Solved

gui for snort and database ubuntu

Posted on 2009-05-13
Last Modified: 2013-11-29
I have recently installed Snort with oinkmaster and Emerging Threats rules on my Ubuntu 8.04 desktop installation. I need to know what GUI and database I should use and get it up and running, and also confirm that oinkmaster is updating the rules?
Question by:scripttron75

Expert Comment

by:hfraser
ID: 24381218
Most people go with a mysql database, and use BASE for viewing the events.

If you're using oinkmaster to update the rules, you'll need to script a check of the log file it creates to see if snort needs to be restarted to incorporate the new rules. Oinkmaster doesn't restart snort on its own.

Author Comment

by:scripttron75
ID: 24381352
Thanks for that, hfraser, but I need more details: how to install MySQL now, configure it and check to see if it is running correctly, and also how to install and use BASE. I need command sequences.

Expert Comment

by:hfraser
ID: 24383414
There are several well-written guides on the Snort web site that will walk you through the steps to get snort-mysql and BASE running. Here's one I'd suggest.

http://www.snort.org/docs/setup_guides/Snort_Base_Minimal.pdf

I haven't done an install on Ubuntu, so there may be some minor differences in directory structure. The guide is directed towards Fedora and CentOS.
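
The command sequence the question asks for, written out as an added example; it is not from the thread or from the guide linked above. It targets the Debian/Ubuntu snort-mysql package: the package name, the create_mysql.gz schema location and the db-pending-config flag file are what that package shipped at the time (stated from memory, so confirm the paths on your system), and the database name, user and password are placeholders. The preflight function checks the three things that most often leave snort-mysql silently not logging, and runs offline on any directory laid out like /etc/snort.

```shell
#!/bin/sh
# Added example, not from the thread or the Snort project: set up snort-mysql on a
# Debian/Ubuntu-style system and check the result before starting Snort.
# DB_NAME, DB_USER and DB_PASS are placeholders (assumptions); override via environment.
set -u

SNORT_ETC=${SNORT_ETC:-/etc/snort}
DB_NAME=${DB_NAME:-snort}
DB_USER=${DB_USER:-snort}
DB_PASS=${DB_PASS:-change-me}

# One-time setup, run as root with "--setup". The sensor user gets only what logging
# needs (INSERT, SELECT, UPDATE): a compromised sensor then cannot delete its own events.
setup_db() {
    apt-get install -y mysql-server snort-mysql
    mysql -u root -p <<EOF
CREATE DATABASE IF NOT EXISTS $DB_NAME;
GRANT INSERT, SELECT, UPDATE ON $DB_NAME.* TO '$DB_USER'@'localhost' IDENTIFIED BY '$DB_PASS';
FLUSH PRIVILEGES;
EOF
    # Schema shipped with the package (assumed path; check with dpkg -L snort-mysql).
    zcat /usr/share/doc/snort-mysql/create_mysql.gz | mysql -u root -p "$DB_NAME"
    printf 'output database: log, mysql, user=%s password=%s dbname=%s host=localhost\n' \
        "$DB_USER" "$DB_PASS" "$DB_NAME" >>"$SNORT_ETC/snort.conf"
    chmod 640 "$SNORT_ETC/snort.conf"       # the file now holds the database password
    rm -f "$SNORT_ETC/db-pending-config"     # the package's "database not configured yet" flag
    /etc/init.d/snort restart
}

# Preflight: prints one line per problem found in an /etc/snort-style directory, or "ok".
# Returns 1 if anything was reported so it can gate a restart in a script.
db_preflight() {
    etc=$1; problems=0
    if [ -e "$etc/db-pending-config" ]; then
        echo "db-pending-config still present: snort-mysql will refuse to start"; problems=1
    fi
    if ! grep -q '^output database:' "$etc/snort.conf" 2>/dev/null; then
        echo "no 'output database:' line in snort.conf"; problems=1
    fi
    if [ -e "$etc/snort.conf" ] && find "$etc/snort.conf" -perm -004 | grep -q .; then
        echo "snort.conf is world-readable and holds the database password"; problems=1
    fi
    [ "$problems" -eq 0 ] && echo ok
    return "$problems"
}

# Proof that events are arriving: run after some traffic has passed the sensor.
count_events() {
    mysql -u "$DB_USER" -p"$DB_PASS" "$DB_NAME" -N -e 'SELECT COUNT(*) FROM event;'
}

case "${1:-}" in
    --setup) setup_db ;;
    --count) count_events ;;
    *)       db_preflight "$SNORT_ETC" ;;
esac
```

BASE needs a second, wider grant of its own (SELECT plus DELETE for purging alerts and CREATE for the tables its setup page adds), so do not reuse the sensor's credentials in base_conf.php; giving the sensor a user that cannot delete is the point of the narrow GRANT above.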

Author Comment

by:scripttron75
ID: 24386375
I have already done the Snort install with oinkmaster. I just need to confirm that oinkmaster is updating correctly; how do I do this? I guess I should just follow the guide up to MySQL.

Expert Comment

by:hfraser
ID: 24388445
Save the output from oinkmaster, which will contain information about added / updated / deleted rules. I generally trust oinkmaster to do its job, and only check the log file for a failure. Since there might not be any changes to the ruleset when you run oinkmaster, a lack of changes to the snort rules files doesn't necessarily mean it didn't work. So checking the log file is the only accurate way.

#!/bin/sh
# Run oinkmaster and capture everything it prints (stdout and stderr) into a log file.
./oinkmaster.pl -o /etc/snort/rules -C /etc/oinkmaster.conf >/tmp/oink.log 2>&1

# If the log contains an error (e.g. the rules download failed), mail the log and stop.
if grep -q Error /tmp/oink.log; then
      mail -s "Oinkmaster download failed" your-email-address@your-site </tmp/oink.log
      exit 1
fi
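
A fuller version of the check hfraser describes in his first comment and this one (mail on failure, and restart Snort yourself because Oinkmaster will not), as an added example that is not from the thread. Paths, the Oinkmaster location, the mail address and the "Error:" marker (the text Oinkmaster prints when it aborts) are assumptions; the rule lines and log lines in the demo are constructed. Rather than parsing Oinkmaster's summary, it decides whether to restart by comparing checksums of the rules files before and after the run, and only restarts after `snort -T` confirms the new ruleset parses.

```shell
#!/bin/sh
# Added example (not from the thread): cron job that runs Oinkmaster, mails the log on
# failure, and restarts Snort only when a rules file actually changed and the new
# configuration passes snort -T. All paths and the mail address are assumptions.
set -u

RULES_DIR=${RULES_DIR:-/etc/snort/rules}
OINK_CONF=${OINK_CONF:-/etc/oinkmaster.conf}
SNORT_CONF=${SNORT_CONF:-/etc/snort/snort.conf}
OINKMASTER=${OINKMASTER:-./oinkmaster.pl}
MAIL_TO=${MAIL_TO:-your-email-address@your-site}

# One checksum line per .rules file, sorted, so two snapshots compare as plain strings.
# Comparing files keeps the restart decision independent of Oinkmaster's output format.
snapshot_rules() {
    ( cd "$1" 2>/dev/null && cksum ./*.rules 2>/dev/null | sort )
}

# "error" if the Oinkmaster log contains its abort marker (assumed to be "Error:"), else "ok".
oink_result() {
    if grep -q 'Error:' "$1"; then echo error; else echo ok; fi
}

# "changed" if the before/after snapshots differ, else "unchanged".
rules_state() {
    if [ "$1" = "$2" ]; then echo unchanged; else echo changed; fi
}

# The real update: run Oinkmaster, then act on the outcome.
update_rules() {
    log=$(mktemp) || exit 1        # unpredictable name, unlike a fixed /tmp/oink.log
    before=$(snapshot_rules "$RULES_DIR")
    "$OINKMASTER" -o "$RULES_DIR" -C "$OINK_CONF" >"$log" 2>&1
    after=$(snapshot_rules "$RULES_DIR")

    if [ "$(oink_result "$log")" = error ]; then
        mail -s "Oinkmaster download failed on $(hostname)" "$MAIL_TO" <"$log"
        rm -f "$log"
        exit 1
    fi
    if [ "$(rules_state "$before" "$after")" = changed ]; then
        # Reload only if the new ruleset parses; a bad rule would otherwise take the IDS down.
        if snort -T -c "$SNORT_CONF" >>"$log" 2>&1; then
            /etc/init.d/snort restart >>"$log" 2>&1
        else
            mail -s "New Snort rules fail snort -T on $(hostname)" "$MAIL_TO" <"$log"
        fi
    fi
    rm -f "$log"
}

# "--run" does the real update (for cron); with no argument, exercise the checks on
# constructed data so the script can be tried without Oinkmaster or Snort installed.
if [ "${1:-}" = "--run" ]; then
    update_rules
else
    demo=$(mktemp -d) || exit 1
    printf 'alert tcp any any -> any 80 (msg:"demo"; sid:1000001; rev:1;)\n' >"$demo/local.rules"
    s1=$(snapshot_rules "$demo")
    printf 'alert tcp any any -> any 80 (msg:"demo"; sid:1000001; rev:2;)\n' >"$demo/local.rules"
    s2=$(snapshot_rules "$demo")
    echo "rules after edit: $(rules_state "$s1" "$s2")"    # changed
    printf 'oinkmaster.pl: Error: unable to download rules\n' >"$demo/oink.log"
    echo "log check: $(oink_result "$demo/oink.log")"      # error
    rm -rf "$demo"
fi
```

Install it as a root cron entry such as `17 3 * * * /usr/local/sbin/update-snort-rules.sh --run`; the mktemp log replaces the fixed /tmp/oink.log from the comment above because a predictable file name in a world-writable directory can be pre-created or symlinked by any local user.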

Author Comment

by:scripttron75
ID: 24389726
Thank you for that, hfraser. I ran the command you gave me:

./oinkmaster.pl -o /etc/snort/rules -C /etc/oinkmaster.conf >/tmp/oink.log 2>&1

What is this, though?

if grep -q Error /tmp/oink.log; then
      mail -s "Oinkmaster download failed" your-email-address@your-site </tmp/oink.log
      exit 1
fi

Also, how do I install Sguil?

Expert Comment

by:hfraser
ID: 24391795
I should have explained. This is a little script to do the check I suggested. It checks the log file created by oinkmaster (/tmp/oink.log). If there are any errors, such as being unable to connect to the site, it sends an email.

I haven't used Sguil. I find BASE is good for analyzing Snort events, and for more sophisticated IDS I've used OSSIM.

Author Comment

by:scripttron75
ID: 24392058
OK, thanks for that. So how do I install BASE?

Accepted Solution

by:hfraser (earned 500 total points)
ID: 24393850
There are several steps involved in doing the BASE install. They're all included in the link I posted, which includes a section specifically for installing BASE.

Author Comment

by:scripttron75
ID: 24443328
I found an easier solution for now: I went with EasyIDS. I am going to give this a try and work with it.