Hi all,
I decided to install snort 2.2.3 and ACID from master sleepy. Everything went fine on the first try.
However, I don't get the impression that it is actually working.
I checked, and snort does start at boot (see the logs at the end).
Also, a ps -eaf | grep snort tells me it is running.
But ACID shows everything at zero, even the number of "sensors".
How can I check that it is working properly? I should add that an ifconfig confirmed my network card is on eth0.
I am running SME 6 in server mode (not gateway).
Thanks in advance,
Nico
sep 13 15:03:32 xtraete-home-sme6011 snortd: Starting snort:
Sep 13 15:03:40 xtraete-home-sme6011 kernel: device eth0 entered promiscuous mode
Sep 13 15:03:34 xtraete-home-sme6011 atalkd[1852]: zip_getnetinfo for eth0
Sep 13 15:03:40 xtraete-home-sme6011 snort: Initializing daemon mode
sep 13 15:03:40 xtraete-home-sme6011 snortd: Démarrage de snort succeeded
sep 13 15:03:40 xtraete-home-sme6011 snortd: ^[[60G[
sep 13 15:03:40 xtraete-home-sme6011 snortd:
sep 13 15:03:40 xtraete-home-sme6011 rc: Starting snortd: succeeded
Sep 13 15:03:41 xtraete-home-sme6011 snort: PID path stat checked out ok, PID path set to /var/run/
Sep 13 15:03:41 xtraete-home-sme6011 snort: Writing PID "2022" to file "/var/run//snort_eth0.pid"
Sep 13 15:03:42 xtraete-home-sme6011 snort: Parsing Rules file /etc/snort/snort.conf
Sep 13 15:03:06 xtraete-home-sme6011 httpd: PHP Warning: Unknown(): Unable to load dynamic library '/usr/lib/php4/odbc.so' - libodbc.so.1: cannot open shared object file: No such file or directory in Unknown on line 0
sep 13 15:03:42 xtraete-home-sme6011 e-smith[2046]: Processing event: local
sep 13 15:03:42 xtraete-home-sme6011 e-smith[2046]: Running event handler: /etc/e-smith/events/local/S06conf-lilo
Sep 13 15:03:42 xtraete-home-sme6011 snort: ,-----------[Flow Config]----------------------
Sep 13 15:03:42 xtraete-home-sme6011 snort: | Stats Interval: 0
Sep 13 15:03:42 xtraete-home-sme6011 snort: | Hash Method: 2
Sep 13 15:03:42 xtraete-home-sme6011 snort: | Memcap: 10485760
sep 13 15:03:43 xtraete-home-sme6011 e-smith[2046]: S06conf-lilo=action|Event|local|Action|S06conf-lilo|Start|1189688622 232179|End|1189688623 471294|Elapsed|1.239115
Sep 13 15:03:43 xtraete-home-sme6011 snort: | Rows : 4099
Sep 13 15:03:44 xtraete-home-sme6011 atalkd[1852]: zip_getnetinfo for eth0
Sep 13 15:03:45 xtraete-home-sme6011 snort: | Overhead Bytes: 16400(%0.16)
Sep 13 15:03:47 xtraete-home-sme6011 snort: `----------------------------------------------
Sep 13 15:03:47 xtraete-home-sme6011 snort: HttpInspect Config:
Sep 13 15:03:47 xtraete-home-sme6011 snort: GLOBAL CONFIG
Sep 13 15:03:48 xtraete-home-sme6011 snort: Max Pipeline Requests: 0
Sep 13 15:03:48 xtraete-home-sme6011 snort: Inspection Type: STATELESS
Sep 13 15:03:48 xtraete-home-sme6011 snort: Detect Proxy Usage: NO
Sep 13 15:03:48 xtraete-home-sme6011 snort: IIS Unicode Map Filename: /etc/snort/unicode.map
Sep 13 15:03:48 xtraete-home-sme6011 snort: IIS Unicode Map Codepage: 1252
Sep 13 15:03:48 xtraete-home-sme6011 snort: DEFAULT SERVER CONFIG:
Sep 13 15:03:48 xtraete-home-sme6011 snort: Ports: 80 8080 8180
Sep 13 15:03:48 xtraete-home-sme6011 snort: Flow Depth: 300
Sep 13 15:03:48 xtraete-home-sme6011 snort: Max Chunk Length: 500000
Sep 13 15:03:48 xtraete-home-sme6011 snort: Inspect Pipeline Requests: YES
Sep 13 15:03:48 xtraete-home-sme6011 snort: URI Discovery Strict Mode: NO
Sep 13 15:03:48 xtraete-home-sme6011 snort: Allow Proxy Usage: NO
Sep 13 15:03:48 xtraete-home-sme6011 snort: Disable Alerting: NO
Sep 13 15:03:48 xtraete-home-sme6011 snort: Oversize Dir Length: 500
Sep 13 15:03:48 xtraete-home-sme6011 snort: Only inspect URI: NO
Sep 13 15:03:48 xtraete-home-sme6011 snort: Ascii: YES alert: NO
Sep 13 15:03:48 xtraete-home-sme6011 snort: Double Decoding: YES alert: YES
Sep 13 15:03:48 xtraete-home-sme6011 snort: %U Encoding: YES alert: YES
Sep 13 15:03:48 xtraete-home-sme6011 snort: Bare Byte: YES alert: YES
Sep 13 15:03:48 xtraete-home-sme6011 snort: Base36: OFF
Sep 13 15:03:48 xtraete-home-sme6011 snort: UTF 8: OFF
Sep 13 15:03:48 xtraete-home-sme6011 snort: IIS Unicode: YES alert: YES
Sep 13 15:03:49 xtraete-home-sme6011 snort: Multiple Slash: YES alert: NO
Sep 13 15:03:49 xtraete-home-sme6011 snort: IIS Backslash: YES alert: NO
Sep 13 15:03:49 xtraete-home-sme6011 snort: Directory Traversal: YES alert: NO
Sep 13 15:03:50 xtraete-home-sme6011 snort: Web Root Traversal: YES alert: YES
Sep 13 15:03:50 xtraete-home-sme6011 snort: Apache WhiteSpace: YES alert: NO
Sep 13 15:03:50 xtraete-home-sme6011 snort: IIS Delimiter: YES alert: NO
Sep 13 15:03:50 xtraete-home-sme6011 snort: IIS Unicode Map: GLOBAL IIS UNICODE MAP CONFIG
Sep 13 15:03:50 xtraete-home-sme6011 snort: Non-RFC Compliant Characters: NONE
Sep 13 15:03:50 xtraete-home-sme6011 snort: rpc_decode arguments:
Sep 13 15:03:50 xtraete-home-sme6011 snort: Ports to decode RPC on: 111 32771
Sep 13 15:03:50 xtraete-home-sme6011 snort: alert_fragments: INACTIVE
Sep 13 15:03:50 xtraete-home-sme6011 snort: alert_large_fragments: ACTIVE
Sep 13 15:03:50 xtraete-home-sme6011 snort: alert_incomplete: ACTIVE
Sep 13 15:03:50 xtraete-home-sme6011 snort: alert_multiple_requests: ACTIVE
Sep 13 15:03:50 xtraete-home-sme6011 snort: telnet_decode arguments:
Sep 13 15:03:50 xtraete-home-sme6011 snort: Ports to decode telnet on: 21 23 25 119
Sep 13 15:03:54 xtraete-home-sme6011 atalkd[1852]: config for no router
Sep 13 15:03:56 xtraete-home-sme6011 atalkd[1852]: ready 0/0/0
sep 13 15:03:56 xtraete-home-sme6011 atalk: Démarrage de atalkd succeeded
Sep 13 15:03:59 xtraete-home-sme6011 snort: Warning: flowbits key 'smb.tree.create.llsrpc' is set but not ever checked.
Sep 13 15:03:59 xtraete-home-sme6011 snort: Warning: flowbits key 'ms_sql_seen_dns' is checked but not ever set.
Sep 13 15:03:59 xtraete-home-sme6011 snort: Warning: flowbits key 'realplayer.playlist' is checked but not ever set.
Sep 13 15:03:59 xtraete-home-sme6011 snort:
Sep 13 15:03:59 xtraete-home-sme6011 snort: +-----------------------[thresholding-config]----------------------------------
Sep 13 15:03:59 xtraete-home-sme6011 snort: | memory-cap : 1048576 bytes
Sep 13 15:03:59 xtraete-home-sme6011 snort: +-----------------------[thresholding-global]----------------------------------
Sep 13 15:03:59 xtraete-home-sme6011 snort: | none
Sep 13 15:03:59 xtraete-home-sme6011 snort: +-----------------------[thresholding-local]-----------------------------------
Sep 13 15:03:59 xtraete-home-sme6011 snort: | gen-id=1 sig-id=2496 type=Both tracking=dst count=20 seconds=60
Sep 13 15:03:59 xtraete-home-sme6011 snort: | gen-id=1 sig-id=2923 type=Threshold tracking=dst count=10 seconds=60
Sep 13 15:03:59 xtraete-home-sme6011 snort: | gen-id=1 sig-id=2924 type=Threshold tracking=dst count=10 seconds=60
Sep 13 15:03:59 xtraete-home-sme6011 snort: | gen-id=1 sig-id=3152 type=Threshold tracking=src count=5 seconds=2
Sep 13 15:03:59 xtraete-home-sme6011 snort: | gen-id=1 sig-id=2494 type=Both tracking=dst count=20 seconds=60
Sep 13 15:03:59 xtraete-home-sme6011 snort: | gen-id=1 sig-id=2495 type=Both tracking=dst count=20 seconds=60
Sep 13 15:03:59 xtraete-home-sme6011 snort: | gen-id=1 sig-id=2523 type=Both tracking=dst count=10 seconds=10
Sep 13 15:03:59 xtraete-home-sme6011 snort: | gen-id=1 sig-id=3273 type=Threshold tracking=src count=5 seconds=2
Sep 13 15:03:59 xtraete-home-sme6011 snort: | gen-id=1 sig-id=2275 type=Threshold tracking=dst count=5 seconds=60
Sep 13 15:03:59 xtraete-home-sme6011 snort: +-----------------------[suppression]------------------------------------------
Sep 13 15:03:59 xtraete-home-sme6011 snort: | none
Sep 13 15:03:59 xtraete-home-sme6011 snort: +------------------------------------------------------------------------------
Sep 13 15:03:59 xtraete-home-sme6011 snort: Rule application order: ->activation->dynamic->alert->pass->log
Sep 13 15:03:59 xtraete-home-sme6011 snort: Log directory = /var/log/snort
Sep 13 15:04:03 xtraete-home-sme6011 snort: Snort initialization completed successfully (pid=2022)
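Two things worth separating when reading the log above: the process being alive (which ps and the "Snort initialization completed successfully (pid=2022)" line already show) and the sensor actually producing output. A running Snort that never writes an alert looks exactly like this in ACID. Note also that the pasted startup lines contain no "database:" output-plugin messages, and in Snort 2.x the database output plugin registers the sensor row in the ACID database at startup, so zero sensors usually means no working "output database:" line in snort.conf rather than a capture problem. The script below is an added example, not part of the original post or of the Snort/ACID projects: it checks the PID file named in the log, whether the interface is in promiscuous mode, and whether the sensor has written any alert records to the alert file in its log directory. The paths (/var/run/snort_eth0.pid, /var/log/snort, eth0) are assumptions taken from the log, and the Snort 2.x alert-file format (each record starting with "[**]") is assumed for the count.

```shell
#!/bin/sh
# Added example (not from the original post): liveness checks for a Snort 2.x
# sensor started by the snortd init script. Assumed from the pasted syslog:
# PID file /var/run/snort_eth0.pid, log directory /var/log/snort, interface eth0.
# Assumed alert-file layout: Snort 2.x default alert file, one "[**]" per record.

# snort_pid_alive PIDFILE: print the PID stored in the file and return 0 only
# if a process with that PID is currently running.
snort_pid_alive() {
    pidfile=$1
    [ -r "$pidfile" ] || { echo "no readable PID file at $pidfile" >&2; return 1; }
    pid=$(tr -dc '0-9' < "$pidfile")
    [ -n "$pid" ] || { echo "PID file $pidfile is empty" >&2; return 1; }
    kill -0 "$pid" 2>/dev/null || { echo "PID $pid from $pidfile is not running" >&2; return 1; }
    echo "$pid"
}

# iface_promisc IFACE: return 0 if the interface is in promiscuous mode
# (IFF_PROMISC is bit 0x100 of the Linux interface flags; falls back to ip link).
iface_promisc() {
    iface=$1
    if [ -r "/sys/class/net/$iface/flags" ]; then
        [ $(( $(cat "/sys/class/net/$iface/flags") & 0x100 )) -ne 0 ]
    else
        ip link show "$iface" 2>/dev/null | grep -q PROMISC
    fi
}

# alert_count ALERTFILE: number of alert records written so far (0 if absent).
alert_count() {
    [ -r "$1" ] || { echo 0; return 0; }
    grep -c '^\[\*\*\]' "$1" || true
}

# snort_check PIDFILE LOGDIR IFACE: print a short status report; return 0 only
# when the daemon is alive AND has written at least one alert, which is the
# evidence that capture -> detection -> output really works. A running process
# alone proves nothing, which is exactly the situation in the post.
snort_check() {
    pidfile=$1; logdir=$2; iface=$3; status=0
    if pid=$(snort_pid_alive "$pidfile"); then
        echo "daemon:  running (pid $pid)"
    else
        echo "daemon:  NOT running"; status=1
    fi
    if iface_promisc "$iface"; then
        echo "capture: $iface is in promiscuous mode"
    else
        echo "capture: $iface is NOT promiscuous (interface missing, or Snort not bound to it)"
    fi
    n=$(alert_count "$logdir/alert")
    echo "alerts:  $n record(s) in $logdir/alert"
    if [ "$n" -gt 0 ]; then
        :
    else
        echo "         no alerts yet: generate traffic that matches a loaded rule"
        echo "         (an ICMP echo hits sid 384 'ICMP PING' if icmp-info rules are on)"
        status=1
    fi
    return $status
}

# demo: run the checks against constructed inputs (this shell's own PID and a
# two-record alert file in the Snort 2.x format) so the script can be tried
# without a sensor. Real usage:
#   sh snortcheck.sh /var/run/snort_eth0.pid /var/log/snort eth0
demo() {
    tmp=$(mktemp -d) || return 1
    echo $$ > "$tmp/snort_eth0.pid"
    printf '%s\n' \
        '[**] [1:384:5] ICMP PING [**]' \
        '[Classification: Misc activity] [Priority: 3]' \
        '09/13-15:10:01.123456 10.0.0.2 -> 10.0.0.1' \
        'ICMP TTL:64 TOS:0x0 ID:0 IpLen:20 DgmLen:84 DF' \
        '' \
        '[**] [1:384:5] ICMP PING [**]' \
        '[Classification: Misc activity] [Priority: 3]' \
        '09/13-15:10:02.123456 10.0.0.2 -> 10.0.0.1' > "$tmp/alert"
    snort_check "$tmp/snort_eth0.pid" "$tmp" eth0
    rc=$?
    rm -rf "$tmp"
    return $rc
}

if [ "$#" -ge 3 ]; then
    snort_check "$1" "$2" "$3"
else
    demo
fi
```

Run with no arguments to see the report against the constructed inputs; on the sensor itself pass the real PID file, log directory and interface. If the daemon is reported running but the alert count stays at zero after traffic that matches a loaded rule, the problem is in the rule set or output configuration, not in capture; if the alert file fills up but ACID still shows nothing, the database output plugin is the part to look at.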