LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Old 01-31-2011, 05:56 AM   #1
konradk
LQ Newbie
 
Registered: Sep 2010
Posts: 2

Virtual Honeywall, snort 2.8.6, hflow2, rules update


Hi,

I have been involved in a student project about Virtual Honeynets.

One of its main aims is to design and implement a laptop-based detection system built on a virtual honeynet (Honeywall roo CDROM). Its main role is to analyze LAN traffic and alert accordingly.

I have tried to investigate whether Virtual Honeynets/honeypots using sebek could be implemented in a modern network environment.

Perhaps Honeynet framework is not suitable for new threats?!

One of the problems I have come across is out-of-date snort rules. roo-1.4 is based on snort 2.6, but rules are not available for this version. 2.8.6.1 is the lowest version available (Jan 2011).

I am stuck now with unsuccessful attempts to update rules on a system that has snort ver. 2
What I have done so far:
- Hwall was successfully updated using CentOS 5.5 repos,
- compiled and installed snort 2.8.6
- installed new set of rules 2.8.6.1 using oinkmaster

After the last step, when I issue the command
Code:
snort -T -c /etc/snort/snort.conf
I get
Code:
Segmentation fault
However, when snort is started, it works and logs packets with no errors.

After updating Honeywall and restarting, I get hflow error/s
Code:
starting hflow: premature failure
In /var/log/hflow/hflow.d I get:
Code:
cannot read file header from snort .. aborting
also it complains about not reading
Tried to restart/start/stop hflow several times and the error appears every time.
command:
Code:
service hflow start/stop/restart

On the honeywall forum http://www.mail-archive.com/honeywal.../msg01032.html jeffrey and mutziman were discussing patching snort 2.8.4 to work with hflow2.

Unfortunately, the lowest version of the snort rules update is 2.8.6.0.

Perhaps somebody could point me in the right direction.

I realize that the Honeynet project has not been developed for a while.


Configuration:
host: Toshiba laptop, 3 GB RAM, BackTrack 4 RC2, nemesis kernel 2.6.34
vmware: Workstation 7.1

honeynet:
VM1: roo-1.4, honeywall, 1 GB RAM, default config
yum repositories taken from a standard CentOS 5.5 installation
snort 2.8.6: compiled from source
snort rules: updated via oinkmaster
tcpdump 3.9.4
libpcap 0.9.4

Thanks
Konrad
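As an added diagnostic (not code from the thread or from the Honeywall project), this POSIX shell script checks that every include in a Snort 2.x snort.conf resolves on disk before running the config test, then classifies the exit status so the "Segmentation fault" above (shell status 139, i.e. 128+SIGSEGV) is told apart from a rule syntax error that Snort reports itself. The snort binary path in SNORT is an assumption.

```shell
# Added example, not code from the thread: checks every "include" in a Snort 2.x
# snort.conf resolves, then runs "snort -T" and classifies its exit status.

# List include targets missing on disk; "$RULE_PATH" is expanded from the
# config's own "var RULE_PATH" line, bare paths resolve against the config dir.
# Returns 0 when all includes resolve, 1 otherwise.
check_includes() {
    conf="$1"
    base=$(dirname "$conf")
    rule_path=$(awk '$1=="var" && $2=="RULE_PATH" {print $3; exit}' "$conf")
    missing=0
    for inc in $(awk '$1=="include" {print $2}' "$conf"); do
        case "$inc" in
            '$RULE_PATH'/*) f="$rule_path/${inc#*/}" ;;
            /*)             f="$inc" ;;
            *)              f="$base/$inc" ;;
        esac
        if [ ! -f "$f" ]; then
            echo "missing include: $f"
            missing=$((missing + 1))
        fi
    done
    [ "$missing" -eq 0 ]
}

# Explain the exit status of "snort -T -c <conf>": a shell reports 128+signal when
# the process dies by signal, so "Segmentation fault" is 139 (SIGSEGV = 11).
classify_status() {
    st="$1"
    if [ "$st" -eq 0 ]; then
        echo "config ok"
    elif [ "$st" -gt 128 ]; then
        sig=$((st - 128))
        if [ "$sig" -eq 11 ]; then
            echo "SIGSEGV: snort crashed while parsing, not a rule syntax error"
        else
            echo "killed by signal $sig"
        fi
    else
        echo "snort reported a fatal config/rule error (exit $st)"
    fi
}

# Run the include check, then the real config test (SNORT path is an assumption).
test_config() {
    check_includes "$1" || return 1
    "${SNORT:-/usr/local/bin/snort}" -T -c "$1" >/dev/null 2>&1
    classify_status $?
}
```

Call `test_config /etc/snort/snort.conf` after an oinkmaster run; a missing include is reported before Snort is ever started, and a crash is reported as such rather than as a bad rule.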
 
Old 02-01-2011, 04:14 AM   #2
Noway2
Senior Member
 
Registered: Jul 2007
Distribution: Gentoo
Posts: 2,125

Quote:
Unfortunately, lowest version of snort rules update is 2.8.6.0.
I know it doesn't help your situation, but one of the things I have noticed about snort is that they are relentless in their upgrade policy. Support for rules is only available for a certain, small, period of time following the release of new versions and version 2.6 is long out of date. While it may be inconvenient at times, I do understand why they would adopt this policy given the nature of the product.
 
Old 02-08-2011, 08:09 AM   #3
unixfool
Member
 
Registered: May 2005
Location: Northern VA
Distribution: Slackware, Ubuntu, FreeBSD, OpenBSD, OS X
Posts: 782
Blog Entries: 8

Why not use ET sigs? Would that be a bit better?

http://www.emergingthreats.net/ (ET)
 
Old 02-09-2011, 03:46 PM   #4
konradk
LQ Newbie
 
Registered: Sep 2010
Posts: 2

Original Poster
rules update et

Unixfool,
Thanks for the suggestion. To be honest, I have not considered this yet. If I get some time I will test ET signatures.
Konrad
 
Old 01-12-2012, 10:09 AM   #5
Ale_4
LQ Newbie
 
Registered: Jan 2012
Posts: 1

Hello. I'm working with the honeynet project and I have the same problem with snort. Did you find any solution? I'll be waiting for your answer. Thank you!

Ale
 