
 
06-24-2013, 03:12 PM #11
Fred Caro
unSpawn,
thanks, I'm not sure how much of it I understand at this point. The results for the penultimate box are as follows:

Code:
bob@bobsgaff:~$ pgrep -f "/usr/sbin/snort.*eth1"
3908
bob@bobsgaff:~$ snortcheck() { PIDS=($(pgrep -f "/usr/sbin/snort.*eth1"))
> case ${#PIDS[@]} in
> 1) logger -t $FUNCNAME "Snort running with ${#PIDS[@]} PIds.";;
> *) logger -t $FUNCNAME "Restarting Snort:"
> /path/to/snort_start_script restart;;
> esac; }
bob@bobsgaff:~$
bob@bobsgaff:~$ snortcheck

Does the blank line mean no check was carried out or that Snort was restarted?

Fred.
 
06-24-2013, 05:15 PM #12
unSpawn

Quote (Originally Posted by Fred Caro):
Does the blank line mean no check was carried out or that Snort was restarted?
No. If you check your syslog you should see a message "Snort running with 1 PIds.".
 
06-25-2013, 08:04 PM #13
Fred Caro
unSpawn,
thanks again, so snort is checking my wireless connection and what you do with that is up to oneself. Am I right in thinking that Snort will throw off packets or parts of them if they don't conform?

Fred.
 
06-26-2013, 07:27 PM #14
Fred Caro
unspawn,
regarding the syslog, the tail end of the current log at about 23:30 (GMT) is:

Code:
Jun 26 23:26:25 bobsgaff NetworkManager[3039]: <info> (eth1): supplicant interface state: associating -> associated
Jun 26 23:26:26 bobsgaff NetworkManager[3039]: <info> (eth1): supplicant interface state: associated -> 4-way handshake
Jun 26 23:26:26 bobsgaff wpa_supplicant[3092]: eth1: WPA: Key negotiation completed with 24:db:ac:47:d8:b7 [PTK=CCMP GTK=CCMP]
Jun 26 23:26:26 bobsgaff wpa_supplicant[3092]: eth1: CTRL-EVENT-CONNECTED - Connection to 24:db:ac:47:d8:b7 completed (reauth) [id=0 id_str=]
Jun 26 23:26:26 bobsgaff NetworkManager[3039]: <info> (eth1): supplicant interface state: 4-way handshake -> completed
Jun 26 23:26:31 bobsgaff NetworkManager[3039]: <info> (eth1): roamed from BSSID (none) ((none)) to 24:DB:AC:47:D8:B7 (VodafoneMobileWiFi-D8B789)


The "none"s cause concern, what do you think?


Fred.
 
11-06-2013, 08:23 PM #15
Fred Caro
UnSpawn,
short result:
Code:
bob@bobsgaff:~$ pgrep -lf snort | grep eth? (ie substitute)

from prompt '~$' is a good way of checking if snort is running the eth of your choice, so solved.
 
  

