LinuxQuestions.org

LinuxQuestions.org (/questions/)
-   Linux - Security (http://www.linuxquestions.org/questions/linux-security-4/)
-   -   kernel panic after starting snort daemon (http://www.linuxquestions.org/questions/linux-security-4/kernel-panic-after-starting-snort-daemon-342281/)

dracolich 07-11-2005 07:30 PM

kernel panic after starting snort daemon
 
I consider myself more knowledgable than a newbie, but still far from an expert - thanks largely to the wealth of information on the site. :) Almost every question I've had, from installing the OS to fine-tuning the fs, I've found the answers here. Except this one.

This is my first posting here. I hope I include everything you need.
I have a headless box that I use as a masqdial server for my 56K dial-up connection. It's a P233 with 64MB RAM running Slackware 9.1, CL only, and the 2.4.24 kernel that came with it, customized only once to adjust netfiltering (IIRC). It's part of a small 802.11b network with no WEP. For networking it's running c-mserver-0.5.5 for masqdialing and samba-2.2.8 for sharing files. It runs an iptables firewall script created with Guarddog on another machine, then copied to this one. Because it's headless I use ssh when I need to access more than just a samba share. It's been running like this for almost a year with almost no problems - for days or weeks at a time.

Now the problem at hand: Because I haven't set WEP, and the fact that in my environment I can see nearby wireless routers, I want to boost my security. I intend to set WEP , but I also want to setup an IDS. Just this past weekend I downloaded and installed snort-2.3.3-i486-1stb.tgz from linuxpackages.net Then I installed the latest snort rules. When I run snort as a daemon the kernel panics within an hour. I get some logs for individual IP addresses, but the alert log stays empty.

Some Googling suggests that I might need to adjust a couple of lines in the iptables script to send packets to the queue. Is there more I need to do to configure snort? What could be causing the kernel panic?

Thanks in advance.

Krugger 07-13-2005 05:57 PM

Does you /var/log/messages or any other log show a reason for the panic?

setting a wep key iwconfig eth1 key xxxx-xxxx-xx and you do the same in the router.

I must however say that with the latest weplab it is crackable in about 10 minutes no matter the traffic or key length. So maybe you want to add some MAC filtering. This can also be overcome quite easily. As most network card allow to change the boards MAC. Although it kind of confuses the router when there are 2 boards with the same MAC. So you may consider WPA as an alternative to WEP.

I heard there is a WPA cracker going about but it still need a bit of time before cracking the WPA key.

dracolich 07-13-2005 06:33 PM

Thank you for your reply. I didn't know that about WEP able to be cracked so quickly. Something else to think about...

After rebooting and browsing the log files there's nothing in syslog in the last few minutes before. Messages only has a couple of --MARK--, ARPlog has lots of "who-has" for my router's and desktop's IP addresses, samba.smbmount has some "denied connection"s from 200.21.78.24 and 69.222.65.46. I don't recognize those IPs and I wasn't online at the time. Although snort wasn't logging anything to alert, it was logging for the seperate IP addresses on my network. In the minutes before the panic, every 1-2 minutes was a UDP packet from server:137 -> router:5846 and every 5 minutes from AA:AA:3:0:0:0 -> 0:D0:9:D2:D0:61. Also every 5 minutes from server:137 and 138 -> broadcast:137. The ARPlog, smbmount and frequent UDP packets to/from NetBIOS ports make me suspicious, as well as the MAC addresses. My equipment is all from the same vendor and neither of those vendor portions matches that of mine.

Am I right to be suspicous of these things? Is somebody trying to hack my network?

Krugger 07-14-2005 06:08 PM

who has is normal as that is how ARP gets resolved.

If those MAC aren't yours you probably are getting some traffic from networks near you.

That traffic is probably just the NetBIOS broadcasting that they are there, that is how windows can autodetect the available share.

A couple of attempts to mount you shares is quite common in the internet. If those share are not visible from the internet then maybe just a guy wardriving around with his laptop trying to find open wireless networks like yours. If you have a limit on your internet downloads beware of people downloading stuff as they don't care about your limits.


All times are GMT -5. The time now is 11:37 PM.