Snort Forums Archive
challenge, deploying Snort-2.6.1 on OpenBSD3.9
Posted by rachmat on June 19, 2007 05:27:57
Straightforward...
When I'm done with this command...
snort -A full -c /etc/snort/etc/snort.conf -l /var/log/snort/
I've noticed the following...
No dynamic libraries found in directory /usr/local/lib/snort_dynamicpreprocessor/!
After that, I tried to check...
cd /usr/local/lib/snort_dynamicpreprocessor/
and I get a list of libraries in there...
And then I tried to check the snort.conf file; I checked that the reference line for the dynamic_preprocessor directory was correct...
dynamicpreprocessor directory /usr/local/lib/snort_dynamicpreprocessor/
Could you help me solve this challenge...?!
Posted by AleZ on June 20, 2007 20:45:01
Try
dynamicpreprocessor file /usr/local/lib/snort_dynamicpreprocessor/libsf_dcerpc_preproc.so.0.0
dynamicpreprocessor file /usr/local/lib/snort_dynamicpreprocessor/libsf_dns_preproc.so.0.0
dynamicpreprocessor file /usr/local/lib/snort_dynamicpreprocessor/libsf_ftptelnet_preproc.so.0.0
dynamicpreprocessor file /usr/local/lib/snort_dynamicpreprocessor/libsf_smtp_preproc.so.0.0
dynamicpreprocessor file /usr/local/lib/snort_dynamicpreprocessor/libsf_ssh_preproc.so.0.0
It works (exactly on 4.1).
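As an added example (not code from this thread or from the Snort project), a small POSIX shell helper that does what AleZ's workaround does by hand: it emits one "dynamicpreprocessor file" line per library found in the directory, and checks that every path listed in a snort.conf fragment actually exists, so a typo fails early instead of at Snort start-up. The directory layout is assumed to match the thread.

```shell
# Constructed example: emulate the workaround of listing each preprocessor
# library explicitly instead of relying on "dynamicpreprocessor directory".
set -u

# Emit one "dynamicpreprocessor file <path>" line per libsf_*_preproc.so*
# found in the given directory (assumed layout as in the thread, e.g.
# /usr/local/lib/snort_dynamicpreprocessor/). Returns 1 if none are found.
gen_dynpreproc_lines() {
    dir=${1%/}
    found=0
    for lib in "$dir"/libsf_*_preproc.so*; do
        [ -f "$lib" ] || continue          # unmatched glob stays literal; skip it
        printf 'dynamicpreprocessor file %s\n' "$lib"
        found=$((found + 1))
    done
    if [ "$found" -eq 0 ]; then
        echo "no preprocessor libraries in $dir" >&2
        return 1
    fi
    return 0
}

# Validate a snort.conf fragment: every "dynamicpreprocessor file" path must
# exist on disk. Returns the number of missing files (0 means the config is OK).
check_dynpreproc_conf() {
    conf=$1
    missing=0
    while read -r kw mode path; do
        [ "$kw" = "dynamicpreprocessor" ] && [ "$mode" = "file" ] || continue
        if [ ! -f "$path" ]; then
            echo "missing: $path" >&2
            missing=$((missing + 1))
        fi
    done < "$conf"
    return "$missing"
}
```

Typical use: `gen_dynpreproc_lines /usr/local/lib/snort_dynamicpreprocessor/ >> /etc/snort/snort.conf` and then `check_dynpreproc_conf /etc/snort/snort.conf` before restarting Snort.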
Posted by AleZ on June 21, 2007 17:29:05
Another problem with snort 2.6.1.5 + OpenBSD 4.1:
GetLWSessionFromKey(Stream5SessionCache *sessionCache, SessionKey *key) in
src/preprocessors/Stream5/snort_stream5_session.c doesn't check for a NULL sessionCache parameter.
So, you need
--- snort-2.6.1.5/src/preprocessors/Stream5/snort_stream5_session.c Sat Mar 3 07:56:15 2007
+++ snort-2.6.1.5-my/src/preprocessors/Stream5/snort_stream5_session.c Tue Jun 12 00:29:25 2007
@@ -201,6 +201,8 @@
Stream5LWSession *returned = NULL;
SFXHASH_NODE *hnode;
+ if (!sessionCache) return returned;
+
hnode = sfxhash_find_node(sessionCache->hashTable, key);
if (hnode && hnode->data)
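Review bot: the early return added before `hnode = sfxhash_find_node(sessionCache->hashTable, key);` stops the NULL dereference, but it returns the same value as a normal cache miss, so a caller that wrongly passes a NULL sessionCache now fails silently and carries on without a session; consider logging (or asserting in debug builds) when sessionCache is NULL so the underlying cause on OpenBSD 4.1 can be found rather than hidden. The `key` argument is still passed to sfxhash_find_node unchecked on that same line.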
.
Posted by rachmat on June 28, 2007 06:52:57
It's working.
Thanks a zillion..
Umm... may I have your advice...
Actually, I'm now doing research to build an intrusion detection
and prevention system. There are some questions I have to ask,
they are..
- Is it good to use LIDS, or to use Snort on separate systems, such as
Snort on OpenBSD acting as a NIDS sensor? Give me your reasons, please..
- My plan was...
http://www.geocities.com/alan_skyline99/untitled.bmp
What do you think... and do you have an idea for a better topology? Give me a suggestion...
Posted by rachmat on August 02, 2007 19:11:26
I'm really getting myself confused..
In the first phase of research, I have a plan to deploy Snort as a reliable, robust, and secure box to become a sensor monitoring the server farm in the DMZ. With this, I decided to use OpenBSD as the operating system.
I chose...
- barnyard as the output plugin
- BASE as the management console
- oinkmaster as the rules updater
Now, if I put all of that together on a single machine (OpenBSD), how
can I use BASE to manage and monitor the sensor?
How about deploying BASE on a separate machine?
Or can you guys give me another solution...?
However, when Snort is running in NIDS mode with this command typed in the console:
snort -d -l /var/log/snort -c /etc/snort/snort.conf
I can't find a way to stop the Snort process to view the log recorded in the log directory specified above.
Could you do me a favor?
Posted by rachmat on August 11, 2007 09:43:59
Is there anyone who can solve this challenge?
I'm getting lonely down here...
Posted by AleZ on August 17, 2007 19:30:01
I use these settings for logging (snort.conf):
output database: log, mysql, user=... password=... dbname=snort host=... detail=full sensor_name=...
output alert_unified: filename snort.alert, limit 512
output log_unified: filename snort.log, limit 512
The command line for snort:
#/usr/bin/snort -Dq -c /etc/snort/snort.conf -i pflog0 -P1500
(I select traffic for Snort via pf; maybe you prefer a real interface like -i em0.)
Use barnyard to check alerts in snort.alert via the console:
barnyard-con.conf:
config sid-msg-map: /etc/snort/sid-msg.map
config gen-msg-map: /etc/snort/gen-msg.map
config class-file: /etc/snort/classification.config
output alert_console
# barnyard -c /etc/snort/barnyard-con.conf -f snort.alert -n -v
BASE and MySQL are located on another machine (my network NMS). Attempts with barnyard+mysql+base are frozen now. barnyard writes the events into MySQL, but barnyard doesn't register the sensor and BASE doesn't show the events in the web pages (the problem is described in the Snort forums, but the recommended workaround is not suitable for me).
In a large network (my case) there are a lot of events in the database, so it's a bad idea to locate snort+apache+php+mysql+Base on a single machine in that case. Snort and MySQL are the main sources of memory and processor load.
Posted by rachmat on August 17, 2007 22:01:20
AleZ, thank you very much...
Um.. can I get your email address? I do need your help!!!
rachmat_hidayat_01@yahoo.com