From: Bartosz B. <bar...@gm...> - 2006-03-03 11:27:44
Hi. I've been trying to deploy multiple sensors on one box (with 4 NICs). Dominique Karg wrote in a mail that I should do some Python hacking to achieve my goal. I followed his leads and did a few modifications to the agent config, plugins and Python code.

1. In /usr/share/ossim-agent/pyossim I have created a ParserSnort for each snort instance I need:

   ParserSnort_INTER16.py
   ParserSnort_INTER20.py
   ParserSnort_OUTER217.py

   Each file is a copy of ParserSnort.py with a modified class name (for OUTER217 the class definition is as follows):

   class ParserSnort_OUTER217(Parser.Parser):

2. In /usr/share/ossim-agent/pyossim I have altered Agent.py's parser definitions:

   "1001": ParserSnort_INTER16.ParserSnort_INTER16,
   "1002": ParserSnort_INTER20.ParserSnort_INTER20,
   "1003": ParserSnort_OUTER217.ParserSnort_OUTER217,

3. In /etc/ossim/agent/plugins I have created copies of the snort.xml file. Each one is responsible for a different snort/sensor. This way I have three different files:

   snort_INTER16.xml
   snort_INTER20.xml
   snort_OUTER217.xml

   Those files look as follows:

   <?xml version="1.0" encoding='UTF-8' ?>
   <plugin id="1001" process="snort" type="detector" start="yes" enable="yes">
     <startup>/etc/init.d/snort start eth1 /etc/snort/snort_INTER16.conf /var/log/snort_INTER16</startup>
     <shutdown>/etc/init.d/snort stop</shutdown>
     <source>fast</source>
     <interface>&interface;</interface>
     <sensor>&sensor;</sensor>
     <location>/var/log/snort_INTER16/alert</location>
   </plugin>

   In each file id="" is different (according to the one specified in Agent.py).

4. In /etc/ossim/agent.config.xml I have added three entities and three plugin initializations:

   Entities:

   <!ENTITY snort_INTER16 SYSTEM '/etc/ossim/agent/plugins/snort_INTER16.xml'>
   <!ENTITY snort_INTER20 SYSTEM '/etc/ossim/agent/plugins/snort_INTER20.xml'>
   <!ENTITY snort_OUTER217 SYSTEM '/etc/ossim/agent/plugins/snort_OUTER217.xml'>

   Plugins:

   &snort_INTER16;
   &snort_INTER20;
   &snort_OUTER217;

The problem with all I did is that it doesn't work.
When I start the ossim agent only the last snort plugin is being started. In the sequence I have in my config.xml only snort_OUTER217 is started; if the line &snort_OUTER217; is commented out, then snort_INTER20 gets started. In agent.log I have:

  (=>) pyossim.Agent (2006-03-03 11:52:53): plugin-start plugin_id="1003" <-- this is the snort_OUTER217 id
  .....
  (=>) pyossim.Agent (2006-03-03 11:52:55): plugin-start plugin_id="1002" <-- snort_INTER20
  (=>) pyossim.Agent (2006-03-03 11:52:55): plugin-start plugin_id="1001" <-- snort_INTER16

But ps shows only one snort running:

  [root@localhost ossim]# ps -ef | grep snort
  snort 30706 1 9 12:25 ? 00:00:01 /usr/sbin/snort -A fast -b -d -D -i eth2 -u snort -g snort -c /etc/snort/snort_OUTER217.conf -l /var/log/snort_OUTER217

When I change process="snort" in each snort_XXXXX.xml plugin definition, the agent starts all three snorts, but it doesn't stop starting them. It looks like the agent isn't aware that it has already initialized three snorts and keeps trying to get them running. What did I do wrong?

And a second issue: should the lines in each plugin definition file (snort_xxx.xml)

  <interface>&interface;</interface>
  <sensor>&sensor;</sensor>

be different? interface == eth0 and sensor == eth0.IP. eth0.IP is the IP of my ossim server and agent, but the snorts are meant to listen on the eth1-3 interfaces. Should the "interface" and "sensor" variables point to the interface and the IP bound to it on which snort will listen?

Regards
Bartosz Baranowski