Solved

snort on ubuntu 8.04

Posted on 2009-04-27
Medium Priority
1,965 Views
Last Modified: 2013-11-15
I am following this guide on how to install snort on ubuntu and I am on the mysql part. It tells me to issue this command:

mysql> grant all privileges on snort.* to 'snort'@'localhost' identified by 'snort_password';

Every time I do, I get this error:

ERROR 1290 (HY000): The MySQL server is running with the --skip-grant-tables option so it cannot execute this statement

How do I fix this?
Question by: scripttron75
173 Comments

Expert Comment by louislietaer (LVL 5), ID: 24245517
The grant command is not compatible with the option --skip-grant-tables.

You may work around it by updating the table user:

mysql> USE mysql;

Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
mysql> UPDATE user SET Select_priv='Y', Insert_priv='Y', Update_priv='Y', Delete_priv='Y', Create_priv='Y', Drop_priv='Y', Reload_priv='Y', Shutdown_priv='Y', Process_priv='Y', File_priv='Y', Grant_priv='Y', References_priv='Y', Index_priv='Y', Alter_priv='Y', Show_db_priv='Y', Super_priv='Y' WHERE user='snort';

Query OK, 2 rows affected (0.02 sec)
Rows matched: 2  Changed: 2  Warnings: 0
mysql> flush privileges;

Author Comment by scripttron75 (ID: 24245552)
thank you for that but can you make it a little less difficult to understand what this means?

Expert Comment by louislietaer (ID: 24245640)
You have got two options:

Start mysql without the option "--skip-grant-tables" and "grant all privileges on snort.* to 'snort'@'localhost' identified by 'snort_password';" will work.

Or, if you leave "--skip-grant-tables", you will have to use the workaround described before by passing these 3 commands:

1) use mysql;
this will select the database
2) update user set ....bla bla ..... where user='snort';
this will grant all privileges to user snort;
3) flush privileges;
it is a good way to finish your session ;)

Author Comment by scripttron75 (ID: 24245661)
What is the command to start mysql without the option "--skip-grant-tables"?

Expert Comment by louislietaer (ID: 24245734)
Just remove the option "--skip-grant-tables" in your start script

Author Comment by scripttron75 (ID: 24246242)
there is no start script YET! i am following these directions:

Configure mysql

Next we need to configure a mysql database for snort to use for alerts.

Code:

mysql -u root -p

Enter your mysql password for root (you did write it down didn't you ?)

You will get a mysql prompt "mysql>". I will use this prompt to indicate commands entered in mysql (as opposed to the command line) you do not need to enter the "mysql >".

Quote:
mysql> create database snort;
mysql> grant all privileges on snort.* to 'snort'@'localhost' identified by 'snort_password';
mysql> exit

    * Consider changing the name of the database to something other than "snort".
    * Consider changing the name of mysql user to something other than "snort" (in 'snort'@'localhost').
    * Change the password to something other than "snort_password".


Now, back at the command line, import the snort database scheme

Code:

mysql -D snort -u snort -p < /usr/src/snort-2.8.3/schemas/create_mysql


Expert Comment by louislietaer (ID: 24249110)
Hello,

It seems that the creation of user snort has been omitted, so before the grant command type the command create user.

See details following this link:
http://dev.mysql.com/doc/refman/5.1/en/create-user.html

Author Comment by scripttron75 (ID: 24252540)
I'm sorry, I am still having an issue: what is the exact syntax to create the user snort?

Expert Comment by louislietaer (ID: 24252929)
CREATE USER snort@'localhost' IDENTIFIED BY 'pass1';


Author Comment by scripttron75 (ID: 24252951)
i get this after i run that command:

ERROR 1290 (HY000): The MySQL server is running with the --skip-grant-tables option so it cannot execute this statement

Expert Comment by louislietaer (ID: 24253537)
Can you please start from scratch:

Under linux, log in as root.

Type command: /etc/init.d/mysql restart

Type command: mysql -p
You will be prompted for the mysql root password.

Then create user snort, grant, etc.

Author Comment by scripttron75 (ID: 24253742)
Thank you louislietaer, that worked, but it makes no sense though as I was already logged in as root. Does MySQL have a GUI for it or is it just command based?

Author Comment by scripttron75 (ID: 24254309)
i guess i spoke too soon:

mysql> CREATE USER snort@'localhost' IDENTIFIED BY 'linuxids';
Query OK, 0 rows affected (0.01 sec)

mysql> grant all privileges on snort. * to 'snort'@'localhost' identified by 'snort_linuxids';
Query OK, 0 rows affected (0.00 sec)

does this mean it worked?

Author Comment by scripttron75 (ID: 24254490)
given the document i am following after running the create and grant commands i have to run this command

mysql -D snort -u snort -p < /usr/src/snort-2.8.4/schemas/create_mysql

i get this:

ERROR 1045 (28000): Access denied for user 'snort'@'localhost' (using password: YES)  i used the right password:  snort_linuxids


Author Comment by scripttron75 (ID: 24254500)
after i put the password:  snort_linuxids

i get this:

ERROR 1049 (42000): Unknown database 'snort'
root@jeff-desktop:/usr/src#

Author Comment by scripttron75 (ID: 24254562)
I think I got it, there was not a snort db created when there should have been since I was following the guide. I created one and it looks like it worked, now on to the next command.

Author Comment by scripttron75 (ID: 24254654)
ok now i am on this command:

Using any editor, open /etc/snort/snort.conf and make the following changes :

    * In nano you can search using ctrl-W
    * In vim you can search using /
    * Search for "HOME_NET" , "EXTERNAL_NET", then mysql (without quotes).


   1. Change "var HOME_NET any" to "var HOME_NET 192.168.0.0/16" (use your netmask here).

how do i know what my netmask is:  i am on a private network of 192.168.75.xxx  ?

Expert Comment by louislietaer (ID: 24257083)
Well done, let's go further.

You wrote :

1. Change "var HOME_NET any" to "var HOME_NET 192.168.0.0/16" (use your netmask here).
how do i know what my netmask is:  i am on a private network of 192.168.75.xxx  ?

Answer :
in shell Bash, type ifconfig, you should have

eth0      Link encap:Ethernet  HWaddr 00:0f:1f:56:ef:e3
          inet addr:192.168.0.1  Bcast:192.168.0.255  Mask:255.255.255.0
          inet6 addr: fe80::20f:1fff:fe56:efe3/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:39232499 errors:0 dropped:0 overruns:0 frame:0
          TX packets:42301781 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:3762547676 (3.5 GB)  TX bytes:1881975675 (1.7 GB)
          Interrupt:20

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:50433 errors:0 dropped:0 overruns:0 frame:0
          TX packets:50433 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:20548511 (19.5 MB)  TX bytes:20548511 (19.5 MB)
--------------------------------------------------------------------------------------

Look for eth0 (a few words further) mask 255.255.xxx.xxx

With your IP you should have the value 255.255.255.0 as your IP is class C.

You wrote:
does MYsql have a gui ?
My answer :
yes, I use 2.
First is provided by the mysql project: http://dev.mysql.com/downloads/gui-tools/5.0.html
Second : http://www.navicat.com/

But let's finish your installation first.
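Since the netmask question comes back more than once in this thread, here is an added example (mine, not part of the thread nor of the guide being followed) that reads the "inet addr" and "Mask" fields from ifconfig-style output and turns them into the CIDR value snort.conf wants in "var HOME_NET". The function names and the sample ifconfig text are this example's own; the sample is constructed to match the 192.168.75.0/24 network discussed here. It also rejects a non-contiguous mask such as 255.255.0.255, which ifconfig itself would never print but a hand-typed snort.conf might contain.

```bash
#!/bin/bash
# Added example (not from the thread or the guide it follows): derive the
# "var HOME_NET" value for snort.conf from ifconfig-style output, i.e. the
# "inet addr" and "Mask" fields pointed at above. Function and variable
# names are this example's own; the interface text below is constructed.

# Constructed sample of old-style ifconfig output (values made up to match the
# 192.168.75.0/24 network discussed in the thread).
SAMPLE_IFCONFIG='eth1      Link encap:Ethernet  HWaddr 00:08:02:cc:d8:bf
          inet addr:192.168.75.10  Bcast:192.168.75.255  Mask:255.255.255.0
          inet6 addr: fe80::208:2ff:fecc:d8bf/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1'

# ip_to_int a.b.c.d -> the address as an unsigned 32-bit integer (exit 1 if malformed)
ip_to_int() {
    local IFS=. s=$1 o
    set -- $s
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case $o in ''|*[!0-9]*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# int_to_ip N -> dotted quad
int_to_ip() {
    printf '%d.%d.%d.%d\n' $(( ($1 >> 24) & 255 )) $(( ($1 >> 16) & 255 )) \
        $(( ($1 >> 8) & 255 )) $(( $1 & 255 ))
}

# mask_to_prefix 255.255.255.0 -> 24. Rejects non-contiguous masks such as
# 255.255.0.255: a valid mask is a run of 1-bits followed by 0-bits, so
# m | (m - 1) must set all 32 bits (the all-zero mask is the only exception).
mask_to_prefix() {
    local m x bits=0
    m=$(ip_to_int "$1") || return 1
    if [ "$m" -ne 0 ] && [ $(( m | (m - 1) )) -ne 4294967295 ]; then
        return 1
    fi
    x=$m
    while [ "$x" -ne 0 ]; do
        bits=$(( bits + (x & 1) ))
        x=$(( x >> 1 ))
    done
    echo "$bits"
}

# network_cidr IP MASK -> network address in CIDR form, e.g. 192.168.75.0/24
network_cidr() {
    local ip m p
    ip=$(ip_to_int "$1") || return 1
    m=$(ip_to_int "$2") || return 1
    p=$(mask_to_prefix "$2") || return 1
    printf '%s/%s\n' "$(int_to_ip $(( ip & m )))" "$p"
}

# home_net_from_ifconfig IFACE (ifconfig text on stdin) -> CIDR for that interface.
# Interface blocks start in column 0; the IPv4 line is the one containing "inet addr:".
home_net_from_ifconfig() {
    local pair
    pair=$(awk -v want="$1" '
        /^[^ \t]/ { cur = $1 }
        cur == want && /inet addr:/ {
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^addr:/) { sub(/^addr:/, "", $i); ip = $i }
                if ($i ~ /^Mask:/) { sub(/^Mask:/, "", $i); mask = $i }
            }
            print ip, mask
            exit
        }')
    [ -n "$pair" ] || return 1
    set -- $pair
    network_cidr "$1" "$2"
}

# Demo: print the snort.conf line for eth1 from the constructed sample.
printf 'var HOME_NET %s\n' "$(printf '%s\n' "$SAMPLE_IFCONFIG" | home_net_from_ifconfig eth1)"
```

On a real box you would pipe `ifconfig` into `home_net_from_ifconfig eth1` instead of the sample text; an interface with no IPv4 address (eth0 later in this thread) makes the function return 1 rather than an empty HOME_NET.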

Author Comment by scripttron75 (ID: 24262913)
ok thank you this is a slow process i will keep this going.

Expert Comment by louislietaer (ID: 24262993)
Yes, it is not good for my rank in hall of fame ;)

Author Comment by scripttron75 (ID: 24263625)
ok thanks for your patience:

I am now on this part where I had to download a script that bodhi.hahn provided with his guide:

root@jeff-desktop:/etc/init.d# cd /usr/src
root@jeff-desktop:/usr/src# chown root.root /etc/init.d/snort
root@jeff-desktop:/usr/src# chmod 500 /etc/init.d/snort
root@jeff-desktop:/usr/src# exec /etc/init.d/snort boot
/etc/init.d/snort: line 1: ÿ#!/bin/bash: No such file or directory
jeff@jeff-desktop:~$
jeff@jeff-desktop:~$

I downloaded the script and moved it to /etc/init.d/snort, then opened the file with openoffice and changed these settings:

The only "problem" with installing snort from source is that we now need a script to start snort. The other issue is that if there are no alerts, snort will lose its connection with the mysql database.

To solve this, I wrote a script to start / restart snort.

The script is attached to this post and is called "ubuntu.snort.init.txt"

Copy this file to your computer and copy/move it to /etc/init.d/snort

Now lets look at the code. You need to look at two lines.

   1. The first is your interface. The default is eth0. If you wish to use snort on an alternate interface, such as eth1, you will need to edit the line IFACE="eth0" and change "eth0" to "eth1"
          * Note : Snort will not work with wireless interfaces, you need to use airsnort instead.
   2. The second option is to whitelist ip addresses. I advise you do this with caution, but you *may* wish to whitelist IP addresses such as your router and your public ip address.

      To white list an IP , add it to the line WHITELIST='' (note that is two single quotes, ' ' and not a double quote " ) , one ip at a time, separated by a space, like this :

      Code:

      WHITELIST='127.0.0.1 192.168.1.1'

I changed the eth0 to eth1 and then I put these IP addresses as I do not want snort to monitor them:

127.0.0.1 192.168.75.1 192.168.75.2 up to 192.168.75.11, then I saved it and now I am on the part above.

Author Comment by scripttron75 (ID: 24263645)
This part says there is no directory:

root@jeff-desktop:/etc/init.d# cd /usr/src
root@jeff-desktop:/usr/src# chown root.root /etc/init.d/snort
root@jeff-desktop:/usr/src# chmod 500 /etc/init.d/snort
root@jeff-desktop:/usr/src# exec /etc/init.d/snort boot
/etc/init.d/snort: line 1: ÿ#!/bin/bash: No such file or directory

Author Comment by scripttron75 (ID: 24263654)
this is what he says about his startup script for snort:

Now that you are done editing the file, set ownership and permissions :

Code:

chown root.root /etc/init.d/snort
chmod 500 /etc/init.d/snort

Starting snort on boot

My script has a 20 second sleep built in (sometimes when you start snort it will fail after a 10-15 second delay). To avoid adding a 20 second longer boot time, use the "boot" option.

With this factoid in mind, edit /etc/rc.local and add :

Code:

exec /etc/init.d/snort boot

i did that code and get no directory

Expert Comment by louislietaer (ID: 24263826)
Can you provide the output of ifconfig on your computer and the famous script?

Expert Comment by louislietaer (ID: 24263831)
Where are you living? My time is 9:26 PM.

Author Comment by scripttron75 (ID: 24264843)
no i am in pacific time

Author Comment by scripttron75 (ID: 24264852)
here is ifconfig

root@jeff-desktop:/home/jeff# ifconfig
eth0      Link encap:Ethernet  HWaddr 00:04:5a:7b:54:03  
          UP BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:1 dropped:0 overruns:0 carrier:2
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)
          Interrupt:16 Base address:0x1000

eth1      Link encap:Ethernet  HWaddr 00:08:02:cc:d8:bf  
          inet addr:192.168.75.10  Bcast:192.168.75.255  Mask:255.255.255.0
          inet6 addr: fe80::208:2ff:fecc:d8bf/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:5960 errors:0 dropped:0 overruns:0 frame:0
          TX packets:5590 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:4089555 (3.9 MB)  TX bytes:1445379 (1.3 MB)

eth0:avahi Link encap:Ethernet  HWaddr 00:04:5a:7b:54:03  
          inet addr:169.254.3.137  Bcast:169.254.255.255  Mask:255.255.0.0
          UP BROADCAST MULTICAST  MTU:1500  Metric:1
          Interrupt:16 Base address:0x1000

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:1130 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1130 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:56804 (55.4 KB)  TX bytes:56804 (55.4 KB)

Author Comment by scripttron75 (ID: 24264862)
this is the script
ubuntu.snort.init.txt

Expert Comment by louislietaer (ID: 24267133)
Well,

the script must be placed in /etc/init.d

Run the command chmod +x /etc/init.d/snort

To run the script:
/etc/init.d/snort start
To stop:
/etc/init.d/snort start
To view status:
/etc/init.d/snort status
To restart:
/etc/init.d/snort restart

The script needs these commands to run properly:
/usr/bin/zenity
/usr/bin/gksu
/usr/bin/id -u
/usr/local/bin/snort

You can check with the command 'whereis', example: 'whereis zenity' should print out '/usr/bin/zenity /usr/share/zenity' for example.

And this file /etc/snort/snort.conf (can you provide me this file?)

Author Comment by scripttron75 (ID: 24270594)
I tried to upload snort.conf but EE says it's an unknown file type?

Author Comment by scripttron75 (ID: 24270640)
I forgot after following these commands for snort.conf it changed the permission level:

chown root.root /etc/init.d/snort
chmod 500 /etc/init.d/snort

I can open it with openoffice.org but editing has been denied. How can we change that?

Expert Comment by louislietaer (ID: 24271644)
chmod 770 /etc/init.d/snort

Expert Comment by louislietaer (ID: 24271654)
What about

/usr/bin/zenity
/usr/bin/gksu
/usr/bin/id -u
/usr/local/bin/snort

Expert Comment by louislietaer (ID: 24271676)
Try this command:

find / -name snort.conf -print

(you may find it somewhere on your disk)

Author Comment by scripttron75 (ID: 24272154)
I have not run those yet:

What about

/usr/bin/zenity
/usr/bin/gksu
/usr/bin/id -u
/usr/local/bin/snort

when do i run those


Author Comment by scripttron75 (ID: 24272178)
I ran that command and here is the output:

root@jeff-desktop:/home/jeff# find / -name snort.conf -print
find: /home/jeff/.gvfs: Permission denied
/etc/snort/snort.conf
/usr/src/snort-2.8.4/etc/snort.conf
/usr/src/etc/snort.conf

Expert Comment by louislietaer (ID: 24272187)
provide /usr/src/snort-2.8.4/etc/snort.conf

Author Comment by scripttron75 (ID: 24272216)
root@jeff-desktop:/home/jeff# /usr/src/snort-2.8.4/etc/snort.conf
bash: /usr/src/snort-2.8.4/etc/snort.conf: Permission denied

Expert Comment by louislietaer (ID: 24272246)
What about:

for /usr/bin/zenity type command "whereis zenity"
for /usr/bin/gksu type command "whereis gksu"
for /usr/bin/id -u type command "whereis id"
for /usr/local/bin/snort type command "whereis snort"

Those are commands used by the script, I want to be sure they are on your system.

Author Comment by scripttron75 (ID: 24272253)
do i run where is zenity in the script or in the command line?  

Author Comment by scripttron75 (ID: 24272373)
root@jeff-desktop:/home/jeff# /usr/bin/zenity  where is zenity
You must specify a dialog type. See 'zenity --help' for details

Expert Comment by louislietaer (ID: 24272411)
no just
where is zenity

the result should be at least : /usr/bin/zenity  

Author Comment by scripttron75 (ID: 24272419)
root@jeff-desktop:/home/jeff# where is zenity
bash: where: command not found

Expert Comment by louislietaer (ID: 24272429)
can you provide this file

/usr/src/snort-2.8.4/etc/snort.conf

Author Comment by scripttron75 (ID: 24272438)
after that command:

root@jeff-desktop:/home/jeff# /usr/src/snort-2.8.4/etc/snort.conf
bash: /usr/src/snort-2.8.4/etc/snort.conf: Permission denied

Expert Comment by louislietaer (ID: 24272554)
I don't want you to execute it, just upload it so I see what is in there ;)

Expert Comment by louislietaer (ID: 24272599)
You wrote:
do i run where is zenity in the script or in the command line?

whereis is a linux command; run it from the shell as user root.

The result of this command is the paths where you can find the file you pass as parameter to the command whereis.

Author Comment by scripttron75 (ID: 24272610)
EE says it's not an accepted extension, do you want me to copy and paste?

Expert Comment by louislietaer (ID: 24272657)
Rename the file with the linux shell command:

mv /usr/src/snort-2.8.4/etc/snort.conf /usr/src/snort-2.8.4/etc/snort.conf.txt

We will assume that when I write a # at the beginning of a line it is a linux shell command. For example I will write:

type
#mv /usr/src/snort-2.8.4/etc/snort.conf /usr/src/snort-2.8.4/etc/snort.conf.txt

ok?

Author Comment by scripttron75 (ID: 24272693)
got it

Author Comment by scripttron75 (ID: 24272716)
snort.conf.txt

Expert Comment by louislietaer (ID: 24272786)
Send me the results of:

#whereis zenity
and
#whereis gksu
and
#whereis id
and
#whereis snort

Author Comment by scripttron75 (ID: 24273441)
zenity: /usr/bin/zenity /usr/share/zenity /usr/share/man/man1/zenity.1.gz

gksu: /usr/bin/gksu /usr/share/gksu /usr/share/man/man1/gksu.1.gz

gksu: /usr/bin/gksu /usr/share/gksu /usr/share/man/man1/gksu.1.gz

snort: /usr/src/snort-2.8.4/snort.8 /usr/src/etc/snort.conf /etc/snort /usr/local/bin/snort




Expert Comment by louislietaer (ID: 24273463)
So try:
#/etc/init.d/snort start

Author Comment by scripttron75 (ID: 24273719)
root@jeff-desktop:/home/jeff# /etc/init.d/snort start
/etc/init.d/snort: line 1: ÿ#!/bin/bash: No such file or directory

Expert Comment by louislietaer (ID: 24274011)
Why this char ÿ?

#nano /etc/init.d/snort

try to clean strange chars
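An added example (mine, not from the thread or the script's author) that does the "look for strange chars" step mechanically. The error "line 1: ÿ#!/bin/bash: No such file or directory" is what bash prints when "#!" is not the first two bytes of the file: the script was edited in a word processor, which is how a byte-order mark or stray character ends up in front of the shebang, and bash then tries to execute the whole mangled first line as a command name. The functions, their names and the sample file are this example's own; the sample is constructed with a UTF-8 byte-order mark and CRLF line endings, the two usual leftovers of that kind of editing.

```bash
#!/bin/bash
# Added example (not from the thread): diagnose and repair the error
#   /etc/init.d/snort: line 1: ÿ#!/bin/bash: No such file or directory
# A script is only handed to /bin/bash by its "#!" line when those are the
# first two bytes of the file; a byte-order mark or stray character left by a
# word processor pushes "#!" aside and the shell then runs the mangled first
# line as a command name. CR line endings cause a similar failure.
# Function names are this example's own; the sample file below is constructed.

cr=$(printf '\r')

# first_bytes_hex FILE [N] -> the first N (default 4) bytes as hex, e.g. "23 21"
first_bytes_hex() {
    od -A n -t x1 -N "${2:-4}" "$1" | tr -s ' \n' ' ' | sed 's/^ //; s/ $//'
}

# check_shebang FILE -> prints one finding per line; returns 0 if the file is
# clean (starts with "#!" and has no CR line endings), 1 otherwise.
check_shebang() {
    local f=$1 bad=0 crlines
    if [ "$(first_bytes_hex "$f" 2)" != "23 21" ]; then
        printf 'first bytes are %s, not "#!" (23 21): BOM or junk before the shebang\n' \
            "$(first_bytes_hex "$f" 4)"
        bad=1
    fi
    crlines=$(LC_ALL=C grep -c -- "$cr" "$f" || true)
    if [ "$crlines" -gt 0 ]; then
        printf '%s line(s) end with CR LF (DOS/Windows line endings)\n' "$crlines"
        bad=1
    fi
    return $bad
}

# fix_script IN OUT -> copy IN to OUT, dropping anything before the first "#!"
# on line 1 and removing CR characters. Works byte-wise (LC_ALL=C) so an
# invalid UTF-8 byte such as 0xFF does not make sed choke.
fix_script() {
    LC_ALL=C sed '1s/^[^#]*#!/#!/' "$1" | tr -d "$cr" > "$2"
}

# Demo on a constructed file: UTF-8 BOM (EF BB BF) + CRLF line endings.
demo() {
    local d
    d=$(mktemp -d)
    printf '\357\273\277#!/bin/bash\r\necho "snort init placeholder"\r\n' > "$d/snort"
    echo "before:"; check_shebang "$d/snort" || true
    fix_script "$d/snort" "$d/snort.fixed"
    echo "after:"; check_shebang "$d/snort.fixed" && echo "clean: $(head -n 1 "$d/snort.fixed")"
    rm -rf "$d"
}
demo
```

To use it on the real script: `check_shebang /etc/init.d/snort`, then `fix_script /etc/init.d/snort /tmp/snort.clean`, inspect the copy and move it back over the original (keeping the `chmod 500` / `chown root.root` the guide asks for). The fix only handles junk ahead of "#!" and CR characters; a file saved as UTF-16 contains NUL bytes and has to be re-saved as plain text by the editor instead.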

Author Comment by scripttron75 (ID: 24274386)
sorry that was wrong:

root@jeff-desktop:/home/jeff# /etc/init.d/snort start
/etc/init.d/snort: line 1: ÿ#!/bin/bash: No such file or directory

Author Comment by scripttron75 (ID: 24274396)
I opened snort and at the beginning of the file is:

#!/bin/bash

# This is a "simple" script written by bodhi.zazen to start snort.
# This script is released under the GPL V3.
# Feel free to make modifications.
# If you modify or redistribute this script please give the courtesy of credit.

# This script requires zenity if you wish to run it in X.

# Test root and display

############################################################
###                 Configuration options                ###
############################################################
############################################################
# The following sections are used to configure snort
# Change "eth0" to the interface you wish to use with snort

Author Comment by scripttron75 (ID: 24274423)
The y character is from when I did a copy and paste.

Author Comment by scripttron75 (ID: 24274619)
root@jeff-desktop:/home/jeff# /etc/init.d/snort start
/etc/init.d/snort: line 1: ÿ#!/bin/bash: No such file or directory

i ran it again and that is what i get above

Author Comment by scripttron75 (ID: 24275386)
replace the Y character with just #!/bin/bash

Author Comment by scripttron75 (ID: 24283891)
louislietaer:  please let me know if you are going to continue to help me with this?


Expert Comment by louislietaer (ID: 24284685)
Oh yes, but let's rather try another approach.

I found a little tutorial on installing snort on ubuntu from a package. As I am French the tutorial is in French, but I will help you to go through it (if you agree).

http://doc.ubuntu-fr.org/snort

Author Comment by scripttron75 (ID: 24284860)
I have been following this guide:

http://ubuntuforums.org/showthread.php?t=919472

This installs mysql and some other programs; does your guide do this or is it just snort?

Expert Comment by louislietaer (ID: 24285065)
Yes, snort and oinkmaster, that is an automatic rules updater for snort.

Author Comment by scripttron75 (ID: 24286201)
Ok, what about mysql, base and ossec? After your guide is done I can just continue with these installations.

Expert Comment by louislietaer (ID: 24286295)
mysql is quite easy to install under ubuntu:

#apt-get install mysql-server

plus eventually some my.conf modification.

ossec I don't know.

Author Comment by scripttron75 (ID: 24287199)
What I am saying is that with the guide I have been using I want to utilize all those things in that guide; I provided a link to the guide for you to see it. I want to use mysql, OSSEC and BASE that are in that guide, so what I am going to do is follow your snort install and then go from there. But the thing is I am already ahead with the snort install, so it does not make sense to start from scratch unless you feel it will benefit this installation. Please let me know.

Author Comment by scripttron75 (ID: 24288077)
Ok, let's do the guide that you have; it's in French so I need to be guided on this. Thank you.

Author Comment by scripttron75 (ID: 24296267)
louislietaer:  please let me know when you want to do this?

Expert Comment by louislietaer (ID: 24301970)
Sorry, I had to work on the field for a big move of servers

Let me know when you will be awake

Author Comment by scripttron75 (ID: 24308331)
I am awake now.

Author Comment by scripttron75 (ID: 24310017)
Please let me know when you want to do this. I am ready to go. Give me the first step.

Expert Comment by louislietaer (ID: 24319543)
Hello,

I am still tired, let's have an appointment tomorrow, call me as soon as you can.

regards

Author Comment by scripttron75 (ID: 24321767)
Ok, let me know. I am up from 7am to 12pm pacific time and sometimes up until 3 am.

Expert Comment by louislietaer (ID: 24322508)
Hello,

Call me on your morning as soon as you are ready to work, I will be there

Author Comment by scripttron75 (ID: 24322550)
Will do, it will be pacific time; I guess you are hours ahead of me.

Expert Comment by louislietaer (ID: 24323758)
9 hours

Author Comment by scripttron75 (ID: 24327597)
ok whenever you are ready

Expert Comment by louislietaer (ID: 24327766)
Well yes, I will have to do a little to prepare dinner for my children, but let's go:

#sudo apt-get install snort oinkmaster snort-rules-default

Author Comment by scripttron75 (ID: 24327924)
Ok, I ran that command and I have this screen that says:

configuring snort looking for an IP address with host bit:

My ip address scheme is 192.168.75.xxx and I have 6 machines on my LAN network. Quick question: will this monitor packets that are on the whole network or just this computer? I have this desktop connected to a switch along with my other computers, then that switch plugs into my main router.

Expert Comment by louislietaer (ID: 24328045)
Let's start with your computer.

Author Comment by scripttron75 (ID: 24328078)
Yes, the computer I am on with ubuntu 8.04, so it is asking me for an ip address, what should I put?

Expert Comment by louislietaer (ID: 24328110)
Put the Ip address of your computer

Author Comment by scripttron75 (ID: 24328129)
is it like this:  192.168.75.10/24

Expert Comment by louislietaer (ID: 24328153)
I decided to install it on my ubuntu to see.

Expert Comment by louislietaer (ID: 24328162)
Go for 192.168.75.0/24, this will check your whole network.

Author Comment by scripttron75 (ID: 24328399)
ok i am back at the prompt!  next step?

Expert Comment by louislietaer (ID: 24328535)
snort is running now ;)

#sudo gedit /etc/oinkmaster.conf

Comment this line:
    #url = http://www.snort.org/dl/rules/snortrules-snapshot-2_2.tar.gz

Add this one:
    http://www.emergingthreats.net/rules/emerging.rules.tar.gz

Author Comment by scripttron75 (ID: 24328617)
this line:

#url = http://www.snort.org/dl/rules/snortrules-snapshot-2_2.tar.gz 

do you want me to add that to the .conf file?  what line?

Expert Comment by louislietaer (ID: 24328645)
No just comment (find it and put a # at the beginning)

Author Comment by scripttron75 (ID: 24328695)
find what?

Expert Comment by louislietaer (ID: 24328727)
Sorry, I made a mistake.

Add this one:
    http://www.emergingthreats.net/rules/emerging.rules.tar.gz

is not good.

Add this one:
   url = http://www.emergingthreats.net/rules/emerging.rules.tar.gz

is good.

Author Comment by scripttron75 (ID: 24328774)
please clarify, this line:

url = http://www.snort.org/dl/rules/snortrules-snapshot-2_2.tar.gz  is already in the .conf

Expert Comment by louislietaer (ID: 24328832)
Just add a # character at the beginning of this line; this will comment out the whole line.

Author Comment by scripttron75 (ID: 24328924)
what line number should i put this on?

 url = http://www.emergingthreats.net/rules/emerging.rules.tar.gz

Expert Comment by louislietaer (ID: 24328983)
Just after the line you just commented.

Author Comment by scripttron75 (ID: 24329142)
let me know if this looks correct

# Location of rules archive
# -------------------------
# NOTE: this might need to be changed based on the Snort version
# you are running. This configuration files uses Snort 2.2.x
# url = http://www.snort.org/dl/rules/snortrules-snapshot-2_2.tar.gz
# url = http://www.emergingthreats.net/rules/emerging.rules.tar.gz
# For Snort 2.1
# url = http://www.snort.org/dl/rules/snortrules-snapshot-2_1.tar.gz

# For Snort 2.0
# url = http://www.snort.org/dl/rules/snortrules-snapshot-2_0.tar.gz
# To use CVS snapshots
# url = http://www.snort.org/dl/rules/snortrules-snapshot-CURRENT.tar.gz

Expert Comment by louislietaer (ID: 24329306)
No, it should look like this:

# Location of rules archive
# -------------------------
# NOTE: this might need to be changed based on the Snort version
# you are running. This configuration files uses Snort 2.2.x
# url = http://www.snort.org/dl/rules/snortrules-snapshot-2_2.tar.gz
url = http://www.emergingthreats.net/rules/emerging.rules.tar.gz
# For Snort 2.1
# url = http://www.snort.org/dl/rules/snortrules-snapshot-2_1.tar.gz

# For Snort 2.0
# url = http://www.snort.org/dl/rules/snortrules-snapshot-2_0.tar.gz
# To use CVS snapshots
# url = http://www.snort.org/dl/rules/snortrules-snapshot-CURRENT.tar.gz
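The same oinkmaster.conf edit as a small script, added here as my own example (not from the thread or from the French tutorial): it comments out every active "url =" line, writes the new "url = ..." right after the first one it commented, exactly where the expert says to put it, and is safe to run a second time because an already-active matching URL is left alone. The function names are this example's own and the configuration fragment is constructed to mirror the stock oinkmaster.conf layout shown above.

```bash
#!/bin/bash
# Added example (not from the thread): make the oinkmaster.conf edit described
# above with a script instead of by hand. It comments out every active "url ="
# line, puts the new "url = ..." directly after the first one it commented,
# and is safe to run twice: if the new URL is already the active one, nothing
# changes. Function names are this example's own; the sample conf is constructed.

# set_oinkmaster_url CONF NEW_URL -> rewrite CONF in place as described above
set_oinkmaster_url() {
    local conf=$1 new=$2 tmp
    tmp=$(mktemp)
    awk -v new="$new" '
        /^[ \t]*url[ \t]*=/ {
            val = $0
            sub(/^[ \t]*url[ \t]*=[ \t]*/, "", val)
            sub(/[ \t]+$/, "", val)
            if (val == new) { print; done = 1; next }   # already active: keep as-is
            print "# " $0                               # comment the old source
            if (!done) { print "url = " new; done = 1 } # new source right after it
            next
        }
        { print }
        END { if (!done) print "url = " new }           # no url line at all: append one
    ' "$conf" > "$tmp" && cat "$tmp" > "$conf"           # cat keeps owner/mode of CONF
    rm -f "$tmp"
}

# active_urls CONF -> the uncommented url values, one per line
active_urls() {
    sed -n 's/^[ \t]*url[ \t]*=[ \t]*//p' "$1"
}

# Constructed fragment mirroring the stock oinkmaster.conf layout.
OLD_URL='http://www.snort.org/dl/rules/snortrules-snapshot-2_2.tar.gz'
NEW_URL='http://www.emergingthreats.net/rules/emerging.rules.tar.gz'
make_sample_conf() {
    cat > "$1" <<EOF
# Location of rules archive
# -------------------------
url = $OLD_URL
# For Snort 2.1
# url = http://www.snort.org/dl/rules/snortrules-snapshot-2_1.tar.gz
EOF
}

demo() {
    local f
    f=$(mktemp)
    make_sample_conf "$f"
    set_oinkmaster_url "$f" "$NEW_URL"
    set_oinkmaster_url "$f" "$NEW_URL"   # second run is a no-op
    cat "$f"
    rm -f "$f"
}
demo
```

On the real file the call is `set_oinkmaster_url /etc/oinkmaster.conf http://www.emergingthreats.net/rules/emerging.rules.tar.gz` as root; `active_urls /etc/oinkmaster.conf` afterwards is a quick check that exactly one source is live before running oinkmaster.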

Author Comment by scripttron75 (ID: 24330757)
ok looks good now, next step!!!  :>)

Expert Comment by louislietaer (ID: 24333387)
ok

#sudo oinkmaster -o /etc/snort/rules

Author Comment by scripttron75 (ID: 24336721)
Ok, I ran: #sudo oinkmaster -o /etc/snort/rules

No issues, next step, we can do this.

Expert Comment by louislietaer (ID: 24337776)
Yes, as root:

#crontab -e

add this line:

55 13 * * 6 /usr/sbin/oinkmaster -o /etc/snort/rules

ctrl o and ctrl x to save and exit.

Then insert a comment line at the end of snort.conf:

echo "#EmergingThreats.net Rules" >> /etc/snort/snort.conf

Author Comment by scripttron75 (ID: 24337858)
I ran the command crontab -e and this is in that file:

# m h  dom mon dow   command

Do I delete that and put the 55 13 * * 6 /usr/sbin/oinkmaster -o /etc/snort/rules?

Expert Comment by louislietaer (ID: 24337910)
No, leave it, it is a comment. You should know by now that the # character at the beginning of the line is a comment.
Here this comment works as a header for the columns.

By the way, crontab is the unix scheduler.

Just add the new line.

Author Comment by scripttron75 (ID: 24337944)
So this 55 13 * * 6 /usr/sbin/oinkmaster -o /etc/snort/rules

is not a comment?

Expert Comment by louislietaer (ID: 24338000)
True, this will update the file /etc/snort/rules every monday at 13:55 by running: /usr/sbin/oinkmaster -o /etc/snort/rules

Author Comment by scripttron75 (ID: 24338131)
louislietaer: where is snort.conf? I have it in numerous places, which one do I need to edit?

Expert Comment by louislietaer (ID: 24338278)
/etc/snort/snort.conf

Author Comment by scripttron75 (ID: 24338387)
Is this comment supposed to look like this:

#echo "#EmergingThreats.net Rules" » /etc/snort/snort.conf

Expert Comment by louislietaer (ID: 24338715)
No, this is confusing, it is linux command syntax.

Try:

echo "#EmergingThreats.net Rules"

This will display #EmergingThreats.net Rules on the screen.

This one:

echo "#EmergingThreats.net Rules" >> /etc/snort/snort.conf

will add the line
#EmergingThreats.net Rules

at the end of /etc/snort/snort.conf.

Author Comment by scripttron75 (ID: 24338786)
Ok, got it. Next step; I just did this command:

echo "#EmergingThreats.net Rules" » /etc/snort/snort.conf

and it added to the conf file

Expert Comment by louislietaer (ID: 24338892)
Go for these two linux commands:

cd /etc/snort/rules

for i in `ls -1 emerging*` ; do echo "include \$RULE_PATH/"$i ; done >> /etc/snort/snort.conf

Every character is important, so copy paste.

Author Comment by scripttron75 (ID: 24339144)
root@jeff-desktop:/etc/snort/rules# for i in `ls -1 emerging*` ; do echo "include \$RULE_PATH/"$i ; done » /etc/snort/snort.conf
bash: syntax error near unexpected token `»'
root@jeff-desktop:/etc/snort/rules# for i in `ls -1 emerging*` ; do echo "include \$RULE_PATH/"$i ; done » /etc/snort/snort.conf
bash: syntax error near unexpected token `»'
root@jeff-desktop:/etc/snort/rules#

Author Comment by scripttron75 (ID: 24339156)
What time is it where you are?

Author Comment by scripttron75 (ID: 24339162)
I will be back later, it is hot out here in California.

Expert Comment by louislietaer (ID: 24339670)
There was a bug in the procedure, go for:

cd /etc/snort/rules

for i in `ls -1 emerging*` ; do echo "include \$RULE_PATH/"$i >> /etc/snort/snort.conf ; done;

Every character is important, so copy paste.

This will add the rules downloaded by oinkmaster to /etc/snort.conf.

Expert Comment by louislietaer (ID: 24339687)
Here in the south of France (Montpellier) it is 22 PM and the temperature is ok, 24 Celsius.

Expert Comment by louislietaer (ID: 24339765)
Edit this file:

nano /etc/snort/snort.conf

At the end of the file, after #EmergingThreats.net Rules, you will see all rules added by the last command.

Comment #include $RULE_PATH/emerging-botcc-BLOCK.rules
Comment #include $RULE_PATH/emerging-compromised-BLOCK.rules
Comment #include $RULE_PATH/emerging-drop-BLOCK.rules
Comment #include $RULE_PATH/emerging-dshield-BLOCK.rules
Comment #include $RULE_PATH/emerging-rbn-BLOCK.rules
Comment #include $RULE_PATH/emerging-sid-msg.map
Comment #include $RULE_PATH/emerging-sid-msg.map.txt

snort is ready to run.

Type this command:

/etc/init.d/snort restart
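The "for i in `ls -1 emerging*`" loop plus the hand-commenting that follows it, rewritten as one added example of my own (not from the thread): it goes a step further than the loop above in that only *.rules files become includes (the loop also swept in emerging-sid-msg.map and .map.txt, which is why they had to be commented out afterwards), the -BLOCK.rules sets the expert says to comment out are written already commented, the "#EmergingThreats.net Rules" marker is added once, and running it a second time never duplicates a line. Function names are this example's own; the rules directory and snort.conf in the demo are constructed.

```bash
#!/bin/bash
# Added example (not from the thread): the "for i in `ls -1 emerging*`" loop
# above done more carefully. Only *.rules files become includes, the
# -BLOCK.rules sets are written commented out, the marker comment is added
# once, and re-running never duplicates a line. Function names are this
# example's own; the rules directory and snort.conf in demo are constructed.

MARKER='#EmergingThreats.net Rules'

# append_rule_includes RULES_DIR CONF -> prints the number of lines added
append_rule_includes() {
    local dir=$1 conf=$2 f name line added=0
    grep -qxF -- "$MARKER" "$conf" || { printf '%s\n' "$MARKER" >> "$conf"; added=$((added + 1)); }
    for f in "$dir"/emerging*.rules; do
        [ -e "$f" ] || continue                 # glob matched nothing
        name=${f##*/}
        line="include \$RULE_PATH/$name"
        # skip if present in any form (active "include ..." or commented "#include ...")
        grep -qF -- "$line" "$conf" && continue
        case $name in
            *-BLOCK.rules) line="#$line" ;;     # IP block lists: left off, as advised above
        esac
        printf '%s\n' "$line" >> "$conf"
        added=$((added + 1))
    done
    echo "$added"
}

# active_includes CONF -> names of the rule files actually included (sorted)
active_includes() {
    sed -n 's/^include \$RULE_PATH\///p' "$1" | sort
}

# Demo with a constructed rules directory and a minimal snort.conf.
demo() {
    local d n
    d=$(mktemp -d)
    mkdir "$d/rules"
    for n in emerging-web.rules emerging-scan.rules emerging-botcc-BLOCK.rules \
             emerging-sid-msg.map emerging-sid-msg.map.txt; do : > "$d/rules/$n"; done
    printf 'var RULE_PATH /etc/snort/rules\ninclude $RULE_PATH/local.rules\n' > "$d/snort.conf"
    echo "first run added $(append_rule_includes "$d/rules" "$d/snort.conf") line(s)"
    echo "second run added $(append_rule_includes "$d/rules" "$d/snort.conf") line(s)"
    cat "$d/snort.conf"
    rm -rf "$d"
}
demo
```

On the real system the call is `append_rule_includes /etc/snort/rules /etc/snort/snort.conf` as root, followed by `/etc/init.d/snort restart`; `active_includes /etc/snort/snort.conf` lists what snort will actually load, which is the quickest way to confirm the BLOCK lists stayed commented out.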

Expert Comment by louislietaer (ID: 24339790)
I will be back in 1 hour.

Are you sure you want to install BASE? Have a look at this Windows client for snort:

http://www.activeworx.org/Default.aspx?tabid=54

Author Comment by scripttron75 (ID: 24340087)
that client is fine, we can do that

Author Comment by scripttron75 (ID: 24340223)
louislietaer: can you look at the conf file? This comment should be changed as well too, shouldn't it?

Step #1: Set the network variables:
#
# You must change the following variables to reflect your local network. The
# variable is currently setup for an RFC 1918 address space.
#
# You can specify it explicitly as:
#
# var HOME_NET 10.1.1.0/24
#
# or use global variable $<interfacename>_ADDRESS which will be always
# initialized to IP address and netmask of the network interface which you run
# snort at.  Under Windows, this must be specified as
# $(<interfacename>_ADDRESS), such as:
# $(\Device\Packet_{12345678-90AB-CDEF-1234567890AB}_ADDRESS)
#
# var HOME_NET $eth0_ADDRESS

or use global variable $<interfacename>_ADDRESS which will be always
# initialized to IP address and netmask of the network interface which you run
# snort at.  Under Windows, this must be specified as
# $(<interfacename>_ADDRESS), such as:
# $(\Device\Packet_{12345678-90AB-CDEF-1234567890AB}_ADDRESS)
#
# var HOME_NET $eth0_ADDRESS
#
# You can specify lists of IP addresses for HOME_NET
# by separating the IPs with commas like this:
#
# var HOME_NET [10.1.1.0/24,192.168.1.0/24]
#
# MAKE SURE YOU DON'T PLACE ANY SPACES IN YOUR LIST!
#
# or you can specify the variable to be any IP address
# like this:

var HOME_NET any

# Set up the external network addresses as well.  A good start may be "any"
var EXTERNAL_NET any
#var EXTERNAL_NET !$HOME_NET

shouldn't we change those to reflect my network?
0
 

Author Comment

by:scripttron75
ID: 24340380
this is getting confusing for both of us.  I have done the install, now the conf needs to be configured. Can I send it to you so you can change the necessary things in it?
Tell me what configuration file you need?  
0
 
LVL 5

Expert Comment

by:louislietaer
ID: 24340822
All you have to do is comment those lines at the end of the file

Comment #include $RULE_PATH/emerging-botcc-BLOCK.rules

Comment #include $RULE_PATH/emerging-compromised-BLOCK.rules

Comment #include $RULE_PATH/emerging-drop-BLOCK.rules

Comment #include $RULE_PATH/emerging-dshield-BLOCK.rules

Comment #include $RULE_PATH/emerging-rbn-BLOCK.rules

Comment #include $RULE_PATH/emerging-sid-msg.map

Comment #include $RULE_PATH/emerging-sid-msg.map.txt


even though it is not mandatory

snort is now working on your system, you have to express your needs, snort will report all network activity and you can configure it nearly to infinite.

Now you have to work on reporting depending on what you are looking for.
0
 
LVL 5

Expert Comment

by:louislietaer
ID: 24340865
Collecting information that you don't need consumes server time and resources. And some new attacks may be found in the future by hackers. That is the reason Oinkmaster keeps snort up to date. You will sometimes need to change /etc/snort/snort.conf
0
 

Author Comment

by:scripttron75
ID: 24340896
ok i added those lines at the end of snort.conf without the COMMENT mark on them. only put this:

#include $RULE_PATH/emerging-botcc-BLOCK.rules

 #include $RULE_PATH/emerging-compromised-BLOCK.rules

#include $RULE_PATH/emerging-drop-BLOCK.rules

#include $RULE_PATH/emerging-dshield-BLOCK.rules

 
include $RULE_PATH/emerging-rbn-BLOCK.rules


 #include $RULE_PATH/emerging-sid-msg.map

 #include $RULE_PATH/emerging-sid-msg.map.txt


I do not see this part in the file though:

#EmergingThreats.net

0
 
LVL 5

Expert Comment

by:louislietaer
ID: 24340974
Here my snort.conf file.

you should have the same
snort.conf.txt
0
 

Author Comment

by:scripttron75
ID: 24341073
ok i copied your emerging threats and put it at the bottom.


where do we go from here
0
 
LVL 5

Expert Comment

by:louislietaer
ID: 24341084
snort is ready to run

type this command

/etc/init.d/snort restart
0
 

Author Comment

by:scripttron75
ID: 24341139
problem

root@jeff-desktop:/home/jeff# /etc/init.d/snort restart
 * Stopping Network Intrusion Detection System  snort                    [ OK ]
 * Starting Network Intrusion Detection System  snort                    [fail]
root@jeff-desktop:/home/jeff#
0
 
LVL 5

Expert Comment

by:louislietaer
ID: 24341165
can you type this command and send me back the result

ls -l /etc/snort/rules/emer*
0
 
LVL 5

Expert Comment

by:louislietaer
ID: 24341201
my result

root@ubuntu:/etc/snort# ls -l rules/emer*
-rw-r----- 1 root root   43064 2009-05-08 21:54 rules/emerging-attack_response.rules
-rw-r----- 1 root root   27425 2009-05-08 21:54 rules/emerging-botcc-BLOCK.rules
-rw-r----- 1 root root   26681 2009-05-08 21:54 rules/emerging-botcc.rules
-rw-r----- 1 root root  106283 2009-05-08 21:54 rules/emerging-compromised-BLOCK.rules
-rw-r----- 1 root root  101597 2009-05-08 21:54 rules/emerging-compromised.rules
-rw-r----- 1 root root    2667 2009-05-08 21:54 rules/emerging.conf
-rw-r----- 1 root root   14275 2009-05-08 21:54 rules/emerging-dos.rules
-rw-r----- 1 root root    7197 2009-05-08 21:54 rules/emerging-drop-BLOCK.rules
-rw-r----- 1 root root    6846 2009-05-08 21:54 rules/emerging-drop.rules
-rw-r----- 1 root root    2468 2009-05-08 21:54 rules/emerging-dshield-BLOCK.rules
-rw-r----- 1 root root    2435 2009-05-08 21:54 rules/emerging-dshield.rules
-rw-r----- 1 root root  158997 2009-05-08 21:54 rules/emerging-exploit.rules
-rw-r----- 1 root root   17931 2009-05-08 21:54 rules/emerging-game.rules
-rw-r----- 1 root root    8761 2009-05-08 21:54 rules/emerging-inappropriate.rules
-rw-r----- 1 root root  486871 2009-05-08 21:54 rules/emerging-malware.rules
-rw-r----- 1 root root   33037 2009-05-08 21:54 rules/emerging-p2p.rules
-rw-r----- 1 root root  279979 2009-05-08 21:54 rules/emerging-policy.rules
-rw-r----- 1 root root  131879 2009-05-08 21:54 rules/emerging-rbn-BLOCK.rules
-rw-r----- 1 root root  122474 2009-05-08 21:54 rules/emerging-rbn.rules
-rw-r----- 1 root root   49352 2009-05-08 21:54 rules/emerging.rules
-rw-r----- 1 root root   46837 2009-05-08 21:54 rules/emerging-scan.rules
-rw-r----- 1 root root 2019605 2009-05-08 21:54 rules/emerging-sid-msg.map
-rw-r----- 1 root root 2019605 2009-05-08 21:54 rules/emerging-sid-msg.map.txt
-rw-r----- 1 root root   25560 2009-05-08 21:54 rules/emerging-tor-BLOCK.rules
-rw-r----- 1 root root   23636 2009-05-08 21:54 rules/emerging-tor.rules
-rw-r----- 1 root root  399223 2009-05-08 21:54 rules/emerging-virus.rules
-rw-r----- 1 root root    4518 2009-05-08 21:54 rules/emerging-voip.rules
-rw-r----- 1 root root  149162 2009-05-08 21:54 rules/emerging-web.rules
-rw-r----- 1 root root 2277470 2009-05-08 21:54 rules/emerging-web_sql_injection.rules

0
 

Author Comment

by:scripttron75
ID: 24341399
root@jeff-desktop:/home/jeff# ls -l /etc/snort/rules/emer*
ls: cannot access /etc/snort/rules/emer*: No such file or directory
0
 

Author Comment

by:scripttron75
ID: 24341416
i tried it while under /etc/snort

root@jeff-desktop:/etc/snort# ls -l /etc/snort/rules/emer*
ls: cannot access /etc/snort/rules/emer*: No such file or directory
root@jeff-desktop:/etc/snort#
0
 

Author Comment

by:scripttron75
ID: 24341574
it seems like this install is all messed up.
0
 

Author Comment

by:scripttron75
ID: 24342161
Louis, I went back and did everything you told me to. The output from the last command you gave me is below.  Also, I am a semi-NEWB to Linux, but I do understand what we are doing; the syntax is foreign to me.  I know basic commands.  After I ran the command: ls -l /etc/snort/rules/emer*

root@jeff-desktop:/etc/snort/rules# /etc/init.d/snort restart
 * No snort instance found to be stopped!
root@jeff-desktop:/etc/snort/rules# /etc/init.d/snort restart
 * No snort instance found to be stopped!
root@jeff-desktop:/etc/snort/rules# ls -l /etc/snort/rules/emer*
-rw-r----- 1 root root   43064 2009-05-08 21:03 /etc/snort/rules/emerging-attack_response.rules
-rw-r----- 1 root root   27425 2009-05-08 21:03 /etc/snort/rules/emerging-botcc-BLOCK.rules
-rw-r----- 1 root root   26681 2009-05-08 21:03 /etc/snort/rules/emerging-botcc.rules
-rw-r----- 1 root root  106283 2009-05-08 21:03 /etc/snort/rules/emerging-compromised-BLOCK.rules
-rw-r----- 1 root root  101597 2009-05-08 21:03 /etc/snort/rules/emerging-compromised.rules
-rw-r----- 1 root root    2667 2009-05-08 21:03 /etc/snort/rules/emerging.conf
-rw-r----- 1 root root   14275 2009-05-08 21:03 /etc/snort/rules/emerging-dos.rules
-rw-r----- 1 root root    7197 2009-05-08 21:03 /etc/snort/rules/emerging-drop-BLOCK.rules
-rw-r----- 1 root root    6846 2009-05-08 21:03 /etc/snort/rules/emerging-drop.rules
-rw-r----- 1 root root    2468 2009-05-08 21:03 /etc/snort/rules/emerging-dshield-BLOCK.rules
-rw-r----- 1 root root    2435 2009-05-08 21:03 /etc/snort/rules/emerging-dshield.rules
-rw-r----- 1 root root  158997 2009-05-08 21:03 /etc/snort/rules/emerging-exploit.rules
-rw-r----- 1 root root   17931 2009-05-08 21:03 /etc/snort/rules/emerging-game.rules
-rw-r----- 1 root root    8761 2009-05-08 21:03 /etc/snort/rules/emerging-inappropriate.rules
-rw-r----- 1 root root  486871 2009-05-08 21:03 /etc/snort/rules/emerging-malware.rules
-rw-r----- 1 root root   33037 2009-05-08 21:03 /etc/snort/rules/emerging-p2p.rules
-rw-r----- 1 root root  279979 2009-05-08 21:03 /etc/snort/rules/emerging-policy.rules
-rw-r----- 1 root root  131879 2009-05-08 21:03 /etc/snort/rules/emerging-rbn-BLOCK.rules
-rw-r----- 1 root root  122474 2009-05-08 21:03 /etc/snort/rules/emerging-rbn.rules
-rw-r----- 1 root root   49352 2009-05-08 21:03 /etc/snort/rules/emerging.rules
-rw-r----- 1 root root   46837 2009-05-08 21:03 /etc/snort/rules/emerging-scan.rules
-rw-r----- 1 root root 2019605 2009-05-08 21:03 /etc/snort/rules/emerging-sid-msg.map
-rw-r----- 1 root root 2019605 2009-05-08 21:03 /etc/snort/rules/emerging-sid-msg.map.txt
-rw-r----- 1 root root   25560 2009-05-08 21:03 /etc/snort/rules/emerging-tor-BLOCK.rules
-rw-r----- 1 root root   23636 2009-05-08 21:03 /etc/snort/rules/emerging-tor.rules
-rw-r----- 1 root root  399223 2009-05-08 21:03 /etc/snort/rules/emerging-virus.rules
-rw-r----- 1 root root    4518 2009-05-08 21:03 /etc/snort/rules/emerging-voip.rules
-rw-r----- 1 root root  149162 2009-05-08 21:03 /etc/snort/rules/emerging-web.rules
-rw-r----- 1 root root 2277470 2009-05-08 21:03 /etc/snort/rules/emerging-web_sql_injection.rules
0
 

Author Comment

by:scripttron75
ID: 24342171
I ran this command:

/etc/init.d/snort start i got this

root@jeff-desktop:/etc/snort/rules# /etc/init.d/snort start
 * Starting Network Intrusion Detection System  snort                            {FAIL}
0
 
LVL 5

Expert Comment

by:louislietaer
ID: 24342692
copy my snort.conf file and erase yours

rerun

/etc/init.d/snort start
0
 

Author Comment

by:scripttron75
ID: 24343888
I replaced my snort.conf with yours and saved it still failing???

root@jeff-desktop:/etc/snort# /etc/init.d/snort start
 * Starting Network Intrusion Detection System  snort                                                                 [fail]
root@jeff-desktop:/etc/snort#
0
 

Author Comment

by:scripttron75
ID: 24344078
what else can we try
0
 
LVL 5

Expert Comment

by:louislietaer
ID: 24345026
Is there a way I can access to your host by ssh for example
0
 

Author Comment

by:scripttron75
ID: 24345326
yes we can
0
 

Author Comment

by:scripttron75
ID: 24345332
no maybe not!  i have had problems with people from europe before sorry.
0
 
LVL 5

Expert Comment

by:louislietaer
ID: 24345794
What I say, I have been doing the same process on my host and snort is working on my host.

replay the scenario again, and try to find where the mistake was made
0
 

Author Comment

by:scripttron75
ID: 24345927
that is what i did, i went back through it all over and started from scratch still no go.  do you want to remote in?
0
 

Author Comment

by:scripttron75
ID: 24345998
I ran thru the whole thing again on another machine using vmware client.  it installed all correctly it is only when i get to this part:

/etc/init.d/snort restart that it stops the service then trys to run it and it fails?  

what is the issue.
0
 
LVL 5

Accepted Solution

by:
louislietaer earned 1500 total points
ID: 24347160
go for

cd /etc/snort

and

snort -c ./snort.conf
0
 

Author Comment

by:scripttron75
ID: 24349018
root@jeff-desktop:/etc/snort# snort -c ./snort.conf
Running in IDS mode

        --== Initializing Snort ==--
Initializing Output Plugins!
Initializing Preprocessors!
Initializing Plug-ins!
Parsing Rules file ./snort.conf
PortVar 'HTTP_PORTS' defined :  [ 80 ]
PortVar 'SHELLCODE_PORTS' defined :  [ 0:79 81:65535 ]
PortVar 'ORACLE_PORTS' defined :  [ 1521 ]
Frag3 global config:
    Max frags: 65536
    Fragment memory cap: 4194304 bytes
Frag3 engine config:
    Target-based policy: FIRST
    Fragment timeout: 60 seconds
    Fragment min_ttl:   1
    Fragment ttl_limit (not used): 5
    Fragment Problems: 1
Stream5 global config:
    Track TCP sessions: ACTIVE
    Max TCP sessions: 8192
    Memcap (for reassembly packet storage): 8388608
    Track UDP sessions: INACTIVE
    Track ICMP sessions: INACTIVE
    Log info if session memory consumption exceeds 1048576
Stream5 TCP Policy config:
    Reassembly Policy: FIRST
    Timeout: 30 seconds
    Min ttl:  1
    Maximum number of bytes to queue per session: 1048576
    Maximum number of segs to queue per session: 2621
    Options:
        Static Flushpoint Sizes: YES
    Reassembly Ports:
      21 client (Footprint)
      23 client (Footprint)
      25 client (Footprint)
      42 client (Footprint)
      53 client (Footprint)
      80 client (Footprint)
      110 client (Footprint)
      111 client (Footprint)
      135 client (Footprint)
      136 client (Footprint)
      137 client (Footprint)
      139 client (Footprint)
      143 client (Footprint)
      445 client (Footprint)
      513 client (Footprint)
      514 client (Footprint)
      1433 client (Footprint)
      1521 client (Footprint)
      2401 client (Footprint)
      3306 client (Footprint)
HttpInspect Config:
    GLOBAL CONFIG
      Max Pipeline Requests:    0
      Inspection Type:          STATELESS
      Detect Proxy Usage:       NO
      IIS Unicode Map Filename: ./unicode.map
      IIS Unicode Map Codepage: 1252
    DEFAULT SERVER CONFIG:
      Server profile: All
      Ports: 80 8080 8180
      Server Flow Depth: 300
      Client Flow Depth: 300
      Max Chunk Length: 500000
      Max Header Field Length: 0
      Max Number Header Fields: 0
      Inspect Pipeline Requests: YES
      URI Discovery Strict Mode: NO
      Allow Proxy Usage: NO
      Disable Alerting: NO
      Oversize Dir Length: 500
      Only inspect URI: NO
      Normalize HTTP Headers: NO
      Normalize HTTP Cookies: NO
      Ascii: YES alert: NO
      Double Decoding: YES alert: YES
      %U Encoding: YES alert: YES
      Bare Byte: YES alert: YES
      Base36: OFF
      UTF 8: OFF
      IIS Unicode: YES alert: YES
      Multiple Slash: YES alert: NO
      IIS Backslash: YES alert: NO
      Directory Traversal: YES alert: NO
      Web Root Traversal: YES alert: YES
      Apache WhiteSpace: YES alert: NO
      IIS Delimiter: YES alert: NO
      IIS Unicode Map: GLOBAL IIS UNICODE MAP CONFIG
      Non-RFC Compliant Characters: NONE
      Whitespace Characters: 0x09 0x0b 0x0c 0x0d
rpc_decode arguments:
    Ports to decode RPC on: 111 32771
    alert_fragments: INACTIVE
    alert_large_fragments: ACTIVE
    alert_incomplete: ACTIVE
    alert_multiple_requests: ACTIVE
Portscan Detection Config:
    Detect Protocols:  TCP UDP ICMP IP
    Detect Scan Type:  portscan portsweep decoy_portscan distributed_portscan
    Sensitivity Level: Low
    Memcap (in bytes): 10000000
    Number of Nodes:   36900

PortVar 'SSH_PORTS' defined :  [ 22 ]
ERROR: /etc/snort/rules/emerging-sid-msg.map(1) => Unknown rule type: 2000005
Fatal Error, Quitting..
root@jeff-desktop:/etc/snort#
0
 
LVL 5

Expert Comment

by:louislietaer
ID: 24349221
hello,

comment this line in /etc/snort/snort.conf

rerun

snort -c ./snort.conf

if another error appears, comment the line

loop the process above until no more errors
0
 

Author Comment

by:scripttron75
ID: 24349492
Louis:

what do you mean comment this line:

/etc/snort/snort.conf
that is a command?
0
 
LVL 5

Expert Comment

by:louislietaer
ID: 24349903
edit /etc/snort/snort.conf  file

find the line containing "emerging-sid-msg.map" ( the error showed above)

Insert a '#' at the beginning of the line (this will comment the line)

save the file

re run snort -c ./snort.conf

if there is another error, loop the process


0
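The comment-and-rerun loop above is needed because the earlier one-liner appended every `emerging*` file to snort.conf, including emerging-sid-msg.map, emerging-sid-msg.map.txt and emerging.conf, which are not rule files and make snort abort with "Unknown rule type". The script below is an added example, not code from the thread, from louislietaer or from the Snort project: it generates the include block so that only `.rules` files are included, writes the `-BLOCK` variants commented out as advised, and can be re-run without duplicating lines. The rules directory and snort.conf path are hypothetical arguments, and the demo file names are placeholders taken from the listing earlier in the thread.

```shell
#!/bin/sh
# Added example (not from the thread or the Snort project): build the
# "#EmergingThreats.net Rules" include block for snort.conf safely.
# Arguments are hypothetical: $1 = rules directory, $2 = snort.conf path.

add_et_includes() {
    rules_dir="$1"
    conf="$2"
    marker="#EmergingThreats.net Rules"

    # Write the section header only once.
    grep -qxF "$marker" "$conf" 2>/dev/null || printf '%s\n' "$marker" >> "$conf"

    # The glob ends in .rules on purpose: .map, .map.txt and .conf files never
    # match, so they cannot trigger "Unknown rule type" at start-up.
    for path in "$rules_dir"/emerging*.rules; do
        [ -e "$path" ] || continue           # no match: glob stayed literal
        f=${path##*/}
        case "$f" in
            *-BLOCK.rules) line="#include \$RULE_PATH/$f" ;;  # kept, but commented out
            *)             line="include \$RULE_PATH/$f"  ;;
        esac
        # Idempotent: skip files already referenced (commented or not).
        grep -qF "include \$RULE_PATH/$f" "$conf" || printf '%s\n' "$line" >> "$conf"
    done
}

# Number of active (uncommented) include lines, as a sanity check.
count_active_includes() {
    grep -c '^include ' "$1" || true
}

# Stand-alone demo on a constructed rules directory (empty placeholder files
# named after the listing in the thread).
demo_dir=$(mktemp -d)
mkdir "$demo_dir/rules"
for n in emerging-botcc.rules emerging-botcc-BLOCK.rules emerging-web.rules \
         emerging-sid-msg.map emerging-sid-msg.map.txt emerging.conf; do
    : > "$demo_dir/rules/$n"
done
: > "$demo_dir/snort.conf"
add_et_includes "$demo_dir/rules" "$demo_dir/snort.conf"
add_et_includes "$demo_dir/rules" "$demo_dir/snort.conf"   # second run adds nothing
cat "$demo_dir/snort.conf"
rm -rf "$demo_dir"
```

After appending to the real /etc/snort/snort.conf, `snort -T -c /etc/snort/snort.conf` checks the configuration without starting the sensor, which is a faster way to find remaining errors than restarting the init script.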
 

Author Comment

by:scripttron75
ID: 24350521
root@jeff-desktop:/home/jeff# snort -c ./snort.conf
Running in IDS mode

        --== Initializing Snort ==--
Initializing Output Plugins!
Initializing Preprocessors!
Initializing Plug-ins!
Parsing Rules file ./snort.conf
ERROR: Unable to open rules file: ./snort.conf or ././snort.conf
Fatal Error, Quitting..
root@jeff-desktop:/home/jeff#
0
 

Author Comment

by:scripttron75
ID: 24350769
Louis, i looked in the /etc/snort directory and found 2 snort.conf files

root@jeff-desktop:/etc/snort# dir
classification.config  reference.config  snort.conf          threshold.conf
community-sid-msg.map  rules             snort.conf~          unicode.map
gen-msg.map             sid-msg.map       snort.debian.conf

is this a big deal?
0
 

Author Comment

by:scripttron75
ID: 24350802
after running snort -c ./snort.conf i got this:


DNS config:
    DNS Client rdata txt Overflow Alert: ACTIVE
    Obsolete DNS RR Types Alert: INACTIVE
    Experimental DNS RR Types Alert: INACTIVE
    Ports: 53
ERROR: Misconfigured dynamic preprocessor(s)
Fatal Error, Quitting..
root@jeff-desktop:/etc/snort#
0
 
LVL 5

Expert Comment

by:louislietaer
ID: 24351398
hello,

this is due to multiple installation, a bad path in the snort.conf file

follow http://eatingsecurity.blogspot.com/2007/10/upgrading-to-snort-280.html

and try to fix it
0
 

Author Comment

by:scripttron75
ID: 24357709
Louis, that is probably the issue, because I was trying to install snort before using NSMnow, which is an all-in-one program. I am going to reformat this machine and then we can do it again after a clean install
0
 

Author Comment

by:scripttron75
ID: 24359997
I am going to go thru your install again
0
 

Author Comment

by:scripttron75
ID: 24360020
Louis, going back thru your install, i noticed that you are using snort rules 2.2 is this old?
0
 

Author Comment

by:scripttron75
ID: 24360047
Louis this is a long output but i ran :  snort -c ./snort.conf  and it started successfully



root@jeff-Ubuntudesktop:/home/jeff# snort -c ./snort.conf
Running in IDS mode

        --== Initializing Snort ==--
Initializing Output Plugins!
Var 'any_ADDRESS' defined, value len = 15 chars, value = 0.0.0.0/0.0.0.0
Var 'lo_ADDRESS' defined, value len = 19 chars, value = 127.0.0.0/255.0.0.0
Initializing Preprocessors!
Initializing Plug-ins!
Parsing Rules file ./snort.conf

+++++++++++++++++++++++++++++++++++++++++++++++++++
Initializing rule chains...
ERROR: Unable to open rules file: ./snort.conf or ././snort.conf
Fatal Error, Quitting..
root@jeff-Ubuntudesktop:/home/jeff# cd /etc/snort
root@jeff-Ubuntudesktop:/etc/snort# snort -c ./snort.conf
Running in IDS mode

        --== Initializing Snort ==--
Initializing Output Plugins!
Var 'any_ADDRESS' defined, value len = 15 chars, value = 0.0.0.0/0.0.0.0
Var 'lo_ADDRESS' defined, value len = 19 chars, value = 127.0.0.0/255.0.0.0
Initializing Preprocessors!
Initializing Plug-ins!
Parsing Rules file ./snort.conf

+++++++++++++++++++++++++++++++++++++++++++++++++++
Initializing rule chains...
Var 'HOME_NET' defined, value len = 3 chars, value = any
Var 'EXTERNAL_NET' defined, value len = 3 chars, value = any
Var 'DNS_SERVERS' defined, value len = 3 chars, value = any
Var 'SMTP_SERVERS' defined, value len = 3 chars, value = any
Var 'HTTP_SERVERS' defined, value len = 3 chars, value = any
Var 'SQL_SERVERS' defined, value len = 3 chars, value = any
Var 'TELNET_SERVERS' defined, value len = 3 chars, value = any
Var 'SNMP_SERVERS' defined, value len = 3 chars, value = any
Var 'HTTP_PORTS' defined, value len = 2 chars, value = 80
Var 'SHELLCODE_PORTS' defined, value len = 3 chars, value = !80
Var 'ORACLE_PORTS' defined, value len = 4 chars, value = 1521
Var 'AIM_SERVERS' defined, value len = 185 chars
   [64.12.24.0/23,64.12.28.0/23,64.12.161.0/24,64.12.163.0/24,64.12.200.0/24,205.188.3.0/24,205.188.5.0/24,205.188.7.0/24,205.188.9
   .0/24,205.188.153.0/24,205.188.179.0/24,205.188.248.0/24]
Var 'RULE_PATH' defined, value len = 16 chars, value = /etc/snort/rules
,-----------[Flow Config]----------------------
| Stats Interval:  0
| Hash Method:     2
| Memcap:          10485760
| Rows  :          4099
| Overhead Bytes:  16400(%0.16)
`----------------------------------------------
Frag3 global config:
    Max frags: 65536
    Fragment memory cap: 4194304 bytes
Frag3 engine config:
    Target-based policy: FIRST
    Fragment timeout: 60 seconds
    Fragment min_ttl:   1
    Fragment ttl_limit: 5
    Fragment Problems: 1
    Bound Addresses: 0.0.0.0/0.0.0.0
Stream5 global config:
    Track TCP sessions: ACTIVE
    Max TCP sessions: 8192
    Memcap (for reassembly packet storage): 8388608
    Track UDP sessions: INACTIVE
    Track ICMP sessions: INACTIVE
Stream5 TCP Policy config:
    Reassembly Policy: FIRST
    Timeout: 30 seconds
    Min ttl:  1
    Options:
        Static Flushpoint Sizes: YES
    Reassembly Ports:
      21 client (Footprint)
      23 client (Footprint)
      25 client (Footprint)
      42 client (Footprint)
      53 client (Footprint)
      80 client (Footprint)
      110 client (Footprint)
      111 client (Footprint)
      135 client (Footprint)
      136 client (Footprint)
      137 client (Footprint)
      139 client (Footprint)
      143 client (Footprint)
      445 client (Footprint)
      513 client (Footprint)
      1433 client (Footprint)
      1521 client (Footprint)
      3306 client (Footprint)
    Bound Addresses:0.0.0.0/0.0.0.0
HttpInspect Config:
    GLOBAL CONFIG
      Max Pipeline Requests:    0
      Inspection Type:          STATELESS
      Detect Proxy Usage:       NO
      IIS Unicode Map Filename: ./unicode.map
      IIS Unicode Map Codepage: 1252
    DEFAULT SERVER CONFIG:
      Server profile: All
      Ports: 80 8080 8180
      Flow Depth: 300
      Max Chunk Length: 500000
      Inspect Pipeline Requests: YES
      URI Discovery Strict Mode: NO
      Allow Proxy Usage: NO
      Disable Alerting: NO
      Oversize Dir Length: 500
      Only inspect URI: NO
      Ascii: YES alert: NO
      Double Decoding: YES alert: YES
      %U Encoding: YES alert: YES
      Bare Byte: YES alert: YES
      Base36: OFF
      UTF 8: OFF
      IIS Unicode: YES alert: YES
      Multiple Slash: YES alert: NO
      IIS Backslash: YES alert: NO
      Directory Traversal: YES alert: NO
      Web Root Traversal: YES alert: YES
      Apache WhiteSpace: YES alert: NO
      IIS Delimiter: YES alert: NO
      IIS Unicode Map: GLOBAL IIS UNICODE MAP CONFIG
      Non-RFC Compliant Characters: NONE
      Whitespace Characters: 0x09 0x0b 0x0c 0x0d
rpc_decode arguments:
    Ports to decode RPC on: 111 32771
    alert_fragments: INACTIVE
    alert_large_fragments: ACTIVE
    alert_incomplete: ACTIVE
    alert_multiple_requests: ACTIVE
Portscan Detection Config:
    Detect Protocols:  TCP UDP ICMP IP
    Detect Scan Type:  portscan portsweep decoy_portscan distributed_portscan
    Sensitivity Level: Low
    Memcap (in bytes): 10000000
    Number of Nodes:   36900

Tagged Packet Limit: 256

+-----------------------[thresholding-config]----------------------------------
| memory-cap : 1048576 bytes
+-----------------------[thresholding-global]----------------------------------
| none
+-----------------------[thresholding-local]-----------------------------------
| none
+-----------------------[suppression]------------------------------------------
| none
-------------------------------------------------------------------------------
Rule application order: activation->dynamic->pass->drop->alert->log
Log directory = /var/log/snort
Loading dynamic engine /usr/lib/snort_dynamicengine/libsf_engine.so... done
Loading all dynamic preprocessor libs from /usr/lib/snort_dynamicpreprocessor/...
  Loading dynamic preprocessor library /usr/lib/snort_dynamicpreprocessor//libsf_dns_preproc.so... done
  Loading dynamic preprocessor library /usr/lib/snort_dynamicpreprocessor//libsf_ftptelnet_preproc.so... done
  Loading dynamic preprocessor library /usr/lib/snort_dynamicpreprocessor//libsf_smtp_preproc.so... done
  Loading dynamic preprocessor library /usr/lib/snort_dynamicpreprocessor//libsf_dcerpc_preproc.so... done
  Loading dynamic preprocessor library /usr/lib/snort_dynamicpreprocessor//libsf_ssh_preproc.so... done
  Finished Loading all dynamic preprocessor libs from /usr/lib/snort_dynamicpreprocessor/
FTPTelnet Config:
    GLOBAL CONFIG
      Inspection Type: stateful
      Check for Encrypted Traffic: YES alert: YES
      Continue to check encrypted data: NO
    TELNET CONFIG:
      Ports: 23
      Are You There Threshold: 200
      Normalize: YES
      Detect Anomalies: NO
    FTP CONFIG:
      FTP Server: default
        Ports: 21
        Check for Telnet Cmds: YES alert: YES
        Identify open data channels: YES
      FTP Client: default
        Check for Bounce Attacks: YES alert: YES
        Check for Telnet Cmds: YES alert: YES
        Max Response Length: 256
SMTP Config:
      Ports: 25
      Inspection Type:            STATEFUL
      Normalize Spaces:           YES
      Ignore Data:                NO
      Ignore TLS Data:            NO
      Ignore Alerts:              NO
      Max Command Length:         0
      Max Header Line Length:     0
      Max Response Line Length:   0
      X-Link2State Alert:         YES
      Drop on X-Link2State Alert: NO

DCE/RPC Decoder config:
    Autodetect ports ENABLED
    SMB fragmentation ENABLED
    DCE/RPC fragmentation ENABLED
    Max Frag Size: 3000 bytes
    Memcap: 100000 KB
    Alert if memcap exceeded DISABLED

DNS config:
    DNS Client rdata txt Overflow Alert: ACTIVE
    Obsolete DNS RR Types Alert: INACTIVE
    Experimental DNS RR Types Alert: INACTIVE
    Ports: 53

+++++++++++++++++++++++++++++++++++++++++++++++++++
Initializing rule chains...
3382 Snort rules read
    3382 detection rules
    0 decoder rules
    0 preprocessor rules
3382 Option Chains linked into 263 Chain Headers
0 Dynamic rules
+++++++++++++++++++++++++++++++++++++++++++++++++++

Verifying Preprocessor Configurations!
Warning: flowbits key 'realplayer.playlist' is checked but not ever set.
Warning: flowbits key 'smb.tree.create.llsrpc' is set but not ever checked.
Warning: flowbits key 'ms_sql_seen_dns' is checked but not ever set.
Warning: flowbits key 'community_uri.size.1050' is set but not ever checked.
37 out of 512 flowbits in use.
***
*** interface device lookup found: eth0
***

Initializing Network Interface eth0
Decoding Ethernet on interface eth0
Preprocessor/Decoder Rule Count: 0
+--[Pattern Matcher:Aho-Corasick Summary]----------------------
| Alphabet Size    : 256 Chars
| Sizeof State     : 2 bytes
| Storage Format   : Full
| Num States       : 148353
| Num Transitions  : 4107188
| State Density    : 10.8%
| Finite Automatum : DFA
| Memory           : 120.96Mbytes
+-------------------------------------------------------------
+-[AC-BNFA Search Info Summary]------------------------------
| Instances        : 2
| Patterns         : 50
| Pattern Chars    : 245
| Num States       : 203
| Num Match States : 50
| Memory           :   6.87Kbytes
|   Patterns       :   1.21K
|   Match Lists    :   1.19K
|   Transitions    :   4.30K
+-------------------------------------------------

        --== Initialization Complete ==--

   ,,_     -*> Snort! <*-
  o"  )~   Version 2.7.0 (Build 35)  
   ''''    By Martin Roesch & The Snort Team: http://www.snort.org/team.html
           (C) Copyright 1998-2007 Sourcefire Inc., et al.

           Rules Engine: SF_SNORT_DETECTION_ENGINE  Version 1.6  <Build 11>
           Preprocessor Object: SF_SSH  Version 1.0  <Build 1>
           Preprocessor Object: SF_DCERPC  Version 1.0  <Build 4>
           Preprocessor Object: SF_SMTP  Version 1.0  <Build 7>
           Preprocessor Object: SF_FTPTELNET  Version 1.0  <Build 10>
           Preprocessor Object: SF_DNS  Version 1.0  <Build 2>
Not Using PCAP_FRAMES
0
 

Author Comment

by:scripttron75
ID: 24360371
Louis good news after reformating works now, i am on this part:

echo "#EmergingThreats.net Rules" >> /etc/snort/snort.conf
0
 

Author Comment

by:scripttron75
ID: 24360437
i know what the issue was, the snort.conf file at the end with the emerging threats RULES_PATH was not commented all of them have to be commented.
0
 

Author Comment

by:scripttron75
ID: 24360752
i have gone thru all of it and it is now working.  no failure we need to install the GUI for snort?
0
 

Author Comment

by:scripttron75
ID: 24360755
Louis please dont give up on me. we can do this
0
 
LVL 5

Expert Comment

by:louislietaer
ID: 24362251
Sorry,I was busy yesterday

well done, for which gui you want to go ?
0
 

Author Comment

by:scripttron75
ID: 24365685
the Gui that you said was better than BASE?
0
 

Author Comment

by:scripttron75
ID: 24365700
also install something to log packets that are incoming like mysql?  lets do the GUI first and get that going and then i will post a screen shot.
0
 

Author Comment

by:scripttron75
ID: 24368931
you sent me a link for activeworx.org can you help me get this installed and also log packets to a database?  also if we are using a database dont we have to worry about how large the database will become?
0
 

Author Comment

by:scripttron75
ID: 24376586
Louis, please let me know when you are available to help me finish this installation. Thank you
0
 
LVL 5

Expert Comment

by:louislietaer
ID: 24470968
Hello,

I am now available, what is going on ?
0
 

Author Comment

by:scripttron75
ID: 24487609
Louis, I went with an easy solution to the install; it is called EasyIDS. It is CentOS with no GUI, and snort is installed with everything. The only thing now is to figure out how it works.
0
 

Author Comment

by:scripttron75
ID: 24577740
Louis, I would love to give you the points, but do you know EasyIDS? If you do, great, give me some pointers.
0
 

Author Closing Comment

by:scripttron75
ID: 31575169
did not complete installation
0
