Linux - Security forum (LinuxQuestions.org)
I have been working on getting snort set up for a couple of weeks now on a new external host that I am building.
The system is Debian Squeeze, all updates regularly installed. All software is installed from the debian repos, not from source.
Snort is installed and functioning correctly as far as I can tell at this time. The issue I am having is in understanding just what I need to have installed/configured to have the snort rules automatically updated.
Indicates that in order for snort to log to mysql I need to have barnyard/2 or similar installed. I have acidbase installed and working properly and it appears that the events are being logged to mysql as the data reported by acidbase is changed regularly. But I do NOT have barnyard or similar installed. So I don't understand how the mysql database is being logged to. If my database is being updated do I need to install barnyard?
I have also tried to set up oinkmaster to pull the updated rules files but I am getting a "permission denied" error. Yes I do have an oinkcode.
Quote:
Originally Posted by rbees
If my database is being updated do I need to install barnyard?
AFAIK if you enable database logging in snort.conf you don't need Barnyard(2).
Quote:
Originally Posted by rbees
I have also tried to setup oinkmaster to pull the updated rules files but I am getting a "permission denied" error.
Post actual errors, process, directory and file ownership and permissions, maybe verbose or debug logging if Oinkmaster can show that, stuff like that.
Barnyard is not compulsory, but it will help you to improve the performance of snort. If Barnyard is not in place then logging activities may consume more resources.
Not exactly an answer (for that you would need to show at least 'grep -v ^# oinkmaster.conf|grep .;' details plus a verbose run of Oinkmaster) but try what Sourcefire promotes: http://code.google.com/p/pulledpork/? Wrt speed it's simple: binary logging with Barnyard(2) is faster than (interpreted) human-readable text logging.
I have looked at PulledPork2 but hesitate to install it because it is not in the debian repos. That presents an update issue for me as then I have to monitor the app for updates and manually install it. All of which takes time that is very limited for me. So I would really rather use oinkmaster instead.
Code:
c# oinkmaster -o /etc/snort/rules -c -v
Loading /etc/oinkmaster.conf
Adding file to ignore list: local.rules.
Adding file to ignore list: deleted.rules.
Adding file to ignore list: snort.conf.
Found gzip binary in /bin
Found tar binary in /bin
Downloading file from http://www.snort.org/pub-bin/oinkmaster.cgi/*oinkcode*/snortrules-snapshot-2.8.
--2013-03-19 19:44:17-- http://www.snort.org/pub-bin/oinkmaster.cgi/0a781b9ff1692198554915a60f3083d4z
Resolving www.snort.org... 23.23.143.143
Connecting to www.snort.org|23.23.143.143|:80... connected.
HTTP request sent, awaiting response... 403 Forbidden
2013-03-19 19:44:19 ERROR 403: Forbidden.
/usr/sbin/oinkmaster: Error: could not download from http://www.snort.org/pub-bin/oinkmaster.cgi/*oinz
Oink, oink. Exiting...
I do have PulledPork installed but it is also having issues. Here lately my average has gotten pretty low. Seems like everything I try fails.
Not being able to devote lots of time to this project results in forgetting things. I had tried pulledpork before and ran into this problem.
Code:
# /usr/local/bin/pulledpork.pl -c /etc/snort/pulledpork.conf -T -l
http://code.google.com/p/pulledpork/
_____ ____
`----,\ )
`--==\\ / PulledPork v0.6.1 the Smoking Pig <////~
`--==\\/
.-~~~~-.Y|\\_ Copyright (C) 2009-2011 JJ Cummings
@_/ / 66\_ cummingsj@gmail.com
| \ \ _(")
\ /-| ||'--' Rules give me wings!
\_\ \_\\
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
The specified Snort binary does not exist!
Please correct the value or specify the FULL rules tarball name in the pulledpork.conf!
at /usr/local/bin/pulledpork.pl line 1736
YES THE BINARY DOES EXIST, if it is talking about the snort binary. But I was not able to find out where to set the path.
I have been through pulledpork.pl again and I do not understand how the path is being set. But then I am not a programmer either. I have tried copying the snort binary to /usr/local/bin where I think it is put when installing from source but still no joy.
In pulledpork.pl there are several lines like
use File::Path;
use File::Find;
and there is
my ( $Snort_config, $Snort_path, $Textonly, $grabonly, $ips_policy, );
But I can find no place where $Snort_path is actually defined.
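Two pre-flight checks for the two failures in this thread, written as an added example that is not from the thread nor from the PulledPork or Oinkmaster projects. It assumes the snort_path= key of pulledpork.conf (the value PulledPork copies into $Snort_path) and a rules directory passed to oinkmaster -o; the config it parses is a constructed sample, not a real pulledpork.conf.

```shell
#!/bin/sh
# Added example; not from the thread or from the PulledPork/Oinkmaster projects.
# 1. PulledPork's "specified Snort binary does not exist" is raised when the
#    snort_path= value in pulledpork.conf is not an executable file; the script
#    reads the config into a hash and copies that value into $Snort_path, which
#    is why no plain assignment to it is visible in pulledpork.pl.
# 2. Oinkmaster's "permission denied" is checked the way the reply above asks:
#    can the invoking user actually write to the directory given to -o?

# Print the last uncommented snort_path= value in a pulledpork.conf-style file;
# return 1 if no such key exists.
pp_snort_path() {
    val=$(grep -v '^[[:space:]]*#' "$1" \
          | sed -n 's/^[[:space:]]*snort_path=[[:space:]]*//p' | tail -n 1)
    [ -n "$val" ] || return 1
    printf '%s\n' "$val"
}

# 0: snort_path names an executable file; 1: key missing; 2: file absent or
# not executable (the case behind the PulledPork error above).
check_snort_binary() {
    path=$(pp_snort_path "$1") || return 1
    [ -x "$path" ] || return 2
}

# 0 if the directory given to "oinkmaster -o" exists and is writable by the
# current user, otherwise 1.
check_rules_dir() {
    [ -d "$1" ] && [ -w "$1" ]
}

# Walk-through on a constructed config and a throwaway directory; on the host
# in the thread the real paths would be /etc/snort/pulledpork.conf and
# /etc/snort/rules.
demo() {
    tmp=$(mktemp -d)
    : > "$tmp/snort" && chmod 755 "$tmp/snort"   # stand-in for the binary
    printf '# constructed sample, not a full pulledpork.conf\nsnort_path=%s\n' \
        "$tmp/snort" > "$tmp/pulledpork.conf"
    check_snort_binary "$tmp/pulledpork.conf" && echo "snort_path OK: $tmp/snort"
    printf 'snort_path=%s\n' "$tmp/absent-snort" > "$tmp/pulledpork.conf"
    check_snort_binary "$tmp/pulledpork.conf" || echo "snort_path check failed, status $?"
    check_rules_dir "$tmp" && echo "rules dir $tmp is writable"
    check_rules_dir "$tmp/no-such-rules" || echo "rules dir unusable: $tmp/no-such-rules"
    rm -rf "$tmp"
}
demo
```

Run it as the same user that runs oinkmaster and pulledpork.pl, since the writability result depends on who is asking.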