LinuxQuestions.org - Linux - News
Autosnort: a way to make your snort installations easier. (http://www.linuxquestions.org/questions/linux-news-59/autosnort-a-way-to-make-your-snort-installations-easier-4175437011/)

da_667 11-13-2012 05:54 PM

Autosnort: a way to make your snort installations easier.
 
Hello fellow Linux users. I'd like to introduce myself. I'm DA, shorthand for Digital Arcanist. I work in information/network security, and have been a cross-platform Linux user and enthusiast for a number of years. I came here to the security forums to announce a new tool/script I have developed called "Autosnort".

As the name implies, the script is related to the open-source snort software. For those who do not know what snort is, snort is a powerful rule-driven Network Intrusion Detection and Prevention System -- to put it simply, it inspects network traffic, and lets you know if it spots anything unusual on the wire with an extensive set of rules provided by the Sourcefire VRT (the creators and maintainers of snort) among other rule writing sources.

The autosnort script simply automates an intense and fairly complicated exercise, updating snort to the latest available version, and turns it into something as effortless as running a shell script and responding to a few prompts.

Like everything good in the Linux universe, I'm releasing this script for free - entirely open-source and under the MIT license, meaning you can do practically anything you want to with it.

If you are interested, please check out my github repository where I am currently hosting the script, as well as my blog for updates in functionality and distro support.

github: https://github.com/da667/Autosnort
blog: http://autosnort.blogspot.com/

If you have any questions or run into problems, my contact information is provided in the readme as well.

Happy snorting!

note to the moderators: Apologies if this announcement landed in the wrong forum, or if I inadvertently violated the rules. Feel free to move or remove this as deemed necessary if I'm breaking the rules.

Cheers,

DA.

unSpawn 11-13-2012 06:17 PM

While Snort as an application can be thought of as network/security-related, your announcement is not. I'll move it to the News section, no problem. And congrats on the scripts. I see you've been working on them for some time now.

unSpawn 11-13-2012 06:34 PM

Looking at autosnort-centOS.sh I wonder why you didn't choose to install DAQ and Snort from snort.org? After all it provides RPM packages. Or is enabling performance monitoring for rules and preprocessors *that* important on a sensor?

da_667 11-14-2012 06:20 PM

Hello unSpawn,

Thanks for both of the replies. The script has definitely come a long way. I'm not much of a programmer and I've had TONS of help with this little project, some of which came from here, months ago, as evidenced by that link :) So let me get to your questions (thanks for your patience by the way!)

Quote:

Looking at autosnort-centOS.sh I wonder why you didn't choose to install DAQ and Snort from snort.org? After all it provides RPM packages.

Actually, I poll snort.org directly via this block of code:
Code:

echo "acquiring latest version of snort and daq."
echo ""

# Grab the downloads page and scrape the first snort-<version> and daq
# tarball names out of the HTML anchors.
cd /tmp || exit 1
wget -q http://snort.org/snort-downloads -O /tmp/snort-downloads
snortver=$(grep 'snort-[0-9]' /tmp/snort-downloads | cut -d">" -f2 | cut -d"<" -f1 | head -1)
daqver=$(grep daq /tmp/snort-downloads | cut -d">" -f2 | cut -d"<" -f1 | head -1)
rm /tmp/snort-downloads
# Bail out if the scrape came back empty rather than requesting a bogus URL.
if [ -z "$snortver" ] || [ -z "$daqver" ]; then
    echo "could not determine current snort/daq versions from snort.org" >&2
    exit 1
fi
cd /usr/src || exit 1
wget "http://snort.org/dl/snort-current/$snortver" -O "$snortver"
wget "http://snort.org/dl/snort-current/$daqver" -O "$daqver"

Basically what I'm doing here is a quiet check of snort.org/snort-downloads. The grep statement is just looking for part of a snort version string, and the word daq, and cutting out the first instance of each, assigning them both to a variable. The testing I did seems to indicate that performing these actions turns up the current stable source of daq and snort as the first lines returned. The cut statements are just to clean them up as variables for the following wget statements to download the source for both. This code could easily be modified to pull the RPMs, then the code in other portions of the script modified to just rpm -Uvh the RPMs... but...

Quote:

is enabling performance monitoring for rules and preprocessors *that* important on a sensor?

Well, *I* consider it important, because in a previous life I used to work for Sourcefire, the guys who produce the corporate version of snort. I used to do a lot of performance tuning and troubleshooting with customers. Having the performance statistic options available and turned on by default comes out of being in the trenches and knowing how useful perfstats output can be when trying to figure out what is wrong with your network -- is it the IPS, or is it something else we have to point the finger at for this network outage? Okay, well, we know for sure it's the IDS, now what? Performance profiling lets you get an idea of which preprocessors and which rules are causing you grief.

Giving users the ability to troubleshoot performance issues (inline or passive deployments) without the need to recompile is a nice benefit to me for what is, on most modern systems, maybe an extra few minutes of compile time. If I hear enough complaints about it, or if there is enough of a demand to just install the RPMs for redhat-based derivatives, I will definitely do so -- or if you, or any other users, are so inclined, feel free to write it in and I'll just merge it in and accredit you for your contribution :)

Cheers,

DA

p.s. Thank you and the rest of the LinuxQuestions forum moderation team for allowing me to post here!
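The scraping step DA describes is the fragile part of the script: a layout change on snort.org leaves both variables empty, and wget then requests a URL that ends in nothing. Here is the same idea written as a small, testable shell function. This is an added example, not code from Autosnort or from DA: it assumes a saved copy of the downloads page as input, the HTML in write_sample_page is constructed to resemble what the grep expects, and the function names (extract_tarball, write_sample_page, fetch_sources, record_url) are hypothetical. It goes a little beyond the original in that one pattern serves both snort and daq, only a bare .tar.gz file name is accepted (no path separators or trailing markup), and an empty result aborts the download step instead of being passed to wget.

```shell
#!/bin/sh
# Added example, not part of Autosnort. NAME is "snort" or "daq"; FILE is a
# saved copy of the snort.org downloads page. Prints the first matching tarball
# name, or returns 1 so the caller can abort instead of building a bad URL.
extract_tarball() {
    name=$1
    file=$2
    # -o prints only the matching text; the class excludes '<', '"' and '/' so
    # the result is a bare file name, never a path or a run of HTML.
    ver=$(grep -o "$name-[0-9][^<\"/]*\\.tar\\.gz" "$file" | head -n 1)
    if [ -z "$ver" ]; then
        echo "no $name tarball found in $file" >&2
        return 1
    fi
    printf '%s\n' "$ver"
}

# Constructed stand-in for http://snort.org/snort-downloads, written to FILE.
# The .src.rpm entry and the "snort downloads" link are there to show what the
# pattern must skip.
write_sample_page() {
    cat > "$1" <<'EOF'
<html><body>
<h2>Snort Downloads</h2>
<p>See also <a href="/snort-downloads">snort downloads</a>.</p>
<ul>
<li><a href="/dl/snort-current/snort-2.9.3.1-1.src.rpm">snort-2.9.3.1-1.src.rpm</a></li>
<li><a href="/dl/snort-current/snort-2.9.3.1.tar.gz">snort-2.9.3.1.tar.gz</a></li>
<li><a href="/dl/snort-current/daq-2.0.0.tar.gz">daq-2.0.0.tar.gz</a></li>
</ul>
</body></html>
EOF
}

# Mirror of the script's download step, parameterised so it runs offline:
# PAGE is the saved page, DESTDIR where tarballs go, FETCH a command taking
# URL and output path (the real script uses wget -O). Any failure returns 1.
fetch_sources() {
    page=$1 destdir=$2 fetch=$3
    snortver=$(extract_tarball snort "$page") || return 1
    daqver=$(extract_tarball daq "$page") || return 1
    "$fetch" "http://snort.org/dl/snort-current/$snortver" "$destdir/$snortver" || return 1
    "$fetch" "http://snort.org/dl/snort-current/$daqver" "$destdir/$daqver" || return 1
}

# Offline fetcher: records the URL it was asked for instead of downloading.
record_url() { printf '%s\n' "$1" > "$2"; }

# Usage: resolve both versions from the constructed page and list the results.
tmpdir=$(mktemp -d)
write_sample_page "$tmpdir/snort-downloads"
fetch_sources "$tmpdir/snort-downloads" "$tmpdir" record_url && ls "$tmpdir"
rm -rf "$tmpdir"
```

Swapping record_url for a wrapper around wget gives the real behaviour; the point of the parameter is that the parsing and the guard can be exercised without touching the network.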

