(All Variants) Intrusion Detection (Archive) - Ubuntu Forums
http://www.idsia.ch/%7Ejuergen/galaxy180grey.jpg
Quote :
Paranoia will get you through times of no enemies better than enemies will get you through times of no paranoia
~ Pete Granger
Contents
Introduction ~ post #1
Install Snort ~ post #2 (http://ubuntuforums.org/showpost.php?p=5786055&postcount=2)
Configure snort ~ post #3 (http://ubuntuforums.org/showpost.php?p=5786252&postcount=3)
Install base ~ post #4 (http://ubuntuforums.org/showpost.php?p=5786356&postcount=4)
Using snort / base ~ post #5 (http://ubuntuforums.org/showpost.php?p=5786477&postcount=5)
Install ossec-hids ~ post #6 (http://ubuntuforums.org/showpost.php?p=5786503&postcount=6)
Install ossec-hids web interface ~ post #7 (http://ubuntuforums.org/showpost.php?p=5786522&postcount=7)
Using ossec-hids ~ post #8 (http://ubuntuforums.org/showpost.php?p=5786575&postcount=8)
Introduction
This post is quite long, and for what I hope is greater readability, I have broken it into separate posts.
In a nutshell, HIDS monitors your system files for unauthorized changes. Examples of this type of monitoring
methodology include scanning for viruses, tripwire (http://sourceforge.net/projects/tripwire/), Tiger
(http://www.nongnu.org/tiger/), rkhunter (http://rkhunter.sourceforge.net/), and chkrootkit
(http://www.chkrootkit.org/).
Similarly, NIDS monitors your network traffic for DOS attacks, port scans, or other suspicious network activity.
Examples include watching your firewall in Windows for alerts, snort (http://www.snort.org/), or Wireshark
(http://www.wireshark.org/).
Although there are other options, both for applications and configuration, in this tutorial I will show you how to install
ossec-hids and snort:
Snort :
Snort will monitor your network traffic by checking packets against "rules". We will configure snort to log "alerts" to a
mysql database. We will then use base to display this information in a web browser (Firefox). Although seemingly
foreign at first, base is a very nice web based gui front end for snort. Base is basically point and click and contains
numerous links to help interpret alerts.
SNORT is an open source network intrusion prevention and detection system utilizing a rule-driven language, which
combines the benefits of signature, protocol and anomaly based inspection methods. With millions of downloads to
date, Snort is the most widely deployed intrusion detection and prevention technology worldwide and has become the
de facto standard for the industry.
https://ubuntuforums.org/archive/index.php/t-919472.html 1/62
8/16/2017 [all variants] Intrusion Detection [Archive] - Ubuntu Forums
Note : Snort will not work with wireless interfaces, you need to use airsnort (http://airsnort.shmoo.com/) instead.
OSSEC-HIDS :
OSSEC-HIDS will monitor your log files, monitor the integrity of system files, check for root kits, and perform active
response. Active response means ossec will blacklist (block connections from) potential crackers "automagically".
OSSEC is an Open Source Host-based Intrusion Detection System. It performs log analysis, integrity checking,
Windows registry monitoring, rootkit detection, real-time alerting and active response. OSSEC will, amongst other
things, monitor snort and blacklist offending ip addresses.
Note : There are of course other options for HIDS, NIDS, as well as alternate configuration options for both snort and
ossec.
1. Installing from source (don't worry I will walk you through it).
4. If you wish to access base and the OSSEC web interface from outside your LAN you will need to know how to
configure your router (you do have a router, don't you?). In addition, be sure to understand the security implications
of running LAMP. You may also wish to use .htaccess (http://www.javascriptkit.com/howto/htaccess.shtml) or ssl
(http://www.tc.umn.edu/%7Ebrams006/selfsign_ubuntu.html).
Reference: community/ApacheMySQLPHP
5. Installing and configuring snort will take some time, give yourself a few hours.
So either add "sudo" in front of these commands or open a terminal and obtain a root shell:
sudo -i
You will need to download a set of rules for snort. The downloads page is here :
http://www.snort.org/pub-bin/downloads.cgi
1. prep ~ Install the various tools and dependencies for Snort and OSSEC.
For reference : /community/Repositories/ApacheMySQLPHP
During the installation of these applications, make note of (write down) your mysql root password.
2. Obtain snort source code ~ be sure to check the snort home page (http://www.snort.org/) for updated versions of
snort.
Although snort is in the repositories you will need to compile snort yourself. This is because the binary in Ubuntu does
not have support for snort logging to a mysql database enabled.
This procedure has been tested (and is working) on both 32-bit and 64-bit architectures.
cd /usr/src
wget http://www.snort.org/dl/current/snort-2.8.3.tar.gz
tar zxvf snort-2.8.3.tar.gz
3. Obtain a set of rules. Snort uses rules to examine packets and report suspicious activity to your logs and mysql.
In order to get a set of rules you have a set of options listed on the snort rules page (http://www.snort.org/pub-
bin/downloads.cgi)
The "Community Rules", at the bottom of the page, are available without any further registration. For a more "up to
date" set of rules you must either register or subscribe.
wget http://www.snort.org/the_rules_you_wish_to_use
cd snort-2.8.3
tar zxvf ../snortrules*
In addition you may be interested in obtaining a copy of "bleeding" rules from here :
Bleeding Edge Threats (http://www.bleedingthreats.net/)
You can keep your rules up to date with oinkmaster (http://oinkmaster.sourceforge.net/features.shtml). Oinkmaster
is in the repos.
cd /usr/src/snort-2.8.3/rules
wget http://www.bleedingthreats.net/rules/bleeding-all.rules
4. Compile snort :
cd /usr/src/snort-2.8.3
./configure --enable-dynamicplugin --with-mysql
make
make install
Snort *should* compile and install without errors.
If, however, you do get errors when compiling snort, see This thread (http://ubuntuforums.org/showthread.php?
t=1040886)
Configure mysql
Next we need to configure a mysql database for snort to use for alerts.
mysql -u root -p
Enter your mysql password for root (you did write it down, didn't you ?)
You will get a mysql prompt "mysql>". I will use this prompt to indicate commands entered in mysql (as opposed to
the command line) you do not need to enter the "mysql >".
Consider changing the name of the database to something other than "snort".
Consider changing the name of the mysql user to something other than "snort" (in 'snort'@'localhost').
Change the password to something other than "snort_password".
Now, back at the command line, import the snort database schema.
We need to configure snort and write a start script, and add a cron job.
If things are too quiet, and snort goes a few hours without logging an alert to mysql, snort loses the connection with
mysql. You then need to restart snort to re-establish a connection with the mysql database.
First let's create a user for snort. Again, change the user name if you wish.
adduser snort
Enter a password (it does not matter, we will be locking the account anyway).
cd /usr/src/snort-2.8.3
mkdir -p /etc/snort/rules /var/log/snort
chown -R root.snort /var/log/snort
chmod -R 770 /var/log/snort
cp etc/* /etc/snort/
cp rules/* /etc/snort/rules
We next need to make a few edits to /etc/snort/snort.conf :
Using any editor, open /etc/snort/snort.conf and make the following changes :
Change "var HOME_NET any" to "var HOME_NET 192.168.0.0/16" (use your own network and netmask here).
Change "var EXTERNAL_NET any" to "var EXTERNAL_NET !$HOME_NET". This sets the external variable to everything
other than your network.
Change "var RULE_PATH ../rules" to "var RULE_PATH /etc/snort/rules". This tells snort where to find the rule set.
Search for "mysql" or scroll down the list to the section with "# output database: log, mysql, user= ...", remove the
"#" at the front of this line and change the syntax to :
output database: log, mysql, user=snort password=snort_password dbname=snort host=localhost
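As an added example (editor's code, not bodhi.zazen's script and not anything shipped with Snort), here is a small shell script that does the mysql side and the snort.conf side from one set of credentials, so the GRANT and the output line cannot drift apart (a mismatch there is the usual reason alerts never reach the database). The database name, user name and password are constructed placeholders, the snort.conf excerpt is constructed from just the lines the guide edits, and the GRANT ... IDENTIFIED BY form is the MySQL 5.x syntax of the period. Pipe the SQL into mysql -u root -p as root, then import the snort schema as described above.

```bash
#!/bin/sh
# Added example, not part of the guide: derive the MySQL grant and the snort.conf
# output line from the same three values so they can never disagree.

# Emit the SQL for the alert database and a least-privilege user for snort.
# Refuses the guide's placeholder password so it cannot end up in production.
snort_db_sql() {
    db="$1"; user="$2"; pass="$3"
    case "$pass" in
        ''|snort|snort_password)
            echo "snort_db_sql: choose a real password, not '$pass'" >&2
            return 1 ;;
    esac
    cat <<EOF
CREATE DATABASE $db;
GRANT INSERT, SELECT, UPDATE, CREATE, DELETE ON $db.* TO '$user'@'localhost' IDENTIFIED BY '$pass';
FLUSH PRIVILEGES;
EOF
}

# Apply the four snort.conf edits from the guide (write to a temp file and rename,
# which works with GNU and BSD sed alike). A password containing '|' or '&' would
# need escaping for sed; keep those characters out of this simple version.
configure_snort_conf() {
    conf="$1"; home_net="$2"; db="$3"; user="$4"; pass="$5"
    sed -e "s|^var HOME_NET any\$|var HOME_NET $home_net|" \
        -e 's|^var EXTERNAL_NET any$|var EXTERNAL_NET !$HOME_NET|' \
        -e 's|^var RULE_PATH \.\./rules$|var RULE_PATH /etc/snort/rules|' \
        -e "s|^# output database: log, mysql, .*|output database: log, mysql, user=$user password=$pass dbname=$db host=localhost|" \
        "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
}

# Read back the value of a 'var NAME value' line so the edit can be verified.
snort_var() { sed -n "s/^var $2 //p" "$1"; }

# Read back the active (uncommented) database output line.
snort_db_output() { grep '^output database:' "$1"; }

# --- demo on a constructed snort.conf excerpt ---------------------------------
SNORT_DEMO_CONF=$(mktemp)
cat > "$SNORT_DEMO_CONF" <<'EOF'
# constructed excerpt of snort.conf (only the lines the guide edits)
var HOME_NET any
var EXTERNAL_NET any
var RULE_PATH ../rules
# output database: log, mysql, user=snort password=snort_password dbname=snort host=localhost
EOF

# Constructed, non-default names: the guide's point is that snort/snort_password must change.
DB=snort_alerts; DBUSER=snortlog; DBPASS='R3place-me-with-a-random-one'

configure_snort_conf "$SNORT_DEMO_CONF" 192.168.0.0/16 "$DB" "$DBUSER" "$DBPASS"
snort_db_sql "$DB" "$DBUSER" "$DBPASS"      # pipe this into: mysql -u root -p
snort_var "$SNORT_DEMO_CONF" HOME_NET       # 192.168.0.0/16
snort_db_output "$SNORT_DEMO_CONF"
```

The whitelist and interface settings of the init script are a separate matter; this only covers the database credentials and the four snort.conf lines.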
The only "problem" with installing snort from source is that we now need a script to start snort. The other issue is that
if there are no alerts, snort will lose its connection with the mysql database.
Now let's look at the code. You need to look at two lines.
The first is your interface. The default is eth0. If you wish to use snort on an alternate interface, such as eth1, you will
need to edit the line IFACE="eth0" and change "eth0" to "eth1".
Note : Snort will not work with wireless interfaces, you need to use airsnort (http://airsnort.shmoo.com/) instead.
The second option is to whitelist ip addresses. I advise you do this with caution, but you *may* wish to whitelist IP
addresses such as your router and your public ip address.
To whitelist an IP, add it to the line WHITELIST='' (note that is two single quotes, ' ', and not a double quote "), one
ip at a time, separated by a space, like this :
WHITELIST='127.0.0.1 192.168.1.1'
Now that you are done editing the file, set ownership and permissions :
My script has a 20 second sleep built in (sometimes when you start snort it will fail after a 10-15 second delay). To
avoid adding 20 seconds to your boot time, use the "boot" option.
exec /etc/init.d/snort boot
Add this single line above "exit 0" if you have an exit 0 in the file.
Did I mention, Snort may lose the connection to the mysql database if no alerts are received for several hours
(which can happen once we eliminate false positives and install OSSEC-HIDS)? In addition, if you clear your data in
base you may need to re-start snort.
/etc/init.d/snort restart
The script will use zenity (a gui interface) if you have it installed (zenity is included in a default
Ubuntu or Xubuntu desktop installation, but you will need to add it if you are running Kubuntu). On servers, without X,
the script will run without zenity (the script runs either with or without X). In addition, if you run the script as a user
you will need to be in the admin group and will be prompted for your password (unless you are in the 15 minute grace
period for sudo/gksu).
Base is a web interface for snort and the snort alerts. See the "using base" section for a brief introduction.
cd
wget http://easynews.dl.sourceforge.net/sourceforge/secureideas/base-1.3.9.tar.gz
Note : Later versions of base do not work (with Ubuntu at least).
cd /var/www
tar zvxf ~/base-1.3.9.tar.gz
mv base-1.3.9 base
cd base
cp -R /usr/src/snort-2.8.3/doc/signatures .
cd ..
chown -R www-data.www-data base
Install a few Pear modules:
pear install Image_Color Image_Canvas-alpha Image_Graph-alpha
Configure apache to use php5, using any editor (nano) :
DirectoryIndex index.html index.cgi index.pl index.php index.xhtml
Save your changes and re-start apache:
Sometimes when setting up base, after this first step I get a white page; just repeat step 1.
Step 2 of 5:
Database type = MySQL, Database name = snort, Database Host = localhost, Database username = snort, Database
Password = snort_password
Step 3 of 5: If you want to use authentication (used to log into the web interface) enter a username and password
here and check the box.
Step 5 of 5: once step 4 is done at the bottom click on Now continue to step 5 and log in.
Congratulations ! You should now see something that looks like this :
http://bodhizazen.net/img/IDS/base_1_sm.JPG (http://bodhizazen.net/img/IDS/base_1.JPG)
Click to enlarge picture
You can password protect the base directory with .htaccess (http://www.javascriptkit.com/howto/htaccess.shtml)
and/or use ssl (http://blog.offbytwo.com/2008/01/22/apache2-ssl-in-ubuntu-710-gutsy/).
Although seemingly foreign, everything in base is point and click. Click on your alerts for example and they will be
listed. Click on various links and you will be brought to web page(s) where the alert is explained in more detail.
http://bodhizazen.net/img/IDS/base_1_sm.JPG (http://bodhizazen.net/img/IDS/base_1.JPG)
Click to enlarge picture
Click on the blue "19" by "Total Number of Alerts" and base will show you ...
http://bodhizazen.net/img/IDS/base_2_sm.JPG (http://bodhizazen.net/img/IDS/base_2.JPG)
Click to enlarge picture
Alerts :
#0-(72-1) [nessus] [local] [snort] WEB-MISC robots.txt access 2008-09-07 08:38:48 74.6.17.188:34357 192.168.1.3:80 TCP
Clicking on the [nessus] (http://www.nessus.org/plugins/index.php?view=single&id=10302), [local], or [snort]
(http://www.snort.org/pub-bin/sigs.cgi?sid=1:1852) takes you to a web page explaining the alert.
Click on the ip address (74.6.17.188) to go to a page where you can select a link to look up the offending ip.
http://bodhizazen.net/img/IDS/base_3_sm.JPG (http://bodhizazen.net/img/IDS/base_3.JPG)
On this second page, click on ARIN (http://ws.arin.net/whois/?queryinput=74.6.17.188) (or any other) which will take
us to a page where we can see this ip address belongs to Yahoo.com
===============
#18-(72-19) [snort] (http_inspect) NON-RFC DEFINED CHAR 2008-09-11 16:49:57 192.168.1.5:52093 192.168.1.3:80 TCP
Here we only have the option [snort] which takes us to :
http://www.snort.org/pub-bin/sigs.cgi?sid=119:14
This alert was generated by my portscan to show the active response of ossec (see below).
When you first install snort, you will likely get a large number of alerts. Most of these are legitimate traffic (false
positives).
YOU WILL NEED TO RESEARCH EACH ALERT AND DETERMINE IF YOU ARE VULNERABLE. IF SO, FIX YOUR
VULNERABILITY.
For false positives, once you have confirmed an alert is indeed either a false positive or legitimate traffic, either
modify or comment out the rule (writing snort rules is beyond this tutorial; see How to write snort rules
(http://www.snort.org/docs/snort_htmanuals/htmanual_2.4/node14.html)).
Note: There are better ways of managing robots.txt, see the snort links and apache documentation, I am using this
only as an example of editing snort rules.
/etc/snort/rules/web-misc.rules:# NOTES: this signature looks for someone accessing the file "robots.txt" via
/etc/snort/rules/web-misc.rules:# engines) more efficient. robots.txt is often used to inform a web spider
/etc/snort/rules/web-misc.rules:# Verify that the robots.txt does not include any sensitive information.
/etc/snort/rules/web-misc.rules:alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC robots.txt access"; flow:to_server,established; uricontent:"/robots.txt"; nocase; metadata:service http; reference:nessus,10302; classtype:web-application-activity; sid:1852; rev:4;)
So now open /etc/snort/rules/web-misc.rules and comment out the line:
sudo nano -w /etc/snort/rules/web-misc.rules
Hit Ctrl-W to search, search for "robots.txt" (without quotes). Keep hitting Ctrl-W to go to the next robots.txt.
When you find the appropriate line (the one that starts with "alert"), add a # to the front of the line.
Re-start snort.
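As an added example (not from the guide), the same edit driven by the rule's SID instead of a text search. The rules file excerpt is constructed (the robots.txt rule mirrors the one quoted above) and the "disabled-by-sid" marker is my own convention. Because it keys on the SID it can simply be re-run after a rule update replaces the file, which is exactly where a hand-commented line gets lost. Restart snort afterwards, as above.

```bash
#!/bin/sh
# Added example, not from the guide: comment out a Snort rule by SID. Idempotent,
# because a commented line no longer starts with "alert" and so is not matched twice.

# disable_sid SID FILE...  comments out every active rule carrying exactly that SID.
disable_sid() {
    sid="$1"; shift
    for f in "$@"; do
        sed "/^alert .*sid:[[:space:]]*$sid;/s/^/# disabled-by-sid /" "$f" > "$f.tmp" \
            && mv "$f.tmp" "$f"
    done
}

# active_sid_count FILE SID  prints how many active (uncommented) rules carry the SID.
active_sid_count() {
    grep -c "^alert .*sid:[[:space:]]*$2;" "$1" || true   # grep exits 1 on zero matches
}

# --- demo on a constructed rules file -----------------------------------------
RULES_DEMO=$(mktemp)
cat > "$RULES_DEMO" <<'EOF'
# constructed excerpt; the robots.txt rule mirrors the one quoted in the guide
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC robots.txt access"; flow:to_server,established; uricontent:"/robots.txt"; nocase; reference:nessus,10302; classtype:web-application-activity; sid:1852; rev:4;)
alert icmp any any -> any any (msg:"ICMP Test Rule"; sid:1000005;)
EOF

disable_sid 1852 "$RULES_DEMO"
disable_sid 1852 "$RULES_DEMO"            # second run is a no-op
active_sid_count "$RULES_DEMO" 1852       # 0
active_sid_count "$RULES_DEMO" 1000005    # 1, the other rule is untouched
```

On a real install the call is disable_sid 1852 /etc/snort/rules/*.rules, and the list of SIDs you have disabled is worth keeping in a file so the script can be re-run after every rule update.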
Once you have managed the false positives, watch for repeat offenders. If I see an IP address persistently triggering
snort, I black list it in iptables.
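One way to find those repeat offenders from the alert file instead of eyeballing base, as an added example that is not part of the guide: the alert lines are constructed in Snort's "fast" alert format (the addresses mirror the base listing above), and the script prints the iptables rule rather than running it, so the address can be checked against your own hosts before it is applied as root.

```bash
#!/bin/sh
# Added example, not from the guide: count Snort alerts per source address,
# skip our own hosts, and print (not run) the iptables blacklist rule.

# repeat_offenders THRESHOLD "WHITELIST"  reads Snort 'fast' alert lines on stdin and
# prints every source IP seen at least THRESHOLD times that is not whitelisted.
repeat_offenders() {
    threshold="$1"; whitelist="$2"
    # keep only the source address from "{PROTO} src[:port] -> dst[:port]"
    sed -n 's/.*{[A-Z]*} \([0-9][0-9.]*\)\(:[0-9]*\)\{0,1\} -> .*/\1/p' |
        sort | uniq -c |
        awk -v t="$threshold" -v w="$whitelist" '
            BEGIN { n = split(w, a, " "); for (i = 1; i <= n; i++) skip[a[i]] = 1 }
            $1 >= t && !($2 in skip) { print $2 }'
}

# blacklist_rule IP  prints the rule that drops all traffic from IP (does not apply it).
blacklist_rule() { echo "iptables -I INPUT -s $1 -j DROP"; }

# --- constructed sample alerts in Snort's 'fast' format -----------------------
SAMPLE_ALERTS='09/07-08:38:48.000001  [**] [1:1852:4] WEB-MISC robots.txt access [**] [Priority: 2] {TCP} 74.6.17.188:34357 -> 192.168.1.3:80
09/07-08:40:11.000002  [**] [1:1852:4] WEB-MISC robots.txt access [**] [Priority: 2] {TCP} 74.6.17.188:34390 -> 192.168.1.3:80
09/07-09:02:30.000003  [**] [1:1000005:0] ICMP Test Rule [**] [Priority: 0] {ICMP} 192.168.1.5 -> 192.168.1.3
09/07-09:02:31.000004  [**] [1:1000005:0] ICMP Test Rule [**] [Priority: 0] {ICMP} 192.168.1.5 -> 192.168.1.3
09/07-11:15:02.000005  [**] [119:14:1] (http_inspect) NON-RFC DEFINED CHAR [**] [Priority: 3] {TCP} 74.6.17.188:40001 -> 192.168.1.3:80
09/07-11:20:00.000006  [**] [1:1852:4] WEB-MISC robots.txt access [**] [Priority: 2] {TCP} 10.0.0.7:5555 -> 192.168.1.3:80'

# 192.168.1.5 fires twice but is our own host, so only 74.6.17.188 (3 hits) is reported.
printf '%s\n' "$SAMPLE_ALERTS" | repeat_offenders 2 '192.168.1.5 192.168.1.1' | while read -r ip; do
    blacklist_rule "$ip"
done
```

Feed it the real alert file from /var/log/snort and pick a threshold that matches how noisy your rule set still is; while you are still weeding out false positives a high count is a sign of a bad rule at least as often as of a bad neighbour.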
OSSEC-HIDS is much easier to install. Basically it is downloading and then running a script.
Go to the ossec download page and download the most recent version :
http://www.ossec.net/main/downloads/
wget http://www.ossec.net/files/ossec-hids-1.6.tar.gz
tar xzvf ossec-hids-1.6.tar.gz
Now run the installation script :
cd ossec-hids-1.6
./install.sh
You will be asked a series of questions. Basically select your language, use a "local" installation, and enter
an e-mail address. Otherwise go with the defaults.
- Do you want to add more IPs to the white list? (y/n)? [n]: Answer y and add additional IP if you wish to white list
them.
The only "problem" is that the post is a little outdated. The information about running the install script is accurate, but
you DO NOT need to write an init script. ossec 1.6 will install a script for you into /etc/init.d/ossec
Not much needs to be done. HOWEVER I would caution you that OSSEC has an active response to threats. If OSSEC
detects a bad ip address, it will block that ip address using iptables. This means that if your snort rules are giving you
false alerts, legitimate traffic to your server will be blocked.
This also means you can lose access to your server as well.
Fortunately this is a temporary ban. It is more than sufficient to deter the script kiddies, and if your access is blocked,
access is restored in a few minutes.
This means, however, that you need to monitor snort (base) and fine tune your rules so you are not blocking legitimate
traffic.
Again, if there are repeat offending IP addresses, black list them in iptables (See the using snort/base post for how to
do this).
This configuration file is well commented and you will see a white list section where you may white list additional ip
addresses if needed.
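As an added example (not the guide's, and not OSSEC's own tooling), a script that adds an address to the white_list entries of ossec.conf, which is where that whitelist section lives. The ossec.conf excerpt is constructed (its active-response block shows the default firewall-drop response the warning above is about); the path /var/ossec/etc/ossec.conf is OSSEC's default install location, and the init script name comes from post #6.

```bash
#!/bin/sh
# Added example, not from the guide: whitelist your own addresses in ossec.conf so
# active response (firewall-drop) cannot lock you out, e.g. after a test portscan.

# ossec_whitelist_add CONF IP  inserts <white_list>IP</white_list> after the last
# existing entry (or just before </global> if there is none). Idempotent.
ossec_whitelist_add() {
    conf="$1"; ip="$2"
    grep -q "<white_list>$ip</white_list>" "$conf" && return 0   # already present
    awk -v ip="$ip" '
        /<white_list>/ { last = NR }
        /<\/global>/   { if (!gend) gend = NR }
        { line[NR] = $0 }
        END {
            entry = "    <white_list>" ip "</white_list>"
            for (i = 1; i <= NR; i++) {
                if (!last && i == gend) print entry
                print line[i]
                if (last && i == last) print entry
            }
        }' "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
}

# ossec_whitelist CONF  prints the whitelisted addresses, one per line.
ossec_whitelist() { sed -n 's/.*<white_list>\(.*\)<\/white_list>.*/\1/p' "$1"; }

# --- demo on a constructed ossec.conf excerpt ---------------------------------
OSSEC_DEMO_CONF=$(mktemp)
cat > "$OSSEC_DEMO_CONF" <<'EOF'
<ossec_config>
  <global>
    <email_notification>no</email_notification>
    <white_list>127.0.0.1</white_list>
    <white_list>192.168.1.1</white_list>
  </global>
  <active-response>
    <command>firewall-drop</command>
    <location>local</location>
    <level>6</level>
    <timeout>600</timeout>
  </active-response>
</ossec_config>
EOF

ossec_whitelist_add "$OSSEC_DEMO_CONF" 192.168.1.201   # the workstation you scan from
ossec_whitelist_add "$OSSEC_DEMO_CONF" 192.168.1.201   # no duplicate on a second run
ossec_whitelist "$OSSEC_DEMO_CONF"
# on a real install: ossec_whitelist_add /var/ossec/etc/ossec.conf <ip>; /etc/init.d/ossec restart
```

Keep the list short: every address on it is exempt from active response, so it should hold only your router and the hosts you administer from, never a whole subnet you do not control.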
cd
wget http://www.ossec.net/files/ui/ossec-wui-0.3.tar.gz
cd /var/www
tar xzvf ~/ossec-wui-0.3.tar.gz
mv ossec-wui* ossec
cd ossec
./setup.sh
During the setup you will be asked for a user name and password. You will use this user name and password to
access the web interface.
When the script is finished running, change ownership of the directory and add www-data to the ossec group
cd /var/www
chown -R www-data.www-data ossec
usermod -G ossec -a www-data
Restart apache
From the web interface you can see any changes to system files and alerts.
Once you log into the web interface you will have a number of tabs.
I did find this wiki page on integrating base + ossec, but I have not tried it.
root@hardy:~#ping 192.168.0.3
PING 192.168.1.3 (192.168.0.3) 56(84) bytes of data.
64 bytes from 192.168.0.3: icmp_seq=1 ttl=64 time=0.378 ms
64 bytes from 192.168.0.3: icmp_seq=2 ttl=64 time=0.377 ms
64 bytes from 192.168.0.3: icmp_seq=3 ttl=64 time=0.359 ms
root@hardy:~#ping 192.168.0.3
PING 192.168.0.3 (192.168.0.3) 56(84) bytes of data.
Now for a short little addendum to the main guide, for those interested in low system impact.
If you would like to take this guide for a run without heavily messing with your current system configuration, you can
still get the full effect by setting up Ubuntu in a Virtual Machine (VM) and following the guide from there. The concepts
here apply to whatever virtualization software you prefer; I just use vbox as an example since that is what I used.
The only work that needs to be done on your host machine (not the VM) is to set up a network bridge so that your VM
will have an IP assigned by your network's DHCP server (in a home network, this is usually the central router). You
can also opt to set a static IP that is recognized by the rest of the network. With this network IP, you can then actually
see what is happening on the network, unlike with the default private IP that VMs normally get assigned.
Example:
Setup your virtual machine with an Ubuntu installation - there are many guides out there on how to do this (ex:
community/VirtualBox). Don't forget to install LAMP (https://help.ubuntu.com/community/ApacheMySQLPHP) and the
build-essential metapackage which are needed for the above tutorial.
Now create a network bridge on your host machine by following the directions at community/VirtualBox#Networking.
Our guru, bodhi.zazen, also suggested the following link which will also work for vbox - community/KVM#Creating a
network bridge on the host. I found it helps to first set your host to DHCP temporarily if you are using a static IP so
that you can easily configure the bridge. Then you can setup your static IP after your bridge is successfully created
and tested. The VM won't know the difference, other than it will get an IP immediately compatible with your network.
Also, don't forget to create the scripts to bring the bridge up and down as described in the VirtualBox wiki link.
Here is my /etc/network/interfaces file, with static IP on the host, for your reference (yours will vary). I have edited
out my username, and I am using a Linksys WRT54G router:
auto eth0
iface eth0 inet manual
address 0.0.0.0
auto br0
iface br0 inet static
bridge_ports eth0
address 192.168.1.201
netmask 255.255.255.0
gateway 192.168.1.1
auto lo
iface lo inet loopback
auto tap1
iface tap1 inet manual
up ifconfig $iface 0.0.0.0 up
down ifconfig $iface down
tunctl_user username
where username is your username which is used in /etc/vbox/interfaces (see the Network portion of vbox guide
linked above).
If you're in to using static IPs, you can now set a static IP on your VM as well. This makes it convenient to access the
web service interfaces for BASE and OSSEC from another system (like the host).
Enjoy!
Thanks bodhi, this thread is great, I think it's your best so far. I look forward to putting it to good use very soon.
you have done a huge effort you are very nice ,,,,,,
Thanks so much.
Daniel
snort and ossec perform different tasks and are complementary. See :
Yes you can run them together. "lot of CPU" is subjective and means different things to different people. In general
snort and ossec do not slow down your web server and if they do, IMO, your server is probably underpowered.
You are asking the right questions, but you will get a range of answers depending on who you ask.
Rather than turn this thread into a meandering debate re: firewalls and security I would prefer to keep it on topic, ie
intrusion detection.
My best advice is that you start by asking yourself what it is you are trying to accomplish and determine your own
level of "paranoia". Next read through some of the links I provided and determine the right tool for the job.
ossec == HIDS
snort == NIDS
As most people come from a Windows background, the HIDS systems are most familiar. These are tools to monitor
your host (desktop) for changes in system files. For example on Windows one scans for viruses or other malware
(adblock software is often HIDS).
You are asking about NIDS, ie monitoring network traffic. Snort captures or monitors all network activity (packets)
going to and coming from your Desktop (or server). You will likely receive several thousand packets in short order.
Snort filters through these thousands of packets by checking each packet against a set of "rules" and logs suspicious
activity to a database (mysql). You then use Base to generate a "report" you can view in any web browser. From
there you will need to research any "alerts". How you manage alerts then is also a matter of style.
There are other tools for each of these tasks including wireshark (which will keep the contents of all packets, not just
alerts) , barnyard (as an alternate to mysql) etc.
IMO, as we are talking about security, in this case it is better to compile from source (and compiling snort is quite
easy), as well as downloading a more up-to-date rule set.
One advantage of installing from the repos, it will include an init script for snort.
One thing might need to be updated, when I pasted the download for snort I found the address didn't work on my
computer. So I went over to snort's website and copied the link and pasted that onto my command line.
attribute error: open with O_CREAT in second argument needs 3 arguments
You must be root to perform the following procedure. You may also open the file below and save it in your home
folder, then copy it (as root) to its original directory (../snort2.8.*/src/preprocessors/flow/portscan/).
This resulted in other problems related to MySQL using Snort-2.8.3. I then attempted to use the current Snort-2.8.3.1
and it compiled and installed beautifully on my Intrepid server.
thanks
The only "problem" with installing snort from source is that we now need a script to start snort. The other issue is that
if there are no alerts, snort will lose its connection with the mysql database.
Now let's look at the code. You need to look at two lines.
1. The first is your interface. The default is eth0. If you wish to use snort on an alternate interface, such as eth1, you
will need to edit the line IFACE="eth0" and change "eth0" to "eth1"
* Note : Snort will not work with wireless interfaces, you need to use airsnort instead.
2. The second option is to whitelist ip addresses. I advise you do this with caution, but you *may* wish to whitelist IP
addresses such as your router and your public ip address.
To whitelist an IP, add it to the line WHITELIST='' (note that is two single quotes, ' ', and not a double quote "), one
ip at a time, separated by a space, like this :
Code:
WHITELIST='127.0.0.1 192.168.1.1'
Now that you are done editing the file, set ownership and permissions :
Code:
My script has a 20 second sleep built in (sometimes when you start snort it will fail after a 10-15 second delay). To
avoid adding 20 seconds to your boot time, use the "boot" option.
Code:
Add this single line above "exit 0" if you have an exit 0 in the file
Try this :
wget http://bodhizazen.net/ubuntu.snort.init.txt
attribute error: open with O_CREAT in second argument needs 3 arguments
I ran into the same issue. I didn't have any problems following the Howto Forge
(http://www.howtoforge.com/intrusion-detection-with-snort-mysql-apache2-on-ubuntu-7.10-updated) for 7.10 on an
8.04 machine. I thought maybe some of the packages in the Howto Forge tutorial may have been outdated or whatever
and I wanted to try an 8.10 tutorial. I'm not a developer - I'm a user - so I don't know what effect adding one more
argument of value 0600 to the fd function, which I believe is a kernel function, has on this, but I guess that type of
uncertainty is one of the downfalls of not learning and understanding the operating system and how it is created.
In any event, I did this and followed the rest of the tutorial without any problems. OP, you may want to change this
line:
cp -R /usr/src/snort-2.8.3.1/doc/signatures .
I have a question though. I did the nmap portscan (from 192.168.0.100 to 192.168.0.100) and snort blocked my
further pings as expected. However, I then wasn't able to refresh the base and ossec web interfaces for a small period
- even though I have 192.168.0.100 whitelisted in /etc/init.d/snort. The base web interface doesn't show any info on
this; have I misinterpreted the guide at some point?
Thank you
So you would need to whitelist your IP address in OSSEC (it is in the config file).
Try this: Disable (stop) ossec and re-scan. You *should* also see more alerts in snort.
scan ...
restart ossec
scan again
Your IP is now blocked, and you may not see as many alerts in snort :twisted:
Rules can be commented out, though there is a better way to do this. Commenting out rules is problematic because
rules get updated periodically by an admin (hopefully everyone is using oinkmaster). When these new rules are put
into /etc/snort/rules they erase the previous commented out versions.
If people are using oinkmaster this can be done very easily. In /etc/oinkmaster.conf look at the section for SIDs
down toward the bottom. Each rule has a unique SID (Snort ID); enter the SIDs:
I was going to make a post on oinkmaster, but this was already too long.
And you did a better, much more succinct tutorial then I would have written :twisted:
Now for the question, when I fire up BASE I see no activity whatsoever, yet I know there are things happening
because if I type snort -v I get screenfuls of activity.
Last but not least first time in Ubuntu and revisiting *nix after 10 years of not having used it.
The other problem I have seen is that if there is no activity the mysql database loses its connection. In that case
you need to restart snort.
alert icmp any any -> any any (msg: "ICMP Test Rule";sid: 1000005;)
Then stop and restart snort, and start pinging a computer. If you want to get even simpler, just go to:
http://www.testmyids.com
Ok, found a portscan tool and yes!!! I now get something displaying in BASE.
Thanks for the rule tip, will have to investigate some more on the rules section as there is more work to be done
there, in addition I am behind a firewall which most likely stops 98% of stuff but I would like to find out what is getting
through.
Start :
Stop :
Snort is confusing at first. Network activity is broken into packets of information. Snort analyzes each packet and if
there is a violation of the snort rules then an alert is generated.
If you followed my how to you also installed mysql (a database) and base (a front end for the data). If not I am not
sure where and how snort (from the repos) will send alerts.
http://ubuntuforums.org/showthread.php?t=483488
Snort will gather data for you and store it in the mysql database you installed. This data is usually "who scanned me"
and "what type of scan was it" by default. I think what you want to know is HOW to view this information. I took a
security class and I had this very same question - I installed Snort but I didn't know what snort was doing or how to
view what it detects. The common way of viewing this data is to install apache and a customized view of the Snort
data called BASE. BASE will put the data in a nice graphical format, fully customizable, so you can see this
information. I just typed "snort base" in google images and here's the first picture returned. Let me know if that
makes sense. http://homepage.mac.com/duling/halfdozen/resources/snort-base1.png There are also some tricks to
installing BASE that aren't mentioned - a couple php-pear modules you need to install that aren't installed by default
(or at least weren't when I installed snort/mysql/apache/base).
What I'd really like is some type of auditory alarm like we did in the windows-portion of the Snort lab. With base, you
have to keep looking at /localhost/base-php4 and hitting refresh to catch someone attacking.
Hello, could you supply me with all the terminal commands you use to install base and apache, and also the pear modules, if that's all you have to do to install it? If other instructions are needed, please feel free to tell me those too. I don't know any terminal commands on my own yet. Also, if you can install the mysql database from the terminal, can you tell me how to do that too? I am still reading up on that, and if you could, it would save me a lot of time. That is, if it's not too much trouble for you; so far the commands that I have seen have been pretty short. Thank you.
See the first few posts in this thread as well as the link I gave in my last post.
cd /usr/src/snort-2.8.3
./configure --enable-dynamicplugin --with-mysql
make
make install
error:
In function open,
inlined from server_stats_save at server_stats.c:349:
/usr/include/bits/fcntl2.h:51: error: call to __open_missing_mode declared with attribute error: open with O_CREAT in second argument needs 3 arguments
make[4]: *** [server_stats.o] Error 1
make[4]: Leaving directory `/usr/src/snort-2.8.3.1/src/preprocessors/flow/portscan'
make[3]: *** [install-recursive] Error 1
make[3]: Leaving directory `/usr/src/snort-2.8.3.1/src/preprocessors/flow'
make[2]: *** [install-recursive] Error 1
make[2]: Leaving directory `/usr/src/snort-2.8.3.1/src/preprocessors'
make[1]: *** [install-recursive] Error 1
make[1]: Leaving directory `/usr/src/snort-2.8.3.1/src'
make: *** [install-recursive] Error 1
Yes.
http://www.securityfocus.com/infocus/1640
http://www.securityfocus.com/infocus/1643
sudo command
sudo -i
Open /etc/snort/snort.conf with your favorite text editor (nano, vi, vim, etc.).
When I made the changes I tried to save them and close the document, but a pop-up box said that I did not have the correct permissions.
So I did not use the terminal to edit it. How come I don't have permissions even if I'm logged in as administrator? Thanks.
The administrator account on Linux (Ubuntu) is called root. If you are an administrator, that means you can access root via sudo.
https://help.ubuntu.com/community/RootSudo
sudo nano /file/to/edit #you can use emacs, nano, vim, ....
To use graphical applications, such as gedit, use gksu.
I would caution you against using word processors such as OpenOffice or Abiword to edit config files, as config files are text files and we want to keep them that way (not convert them to OOO or Abiword formatted documents).
Yes, you can. I have not done this, so I can give you some links:
http://www.linux.com/feature/29856
http://www.linuxsecurity.com/content/view/117377/171/
But when I try to compile snort like the OP said above, I get errors like the ones quoted above:
Some compiling goes on, but at the end there are the errors above. Also, I have Ubuntu 8.10; I was thinking that maybe it's because I have the new version and some people have the old one?
Thx
Best regards
Francesco
Italy
Thanks
Thanks
Cool question bmwman! A lot of it is going to have to deal with how it is bridged. I just woke up, but I will do my best to try and explain this clearly, so please forgive me if I fall short in doing so.
When you set up snort, there is a config file. In this config file you declare the IP(s), range, or block that you want
snort to listen on. Obviously, in order for snort to listen on these IPs, they generally need to be bound to the box on
which Snort is snorting ;)
I understand that when you bridge the IP, you get two separate IPs but how is traffic treated? If I have read your
question properly, there may be 2 separate IPs but the host IP and the virtual machine IP are bridged and as such,
traffic should be able to move freely. This means that any traffic directed to the host/main computer should hit the
virtual machine as well. And since the virtual machine is listening on the IPs declared in the var HOME_NET it should
log alerts.
If that doesn't give you the information you were looking for, try directing hostile traffic to the host machine from
another machine on the network.
I do not advise you retaliate as that will get you into trouble. Search the IP (look up) and report it to the IP provider.
Any ideas why is it happening? Or at least how to find out what is failing during boot?
Sounds like a hardware problem to me; my guess is your hard drive is old and/or failing. When there are disk errors they are remounted read-only.
Is this a known issue? (when i installed apache i only did apt-get apache2 and php modules).
Ah, I figured there was something about .htaccess. But how do I go about making it require https?
http://www.tc.umn.edu/~brams006/selfsign_ubuntu.html
Thanks a lot :)
I use base to look at alerts generated by snort. You can look at mysql directly or whatever you wish.
If you want to test it, hit your box (snort) with a port scanner.
Snort does not, by default, capture all packets. To do that use wireshark.
I think the permissions and everything else is as you stated. I am not sure why I get this error.
@thunder:/usr/local/bin$ snort -v
Running in packet dump mode
root@thunder:/etc/snort# snort -v
Running in packet dump mode
Thank you very much for the tutorial it was more than great.
I have a strange issue, after I installed everything with no problems at all, and Snort + BASE + OSSEC are all
working and I can access BASE + OSSEC from a browser, I don't see any activity in the BASE page !!!
I even disabled my firewall to make sure that the sensor of snort is not being blocked (if I'm correct) and still nothing
!!!
If snort does not log an alert to mysql, the connection times out. I am not sure how long it takes, but I re-start snort
every 6 hours.
Hit your machine with a port scanner to test snort. And yes, iptables and ossec will block traffic so turn them off when
you test snort.
Thank you very much for your reply. I do the same as you do "restart snort every 6 hours" using the cron jobs you
explained in your tutorial.
It seems that my network is cleaner than I imagined, today I got my first ALERT :)
BTW: what are the best tutorials, papers or useful information to go beyond what is displayed here? (Ex: advanced config, writing rules, how to know which rule raised the alert, etc.) I only ask because I see you have great experience in SNORT.
After following your instructions and placing commands in the proper startup files, snort never starts as a daemon; it
doesn't start at all. The thing is I can run snort from a command line with no problems.
I'll be grateful for anything you can do to set me in the right direction.
Mike McCoy
I would just add the command to start snort in /etc/rc.local , then it will start on boot.
Signed,
Truly a noob
I think the current setup shall only monitor the traffic going into the IDS system, or going out of the IDS system, if we
are in a switched network. If we want to monitor the whole network? then we need a TAP, or a switch with monitoring
ports enabled.
If the network is built on HUBs then there is no problem; everything shall be monitored whether destined to the system holding the IDS or not.
Q: Does the white list mean: don't monitor these systems? IF yes? then I think it is wrong to assign such an IP,
because SNORT shall not monitor it.
Signed,
Truly a noob
Perhaps it would help if you were to provide a more detailed description of the problem.
what makes you think snort is not running ? what is the output of
simply stating that it is not working does not seem to be an effective means of communication.
Yes, a whitelist, as with other whitelists, basically means do not monitor traffic from that IP address. Whitelists have their uses ;)
In terms of your previous question re: snort info : Either buy a book on snort or google.
After you run snort for a while though you should be good to go.
Thanks,
John
For example, the command you start snort with is: snort -c /etc/snort/snort.conf
what makes you think snort is not running? what is the output of
simply stating that it is not working does not seem to be an effective means of communication.
I thought I was a little clearer than that, but my apologies for making things hard for you.
MM
MM
Well heck, I can't remove it xD. Can't remove it in the repositories?!?! Is this malicious software!?!?!
I get this:
But when I issue the two commands that run the script, nothing happens:
root@thunder:/usr/share/doc# snort -v
Running in packet dump mode
Please ignore the previous post, I am getting closer. Now I see this when I run snort with the -c option pointing to the snort.conf file:
ERROR: If this build of snort was obtained as a binary distribution (e.g., rpm,
or Windows), then check for alternate builds that contains the necessary
'mysql' support.
I am going to recompile. I know for sure I used the -mysql option during the compilation.
I downloaded nmap, and issued nmap x.x.x.x ( ip of my snort machine ). But I do not see any alerts in /var/log/snort
Help please.
Oh, the machine that is doing the nmap scan is connected through wireless, and going through a hub/router with firewall functionality. I also have the firewall turned on at the host that runs snort. I use Firestarter to manage the Ubuntu firewall. Should I disable it to test?
I haven't had any success yet. As I stated earlier, I am able to start snort from the command line, but when I attempt
to start when I boot (from rc.local), it does not start (no PID). I have backtracked my work, and it looks like I have
mirrored your tutorial step by step. (The best by far anywhere) I am continuing to investigate. Are there any
environmental situations that could cause my problem (like a mis-configured network, etc.)?
Best regards,
Mike McCoy
Code:
cd
wget http://easynews.dl.sourceforge.net/sourceforge/secureideas/base-1.3.9.tar.gz
Great tutorial
wget http://www.snort.org/pub-bin/downloads.cgi/snortrules-snapshot-2.8.tar.gz
No idea ;)
Need help getting the rules downloaded. I use your commands and I get a permission denied. I typed in this:
tronnix : You need to register with snort before you can download rules.
Notice, they limit how often you can download, I think there is a 10 or 15 minute time out.
http://www.snort.org/pub-bin/downloads.cgi
Good luck
| data |
| detail |
| encoding |
| event |
| icmphdr |
| iphdr |
| opt |
| reference |
| reference_system |
| schema |
| sensor |
| sig_class |
| sig_reference |
| signature |
| tcphdr |
| udphdr |
+------------------+
22 rows in set (0.00 sec)
I just do not see them in BASE. I also do not see a sensor. BTW, I did not see anything about us having to install ACID. Did I miss a step? Other procedures I have seen about this involve installing ACID.
wget http://www.snort.org/the_rules_you_wish_to_use
http://www.snort.org/pub-bin/downloads.cgi/Download/vrt_os/snortrules-snapshot-2.8.tar.gz
Bodhi just wrote it that way, meaning you need to select which version or rules matches your snort file.
tar zxvf ../snortrules*
I need step by step, like baby steps. Thank you in advance.
I did exactly what you said to do with that URL. It downloads really quickly, then I try to use the tar command and it does not work, it errors out. What am I doing wrong?
in your guide:
cp -R /usr/src/snort-2.8.3/doc/signatures .
I am using snort 2.8.4 and there is no such directory (doc/signatures). What should I do here?
snort -c /etc/snort/snort.conf
I get errors stating that I don't have the appropriate rules (local.rules, icmp.rules, ...). I commented out the includes of those files in snort.conf, and inserted includes for all the community rules. Maybe it would be helpful to also incorporate that in your guide.
Another small thing: the machine I am installing on is my gateway, so it only has 2 NICs. Currently I configured snort to run on eth1, which is my internet interface, but I guess since snort puts eth1 in promiscuous mode, it would kill performance (however it's only my home network, so not too much traffic)... Is it possible to deploy snort on this machine, or should I buy an extra NIC; or worse: should I have an inline machine in front of my gateway?
/etc/init.d/snort start
My entry in /var/log/messages:
Apr 21 14:43:32 artoo kernel: [158473.114012] device eth1 entered promiscuous mode
Apr 21 14:43:32 artoo kernel: [158473.114040] audit(1240317812.170:22): dev=eth1 prom=256 old_prom=0
auid=4294967295
Apr 21 14:43:32 artoo kernel: [158473.143981] device eth1 left promiscuous mode
Apr 21 14:43:32 artoo kernel: [158473.143999] audit(1240317812.200:23): dev=eth1 prom=0 old_prom=256
auid=4294967295
Apr 21 14:43:32 artoo kernel: [158473.174009] device eth1 entered promiscuous mode
Apr 21 14:43:32 artoo kernel: [158473.174041] audit(1240317812.230:24): dev=eth1 prom=256 old_prom=0
auid=4294967295
Apr 21 14:43:32 artoo kernel: [158473.204105] device eth1 left promiscuous mode
Apr 21 14:43:32 artoo kernel: [158473.204138] audit(1240317812.260:25): dev=eth1 prom=0 old_prom=256
auid=4294967295
Then I tried:
snort -v &
I let this run for a couple minutes and my packet wire totals were:
==================================================
=============================
Packet Wire Totals:
Received: 11
Analyzed: 10 (90.909%)
Dropped: 0 (0.000%)
Outstanding: 1 (9.091%)
==================================================
=============================
Breakdown by protocol (includes rebuilt packets):
ETH: 6 (100.000%)
ETHdisc: 0 (0.000%)
VLAN: 0 (0.000%)
IPV6: 6 (100.000%)
All the rest was 0%. I find this weird, since I pinged from another machine, I am remotely logged in on my machine through SSH, and I was surfing the web. Isn't this weird, given the amount of SSH/web traffic coming through, for example? On top of that, nothing logged in BASE (mysql).
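One way to read the kernel lines in that post, as an added example and not something from the thread: snort puts the interface into promiscuous mode when it opens it, and the kernel logs "left promiscuous mode" when the process exits, so an enter/leave pair a few milliseconds apart, repeated, means snort exits right after parsing its config and the fault is in snort.conf or the rules rather than in the network. The sample lines are adapted from the post above plus one constructed eth0 line (the audit lines are dropped because they add no state); the one-second threshold and the "standard kernel: [secs] device X ..." format are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: classify a sniffer's state on one
# interface from the kernel's promiscuous-mode messages. Assumes the usual
# syslog layout "Mon DD HH:MM:SS host kernel: [uptime] device IFACE ...".

# Constructed sample: two enter/leave pairs 30 ms apart on eth1 (adapted from
# the post above) and a single enter on eth0 that never left.
SAMPLE_LOG='Apr 21 14:43:32 artoo kernel: [158473.114012] device eth1 entered promiscuous mode
Apr 21 14:43:32 artoo kernel: [158473.143981] device eth1 left promiscuous mode
Apr 21 14:43:32 artoo kernel: [158473.174009] device eth1 entered promiscuous mode
Apr 21 14:43:32 artoo kernel: [158473.204105] device eth1 left promiscuous mode
Apr 21 14:44:10 artoo kernel: [158511.001234] device eth0 entered promiscuous mode'

# promisc_state IFACE < logfile
# Prints one of: never-started | running | flapping:<short-lived runs> | stopped
# A run that leaves promiscuous mode less than one second after entering it
# counts as short-lived (the process died before it could sniff anything).
promisc_state() {
    awk -v dev="$1" '
        # kernel uptime stamp is field 6, e.g. "[158473.114012]"
        function stamp() { return substr($6, 2, length($6) - 2) + 0 }
        $0 ~ ("device " dev " entered promiscuous mode") {
            up = stamp(); state = "up"; starts++
        }
        $0 ~ ("device " dev " left promiscuous mode") && state == "up" {
            if (stamp() - up < 1.0) short++
            state = "down"
        }
        END {
            if (starts == 0)        print "never-started"
            else if (state == "up") print "running"
            else if (short > 0)     print "flapping:" short
            else                    print "stopped"
        }'
}

# advice STATE IFACE: the next check a practitioner would run for each state.
advice() {
    case "$1" in
        flapping:*)    echo "$2: snort exits right after start; run it in the foreground without -D, or snort -T -c snort.conf, to see the error" ;;
        never-started) echo "$2: nothing ever opened the interface; check IFACE in the start script and that snort was started at all" ;;
        stopped)       echo "$2: the sniffer ran and has exited; check the pid file and the cron restart" ;;
        running)       echo "$2: capture is up; if BASE stays empty the problem is the mysql output plugin, not the interface" ;;
    esac
}

# Live use: promisc_state eth1 < /var/log/messages   or   dmesg | promisc_state eth1
state=$(printf '%s\n' "$SAMPLE_LOG" | promisc_state eth1)
echo "$state"
advice "$state" eth1
```

On the sample above eth1 comes out as flapping:2 and eth0 as running, which matches the post: the interface was opened and closed twice within 90 ms, so snort never stayed up long enough to analyse the SSH and web traffic the poster expected to see.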
I am having the same problems. I followed the snort/base instructions exactly on a fresh install of Hardy server.
Does anyone have any suggestions? I've been trying to troubleshoot this for a week, and I'm about ready to install
the package from the repos (but I don't want to!)...
You really should register with snort so that you may download a more updated set of rules.
The community rules do not have signatures, so you will have to live without them if you use the community rules. Signatures are nothing more than an explanation of alerts, and the same information is available online if you wish. You will see links in Base when you look at an alert. "Local" == signatures.
As far as configuration, I am not sure you will need to look at your config file. Snort places your network card in promiscuous mode (snort is a packet sniffer after all, lol), which is fine with modern switches.
Just to clarify, snort is running, I've made another database and also installed base 1.4.1 (which works fine!), but I
still get a big-fat-zero for sensors in base:
Sensors/Total: 0 / 0
Unique Alerts: 0
Categories: 0
Total Number of Alerts: 0
I have snort set to run as a daemon (which it is), but I'll try 'snort -v' anyway, and run 'nmap -v -A
my_snort_machine's_ip' from my windows machine, and here's what I get:
root@guinness:~# snort -v
Possibilities are:
2. snort lost its connection with mysql. To test this, clear the database in base (from the admin panel) even though it reads "0", then restart snort. You should now see 1 sensor in base.
However, I too have problems in BASE seeing the sensor. I believe BASE _can_ connect to mysql, since I can log in
(I have enabled authentication on BASE, table base_users in database snort).
Both have one row (the latter has a timestamp from just moments ago).
However, table "sensor" does not have any rows.
Number 2 of your list does not work on my setup. I cleared the data tables (from the Cache & Status menu) and then restarted snort. Still no sensor.
Any advice?
tar zxvf ../snortrules*
Hi Tronnix
.. refers to the directory above where you currently are. Bodhi wants you to unpack all the tar files that start with snortrules from the parent directory into the directory you are in. So if you downloaded a couple of tar files containing the rules (I just downloaded one, but there are different ones like bleeding edge, current etc. - I say for now just download one) into /usr/src/snort2.8.4, then I believe the procedure calls for creating a directory called /usr/src/snort2.8.4/rules. So from the rules directory the command tar zxvf ../snortrules* would unpack all the rules and place them in the rules directory. I hope I got all the directory names right; I am trying to do it from memory. Good luck.
Thanks
Snort ran fine for a couple of days, including the restart in the cron job. Now snort doesn't start anymore because of
this:
I changed the ownership to "snort.snort" on the pid files (including pid.lck), but it seems this file gets deleted and remade, thus giving the new file root ownership (as the start command is run by root).
Any suggestions? Or should I just start snort through its own user?
I've been working on this configuration, and it works, but I'm surprised that it doesn't seem to be as popular..
I had a really old Intrusion PDS that I pulled the HDD out of, and loaded up Hardy on it. Before returning it to the
system, I configured a serial console port. After returning the HDD to the box and hooking up to the console, I fiddled
with the 3 onboard 10/100 ethernets, so that eth0 and eth1 are hooked up to the tap, bonded together using the
bonding module, so that snort can see full-duplex traffic, with eth2 used to connect back to the internal network for
logging, etc. Check out the diagrams attached for the tap construction as well as the deployment scenario..
auto bond0
iface bond0 inet manual
    up ifconfig $IFACE 0.0.0.0 up
    down ifconfig $IFACE down
    post-up ifenslave bond0 eth0 eth1
    pre-down ifenslave -d bond0 eth0 eth1
auto eth2
iface eth2 inet static
    address x.y.z.100
    netmask 255.255.255.0
    gateway x.y.z.1
Of course, snort is sniffing on bond0. Logging is done to a mysql db on an internal server on the x.y.z.0/24 network,
which is running BASE to put a somewhat prettier face on things..
Regarding the construction of the tap, the Snort docs have a nice bit on the wiring diagram for a passive tap
(http://www.snort.org/docs/tap/), which is where that wiring diagram came from. I grabbed a 14 cu inch electric box
(blue plastic type) from home depot (get the "old work" kind and remove the anchor flaps), and 4 Cat 5e jacks (2
white colored, 2 blue colored). I used the white jacks for the "Host" jacks, and the blue ones for the "Tap" jacks, as
shown in the diagram.
I changed the default username to idsuser and now I'm having problems with line 85 of the startup script that reads:
I know the problem is now with my group because I've changed the username. How do I check for the proper group
name? I've attempted the following with no luck:
root
idsuser
snort
I know this has got to be something simple. Is it looking to use the username/group from mysql or from the host
itself? Please help =)
both user and group must exist on the system, so from your post I am guessing :
Do you have any idea how I can fix my previously mentioned problem (http://ubuntuforums.org/showpost.php?
p=7157967&postcount=142)?
I guess the problem still is that that the /var/run/snort_eth*.pid file gets made by root, but snort tries to delete it,
thus failing because of permissions. Is there any way I can let the snort user make the pid file, or another
workaround?
Thanks
Snort sometimes leaves a stale file if it terminates abnormally. Simply stop snort and delete the file.
I start snort with: sudo /etc/init.d/snort start (your startup script). Maybe it's because of the "sudo" that root makes
the file and then delegates the rest to snort? I'm just thinking wild here..
BASE will not pull any of the sensors (like many other people here), but I feel like my problem may be on the snort
side. If I try and run "/etc/init.d/snort start" I get "Snort failed to start". But if I run "snort -v" it starts up just fine. I
have a feeling there is some piece of the puzzle i'm missing, but i'm not sure what diagnostics I can do to find it.
You mentioned:
Possibilities are:
2. snort lost its connection with mysql. To test this, clear the database in base (from the admin panel) even though it reads "0", then restart snort. You should now see 1 sensor in base.
I still just can't get past the /etc/init.d/snort commands though. I copied over your script and did not make any
changes (the default eth0 is fine and I didn't bother with a whitelist until i can at least get it up and running), but still
cannot get it to launch. Anybody have any ideas? If you need any more info please just let me know.
/etc/init.d/snort would be a start script to start snort (obviously), but that script is part of the Ubuntu package and not part of snort. So if you installed snort from source you can not use that init script to start snort.
/usr/local/bin/snort -c /etc/snort/snort.conf
If snort now starts, go to base and you will see it register as a sensor.
/usr/local/bin/snort -c /etc/snort/snort.conf -u snort -g snort -D
With a cron job to restart it every 6-12 hours.
I did however try and start it manually as you recommended. It did not work, but here are the errors:
The more I think about it the more I wonder if I shouldn't try and find the exact version you had in your guide. I know
some other people mentioned they were using 2.8.4.1, but they also mentioned they were having problems too :-/.
Edit: I am actually running this on two different networks (one at work and one at home). I'm doing this mostly just
so I can really learn it, but it is providing a good practice in action consistency. They are both acting in the same
manner.
When I get to the part below, this is where I get hung up.... Is this correct, to copy the txt file to /etc/init.d/snort,
since its not really a dir?
The only "problem" with installing snort from source is that we now need a script to start snort. The other issue is that if there are no alerts, snort will lose its connection with the mysql database.
Now let's look at the code. You need to look at two lines.
1. The first is your interface. The default is eth0. If you wish to use snort on an alternate interface, such as eth1, you will need to edit the line IFACE="eth0" and change "eth0" to "eth1".
* Note: Snort will not work with wireless interfaces, you need to use airsnort instead.
2. The second option is to whitelist IP addresses. I advise you to do this with caution, but you *may* wish to whitelist IP addresses such as your router and your public IP address.
To whitelist an IP, add it to the line WHITELIST='' (note that is two single quotes, ' ', and not a double quote "), one IP at a time, separated by a space, like this:
At any rate, I followed the instructions through to the part where you do a restart on snort and i get an error snort
failed to start.
Please let me know what I need to post or where I should be looking for specific errors. Maybe its unable to use the
rules file when its starting?
The error I get is just snort failed to start. Is there an error log in /var/log/snort I'm assuming. Sorry, I'm a little slow
this morning, haven't had enough coffee. Perhaps this may have something to do with it. When I went to go into the
/log/snort directory I'm getting permission denied.
Where did you get the init.d script?
Open the init.d script with any editor, find the line that actually starts snort, and start snort from the command line.
the init.d script? Are you referring to the .txt file on the first page?
# Declare variables
SNORT='/usr/local/bin/snort -c /etc/snort/snort.conf -u snort -g snort -D'
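A start script along the lines the thread describes, as an added example that is not the thread's own script: it turns the WHITELIST into a BPF filter that snort accepts as trailing arguments, runs snort -T before daemonising so a config or rules error is printed instead of a bare "snort failed to start", and gives snort a pid directory owned by the snort user so the root-owned snort_eth*.pid problem from the posts above cannot recur. The paths, the snort user and group, and snort 2.8's -T and --pid-path options are assumptions; the cron restart the thread uses (for example 0 */6 * * * /etc/init.d/snort restart) still applies on top of it.

```shell
#!/bin/sh
# Added example, not the thread's own init script: start a source-built snort
# with the checks the "snort failed to start" posts were missing.
# Assumptions: snort 2.8 in /usr/local/bin, config in /etc/snort, a snort
# user and group already created, and snort's -T and --pid-path options.

SNORT_BIN=/usr/local/bin/snort
SNORT_CONF=/etc/snort/snort.conf
IFACE="eth0"
WHITELIST=""                  # space-separated, e.g. "192.168.1.1 203.0.113.10"
PID_DIR=/var/run/snort        # owned by the snort user, see check_prereqs
RUN_USER=snort
RUN_GROUP=snort

# valid_ipv4 ADDR: true for a dotted quad with four octets in 0-255.
# Anything else is rejected instead of being spliced into the BPF filter.
valid_ipv4() {
    case "$1" in
        *[!0-9.]*|"") return 1 ;;
    esac
    rest="$1."
    n=0
    while [ -n "$rest" ]; do
        octet=${rest%%.*}
        rest=${rest#*.}
        [ -n "$octet" ] && [ "$octet" -le 255 ] || return 1
        n=$((n + 1))
    done
    [ "$n" -eq 4 ]
}

# build_bpf_filter "IP IP ...": print a pcap/BPF expression that drops the
# whitelisted hosts before any rule sees them, e.g.
# "not (host 192.168.1.1 or host 203.0.113.10)". An empty list prints nothing;
# a malformed entry fails the start instead of silently widening the capture.
build_bpf_filter() {
    filt=""
    for ip in $1; do
        valid_ipv4 "$ip" || { echo "bad whitelist entry: $ip" >&2; return 1; }
        if [ -z "$filt" ]; then filt="host $ip"; else filt="$filt or host $ip"; fi
    done
    [ -z "$filt" ] || echo "not ($filt)"
}

# check_prereqs: fail with a message that says what is wrong. -T makes snort
# parse snort.conf and every included rules file and exit, printing the error
# that a daemonised (-D) start would hide.
check_prereqs() {
    [ "$(id -u)" -eq 0 ] || { echo "run as root (sudo)" >&2; return 1; }
    [ -x "$SNORT_BIN" ] || { echo "$SNORT_BIN is missing" >&2; return 1; }
    [ -d "/sys/class/net/$IFACE" ] || { echo "no interface $IFACE" >&2; return 1; }
    id "$RUN_USER" >/dev/null 2>&1 || { echo "no user $RUN_USER" >&2; return 1; }
    getent group "$RUN_GROUP" >/dev/null || { echo "no group $RUN_GROUP" >&2; return 1; }
    # snort drops to RUN_USER after start; give it a pid directory it owns so
    # it can unlink its own pid file on exit.
    mkdir -p "$PID_DIR" && chown "$RUN_USER:$RUN_GROUP" "$PID_DIR" || return 1
    "$SNORT_BIN" -T -c "$SNORT_CONF" -i "$IFACE" >/dev/null 2>&1 ||
        { echo "config test failed, run: $SNORT_BIN -T -c $SNORT_CONF -i $IFACE" >&2; return 1; }
}

start_snort() {
    check_prereqs || return 1
    bpf=$(build_bpf_filter "$WHITELIST") || return 1
    # $bpf is deliberately unquoted: snort takes the filter as trailing words.
    "$SNORT_BIN" -c "$SNORT_CONF" -i "$IFACE" -u "$RUN_USER" -g "$RUN_GROUP" \
        -D --pid-path "$PID_DIR" $bpf
}

stop_snort() {
    pidfile="$PID_DIR/snort_$IFACE.pid"
    [ -f "$pidfile" ] || { echo "no pid file $pidfile" >&2; return 1; }
    kill "$(head -n 1 "$pidfile" | tr -dc 0-9)" && rm -f "$pidfile"
}

case "${1:-}" in
    start)   start_snort ;;
    stop)    stop_snort ;;
    restart) stop_snort; sleep 2; start_snort ;;
esac
```

Whitelisting at the BPF layer rather than in snort.conf means the excluded hosts never reach the preprocessors, so a scan launched from a whitelisted address produces no alert at all; that is the reason for the caution in the post above about only whitelisting your own router and public address.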
cd /usr/src/snort-2.8.3
mkdir -p /etc/snort/rules /var/log/snort
chown -R root.snort /var/log/snort
chmod -R 770 /var/log/snort
cp etc/* /etc/snort/
cp rules/* /etc/snort/rules
Not sure why everything ended up in /etc/snort. It's running now after moving the files to the right place... will see what happens. Right now it's sitting at "Not using PCAP_FRAMES".
If I do create the base_conf.php myself I get this error when trying to get to localhost/base
<?php
/*******************************************************************************
** Basic Analysis and Security Engine (BASE)
** Copyright (C) 2004 BASE Project Team
** Copyright (C) 2000 Carnegie Mellon University
**
** (see the file "base_main.php" for license details)
**
** Project Leads: Kevin Johnson <[email protected]>
** Sean Muller <[email protected]>
** Built upon work by Roman Danyliw <[email protected]>, <[email protected]>
**
** Purpose: Vanilla Config file
********************************************************************************
** Authors:
********************************************************************************
** Kevin Johnson <[email protected]>
**
********************************************************************************
*/
session_start();
$BASE_VERSION = '1.3.9 (anne)';
/*
Set the below to the language you would like people to use while viewing
your install of BASE.
*/
$BASE_Language = '';
/*
Set the $Use_Auth_System variable to 1 if you would like to force users to
authenticate to use the system. Only turn this off if the system is not
accessible to the public or the network at large. i.e. a home user testing it
out!
*/
$Use_Auth_System = ;
/*
Set the below to 0 to remove the links from the display of alerts.
*/
$BASE_display_sig_links = 1;
/*
Set the base_urlpath to the url location that is the root of your BASE install.
This must be set for BASE to function! Do not include a trailing slash!
But also put the preceding slash. e.g. Your URL is http://127.0.0.1/base
set this to /base
*/
$BASE_urlpath = '/base';
Thanks
cd /etc/init.d
and then
ls
Thanks
http://localhost/base
does your browser try to download the file ? Or does it display a page with an error message ?
If the browser can not write the file, that is a permissions problem.
Change the ownership and permissions of the base directory so www-data can rw the files.
I was getting
Now I am getting 403 forbidden after changing permissions when accessing /base. Both these errors are from accessing externally with IP/base.
If I use links via putty and go to /base I get the same thing.
/var/www/???
The directory itself needs permissions of 770 and files in the directory permissions of 660.
$Use_Auth_System = ;
It depends on how you install snort. If you install snort from source there is no init.d script included, and you need to either write your own or use my script.
If you install snort from the Ubuntu repositories an init script is included (and there is some additional automation as well).
You can not use the snort init script from the repositories with snort installed from source. You would need to modify it / re-write it.
Obviously I'm in over my head, and I think having a better understanding of how logging works in general, how I can
tweak it, etc. would go a long way. I've been toying with iptables logging, where things go, adding an entry to
syslog.conf to have iptables logs go there. So I guess I will see where I ended up.
Jul 1 10:54:54 tux snort[19444]: database: Problem inserting a new signature '(portscan) Open Port': INSERT INTO signature (sig_name,sig_priority,sig_sid,sig_gid) VALUES ('(portscan) Open Port',3,27,122)
Jul 1 10:54:54 tux snort[19444]: database: mysql_error: Can't connect to local MySQL server through socket '/var/run/mysqld/mysqld.sock' (2) SQL=INSERT INTO event (sid,cid,signature,timestamp) VALUES (2, 46196, 0, '2009-07-01 10:54:54')
Jul 1 10:54:54 tux snort[19444]: database: mysql_error: Can't connect to local MySQL server through socket '/var/run/mysqld/mysqld.sock' (2) SQL=ROLLBACK
Jul 1 10:54:54 tux snort[19444]: database: mysql_error: Can't connect to local MySQL server through socket '/var/run/mysqld/mysqld.sock' (2) SQL=BEGIN
Jul 1 10:54:54 tux snort[19444]: database: mysql_error: Can't connect to local MySQL server through socket '/var/run/mysqld/mysqld.sock' (2)
Jul 1 10:54:54 tux snort[19444]: database: mysql_error: Can't connect to local MySQL server through socket '/var/run/mysqld/mysqld.sock' (2) SQL=INSERT INTO signature (sig_name,sig_priority,sig_sid,sig_gid) VALUES ('(portscan) Open Port',3,27,122)
Jul 1 10:54:54 tux snort[19444]: database: mysql_error: Can't connect to local MySQL server through socket '/var/run/mysqld/mysqld.sock' (2)
Jul 1 10:54:54 tux snort[19444]: database: Problem inserting a new signature '(portscan) Open Port': INSERT INTO signature (sig_name,sig_priority,sig_sid,sig_gid) VALUES ('(portscan) Open Port',3,27,122)
Jul 1 10:54:54 tux snort[19444]: database: mysql_error: Can't connect to local MySQL server through socket '/var/run/mysqld/mysqld.sock' (2) SQL=INSERT INTO event (sid,cid,signature,timestamp) VALUES (2, 46197, 0, '2009-07-01 10:54:54')
Jul 1 10:54:54 tux snort[19444]: database: mysql_error: Can't connect to local MySQL server through socket '/var/run/mysqld/mysqld.sock' (2) SQL=ROLLBACK
Jul 1 10:54:57 tux snort[19444]: database: mysql_error: Can't connect to local MySQL server through socket '/var/run/mysqld/mysqld.sock' (2) SQL=BEGIN
Jul 1 10:54:57 tux snort[19444]: database: mysql_error: Can't connect to local MySQL server through socket '/var/run/mysqld/mysqld.sock' (2)
Jul 1 10:54:57 tux snort[19444]: database: mysql_error: Can't connect to local MySQL server through socket '/var/run/mysqld/mysqld.sock' (2) SQL=INSERT INTO signature (sig_name,sig_priority,sig_sid,sig_gid) VALUES ('(portscan) Open Port',3,27,122)
Jul 1 10:54:57 tux snort[19444]: database: mysql_error: Can't connect to local MySQL server through socket '/var/run/mysqld/mysqld.sock' (2)
Jul 1 10:54:57 tux snort[19444]: database: Problem inserting a new signature '(portscan) Open Port': INSERT INTO signature (sig_name,sig_priority,sig_sid,sig_gid) VALUES ('(portscan) Open Port',3,27,122)
Jul 1 10:54:57 tux snort[19444]: database: mysql_error: Can't connect to local MySQL server through socket '/var/run/mysqld/mysqld.sock' (2) SQL=INSERT INTO event (sid,cid,signature,timestamp) VALUES (2, 46198, 0, '2009-07-01 10:54:57')
Jul 1 10:54:57 tux snort[19444]: database: mysql_error: Can't connect to local MySQL server through socket '/var/run/mysqld/mysqld.sock' (2) SQL=ROLLBACK
Jul 1 10:54:58 tux snort[19444]: database: mysql_error: Can't connect to local MySQL server through socket '/var/run/mysqld/mysqld.sock' (2) SQL=BEGIN
Jul 1 10:54:58 tux snort[19444]: database: mysql_error: Can't connect to local MySQL server through socket '/var/run/mysqld/mysqld.sock' (2)
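What a log like the one above is actually telling you, as an added example that is not code from the thread: snort's database output plugin could not open the MySQL socket (errno 2, no such file), so every alert's INSERT was rolled back and that event is gone as far as BASE is concerned. The Python below parses syslog lines of that shape, counts failures by errno, and lists the event counters (cid) that never reached the database. The sample lines are constructed to match the format quoted above; the sshd line is there only to show that unrelated syslog lines are skipped.

```python
import re
from collections import Counter

# Constructed sample in the shape of the snort syslog output quoted above.
SAMPLE_LOG = """\
Jul 1 10:54:54 tux snort[19444]: database: mysql_error: Can't connect to local MySQL server through socket '/var/run/mysqld/mysqld.sock' (2) SQL=INSERT INTO event (sid,cid,signature,timestamp) VALUES (2, 46196, 0, '2009-07-01 10:54:54')
Jul 1 10:54:54 tux snort[19444]: database: mysql_error: Can't connect to local MySQL server through socket '/var/run/mysqld/mysqld.sock' (2) SQL=ROLLBACK
Jul 1 10:54:54 tux snort[19444]: database: Problem inserting a new signature '(portscan) Open Port': INSERT INTO signature (sig_name,sig_priority,sig_sid,sig_gid) VALUES ('(portscan) Open Port',3,27,122)
Jul 1 10:54:57 tux snort[19444]: database: mysql_error: Can't connect to local MySQL server through socket '/var/run/mysqld/mysqld.sock' (2) SQL=INSERT INTO event (sid,cid,signature,timestamp) VALUES (2, 46197, 0, '2009-07-01 10:54:57')
Jul 1 10:54:57 tux snort[19444]: database: mysql_error: Can't connect to local MySQL server through socket '/var/run/mysqld/mysqld.sock' (2) SQL=ROLLBACK
Jul 1 10:54:58 tux snort[19444]: database: mysql_error: Can't connect to local MySQL server through socket '/var/run/mysqld/mysqld.sock' (2) SQL=BEGIN
Jul 1 10:54:58 tux sshd[2001]: Accepted publickey for bodhi from 192.168.0.3 port 51022 ssh2
"""

# syslog prefix + the snort "database:" plugin tag; everything else is skipped
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) snort\[(?P<pid>\d+)\]: database: (?P<msg>.*)$")
# "mysql_error: <text> (<errno>) SQL=<statement>"; the SQL part is optional
MYSQL_ERR_RE = re.compile(r"^mysql_error: (?P<err>.*?) \((?P<errno>\d+)\)(?: SQL=(?P<sql>.*))?$")
# the INSERT that stores an alert; cid is snort's per-sensor event counter
EVENT_INSERT_RE = re.compile(
    r"^INSERT INTO event \(sid,cid,signature,timestamp\) VALUES \((?P<sid>\d+), (?P<cid>\d+),")
SOCKET_RE = re.compile(r"through socket '(?P<path>[^']+)'")


def parse_db_errors(text):
    """Return one record per snort 'database:' line: timestamp, pid, error text,
    errno, the statement that failed, the socket path, and the event cid when
    the failed statement was the INSERT that would have stored an alert."""
    records = []
    for line in text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m:
            continue
        rec = {"ts": m["ts"], "pid": int(m["pid"]), "error": m["msg"],
               "errno": None, "sql": None, "socket": None, "cid": None}
        e = MYSQL_ERR_RE.match(m["msg"])
        if e:
            rec["error"], rec["errno"], rec["sql"] = e["err"], int(e["errno"]), e["sql"]
            s = SOCKET_RE.search(e["err"])
            if s:
                rec["socket"] = s["path"]
        if rec["sql"]:
            ev = EVENT_INSERT_RE.match(rec["sql"])
            if ev:
                rec["cid"] = int(ev["cid"])
        records.append(rec)
    return records


def summarize(records):
    """Aggregate the records: which alerts were lost and why the plugin failed."""
    lost = sorted({r["cid"] for r in records if r["cid"] is not None})
    errnos = Counter(r["errno"] for r in records if r["errno"] is not None)
    return {
        "db_lines": len(records),
        "lost_event_cids": lost,          # alerts BASE will never show
        "lost_events": len(lost),
        "errno_counts": dict(errnos),
        "sockets": sorted({r["socket"] for r in records if r["socket"]}),
        # errno 2 (ENOENT) on the socket path means mysqld is not running or is
        # listening somewhere else; a bad password would not look like this.
        "mysqld_unreachable": errnos.get(2, 0) > 0,
    }


if __name__ == "__main__":
    for key, value in summarize(parse_db_errors(SAMPLE_LOG)).items():
        print(f"{key}: {value}")
```

Run it against the real file (`parse_db_errors(open("/var/log/syslog").read())`) after a restart of mysqld to confirm the error count stops growing; the lost cids are the gap you will see in the BASE event list.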
Hi,
a) In your configuration of snort, you have a typo. It should be $HOME_NET not !$HOME_NET, as it is lower in the
configuration file multiple times.
b) I have a question: Why is my Firefox trying to download a file instead of going to the page that should be
displayed? I went through the snort setup just fine from my laptop, however afterwards the computer I set snort up
on is still not going to /base correctly. EDIT: Now I can't access /base from any machine. What is wrong?
I have a problem with this command. The 'signatures' directory does not exist. Do I have to create it?
root@salax-laptop:/var/www/base# cp -R /usr/src/snort-2.8.4.1/doc/signatures .
cp: cannot stat `/usr/src/snort-2.8.4.1/doc/signatures': No such file or directory
/etc/init.d/snort restart
/etc/init.d/snort: line 39: syntax error near unexpected token `then'
/etc/init.d/snort: line 39: ` D="z" fi uid=$(/usr/bin/id -u) if [ ! "$uid" = "0" ];then'
Any ideas?
Just a shot in the dark here, but have you tried moving 'then' to another line and removing the ';'?
Semicolons act as a terminator, thus the if statement ends after the conditions.
I'll play around some more with the code. I had gone through it when I posted here. I had moved around some ; and {} I believe in several places to get rid of errors, only to get to the last few lines in the file and get errors I have no clue about.... Like I said, I'll go through it again and post my results.
When I get all the way to the end after "fixing" the above (probably incorrectly), I get this...
ERROR 1064 (42000): You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '?snort'@'localhost' identified by 'snort_password' at line 1
I'm thinking it has to do with the fact that I have to hit ' twice before it'll show up on the screen in the VM terminal? I
initially didn't set a password when I did the install of mysql, so I thought that was the reason. So, I then used the
mysqladmin -u root password NEWPASSWORD
Any suggestions?
Perhaps try typing the command manually. Otherwise, the syntax is correct...
That's what I thought too, but I'm not cutting and pasting. I'm figuring it has something to do with the fact that it's a VM in Citrix and I'm using the Citrix console.
Now I'm having another issue. Seems to be the user doesn't have permissions. Didn't I just grant him all the
permissions?
% mysql -u root -p
mysql> use mysql
mysql> select user,host,password from user where user='snort';
Do you see something like this?
+--------+-----------+-------------------------------------------+
| user | host | password |
+--------+-----------+-------------------------------------------+
| snort | localhost | *XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX |
+--------+-----------+-------------------------------------------+
Rebooted and the user showed up. But I still get the access denied for user 'snort'@'localhost'
Try typing
grant all privileges on snort.* to 'snort'@'localhost' identified by 'snort_password';
in gedit, rather than openoffice. Maybe it is just my superstition, but I think gedit is more of a plain text editor, while openoffice is more of a "fancy" text editor.
When you copy and paste into the gnome-terminal, make sure your quotation marks look like
the one circled in green, rather than the one in red.
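The quotation-mark problem described above can be checked mechanically. As an added example, not code from the thread, here is a Python check that finds the non-ASCII quote, space and dash characters an editor or console may substitute, rewrites them to ASCII, and shows what a console that cannot render them prints in their place (a '?' where a quote should be, which is consistent with the '?snort' in the ERROR 1064 text quoted earlier). The pasted statement is constructed with U+2018/U+2019 curly quotes to reproduce the failure; the table of look-alike characters is my own selection.

```python
import unicodedata

# Characters that word processors and some consoles substitute for the plain
# ASCII quote, space and dash the MySQL parser expects, mapped to ASCII.
LOOKALIKES = {
    "\u2018": "'", "\u2019": "'", "\u201a": "'", "\u2032": "'",   # curly single quotes, prime
    "\u201c": '"', "\u201d": '"', "\u201e": '"', "\u2033": '"',   # curly double quotes
    "\u00a0": " ", "\u2007": " ", "\u202f": " ",                  # non-breaking spaces
    "\u2013": "-", "\u2014": "-", "\u2212": "-",                  # en dash, em dash, minus
}

# Constructed: the grant from the thread as it comes out of a word processor.
PASTED_STATEMENT = ("grant all privileges on snort.* to \u2018snort\u2019@\u2018localhost\u2019 "
                    "identified by \u2018snort_password\u2019;")
CLEAN_STATEMENT = "grant all privileges on snort.* to 'snort'@'localhost' identified by 'snort_password';"


def find_lookalikes(stmt):
    """(offset, unicode name, ascii replacement) for every look-alike in stmt."""
    return [(i, unicodedata.name(ch, "U+%04X" % ord(ch)), LOOKALIKES[ch])
            for i, ch in enumerate(stmt) if ch in LOOKALIKES]


def normalize(stmt):
    """Rewrite the statement with ASCII quotes, spaces and dashes."""
    return "".join(LOOKALIKES.get(ch, ch) for ch in stmt)


def as_ascii_console_shows(stmt):
    """What a console that cannot pass the character through prints: '?'."""
    return stmt.encode("ascii", errors="replace").decode("ascii")


def check(stmt):
    """Report: look-alikes found, the normalised text, and whether the result
    still has an unterminated single-quoted string (odd number of quotes)."""
    hits, fixed = find_lookalikes(stmt), normalize(stmt)
    balanced = fixed.count("'") % 2 == 0
    return {"hits": hits, "fixed": fixed, "quotes_balanced": balanced,
            "ok": not hits and balanced}


if __name__ == "__main__":
    report = check(PASTED_STATEMENT)
    for offset, name, repl in report["hits"]:
        print(f"offset {offset}: {name} -> {repl!r}")
    print("console shows:", as_ascii_console_shows(PASTED_STATEMENT))
    print("use instead:  ", report["fixed"])
```

Paste the statement you intend to run into `check()` before typing it at the mysql prompt; an empty `hits` list and `quotes_balanced` True means the 1064 error is coming from somewhere else.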
That's actually what I did this time. But, I "think" I may have gotten it. I just used a different user instead of snort.
So, wherever else it says snort, I used the other user name. I've got snort running according to ps and am logged
into Base. Now it's time to test.
Thanks !
How come?
Also with this tutorial, for Ossec the command to add an agent is missing, so when you start Ossec the first time, it
tries to start the 0:0:0:0 80 ip address which doesn't work. So I found additional instructions on the Ossec-Hids
website which I can't get to work either. That question is in another thread of mine here:
http://ubuntuforums.org/showthread.php?t=1269022
I also get this message when I try to use the Ossec-GUI command which is my ip address/ossec:
Not Found
https://ubuntuforums.org/archive/index.php/t-919472.html 52/62
8/16/2017 [all variants] Intrusion Detection [Archive] - Ubuntu Forums
1. Created a symlink in /usr/local/lib with the command ln -s /usr/src/snort-2.8.5/so_rules/precompiled/Ubuntu-6.01.1/i386/2.8.4.1 snort_dynamicrules
This symlinks the .so rules to the snort_dynamicrules that snort looks in when it starts up.
Then I was getting an error when I tried to start snort of: FATAL ERROR: /etc/snort/rules/exploit.rules(23): Couldn't resolve hostname HOME_NET
So, I looked in the snort.conf file and saw I had my EXTERNAL_NET set at
var EXTERNAL_NET !HOME_NET
All the error logging is done to /var/log/syslog for those who don't know.
I'm going to start testing it now with 2.8.5 and see what I can find. But, I have to get back to my real job of testing
Snort 2.8.5 on our equipment. :)
cd
wget http://easynews.dl.sourceforge.net/sourceforge/secureideas/base-1.3.9.tar.gz
Is it to /var/www?
Saying that:
root@alex-laptop:/etc/init.d/snort# cd /var/www
root@alex-laptop:/var/www# ls
base-1.3.9.tar.gz index.html
root@alex-laptop:/var/www# tar zvxf ~/base-1.3.9.tar.gz
tar: /root/base-1.3.9.tar.gz: Cannot open: No such file or directory
tar: Error is not recoverable: exiting now
tar: Child returned status 2
tar: Error exit delayed from previous errors
root@alex-laptop:/var/www#
Anyone please help? Thanks. Clueless.
The error is telling you the exact problem. You are trying to untar it from the /root/ but it isn't there. You need to put
the path to where the file is located. Leaving out the ~/ would do it, but I don't remember (without looking) where you
want to untar it to.
Hi abrrymnvette,
I see. Then I shall assume that it should be extracted to /var/www and work on from there.
Thanks.
cd /var/www
chown -R www-data.www-data ossec
usermod -G ossec -a www-data
Restart apache
From the web interface you can see any changes to system files and alerts.
Hey all,
Not Found
The requested URL /ossec was not found on this server.
This was a most enlightened post. I learned a lot about running Snort on Ubuntu. Your directions throughout this
thread helped me with clearing my final hurdles.
Ok I am not the best cow in the paddock but I could not get this working on KK (Ubuntu 9.10). I am not that fluent and I was following the instructions.. but for some reason I kept getting "Can't access mysql" blah blah blah...
So instead of going moo I decided to remove it and wait for someone with better knowledge to get me a step by step guide... though I found your instructions quite easy, I just didn't understand why or what was happening.. Cheers Bodhi... and thanks for the instructions...
o.
Sorry it did not work out for you. Sounds as if you were unable to set up mysql.
I did not read though all 23 pages of posts to this thread, so I'm not sure if my question has been addressed.
I'm looking for something very simple to monitor connections to a few specific ports. Snort seems very heavy for my
purposes. Is there some easier application(s) that can send messages to a log whenever network activity occurs on
some user-specified ports?
I installed and tinkered with snort, but it just seems a bit overwhelming. Is there a way to tell it I simply want a log
entry when any type of connection is attempted or successful to ports 890, 45000, and 61289 (for example). I don't
want to log any of the other large ruleset packs that come with it. Thanks.
I guess, you could use IPTables for that.
You can do what you are asking with ufw/GUFW/iptables, but then you are going to be looking through logs. And what will you look for? Simply blocked connections? You can get this information with a portscanner. How are you going to recognize problematic traffic?
Snort monitors network traffic and, using a set of rules, "alerts" you of worrisome traffic. This is in fact exactly what
you want in NIDS.
If you wish to "lighten up", and not run base, you can look at barnyard.
If I learn anything in my class not covered here, which is doubtful, I will let you know. I will also point my classmates
in this direction, so they can take advantage of your expertise.
Thanks.:)
Hello Bodhi.
I agree with you completely, and I guess he just wants to view/log the attempted connections to specific ports [blocked/permitted/dropped]. I am not sure why he is set on just that, because I don't see much of a performance or other issue with snort/ossec, and what he is looking for is obviously easily done by OSSEC.
I totally agree firewalls will not be a total replacement for IDS/IPS, but for certain scenarios, I did see "fwsnort" being employed.
@mocha, if it interests you, you could take a look at simple "fwsnort" [ http://cipherdyne.org/fwsnort/ ].
I guess my new question therefore is, how do you restrict snort to only monitor specific ports? When I had it installed it kept filling the alert log with messages about port 80 traffic for webpages I was viewing. I also need to filter out anything to do with my lan IP.
you can use the script in that post or (easily) modify it.
Once you log into the web interface you will have a number of tabs.
I did find this wiki page on integrating base + ossec, but I have not tried it.
root@hardy:~#ping 192.168.0.3
PING 192.168.0.3 (192.168.0.3) 56(84) bytes of data.
64 bytes from 192.168.0.3: icmp_seq=1 ttl=64 time=0.378 ms
64 bytes from 192.168.0.3: icmp_seq=2 ttl=64 time=0.377 ms
64 bytes from 192.168.0.3: icmp_seq=3 ttl=64 time=0.359 ms
Here's my situation: running a laptop in a university network littered with security problems. Viruses fly around
everywhere (one reason I switched from windows), and basically I want to feel secure using my email, internet
banking, etc. I don't want people putting root kits or trojans on this happy ubuntu installation. I want to be safe from
crackers trying to steal my information.
I think a very important step was to install no-script in firefox. The other one is of course ensuring ufw or something
is operating and denying everything! Finally, I have avg anti-virus installed, purely to clean flash drives which get
infected when I use them in university computers, and to help friends clean theirs. I'm in Thailand, and viruses and
trojans are found at every step.
Do I actually need ossec? I'm not running any servers. I'm not paranoid, I just want to be safe.
I got ossec up-and-running thanks to the great instructions, though I still can't get email notifications. Perhaps that's a
problem with my email provider. Anyway, how do I actually test that it's working? As in the original post, I tried
ping 192.168.0.3, but it was denied in the first place, without going to the next step.
If I actually need ossec (and if I don't, it would save me some time learning about it!), I would like to know what it is
doing, what it is blocking, how to understand logs and alerts.
Many thanks.
Thank you Bodhi Zazen. You have the uncommon gift of real clarity!
Do I need to bother with periodic checks such as rkhunter or chkrootkit? Are they only for people running servers,
too?
When I make an SSH connection from an outside IP to my machine running snort (192.168.0.2), I get this in the alert
log:
[**] [1:100000160:2] COMMUNITY SIP TCP/IP message flooding directed to SIP proxy [**]
[Classification: Attempted Denial of Service] [Priority: 2]
01/06-08:16:01.301279 XXX.XXX.XXX.XXX:2369 -> 192.168.0.2:XXX
TCP TTL:115 TOS:0x0 ID:54614 IpLen:20 DgmLen:92 DF
***AP*** Seq: 0x5D48F098 Ack: 0x5B19DC73 Win: 0xFD5C TcpLen: 20
Similarly, I see a lot of messages like this simply when browsing websites:
[**] [1:100000160:2] COMMUNITY SIP TCP/IP message flooding directed to SIP proxy [**]
[Classification: Attempted Denial of Service] [Priority: 2]
01/06-06:51:03.411603 XXX.XXX.XXX.XXX:80 -> 192.168.0.2:40322
TCP TTL:57 TOS:0x0 ID:7101 IpLen:20 DgmLen:1440 DF
***A**** Seq: 0xA55381E0 Ack: 0xC513FA5F Win: 0x237E TcpLen: 32
TCP Options (3) => NOP NOP TS: 574475743 29379010
Depends on how paranoid you are. I know coming from windows you feel the need to check these things, but, root kit
checkers and antivirus give so many warnings and false positives they just do not help that much.
As I see you are interested in security I suggest you look at the big security sticky and work your way through it.
Then go ahead and run tiger (see the security sticky for info on tiger) and the root kit checks, and antivirus on a FRESH INSTALL OR LIVE CD, then on your desktop, if nothing else to get a sense of how these tools work, what a "normal system" looks like, what the reports from these tools look like.
Then decide for yourself if you wish to use them long term.
My experience was, in the absence of running a server, relax and enjoy Linux.
ufw, noscript, and apparmor, those will give you more bang for your time than rk hunters, tiger, or antivirus.
ufw, noscript, and apparmor prevent the damage in the first place, the other tools detect the problem (if you are lucky) after it is too late. Anyone with more experience than a "script kiddie" will evade the rk hunters anyway, and the logs I have seen from compromised systems were:
1. not discovered by a rk hunter or antivirus. They were detected by somebody who knows their system, what "normal" is, and that "something" was different.
In order to detect a modern intruder you need to be able to read the logs, read bash_history, identify who is logged in, or recognize that those files have been altered.
w
last
ps aux #(or variants)
top
Learn to read the logs !!!
Alerts are generated by rule sets, and in general are designed to err on the side of false positives rather than false negatives. Only you can determine how you use your box and what activity is normal. You need to
1. Understand the rule sets are generic, some are even for windows boxes. At first this may seem useless, but someone performing recon on your server may start with Windows vulnerabilities (especially script kiddies) and this may be an early warning.
2. Learn how the rules work and fine tune them to your use. Understand the risk / benefit of inactivating a rule.
3. Give feedback to those who write the rules (notify them of a false positive so they can modify the rule set).
4. Decide what to do. Are you going to blacklist an ip because of one ssh attempt ? two ? ten ?
I find most traffic is from script kiddies and they go away or change IP fast, so I ignore them.
I block ip with persistent, prolonged, or diverse alerts (ones that start with a port scan, then they try ssh, then a few
mysql injections ... ). Again usually script kiddies, but at least determined ones or crackers that like to make a lot of
noise.
You can also deploy strategies to make these people "waste their time" or you can crack the crackers (honey pots).
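The triage rule in that post (ignore one-off noise, block a source whose alerts are persistent, prolonged, or diverse, and recognize that a web server answering your own browsing is the rule misfiring) as an added Python example, not code from the thread. It parses snort's full-alert layout quoted earlier in the thread and applies those thresholds per external source. The alert text is constructed: the SIP signature is the one from the post, the two LOCAL signatures (sids in the local-rule range), the documentation-range source addresses, HOME_NET of 192.168.0.0/24 and the thresholds are all assumptions.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Assumption: the poster's sensor sits in 192.168.0.0/24 (their host is 192.168.0.2).
HOME_NET = ipaddress.ip_network("192.168.0.0/24")

# Full-alert layout: header with gid:sid:rev and message, optional
# classification with a priority, then the flow line. Portscan alerts have
# no classification and no ports, so both are optional.
HEADER_RE = re.compile(r"^\[\*\*\] \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.*?) \[\*\*\]$")
CLASS_RE = re.compile(r"^(?:\[Classification: (?P<cls>[^\]]+)\] )?\[Priority: (?P<prio>\d+)\]$")
FLOW_RE = re.compile(r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+) (?P<src>[\d.]+)(?::(?P<sport>\d+))?"
                     r" -> (?P<dst>[\d.]+)(?::(?P<dport>\d+))?$")

# Constructed sample alerts (see lead-in for which parts are assumptions).
SAMPLE_ALERTS = """\
[**] [1:100000160:2] COMMUNITY SIP TCP/IP message flooding directed to SIP proxy [**]
[Classification: Attempted Denial of Service] [Priority: 2]
01/06-06:51:03.411603 198.51.100.10:80 -> 192.168.0.2:40322
TCP TTL:57 TOS:0x0 ID:7101 IpLen:20 DgmLen:1440 DF

[**] [122:27:0] (portscan) Open Port [**]
[Priority: 3]
01/06-08:10:02.000000 203.0.113.7 -> 192.168.0.2
PROTO:255 TTL:0 TOS:0x0 ID:0 IpLen:20 DgmLen:158

[**] [1:1000001:1] LOCAL inbound ssh connection attempt [**]
[Classification: Attempted Information Leak] [Priority: 2]
01/06-08:12:40.120000 203.0.113.7:51234 -> 192.168.0.2:22
TCP TTL:115 TOS:0x0 ID:54614 IpLen:20 DgmLen:60 DF

[**] [1:1000002:1] LOCAL inbound mysql probe [**]
[Classification: Attempted Information Leak] [Priority: 2]
01/06-08:16:01.301279 203.0.113.7:2369 -> 192.168.0.2:3306
TCP TTL:115 TOS:0x0 ID:54615 IpLen:20 DgmLen:92 DF

[**] [1:1000001:1] LOCAL inbound ssh connection attempt [**]
[Classification: Attempted Information Leak] [Priority: 2]
01/06-09:30:11.000000 192.0.2.55:40001 -> 192.168.0.2:22
TCP TTL:49 TOS:0x0 ID:1 IpLen:20 DgmLen:60 DF
"""


def parse_alerts(text):
    """Turn the alert file into dicts; packet-detail lines are ignored."""
    alerts, cur = [], None
    for line in text.splitlines():
        h = HEADER_RE.match(line)
        if h:
            cur = {"gid": int(h["gid"]), "sid": int(h["sid"]), "rev": int(h["rev"]),
                   "msg": h["msg"], "cls": None, "prio": None}
            alerts.append(cur)
            continue
        if cur is None:
            continue
        c = CLASS_RE.match(line)
        if c:
            cur["cls"], cur["prio"] = c["cls"], int(c["prio"])
            continue
        f = FLOW_RE.match(line)
        if f:
            cur["ts"] = datetime.strptime(f["ts"], "%m/%d-%H:%M:%S.%f")  # no year in the file
            cur["src"], cur["dst"] = f["src"], f["dst"]
            cur["sport"] = int(f["sport"]) if f["sport"] else None
            cur["dport"] = int(f["dport"]) if f["dport"] else None
    return [a for a in alerts if "ts" in a]


def triage(alerts, home_net=HOME_NET, diverse=3, persistent=10, prolonged_minutes=60):
    """Per external source: 'block' when alerts are diverse (distinct signatures),
    persistent (count) or prolonged (time span); otherwise 'ignore'. Alerts whose
    source is a web server replying to a local ephemeral port are set aside as
    likely false positives (the browsing case from the thread)."""
    likely_fp, by_src = [], defaultdict(list)
    for a in alerts:
        src, dst = ipaddress.ip_address(a["src"]), ipaddress.ip_address(a["dst"])
        if dst in home_net and a["sport"] in (80, 443) and a["dport"] is not None and a["dport"] >= 1024:
            likely_fp.append(a)
        elif src not in home_net:
            by_src[a["src"]].append(a)
    verdicts = {}
    for ip, items in by_src.items():
        sigs = {(a["gid"], a["sid"]) for a in items}
        span = (max(a["ts"] for a in items) - min(a["ts"] for a in items)).total_seconds() / 60
        if len(sigs) >= diverse:
            verdicts[ip] = "block: diverse (%d signatures)" % len(sigs)
        elif len(items) >= persistent:
            verdicts[ip] = "block: persistent (%d alerts)" % len(items)
        elif span >= prolonged_minutes:
            verdicts[ip] = "block: prolonged (%.0f min)" % span
        else:
            verdicts[ip] = "ignore (%d alert(s), %d signature(s))" % (len(items), len(sigs))
    return {"likely_false_positive": likely_fp, "verdicts": verdicts}


if __name__ == "__main__":
    result = triage(parse_alerts(SAMPLE_ALERTS))
    for a in result["likely_false_positive"]:
        print("likely FP:", a["src"], "->", a["dst"], a["msg"])
    for ip, verdict in result["verdicts"].items():
        print(ip, verdict)
```

The thresholds are the knobs the post says only you can set; the false-positive rule is deliberately narrow (source port 80/443 into a high local port) so it does not hide an external host probing your own web server.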
In terms of removal, I do not recall if they include a removal script or option in the install script; look in the extracted files for an uninstall.sh.
If not, then you will need to search for all ossec files and manually delete them.
Thanks.
You may install them on a desktop if you wish, but it would almost certainly be over kill to install snort on a desktop.
odaatgnome
Could you tell me, please, what tar zxvf ../snortrules* means in this context:
wget http://www.snort.org/the_rules_you_wish_to_use
cd snort-2.8.3
tar zxvf ../snortrules*
I've downloaded rules and have now a zip-package snortrules-snapshot-CURRENT.tar.gz
What do I have to do now with these rules - unpack them in the snort-x.x.x.x directory? Under which name?
Rules for snort are obtained from the web site and there are several options depending on if you wish to register or pay or not. Basically there are 3 sets
Extract the rules (it is like unziping a zip archive) and move them into place.
Next problem :)
No, I didn't write my mysql password. Did the system give it to me or ..? My root-password (of course) doesn't match.
Should I uninstall snort and start from the beginning? :(
http://ubuntu.flowconsult.at/en/mysql-set-change-reset-root-password/
Then you have to copy the decoder, preprocessor, and so rules to the $RULE_PATH you specify to get the most out of
the rule set.