LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Old 11-08-2005, 05:19 PM   #1
skoot
Member
portsentry


hello
I've installed portsentry and after typing 'make install' got this:
Creating psionic directory /usr/local/psionic
Setting directory permissions
Creating portsentry directory /usr/local/psionic/portsentry
Setting directory permissions
chmod 700 /usr/local/psionic/portsentry
Copying files
cp ./portsentry.conf /usr/local/psionic/portsentry
cp ./portsentry.ignore /usr/local/psionic/portsentry
cp ./portsentry /usr/local/psionic/portsentry
cp: cannot stat `./portsentry': No such file or directory
make: *** [install] Error 1

When I try 'portsentry -stcp' I get: -bash: portsentry: command not found

Please help, or at least tell me how to uninstall portsentry! (Some of its config files were placed correctly in my directories despite the error.)

Also, is there no built-in program in Linux for fulfilling portsentry's task?

 
Old 11-08-2005, 08:10 PM   #2
unSpawn
Moderator
First of all, please DITCH Portsentry and install Snort. Unlike Portsentry, Snort is actively developed, maintained, performs way better and is backed by a huge community.


when i try 'portsentry -stcp' i get: -bash: portsentry: command not found
That's because portsentry resides in /usr/local/psionic/portsentry, which is not in your PATH, so either do "PATH=$PATH:/usr/local/psionic/portsentry" or "/usr/local/psionic/portsentry/portsentry (args)".


please help or at least tell me how to uninstall portsentry
If "make uninstall" doesn't work (I doubt it), do "make -n install | less" to see where the script tries to put stuff.
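The dry-run trick above prints the cp/mkdir/chmod commands the install target would execute. As an added example (not code from the thread or from the portsentry project), here is a small POSIX sh filter that turns that output into the list of files the install created, which is exactly what you need to remove by hand when there is no uninstall target. The sample dry-run text is constructed to match the shape of the lines in the first post; the path-handling heuristic (a destination that an earlier mkdir created, or that ends in "/", is a directory) is an assumption.

```sh
#!/bin/sh
# Constructed dry-run output in the shape "make -n install" prints for the
# portsentry Makefile (modelled on the cp/chmod lines in the thread, not
# captured from a real run).
SAMPLE_DRYRUN='mkdir /usr/local/psionic
chmod 700 /usr/local/psionic
mkdir /usr/local/psionic/portsentry
chmod 700 /usr/local/psionic/portsentry
cp ./portsentry.conf /usr/local/psionic/portsentry
cp ./portsentry.ignore /usr/local/psionic/portsentry
cp ./portsentry /usr/local/psionic/portsentry
chmod 600 /usr/local/psionic/portsentry/portsentry.conf'

# is_dir PATH: true if PATH was created by an earlier mkdir in the same output
is_dir() { case " $DIRS " in *" $1 "*) return 0 ;; esac; return 1; }

# install_targets: read dry-run output on stdin and print one destination
# path per line for every file a cp/install line would create, so you know
# exactly what "make install" touched and what to remove by hand.
install_targets() {
    DIRS=""
    while IFS= read -r line; do
        set -- $line
        case "$1" in
            mkdir)
                shift
                while [ $# -gt 0 ]; do case "$1" in -*) shift ;; *) break ;; esac; done
                [ $# -gt 0 ] && DIRS="$DIRS $1" ;;
            cp|install)
                shift
                # skip option words such as -p or -m 755
                while [ $# -gt 0 ]; do
                    case "$1" in -m|-o|-g) shift 2 ;; -*) shift ;; *) break ;; esac
                done
                [ $# -ge 2 ] || continue
                src=$1
                eval dst=\${$#}
                # a destination that is a known directory (or ends in /) gets
                # the source basename appended; otherwise it is the file itself
                case "$dst" in
                    */) printf '%s%s\n' "$dst" "${src##*/}" ;;
                    *)  if is_dir "$dst"; then printf '%s/%s\n' "$dst" "${src##*/}"
                        else printf '%s\n' "$dst"; fi ;;
                esac ;;
        esac
    done
}

# uninstall_plan: same input, but as rm commands to review before running
uninstall_plan() { install_targets | sed 's/^/rm -f /'; }

printf '%s\n' "$SAMPLE_DRYRUN" | uninstall_plan
```

Against a real tree you would run `make -n install | uninstall_plan`, read the list, and only then execute it; the directories created by mkdir are left for you to remove once they are empty. Note that the failed install in the first post copied the two config files but never the binary, which is why the dry run is the reliable way to see what actually landed.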
 
Old 11-10-2005, 11:35 AM   #3
skoot
Member
Original Poster
snort

I have Snort now, but upon './configure' I got:
ERROR! Libpcre header not found, go get it from
http://www.pcre.org

Nothing hard here, I hear you say. pcre.org says this of libpcre:
The PCRE library is a set of functions that implement regular expression pattern matching using the same syntax and semantics as Perl 5.

Once downloaded, where should I save the library functions to (i.e. what directory)?
Also, I would love to know what the above sentence means.
 
Old 11-10-2005, 06:58 PM   #4
unSpawn
Moderator
Well, in your profile you show "FC3" as distribution of choice, so that means you could install the rpm of snort. If it's not in the FC3 repo, then Google DAG for Snort. Installing the rpm *should* pick up any dependencies to install as well.

If you persist in building from source (laudable, even if only for the experience) then you must make sure you have installed pcre before you build Snort. Unpack, cd into the dir and follow the instructions in the README and INSTALL textfiles.
 
Old 11-11-2005, 07:50 PM   #5
skoot
Member
Original Poster
Your advice doesn't seem to have fared me well; I now have even more needed dependencies now that I downloaded the rpm.
I get:
[root@localhost snort]# rpm -ihv snort-2.3.3-1.1.fc3.rf.x86_64.rpm
warning: snort-2.3.3-1.1.fc3.rf.x86_64.rpm: V3 DSA signature: NOKEY, key ID 6b8d79e6
error: Failed dependencies:
libc.so.6()(64bit) is needed by snort-2.3.3-1.1.fc3.rf.x86_64
libc.so.6(GLIBC_2.2.5)(64bit) is needed by snort-2.3.3-1.1.fc3.rf.x86_64
libc.so.6(GLIBC_2.3)(64bit) is needed by snort-2.3.3-1.1.fc3.rf.x86_64
libm.so.6()(64bit) is needed by snort-2.3.3-1.1.fc3.rf.x86_64
libnsl.so.1()(64bit) is needed by snort-2.3.3-1.1.fc3.rf.x86_64
libpcap.so.0.8.3()(64bit) is needed by snort-2.3.3-1.1.fc3.rf.x86_64
libpcre.so.0()(64bit) is needed by snort-2.3.3-1.1.fc3.rf.x86_64


Snort somehow doesn't feel impressive anymore. I want a smooth installation.
What can I do to make this work!?

 
Old 11-12-2005, 09:58 AM   #6
unSpawn
Moderator
your advice doesnt seem to have fared me well; i now have even more needed dependancies now that i downloaded the rpm.
If you have a 64-bit box then it makes sense to install the 64bit version of Snort, and to install Snort you must satisfy dependencies. Doesn't come any easier.
 
Old 11-13-2005, 08:36 AM   #7
skoot
Member
Original Poster
snort

Oops! Sorry!! 64-bit!
I have a 64-bit processor but not 64-bit Linux - I guess I should snort a 32-bit.
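Posts #5 through #7 turn on two things the rpm output already told the poster: every unmet dependency carries a "(64bit)" tag, so the package is x86_64 while the userland is not, and the "V3 DSA signature: NOKEY" warning means rpm could not verify the package because the repository's signing key was never imported. The following POSIX sh script is an added example, not code from the thread or from any rpm tool, that performs both checks offline: it reads the architecture from the package filename, compares it with the userland architecture (what `rpm --eval '%{_arch}'` reports, which on a 64-bit CPU running a 32-bit distribution is i?86, not x86_64), counts the 64-bit dependency lines, and flags the unverified signature. The compatibility rules in `arch_compatible` (i?86 packages also installable on an x86_64 userland that has 32-bit compatibility libraries) are an assumption stated in the code; the rpm output is reproduced as a constructed string.

```sh
#!/bin/sh
# Constructed copy of the package name and rpm error text from the thread,
# embedded so the check runs without the file or a network.
SAMPLE_RPM='snort-2.3.3-1.1.fc3.rf.x86_64.rpm'
SAMPLE_OUTPUT='warning: snort-2.3.3-1.1.fc3.rf.x86_64.rpm: V3 DSA signature: NOKEY, key ID 6b8d79e6
error: Failed dependencies:
libc.so.6()(64bit) is needed by snort-2.3.3-1.1.fc3.rf.x86_64
libpcre.so.0()(64bit) is needed by snort-2.3.3-1.1.fc3.rf.x86_64'

# rpm_file_arch FILE: the architecture is the last dot-separated field
# before the .rpm suffix (name-version-release.arch.rpm)
rpm_file_arch() {
    f=${1##*/}
    f=${f%.rpm}
    printf '%s\n' "${f##*.}"
}

# userland_arch: what the installed rpm database considers native. This is
# what matters, not the CPU model: a 64-bit CPU running a 32-bit
# distribution is an i?86 system as far as rpm is concerned.
userland_arch() {
    rpm --eval '%{_arch}' 2>/dev/null || uname -m
}

# arch_compatible RPM_ARCH SYS_ARCH: 0 if the package can run on that
# userland. Assumed rules: noarch runs anywhere; x86_64 needs an x86_64
# userland; i?86 runs on i?86, and on x86_64 only with 32-bit compat libs.
arch_compatible() {
    case "$1" in
        noarch) return 0 ;;
        x86_64) [ "$2" = x86_64 ] ;;
        i?86)   case "$2" in i?86|x86_64) return 0 ;; esac; return 1 ;;
        *)      [ "$1" = "$2" ] ;;
    esac
}

# missing_64bit_deps OUTPUT: count "(64bit)" dependency lines; a non-zero
# count on a 32-bit userland means the wrong architecture was downloaded
missing_64bit_deps() {
    printf '%s\n' "$1" | grep -c '(64bit) is needed by' || true
}

# signature_unverified OUTPUT: NOKEY means rpm could not check the
# signature because the signing key is not imported, so the package has
# not been authenticated at all
signature_unverified() {
    printf '%s\n' "$1" | grep -q 'signature: NOKEY'
}

# check_rpm FILE SYS_ARCH OUTPUT: print findings, return 1 if the package
# should not be installed as-is
check_rpm() {
    rc=0
    a=$(rpm_file_arch "$1")
    if ! arch_compatible "$a" "$2"; then
        echo "arch mismatch: package is $a, userland is $2"
        rc=1
    fi
    n=$(missing_64bit_deps "$3")
    [ "$n" -gt 0 ] && echo "$n unmet 64-bit library dependencies"
    if signature_unverified "$3"; then
        echo "signature not verified: import the repository key (rpm --import KEYFILE), then run rpm -K $1"
        rc=1
    fi
    return $rc
}

check_rpm "$SAMPLE_RPM" i686 "$SAMPLE_OUTPUT" || echo "do not install this package"
```

In real use replace the literal `i686` with `$(userland_arch)` and the embedded string with the captured output of `rpm -ihv`. The key point a practitioner would add to this thread: satisfying dependencies is not enough when the package came from a third-party repository found through a web search; import that repository's key first so the NOKEY warning becomes a real signature check.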
 
Old 11-13-2005, 08:51 AM   #8
skoot
Member
Original Poster
snort

Okay, I got the .tar.gz of (supposedly 32-bit) Snort and got

ERROR! Libpcre header not found, go get it from
http://www.pcre.org

Once downloaded, where should I save the libpcre header file to?

 
Old 11-13-2005, 03:31 PM   #9
unSpawn
Moderator
Like I said 2 posts ago: unpack the pcre archive, cd into the dir and follow the instructions in the README and INSTALL texts.
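The question in posts #3 and #8 ("where should I save the header file?") has the answer implied by post #4 and #9: you do not copy pcre.h anywhere by hand; building pcre from source and running `make install` puts pcre.h under the chosen prefix's include directory and libpcre under its lib directory (by default /usr/local), and Snort's configure then has to be told where that is if it is not a standard path. As an added example, not code from the thread or from the Snort or PCRE projects, the POSIX sh helpers below locate pcre.h and libpcre across a list of prefixes and emit the `--with-libpcre-includes` and `--with-libpcre-libraries` options that Snort 2.x's configure script accepts. The prefix list and the directory layout (PREFIX/include, PREFIX/lib, PREFIX/lib64) are assumptions.

```sh
#!/bin/sh
# find_pcre_header PREFIX...: print the first PREFIX/include that holds pcre.h
find_pcre_header() {
    for p in "$@"; do
        [ -f "$p/include/pcre.h" ] && { printf '%s\n' "$p/include"; return 0; }
    done
    return 1
}

# find_pcre_lib PREFIX...: print the first PREFIX/lib or PREFIX/lib64 that
# holds a shared or static libpcre
find_pcre_lib() {
    for p in "$@"; do
        for d in "$p/lib" "$p/lib64"; do
            for f in "$d"/libpcre.so "$d"/libpcre.so.* "$d"/libpcre.a; do
                [ -e "$f" ] && { printf '%s\n' "$d"; return 0; }
            done
        done
    done
    return 1
}

# snort_pcre_flags PREFIX...: emit the ./configure options that tell Snort
# where pcre lives, so its "Libpcre header not found" check passes
snort_pcre_flags() {
    inc=$(find_pcre_header "$@") || { echo "pcre.h not found under: $*" >&2; return 1; }
    lib=$(find_pcre_lib "$@") || { echo "libpcre not found under: $*" >&2; return 1; }
    printf -- '--with-libpcre-includes=%s --with-libpcre-libraries=%s\n' "$inc" "$lib"
}

# Demo against the prefixes a source build of pcre normally uses. The
# build recipe in the message is the generic README/INSTALL sequence.
snort_pcre_flags /usr/local /usr \
  || echo "build and install pcre first: tar xzf pcre-*.tar.gz && cd pcre-* && ./configure && make && make install && ldconfig"
```

Typical use after a default source install of pcre: `./configure $(snort_pcre_flags /usr/local /usr)` in the Snort tree. Run `ldconfig` once after installing into /usr/local/lib, or the Snort binary will build but fail to find libpcre.so at run time.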
 
Old 11-14-2005, 06:39 AM   #10
skoot
Member
Original Poster
Wow; cool! It works!!
Thank you very much for your help.

I am confused about one thing in the instructions on the running of Snort:
the need to specify the home network IP (e.g. snort -dev -l <ip.ip.ip.ip> -c snort.conf).
It says this affects the name of the directories that messages are logged to.
Does this mean each individual event gets logged to its own file?
If so, how do I change it to one static file?

Also, is my home IP the one my ISP gives me each time I connect?
 
Old 11-14-2005, 09:09 AM   #11
unSpawn
Moderator
wow; cool! it works!!
Ahhh... finally.


It says this affects the name of the directories that messages are logged to.
Does this mean each individual event gets logged to its own file?

Yes. Check the "-l" (logdir) option and you should see something like /var/log/snort/IPs/logfiles.


how do i change it to one static file?
Go for binary logging (see snort.conf for details). Way faster compared to text logging because it doesn't need to parse out all details. You will need to install Barnyard to parse binary Snort logs though. It's at Snort.org in the contrib section.


also; is my home ip the one my isp gives me each time i connect?
If you're not on a LAN: yes.
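Two switches are being conflated in the question: in Snort 2.x `-l <dir>` is the log directory and `-h <net>` is the home network; the home network is what decides which end of a connection names the per-address directory that the text packet logger creates under the log directory. The script below is an added example, not code from the thread or from Snort, that builds a constructed log tree in that layout (LOGDIR/<remote address>/<PROTO>:<sport>-<dport>, one file per session, plus a top-level alert file; the addresses and contents are made up), collates it into one static file, and writes the minimal snort.conf output section for the binary (unified) logging suggested above. The unified directive syntax is Snort 2.x's; the file names and the 128 MB roll limit are placeholders.

```sh
#!/bin/sh
# make_sample_logdir: constructed tree in the text packet logger's layout,
# created under a temp dir so the rest runs offline
make_sample_logdir() {
    d=$(mktemp -d)
    mkdir -p "$d/10.0.0.5" "$d/192.0.2.7"
    printf '11/14-10:01:02 10.0.0.5:3145 -> 203.0.113.9:80 TCP SYN\n' > "$d/10.0.0.5/TCP:3145-80"
    printf '11/14-10:01:05 10.0.0.5:3146 -> 203.0.113.9:22 TCP SYN\n' > "$d/10.0.0.5/TCP:3146-22"
    printf '11/14-10:02:11 192.0.2.7 -> 203.0.113.9 ICMP ECHO\n' > "$d/192.0.2.7/ICMP_ECHO"
    printf '[**] [1:469:1] ICMP PING NMAP [**]\n' > "$d/alert"
    printf '%s\n' "$d"
}

# count_sessions LOGDIR: number of per-session files across all address dirs
count_sessions() {
    find "$1" -mindepth 2 -type f | wc -l | tr -d ' '
}

# collate_logs LOGDIR OUTFILE: merge every per-session file into one static
# file, each block preceded by a header that keeps the address and session
# the directory layout encoded; prints the number of sessions merged
collate_logs() {
    : > "$2"
    find "$1" -mindepth 2 -type f | sort | while IFS= read -r f; do
        rel=${f#"$1"/}
        printf '=== %s ===\n' "$rel" >> "$2"
        cat "$f" >> "$2"
    done
    grep -c '^=== ' "$2" || true
}

# write_unified_conf FILE HOME_NET: output section for binary logging. Two
# unified streams (alerts and packet logs) are written, rolled at 128 MB;
# Barnyard reads these and renders them as text, syslog or pcap.
write_unified_conf() {
    cat > "$1" <<EOF
var HOME_NET $2
output alert_unified: filename snort.alert, limit 128
output log_unified: filename snort.log, limit 128
EOF
}

LOGDIR=$(make_sample_logdir)
echo "sessions logged: $(count_sessions "$LOGDIR")"
echo "sessions merged: $(collate_logs "$LOGDIR" "$LOGDIR/all-sessions.log")"
write_unified_conf "$LOGDIR/snort.conf" 192.168.1.0/24
rm -rf "$LOGDIR"
```

With the generated conf the run line becomes `snort -h 192.168.1.0/24 -l /var/log/snort -c snort.conf`, and the per-address directories are no longer produced because the unified output plugins replace text packet logging. On a dynamic ISP address the `-h` value changes with every connection; on a LAN behind a router it is the private subnet, which is the case the reply above sets aside.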
 
Old 11-14-2005, 05:32 PM   #12
skoot
Member
Original Poster
OK.
Can't Snort and tcpdump also convert the binaries?
 
Old 11-14-2005, 07:57 PM   #13
unSpawn
Moderator
LOL. I'll go into WayBack Archive Mode and serve you my answer from 2003 at whitehats.com :-] Logtopcap.c is here.
 
Old 11-16-2005, 04:34 PM   #14
skoot
Member
Original Poster
'The connection was refused when attempting to contact whitehats.com'
The above link can't be followed; aaaargh.
 
Old 11-17-2005, 08:03 AM   #15
unSpawn
Moderator
Oh well, bottom line is you *will* need Barnyard to turn Snort's unified logging into human-readable ones and logtopcap to convert to packet captures (pcap) readable by "tcpdump -r".
 