
Snort, barnyard2, snort pulledpork, and base IDS system Need Help


atiustira


Hello, I have a Snort, Barnyard2, PulledPork and BASE IDS system compiled and set up on my Ubuntu 14.04 LTS system. I am not sure if it is configured right or running. Would anyone be willing to help me test and configure it, please? :smashcomp:


securitybreach

I'll do my best. Although I have never set it up before, I can probably help you figure out your issues and such. What guide did you use to set it all up?

Link to comment
Share on other sites

Hello, thank you :D CLI Phreak

I actually used two guides. Well, many, as I researched this on the internet. The two I used the most are this one: http://computer-outlines.over-blog.com/article-nids-snort-barnyard2-apache2-base-with-ubuntu-14-04-lts-123532107.html

And this one: http://wiki.aanval.com/wiki/Community:Snort_2.9.2.3_Installation_Guide_for_Ubuntu_12.04,_with_Barnyard2,_Pulledpork,_and_Aanval

My system specs are Ubuntu 14.04 LTS with all current updates, 2.0GB DDR400, AMD Athlon 64 Processor 3800+, currently running the OS 32-bit.


securitybreach

If you want to know if it is running or not, simply run this:

sudo service snort status

Also, did you test via Step 2 from the first link you provided?


securitybreach
2. First test of Snort

sudo snort -i eth0 -v

(normally we get live packet sniffing). CTRL+C to stop.

We do a config loading test:

sudo snort -A console -u snort -g snort -c /etc/snort/snort.conf -i eth0 -T

Let's finally launch SNORT in live alert console mode:

sudo snort -A console -q -u snort -g snort -c /etc/snort/snort.conf -i eth0

If we ping our SNORT IDS or try to browse it from another computer, alerts should be displayed.

CTRL+C to stop


Hello Securitybreach,

I ran those tests. The results of the first one (sudo service snort status).

And the results of (sudo snort -i eth0 -v): it ran and read some packets.

Running (sudo snort -A console -u snort -g snort -c /etc/snort/snort.conf -i eth0 -T) returned

 

WARNING: /etc/snort/rules/community-web-php.rules(343) GID 1 SID 100000776 in rule duplicates previous rule. Ignoring old rule.

 

WARNING: /etc/snort/rules/community-web-php.rules(344) GID 1 SID 100000777 in rule duplicates previous rule. Ignoring old rule.

 

WARNING: /etc/snort/rules/community-web-php.rules(345) GID 1 SID 100000778 in rule duplicates previous rule. Ignoring old rule.

 

WARNING: /etc/snort/rules/community-web-php.rules(346) GID 1 SID 100000779 in rule duplicates previous rule. Ignoring old rule.

 

WARNING: /etc/snort/rules/community-web-php.rules(347) GID 1 SID 100000780 in rule duplicates previous rule. Ignoring old rule.

 

WARNING: /etc/snort/rules/community-web-php.rules(348) GID 1 SID 100000781 in rule duplicates previous rule. Ignoring old rule.

 

WARNING: /etc/snort/rules/community-web-php.rules(349) GID 1 SID 100000782 in rule duplicates previous rule. Ignoring old rule.

 

WARNING: /etc/snort/rules/community-web-php.rules(350) GID 1 SID 100000783 in rule duplicates previous rule. Ignoring old rule.

 

WARNING: /etc/snort/rules/community-web-php.rules(351) GID 1 SID 100000784 in rule duplicates previous rule. Ignoring old rule.

 

WARNING: /etc/snort/rules/community-web-php.rules(352) GID 1 SID 100000785 in rule duplicates previous rule. Ignoring old rule.

 

WARNING: /etc/snort/rules/community-web-php.rules(353) GID 1 SID 100000786 in rule duplicates previous rule. Ignoring old rule.

 

WARNING: /etc/snort/rules/community-web-php.rules(354) GID 1 SID 100000787 in rule duplicates previous rule. Ignoring old rule.

 

WARNING: /etc/snort/rules/community-web-php.rules(355) GID 1 SID 100000788 in rule duplicates previous rule. Ignoring old rule.

 

WARNING: /etc/snort/rules/community-web-php.rules(356) GID 1 SID 100000789 in rule duplicates previous rule. Ignoring old rule.

 

WARNING: /etc/snort/rules/community-web-php.rules(357) GID 1 SID 100000790 in rule duplicates previous rule. Ignoring old rule.

 

WARNING: /etc/snort/rules/community-web-php.rules(358) GID 1 SID 100000791 in rule duplicates previous rule. Ignoring old rule.

 

WARNING: /etc/snort/rules/community-web-php.rules(359) GID 1 SID 100000792 in rule duplicates previous rule. Ignoring old rule.

 

WARNING: /etc/snort/rules/community-web-php.rules(360) GID 1 SID 100000793 in rule duplicates previous rule. Ignoring old rule.

 

WARNING: /etc/snort/rules/community-web-php.rules(361) GID 1 SID 100000794 in rule duplicates previous rule. Ignoring old rule.

 

WARNING: /etc/snort/rules/community-web-php.rules(362) GID 1 SID 100000795 in rule duplicates previous rule. Ignoring old rule.

 

WARNING: /etc/snort/rules/community-web-php.rules(363) GID 1 SID 100000796 in rule duplicates previous rule. Ignoring old rule.

 

WARNING: /etc/snort/rules/community-web-php.rules(364) GID 1 SID 100000797 in rule duplicates previous rule. Ignoring old rule.

 

WARNING: /etc/snort/rules/community-web-php.rules(365) GID 1 SID 100000798 in rule duplicates previous rule. Ignoring old rule.

 

WARNING: /etc/snort/rules/community-web-php.rules(366) GID 1 SID 100000799 in rule duplicates previous rule. Ignoring old rule.

 

WARNING: /etc/snort/rules/community-web-php.rules(367) GID 1 SID 100000800 in rule duplicates previous rule. Ignoring old rule.

 

WARNING: /etc/snort/rules/community-web-php.rules(368) GID 1 SID 100000801 in rule duplicates previous rule. Ignoring old rule.

 

WARNING: /etc/snort/rules/community-web-php.rules(369) GID 1 SID 100000802 in rule duplicates previous rule. Ignoring old rule.

 

WARNING: /etc/snort/rules/community-web-php.rules(370) GID 1 SID 100000803 in rule duplicates previous rule. Ignoring old rule.

 

WARNING: /etc/snort/rules/community-web-php.rules(371) GID 1 SID 100000804 in rule duplicates previous rule. Ignoring old rule.

 

WARNING: /etc/snort/rules/community-web-php.rules(372) GID 1 SID 100000805 in rule duplicates previous rule. Ignoring old rule.

 

WARNING: /etc/snort/rules/community-web-php.rules(373) GID 1 SID 100000806 in rule duplicates previous rule. Ignoring old rule.

 

WARNING: /etc/snort/rules/community-web-php.rules(374) GID 1 SID 100000807 in rule duplicates previous rule. Ignoring old rule.

 

WARNING: /etc/snort/rules/community-web-php.rules(375) GID 1 SID 100000808 in rule duplicates previous rule. Ignoring old rule.

 

WARNING: /etc/snort/rules/community-web-php.rules(376) GID 1 SID 100000809 in rule duplicates previous rule. Ignoring old rule.

 

WARNING: /etc/snort/rules/community-web-php.rules(377) GID 1 SID 100000810 in rule duplicates previous rule. Ignoring old rule.

 

WARNING: /etc/snort/rules/community-web-php.rules(378) GID 1 SID 100000811 in rule duplicates previous rule. Ignoring old rule.

 

WARNING: /etc/snort/rules/community-web-php.rules(379) GID 1 SID 100000812 in rule duplicates previous rule. Ignoring old rule.

 

WARNING: /etc/snort/rules/community-web-php.rules(380) GID 1 SID 100000813 in rule duplicates previous rule. Ignoring old rule.

 

WARNING: /etc/snort/rules/community-web-php.rules(381) GID 1 SID 100000814 in rule duplicates previous rule. Ignoring old rule.

 

WARNING: /etc/snort/rules/community-web-php.rules(382) GID 1 SID 100000815 in rule duplicates previous rule. Ignoring old rule.

 

WARNING: /etc/snort/rules/community-web-php.rules(383) GID 1 SID 100000816 in rule duplicates previous rule. Ignoring old rule.

 

WARNING: /etc/snort/rules/community-web-php.rules(384) GID 1 SID 100000817 in rule duplicates previous rule. Ignoring old rule.

 

WARNING: /etc/snort/rules/community-web-php.rules(385) GID 1 SID 100000818 in rule duplicates previous rule. Ignoring old rule.

 

WARNING: /etc/snort/rules/community-web-php.rules(386) GID 1 SID 100000820 in rule duplicates previous rule. Ignoring old rule.

 

WARNING: /etc/snort/rules/community-web-php.rules(387) GID 1 SID 100000821 in rule duplicates previous rule. Ignoring old rule.

 

WARNING: /etc/snort/rules/community-web-php.rules(388) GID 1 SID 100000822 in rule duplicates previous rule. Ignoring old rule.

 

WARNING: /etc/snort/rules/community-web-php.rules(389) GID 1 SID 100000823 in rule duplicates previous rule. Ignoring old rule.

 

WARNING: /etc/snort/rules/community-web-php.rules(390) GID 1 SID 100000824 in rule duplicates previous rule. Ignoring old rule.

 

WARNING: /etc/snort/rules/community-web-php.rules(391) GID 1 SID 100000825 in rule duplicates previous rule. Ignoring old rule.

 

WARNING: /etc/snort/rules/community-web-php.rules(392) GID 1 SID 100000826 in rule duplicates previous rule. Ignoring old rule.

 

WARNING: /etc/snort/rules/community-web-php.rules(393) GID 1 SID 100000827 in rule duplicates previous rule. Ignoring old rule.

 

WARNING: /etc/snort/rules/community-web-php.rules(394) GID 1 SID 100000828 in rule duplicates previous rule. Ignoring old rule.

 

WARNING: /etc/snort/rules/community-web-php.rules(395) GID 1 SID 100000829 in rule duplicates previous rule. Ignoring old rule.

 

WARNING: /etc/snort/rules/community-web-php.rules(396) GID 1 SID 100000830 in rule duplicates previous rule. Ignoring old rule.

 

WARNING: /etc/snort/rules/community-web-php.rules(397) GID 1 SID 100000831 in rule duplicates previous rule. Ignoring old rule.

 

WARNING: /etc/snort/rules/community-web-php.rules(398) GID 1 SID 100000832 in rule duplicates previous rule. Ignoring old rule.

 

WARNING: /etc/snort/rules/community-web-php.rules(399) GID 1 SID 100000833 in rule duplicates previous rule. Ignoring old rule.

 

WARNING: /etc/snort/rules/community-web-php.rules(400) GID 1 SID 100000834 in rule duplicates previous rule. Ignoring old rule.

 

WARNING: /etc/snort/rules/community-web-php.rules(401) GID 1 SID 100000835 in rule duplicates previous rule. Ignoring old rule.

 

WARNING: /etc/snort/rules/community-web-php.rules(402) GID 1 SID 100000836 in rule duplicates previous rule. Ignoring old rule.

 

WARNING: /etc/snort/rules/community-web-php.rules(403) GID 1 SID 100000837 in rule duplicates previous rule. Ignoring old rule.

 

WARNING: /etc/snort/rules/community-web-php.rules(404) GID 1 SID 100000838 in rule duplicates previous rule. Ignoring old rule.

 

WARNING: /etc/snort/rules/community-web-php.rules(405) GID 1 SID 100000839 in rule duplicates previous rule. Ignoring old rule.

 

WARNING: /etc/snort/rules/community-web-php.rules(406) GID 1 SID 100000840 in rule duplicates previous rule. Ignoring old rule.

 

WARNING: /etc/snort/rules/community-web-php.rules(407) GID 1 SID 100000841 in rule duplicates previous rule. Ignoring old rule.

 

WARNING: /etc/snort/rules/community-web-php.rules(408) GID 1 SID 100000842 in rule duplicates previous rule. Ignoring old rule.

 

WARNING: /etc/snort/rules/community-web-php.rules(409) GID 1 SID 100000843 in rule duplicates previous rule. Ignoring old rule.

 

WARNING: /etc/snort/rules/community-web-php.rules(410) GID 1 SID 100000844 in rule duplicates previous rule. Ignoring old rule.

 

WARNING: /etc/snort/rules/community-web-php.rules(411) GID 1 SID 100000845 in rule duplicates previous rule. Ignoring old rule.

 

WARNING: /etc/snort/rules/community-web-php.rules(412) GID 1 SID 100000846 in rule duplicates previous rule. Ignoring old rule.

 

WARNING: /etc/snort/rules/community-web-php.rules(413) GID 1 SID 100000847 in rule duplicates previous rule. Ignoring old rule.

 

WARNING: /etc/snort/rules/community-web-php.rules(414) GID 1 SID 100000849 in rule duplicates previous rule. Ignoring old rule.

 

WARNING: /etc/snort/rules/community-web-php.rules(415) GID 1 SID 100000850 in rule duplicates previous rule. Ignoring old rule.

 

WARNING: /etc/snort/rules/community-web-php.rules(416) GID 1 SID 100000851 in rule duplicates previous rule. Ignoring old rule.

 

WARNING: /etc/snort/rules/community-web-php.rules(417) GID 1 SID 100000852 in rule duplicates previous rule. Ignoring old rule.

 

WARNING: /etc/snort/rules/community-web-php.rules(418) GID 1 SID 100000853 in rule duplicates previous rule. Ignoring old rule.

 

WARNING: /etc/snort/rules/community-web-php.rules(419) GID 1 SID 100000854 in rule duplicates previous rule. Ignoring old rule.

 

WARNING: /etc/snort/rules/community-web-php.rules(420) GID 1 SID 100000855 in rule duplicates previous rule. Ignoring old rule.

 

WARNING: /etc/snort/rules/community-web-php.rules(421) GID 1 SID 100000856 in rule duplicates previous rule. Ignoring old rule.

 

WARNING: /etc/snort/rules/community-web-php.rules(422) GID 1 SID 100000857 in rule duplicates previous rule. Ignoring old rule.

 

WARNING: /etc/snort/rules/community-web-php.rules(423) GID 1 SID 100000858 in rule duplicates previous rule. Ignoring old rule.

 

WARNING: /etc/snort/rules/community-web-php.rules(424) GID 1 SID 100000859 in rule duplicates previous rule. Ignoring old rule.

 

WARNING: /etc/snort/rules/community-web-php.rules(425) GID 1 SID 100000860 in rule duplicates previous rule. Ignoring old rule.

 

WARNING: /etc/snort/rules/community-web-php.rules(426) GID 1 SID 100000861 in rule duplicates previous rule. Ignoring old rule.

 

WARNING: /etc/snort/rules/community-web-php.rules(427) GID 1 SID 100000862 in rule duplicates previous rule. Ignoring old rule.

 

WARNING: /etc/snort/rules/community-web-php.rules(428) GID 1 SID 100000863 in rule duplicates previous rule. Ignoring old rule.

 

WARNING: /etc/snort/rules/community-web-php.rules(431) GID 1 SID 100000865 in rule duplicates previous rule. Ignoring old rule.

 

WARNING: /etc/snort/rules/community-web-php.rules(432) GID 1 SID 100000866 in rule duplicates previous rule. Ignoring old rule.

 

WARNING: /etc/snort/rules/community-web-php.rules(433) GID 1 SID 100000867 in rule duplicates previous rule. Ignoring old rule.

 

WARNING: /etc/snort/rules/community-web-php.rules(434) GID 1 SID 100000868 in rule duplicates previous rule. Ignoring old rule.

 

WARNING: /etc/snort/rules/community-web-php.rules(435) GID 1 SID 100000869 in rule duplicates previous rule. Ignoring old rule.

 

WARNING: /etc/snort/rules/community-web-php.rules(436) GID 1 SID 100000870 in rule duplicates previous rule. Ignoring old rule.

 

WARNING: /etc/snort/rules/community-web-php.rules(437) GID 1 SID 100000871 in rule duplicates previous rule. Ignoring old rule.

 

WARNING: /etc/snort/rules/community-web-php.rules(438) GID 1 SID 100000872 in rule duplicates previous rule. Ignoring old rule.

 

WARNING: /etc/snort/rules/community-web-php.rules(439) GID 1 SID 100000873 in rule duplicates previous rule. Ignoring old rule.

 

WARNING: /etc/snort/rules/community-web-php.rules(441) GID 1 SID 100000882 in rule duplicates previous rule. Ignoring old rule.

 

WARNING: /etc/snort/rules/community-web-php.rules(443) GID 1 SID 100000883 in rule duplicates previous rule. Ignoring old rule.

 

WARNING: /etc/snort/rules/community-web-php.rules(444) GID 1 SID 100000884 in rule duplicates previous rule. Ignoring old rule.

 

WARNING: /etc/snort/rules/community-web-php.rules(445) GID 1 SID 100000885 in rule duplicates previous rule. Ignoring old rule.

 

WARNING: /etc/snort/rules/community-web-php.rules(446) GID 1 SID 100000886 in rule duplicates previous rule. Ignoring old rule.

 

WARNING: /etc/snort/rules/community-web-php.rules(447) GID 1 SID 100000887 in rule duplicates previous rule. Ignoring old rule.

 

WARNING: /etc/snort/rules/community-web-php.rules(448) GID 1 SID 100000888 in rule duplicates previous rule. Ignoring old rule.

 

WARNING: /etc/snort/rules/community-web-php.rules(449) GID 1 SID 100000889 in rule duplicates previous rule. Ignoring old rule.

 

WARNING: /etc/snort/rules/community-web-php.rules(450) GID 1 SID 100000906 in rule duplicates previous rule. Ignoring old rule.

 

WARNING: /etc/snort/rules/community-web-php.rules(451) GID 1 SID 100000907 in rule duplicates previous rule. Ignoring old rule.

 

WARNING: /etc/snort/rules/community-web-php.rules(452) GID 1 SID 100000908 in rule duplicates previous rule. Ignoring old rule.

 

WARNING: /etc/snort/rules/community-web-php.rules(453) GID 1 SID 100000909 in rule duplicates previous rule. Ignoring old rule.

 

WARNING: /etc/snort/rules/community-web-php.rules(454) GID 1 SID 100000910 in rule duplicates previous rule. Ignoring old rule.

 

WARNING: /etc/snort/rules/community-web-php.rules(455) GID 1 SID 100000911 in rule duplicates previous rule. Ignoring old rule.

 

WARNING: /etc/snort/rules/community-web-php.rules(456) GID 1 SID 100000912 in rule duplicates previous rule. Ignoring old rule.

 

WARNING: /etc/snort/rules/community-web-php.rules(457) GID 1 SID 100000913 in rule duplicates previous rule. Ignoring old rule.

 

WARNING: /etc/snort/rules/community-web-php.rules(458) GID 1 SID 100000914 in rule duplicates previous rule. Ignoring old rule.

 

WARNING: /etc/snort/rules/community-web-php.rules(459) GID 1 SID 100000915 in rule duplicates previous rule. Ignoring old rule.

 

WARNING: /etc/snort/rules/community-web-php.rules(460) GID 1 SID 100000916 in rule duplicates previous rule. Ignoring old rule.

 

WARNING: /etc/snort/rules/community-web-php.rules(461) GID 1 SID 100000917 in rule duplicates previous rule. Ignoring old rule.

 

WARNING: /etc/snort/rules/community-web-php.rules(462) GID 1 SID 100000918 in rule duplicates previous rule. Ignoring old rule.

 

WARNING: /etc/snort/rules/community-web-php.rules(463) GID 1 SID 100000919 in rule duplicates previous rule. Ignoring old rule.

 

WARNING: /etc/snort/rules/community-web-php.rules(464) GID 1 SID 100000920 in rule duplicates previous rule. Ignoring old rule.

 

WARNING: /etc/snort/rules/community-web-php.rules(465) GID 1 SID 100000921 in rule duplicates previous rule. Ignoring old rule.

 

WARNING: /etc/snort/rules/community-web-php.rules(466) GID 1 SID 100000922 in rule duplicates previous rule. Ignoring old rule.

 

WARNING: /etc/snort/rules/community-web-php.rules(467) GID 1 SID 100000925 in rule duplicates previous rule. Ignoring old rule.

 

WARNING: /etc/snort/rules/community-web-php.rules(468) GID 1 SID 100000926 in rule duplicates previous rule. Ignoring old rule.

 

WARNING: /etc/snort/rules/community-web-php.rules(469) GID 1 SID 100000929 in rule duplicates previous rule. Ignoring old rule.

 

WARNING: /etc/snort/rules/community-web-php.rules(470) GID 1 SID 100000930 in rule duplicates previous rule. Ignoring old rule.

 

WARNING: /etc/snort/rules/community-web-php.rules(471) GID 1 SID 100000931 in rule duplicates previous rule. Ignoring old rule.

 

WARNING: /etc/snort/rules/community-web-php.rules(472) GID 1 SID 100000932 in rule duplicates previous rule. Ignoring old rule.

 

WARNING: /etc/snort/rules/community-web-php.rules(473) GID 1 SID 100000933 in rule duplicates previous rule. Ignoring old rule.

 

WARNING: /etc/snort/rules/community-web-php.rules(474) GID 1 SID 100000934 in rule duplicates previous rule. Ignoring old rule.

 

4152 Snort rules read

3478 detection rules

0 decoder rules

0 preprocessor rules

3478 Option Chains linked into 290 Chain Headers

0 Dynamic rules

+++++++++++++++++++++++++++++++++++++++++++++++++++

+-------------------[Rule Port Counts]---------------------------------------

| tcp udp icmp ip

| src 151 18 0 0

| dst 3307 126 0 0

| any 383 48 146 22

| nc 28 8 95 20

| s+d 12 5 0 0

+----------------------------------------------------------------------------

 

+-----------------------[detection-filter-config]------------------------------

| memory-cap : 1048576 bytes

+-----------------------[detection-filter-rules]-------------------------------

| none

-------------------------------------------------------------------------------

 

+-----------------------[rate-filter-config]-----------------------------------

| memory-cap : 1048576 bytes

+-----------------------[rate-filter-rules]------------------------------------

| none

-------------------------------------------------------------------------------

 

+-----------------------[event-filter-config]----------------------------------

| memory-cap : 1048576 bytes

+-----------------------[event-filter-global]----------------------------------

| none

+-----------------------[event-filter-local]-----------------------------------

| gen-id=1 sig-id=3273 type=Threshold tracking=src count=5 seconds=2

| gen-id=1 sig-id=2494 type=Both tracking=dst count=20 seconds=60

| gen-id=1 sig-id=2924 type=Threshold tracking=dst count=10 seconds=60

| gen-id=1 sig-id=3152 type=Threshold tracking=src count=5 seconds=2

| gen-id=1 sig-id=2523 type=Both tracking=dst count=10 seconds=10

| gen-id=1 sig-id=1991 type=Limit tracking=src count=1 seconds=60

| gen-id=1 sig-id=2923 type=Threshold tracking=dst count=10 seconds=60

| gen-id=1 sig-id=2495 type=Both tracking=dst count=20 seconds=60

| gen-id=1 sig-id=2275 type=Threshold tracking=dst count=5 seconds=60

| gen-id=1 sig-id=2496 type=Both tracking=dst count=20 seconds=60

+-----------------------[suppression]------------------------------------------

| none

-------------------------------------------------------------------------------

Rule application order: activation->dynamic->pass->drop->sdrop->reject->alert->log

Verifying Preprocessor Configurations!

ICMP tracking disabled, no ICMP sessions allocated

IP tracking disabled, no IP sessions allocated

WARNING: flowbits key 'smb.tree.create.llsrpc' is set but not ever checked.

WARNING: flowbits key 'ms_sql_seen_dns' is checked but not ever set.

33 out of 1024 flowbits in use.

 

[ Port Based Pattern Matching Memory ]

+- [ Aho-Corasick Summary ] -------------------------------------

| Storage Format : Full-Q

| Finite Automaton : DFA

| Alphabet Size : 256 Chars

| Sizeof State : Variable (1,2,4 bytes)

| Instances : 213

| 1 byte states : 202

| 2 byte states : 11

| 4 byte states : 0

| Characters : 64990

| States : 32139

| Transitions : 874054

| State Density : 10.6%

| Patterns : 5056

| Match States : 3856

| Memory (MB) : 16.09

| Patterns : 0.36

| Match Lists : 0.56

| DFA

| 1 byte states : 1.00

| 2 byte states : 13.95

| 4 byte states : 0.00

+----------------------------------------------------------------

[ Number of patterns truncated to 20 bytes: 1039 ]

pcap DAQ configured to passive.

Acquiring network traffic from "eth0".

Set gid to 143

Set uid to 129

 

--== Initialization Complete ==--

 

,,_ -*> Snort! <*-

o" )~ Version 2.9.6.0 GRE (Build 47)

'''' By Martin Roesch & The Snort Team: http://www.snort.org/snort/snort-team

Copyright © 2014 Cisco and/or its affiliates. All rights reserved.

Copyright © 1998-2013 Sourcefire, Inc., et al.

Using libpcap version 1.5.3

Using PCRE version: 8.31 2012-07-06

Using ZLIB version: 1.2.8

 

Rules Engine: SF_SNORT_DETECTION_ENGINE Version 2.1 <Build 1>

Preprocessor Object: SF_GTP Version 1.1 <Build 1>

Preprocessor Object: SF_SMTP Version 1.1 <Build 9>

Preprocessor Object: SF_IMAP Version 1.0 <Build 1>

Preprocessor Object: SF_MODBUS Version 1.1 <Build 1>

Preprocessor Object: SF_SSLPP Version 1.1 <Build 4>

Preprocessor Object: SF_DCERPC2 Version 1.0 <Build 3>

Preprocessor Object: SF_DNS Version 1.1 <Build 4>

Preprocessor Object: SF_FTPTELNET Version 1.2 <Build 13>

Preprocessor Object: SF_POP Version 1.0 <Build 1>

Preprocessor Object: SF_SSH Version 1.1 <Build 3>

Preprocessor Object: SF_REPUTATION Version 1.1 <Build 1>

Preprocessor Object: SF_SDF Version 1.1 <Build 1>

Preprocessor Object: SF_SIP Version 1.1 <Build 1>

Preprocessor Object: SF_DNP3 Version 1.1 <Build 1>

 

Snort successfully validated the configuration!

Snort exiting

zina@zina-desktop:~$

 

I then ran (sudo snort -A console -q -u snort -g snort -c /etc/snort/snort.conf -i eth0). It dropped down to a blinking prompt.

I did not have another system to ping from, so I opened another terminal on this system and ran this (ping 192.168.1.1). I then used the Ctrl button and the c key to stop the terminals from running.

Thank you Securitybreach. What do you think? And what should we do next? And I appreciate your time and help :clap:


securitybreach

From your above output, it looks like Snort is doing what it is supposed to. As far as these errors:

WARNING: /etc/snort/rules/community-web-php.rules(438) GID 1 SID 100000872 in rule duplicates previous rule. Ignoring old rule.

Snort will use the latest rules, so you can ignore those errors: http://seclists.org/snort/2014/q1/715

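For triaging a snort -T run like the one pasted above, here is an added example (my own script, not code from the thread, from Snort or from PulledPork) that separates the "duplicates previous rule" warnings, which the linked seclists post says are harmless, from every other warning and checks for the validation marker. The sample output embedded in it is constructed from lines shown in this thread, and the triage.py file name in the docstring is an assumption.

```python
"""Triage the output of a Snort config test (`snort -c /etc/snort/snort.conf -T`).

Added example for this thread, not code from Snort or from the posters. It reads
the text Snort prints in -T mode, separates the benign "duplicates previous rule"
warnings from every other warning, and reports whether validation succeeded.
Assumed usage:  sudo snort -c /etc/snort/snort.conf -i eth0 -T 2>&1 | python3 triage.py
"""
import re
import sys
from collections import defaultdict

# Shape of the warning the thread shows, e.g.
# WARNING: /etc/snort/rules/community-web-php.rules(343) GID 1 SID 100000776 in rule duplicates previous rule. Ignoring old rule.
DUP_RULE_RE = re.compile(
    r"^WARNING: (?P<file>\S+?)\((?P<line>\d+)\) GID (?P<gid>\d+) SID (?P<sid>\d+) "
    r"in rule duplicates previous rule\. Ignoring old rule\.$"
)
ANY_WARNING_RE = re.compile(r"^WARNING: (?P<msg>.+)$")
RULES_READ_RE = re.compile(r"^(?P<n>\d+) Snort rules read$")
VALIDATED_MARKER = "Snort successfully validated the configuration!"


def triage(text):
    """Return a dict summarising one `snort -T` run."""
    dups = defaultdict(list)  # rules file -> [(line, gid, sid), ...]
    other_warnings = []       # warnings that are NOT the duplicate-SID kind
    rules_read = None
    validated = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = DUP_RULE_RE.match(line)
        if m:
            dups[m["file"]].append((int(m["line"]), int(m["gid"]), int(m["sid"])))
            continue
        m = ANY_WARNING_RE.match(line)
        if m:
            other_warnings.append(m["msg"])
            continue
        m = RULES_READ_RE.match(line)
        if m:
            rules_read = int(m["n"])
        elif line == VALIDATED_MARKER:
            validated = True
    duplicate_rules = {}
    for path, entries in dups.items():
        lines = [e[0] for e in entries]
        sids = [e[2] for e in entries]
        duplicate_rules[path] = {
            "count": len(entries),
            "lines": (min(lines), max(lines)),
            "sids": (min(sids), max(sids)),
        }
    return {
        "validated": validated,
        "rules_read": rules_read,
        "duplicate_rules": duplicate_rules,
        "other_warnings": other_warnings,
    }


def report(result):
    """Render the triage result as text lines, benign noise kept apart from the rest."""
    out = ["config validated: %s" % ("yes" if result["validated"] else "NO")]
    if result["rules_read"] is not None:
        out.append("rules read: %d" % result["rules_read"])
    for path, info in sorted(result["duplicate_rules"].items()):
        out.append(
            "%s: %d duplicate SIDs (lines %d-%d, SID %d-%d); old copy ignored, benign"
            % (path, info["count"], info["lines"][0], info["lines"][1],
               info["sids"][0], info["sids"][1])
        )
    for msg in result["other_warnings"]:
        out.append("review: " + msg)
    return out


# Constructed sample, abridged from the output pasted in this thread.
SAMPLE_OUTPUT = """\
WARNING: /etc/snort/rules/community-web-php.rules(343) GID 1 SID 100000776 in rule duplicates previous rule. Ignoring old rule.
WARNING: /etc/snort/rules/community-web-php.rules(344) GID 1 SID 100000777 in rule duplicates previous rule. Ignoring old rule.
WARNING: /etc/snort/rules/community-web-php.rules(474) GID 1 SID 100000934 in rule duplicates previous rule. Ignoring old rule.
4152 Snort rules read
3478 detection rules
WARNING: flowbits key 'smb.tree.create.llsrpc' is set but not ever checked.
WARNING: flowbits key 'ms_sql_seen_dns' is checked but not ever set.
33 out of 1024 flowbits in use.
Snort successfully validated the configuration!
Snort exiting
"""

if __name__ == "__main__":
    text = SAMPLE_OUTPUT if sys.stdin.isatty() else sys.stdin.read()
    res = triage(text)
    print("\n".join(report(res)))
    sys.exit(0 if res["validated"] else 1)
```

The exit status follows the validation marker, so the script can gate a rule update (for example after a PulledPork run) before the daemon is restarted.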

securitybreach
Now Barnyard2 is configured to work with Snort. To test, let's run Snort and Barnyard2 and generate some alerts. First, we run Snort as a daemon. We use the same parameters as before, with the addition of the -D flag, which tells snort to run as a daemon, and we removed -A console since we don't want alerts to show on the screen. Take note of the PID of the process so you can kill it later if needed:

sudo /usr/local/bin/snort -q -u snort -g snort -c /etc/snort/snort.conf -i eth0 -D

Ping the IP address of the interface specified above (eth0). If you check Snort's log directory, you should see a file called snort.u2.nnnnnnnnnn (the n's are replaced by numbers). These are the binary alerts that snort has written out for Barnyard2 to process.

http://sublimerobots...g-snort-part-4/


Thank you Securitybreach. PulledPork is returning this:

bash: /usr/local/bin/pulledpork.pl: No such file or directory

sudo /usr/local/bin/snort -q -u snort -g snort -c /etc/snort/snort.conf -i eth0 -D

returns

sudo: /usr/local/bin/snort: command not found


securitybreach

Thank you Securitybreach. PulledPork is returning this:

bash: /usr/local/bin/pulledpork.pl: No such file or directory

sudo /usr/local/bin/snort -q -u snort -g snort -c /etc/snort/snort.conf -i eth0 -D

returns

sudo: /usr/local/bin/snort: command not found

Try changing /usr/local/bin/snort to /usr/bin/snort and see if that works for the second command:

sudo /usr/bin/snort -q -u snort -g snort -c /etc/snort/snort.conf -i eth0 -D

Try the same with the pulledpork command as well:

sudo /usr/bin/pulledpork.pl -V


Running

sudo /usr/bin/snort -q -u snort -g snort -c /etc/snort/snort.conf -i eth0 -D

returns

sudo: /usr/bin/snort: command not found

Running

sudo /usr/bin/pulledpork.pl -V

returns

sudo: /usr/bin/pulledpork.pl: command not found


securitybreach

Well, I dunno then. Search for snort and pulledpork.pl to find their executable location. They're not being found, and as I am not in front of your machine, nor do I have it installed, I do not know the location of their executables.


Hello securitybreach.

which snort

when run from a terminal returns this:

/usr/sbin/snort

which barnyard2

returns this:

/usr/local/bin/barnyard2

which pulledpork

doesn't return anything.

Not finding pulledpork.pl right now; will look in the morning. Thanks, off to work.


Hello, sorry, we had a power outage due to a local storm. I located the pulledpork. It is in /usr/local/src/snort/pulledpork-0.7.0/pulledpork.pl

From a terminal, running sudo /usr/local/src/snort/pulledpork-0.7.0/pulledpork.pl -V

returns command not found. But running

sudo su /usr/local/src/snort/pulledpork-0.7.0/pulledpork.pl -V

su: invalid option -- 'V'

Usage: su [options] [LOGIN]

Options:

-c, --command COMMAND pass COMMAND to the invoked shell

-h, --help display this help message and exit

-, -l, --login make the shell a login shell

-m, -p,

--preserve-environment do not reset environment variables, and

keep the same shell

-s, --shell SHELL use SHELL instead of the default in passwd

returns that above. Not sure I want to be root though, as that sudo su puts me as running as root. Things get a little different in Ubuntu.

This, when run in a terminal,

sudo /usr/sbin/snort -q -u snort -g snort -c /etc/snort/snort.conf -i eth0 -D

Spawning daemon child...

My daemon child 11572 lives...

Daemon parent exiting (0)

gets the above result.

Does that help with where things are, Securitybreach?


securitybreach

That just means that the -V switch is no longer used with the version you are using.

The command sudo su logs you in as root, not the user with sudo privileges. Ubuntu does not use a root account by default, so any command that needs superuser privileges uses sudo instead. Did you try it with only sudo instead of sudo su? Never mind, it looks like your system is not finding pulledpork. Are you sure it is installed?

The last command output looks like it is saying that snort is already running, so it is exiting.

I am just shooting in the dark posting stuff I found. It is a bit difficult without sitting in front of it troubleshooting the setup....


I tried this: cd into the directory

zina@zina-desktop:~$ cd /usr/local/src/snort/

Ran ls to show what is in the directory

zina@zina-desktop:/usr/local/src/snort$ ls

barnyard2-1.9 barnyard2-1.9.tar.gz pulledpork-0.7.0 pulledpork-0.7.0.tar.gz

cd into the pulledpork directory.

zina@zina-desktop:/usr/local/src/snort$ cd /usr/local/src/snort/pulledpork-0.7.0

Ran ls to see what was there.

zina@zina-desktop:/usr/local/src/snort/pulledpork-0.7.0$ ls

contrib doc etc LICENSE pulledpork.pl README

Copied pulledpork.pl into /usr/local/bin

zina@zina-desktop:/usr/local/src/snort/pulledpork-0.7.0$ sudo cp pulledpork.pl /usr/local/bin

[sudo] password for zina:

chmod to set the permissions on pulledpork.pl (Do these permissions look right?)

zina@zina-desktop:/usr/local/src/snort/pulledpork-0.7.0$ sudo chmod +x /usr/local/bin/pulledpork.pl

Copied the config files over to /etc/snort

zina@zina-desktop:/usr/local/src/snort/pulledpork-0.7.0$ sudo cp etc/*.conf /etc/snort

Then tried to run /usr/local/bin/pulledpork.pl -V again and got this result.

zina@zina-desktop:/usr/local/src/snort/pulledpork-0.7.0$ /usr/local/bin/pulledpork.pl -V

PulledPork v0.7.0 - Swine Flu!

zina@zina-desktop:/usr/local/src/snort/pulledpork-0.7.0$


securitybreach

Honestly, that is probably some of your problem... you're jumping between guides... If I were you, I would go through the guide I mentioned above. If one of the steps doesn't work, then you can research why that didn't work, but mixing different guides will probably cause you to miss something. Why did you bother following various guides if you found a guide that was exactly for your setup (Ubuntu 12.04)? I can understand if something didn't work properly, but you did not mention any problems with a guide.

Just a thought...


Thanks

This one looked promising too: http://youresuchageek.blogspot.com/2012/11/howto-guide-to-snort-ids-in-debian.html

But what did you mean by starting over from scratch exactly?

Starting over on the config files? Recompiling everything? Um, not sure where to start. But willing to get un-stuck, because this really doesn't feel very good.

Logged into my WRT110 router today and the year was changed to 1970, instead of 2015. Looks like most of what I am getting out of snort is binary code.


securitybreach

Yes, I meant completely starting over from scratch and following one guide. It is hard to troubleshoot anything when you follow numerous guides setting things up.


OK, so I have been lurking on the snort list, and it looks like there were some issues with barnyard2. I found a fork of barnyard2 that the snort users say has the issues fixed. And I was informed that the ACID-based BASE is kinda outdated, and that Snorby is the more current web front end to the database that snort is logging to. But PulledPork is pulling down current community rules, and snort (the new one) isn't at a production-stable state, and appears to be running without throwing errors. So I am thinking that reinstalling the forked barnyard2 and Snorby might be a better idea. What do you think?


Hello, of course there are differences in wants and needs. But this PDF is a good place for someone interested in networking and security to start reading about it. It covers the wants.

http://www.sans.org/reading-room/whitepapers/detection/understanding-intrusion-detection-systems-337

When I first came here, a few years ago, I wanted to automate virus scanning on my then Mandrake system. I managed to not get too involved in the discussion of why anyone would want to automate a virus scanner on Linux. And everyone pitched in and we got it done. That's the thing I love about this forum. The community. I am kinda old, and I probably won't see it again. See, well, there was a time when everyone on the internet helped each other. And they realized that the internet meant we are all interconnected. That is an important thing. And it is the opinion I had when I came here, years ago.

In the meantime, in the last few years, we have seen network-spreading worms, viruses, and things that attack Linux and Macintosh systems. If you monitor a network with, say, an IDS, you can see things a lot sooner. We saw Bugbear before it was named Bugbear on the DShield list. https://www.dshield.org/diaryarchive.html

The way they saw that coming was by watching the packets that went over the wire on their networks. I was a member of their site when I came here years ago, and I was a complete NuB with Linux. I recognize and admire the expertise here. That's why, years later, when really stuck and alone (or so it seemed to me), I came here for help. I do see the right outlook here! Everyone helps and looks out for each other.
