GUI for Snort and database on Ubuntu

I have recently installed Snort with Oinkmaster and Emerging Threats rules on my Ubuntu 8.04 desktop installation. I need to know what GUI and database I should use and how to get them up and running, and also how to confirm that Oinkmaster is updating the rules.
Asked by scripttron75

Hugh Fraser (Consultant) commented:
Most people go with a MySQL database and use BASE for viewing the events.

If you're using oinkmaster to update the rules, you'll need to script a check of the log file it creates to see if snort needs to be restarted to incorporate the new rules. Oinkmaster doesn't restart snort on its own.
scripttron75 (Author) commented:
Thanks for that, hfraser, but I need more details: how to install MySQL now, configure it and check that it is running correctly, and also how to install and use BASE. I need command sequences.
Hugh Fraser (Consultant) commented:
There are several well-written guides on the Snort web site that will walk you through the steps to get snort-mysql and BASE running. Here's one I'd suggest.

http://www.snort.org/docs/setup_guides/Snort_Base_Minimal.pdf

I haven't done an install on Ubuntu, so there may be some minor differences in directory structure. The guide is directed towards Fedora and CentOS.
scripttron75 (Author) commented:
I have already done the Snort install with Oinkmaster. I just need to confirm whether Oinkmaster is updating correctly; how do I do this? I guess I should just follow the guide up to MySQL.
Hugh Fraser (Consultant) commented:
Save the output from oinkmaster, which will contain information about added / updated / deleted rules. I generally trust oinkmaster to do its job, and only check the logfile for a failure. Since there might not be any changes to the ruleset when you run oinkmaster, a lack of changes to the snort rules files doesn't necessarily mean it didn't work. So checking the log file is the only accurate way.

./oinkmaster.pl -o /etc/snort/rules -C /etc/oinkmaster.conf >/tmp/oink.log 2>&1

# Any "Error" line in the log means the run failed (for example, the download).
if grep -q Error /tmp/oink.log; then
      # Send the log itself as the mail body so the message shows the cause.
      mail -s "Oinkmaster download failed" your-email-address@your-site </tmp/oink.log
      exit 1
fi
scripttron75 (Author) commented:
Thank you for that, hfraser. I ran the command you gave me:

./oinkmaster.pl -o /etc/snort/rules -C /etc/oinkmaster.conf >/tmp/oink.log 2>&1

What is this, though?

if grep -q Error /tmp/oink.log; then
      mail -s "Oinkmaster download failed" your-email-address@your-site </tmp/oink.log
      exit 1
fi

Also, how do I install Sguil?
Hugh Fraser (Consultant) commented:
I should have explained. This is a little script to do the check I suggested. It checks the log file created by oinkmaster (/tmp/oink.log). If there are any errors, such as being unable to connect to the site, it sends an email.

I haven't used Sguil. I find BASE is good for analyzing Snort events, and for more sophisticated IDS I've used OSSIM.
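Putting Hugh Fraser's two points together (from his first reply, that Oinkmaster does not restart snort so something has to notice when the rules changed, and from the script above, that an "Error" line in the log is the sign of a failed download), here is an added shell example. It is not from the thread, from Oinkmaster or from Snort. It fingerprints the rules directory before and after the run, so a restart is triggered by an actual change to the rule files rather than by parsing Oinkmaster's summary, and it still treats any "Error" line as a failure and mails the log. The /etc/snort/rules and /tmp/oink.log paths and the grep follow the snippet above; the init script path, the ALERT_TO address and the sample log text are assumptions constructed for this example.

```sh
#!/bin/sh
# Added example (not from the thread): after an oinkmaster run, decide whether
# the download failed, whether the rule set changed (snort must be restarted),
# or whether nothing needs doing.
# Assumptions: the "Error" wording and the paths follow the thread's snippet;
# the init script location, ALERT_TO and all sample log text are constructed.

OINK_LOG=${OINK_LOG:-/tmp/oink.log}
RULES_DIR=${RULES_DIR:-/etc/snort/rules}
ALERT_TO=${ALERT_TO:-your-email-address@your-site}

# Constructed sample logs, loosely modelled on an oinkmaster summary.
SAMPLE_LOG_NOCHANGE='[***] Results from Oinkmaster (constructed sample) [***]
No changes to rules.'
SAMPLE_LOG_FAILED='[***] Results from Oinkmaster (constructed sample) [***]
Error: unable to download rules archive.'

# Fingerprint of a rules directory: checksum every *.rules file, sort the list
# so the order is stable, then checksum the list itself. Any add, delete or
# edit of a rule file changes the result, whatever the log says.
rules_fingerprint() {
    find "$1" -type f -name '*.rules' -exec cksum {} + | LC_ALL=C sort | cksum | cut -d' ' -f1
}

# Exit status 0 if the oinkmaster log reports an error (the thread's grep,
# without the wc -l round trip).
log_has_error() {
    grep -q 'Error' "$1"
}

# Combine the two signals into one word on stdout:
#   failed  - the log reports an error: keep the current rules and alert
#   restart - no error and the rule set changed: snort must reload the rules
#   noop    - no error and nothing changed
decide_action() {
    log=$1
    before=$2
    after=$3
    if log_has_error "$log"; then
        echo failed
    elif [ "$before" != "$after" ]; then
        echo restart
    else
        echo noop
    fi
}

# The real cron job: fingerprint, update, fingerprint again, act on the result.
run_update() {
    before=$(rules_fingerprint "$RULES_DIR")
    ./oinkmaster.pl -o "$RULES_DIR" -C /etc/oinkmaster.conf >"$OINK_LOG" 2>&1
    after=$(rules_fingerprint "$RULES_DIR")
    case $(decide_action "$OINK_LOG" "$before" "$after") in
        failed)
            # The log becomes the mail body, so the alert shows the cause.
            mail -s "Oinkmaster download failed" "$ALERT_TO" <"$OINK_LOG"
            return 1 ;;
        restart)
            /etc/init.d/snort restart ;;   # assumed init script location
        noop)
            : ;;
    esac
}

# Offline demonstration with the constructed logs and a scratch rules directory.
demo() {
    tmp=$(mktemp -d)
    mkdir "$tmp/rules"
    echo 'alert tcp any any -> any 80 (msg:"constructed rule"; sid:1000001;)' >"$tmp/rules/local.rules"
    printf '%s\n' "$SAMPLE_LOG_NOCHANGE" >"$tmp/ok.log"
    printf '%s\n' "$SAMPLE_LOG_FAILED" >"$tmp/fail.log"

    before=$(rules_fingerprint "$tmp/rules")
    echo "unchanged rules, clean log: $(decide_action "$tmp/ok.log" "$before" "$before")"
    echo 'alert tcp any any -> any 443 (msg:"second constructed rule"; sid:1000002;)' >>"$tmp/rules/local.rules"
    after=$(rules_fingerprint "$tmp/rules")
    echo "edited rules, clean log:    $(decide_action "$tmp/ok.log" "$before" "$after")"
    echo "failed download:            $(decide_action "$tmp/fail.log" "$before" "$after")"
    rm -rf "$tmp"
}

# "sh check_oink.sh" runs the offline demo; "sh check_oink.sh run" does the real update.
case "${1:-demo}" in
    run)  run_update ;;
    demo) demo ;;
esac
```

The fingerprint approach is deliberately independent of Oinkmaster's output format: a version that only greps for "Added rules" would miss a rule file that was edited in place, and would misfire if the summary wording ever changed.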
scripttron75 (Author) commented:
OK, thanks for that. So how do I install BASE?
Hugh Fraser (Consultant) commented:
There are several steps involved in doing the BASE install. They're all included in the link I posted, which includes a section specifically for installing BASE.
scripttron75 (Author) commented:
I found an easier solution for now; I went with EasyIDS. I am going to give this a try and work with it.