Snort Forums Archive
Henwen - revival experiment
Posted by muaddib64 on January 08, 2008 19:16:32
Hi
I'm doing a bit of experimenting to see if I can revive Henwen by updating the snort binary
and ruleset, assuming Henwen is just a GUI layer.
I noticed the snort process is started using:
snort -D -c /Applications/HenWen.app/Contents/Resources/snort.conf -i en0
So I did this:
1. Built snort using fink
2. Copied the fink built snort executable to replace the bundled one in Henwen
- look in /Applications/HenWen.app/Contents/macos
3. Downloaded a current ruleset from snort.org
4. Replaced the Henwen bundled ruleset in (no auto update)
/Applications/HenWen.app/Contents/Resources/rules
5. Started snort and my system.log snapshot is below
6. Start some testing to see if it works properly
7. Wondering if anyone else has tried this :)
---- /var/log/system.log henwen startup snapshot -----
Jan 9 12:56:28 administrators-macbook HenWen[25436]: LCC Scroll Enhancer loaded
Jan 9 12:56:38 administrators-macbook authexec[25437]: executing /Applications/HenWen.app/Contents/MacOS/gluprunner
Jan 9 12:56:38 administrators-macbook /Applications/HenWen.app/Contents/MacOS/snort[25437]: Initializing daemon mode
Jan 9 12:56:38 administrators-macbook /Applications/HenWen.app/Contents/MacOS/snort[25438]: WARNING: _PATH_VARRUN is invalid, trying /sw/var/log...
Jan 9 12:56:38 administrators-macbook /Applications/HenWen.app/Contents/MacOS/snort[25438]: Writing PID "25438" to file "/sw/var/log//snort_en0.pid"
Jan 9 12:56:38 administrators-macbook /Applications/HenWen.app/Contents/MacOS/snort[25438]: Parsing Rules file /Applications/HenWen.app/Contents/Resources/snort.conf
Jan 9 12:56:38 administrators-macbook /Applications/HenWen.app/Contents/MacOS/snort[25438]: ,-----------[Flow Config]----------------------
Jan 9 12:56:38 administrators-macbook /Applications/HenWen.app/Contents/MacOS/snort[25438]: | Stats Interval: 0
Jan 9 12:56:38 administrators-macbook /Applications/HenWen.app/Contents/MacOS/snort[25438]: | Hash Method: 2
Jan 9 12:56:38 administrators-macbook /Applications/HenWen.app/Contents/MacOS/snort[25438]: | Memcap: 10485760
Jan 9 12:56:38 administrators-macbook /Applications/HenWen.app/Contents/MacOS/snort[25438]: | Rows : 4099
Jan 9 12:56:38 administrators-macbook /Applications/HenWen.app/Contents/MacOS/snort[25438]: | Overhead Bytes: 16400(%0.16)
Jan 9 12:56:38 administrators-macbook /Applications/HenWen.app/Contents/MacOS/snort[25438]: `----------------------------------------------
Jan 9 12:56:38 administrators-macbook /Applications/HenWen.app/Contents/MacOS/snort[25438]: X-Link2State Config:
Jan 9 12:56:38 administrators-macbook /Applications/HenWen.app/Contents/MacOS/snort[25438]: Ports: 25 691
Jan 9 12:56:38 administrators-macbook /Applications/HenWen.app/Contents/MacOS/snort[25438]: rpc_decode arguments:
Jan 9 12:56:38 administrators-macbook /Applications/HenWen.app/Contents/MacOS/snort[25438]: Ports to decode RPC on: 111 32771
Jan 9 12:56:38 administrators-macbook /Applications/HenWen.app/Contents/MacOS/snort[25438]: alert_fragments: INACTIVE
Jan 9 12:56:38 administrators-macbook /Applications/HenWen.app/Contents/MacOS/snort[25438]: alert_large_fragments: ACTIVE
Jan 9 12:56:38 administrators-macbook /Applications/HenWen.app/Contents/MacOS/snort[25438]: alert_incomplete: ACTIVE
Jan 9 12:56:38 administrators-macbook /Applications/HenWen.app/Contents/MacOS/snort[25438]: alert_multiple_requests: ACTIVE
Jan 9 12:56:38 administrators-macbook /Applications/HenWen.app/Contents/MacOS/snort[25438]: /sw/var/log/snort/snort_alert file doesn't exist or isn't writable!
Jan 9 12:56:39 administrators-macbook snort[25438]: Warning: flowbits key 'smb.tree.bind.nddeapi' is checked but not ever set.
Jan 9 12:56:39 administrators-macbook snort[25438]: Warning: flowbits key 'sslv3.client_hello.request' is checked but not ever set.
Jan 9 12:56:39 administrators-macbook snort[25438]: Warning: flowbits key 'dce.bind.nddeapi' is set but not ever checked.
Jan 9 12:56:39 administrators-macbook snort[25438]:
Jan 9 12:56:39 administrators-macbook snort[25438]: +-----------------------[thresholding-config]----------------------------------
Jan 9 12:56:39 administrators-macbook snort[25438]: | memory-cap : 1048576 bytes
Jan 9 12:56:39 administrators-macbook snort[25438]: +-----------------------[thresholding-global]----------------------------------
Jan 9 12:56:39 administrators-macbook snort[25438]: | none
Jan 9 12:56:39 administrators-macbook snort[25438]: +-----------------------[thresholding-local]-----------------------------------
Jan 9 12:56:39 administrators-macbook snort[25438]: | gen-id=1 sig-id=2924 type=Threshold tracking=dst count=10 seconds=60
Jan 9 12:56:39 administrators-macbook snort[25438]: | gen-id=1 sig-id=2923 type=Threshold tracking=dst count=10 seconds=60
Jan 9 12:56:39 administrators-macbook snort[25438]: | gen-id=1 sig-id=5323 type=Limit tracking=src count=1 seconds=60
Jan 9 12:56:39 administrators-macbook snort[25438]: | gen-id=1 sig-id=5321 type=Limit tracking=src count=1 seconds=60
Jan 9 12:56:39 administrators-macbook snort[25438]: | gen-id=1 sig-id=3527 type=Limit tracking=dst count=5 seconds=60
Jan 9 12:56:39 administrators-macbook snort[25438]: | gen-id=1 sig-id=5322 type=Limit tracking=src count=1 seconds=60
Jan 9 12:56:39 administrators-macbook snort[25438]: +-----------------------[suppression]------------------------------------------
Jan 9 12:56:39 administrators-macbook snort[25438]: | none
Jan 9 12:56:39 administrators-macbook snort[25438]: +------------------------------------------------------------------------------
Jan 9 12:56:39 administrators-macbook snort[25438]: Rule application order: ->activation->dynamic->alert->pass->log
Jan 9 12:56:39 administrators-macbook snort[25438]: Log directory = /sw/var/log/snort
Jan 9 12:56:39 administrators-macbook snort[25438]: Snort initialization completed successfully (pid=25438)
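A small checker for the kind of system.log snapshot pasted in the post above, added here as an example (it is not HenWen or Snort code). It re-joins syslog entries that the forum wrapped across lines, keeps only the entries logged by a snort process, and reports what matters after swapping the binary: the warnings, any alert file Snort says it cannot write, the log directory, and whether initialization actually completed. The sample log is constructed from lines in the post; the helper names are my own.

```python
"""Sanity-check a Snort startup snapshot taken from /var/log/system.log.

Added example, not HenWen or Snort code. Re-joins wrapped syslog entries,
keeps the snort[] ones, and extracts the facts worth acting on after a
binary swap: warnings, unwritable alert files, log dir, init completion.
"""
import re

# Sample input constructed from the snapshot in the post (trimmed, with two
# entries wrapped across lines the way the forum rendered them).
SAMPLE_LOG = """\
Jan 9 12:56:38 administrators-macbook authexec[25437]: executing /Applications/HenWen.app/Contents/MacOS/gluprunner
Jan 9 12:56:38 administrators-macbook /Applications/HenWen.app/Contents/MacOS/snort[25438]: WARNING: _PATH_VARRUN is
invalid, trying /sw/var/log...
Jan 9 12:56:38 administrators-macbook /Applications/HenWen.app/Contents/MacOS/snort[25438]: Writing PID "25438" to file "/sw/var/log//snort_en0.pid"
Jan 9 12:56:38 administrators-macbook /Applications/HenWen.app/Contents/MacOS/snort[25438]: /sw/var/log/snort/snort_alert file
doesn't exist or isn't writable!
Jan 9 12:56:39 administrators-macbook snort[25438]: Warning: flowbits key 'smb.tree.bind.nddeapi' is checked but not ever set.
Jan 9 12:56:39 administrators-macbook snort[25438]: Log directory = /sw/var/log/snort
Jan 9 12:56:39 administrators-macbook snort[25438]: Snort initialization completed successfully (pid=25438)
"""

# A syslog entry starts with "Mon D HH:MM:SS host process[pid]: message".
ENTRY_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<proc>\S+)\[(?P<pid>\d+)\]: ?(?P<msg>.*)$"
)


def join_wrapped(text):
    """Return whole syslog entries: a line that does not start a new entry
    is a continuation of the previous one (the forum wrapped long lines)."""
    entries = []
    for line in text.splitlines():
        if ENTRY_RE.match(line) or not entries:
            entries.append(line)
        else:
            entries[-1] += " " + line.strip()
    return entries


def snort_entries(text):
    """Parse only the entries logged by a process named snort (any path prefix)."""
    out = []
    for line in join_wrapped(text):
        m = ENTRY_RE.match(line)
        if m and m.group("proc").split("/")[-1] == "snort":
            out.append(m.groupdict())
    return out


def summarize(text):
    """Collect the facts a defender wants to see after a binary swap."""
    summary = {"pid": None, "completed": False, "log_dir": None,
               "warnings": [], "unwritable": []}
    for e in snort_entries(text):
        msg = e["msg"]
        if msg.lower().startswith("warning"):
            summary["warnings"].append(msg)
        if "isn't writable" in msg or "doesn't exist" in msg:
            # "/path/to/file file doesn't exist or isn't writable!" -> the path
            summary["unwritable"].append(msg.split(" file", 1)[0])
        m = re.search(r"Log directory = (\S+)", msg)
        if m:
            summary["log_dir"] = m.group(1)
        m = re.search(r"initialization completed successfully \(pid=(\d+)\)", msg)
        if m:
            summary["completed"] = True
            summary["pid"] = int(m.group(1))
    return summary


def healthy(summary):
    """Healthy means Snort came up AND has somewhere to write alerts;
    a sensor that initialized but cannot log is silently useless."""
    return bool(summary["completed"]) and not summary["unwritable"]


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    for w in s["warnings"]:
        print("warning:", w)
    for p in s["unwritable"]:
        print("not writable:", p)
    print("healthy" if healthy(s) else "NOT healthy",
          "pid", s["pid"], "log dir", s["log_dir"])
```

Run against a real snapshot with `summarize(open("/var/log/system.log").read())`; on the snapshot in the post it reports the run as not healthy, because initialization completed but `/sw/var/log/snort/snort_alert` was not writable, so no alerts would have been recorded until that path was fixed.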
Posted by muaddib64 on January 10, 2008 17:33:24
Looks like it's working :)
Posted by p2409 on January 26, 2008 19:12:13
I got HenWen going under native intel Mac OSX 10.4, MySQL5 and the latest snort.
If you're au fait with XCode and cocoa, I've posted instructions at HenWen sourceforge site if
anyone's interested.
Note with your instructions above, I think you would have to switch off security in HenWen
preferences - HenWen does an MD5 check of your binary to protect against a man-in-the-middle
break-in.
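The binary check mentioned in the reply above is the kind of integrity pin that a swapped-in build trips by design. The following is an added illustration of that idea, not HenWen's own check (the post only says it compares an MD5 of the snort binary): a pinned digest is verified before launch, the replacement build fails it, and the fix is to re-pin after vetting the new build rather than to switch the check off. The file contents, paths other than the bundled snort path from the post, and the `demo` helper are constructed for the example.

```python
"""Pin and verify the digest of a binary before launching it.

Added example, not HenWen code. Shows why replacing the bundled snort
trips a pinned-digest check and what re-pinning (instead of disabling the
check) looks like. Files and values below are constructed.
"""
import hashlib
import hmac
import os
import tempfile

# Path of the bundled binary as given in the first post; used only as documentation here.
SNORT_BIN = "/Applications/HenWen.app/Contents/MacOS/snort"


def file_digest(path, algo="sha256"):
    """Hash a file in chunks. MD5 is what the post mentions; SHA-256 is the
    sensible default because MD5 collisions are cheap to produce."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def verify(path, pinned, algo="sha256"):
    """True only if the on-disk digest equals the pinned one.
    compare_digest avoids leaking how many leading characters matched."""
    return hmac.compare_digest(file_digest(path, algo), pinned)


def repin(path, algo="sha256"):
    """Record a new pin after you have vetted the replacement build yourself
    (e.g. against the hash its distributor publishes)."""
    return file_digest(path, algo)


def demo():
    """Replay the post's scenario with constructed files: pin the bundled
    binary, replace it with another build, watch the check fail, re-pin."""
    d = tempfile.mkdtemp()
    fake = os.path.join(d, "snort")
    with open(fake, "wb") as f:
        f.write(b"bundled snort build (constructed)")
    pinned = repin(fake)
    before = verify(fake, pinned)           # bundled binary still matches
    with open(fake, "wb") as f:
        f.write(b"fink-built snort (constructed)")
    after = verify(fake, pinned)            # swapped binary fails the pin
    after_repin = verify(fake, repin(fake)) # vetted build pinned again
    return before, after, after_repin       # (True, False, True)


if __name__ == "__main__":
    print(demo())
```

The same three-step flow applies whichever algorithm the GUI uses: a failed check after a deliberate swap is the check working, and the state to restore is a pin on the build you trust, not an unchecked launch.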