LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Old 03-17-2013, 08:28 PM   #1
rbees
Member
 
Registered: Mar 2004
Location: northern michigan usa
Distribution: Debian Squeeze, Whezzy, Jessie
Posts: 652

Rep: Reputation: 42
confused by snort setup


Ladies & Gents,

I have been working on getting snort set up for a couple of weeks now on a new external host that I am building.

The system is Debian Squeeze, all updates regularly installed. All software is installed from the debian repos, not from source.

Snort is installed and functioning correctly as far as I can tell at this time. The issue I am having is in understanding just what I need to have installed/configured to have the snort rules automatically updated.

This howto:
http://youresuchageek.blogspot.com/2...in-debian.html

Indicates that in order for snort to log to mysql I need to have barnyard/2 or similar installed. I have acidbase installed and working properly and it appears that the events are being logged to mysql, as the data reported by acidbase changes regularly. But I do NOT have barnyard or similar installed. So I don't understand how the mysql database is being logged to. If my database is being updated do I need to install barnyard?

I have also tried to set up oinkmaster to pull the updated rules files but I am getting a "permission denied" error. Yes, I do have an oinkcode.

I have also been looking at this howto
http://www.aboutdebian.com/snort.html
and this one
http://scriptthe.net/category/guides/ (about 3/4 of the way down.)

I have not changed the default installed rule set or the default config at this time.

Can anyone help clear up my confusion?
 
Old 03-18-2013, 02:27 AM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,132
Blog Entries: 54

Rep: Reputation: 2790
Quote:
Originally Posted by rbees View Post
If my database is being updated do I need to install barnyard?
AFAIK if you enable database logging in snort.conf you don't need Barnyard(2).


Quote:
Originally Posted by rbees View Post
I have also tried to setup oinkmaster to pull the updated rules files but I am getting a "permission denied" error.
Post actual errors, process, directory and file ownership and permissions, maybe verbose or debug logging if Oinkmaster can show that, stuff like that.
 
Old 03-18-2013, 08:41 AM   #3
vishesh
Member
 
Registered: Feb 2008
Distribution: Fedora,RHEL,Ubuntu
Posts: 658

Rep: Reputation: 66
Barnyard is not compulsory, but it will help you to improve the performance of snort. If Barnyard is not in place then logging activities may consume more resources.
 
Old 03-18-2013, 07:52 PM   #4
rbees
Member
 
Registered: Mar 2004
Location: northern michigan usa
Distribution: Debian Squeeze, Whezzy, Jessie
Posts: 652

Original Poster
Rep: Reputation: 42
Thanks unSpawn,

I did some looking again at snort's config and found the database thing. I guess I was just confused by what is stated in that howto.

Sorry, it is a "Forbidden" error and not a "Denied" one.

Code:
# oinkmaster -o /etc/snort/rules -c
Loading /etc/oinkmaster.conf
Downloading file from http://www.snort.org/pub-bin/oinkmaster.cgi/*oinkcode*/snortrules-snapshot-2.8. 
/usr/sbin/oinkmaster: Error: could not download from http://www.snort.org/pub-bin/oinkmaster.cgi/*oin:

 http://www.snort.org/pub-bin/oinkmaster.cgi/*oinkcode*/snortrules-snapshot-2.8.tar.gzResolving www.s0
Connecting to www.snort.org|23.23.170.170|:80... connected.
HTTP request sent, awaiting response... 403 Forbidden
2013-03-18 20:31:44 ERROR 403: Forbidden.

Oink, oink. Exiting...
I have tried to find more up-to-date instructions but everything I found was a couple of years old.
 
Old 03-18-2013, 08:09 PM   #5
rbees
Member
 
Registered: Mar 2004
Location: northern michigan usa
Distribution: Debian Squeeze, Whezzy, Jessie
Posts: 652

Original Poster
Rep: Reputation: 42
vishesh

Could you please elaborate more. What does it do to enhance the performance?
 
Old 03-19-2013, 02:42 AM   #6
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,132
Blog Entries: 54

Rep: Reputation: 2790
Not exactly an answer (for that you would need to show at least 'grep -v ^# oinkmaster.conf|grep .;' details plus a verbose run of Oinkmaster) but try what Sourcefire promotes: http://code.google.com/p/pulledpork/? Wrt speed it's simple: binary logging with Barnyard(2) is faster than (interpreted) human-readable text logging.
 
Old 03-19-2013, 06:47 PM   #7
rbees
Member
 
Registered: Mar 2004
Location: northern michigan usa
Distribution: Debian Squeeze, Whezzy, Jessie
Posts: 652

Original Poster
Rep: Reputation: 42
Code:
# grep -v ^# oinkmaster.conf|grep .;
url = http://www.snort.org/pub-bin/oinkmaster.cgi/MyOinkCode/snortrulesz
path = /sbin:/usr/sbin:/bin:/usr/bin
use_external_bins = 1
tmpdir = /var/run/oinkmaster
umask = 0027
update_files = \.rules$|\.config$|\.conf$|\.txt$|\.map$
use_path_checks = 1
skipfile local.rules
skipfile deleted.rules
skipfile snort.conf
I have looked at PulledPork2 but hesitate to install it because it is not in the debian repos. That presents an update issue for me as then I have to monitor the app for updates and manually install it. All of which takes time that is very limited for me. So I would really rather use oinkmaster instead.

Code:
c# oinkmaster -o /etc/snort/rules -c -v
Loading /etc/oinkmaster.conf
Adding file to ignore list: local.rules.
Adding file to ignore list: deleted.rules.
Adding file to ignore list: snort.conf.
Found gzip binary in /bin
Found tar binary in /bin
Downloading file from http://www.snort.org/pub-bin/oinkmaster.cgi/*oinkcode*/snortrules-snapshot-2.8. 
--2013-03-19 19:44:17--  http://www.snort.org/pub-bin/oinkmaster.cgi/0a781b9ff1692198554915a60f3083d4z
Resolving www.snort.org... 23.23.143.143
Connecting to www.snort.org|23.23.143.143|:80... connected.
HTTP request sent, awaiting response... 403 Forbidden
2013-03-19 19:44:19 ERROR 403: Forbidden.


/usr/sbin/oinkmaster: Error: could not download from http://www.snort.org/pub-bin/oinkmaster.cgi/*oinz

Oink, oink. Exiting...
 
Old 03-19-2013, 09:26 PM   #8
rbees
Member
 
Registered: Mar 2004
Location: northern michigan usa
Distribution: Debian Squeeze, Whezzy, Jessie
Posts: 652

Original Poster
Rep: Reputation: 42
I do have PulledPork installed but it is also having issues. Here lately my average has gotten pretty low. Seems like everything I try fails.

Not being able to devote lots of time to this project results in forgetting things. I had tried pulledpork before and ran into this problem.

Code:
#  /usr/local/bin/pulledpork.pl -c /etc/snort/pulledpork.conf -T -l

    http://code.google.com/p/pulledpork/
      _____ ____
     `----,\    )
      `--==\\  /    PulledPork v0.6.1 the Smoking Pig <////~
       `--==\\/
     .-~~~~-.Y|\\_  Copyright (C) 2009-2011 JJ Cummings
  @_/        /  66\_  cummingsj@gmail.com
    |    \   \   _(")
     \   /-| ||'--'  Rules give me wings!
      \_\  \_\\
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

The specified Snort binary does not exist!
Please correct the value or specify the FULL rules tarball name in the pulledpork.conf!
 at /usr/local/bin/pulledpork.pl line 1736
YES THE BINARY DOES EXIST, if it is talking about the snort binary. But I was not able to find out where to set the path.

PulledPork config
Code:
grep -v ^# pulledpork.conf|grep .;
rule_url=https://www.snort.org/reg-rules/|snortrules-snapshot.tar.gz|MyOinkCode
rule_url=https://rules.emergingthreats.net/|emerging.rules.tar.gz|open
ignore=deleted.rules,experimental.rules,local.rules
temp_path=/tmp
rule_path=/etc/snort/rules/snort.rules
local_rule=/etc/snort/rules/local.rules
sid_msg=/etc/snort/sid-msg.map
sid_changelog=/var/log/sid_changes.log
sorule_path=/usr/local/lib/snort_dynamicrules/
snort_path=/usr/bin/snort
config_path=/etc/snort/snort.conf
sostub_path=/usr/local/snort/etc/rules/so_rules.rules
distro=Debian-Lenny
enablesid=/etc/snort/enablesid.conf
disablesid=/etc/snort/disablesid.conf
modifysid=/etc/snort/modifysid.conf
version=0.6.0
The section of pulledpork.pl referenced
Code:
if ( @base_url && -d $temp_path ) {

    if ( -d $temp_path . "tha_rules" ) {
        print
"\tdoh, we need to perform some cleanup ... an unclean run last time?\n"
          if ( $Verbose && !$Quiet );
        temp_cleanup($temp_path);
    }

    if ( !$NoDownload ) {

        foreach (@base_url) {

            #undef $Sostubs if ( $Textonly || ( $_ =~ /emergingthreats/ ) );
            my ( $base_url, $rule_file, $oinkcode ) = split( /\|/, $_ );
            croak
"You need to define an oinkcode, please review the rule_url section of the pulledpork config file!\n"
              unless $oinkcode;
            croak(
                "please define the rule_url correctly in the pulledpork.conf\n")
              unless defined $base_url;
            croak(

            if ( $base_url =~ /snort\.org/i ) {
                $prefix = "VRT-";
                unless ( $rule_file =~ /snortrules-snapshot-\d{4}\.tar\.gz/
                    || $rule_file =~ /opensource\.gz/ )
                {
                    croak(
"The specified Snort binary does not exist!\nPlease correct the value or specify the FULL",
                        " rules tarball name in the pulledpork.conf!\n"
                    ) unless $Snort;
                    my $Snortv = $Snort;
                    $Snortv =~ s/\.//g;
                    $rule_file = "snortrules-snapshot-$Snortv.tar.gz";
                }
            }
            elsif ( $base_url =~ /emergingthreats.net/ ) {
                $prefix = "ET-";
                my $Snortv = $Snort;
                $Snortv =~ s/(?<=\d\.\d\.\d)\.\d//;
                $base_url .= "$oinkcode/snort-$Snortv/";

                #$Textonly = 1;
            }

            $prefix = "Custom-" unless $prefix;

            $Hash = 1 unless $base_url =~ /(emergingthreats|snort.org)/;

            if ( !$Hash ) {
                $md5 = md5file( $oinkcode, $rule_file, $temp_path, $base_url );
            }
When I asked about this on my local lug I got no response and so moved on to try oinkmaster.
 
Old 03-20-2013, 08:09 PM   #9
rbees
Member
 
Registered: Mar 2004
Location: northern michigan usa
Distribution: Debian Squeeze, Whezzy, Jessie
Posts: 652

Original Poster
Rep: Reputation: 42
I have been through pulledpork.pl again and I do not understand how the path is being set. But then I am not a programmer either. I have tried copying the snort binary to /usr/local/bin, where I think it is put when installing from source, but still no joy.

In pulledpork.pl there are several lines like

use File::Path;
use File::Find;

and there is

my ( $Snort_config, $Snort_path, $Textonly, $grabonly, $ips_policy, );

But I can find no place where $Snort_path is actually defined.

So I am still clueless.
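An added example (not pulledpork's own code) that models the rule_url branch of pulledpork.pl quoted in post #8 and runs the two rule_url lines from that post's pulledpork.conf through it. In the quoted Perl the "Snort binary does not exist" croak is gated on $Snort, which the same block then strips of dots to build snortrules-snapshot-<digits>.tar.gz, so $Snort is a version string rather than the binary path asked about in post #9; the snort_version argument below stands in for $Snort, and the sample list and 2.9.0.5 version are assumptions.

```python
import re

# Constructed sample: the two rule_url lines from the pulledpork.conf posted above.
RBEES_RULE_URLS = [
    "https://www.snort.org/reg-rules/|snortrules-snapshot.tar.gz|MyOinkCode",
    "https://rules.emergingthreats.net/|emerging.rules.tar.gz|open",
]

class PulledPorkConfigError(Exception):
    """Stands in for the croak() calls in the quoted Perl."""


def resolve_rule_file(rule_url, snort_version=None):
    """Model of the rule_url handling in the quoted pulledpork.pl section.

    rule_url is 'base_url|rule_file|oinkcode'. snort_version plays the role of
    the script's $Snort: the Perl strips its dots and builds
    'snortrules-snapshot-<digits>.tar.gz', so $Snort is a version string, not
    the path to the snort binary. Returns (prefix, base_url, rule_file).
    """
    base_url, rule_file, oinkcode = (rule_url.split("|") + [None] * 3)[:3]
    if not oinkcode:
        raise PulledPorkConfigError("You need to define an oinkcode")
    prefix = None
    if re.search(r"snort\.org", base_url, re.I):
        prefix = "VRT-"
        if not (re.search(r"snortrules-snapshot-\d{4}\.tar\.gz", rule_file)
                or re.search(r"opensource\.gz", rule_file)):
            # rbees' tarball name has no 4-digit version, so this branch runs;
            # the croak fires when $Snort is empty, whatever /usr/bin/snort is.
            if not snort_version:
                raise PulledPorkConfigError(
                    "The specified Snort binary does not exist!")
            rule_file = "snortrules-snapshot-%s.tar.gz" % snort_version.replace(".", "")
    elif re.search(r"emergingthreats\.net", base_url):
        prefix = "ET-"
        # ET URLs use a three-part version; a fourth component is dropped.
        ver = re.sub(r"(?<=\d\.\d\.\d)\.\d", "", snort_version or "")
        base_url += "%s/snort-%s/" % (oinkcode, ver)
    return prefix or "Custom-", base_url, rule_file


def error_for(rule_url, snort_version=None):
    """Return the croak message a rule_url would trigger, or None if it parses."""
    try:
        resolve_rule_file(rule_url, snort_version)
    except PulledPorkConfigError as exc:
        return str(exc)
    return None
```

Calling error_for on the first posted rule_url with no version reproduces the misleading message, and the same line with a version resolves to a snortrules-snapshot-2905.tar.gz request instead.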
 
Old 03-21-2013, 02:37 AM   #10
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,132
Blog Entries: 54

Rep: Reputation: 2790
Quote:
Originally Posted by rbees View Post
Code:
c# oinkmaster -o /etc/snort/rules -c -v
(..)
Downloading file from http://www.snort.org/pub-bin/oinkmaster.cgi/*oinkcode*/snortrules-snapshot-2.8. 
--2013-03-19 19:44:17--  http://www.snort.org/pub-bin/oinkmaster.cgi/0a781b9ff1692198554915a60f3083d4z
Resolving www.snort.org... 23.23.143.143
Connecting to www.snort.org|23.23.143.143|:80... connected.
HTTP request sent, awaiting response... 403 Forbidden
2013-03-19 19:44:19 ERROR 403: Forbidden.
/usr/sbin/oinkmaster: Error: could not download from http://www.snort.org/pub-bin/oinkmaster.cgi/*oinz
Oink, oink. Exiting...
If you feed the complete tarball URI to, say, cURL or wget, does it 403 as well?