
Snort, barnyard2, snort pulledpork, and base IDS system Need Help


atiustira


securitybreach

Well first off, Linux is not vulnerable to any known virus so an antivirus is useless on Linux unless you're running a mail server with Windows clients connecting to it. I understand the reasoning behind an IDS but unless you're running a public webserver that generates a lot of traffic, iptables and a decent NAT router will suffice.

 

When you do get Snort running like you want, you will not see very much activity in the logs unless there are failed attempts trying to hack Windows or Linux (drive-by attacks).

 

It is up to you completely and we will give you as much help as you need but I think it is overkill for a home user. Nothing is truly secure and if you become a target, you can get hacked given time and it doesn't matter what you are running.

 

Thanks for the info but I am very familiar with infosec and even went to school for it. ;)

 

Now if you wanna have some fun, run a Honeypot and monitor it with an IDS. http://null-byte.wonderhowto.com/how-to/hack-like-pro-set-up-honeypot-avoid-them-0153391/


I found something interesting while poking around and contemplating the removal of barnyard2, and the reinstall, and the install of snorby, the web front end. It isn't an install manual per se. But if I run cd /var/log/snort and then sudo u2spewfoo snort.log from the /var/log/snort directory, then the u2 files that were there, which appeared to be just binary, now look like packet files!


 

I found the u2spewfoo command here.

http://manual.snort....000000000000000

 

Under output modules.

 

I used to read all the files daily long ago, about the time of the Bugbear virus. ClamAV has a program for making virus dats. The antivirus downloads these files, called updates, to be able to find a virus. They are unique pieces of code pertaining to that virus that cannot get your system infected, especially if you are running a Linux system o:) There were multiple strains of that virus. I submitted dats for the first and second strain. Between doing that, running computer repair, and a free tech advice/security web site/forum that I hand coded the pages for and did security front end and back end on (I think it was phpBB that I installed), and being a member of 2 or more forums and DShield, I got lazy about looking through all the logs. Now that they have the ACID-based BASE, and snorby, to help with the logs, I thought I would try it again. And I am thinking of running a mail server eventually, so I can submit logs to DShield. They compile a blacklist of attacking IPs from them. But that is another topic.

http://marc.info/?l=dshield&m=106938877930908&w=2

Edited by atiustira
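The u2 files in /var/log/snort that u2spewfoo decodes are unified2 records, a plain binary layout that barnyard2 reads from the spool. As an added example (not code from the thread or from the Snort project), this Python reader walks the 8-byte record header and decodes the legacy IDS event (type 7) and packet (type 2) records, using a constructed sample alert rather than a real snort.log file; the field layouts are assumed from the unified2 format.

```python
"""Minimal reader for Snort unified2 files (the records barnyard2 and u2spewfoo consume).
Added example, not from the thread or Snort; layouts assumed per the unified2 format."""
import socket
import struct

U2_PACKET, U2_IDS_EVENT = 2, 7
_HDR = struct.Struct("!II")          # record type, record length (big-endian)
_EVENT = struct.Struct("!11I2H4B")   # Unified2IDSEvent_legacy, 52 bytes
_EVENT_FIELDS = ("sensor_id", "event_id", "event_second", "event_microsecond",
                 "signature_id", "generator_id", "signature_revision",
                 "classification_id", "priority_id", "ip_source", "ip_destination",
                 "sport_itype", "dport_icode", "protocol", "impact_flag", "impact", "blocked")
_PKT = struct.Struct("!7I")          # Serial_Unified2Packet header, 28 bytes
_PKT_FIELDS = ("sensor_id", "event_id", "event_second", "packet_second",
               "packet_microsecond", "linktype", "packet_length")

def parse_unified2(data):
    """Return a list of (record_type, fields) for every record in `data`."""
    records, off = [], 0
    while off < len(data):
        if off + _HDR.size > len(data):
            raise ValueError("truncated record header at offset %d" % off)
        rtype, rlen = _HDR.unpack_from(data, off)
        body = data[off + _HDR.size:off + _HDR.size + rlen]
        if len(body) != rlen:
            raise ValueError("truncated record body at offset %d" % off)
        if rtype == U2_IDS_EVENT:
            ev = dict(zip(_EVENT_FIELDS, _EVENT.unpack_from(body)))
            for key in ("ip_source", "ip_destination"):   # u32 -> dotted quad
                ev[key] = socket.inet_ntoa(struct.pack("!I", ev[key]))
            records.append((rtype, ev))
        elif rtype == U2_PACKET:
            pk = dict(zip(_PKT_FIELDS, _PKT.unpack_from(body)))
            pk["packet_data"] = body[_PKT.size:_PKT.size + pk["packet_length"]]
            records.append((rtype, pk))
        else:
            records.append((rtype, {"raw": body}))  # unknown type: keep the bytes
        off += _HDR.size + rlen
    return records

def build_record(rtype, body):
    """Frame `body` with a unified2 record header (used to build the sample)."""
    return _HDR.pack(rtype, len(body)) + body

# Constructed sample: one alert 192.168.1.2:40000 -> 10.0.0.5:80 (TCP) plus its packet.
_src, _dst = (struct.unpack("!I", socket.inet_aton(a))[0] for a in ("192.168.1.2", "10.0.0.5"))
SAMPLE = (build_record(U2_IDS_EVENT, _EVENT.pack(0, 1, 1365554438, 0, 1000001, 1, 3, 30, 2,
                                                 _src, _dst, 40000, 80, 6, 0, 0, 0))
          + build_record(U2_PACKET, _PKT.pack(0, 1, 1365554438, 1365554438, 0, 1, 4)
                         + b"\x45\x00\x00\x28"))
```

Pass the bytes of a real snort.log.* file to parse_unified2 to get the same event and packet fields u2spewfoo prints; a truncated file raises ValueError instead of silently returning partial records.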

securitybreach

I would as it could be related to what issues but it is hard to say as I have not setup snort in many years.


Uh oh!

I have not setup snort in many years.

 

Wow, I was at the banging my head on the keyboard phase when I started this thread.

We worked through a lot of issues. Did they cover this when you had training in security?

Because it seems like we got pretty far, but just didn't finish. Anyway, thanks.

Edited by atiustira

Did they cover this when you had training in security?

 

 

So his infamy is common knowledge all over the web then. Obviously he will not tell us where, how and who really trained him or who he is spooking for. Or even if he is spooking. :zorro:

 

His second "job" has been discussed here before and he never cracked. :devil:


securitybreach

Uh oh!

I have not setup snort in many years.

 

Wow, I was at the banging my head on the keyboard phase when I started this thread.

We worked through a lot of issues. Did they cover this when you had training in security?

Because it seems like we got pretty far, but just didn't finish. Anyway, thanks.

 

No real training, just years and years of using computers. I was big into security years ago (mostly greyhat stuff) and have been using Linux for about 12 years now so accumulated knowledge.

 

Did they cover this when you had training in security?

 

 

So his infamy is common knowledge all over the web then. Obviously he will not tell us where, how and who really trained him or who he is spooking for. Or even if he is spooking. :zorro:

 

His second "job" has been discussed here before and he never cracked. :devil:

 

Please hire me!! I will work for a lot cheaper than other employees and probably have at least 5x the knowledge... B)

 

I am more ashamed of my job than anything else as it is not even close to what I should be doing/making (my job isn't even in the computer field).... :(

 

And no, I am joking :angry:


Guest LilBambi

Your day will come, Josh. In the meantime, there's no embarrassment in a job that puts food on the table, roof over your head and pays your bills, and a few wants too.


securitybreach

Your day will come, Josh. In the meantime, there's no embarrassment in a job that puts food on the table, roof over your head and pays your bills, and a few wants too.

 

Yeah but I am barely able to do that each month....


Your day will come, Josh. In the meantime, there's no embarrassment in a job that puts food on the table, roof over your head and pays your bills, and a few wants too.

 

Yeah but I am barely able to do that each month....

 

Yeah you have a tough choice ahead when you need to cut household costs. Which of the five monitors will have to go dark I wonder. :harhar:


securitybreach

Your day will come, Josh. In the meantime, there's no embarrassment in a job that puts food on the table, roof over your head and pays your bills, and a few wants too.

 

Yeah but I am barely able to do that each month....

 

Yeah you have a tough choice ahead when you need to cut household costs. Which of the five monitors will have to go dark I wonder. :harhar:

 

Yeah, well they go into energy saving mode when I am asleep or at work...


Sorry to hear that securitybreach. Do you have training in infosec? It pays to get some kind of certification (paper) to show what you know. When applying for work it is good to actually physically show up, not just submit a resume on the internet. I really hope things work out for you. You have been around and working with Linux for a long time. So does anyone at all in this security and networking forum know how to troubleshoot a Snort, barnyard2, snort pulledpork, and BASE IDS system?

I am still at the keyboard marks on my forehead phase. :medic:

 


securitybreach

I told you what to do.. reinstall it all by following this guide (which is exactly what you are trying to do)

Snort 2.9.2.3 Installation Guide for Ubuntu 12.04, with Barnyard2, Pulledpork, and Aanv

 

Run through that guide and when you run into a problem, stop and tell us what the problem is.

 

Heck, if you want, I will set this up in virtualbox right now.


These are my network interfaces.

 

zina@zina-desktop:~$ sudo lshw -class network
 *-network:0			
   description: Ethernet interface
   product: RTL-8100/8101L/8139 PCI Fast Ethernet Adapter
   vendor: Realtek Semiconductor Co., Ltd.
   physical id: 3
   bus info: pci@0000:02:03.0
   logical name: eth0
   version: 10
   serial: xxxxxxxxxxxxxxxxx
   size: 100Mbit/s
   capacity: 100Mbit/s
   width: 32 bits
   clock: 33MHz
   capabilities: pm bus_master cap_list ethernet physical tp mii 10bt 10bt-fd 100bt 100bt-fd autonegotiation
   configuration: autonegotiation=on broadcast=yes driver=8139too driverversion=0.9.28 duplex=full ip=192.168.1.2 latency=64 link=yes maxlatency=64 mingnt=32 multicast=yes port=MII speed=100Mbit/s
   resources: irq:21 ioport:dc00(size=256) memory:fddff000-fddff0ff
 *-network:1
   description: Network controller
   product: BCM4318 [AirForce One 54g] 802.11g Wireless LAN Controller
   vendor: Broadcom Corporation
   physical id: 9
   bus info: pci@0000:02:09.0
   version: 02
   width: 32 bits
   clock: 33MHz
   capabilities: bus_master
   configuration: driver=b43-pci-bridge latency=64
   resources: irq:17 memory:fddfc000-fddfdfff


Hello Security breach

I told you what to do.. reinstall it all by following this guide (which is exactly what you are trying to do)

Snort 2.9.2.3 Installation Guide for Ubuntu 12.04, with Barnyard2, Pulledpork, and Aanv

 

Run through that guide and when you run into a problem, stop and tell us what the problem is.

 

Heck, if you want, I will set this up in virtualbox right now.

I ran into a problem with that guide.

apt-get install mysql-server nmap nbtscan apache2 php5 php5-mysql php5-gd libpcap0.8-dev libpcre3-

I have mysql-server nmap nbtscan apache2 php5 php5-mysql php5-gd libpcap0.8-dev libpcre3 already installed. I was doing some Ruby programming, and web work with apache2 and mysql. They are running fine. Also I really like BASE more than Aanval or snorby. Well, snorby is ok I guess. I think the problem there may be with the Ruby gem I am running in the other projects I am working on. Conflicts with using the right gem can become difficult. So those are problems.


securitybreach

I am kind of confused as to what your problem is. You said that you got stuck on installing some packages but then said that you already had them installed. If you already have them installed, move to the next step. As far as the gems, I highly doubt that one ruby project would affect another.


Hello Security breach

I told you what to do.. reinstall it all by following this guide (which is exactly what you are trying to do)

Snort 2.9.2.3 Installation Guide for Ubuntu 12.04, with Barnyard2, Pulledpork, and Aanv

 

Run through that guide and when you run into a problem, stop and tell us what the problem is.

 

Heck, if you want, I will set this up in virtualbox right now.

I ran into a problem with that guide.

apt-get install mysql-server nmap nbtscan apache2 php5 php5-mysql php5-gd libpcap0.8-dev libpcre3-

I have mysql-server nmap nbtscan apache2 php5 php5-mysql php5-gd libpcap0.8-dev libpcre3 already installed. I was doing some Ruby programming, and web work with apache2 and mysql. They are running fine. Also I really like BASE more than Aanval or snorby. Well, snorby is ok I guess. I think the problem there may be with the Ruby gem I am running in the other projects I am working on. Conflicts with using the right gem can become difficult. So those are problems.

There was a problem in doing the apt-get, or you are just concerned about a problem maybe occurring?

apt-get will leave alone any package that is already installed at the same level or later, and will give you the option to replace older versions.

 

At this time I'm wondering if maybe dl'ing VirtualBox and installing the whole thing in there would be better.


Hi Lil Bambi,

I am sure there are people here who would be willing to contribute to a goFundMe or Patreon setup.

I crp, I have set up a GoFundMe campaign as you mentioned.

 

http://www.gofundme.com/franparker

 

I will post it in my status on the forums. Thanks for the suggestion.

Glad you took my advice. The 2nd part of GoFundMe is publicizing it if you have Facebook and/or Twitter.

Hello crp

 

Actually I have narrowed the problem down even more. Snort is reading packets off of my eth0 and putting them in /var/log/snort/ in the u2 format that barnyard2 reads. Here is a screenshot of my BASE install connecting to MySQL on the snort database using the snort account. I am using a program called mytop, which is a top clone for MySQL, that shows the BASE connection.

 

http://i.imgur.com/cJLbXXB.png

 

And I have found the error in pulledpork: by default it is set to download the paid rules, and not just the community rules. By commenting out the paid rules it will download the community rules. Otherwise it just fails without telling one why. So snort was troubleshot, and pulledpork also. What I did is set barnyard2 to output to syslog.

 

http://i.imgur.com/w2MNwbf.png

 

 

It looks like barnyard2 starts and reads the u2 files and the spool files and waldo file correctly. And then for some reason it attempts to reinitiate, then crashes.

 

Apr 10 01:40:38 zina-desktop snort[3961]: FATAL ERROR: Failed to Lock PID File "/var/run//barnyard2_NULL.pid" for PID "3961"

Apr 10 01:40:38 zina-desktop snort[3961]: Barnyard2 exiting

 

 

So I then ran

 

zina@zina-desktop:~$ locate barnyard|grep etc/;
/etc/default/barnyard2
/etc/default/barnyard2~
/etc/init.d/barnyard2
/etc/init.d/runbarnyard2
/etc/rc0.d/K00runbarnyard2
/etc/rc0.d/K98barnyard2
/etc/rc1.d/K00runbarnyard2
/etc/rc1.d/K98barnyard2
/etc/rc2.d/S21runbarnyard2
/etc/rc2.d/S98barnyard2
/etc/rc3.d/S21runbarnyard2
/etc/rc3.d/S98barnyard2
/etc/rc4.d/S21runbarnyard2
/etc/rc4.d/S98barnyard2
/etc/rc5.d/S21runbarnyard2
/etc/rc5.d/S98barnyard2
/etc/rc6.d/K00runbarnyard2
/etc/rc6.d/K98barnyard2

 

And I was wondering which ones of those might be starting it the second time, or how I could find out.

Any ideas? Thank you.

Edited by atiustira

Thanks crp

Looks like /etc/init.d/barnyard2 or /etc/init.d/runbarnyard2 from the syslog. That's what I love about open source code and Linux. You can read the code and work with it.

In some other operating systems my first response would be uninstall and reinstall. But that's easy with exe files. And you don’t learn as much.

So to unlock the files I ran

zina@zina-desktop:~$ sudo service snort stop
[sudo] password for zina:
* Stopping Network Intrusion Detection System  snort				    [ OK ]
zina@zina-desktop:~$ sudo service barnyard2 stop
/etc/init.d/barnyard2: 1: /etc/init.d/barnyard2: #!/bin/sh: not found
$Shutting down Snort Output Processor (barnyard2):

 

Then I looked at the properties of the /etc/init.d/barnyard2 and /etc/init.d/runbarnyard2 files by right clicking on them and noticed that they were set to run as a program. Cool, simple matter of elimination. I deselected the run as program check box on the /etc/init.d/barnyard2 file.

Hey I got lucky it now starts barnyard2 without trying to start it twice and crashing. I checked this through syslog.

 

Now I guess the next thing to do would be to get it to log to the BASE front end running on Apache with a MySQL data base.

 

It is getting better! Any tips will be appreciated thanks.

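The two symptoms in the last posts, the "Failed to Lock PID File" fatal error (a second barnyard2 instance starting while the first holds the PID file) and "#!/bin/sh: not found" from the init script, can both be checked mechanically. This Python helper is an added example, not code from the thread or the barnyard2 project: it parses the syslog line, flags runlevels in which more than one S-script would launch the same daemon from a listing like the locate output above, and checks that an init script's shebang sits at byte 0. The log line and rc paths are constructed to mirror the thread.

```python
"""Diagnose a double-started barnyard2 and a malformed init-script shebang.
Added example; the inputs below are constructed to match what the thread shows."""
import re
from collections import defaultdict

# Constructed syslog line modelled on the FATAL ERROR quoted in the thread.
LOG_LINE = ('Apr 10 01:40:38 zina-desktop snort[3961]: FATAL ERROR: '
            'Failed to Lock PID File "/var/run//barnyard2_NULL.pid" for PID "3961"')

# Constructed subset of the 'locate barnyard | grep etc/' listing.
RC_PATHS = """/etc/init.d/barnyard2
/etc/init.d/runbarnyard2
/etc/rc2.d/S21runbarnyard2
/etc/rc2.d/S98barnyard2
/etc/rc6.d/K00runbarnyard2
/etc/rc6.d/K98barnyard2""".splitlines()

_LOCK_RE = re.compile(r'Failed to Lock PID File "([^"]+)" for PID "(\d+)"')
_RC_RE = re.compile(r'^/etc/rc(\d)\.d/([SK])(\d\d)(\S+)$')


def parse_lock_error(line):
    """Return (pidfile, pid) from a barnyard2 PID-lock failure line, else None."""
    m = _LOCK_RE.search(line)
    return (m.group(1), int(m.group(2))) if m else None


def duplicate_starters(paths, daemon="barnyard2"):
    """Map runlevel -> start (S) scripts whose name ends in `daemon`, keeping only
    runlevels with more than one, i.e. where the daemon is launched twice."""
    by_level = defaultdict(list)
    for path in paths:
        m = _RC_RE.match(path)
        if m and m.group(2) == "S" and m.group(4).endswith(daemon):
            by_level[m.group(1)].append(m.group(3) + m.group(4))
    return {lvl: names for lvl, names in by_level.items() if len(names) > 1}


def shebang_ok(script_bytes):
    """True only if the script begins with '#!' at byte 0. A leading blank line,
    space or UTF-8 BOM makes sh run '#!/bin/sh' as a command and report
    '#!/bin/sh: not found', the message seen when stopping the service."""
    return script_bytes.startswith(b"#!")
```

Running duplicate_starters over the full locate output points at the runlevels where both S21runbarnyard2 and S98barnyard2 fire; reading the first bytes of /etc/init.d/barnyard2 into shebang_ok tells you whether the "not found" message is a malformed first line rather than a missing shell.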
