securitybreach Posted March 14, 2015

Well, first off, Linux is not vulnerable to any known virus, so an antivirus is useless on Linux unless you're running a mail server with Windows clients connecting to it. I understand the reasoning behind an IDS, but unless you're running a public webserver that generates a lot of traffic, iptables and a decent NAT router will suffice. When you do get Snort running like you want, you will not see very much activity in the logs unless they're failed attempts trying to hack Windows or Linux (drive-by attacks). It is up to you completely and we will give you as much help as you need, but I think it is overkill for a home user. Nothing is truly secure, and if you become a target, you can get hacked given time, and it doesn't matter what you are running.

Thanks for the info but I am very familiar with infosec and even went to school for it.

Now if you wanna have some fun, run a Honeypot and monitor it with an IDS. http://null-byte.wonderhowto.com/how-to/hack-like-pro-set-up-honeypot-avoid-them-0153391/
atiustira (Author) Posted March 14, 2015 (edited)

I found something interesting while poking around and contemplating the removal of barnyard2, the reinstall, and the install of Snorby, the web front end. It isn't an install manual per se. But if I run cd /var/log/snort and then sudo u2spewfoo snort.log from the /var/log/snort directory, then the u2 files that were there, and appeared to be just binary, now look like packet files! I found the u2spewfoo command here, under output modules: http://manual.snort....000000000000000

I used to read all the files daily long ago, about the time of the Bugbear virus. ClamAV has a program for making virus dats. The antivirus downloads these files, called updates, to be able to find a virus. They are unique pieces of code pertaining to that virus that cannot get your system infected, especially if you are running a Linux system. There were multiple strains of that virus. I submitted dats for the first and second strain. Between doing that, running computer repair, and a free tech advice/security web site/forum, for which I hand-coded the pages and did security front end and back end (I think it was phpBB that I installed), and being a member of 2 or more forums and DShield, I got lazy about looking through all the logs. Now that they have the ACID-based BASE, and Snorby, to help with the logs, I thought I would try it again. And I am thinking of running a mail server eventually, so I can submit logs to DShield. They compile a blacklist of attacking IPs from them. But that is another topic. http://marc.info/?l=dshield&m=106938877930908&w=2

Edited March 14, 2015 by atiustira
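The post above notes that u2spewfoo turns Snort's binary unified2 spool files into readable records. The following is an added example (not code from the thread, Snort or barnyard2) that does the same walk over a unified2 stream in Python: each record is an 8-byte header (type, length) followed by a body, and the two types a home IDS produces most are the legacy IDS event (type 7) and the packet record (type 2); the sample spool and its SID 1000001 are constructed here, and other record types are kept as raw bytes.

```python
import ipaddress
import struct

# Unified2 record types as defined in Snort's unified2 output format
UNIFIED2_PACKET = 2
UNIFIED2_IDS_EVENT = 7

# Every record starts with an 8-byte header (type, length), network byte order
HEADER = struct.Struct("!II")
# Legacy IDS event (type 7): 11 x uint32, 2 x uint16, 4 x uint8 = 52 bytes
IDS_EVENT = struct.Struct("!11I2H4B")
IDS_FIELDS = ("sensor_id", "event_id", "event_second", "event_microsecond",
              "signature_id", "generator_id", "signature_revision",
              "classification_id", "priority_id", "ip_source", "ip_destination",
              "sport_itype", "dport_icode", "protocol", "impact_flag",
              "impact", "blocked")
# Packet record (type 2): 7 x uint32 header, then packet_length bytes of frame
PACKET = struct.Struct("!7I")
PACKET_FIELDS = ("sensor_id", "event_id", "event_second", "packet_second",
                 "packet_microsecond", "linktype", "packet_length")


def parse_unified2(data: bytes) -> list:
    """Walk a unified2 byte stream and return a list of (type, fields) tuples."""
    records, off = [], 0
    while off + HEADER.size <= len(data):
        rtype, rlen = HEADER.unpack_from(data, off)
        body = data[off + HEADER.size: off + HEADER.size + rlen]
        if len(body) < rlen:
            # Snort may still be appending to the spool file; stop at a partial record
            raise ValueError(f"truncated record (type {rtype}) at offset {off}")
        if rtype == UNIFIED2_IDS_EVENT:
            rec = dict(zip(IDS_FIELDS, IDS_EVENT.unpack_from(body)))
            rec["ip_source"] = str(ipaddress.IPv4Address(rec["ip_source"]))
            rec["ip_destination"] = str(ipaddress.IPv4Address(rec["ip_destination"]))
        elif rtype == UNIFIED2_PACKET:
            rec = dict(zip(PACKET_FIELDS, PACKET.unpack_from(body)))
            rec["packet_data"] = body[PACKET.size:PACKET.size + rec["packet_length"]]
        else:
            rec = {"raw": body}          # extra-data and other types: keep bytes as-is
        records.append((rtype, rec))
        off += HEADER.size + rlen
    return records


def build_sample() -> bytes:
    """Constructed sample spool: one alert (local SID 1000001) plus its packet record."""
    event = IDS_EVENT.pack(1, 42, 1428622838, 0, 1000001, 1, 1, 29, 2,
                           int(ipaddress.IPv4Address("192.168.1.2")),
                           int(ipaddress.IPv4Address("192.168.1.1")),
                           5555, 80, 6, 0, 0, 0)
    frame = b"\x00" * 14                # placeholder Ethernet header, not a real capture
    packet = PACKET.pack(1, 42, 1428622838, 1428622838, 0, 1, len(frame)) + frame
    return (HEADER.pack(UNIFIED2_IDS_EVENT, len(event)) + event
            + HEADER.pack(UNIFIED2_PACKET, len(packet)) + packet)
```

Pointing parse_unified2 at the bytes of a real /var/log/snort/snort.log.* file gives the same fields u2spewfoo prints; a ValueError on the last record usually just means Snort has not finished writing it.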
atiustira (Author) Posted March 20, 2015

So how does one accomplish "completely starting over from scratch"?
securitybreach Posted March 20, 2015

Remove the packages and delete the configurations you edited.
atiustira (Author) Posted March 20, 2015

Should I uninstall apache2 and mysql too? And pear and DAQ?
securitybreach Posted March 20, 2015

I would, as it could be related to the issues, but it is hard to say as I have not set up snort in many years.
atiustira (Author) Posted March 20, 2015 (edited)

Uh oh! I have not set up snort in many years.

Wow, I was at the banging-my-head-on-the-keyboard phase when I started this thread. We worked through a lot of issues. Did they cover this when you had training in security? Because it seems like we got pretty far, but just didn't finish. Anyway, thanks.

Edited March 20, 2015 by atiustira
abarbarian Posted March 20, 2015

Did they cover this when you had training in security?

So his infamy is common knowledge all over the web then. Obviously he will not tell us where, how and who really trained him, or who he is spooking for. Or even if he is spooking. His second "job" has been discussed here before and he never cracked.
securitybreach Posted March 21, 2015

Uh oh! I have not set up snort in many years. Wow, I was at the banging-my-head-on-the-keyboard phase when I started this thread. We worked through a lot of issues. Did they cover this when you had training in security? Because it seems like we got pretty far, but just didn't finish. Anyway, thanks.

No real training, just years and years of using computers. I was big into security years ago (mostly greyhat stuff) and have been using Linux for about 12 years now, so accumulated knowledge.

Did they cover this when you had training in security? So his infamy is common knowledge all over the web then. Obviously he will not tell us where, how and who really trained him, or who he is spooking for. Or even if he is spooking. His second "job" has been discussed here before and he never cracked.

Please hire me!! I will work for a lot cheaper than other employees and probably have at least 5x the knowledge... I am more ashamed of my job than anything else, as it is not even close to what I should be doing/making (my job isn't even in the computer field).... And no, I am joking.
Guest LilBambi Posted March 21, 2015

Your day will come, Josh. In the meantime, there's no embarrassment in a job that puts food on the table, a roof over your head and pays your bills, and a few wants too.
securitybreach Posted March 21, 2015

Your day will come, Josh. In the meantime, there's no embarrassment in a job that puts food on the table, a roof over your head and pays your bills, and a few wants too.

Yeah, but I am barely able to do that each month....
abarbarian Posted March 21, 2015

Your day will come, Josh. In the meantime, there's no embarrassment in a job that puts food on the table, a roof over your head and pays your bills, and a few wants too.

Yeah, but I am barely able to do that each month....

Yeah, you have a tough choice ahead when you need to cut household costs. Which of the five monitors will have to go dark, I wonder.
securitybreach Posted March 21, 2015

Your day will come, Josh. In the meantime, there's no embarrassment in a job that puts food on the table, a roof over your head and pays your bills, and a few wants too.

Yeah, but I am barely able to do that each month....

Yeah, you have a tough choice ahead when you need to cut household costs. Which of the five monitors will have to go dark, I wonder.

Yeah, well, they go into energy saving mode when I am asleep or at work...
atiustira (Author) Posted March 22, 2015

Sorry to hear that, securitybreach. Do you have training in infosec? It pays to get some kind of certification (paper) to show what you know. When applying for work it is good to actually physically show up, not just submit a resume on the internet. I really hope things work out for you. You have been around and working with Linux for a long time.

So does anyone at all in this security and networking forum know how to troubleshoot a Snort, barnyard2, snort pulledpork, and BASE IDS system? I am still at the keyboard-marks-on-my-forehead phase.
securitybreach Posted March 22, 2015

I told you what to do.. reinstall it all by following this guide (which is exactly what you are trying to do): Snort 2.9.2.3 Installation Guide for Ubuntu 12.04, with Barnyard2, Pulledpork, and Aanv

Run through that guide and when you run into a problem, stop and tell us what the problem is. Heck, if you want, I will set this up in VirtualBox right now.
securitybreach Posted March 22, 2015

Wait... you do have two network adapters (NICs), right?
securitybreach Posted March 22, 2015

Wait... you do have two network interfaces, right?
atiustira (Author) Posted March 23, 2015

These are my network interfaces.

zina@zina-desktop:~$ sudo lshw -class network
  *-network:0
       description: Ethernet interface
       product: RTL-8100/8101L/8139 PCI Fast Ethernet Adapter
       vendor: Realtek Semiconductor Co., Ltd.
       physical id: 3
       bus info: pci@0000:02:03.0
       logical name: eth0
       version: 10
       serial: xxxxxxxxxxxxxxxxx
       size: 100Mbit/s
       capacity: 100Mbit/s
       width: 32 bits
       clock: 33MHz
       capabilities: pm bus_master cap_list ethernet physical tp mii 10bt 10bt-fd 100bt 100bt-fd autonegotiation
       configuration: autonegotiation=on broadcast=yes driver=8139too driverversion=0.9.28 duplex=full ip=192.168.1.2 latency=64 link=yes maxlatency=64 mingnt=32 multicast=yes port=MII speed=100Mbit/s
       resources: irq:21 ioport:dc00(size=256) memory:fddff000-fddff0ff
  *-network:1
       description: Network controller
       product: BCM4318 [AirForce One 54g] 802.11g Wireless LAN Controller
       vendor: Broadcom Corporation
       physical id: 9
       bus info: pci@0000:02:09.0
       version: 02
       width: 32 bits
       clock: 33MHz
       capabilities: bus_master
       configuration: driver=b43-pci-bridge latency=64
       resources: irq:17 memory:fddfc000-fddfdfff
atiustira (Author) Posted March 27, 2015

Hello securitybreach

I told you what to do.. reinstall it all by following this guide (which is exactly what you are trying to do): Snort 2.9.2.3 Installation Guide for Ubuntu 12.04, with Barnyard2, Pulledpork, and Aanv. Run through that guide and when you run into a problem, stop and tell us what the problem is. Heck, if you want, I will set this up in VirtualBox right now.

I ran into a problem with that guide.

apt-get install mysql-server nmap nbtscan apache2 php5 php5-mysql php5-gd libpcap0.8-dev libpcre3-

I have mysql-server nmap nbtscan apache2 php5 php5-mysql php5-gd libpcap0.8-dev libpcre3 already installed. I was doing some Ruby programming, and web work with apache2 and mysql. They are running fine. Also, I really like BASE more than Aanval or Snorby. Well, Snorby is ok, I guess. I think the problem there may be with the Ruby gem I am running in the other projects I am working on. Conflicts with using the right gem can become difficult. So those are problems.
securitybreach Posted March 27, 2015

I am kind of confused as to what your problem is. You said that you got stuck on installing some packages but then said that you already had them installed. If you already have them installed, move to the next step. As far as the gems, I highly doubt that one Ruby project would affect another.
Guest LilBambi Posted March 28, 2015

Not going to talk about my situation financially right now -- just too discouraging.
atiustira (Author) Posted April 3, 2015

Very sorry to hear about your financial situation, LilBambi. Is there anything I can do to help?
crp Posted April 7, 2015

Hi Lil Bambi, I am sure there are people here who would be willing to contribute to a GoFundMe or Patreon setup.
crp Posted April 7, 2015

Hello securitybreach. I told you what to do.. reinstall it all by following this guide (which is exactly what you are trying to do): Snort 2.9.2.3 Installation Guide for Ubuntu 12.04, with Barnyard2, Pulledpork, and Aanv. Run through that guide and when you run into a problem, stop and tell us what the problem is. Heck, if you want, I will set this up in VirtualBox right now. I ran into a problem with that guide. apt-get install mysql-server nmap nbtscan apache2 php5 php5-mysql php5-gd libpcap0.8-dev libpcre3- I have mysql-server nmap nbtscan apache2 php5 php5-mysql php5-gd libpcap0.8-dev libpcre3 already installed. I was doing some Ruby programming, and web work with apache2 and mysql. They are running fine. Also, I really like BASE more than Aanval or Snorby. Well, Snorby is ok, I guess. I think the problem there may be with the Ruby gem I am running in the other projects I am working on. Conflicts with using the right gem can become difficult. So those are problems.

There was a problem in doing the apt-get, or you are just concerned about a problem maybe occurring? apt-get will leave alone any package that is already installed at the same level or later, and will give you the option to replace older versions.

At this time I'm wondering if maybe dl'ing VirtualBox and installing the whole thing in there.
Guest LilBambi Posted April 9, 2015

Hi Lil Bambi, I am sure there are people here who would be willing to contribute to a GoFundMe or Patreon setup.

Hi crp, I have set up a GoFundMe campaign as you mentioned. http://www.gofundme.com/franparker I will post it in my status on the forums. Thanks for the suggestion.
crp Posted April 9, 2015

Hi Lil Bambi, I am sure there are people here who would be willing to contribute to a GoFundMe or Patreon setup. Hi crp, I have set up a GoFundMe campaign as you mentioned. http://www.gofundme.com/franparker I will post it in my status on the forums. Thanks for the suggestion.

Glad you took my advice. The 2nd part of GoFundMe is publicizing it if you have Facebook and/or Twitter.
Guest LilBambi Posted April 9, 2015

I put it on Twitter, thanks!
atiustira (Author) Posted April 10, 2015 (edited)

Hello crp

Actually I have narrowed the problem down even more. Snort is reading packets off of my eth0 and putting them in /var/log/snort/ in the u2 format that barnyard2 reads. Here is a screenshot of my BASE install connecting to MySQL on the snort database using the snort account. I am using a program called mytop, which is a top clone for MySQL, that shows the BASE connection. http://i.imgur.com/cJLbXXB.png

And I have found the error in PulledPork: by default it is set to download the paid rules, and not just the community rules. By commenting out the paid rules it will download the community rules. Otherwise it just fails without telling one why.

So since snort was troubleshot, and PulledPork also, what I did is set barnyard2 to output to syslog. http://i.imgur.com/w2MNwbf.png It looks like barnyard2 starts and reads the u2 files and the spool files and waldo file correctly. And then for some reason attempts to reinitiate, then crashes.

Apr 10 01:40:38 zina-desktop snort[3961]: FATAL ERROR: Failed to Lock PID File "/var/run//barnyard2_NULL.pid" for PID "3961"
Apr 10 01:40:38 zina-desktop snort[3961]: Barnyard2 exiting

So I then ran

zina@zina-desktop:~$ locate barnyard|grep etc/;
/etc/default/barnyard2
/etc/default/barnyard2~
/etc/init.d/barnyard2
/etc/init.d/runbarnyard2
/etc/rc0.d/K00runbarnyard2
/etc/rc0.d/K98barnyard2
/etc/rc1.d/K00runbarnyard2
/etc/rc1.d/K98barnyard2
/etc/rc2.d/S21runbarnyard2
/etc/rc2.d/S98barnyard2
/etc/rc3.d/S21runbarnyard2
/etc/rc3.d/S98barnyard2
/etc/rc4.d/S21runbarnyard2
/etc/rc4.d/S98barnyard2
/etc/rc5.d/S21runbarnyard2
/etc/rc5.d/S98barnyard2
/etc/rc6.d/K00runbarnyard2
/etc/rc6.d/K98barnyard2

And I was wondering which ones of those might be starting it the second time. Or how I could find out? Any ideas? Thank you.

Edited April 10, 2015 by atiustira
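The question above is which rc links start barnyard2 a second time, which is what produces the "Failed to Lock PID File" exit. Here is an added example (not code from the thread or from barnyard2) that answers it offline from the locate listing in the post: it parses SysV rc links into runlevel, action, priority and script name, and flags runlevels with more than one start link for what looks like the same daemon; the suffix-match rule (runbarnyard2 ends with barnyard2) is a heuristic chosen for this example, not SysV semantics.

```python
import re
from collections import defaultdict

# Constructed input: the `locate barnyard | grep etc/` listing shown in the post
RC_LISTING = """
/etc/default/barnyard2
/etc/default/barnyard2~
/etc/init.d/barnyard2
/etc/init.d/runbarnyard2
/etc/rc0.d/K00runbarnyard2
/etc/rc0.d/K98barnyard2
/etc/rc1.d/K00runbarnyard2
/etc/rc1.d/K98barnyard2
/etc/rc2.d/S21runbarnyard2
/etc/rc2.d/S98barnyard2
/etc/rc3.d/S21runbarnyard2
/etc/rc3.d/S98barnyard2
/etc/rc4.d/S21runbarnyard2
/etc/rc4.d/S98barnyard2
/etc/rc5.d/S21runbarnyard2
/etc/rc5.d/S98barnyard2
/etc/rc6.d/K00runbarnyard2
/etc/rc6.d/K98barnyard2
"""

# SysV rc link: /etc/rc<level>.d/<S|K><two-digit priority><script name>
RC_LINK = re.compile(r"^/etc/rc(?P<level>[0-6S])\.d/(?P<action>[SK])(?P<prio>\d{2})(?P<name>\S+)$")


def parse_rc_links(listing: str) -> list:
    """Return (level, action, priority, script) for every rc link in the listing."""
    links = []
    for line in listing.split():
        m = RC_LINK.match(line)
        if m:                      # /etc/default and /etc/init.d entries are skipped
            links.append((m["level"], m["action"], int(m["prio"]), m["name"]))
    return links


def find_double_starts(listing: str) -> dict:
    """Map each runlevel to start scripts that appear to launch the same daemon.
    Heuristic (an assumption, not SysV semantics): two names are the same service
    when one is a suffix of the other, e.g. 'runbarnyard2' and 'barnyard2'."""
    starts = defaultdict(list)
    for level, action, prio, name in parse_rc_links(listing):
        if action == "S":          # only S links run at boot into that runlevel
            starts[level].append((prio, name))
    doubles = {}
    for level, entries in starts.items():
        names = [name for _, name in sorted(entries)]   # boot order = priority order
        clashing = [n for n in names
                    if any(o != n and (o.endswith(n) or n.endswith(o)) for o in names)]
        if len(clashing) > 1:
            doubles[level] = clashing
    return doubles
```

For the listing in the post this reports runlevels 2 through 5, each starting runbarnyard2 (S21) and then barnyard2 (S98), so the second start is the one that finds the PID file already locked.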
crp Posted April 12, 2015

Maybe the log that keeps the system messages would tell you what tried to use PID 3961.
atiustira (Author) Posted April 14, 2015

Thanks crp. Looks like /etc/init.d/barnyard2 or /etc/init.d/runbarnyard2 from the syslog. That's what I love about open source code and Linux: you can read the code and work with it. In some other operating systems my first response would be uninstall and reinstall. But that's easy with exe files, and you don't learn as much.

So to unlock the files I ran

zina@zina-desktop:~$ sudo service snort stop
[sudo] password for zina:
 * Stopping Network Intrusion Detection System snort [ OK ]
zina@zina-desktop:~$ sudo service barnyard2 stop
/etc/init.d/barnyard2: 1: /etc/init.d/barnyard2: #!/bin/sh: not found
$Shutting down Snort Output Processor (barnyard2):

Then I looked at the properties of the /etc/init.d/barnyard2 and /etc/init.d/runbarnyard2 files by right-clicking on them and noticed that they were set to run as a program. Cool, simple matter of elimination. I deselected the "run as program" check box on the /etc/init.d/barnyard2 file. Hey, I got lucky: it now starts barnyard2 without trying to start it twice and crashing. I checked this through syslog. Now I guess the next thing to do would be to get it to log to the BASE front end running on Apache with a MySQL database. It is getting better! Any tips will be appreciated, thanks.