Solved

gui for snort and database ubuntu

Posted on 2009-05-13
Last Modified: 2013-11-29
I have recently installed Snort with oinkmaster and Emerging Threats rules on my Ubuntu 8.04 desktop installation. I need to know what GUI and database I should use, how to get them up and running, and also how to confirm that oinkmaster is updating the rules.
Question by:scripttron75
10 Comments
 
LVL 12

Expert Comment

by:hfraser
ID: 24381218
Most people go with a mysql database, and use BASE for viewing the events.

If you're using oinkmaster to update the rules, you'll need to script a check of the log file it creates to see if snort needs to be restarted to incorporate the new rules. Oinkmaster doesn't restart snort on its own.
 

Author Comment

by:scripttron75
ID: 24381352
Thanks for that, hfraser, but I need more details: how to install MySQL now, configure it and check that it is running correctly, and also how to install and use BASE. I need command sequences.
 
LVL 12

Expert Comment

by:hfraser
ID: 24383414
There are several well-written guides on the Snort web site that will walk you through the steps to get snort-mysql and BASE running. Here's one I'd suggest.

http://www.snort.org/docs/setup_guides/Snort_Base_Minimal.pdf

I haven't done an install on Ubuntu, so there may be some minor differences in directory structure. The guide is directed towards Fedora and Centos.
 

Author Comment

by:scripttron75
ID: 24386375
I have already done the Snort install with oinkmaster. I just need to confirm that oinkmaster is updating correctly; how do I do this? I guess I should just follow the guide up to MySQL.
 
LVL 12

Expert Comment

by:hfraser
ID: 24388445
Save the output from oinkmaster, which will contain information about added / updated / deleted rules. I generally trust oinkmaster to do its job, and only check the logfile for a failure. Since there might not be any changes to the ruleset when you run oinkmaster, a lack of changes to the Snort rules files doesn't necessarily mean it didn't work. So checking the log file is the only accurate way.

# Run oinkmaster and capture everything it prints (stdout and stderr) in a log file.
./oinkmaster.pl -o /etc/snort/rules -C /etc/oinkmaster.conf >/tmp/oink.log 2>&1

# If the log contains an error line (for example a failed download),
# mail the log to yourself and stop with a non-zero exit status.
if grep -q Error /tmp/oink.log; then
      mail -s "Oinkmaster download failed" your-email-address@your-site </tmp/oink.log
      exit 1
fi
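The two checks hfraser describes in this thread, a failure check on the oinkmaster log and a "did the rules change, so does Snort need a restart" check, wired into one script. This is an added example, not code from the thread, from oinkmaster or from Snort. It keeps the thread's grep for "Error" to detect a failed run, but decides whether Snort needs a restart by hashing the rules directory before and after the run rather than by parsing oinkmaster's summary, so it does not depend on the exact wording of that summary. The paths (/etc/snort/rules, /etc/oinkmaster.conf, /tmp/oink.log), the Ubuntu init script /etc/init.d/snort and the sample log lines are assumptions; the log lines are constructed for the offline demo, not copied from a real oinkmaster run.

```shell
#!/bin/sh
# Added example, not code from the thread, oinkmaster or Snort.
# Wraps an oinkmaster run so that
#  1. a failed download is reported by mail and Snort is NOT restarted on a
#     possibly half-updated ruleset, and
#  2. Snort is restarted only when the rule files actually changed.
# "Changed" is decided by hashing the rules directory before and after the run
# instead of parsing oinkmaster's summary text.
# All paths and commands below are assumptions for an Ubuntu 8.04 install.

RULES_DIR="${RULES_DIR:-/etc/snort/rules}"
OINK_CONF="${OINK_CONF:-/etc/oinkmaster.conf}"
OINK_LOG="${OINK_LOG:-/tmp/oink.log}"
OINKMASTER="${OINKMASTER:-./oinkmaster.pl}"
SNORT_INIT="${SNORT_INIT:-/etc/init.d/snort}"        # assumed init script
ALERT_TO="${ALERT_TO:-your-email-address@your-site}"

# One hash over the names and contents of every *.rules file in a directory.
# An added, removed or edited rule all change the result.
rules_fingerprint() {
    ( cd "$1" 2>/dev/null || exit 0
      for f in *.rules; do
          [ -f "$f" ] || continue
          printf '%s\n' "$f"
          cat "$f"
      done ) | md5sum | cut -d' ' -f1
}

# Exit 0 when the oinkmaster log reports an error (e.g. a failed download).
log_has_error() {
    grep -q 'Error' "$1"
}

# Classify a finished run from its log and the before/after fingerprints.
# Prints one word: failed, changed or unchanged.
classify_run() {
    logfile="$1"; before="$2"; after="$3"
    if log_has_error "$logfile"; then
        echo failed
    elif [ "$before" != "$after" ]; then
        echo changed
    else
        echo unchanged
    fi
}

# What cron should call. Not invoked by the offline demo below.
run_update() {
    before=$(rules_fingerprint "$RULES_DIR")
    "$OINKMASTER" -o "$RULES_DIR" -C "$OINK_CONF" >"$OINK_LOG" 2>&1
    after=$(rules_fingerprint "$RULES_DIR")
    case $(classify_run "$OINK_LOG" "$before" "$after") in
        failed)
            mail -s "Oinkmaster download failed" "$ALERT_TO" <"$OINK_LOG"
            return 1 ;;
        changed)
            "$SNORT_INIT" restart ;;
        unchanged)
            : ;;                     # nothing new, leave Snort running as is
    esac
}

# --- offline demo on constructed data (needs neither oinkmaster nor Snort) ---
demo() {
    tmp=$(mktemp -d)
    mkdir "$tmp/rules"
    printf 'alert tcp any any -> any 80 (msg:"demo"; sid:1000001; rev:1;)\n' >"$tmp/rules/local.rules"
    before=$(rules_fingerprint "$tmp/rules")

    # constructed log of a successful run, and a rule file that grew by one rule
    printf 'Loading /etc/oinkmaster.conf\n[+++] Added rules: [+++]\n' >"$tmp/ok.log"
    printf 'alert tcp any any -> any 443 (msg:"demo2"; sid:1000002; rev:1;)\n' >>"$tmp/rules/local.rules"
    after=$(rules_fingerprint "$tmp/rules")
    echo "update that changed a rule: $(classify_run "$tmp/ok.log" "$before" "$after")"

    # constructed log of a failed download: nothing was written, hash unchanged
    printf 'Error: Could not connect to the rules server\n' >"$tmp/fail.log"
    echo "failed download:            $(classify_run "$tmp/fail.log" "$after" "$after")"

    echo "run with nothing new:       $(classify_run "$tmp/ok.log" "$after" "$after")"
    rm -rf "$tmp"
}

demo
```

To use it from cron, replace the final `demo` call with `run_update` (or source the file and call `run_update` from your existing cron script). A failed run returns non-zero and mails the full log, which is what you want to read when the rules server is unreachable; a successful run with no changes leaves Snort alone, which is the case hfraser warns must not be mistaken for a failure.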
 

Author Comment

by:scripttron75
ID: 24389726
thank you for that hfraser, I did that command you gave me:

./oinkmaster.pl -o /etc/snort/rules -C /etc/oinkmaster.conf >/tmp/oink.log 2>&1

what is this though?

# If the log contains an error line (for example a failed download),
# mail the log to yourself and stop with a non-zero exit status.
if grep -q Error /tmp/oink.log; then
      mail -s "Oinkmaster download failed" your-email-address@your-site </tmp/oink.log
      exit 1
fi

Also, how do I install Sguil?
 
LVL 12

Expert Comment

by:hfraser
ID: 24391795
I should have explained. This is a little script to do the check I suggested. It checks the log file created by oinkmaster (/tmp/oink.log). If there are any errors, such as being unable to connect to the site, it sends an email.

I haven't used Sguil. I find BASE is good for analyzing Snort events, and for more sophisticated IDS I've used OSSIM.
 

Author Comment

by:scripttron75
ID: 24392058
OK, thanks for that. So how do I install BASE?
 
LVL 12

Accepted Solution

by:hfraser (earned 500 total points)
ID: 24393850
There are several steps involved in doing the BASE install. They're all included in the link I posted, which includes a section specifically for installing BASE.
 

Author Comment

by:scripttron75
ID: 24443328
I found an easier solution for now: I went with EasyIDS. I am going to give this a try and work with it.