snort specific question

NST
Joe M
2013-06-25
2013-07-19
  • Joe M

    Joe M - 2013-06-25

    Hi. I'm trying to set this up primarily to use as a snort ids with barnyard2 and rsyslog to splunk.

    After various attempts, I've gotten things to work one way or another.

    I use the following commands to configure the NIC's

    nstnetcfg -m stealth --interface p1p1
    nstnetcfg -m ssl --interface em1 --virtual-host *:443 --server-name xxx:443

    and then i have to copy the /etc/snort diretory to /etc/snort_p1p1 and edit snort.conf.

    problem is, every time it doesn't work correctly, and I have to 'destroy' the instance, everything gets deleted.

    My question is, is there a script somewhere I'm not finding to set up snort correctly? Something that will copy the /etc/snort directory to the correct /etc/snort_p1p1 (or whatever the interface is) and set up things correctly?

    I've scoured the documentation, but don't find anything.

    Thanks.

    p.s. - i'm using the 64 bit pro version.

     
    Last edit: Joe M 2013-06-25
  • Ronald W. Henderson

    Joe:

    Try: /usr/local/bin/setup_snort

    Otherwise what feature in the NST WUI Snort IDS page is not working for you?

    ---RWH

     
  • Joe M

    Joe M - 2013-07-18

    Hi Ronald, sorry it's taken so long to reply.

    I finally gave in (not up) and started scripting my install. My problem now is, when I execute this line from my bash script:

    /bin/su -c '(cd /usr/local/bin;./setup_snort -r local -i '$SnortInterfaceX' -s '$ServerNameX' -ars ftp://hostname/rules/snortrules-snapshot-2946.tar.gz -a full --HOME_NET '$HomeNetX'.0.0.0 --EXTERNAL_NET !'$Home_NetX')'

    I get the following error:

    ./setup_snort: line 726: [: 650: unary operator expected.

    I'm sure the issue is on my end, but your script is too difficult for me to decipher.

    can you please give me a clue where I'm going wrong?

    Thanks.
    Joe.

     
  • Ronald W. Henderson

    Can you please provide what your bash variables resolve to (i.e. $SnortInterfaceX)

    Also: ftp://hostname/rules/snortrules-snapshot-2946.tar.gz - I do not understand this? should it be: $(hostname) - resolves to your hostname

    Thanks
    ---RWH

     
  • Joe M

    Joe M - 2013-07-18

    Here you go:

    Thank you for the fast reply!

    I do a "read" to get the variables. In my testing, I'm using:

    $SnortInterfaceX = p1p1
    $ManagementInterfaceX = em1
    $ServerNameX = abcd-efg-ids01
    $HomeNetX = 10

    And I realized that the --EXTERNAL_NET !'$Home_NetX' should be '--EXTERNAL_NET !$HOME_NET' but that hasn't made a difference.

    The hostname in the ftp statement isn't a variable, it's a hard-coded name ( I just replaced it to keep my stuff obscured).

    thanks!

     
  • Joe M

    Joe M - 2013-07-18

    A little more info. I had a friend help me and we figured out that if we make line 726 read:

    if [[ ${lil} -gt ${clil} ]]; then

    it gets rid of the error msg. I don't know if it "fixes" the issue.

    Please let me know what you think.

    Thanks.

     
  • Ronald W. Henderson

    The error is related to the included snort rule sets bundled in file: "snortrules-snapshot-2946.tar.gz". Where did this file come from? Sourcefire or your own rule set bundle?

    What I think is that your snort config file: /etc/snort_p1p1/snort.conf does not contain any "include $RULE_PATH/*.rules" directives. Can u check?

    ---RWH

     
  • Joe M

    Joe M - 2013-07-19

    I downloaded it from sourcefire. I'm deploying about 35 of these and don't want it downloading directly from S/F.

    there are many "include $RULE_PATH/***.rules" statements in the /etc/snort_p1p1/snort.conf file.

    Would sending you my script help you? I don't want to upload it here, but if it helps you to see what I'm trying to do, I can send it. It's not 100% yet, but close(er).

    thanks!

     
  • Ronald W. Henderson

    Joe:

    Why are you not using the NST WUI Snort page to do what you are trying to do?

    ---RWH

     
  • Joe M

    Joe M - 2013-07-19

    2 reasons.

    1. when if something goes wrong and you destroy the instance, it deletes everything and you can't create any more instances.

    2. I have 35 of these to deploy. much easier to clone the drives and run a script.

     
  • Ronald W. Henderson

    What I am trying to determine if using the NST WUI with your rule set bundle and network interface exhibits the problem. Can you please try?

    Then we can determine if this is an issue with the setup_snort/NST WUI combo or your implementation.

    ---RWH

     
  • Joe M

    Joe M - 2013-07-19

    Oh, gotcha. Sorry, I'm out of the office today so I won't be able to look until Monday. I'll get you an update then. Thanks!

     

Log in to post a comment.

Get latest updates about Open Source Projects, Conferences and News.

Sign up for the SourceForge newsletter:

JavaScript is required for this form.





No, thanks