Linux - Security
This forum is for all security-related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
I have been working on getting snort set up for a couple of weeks now on a new external host that I am building.
The system is Debian Squeeze, all updates regularly installed. All software is installed from the Debian repos, not from source.
Snort is installed and functioning correctly as far as I can tell at this time. The issue I am having is in understanding just what I need to have installed/configured to have the Snort rules automatically updated.
Indicates that in order for Snort to log to MySQL I need to have barnyard/2 or similar installed. I have acidbase installed and working properly, and it appears that the events are being logged to MySQL, as the data reported by acidbase changes regularly. But I do NOT have barnyard or similar installed. So I don't understand how the MySQL database is being logged to. If my database is being updated, do I need to install barnyard?
I have also tried to set up oinkmaster to pull the updated rules files, but I am getting a "permission denied" error. Yes, I do have an oinkcode.
Not exactly an answer (for that you would need to show at least 'grep -v ^# oinkmaster.conf|grep .;' details plus a verbose run of Oinkmaster) but try what Sourcefire promotes: http://code.google.com/p/pulledpork/? Wrt speed it's simple: binary logging with Barnyard(2) is faster than (interpreted) human-readable text logging.
I have looked at PulledPork2 but hesitate to install it because it is not in the debian repos. That presents an update issue for me as then I have to monitor the app for updates and manually install it. All of which takes time that is very limited for me. So I would really rather use oinkmaster instead.
# oinkmaster -o /etc/snort/rules -c -v
Adding file to ignore list: local.rules.
Adding file to ignore list: deleted.rules.
Adding file to ignore list: snort.conf.
Found gzip binary in /bin
Found tar binary in /bin
Downloading file from http://www.snort.org/pub-bin/oinkmaster.cgi/*oinkcode*/snortrules-snapshot-2.8.
--2013-03-19 19:44:17-- http://www.snort.org/pub-bin/oinkmaster.cgi/0a781b9ff1692198554915a60f3083d4z
Resolving www.snort.org... 126.96.36.199
Connecting to www.snort.org|188.8.131.52|:80... connected.
HTTP request sent, awaiting response... 403 Forbidden
2013-03-19 19:44:19 ERROR 403: Forbidden.
/usr/sbin/oinkmaster: Error: could not download from http://www.snort.org/pub-bin/oinkmaster.cgi/*oinz
Oink, oink. Exiting...
I do have PulledPork installed, but it is also having issues. Here lately my average has gotten pretty low. Seems like everything I try fails.
Not being able to devote lots of time to this project results in forgetting things. I had tried PulledPork before and ran into this problem.
# /usr/local/bin/pulledpork.pl -c /etc/snort/pulledpork.conf -T -l
`--==\\ / PulledPork v0.6.1 the Smoking Pig <////~
.-~~~~-.Y|\\_ Copyright (C) 2009-2011 JJ Cummings
@_/ / 66\_ firstname.lastname@example.org
| \ \ _(")
\ /-| ||'--' Rules give me wings!
The specified Snort binary does not exist!
Please correct the value or specify the FULL rules tarball name in the pulledpork.conf!
at /usr/local/bin/pulledpork.pl line 1736
YES, THE BINARY DOES EXIST, if it is talking about the Snort binary. But I was not able to find out where to set the path.
I have been through pulledpork.pl again and I do not understand how the path is being set. But then I am not a programmer either. I have tried copying the Snort binary to /usr/local/bin, where I think it is put when installing from source, but still no joy.
In pulledpork.pl there are several lines like
and there is
my ( $Snort_config, $Snort_path, $Textonly, $grabonly, $ips_policy, );
But I can find no place where $Snort_path is actually defined.
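As an added example (not code from this thread or from the PulledPork project), the following Python script reads a pulledpork.conf-style key=value file and verifies that the Snort binary and Snort configuration it names actually exist and are usable, which is the condition behind the "specified Snort binary does not exist" message quoted above. The key names snort_path and config_path are assumed here to be the ones PulledPork reads; the sample configuration text and the temporary fake binary are constructed inside the script so it runs offline.

```python
"""Sanity-check a pulledpork.conf before running PulledPork.

Added example, not part of the thread. Assumes the config uses key=value
lines with the keys snort_path= and config_path= (assumed names).
"""
import os
import tempfile


def parse_conf(text):
    """Parse key=value lines; blank lines and full-line '#' comments are skipped.

    Only whole-line comments are dropped, so a '#' inside a value
    (for example inside a URL) is preserved.
    """
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        conf[key.strip()] = value.strip()
    return conf


def check_paths(conf):
    """Return a list of problems with snort_path/config_path; empty means OK."""
    problems = []

    snort = conf.get("snort_path")
    if not snort:
        problems.append("snort_path is not set")
    elif not os.path.isfile(snort):
        problems.append("snort_path %r does not exist" % snort)
    elif not os.access(snort, os.X_OK):
        problems.append("snort_path %r is not executable" % snort)

    cfg = conf.get("config_path")
    if not cfg:
        problems.append("config_path is not set")
    elif not os.path.isfile(cfg):
        problems.append("config_path %r does not exist" % cfg)

    return problems


def demo():
    """Build a constructed good and bad config in a temp dir and check both."""
    workdir = tempfile.mkdtemp()

    # Constructed stand-in for the Snort binary: a tiny executable shell script.
    snort_bin = os.path.join(workdir, "snort")
    with open(snort_bin, "w") as fh:
        fh.write("#!/bin/sh\nexit 0\n")
    os.chmod(snort_bin, 0o755)

    # Constructed empty snort.conf so config_path resolves.
    snort_conf = os.path.join(workdir, "snort.conf")
    open(snort_conf, "w").close()

    good_text = "# constructed sample\nsnort_path=%s\nconfig_path=%s\n" % (
        snort_bin, snort_conf)
    # Points at files that do not exist under the temp dir.
    bad_text = "snort_path=%s\nconfig_path=%s\n" % (
        os.path.join(workdir, "missing", "snort"),
        os.path.join(workdir, "missing", "snort.conf"))

    return check_paths(parse_conf(good_text)), check_paths(parse_conf(bad_text))


if __name__ == "__main__":
    good, bad = demo()
    print("good config problems:", good)
    print("bad config problems:", bad)
```

Running it prints an empty list for the constructed good config and two "does not exist" entries for the bad one; pointing the same check at a real /etc/snort/pulledpork.conf (read the file and pass its text to parse_conf) shows which of the two paths PulledPork would reject before the tool is run.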