LinuxQuestions.org
Linux - News
Old 11-13-2012, 05:54 PM   #1
da_667
LQ Newbie
 
Registered: Aug 2012
Posts: 6

Rep: Reputation: Disabled
Autosnort: a way to make your snort installations easier.


Hello fellow Linux users. I'd like to introduce myself. I'm DA, shorthand for Digital Arcanist. I work in information/network security, and have been a cross-platform Linux user and enthusiast for a number of years. I came here to the security forums to announce a new tool/script I have developed called "Autosnort".

As the name implies, the script is related to the open-source snort software. For those who do not know what snort is, snort is a powerful rule-driven Network Intrusion Detection and Prevention System -- to put it simply, it inspects network traffic, and lets you know if it spots anything unusual on the wire using an extensive set of rules provided by the Sourcefire VRT (the creators and maintainers of snort) among other rule-writing sources.

The autosnort script simply automates an intense and fairly complicated exercise, updating snort to the latest available version, and turns it into something as effortless as running a shell script and responding to a few prompts.

Like everything good in the Linux universe, I'm releasing this script for free - entirely open-source and under the MIT license, meaning you can do practically anything you want to with it.

If you are interested, please check out my github repository where I am currently hosting the script, as well as my blog for updates in functionality and distro support.

github: https://github.com/da667/Autosnort
blog: http://autosnort.blogspot.com/

If you have any questions or run into problems, my contact information is provided in the readme as well.

Happy snorting!

note to the moderators: Apologies if this announcement landed in the wrong forum, or if I inadvertently violated the rules. Feel free to move or remove this as deemed necessary if I'm breaking the rules.

Cheers,

DA.

Last edited by da_667; 11-13-2012 at 06:00 PM.
 
Old 11-13-2012, 06:17 PM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,319
Blog Entries: 54

Rep: Reputation: 2860
While Snort as an application can be thought of as network/security-related, your announcement is not. I'll move it to the News section, no problem. And congrats on the scripts. I see you've been working on them for some time now.
 
Old 11-13-2012, 06:34 PM   #3
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,319
Blog Entries: 54

Rep: Reputation: 2860
Looking at autosnort-centOS.sh I wonder why you didn't choose to install DAQ and Snort from snort.org? After all it provides RPM packages. Or is enabling performance monitoring for rules and preprocessors *that* important on a sensor?
 
Old 11-14-2012, 06:20 PM   #4
da_667
LQ Newbie
 
Registered: Aug 2012
Posts: 6

Original Poster
Rep: Reputation: Disabled
Hello unSpawn,

Thanks for both of the replies. The script has definitely come a long way. I'm not much of a programmer and I've had TONS of help with this little project, some of which came from here, months ago, as evidenced by that link. So let me get to your questions (thanks for your patience, by the way!).

Quote:
Looking at autosnort-centOS.sh I wonder why you didn't choose to install DAQ and Snort from snort.org? After all it provides RPM packages.
Actually, I poll snort.org directly via this block of code:
Code:
echo "acquiring latest version of snort and daq."
echo ""

# Quietly fetch the snort.org downloads page and pull the first snort-x.y.z
# and daq filenames out of the HTML (the first match is the current stable release).
cd /tmp || exit 1
wget -q http://snort.org/snort-downloads -O /tmp/snort-downloads || exit 1
snortver=$(grep 'snort-[0-9]' /tmp/snort-downloads | cut -d">" -f2 | cut -d"<" -f1 | head -1)
daqver=$(grep 'daq' /tmp/snort-downloads | cut -d">" -f2 | cut -d"<" -f1 | head -1)
rm -f /tmp/snort-downloads

# Refuse to continue with empty names, otherwise wget would write to "" below.
if [ -z "$snortver" ] || [ -z "$daqver" ]; then
    echo "could not determine the current snort/daq tarball names" >&2
    exit 1
fi

# Download both source tarballs into /usr/src under the names found above.
cd /usr/src || exit 1
wget "http://snort.org/dl/snort-current/$snortver" -O "$snortver"
wget "http://snort.org/dl/snort-current/$daqver" -O "$daqver"
Basically what I'm doing here is a quiet check of snort.org/snort-downloads. The grep statement is just looking for part of a snort version string, and the word daq, and cutting out the first instance of each, assigning them both to a variable. The testing I did seems to indicate that performing these actions turns up the current stable source of daq and snort as the first lines returned. The cut statements are just to clean them up as variables for the following wget statements to download the source for both. This code could easily be modified to pull the RPMs, then the code in other portions of the script modified to just rpm -Uvh the RPMs... but...

Quote:
is enabling performance monitoring for rules and preprocessors *that* important on a sensor?
Well, *I* consider it important, because in a previous life I used to work for Sourcefire, the guys who produce the corporate version of snort. I used to do a lot of performance tuning and troubleshooting with customers. Having the performance statistic options available and turned on by default comes out of being in the trenches and knowing how useful perfstats output can be when trying to figure out what is wrong with your network -- is it the IPS, or is it something else we have to point the finger at for this network outage? Okay, well, we know for sure it's the IDS, now what? Performance profiling lets you get an idea of which preprocessors and which rules are causing you grief.

Giving users the ability to troubleshoot performance issues (inline or passive deployments) without the need to recompile is a nice benefit to me for what is, on most modern systems, maybe an extra few minutes of compile time. If I hear enough complaints about it, or if there is enough of a demand to just install the RPMs for Red Hat-based derivatives, I will definitely do so -- or if you, or any other users, are so inclined, feel free to write it in and I'll just merge it in and credit you for your contribution.

Cheers,

DA

p.s. thank you and the rest of the linuxquestions forum moderation team for allowing me to post here!
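The version-scraping step discussed above takes whatever the downloads page hands back and uses it as both a URL component and a local filename. The following is an added example (not Autosnort's own code, and not from the thread) showing how that step can be done defensively: the page text is matched with a strict tarball pattern rather than a loose grep/cut chain, the resulting names are validated before they are used as filenames, and the downloaded archive is checked against a SHA-256 value obtained out of band before anything is built. The HTML snippet and the version numbers in it are constructed for the example; the function names and the page layout are assumptions, not part of the original script.

```shell
#!/bin/sh
# Added example, not Autosnort's own code. Demonstrates a stricter version of the
# "find the current snort and daq tarball names on the downloads page" step.

# Constructed sample of the kind of HTML the original script greps through.
# The version numbers are made up for the example.
SAMPLE_PAGE='<ul>
<li><a href="/dl/snort-current/snort-2.9.3.1.tar.gz">snort-2.9.3.1.tar.gz</a></li>
<li><a href="/dl/snort-current/daq-1.1.1.tar.gz">daq-1.1.1.tar.gz</a></li>
<li><a href="/dl/snort-current/snort-2.9.3.0.tar.gz">snort-2.9.3.0.tar.gz</a></li>
</ul>'

# extract_tarball NAME PAGE_TEXT
# Prints the first "NAME-<digits and dots>.tar.gz" found in PAGE_TEXT, nothing otherwise.
# Matching the whole tarball name is stricter than grepping for "daq" and cutting on "<>".
extract_tarball() {
    printf '%s\n' "$2" | grep -o "$1-[0-9][0-9.]*\.tar\.gz" | head -n 1
}

# is_safe_filename NAME
# Accepts only a bare tarball name: non-empty, no path separators, no "..",
# and a conservative character set. This guards the later "wget -O $name" step
# against an unexpected page layout producing something that is not a plain filename.
is_safe_filename() {
    case "$1" in
        ""|*/*|*..*) return 1 ;;
    esac
    printf '%s\n' "$1" | grep -Eq '^[A-Za-z0-9][A-Za-z0-9._-]*\.tar\.gz$'
}

# current_versions PAGE_TEXT
# Prints "<snort tarball> <daq tarball>" on one line, or fails if either name
# is missing or does not pass validation.
current_versions() {
    snortver=$(extract_tarball snort "$1")
    daqver=$(extract_tarball daq "$1")
    is_safe_filename "$snortver" || return 1
    is_safe_filename "$daqver" || return 1
    printf '%s %s\n' "$snortver" "$daqver"
}

# verify_sha256 FILE EXPECTED_HEX
# Succeeds only if FILE hashes to EXPECTED_HEX; the expected value should come
# from a channel other than the download itself (e.g. the project's published
# checksum or signature), so a tampered or truncated tarball is never built.
verify_sha256() {
    actual=$(sha256sum "$1" | cut -d' ' -f1)
    [ "$actual" = "$2" ]
}

# Stand-alone run: show what the sample page resolves to.
current_versions "$SAMPLE_PAGE"
```

In a script like autosnort the two names printed by `current_versions` would feed the existing `wget` lines, and `verify_sha256` would run on each archive before `tar`/`configure`. The checksum has to be pinned from a trusted source; comparing a download against a checksum fetched from the same page at the same time proves nothing.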