LinuxQuestions.org
Old 07-11-2005, 07:30 PM   #1
dracolich
Senior Member
 
Registered: Jul 2005
Distribution: Slackware
Posts: 1,173

Rep: Reputation: 47
kernel panic after starting snort daemon


I consider myself more knowledgeable than a newbie, but still far from an expert - thanks largely to the wealth of information on the site. Almost every question I've had, from installing the OS to fine-tuning the fs, I've found the answers here. Except this one.

This is my first posting here. I hope I include everything you need.
I have a headless box that I use as a masqdial server for my 56K dial-up connection. It's a P233 with 64MB RAM running Slackware 9.1, CL only, and the 2.4.24 kernel that came with it, customized only once to adjust netfiltering (IIRC). It's part of a small 802.11b network with no WEP. For networking it's running c-mserver-0.5.5 for masqdialing and samba-2.2.8 for sharing files. It runs an iptables firewall script created with Guarddog on another machine, then copied to this one. Because it's headless I use ssh when I need to access more than just a samba share. It's been running like this for almost a year with almost no problems - for days or weeks at a time.

Now the problem at hand: Because I haven't set WEP, and the fact that in my environment I can see nearby wireless routers, I want to boost my security. I intend to set WEP, but I also want to set up an IDS. Just this past weekend I downloaded and installed snort-2.3.3-i486-1stb.tgz from linuxpackages.net. Then I installed the latest snort rules. When I run snort as a daemon the kernel panics within an hour. I get some logs for individual IP addresses, but the alert log stays empty.

Some Googling suggests that I might need to adjust a couple of lines in the iptables script to send packets to the queue. Is there more I need to do to configure snort? What could be causing the kernel panic?

Thanks in advance.
 
Old 07-13-2005, 05:57 PM   #2
Krugger
Member
 
Registered: Oct 2004
Posts: 229

Rep: Reputation: 30
Does your /var/log/messages or any other log show a reason for the panic?

Setting a WEP key: iwconfig eth1 key xxxx-xxxx-xx, and you do the same in the router.

I must however say that with the latest weplab it is crackable in about 10 minutes no matter the traffic or key length. So maybe you want to add some MAC filtering. This can also be overcome quite easily, as most network cards allow changing the board's MAC. Although it kind of confuses the router when there are 2 boards with the same MAC. So you may consider WPA as an alternative to WEP.

I heard there is a WPA cracker going about but it still needs a bit of time before cracking the WPA key.
 
Old 07-13-2005, 06:33 PM   #3
dracolich
Senior Member
 
Registered: Jul 2005
Distribution: Slackware
Posts: 1,173

Original Poster
Rep: Reputation: 47
Thank you for your reply. I didn't know that about WEP being able to be cracked so quickly. Something else to think about...

After rebooting and browsing the log files there's nothing in syslog in the last few minutes before. Messages only has a couple of --MARK--, ARPlog has lots of "who-has" for my router's and desktop's IP addresses, samba.smbmount has some "denied connection"s from 200.21.78.24 and 69.222.65.46. I don't recognize those IPs and I wasn't online at the time. Although snort wasn't logging anything to alert, it was logging for the separate IP addresses on my network. In the minutes before the panic, every 1-2 minutes was a UDP packet from server:137 -> router:5846 and every 5 minutes from AA:AA:3:0:0:0 -> 00:920:61. Also every 5 minutes from server:137 and 138 -> broadcast:137. The ARPlog, smbmount and frequent UDP packets to/from NetBIOS ports make me suspicious, as well as the MAC addresses. My equipment is all from the same vendor and neither of those vendor portions matches that of mine.

Am I right to be suspicious of these things? Is somebody trying to hack my network?
 
Old 07-14-2005, 06:08 PM   #4
Krugger
Member
 
Registered: Oct 2004
Posts: 229

Rep: Reputation: 30
"who-has" is normal, as that is how ARP gets resolved.

If those MACs aren't yours you probably are getting some traffic from networks near you.

That traffic is probably just the NetBIOS broadcasting that they are there; that is how Windows can autodetect the available shares.

A couple of attempts to mount your shares is quite common on the internet. If those shares are not visible from the internet then maybe it's just a guy wardriving around with his laptop trying to find open wireless networks like yours. If you have a limit on your internet downloads beware of people downloading stuff as they don't care about your limits.
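Added example, not part of this thread or of snort: a small Python triage script that applies the explanations in post #4 to log lines in the shape post #3 describes (ARP who-has, NetBIOS UDP chatter, samba "denied connection"). The LAN range 192.168.1.0/24 and all private addresses are constructed assumptions; only the two public addresses come from the thread.

```python
import ipaddress
import re
from collections import Counter

# Assumed LAN range for the example (constructed; the thread never states one).
LAN = ipaddress.ip_network("192.168.1.0/24")
NETBIOS_PORTS = {137, 138, 139}

# Constructed sample events in the shape the thread describes; the two public
# addresses are the ones quoted in post #3, the private ones are made up.
SAMPLE_EVENTS = [
    "arp who-has 192.168.1.1 tell 192.168.1.10",
    "udp 192.168.1.10:137 -> 192.168.1.255:137",
    "udp 192.168.1.10:138 -> 192.168.1.255:138",
    "udp 192.168.1.10:137 -> 192.168.1.1:5846",
    "smb denied connection from 200.21.78.24",
    "smb denied connection from 69.222.65.46",
    "smb denied connection from 192.168.1.77",
]

def classify(line):
    """Return (verdict, reason) for one log line: normal, review or attention."""
    if line.startswith("arp who-has"):
        return "normal", "ARP request; this is how IP-to-MAC resolution works"
    m = re.match(r"udp (\S+):(\d+) -> (\S+):(\d+)$", line)
    if m:
        src, dst = ipaddress.ip_address(m.group(1)), ipaddress.ip_address(m.group(3))
        ports = {int(m.group(2)), int(m.group(4))}
        if src in LAN and dst in LAN and ports & NETBIOS_PORTS:
            return "normal", "NetBIOS name-service chatter between local hosts"
        if src in LAN and dst not in LAN:
            return "review", "UDP from the LAN to an outside address"
        return "review", "unexpected UDP flow"
    m = re.match(r"smb denied connection from (\S+)$", line)
    if m:
        peer = ipaddress.ip_address(m.group(1))
        if peer in LAN:
            return "review", "local host refused by samba; identify the device"
        return "attention", "SMB attempt from outside; confirm 137-139 are filtered at the border"
    return "review", "unrecognised line"

def triage(lines):
    """Count verdicts over a batch of lines."""
    return Counter(classify(line)[0] for line in lines)

if __name__ == "__main__":
    for line in SAMPLE_EVENTS:
        verdict, reason = classify(line)
        print(f"{verdict:9} {line}  # {reason}")
    print(dict(triage(SAMPLE_EVENTS)))
```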