Linux - Security
This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
It's giving me two problems which I can't figure out how to fix, because there's no consistency in either of the problems.
Problem 1
This script won't execute on bootup, and even though I'm not changing the script at all, sometimes it will work if I manually execute it; other times it will seem to execute fine but a `ps -ef | grep snort` doesn't turn up anything.
root@localhost:# ls -l /etc/rc.d/rc.snort
-rwxr-xr-x 1 root root 1045 Nov 20 00:12 rc.snort*
Code:
#!/bin/sh
#
# Created Honeynet Project <project@honeynet.org>
# March 18, 2000
#
# Updated November 07, 2003 <lance@honeynet.org>
#
# PURPOSE:
# Used to launch snort for daily automated IDS
#
# Set variables
# Keep the PATH explicit: at boot almost nothing is inherited from the
# environment, so every helper (date, cat, mkdir, chown) must be found here.
PATH=/bin:/usr/bin:/usr/local/bin
PID=/var/run/snort_eth0.pid
DIR=/var/log/snort
DATE=`date +%Y%m%d`
SNORT=/usr/local/bin/snort
IFACE=eth0
# Unprivileged account snort drops to. The original script used $USER in
# chown and in the option notes below but never set it; at boot $USER is
# empty, so chown ran with a missing operand.
USER=nobody
### Kill snort
if [ -s "$PID" ]; then
  PRO=`cat "$PID"`
  echo ""
  echo "Previous version of Snort running"
  echo "Killing Snort, PID $PRO"
  echo ""
  # SIGTERM lets snort flush its logs and exit cleanly; a stale PID file
  # would otherwise make the next run try to kill a process that is gone.
  kill "$PRO" 2>/dev/null
  rm -f "$PID"
fi
# Make directory based on date, if already exists do nothing.
if [ ! -d "$DIR/$DATE" ]; then
  mkdir -p "$DIR/$DATE"
  chown "$USER" "$DIR/$DATE"
fi
# Snort options explanation
# -b log packets in tcpdump format
# -c configuration file
# -d log packet details
# -D daemon mode
# -i interface in our case eth0
# -l log directory
# -Q (used ONLY with Snort-Inline for QUEUE mode)
# -u $USER run snort as UID $USER in our case nobody
### Start Snort
# -u added so snort actually runs as the account the log directory was
# chowned to; the original invocation omitted it and ran as root.
"$SNORT" -D -c /etc/snort/etc/snort.conf -i "$IFACE" -l "$DIR/$DATE" -u "$USER"
exit 0
Problem 2
I've only gotten it to log portscans once, by changing the 3 to 1 in the snort.conf line below. After that I decided to see what happens when I use option 2. When I changed it to 2 it stopped logging again, but I figured that's cool, I'll just change it back to 1. I did, and it still wouldn't log the portscans despite the switching of the numbers being the only change I made.
I am certainly no expert on Snort, which is why I use Webmin for certain things. I rarely have to reboot but often tweak rules and settings within Snort so running a startup script for the Snort daemon(s) seemed useless and I never tried it. I start Snort in Webmin like so (this is always changing):
I know you can put snort.conf pretty much anywhere, but mine is /etc/snort/snort.conf by default.
? - Are you attempting to initialize snort on an interface that isn't up yet?
?? - Are you sniffing int or ext -i?
??? - Did you enable portscan2 and conversation? This will produce so many alerts you'll want to set some 'preprocessor portscan2-ignorehosts'
???? - Did you try setting var EXTERNAL_NET !$HOME_NET ?
! - I use Snort/ACID/MySql combo and Webmin for administrating. I can be more specific about this arrangement but would need more info on your setup to be of any further assistance.
Get the pig's config fine tuned before putting it in RC.
Well, the script problem sort of fixed itself. Although it won't execute on reboot, I can now execute it manually and it will work. I don't get it. I've got a dual boot and rebooted numerous times while trying to get snort to detect portscans, and since I rebooted today it has worked if I execute it manually. Hell, who knows, maybe it will spontaneously start to execute on bootup tomorrow even though I didn't change the script in any way.
Unfortunately it still isn't detecting port scans. I edited one of the porn rules to alert for website traffic of Microsoft and that works fine. Hopefully the other rules work and the portscan detection is the only one that isn't. Could my firewall rules be blocking port scans? I have tried nmap -sS against my local, external, and loopback IPs and even used grc.com and it's not detecting anything.
I don't know why snort didn't create a /etc/snort.conf. I ran ./configure, make, make install, or however the README suggested. Where did it put your snort rules? Did it create any snort directory?
I don't recommend running snort. I know a couple of guys who run a small webhosting company, and together we tried to get snort to report accurately for quite some time, but you can never really count on it.
I forgot I had some iptables rules to block different types of scans. I deleted them and snort was able to detect *some* of them. I'm making progress...
Originally posted by nrunge:
I don't recommend running snort. I know a couple of guys who run a small webhosting company, and together we tried to get snort to report accurately for quite some time, but you can never really count on it.
//Apologies to Jiggy for an OT remark, but I feel it's necessary to step in.
Nrunge, IMNSHO you can't spread FUD like that. Please explain what Snort can't do, where you people failed or retract your statement.
TIA.
FWIW -- I get zilch from snort's original portscan preprocessor. I guess this is because I'm not sniffing the ext wire. I do get numerous int spp_portscan2 alerts, however. As an example of what to expect from this, I get alerts from my NTP server, MSN Messenger and really, really busy webpages. Its default is to report 6 hosts 6 ports and I've seen thresholds ranging from 1 to thousands of seconds.
It is possible to have snort running ill-configured where you'll see nada. I've seen that movie and its sequel. Use Nmap on one of your hosts to see. Generate an icmp alert. Start and stop that pig with different options until it's right. Don't even sniff around outside until you're 100% configured inside. Try using ACID with Snort to view and manipulate results.
BTW -- Since you are attempting to run snort at bootup and maybe think you can leave it alone as you tweak it, you should be aware that you must restart the daemon for any changes to take effect. I used Webmin to install and configure the Pig and its MySQL pen. I don't know how your syslog can handle all the mkdir/date stuff 'cause I ain't a real guru...jus a farmer. Maybe using a database structure is the better way to go...werks 4 me. Don't forget to ./configure --with-mysql. I have to keep it simple, so I depend initially on the Webmin GUI, then migrate to the shell as I become more acquainted with the software. Plus it is a time saver if you can find no better reason to use it. No one has to know if you don't tell, and you can even use SSL with Webmin...
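For reference, here is an annotated snort.conf fragment of the Snort 2.0 portscan lines the thread keeps circling (the original portscan line whose two numbers were toggled, and portscan2 with its conversation prerequisite and ignorehosts). This is an added example, not any poster's configuration; the two ignorehosts addresses are constructed.

```conf
# snort reads this file only at start-up: restart the daemon after editing.

# --- Original portscan preprocessor ---
# Format: <monitored network> <number of ports> <detection period in seconds> <log file>
# An alert fires when one source touches that many distinct ports on a
# $HOME_NET host inside the period. $HOME_NET must contain the host being
# scanned, and a scan of 127.0.0.1 never crosses eth0, so a sniffer on
# eth0 cannot see it.
preprocessor portscan: $HOME_NET 4 3 portscan.log
# Hosts that legitimately hit many ports (your resolvers) are excluded
# so they do not bury the real alerts.
preprocessor portscan-ignorehosts: $DNS_SERVERS

# --- portscan2 ---
# It depends on the conversation preprocessor, which must be loaded first.
preprocessor conversation: allowed_ip_protocols all, timeout 60, max_conversations 3000
# target_limit = distinct hosts, port_limit = distinct ports, timeout = window (s).
# Lower limits mean more alerts from chatty services like NTP or IM clients.
preprocessor portscan2: scanners_max 256, targets_max 1024, target_limit 5, port_limit 20, timeout 60
# Constructed example: an NTP server and an IM client on the LAN that
# would otherwise trip portscan2 every few minutes.
preprocessor portscan2-ignorehosts: 192.168.1.10/32 192.168.1.20/32
```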
Thanks, yeah, I'm having the same problem with having to use spp_portscan2 to detect any port scans. I'm not getting too many logs though... I dunno if that's a good or bad thing, 'cause I could be missing some.
ACID seems very cool, but since I'm not getting many logs I don't think I need something like that now. Is there a lighter alternative to ACID? I remember hearing something about "colorlogs"; maybe that would work?
I'm not saying that snort is not a good work in progress. I had snort set up logging to ACID; it seemed to work really nicely, but I seemed to have the problem of either too many reports or not enough. It was very present when I started running Nessus and I knew what the attacks were. I found Snort to be very inaccurate. Eventually we opted for a commercial product, and although I admit it is less versatile than Snort it is far more accurate. I was not trying to bash on what it can't do, just what it seems to do poorly. One thing I have been curious about, however (considering that I have not really messed with snort for quite a few months), is if Snort has the ability to examine encapsulated SQL data, and if it cannot, is there an open source solution out there that will.
I can relate to the "work-in-progress" statement. I used snort 1.8.6 for a year and a half because it took this farmer quite a while to get it right. I left it alone cuz I didn't want to screw it up. Then a few weeks back I decided to update. I went with 2.0.2, then along came 2.0.3 with core dump issues, so I moved to 2.0.4 (current) and now 2.0.5 is just out.
About SQL rules in snort, I only see a few rules in my install and both look for connection attempts in an established stream. I guess it all depends on what you really want to sniff, what is important to your network. I'm no expert but the more deeply you inspect a packet, the higher the overhead required.
Snort fulfills all my expectations and more (cuz I only use half of the pig's features) for a small home network. I am alerted to rogue web sites the family is browsing, unacceptable content and vain attempts to remotely infiltrate network services through inside clients. What more could a farmer ask for? I believe my tractor is safe in the barn; snort will tell me if someone's sneaking around peeking in the windows or toying with the locks.
This farmer has many more tools in the shed besides the alert pigs in the pen. You have to find what works for you. I find that by keeping 'Tripwires' and a 'pot-o-honey' on the 'Bastille', I can be better informed/protected. If only I could get that scarecrow werking....
Thread recap:
I believe it's best to log alerts to a database - i.e. MySQL
I have had no problems viewing/manipulating alerts through ACID - requires Apache or other server
More Rules = Greater system resources required
Less Resources = More Dropped Packets and Less Alerts