Solved

gui for snort and database ubuntu

Posted on 2009-05-13
10
1,408 Views
Last Modified: 2013-11-29
I have recently installed snort with oinkmaster and Emerging Threats rules on my Ubuntu 8.04 desktop installation. I need to know what GUI and database I should use and how to get it up and running, and also how to confirm that oinkmaster is updating the rules.
0
Comment
Question by:scripttron75
10 Comments
 
LVL 12

Expert Comment

by:hfraser
Most people go with a mysql database, and use BASE for viewing the events.

If you're using oinkmaster to update the rules, you'll need to script a check of the log file it creates to see if snort needs to be restarted to incorporate the new rules. Oinkmaster doesn't restart snort on its own.
0
 

Author Comment

by:scripttron75
Thanks for that, hfraser, but I need more details: how to install MySQL now, configure it and check that it is running correctly, and also how to install and use BASE. I need command sequences.
0
 
LVL 12

Expert Comment

by:hfraser
There are several well-written guides on the Snort web site that will walk you through the steps to get snort-mysql and BASE running. Here's one I'd suggest.

http://www.snort.org/docs/setup_guides/Snort_Base_Minimal.pdf

I haven't done an install on Ubuntu, so there may be some minor differences in directory structure. The guide is directed towards Fedora and Centos.
0
 

Author Comment

by:scripttron75
I have already done the snort install with oinkmaster. I just need to confirm that oinkmaster is updating correctly; how do I do this? I guess I should just follow the guide up to MySQL.
0
 
LVL 12

Expert Comment

by:hfraser
Save the output from oinkmaster, which will contain information about added / updated / deleted rules. I generally trust oinkmaster to do its job, and only check the logfile for a failure. Since there might not be any changes to the ruleset when you run oinkmaster, a lack of changes to the snort rules files doesn't necessarily mean it didn't work. So checking the log file is the only accurate way.

# Run oinkmaster and capture both stdout and stderr in a log file
./oinkmaster.pl -o /etc/snort/rules -C /etc/oinkmaster.conf >/tmp/oink.log 2>&1

# If the log contains any "Error" line, mail the log to the admin and stop
if [ `grep Error /tmp/oink.log | wc -l` -gt 0 ]; then
      mail -s "Oinkmaster download failed" your-email-address@your-site </tmp/oink.log
      exit 1
fi
0
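The two checks hfraser describes (spotting a failed run from the log, and restarting snort only when the rule set actually changed, since oinkmaster never restarts it) can be combined in one cron-friendly wrapper. This is an added example, not code from the thread; it assumes oinkmaster's usual report layout ("Error:" lines on failure, report sections whose first non-blank line is "None." when nothing changed), and the mail address and init script path are placeholders.

```shell
#!/bin/sh
# Post-run check for an oinkmaster log saved with ">/tmp/oink.log 2>&1".
# Prints "failed", "changed" or "unchanged"; returns 1 only for "failed".
# Assumed log layout (verify against your oinkmaster version): a line starting
# "Error:" on a download/processing failure; report sections headed
# "[*] Rules modifications: [*]", "[*] Non-rule line modifications: [*]" and
# "[+] Added files ...: [+]" whose first non-blank line is "None." when unchanged.
oink_decision() {
    log="$1"
    if grep -q '^Error' "$log"; then
        echo failed
        return 1
    fi
    # Count report sections whose first non-blank body line is not "None."
    changed=$(awk '
        /^\[\*\] .*modifications: \[\*\]/ || /^\[\+\] Added files/ { insec = 1; next }
        insec && NF { if ($0 !~ /^[[:space:]]*None\.[[:space:]]*$/) n++; insec = 0 }
        END { print n + 0 }' "$log")
    if [ "$changed" -gt 0 ]; then
        echo changed
    else
        echo unchanged
    fi
    return 0
}

# Cron wrapper built on the decision (paths and address are placeholders):
# alert on failure, restart snort only when rules were added/modified/removed.
oink_update() {
    oinkmaster.pl -o /etc/snort/rules -C /etc/oinkmaster.conf >/tmp/oink.log 2>&1
    case "$(oink_decision /tmp/oink.log)" in
        failed)  mail -s "Oinkmaster download failed" admin@example.invalid </tmp/oink.log ;;
        changed) /etc/init.d/snort restart ;;   # Ubuntu 8.04 init script
    esac
}
```

Keep the per-run log around (or rotate it) so a "failed" result can be investigated after the mail arrives.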

 

Author Comment

by:scripttron75
Thank you for that, hfraser. I did that command you gave me:

./oinkmaster.pl -o /etc/snort/rules -C /etc/oinkmaster.conf >/tmp/oink.log 2>&1

What is this, though?

if [ `grep Error /tmp/oink.log | wc -l` -gt 0 ]; then
      mail -s "Oinkmaster download failed" your-email-address@your-site
      exit
fi

Also, how do I install Sguil?
0
 
LVL 12

Expert Comment

by:hfraser
I should have explained. This is a little script to do the check I suggested. It checks the log file created by oinkmaster (/tmp/oink.log). If there are any errors, such as being unable to connect to the site, it sends an email.

I haven't used Sguil. I find BASE is good for analyzing Snort events, and for more sophisticated IDS I've used OSSIM.
0
 

Author Comment

by:scripttron75
OK, thanks for that. So how do I install BASE?
0
 
LVL 12

Accepted Solution

by: hfraser (earned 500 total points)
There are several steps involved in doing the BASE install. They're all included in the link I posted, which includes a section specifically for installing BASE.
0
 

Author Comment

by:scripttron75
I found an easier solution for now: I went with EasyIDS. I am going to give this a try and work with it.
0
