LinuxQuestions.org

Linux - Security: confused by snort setup (http://www.linuxquestions.org/questions/linux-security-4/confused-by-snort-setup-4175454461/)

rbees 03-17-2013 08:28 PM

confused by snort setup
 
Ladies & Gents,

I have been working on getting snort set up for a couple of weeks now on a new external host that I am building.

The system is Debian Squeeze, all updates regularly installed. All software is installed from the debian repos, not from source.

Snort is installed and functioning correctly as far as I can tell at this time. The issue I am having is in understanding just what I need to have installed/configured to have the snort rules automatically updated.

This howto:
http://youresuchageek.blogspot.com/2...in-debian.html

Indicates that in order for snort to log to mysql I need to have barnyard/2 or similar installed. I have acidbase installed and working properly and it appears that the events are being logged to mysql, as the data reported by acidbase changes regularly. But I do NOT have barnyard or similar installed. So I don't understand how the mysql database is being logged to. If my database is being updated do I need to install barnyard?

I have also tried to set up oinkmaster to pull the updated rules files but I am getting a "permission denied" error. Yes, I do have an oinkcode.

I have also been looking at this howto
http://www.aboutdebian.com/snort.html
and this one
http://scriptthe.net/category/guides/ (about 3/4 of the way down.)

I have not changed the default installed rule set or the default config at this time.

Can anyone help clear up my confusion?

unSpawn 03-18-2013 02:27 AM

Quote:

Originally Posted by rbees (Post 4913559)
If my database is being updated do I need to install barnyard?

AFAIK if you enable database logging in snort.conf you don't need Barnyard(2).


Quote:

Originally Posted by rbees (Post 4913559)
I have also tried to setup oinkmaster to pull the updated rules files but I am getting a "permission denied" error.

Post actual errors, process, directory and file ownership and permissions, maybe verbose or debug logging if Oinkmaster can show that, stuff like that.

vishesh 03-18-2013 08:41 AM

Barnyard is not compulsory, but it will help you to improve the performance of snort. If Barnyard is not in place then logging activities may consume more resources.

rbees 03-18-2013 07:52 PM

Thanks unSpawn,

I did some looking again at snort's config and found the database thing. I guess I was just confused by what is stated in that howto.

Sorry, it is a "Forbidden" error and not a "Denied" one.

Code:

# oinkmaster -o /etc/snort/rules -c
Loading /etc/oinkmaster.conf
Downloading file from http://www.snort.org/pub-bin/oinkmaster.cgi/*oinkcode*/snortrules-snapshot-2.8.
/usr/sbin/oinkmaster: Error: could not download from http://www.snort.org/pub-bin/oinkmaster.cgi/*oin:

 http://www.snort.org/pub-bin/oinkmaster.cgi/*oinkcode*/snortrules-snapshot-2.8.tar.gzResolving www.s0
Connecting to www.snort.org|23.23.170.170|:80... connected.
HTTP request sent, awaiting response... 403 Forbidden
2013-03-18 20:31:44 ERROR 403: Forbidden.

Oink, oink. Exiting...

I have tried to find more up to date instructions but everything I found was a couple of years old.

rbees 03-18-2013 08:09 PM

vishesh

Could you please elaborate more. What does it do to enhance the performance?

unSpawn 03-19-2013 02:42 AM

Not exactly an answer (for that you would need to show at least 'grep -v ^# oinkmaster.conf|grep .;' details plus a verbose run of Oinkmaster) but try what Sourcefire promotes: http://code.google.com/p/pulledpork/? Wrt speed it's simple: binary logging with Barnyard(2) is faster than (interpreted) human-readable text logging.

rbees 03-19-2013 06:47 PM

Code:

# grep -v ^# oinkmaster.conf|grep .;
url = http://www.snort.org/pub-bin/oinkmaster.cgi/MyOinkCode/snortrulesz
path = /sbin:/usr/sbin:/bin:/usr/bin
use_external_bins = 1
tmpdir = /var/run/oinkmaster
umask = 0027
update_files = \.rules$|\.config$|\.conf$|\.txt$|\.map$
use_path_checks = 1
skipfile local.rules
skipfile deleted.rules
skipfile snort.conf

I have looked at PulledPork2 but hesitate to install it because it is not in the debian repos. That presents an update issue for me as then I have to monitor the app for updates and manually install it. All of which takes time that is very limited for me. So I would really rather use oinkmaster instead.

Code:

c# oinkmaster -o /etc/snort/rules -c -v
Loading /etc/oinkmaster.conf
Adding file to ignore list: local.rules.
Adding file to ignore list: deleted.rules.
Adding file to ignore list: snort.conf.
Found gzip binary in /bin
Found tar binary in /bin
Downloading file from http://www.snort.org/pub-bin/oinkmaster.cgi/*oinkcode*/snortrules-snapshot-2.8.
--2013-03-19 19:44:17--  http://www.snort.org/pub-bin/oinkmaster.cgi/0a781b9ff1692198554915a60f3083d4z
Resolving www.snort.org... 23.23.143.143
Connecting to www.snort.org|23.23.143.143|:80... connected.
HTTP request sent, awaiting response... 403 Forbidden
2013-03-19 19:44:19 ERROR 403: Forbidden.


/usr/sbin/oinkmaster: Error: could not download from http://www.snort.org/pub-bin/oinkmaster.cgi/*oinz

Oink, oink. Exiting...


rbees 03-19-2013 09:26 PM

I do have PulledPork installed but it is also having issues. Here lately my average has gotten pretty low. Seems like everything I try fails.

Not being able to devote lots of time to this project results in forgetting things. I had tried pulledpork before and ran into this problem.

Code:

#  /usr/local/bin/pulledpork.pl -c /etc/snort/pulledpork.conf -T -l

    http://code.google.com/p/pulledpork/
      _____ ____
    `----,\    )
      `--==\\  /    PulledPork v0.6.1 the Smoking Pig <////~
      `--==\\/
    .-~~~~-.Y|\\_  Copyright (C) 2009-2011 JJ Cummings
  @_/        /  66\_  cummingsj@gmail.com
    |    \  \  _(")
    \  /-| ||'--'  Rules give me wings!
      \_\  \_\\
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

The specified Snort binary does not exist!
Please correct the value or specify the FULL rules tarball name in the pulledpork.conf!
 at /usr/local/bin/pulledpork.pl line 1736

YES THE BINARY DOES EXIST, if it is talking about the snort binary. But I was not able to find out where to set the path.

PulledPork config
Code:

grep -v ^# pulledpork.conf|grep .;
rule_url=https://www.snort.org/reg-rules/|snortrules-snapshot.tar.gz|MyOinkCode
rule_url=https://rules.emergingthreats.net/|emerging.rules.tar.gz|open
ignore=deleted.rules,experimental.rules,local.rules
temp_path=/tmp
rule_path=/etc/snort/rules/snort.rules
local_rule=/etc/snort/rules/local.rules
sid_msg=/etc/snort/sid-msg.map
sid_changelog=/var/log/sid_changes.log
sorule_path=/usr/local/lib/snort_dynamicrules/
snort_path=/usr/bin/snort
config_path=/etc/snort/snort.conf
sostub_path=/usr/local/snort/etc/rules/so_rules.rules
distro=Debian-Lenny
enablesid=/etc/snort/enablesid.conf
disablesid=/etc/snort/disablesid.conf
modifysid=/etc/snort/modifysid.conf
version=0.6.0

The section of pulledpork.pl referenced
Code:

if ( @base_url && -d $temp_path ) {

    if ( -d $temp_path . "tha_rules" ) {
        print
"\tdoh, we need to perform some cleanup ... an unclean run last time?\n"
          if ( $Verbose && !$Quiet );
        temp_cleanup($temp_path);
    }

    if ( !$NoDownload ) {

        foreach (@base_url) {

            #undef $Sostubs if ( $Textonly || ( $_ =~ /emergingthreats/ ) );
            my ( $base_url, $rule_file, $oinkcode ) = split( /\|/, $_ );
            croak
"You need to define an oinkcode, please review the rule_url section of the pulledpork config file!\n"
              unless $oinkcode;
            croak(
                "please define the rule_url correctly in the pulledpork.conf\n")
              unless defined $base_url;
            croak(

            if ( $base_url =~ /snort\.org/i ) {
                $prefix = "VRT-";
                unless ( $rule_file =~ /snortrules-snapshot-\d{4}\.tar\.gz/
                    || $rule_file =~ /opensource\.gz/ )
                {
                    croak(
"The specified Snort binary does not exist!\nPlease correct the value or specify the FULL",
                        " rules tarball name in the pulledpork.conf!\n"
                    ) unless $Snort;
                    my $Snortv = $Snort;
                    $Snortv =~ s/\.//g;
                    $rule_file = "snortrules-snapshot-$Snortv.tar.gz";
                }
            }
            elsif ( $base_url =~ /emergingthreats.net/ ) {
                $prefix = "ET-";
                my $Snortv = $Snort;
                $Snortv =~ s/(?<=\d\.\d\.\d)\.\d//;
                $base_url .= "$oinkcode/snort-$Snortv/";

                #$Textonly = 1;
            }

            $prefix = "Custom-" unless $prefix;

            $Hash = 1 unless $base_url =~ /(emergingthreats|snort.org)/;

            if ( !$Hash ) {
                $md5 = md5file( $oinkcode, $rule_file, $temp_path, $base_url );
            }

When I asked about this on my local lug I got no response and so moved on to try oinkmaster.

rbees 03-20-2013 08:09 PM

I have been through pulledpork.pl again and I do not understand how the path is being set. But then I am not a programmer either. I have tried copying the snort binary to /usr/local/bin where I think it is put when installing from source but still no joy.

In pulledpork.pl there are several lines like

use File::Path;
use File::Find;

and there is

my ( $Snort_config, $Snort_path, $Textonly, $grabonly, $ips_policy, );

But I can find no place where $Snort_path is actually defined.

So I am still clueless.
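Added example (shell, not pulledpork's own code) that re-implements the check from the pulledpork.pl excerpt quoted above so the cause of the "Snort binary does not exist" message is visible: the excerpt strips dots from $Snort to build the tarball name, so the assumption here is that $Snort holds the Snort version string, passed as the second argument. The rule_url line is the one from the posted pulledpork.conf; the version number is a constructed sample.

```shell
#!/bin/sh
# Mirrors the rule_url handling in the quoted pulledpork.pl block:
# the line is split on "|" into base_url, rule_file and oinkcode. For a
# snort.org URL whose rule_file is not already a full
# "snortrules-snapshot-NNNN.tar.gz" name, the Snort version is needed to
# build that name; the croak fires when the version is unknown, not when
# snort_path is wrong. (Added example; $Snort = version is an assumption.)

# check_rule_url RULE_URL_LINE SNORT_VERSION
# Prints the tarball name that would be fetched; returns 1 on error.
check_rule_url() {
    line=$1
    snort_version=$2
    base_url=${line%%|*}
    rest=${line#*|}
    rule_file=${rest%%|*}
    oinkcode=${rest#*|}

    # Same two sanity checks as the croak() calls in the Perl.
    [ -n "$base_url" ] || { echo "rule_url is malformed: $line" >&2; return 1; }
    [ -n "$oinkcode" ] && [ "$oinkcode" != "$rest" ] \
        || { echo "missing oinkcode in rule_url" >&2; return 1; }

    case $base_url in
    *snort.org*)
        case $rule_file in
        snortrules-snapshot-[0-9][0-9][0-9][0-9].tar.gz|opensource.gz)
            ;;  # already a full name, nothing to derive
        *)
            if [ -z "$snort_version" ]; then
                echo "The specified Snort binary does not exist!" >&2
                echo "(really: Snort version unknown and rule_file has no version)" >&2
                return 1
            fi
            rule_file="snortrules-snapshot-$(printf %s "$snort_version" | tr -d .).tar.gz"
            ;;
        esac
        ;;
    esac
    printf '%s\n' "$rule_file"
}

# Demo: the thread's rule_url line without a version reproduces the error;
# with a (constructed) version 2.8.5.2 the tarball name is derived.
check_rule_url "https://www.snort.org/reg-rules/|snortrules-snapshot.tar.gz|MyOinkCode" "" || true
check_rule_url "https://www.snort.org/reg-rules/|snortrules-snapshot.tar.gz|MyOinkCode" "2.8.5.2"
```

Giving the full tarball name (with the four-digit version) in rule_url takes the version lookup out of the picture entirely, which is what the second half of the croak message is asking for.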

unSpawn 03-21-2013 02:37 AM

Quote:

Originally Posted by rbees (Post 4914779)
Code:

c# oinkmaster -o /etc/snort/rules -c -v
(..)
Downloading file from http://www.snort.org/pub-bin/oinkmaster.cgi/*oinkcode*/snortrules-snapshot-2.8.
--2013-03-19 19:44:17--  http://www.snort.org/pub-bin/oinkmaster.cgi/0a781b9ff1692198554915a60f3083d4z
Resolving www.snort.org... 23.23.143.143
Connecting to www.snort.org|23.23.143.143|:80... connected.
HTTP request sent, awaiting response... 403 Forbidden
2013-03-19 19:44:19 ERROR 403: Forbidden.
/usr/sbin/oinkmaster: Error: could not download from http://www.snort.org/pub-bin/oinkmaster.cgi/*oinz
Oink, oink. Exiting...


If you feed the complete tar ball URI to say cURL or wget does it 403 as well?

