From: Jon U. <jur...@ya...> - 2008-05-14 11:25:28
Hi Brian,

Building snort is being a strange experience for me, because I get too many issues I can not fully understand. I'm trying not to uninstall any of the standard libs (libpcap) to have a "dual system", and I got binaries (linked to the correct libs (/usr/local/lib)) with no errors. But the unified file format they generate is wrong because it's full of messages of this kind:

"snortunified.cfg[**] [116:6:1] (snort_decoder) WARNING: IP dgm len > IP Hdr len! [**]"

Even if we have the option to avoid these messages in snort.conf. I guess I get a message for each packet we receive...

We have an old snort binary linked to modified libpcap (that's what ldd says...) that seems to work ok (loads pfring on startup and gives normal alerts), but I compiled it before we had the pfring change (kernel and new libpcaps)??? It shouldn't work this way.

But our critical problem now is that we are not getting any snort event in ossim, even with the working snort!! And I can assure that alerts are being generated...

The snortunified.cfg file does not parse the snort.log file by Perl Regular Expressions syntax, so we can not follow what the agent is doing when it's supposed to parse events... The python scripts for this parsing

We need help.

Thanks,
Jon

Brian Lavender wrote:
> Jon,
>
> I am going to have to do the snort from scratch. I have finals at the
> moment (grad school), so I won't be going into work too much, but I
> am inspired by your post to roll this from scratch. Have you looked at
> the O'Reilly "Network Security Hacks" book? It has a Barnyard setup and
> more. Its hacks have clarified a number of security questions I have had.
>
> For snort, I have only currently relied upon the Ossim install CD. I
> know it doesn't have the ring buffer, so I am going to have to figure
> this out. I know at my work, we have the Nortel implementation of
> Sourcefire. I need to figure out if it can give a feed.
>
> brian
>
> On Tue, May 13, 2008 at 06:41:59PM +0200, Jon Uriona wrote:
>> Hi again,
>>
>> The snort issue is about a strange functioning of our compilation. We
>> have a new snort that creates correct snort.log files...
>>
>> Then I still have the rest of my questions... ossim-agent is not parsing
>> snort's log at all. There are alerts generated but no event inserted in
>> ossim server.
>>
>> Any ideas??
>>
>> Regards
>>
>> Jon
>>
>> Jon Uriona wrote:
>>> Hi all,
>>>
>>> We have snort (with pf_ring) logging in unified format, analyzing a link
>>> at about 50 Mbps. The output line is:
>>>
>>> "output unified: filename snort, limit 128"
>>>
>>> At this rate, a file (128 MB) is generated every minute or two. My first
>>> question is... Is this normal? There has been a snort config depuration
>>> and the alert rate is not very high, so even if the whole packets
>>> (generating alerts) are logged, it is a very big amount!! The error
>>> should be here... What's your opinion about this??
>>>
>>> We have an instance of ossim-agent with snortunified plugin, here the
>>> config:
>>>
>>> "[config]
>>> type=detector
>>> enable=yes
>>> source=snortlog
>>> process=snort
>>> start=no; launch plugin process when agent starts
>>> stop=no; shutdown plugin process when agent stops
>>> startup=/etc/init.d/%(process)s start
>>> shutdown=/etc/init.d/%(process)s stop
>>> directory=/var/log/snort/
>>> prefix=snort
>>> linklayer=ethernet
>>> "
>>>
>>> But there is no snort event logged into the server. How can I assure
>>> that ossim-agent is reading the unified files? lsof does not say
>>> anything (no open files). Is it going to be fast enough to read that
>>> amount of data??
>>> How can the agent's unified parser be aware of the rotation of these
>>> files (snort logs)? I need to rotate them periodically (disk space is
>>> not infinite...) and I need to know how much of the agent's work is done!!
>>>
>>> Please help!!
>>>
>>> Regards,
>>>
>>> Jon
>>>
>>> _______________________________________________
>>> Os-sim-support mailing list
>>> Os-...@li...
>>> https://lists.sourceforge.net/lists/listinfo/os-sim-support
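The thread asks two things nobody answers: how to tell whether ossim-agent has the unified files open when lsof shows nothing, and how far through them it has read before they are rotated. The script below is an added example, not code from the ossim-agent or snort projects; it assumes a Linux /proc filesystem and that the caller supplies the agent's pid and the `directory`/`prefix` values from the plugin config. It reads each fd's `fdinfo` offset, compares it with the file size, and flags files the agent still holds after they were rotated away (`readlink` then reports " (deleted)").

```python
#!/usr/bin/env python3
"""Report which files under a directory a process has open and how far
it has read each one (Linux /proc only; added example, not OSSIM code)."""
import os
import re
import sys

# /proc/<pid>/fdinfo/<fd> contains lines such as "pos:\t4096" and "flags:\t0100000"
_POS_RE = re.compile(r"^pos:\s*(\d+)", re.MULTILINE)


def parse_fdinfo_pos(fdinfo_text):
    """Return the read offset recorded in an fdinfo entry."""
    m = _POS_RE.search(fdinfo_text)
    if m is None:
        raise ValueError("no pos: field in fdinfo")
    return int(m.group(1))


def progress(pos, size):
    """Fraction of the file consumed; an empty file counts as fully read."""
    if size == 0:
        return 1.0
    return min(pos / size, 1.0)


def open_files_under(pid, directory, prefix=""):
    """List (path, pos, size, deleted) for each fd of `pid` inside `directory`.

    An empty list means the process has nothing from that directory open,
    which is what the lsof check in the thread was trying to establish.
    """
    directory = os.path.abspath(directory)
    fd_dir = "/proc/%d/fd" % pid
    found = []
    for fd in os.listdir(fd_dir):
        link = os.path.join(fd_dir, fd)
        try:
            target = os.readlink(link)
            size = os.stat(link).st_size  # works even for rotated (unlinked) files
            with open("/proc/%d/fdinfo/%s" % (pid, fd)) as f:
                pos = parse_fdinfo_pos(f.read())
        except OSError:
            continue  # fd closed between listdir and inspection
        deleted = target.endswith(" (deleted)")
        path = target[: -len(" (deleted)")] if deleted else target
        if path.startswith(directory + os.sep) and os.path.basename(path).startswith(prefix):
            found.append((path, pos, size, deleted))
    return found


if __name__ == "__main__":
    # usage: ./check_agent_fds.py <ossim-agent pid>; directory/prefix as in the plugin config
    for path, pos, size, deleted in open_files_under(int(sys.argv[1]), "/var/log/snort/", "snort"):
        print("%s%s: %d/%d bytes (%.1f%%)" % (path, " [rotated]" if deleted else "",
                                              pos, size, 100 * progress(pos, size)))
```

A file reported as [rotated] with progress below 100% is data the rotation will lose once the agent closes it, so rotate only files the agent has fully consumed or no longer holds.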