# Need help with a firewall script. (SOLVED)

## vaguy02

Everyone, 

I'm trying to merge the standard Gentoo Security Handbook firewall (I don't think you need the link for that) and this cool Perl script I found for automatically banning IPs during brute-force attacks ( http://www.pettingers.org/code/sshblack.html ), but I can't seem to get it working. Let me know if you have any ideas.

```
#!/sbin/runscript

# Tools this runscript drives.
IPTABLES="/sbin/iptables"
IPTABLESSAVE="/sbin/iptables-save"
IPTABLESRESTORE="/sbin/iptables-restore"

# File that save/restore read and write.
FIREWALL="/etc/firewall.rules"

# Resolvers the outgoing-DNS chain is allowed to reach.
DNS1="192.168.0.1"
DNS2="212.242.40.51"

# Inside: loopback address and interface.
IIP="127.0.0.1"
IINTERFACE="lo"
#LOCAL_NETWORK=10.0.0.0/24

# Outside: the network-facing interface and its address.
OIP="192.168.0.200"
OINTERFACE="eth1"

# Extra actions this runscript exposes besides start/stop.
opts="${opts} showstatus panic save restore showoptions rules"

# Runscript dependency hook: the firewall must not be started before the
# network service is up.
depend() { need net; }

rules() {

  # Rebuild the rule set from scratch: tear down whatever is loaded, set
  # DROP policies, build one chain per purpose, then attach the chains to
  # INPUT and FORWARD. (The poster's listing stops before the function ends;
  # the OUTPUT rules and the rest of FORWARD are not shown here.)

  stop

  ebegin "Setting internal rules"

  einfo "Setting default rule to drop"

  # NOTE(review): these policies take effect immediately, but the
  # ESTABLISHED,RELATED accept lives in allowed-connection, which is only
  # attached to INPUT at the end of this function. Until then packets of an
  # existing session (e.g. the admin's SSH login) hit the DROP policy.

  $IPTABLES -P FORWARD DROP

  $IPTABLES -P INPUT   DROP

  $IPTABLES -P OUTPUT  DROP

  #default rule

  einfo "Creating states chain"

  # allowed-connection: accept replies to existing conversations; anything
  # else that reaches it is dropped, after a rate-limited log entry when it
  # arrived on the inside interface.

  $IPTABLES -N allowed-connection

  $IPTABLES -F allowed-connection

  $IPTABLES -A allowed-connection -m state --state ESTABLISHED,RELATED -j ACCEPT

  # "-m limit" without --limit uses the match's default rate (3/hour, burst 5),
  # so this log line is mostly a trip-wire rather than a full record.

  $IPTABLES -A allowed-connection -i $IINTERFACE -m limit -j LOG --log-prefix "Bad packet from ${IINTERFACE}:"

  $IPTABLES -A allowed-connection -j DROP

  #ICMP traffic

  einfo "Creating icmp chain"

  # icmp_allowed: only new time-exceeded and destination-unreachable messages
  # get through; every other ICMP packet is logged and dropped.

  $IPTABLES -N icmp_allowed

  $IPTABLES -F icmp_allowed

  $IPTABLES -A icmp_allowed -m state --state NEW -p icmp --icmp-type time-exceeded -j ACCEPT

  $IPTABLES -A icmp_allowed -m state --state NEW -p icmp --icmp-type destination-unreachable -j ACCEPT

  # No rate limit on this LOG rule, unlike the scan-detection logs below.

  $IPTABLES -A icmp_allowed -p icmp -j LOG --log-prefix "Bad ICMP traffic:"

  $IPTABLES -A icmp_allowed -p icmp -j DROP

  #Incoming traffic

  einfo "Creating incoming ssh traffic chain"

  $IPTABLES -N allow-ssh-traffic-in

  # BLACKLIST is presumably the chain the external ban script adds entries
  # to (the post above mentions sshblack) — confirm against that script.
  # Unlike every other chain here it is created but not flushed, so entries
  # already in it survive a reload.
  # NOTE(review): "iptables -N" fails when the chain already exists (for
  # instance if the ban script created it first) and the error is not
  # checked; the jump below is still inserted either way.

  $IPTABLES -N BLACKLIST

  # Inserted (-I) at the head of INPUT rather than appended, so port-22
  # traffic is checked against BLACKLIST before the INVALID drop and the
  # accept chains attached further down.

  $IPTABLES -I INPUT -p tcp --dport 22 -j BLACKLIST

  $IPTABLES -F allow-ssh-traffic-in

  #Flood protection

  # RST-only, FIN-only and SYN-only packets to ssh are accepted at most once
  # per second each; packets above that rate do not match and fall through
  # to the ESTABLISHED,RELATED rule and then back to INPUT.

  $IPTABLES -A allow-ssh-traffic-in -m limit --limit 1/second -p tcp --tcp-flags ALL RST --dport ssh -j ACCEPT

$IPTABLES -A allow-ssh-traffic-in -m limit --limit 1/second -p tcp --tcp-flags ALL FIN --dport ssh -j ACCEPT

  $IPTABLES -A allow-ssh-traffic-in -m limit --limit 1/second -p tcp --tcp-flags ALL SYN --dport ssh -j ACCEPT

  $IPTABLES -A allow-ssh-traffic-in -m state --state RELATED,ESTABLISHED -p tcp --dport ssh -j ACCEPT

  #outgoing traffic

  einfo "Creating outgoing ssh traffic chain"

  # The three outgoing chains below are built here but not attached to
  # OUTPUT in the visible part of the listing; presumably that happens in
  # the truncated remainder.

  $IPTABLES -N allow-ssh-traffic-out

  $IPTABLES -F allow-ssh-traffic-out

  $IPTABLES -A allow-ssh-traffic-out -p tcp --dport ssh -j ACCEPT

  einfo "Creating outgoing dns traffic chain"

  # Only UDP queries to the two configured resolvers are allowed.

  $IPTABLES -N allow-dns-traffic-out

  $IPTABLES -F allow-dns-traffic-out

  $IPTABLES -A allow-dns-traffic-out -p udp -d $DNS1 --dport domain -j ACCEPT

  $IPTABLES -A allow-dns-traffic-out -p udp -d $DNS2 --dport domain -j ACCEPT

  einfo "Creating outgoing http/https traffic chain"

  $IPTABLES -N allow-www-traffic-out

  $IPTABLES -F allow-www-traffic-out

  $IPTABLES -A allow-www-traffic-out -p tcp --dport www -j ACCEPT

  $IPTABLES -A allow-www-traffic-out -p tcp --dport https -j ACCEPT

  #Catch portscanners

  einfo "Creating portscan detection chain"

  # check-flags: each flag combination that never occurs in legitimate TCP
  # traffic is logged (at most 5/minute) and then dropped. Log levels are
  # written inconsistently ("alert" on the first rule, numeric elsewhere);
  # "alert" and 1 are the same syslog level.

  $IPTABLES -N check-flags

  $IPTABLES -F check-flags

  $IPTABLES -A check-flags -p tcp --tcp-flags ALL FIN,URG,PSH -m limit --limit 5/minute -j LOG --log-level alert --log-prefix "NMAP-XMAS:"

  $IPTABLES -A check-flags -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP

  $IPTABLES -A check-flags -p tcp --tcp-flags ALL ALL -m limit --limit 5/minute -j LOG --log-level 1 --log-prefix "XMAS:"

  $IPTABLES -A check-flags -p tcp --tcp-flags ALL ALL -j DROP

  $IPTABLES -A check-flags -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -m limit --limit 5/minute -j LOG --log-level 1 --log-prefix "XMAS-PSH:"

  $IPTABLES -A check-flags -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP

  $IPTABLES -A check-flags -p tcp --tcp-flags ALL NONE -m limit --limit 5/minute -j LOG --log-level 1 --log-prefix "NULL_SCAN:"

  $IPTABLES -A check-flags -p tcp --tcp-flags ALL NONE -j DROP

  $IPTABLES -A check-flags -p tcp --tcp-flags SYN,RST SYN,RST -m limit --limit 5/minute -j LOG --log-level 5 --log-prefix "SYN/RST:"

  $IPTABLES -A check-flags -p tcp --tcp-flags SYN,RST SYN,RST -j DROP

  $IPTABLES -A check-flags -p tcp --tcp-flags SYN,FIN SYN,FIN -m limit --limit 5/minute -j LOG --log-level 5 --log-prefix "SYN/FIN:"

  $IPTABLES -A check-flags -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP

  # Apply and add invalid states to the chains

  einfo "Applying chains to INPUT"

  # Order matters: these are appended after the BLACKLIST jump inserted
  # above. Loopback traffic is only accepted after it has passed the ICMP
  # and flag checks, and "lo" is hard-coded here although IINTERFACE holds
  # the same value.

  $IPTABLES -A INPUT -m state --state INVALID -j DROP

  $IPTABLES -A INPUT -j icmp_allowed

  $IPTABLES -A INPUT -j check-flags

  $IPTABLES -A INPUT -i lo -j ACCEPT

  $IPTABLES -A INPUT -j allow-ssh-traffic-in

  # Last resort for INPUT: established/related is accepted, everything else
  # is dropped inside allowed-connection.

  $IPTABLES -A INPUT -j allowed-connection

  einfo "Applying chains to FORWARD"

  $IPTABLES -A FORWARD -m state --state INVALID -j DROP

  $IPTABLES -A FORWARD -j icmp_allowed

  $IPTABLES -A FORWARD -j check-flags

  $IPTABLES -A FORWARD -o lo -j ACCEPT

  $IPTABLES -A FORWARD -j allow-ssh-traffic-in

  # Listing truncated by the poster here; the function's closing brace and
  # remaining rules are not shown.

```

etc. The rest is not important; it's just the standard stuff. Let me know if anyone has any ideas.

Last edited by vaguy02 on Fri Aug 05, 2005 3:01 am; edited 1 time in total

----------

## hanj

So what's it doing or not doing.. when you say "I can't seem to get it working."?

Not to get you on another tangent.. but you may want to explore another option.... snortsam. Currently, I'm running snort and snortsam. I use the Bleeding-edge rules (which includes the SSH brute force rule) and I edit the rule to include the snortsam plugin. snortsam then handles firewall blocks. It's well written and well maintained.. frank knobbe is great. You can also adjust snortsam to block for x amount of minutes, as well as including anti-dos'ing measures. Since snortsam is working with Snort.. you can tell snortsam to block other rules, etc... so it's really flexible.

snort and snortsam are in portage:

```
net-analyzer/snort-2.3.2

net-analyzer/snortsam-2.30
```

Bleeding rules can be downloaded here.. using oinkmaster or some other rule fetcher:

http://www.bleedingsnort.com/

oinkmaster is in portage as well.. since I mentioned it:

```
net-analyzer/oinkmaster-1.1
```

HTH

hanji

----------

## vaguy02

Interesting Idea. I'm going to try that instead. (It sounds easier  :Wink: ) I will let you know if I have any problems or questions (probably will)

----------

## vaguy02

Well, I emerged all the tools and I started the snort daemon (still working out the config stuff) and also spamd. Not really sure how to proceed from here. Sorry, I'm kinda new at all of this.

----------

## hanj

Hello

First off.. you need to go into stages.

I would start with this.. get Snort/MySQL and Base running on the box.

stage 1:

This is a good start.. it's a little old:

https://forums.gentoo.org/viewtopic-t-78718-highlight-snort+acid+howto.html

It mentions ACID.. which is now called BASE. BASE currently is not in portage.. but here is an ebuild for it:

https://forums.gentoo.org/viewtopic-t-309727-highlight-acid+base.html (the version of BASE may be a little old.. so you might want to adjust the ebuild.. here is their website: http://base.secureideas.net)

BASE is used to manage/view your snort alerts. Make sure you have mysql as a use flag for snort.. if not, you'll need to re-emerge it.

Once you have snort listening on your interfaces.. and logging to mysql.. and you are able to view the alerts in BASE.. move to stage 2.

stage 2:

get your rules pulled in. Emerge oinkmaster. You'll need to create an account at snort.org.. it's free (https://www.snort.org/pub-bin/register.cgi) this will get you the latest greatest rules. After you add your IPs ( i can't remember if they do that still.. for maintaining rules to specific servers) you'll receive a 32 char alphanumeric 'key'.

In /etc/oinkmaster.conf you'll need to add that value to your URL argument..for example:

url = http://www.snort.org/pub-bin/oinkmaster.cgi/9c32c6ce4fa6c269b099aadaeacf701c00015fed/snortrules-snapshot-2.3.tar.gz

Since you want the SSH brute force rules.. you need to copy oinkmaster.conf and name it oinkmaster-bleeding.conf. For the url argument add this:

url = https://www.bleedingsnort.com/bleeding.rules.tar.gz

Now we'll need to make some shell scripts that will be run nightly via cron... cd to /etc/cron.daily/ and create this file (oinkmaster.sh)

```
#!/bin/bash
# Nightly rule refresh (/etc/cron.daily/oinkmaster.sh): first the official
# Snort rules via the default /etc/oinkmaster.conf, then the Bleeding-Edge
# rules via /etc/oinkmaster-bleeding.conf. Both runs are quiet (-q) and write
# into /etc/snort/. New rules are not live until snort is restarted.
oinkmaster="/usr/bin/oinkmaster.pl"
rules_dir="/etc/snort/"

"$oinkmaster" -q -o "$rules_dir"
"$oinkmaster" -o "$rules_dir" -q -C /etc/oinkmaster-bleeding.conf
```

Now these will email you the add, mods and removes.. so make sure you go over them before restarting snort. I don't do this auto-magically in case there is a problem with the rules.. or there is something you wanted to exclude, etc. Remember the rules will not 'load' until you restart snort.

You should be able to test this script (make sure you chmod it to 755).. while you're in /etc/cron.daily do this..

```
./oinkmaster.sh
```

It should spit out some rules.. once that is done.. restart snort. Make sure snort didn't die with a 

```
ps aux | grep snort
```

You'll also need to include the bleeding rules to your snort.conf file.. here are the rules I'm currently using:

```
include $RULE_PATH/bleeding.rules

include $RULE_PATH/bleeding-attack_response.rules

include $RULE_PATH/bleeding-dos.rules

include $RULE_PATH/bleeding-exploit.rules

include $RULE_PATH/bleeding-scan.rules

include $RULE_PATH/bleeding-web.rules
```

Now we move to stage 3

stage 3

snortsam. Emerge snortsam. This is pretty simple.. and I'm sure others will have a better way of doing this.. which I'm looking forward to see/hear.

You'll need to edit /etc/snortsam.conf

```
defaultkey yoursecretkeyhere

accept localhost

keyinterval 30 minutes

dontblock xxx.xxx.xxx.xxx           # your dns servers

dontblock xxx.xxx.xxx.xxx           # your dns servers

dontblock xxx.xxx.xxx.xxx # your network.. since you'll always want access

rollbackhosts 50

rollbackthreshold 20 / 30 secs

rollbacksleeptime 1 minute

logfile /var/log/snortsam.log

loglevel 3

daemon

fwsam localhost

nothreads

email mail.yourdomain.com you@youremail.com
```

You can get some good info at the snortsam site (http://www.snortsam.net/) about what these values mean, etc.

As far as I remember.. there are no init scripts for snortsam... so I startup using local.start in /etc/conf.d/local.start

Just add this to the bottom of that file:

```
/usr/bin/snortsam 
```

Now just start up snortsam. At command line.. type snortsam and hit enter. Make sure everything is running..

```
ps aux | grep snort
```

You should see something similar to this depending on your configurations:

```
snort    19588  0.2 11.0  61588 56912 ?        Ss   Jul27  19:02 /usr/bin/snort -D -u snort -i eth0 -N -c /etc/snort/snort.conf

root     17826  0.0  0.1   2132   860 ?        Ss   Jul27   0:04 snortsam
```

stage 4 

Now we need to put it all together. So we'll edit a rule and tell snortsam to do something if that rule is triggered...

Here is the bleeding-rule with the SSH activity you're interested in:

```
bleeding-scan.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg: "BLEEDING-EDGE Potential SSH Scan"; flags: S; flowbits: set,ssh.brute.attempt; threshold: type threshold, track by_src, count 5, seconds 120; classtype: suspicious-login; sid: 2001219; rev:10; )
```

Now to include the plugin.. pay attention to the end of the line:

```
bleeding-scan.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg: "BLEEDING-EDGE Potential SSH Scan"; flags: S; flowbits: set,ssh.brute.attempt; threshold: type threshold, track by_src, count 5, seconds 120; classtype: suspicious-login; sid: 2001219; rev:10;  fwsam: src, 20 minutes;)
```

So if this happens this IP will be blocked for 20 minutes.. also an email will be sent to you on 'block' and 'unblock'. Now we've modified the rule.. but when oinkmaster.sh runs later tonight.. it'll nuke that rule and replace it with a fresh one. With oinkmaster-bleeding.conf we can fix this with a modifysid rule:

```
modifysid 2001219; "\)" | " fwsam: src, 20 minutes;\)" 
```

This will add our plugin call every time this rule is introduced each night. I've used snortsam for nmap scans, formmail.pl calls, etc.. anything that is annoying me at the moment. Every time a change is made, restart snort and snortsam.. and you'll be good to go.

HTH

hanji

----------

## vaguy02

Ran into a slight problem in the beginning with the databases. It says to create one using a zip file that is in the contrib folder, but in version 2.3.3 there isn't a folder named that and I can't seem to find the file in any of the other folders. Did it disappear or get merged in with another file?

----------

## hanj

It's in a new place...

```
/usr/share/doc/snort-2.3.3-r1/schemas
```

snortdb-extra.gz is no longer there.. I think it's rolled into create_mysql.gz

HTH

hanji

----------

## vaguy02

I'm trying to run the "More updates to database" step, which does a whole bunch of ALTER TABLE commands. I'm guessing that you run mysql first to get into the program before you can run these commands, but I keep getting a message saying ERROR 1045: Access denied for user: 'root@localhost' (Using password: NO). Do I have to do something different or somehow do it in the webpage?

----------

## hanj

You need to enter root password for mysql...

You can get into mysql doing the following:

```
mysql -u root -p
```

At this time you should be prompted for password. After entering the password and authenticating.. you'll be 'in' mysql..

```

Welcome to the MySQL monitor.  Commands end with ; or \g.

Your MySQL connection id is 1 to server version: 4.0.24

Type 'help;' or '\h' for help. Type '\c' to clear the buffer.

mysql>
```

From here you can enter your sql statements.. delimited by semi-colons.

Another way is executing the sql file directly...

```
mysql -u root -p < somesqlfile.sql
```

After hitting enter here.. you will be prompted for a password.. and the sql will be executed after authentication.

HTH

hanji

----------

## vaguy02

Sorry I keep asking so many questions, but I'm very new to all of this. I'm still running into a problem.

```
mysql> \s

--------------

mysql  Ver 12.22 Distrib 4.0.24, for pc-linux-gnu (i686)

Connection id:          19

Current database:       snort

Current user:           snort@localhost

SSL:                    Not in use

Current pager:          /usr/bin/less

Using outfile:          ''

Server version:         4.0.24

Protocol version:       10

Connection:             Localhost via UNIX socket

Client characterset:    latin1

Server characterset:    latin1

UNIX socket:            /var/run/mysqld/mysqld.sock

Uptime:                 18 hours 56 min 45 sec

Threads: 9  Questions: 640  Slow queries: 0  Opens: 52  Flush tables: 1  Open tables: 24  Queries per second avg: 0.009

--------------

mysql> ALTER TABLE data TYPE=InnoDB;

ERROR 1044: Access denied for user: 'snort@localhost' to database 'snort'

mysql>

```

----------

## hanj

I would try this.. it looks like snort@localhost doesn't have alter permissions. I'm not sure why you need to do this (all of my tables are MyISAM not InnoDB), but give this a try.

```
mysql -u root -p

now you're running as root in mysql...

mysql>use snort;

mysql>ALTER TABLE data TYPE=InnoDB; 

mysql>quit;
```

HTH

hanji

----------

## vaguy02

Okay, I finished step 1 of your list of tasks, but when I try to start snort at the end of step one it gives me 2 red exclamation marks. dmesg doesn't really tell me much, but this is what it says.

```
Relentless log # dmesg | tail

PROTO=6 127.0.0.1:51472 127.0.0.1:32770 L=52 S=0x00 I=20504 F=0x4000 T=64

ip_local_deliver: bad skb: PRE_ROUTING LOCAL_IN LOCAL_OUT POST_ROUTING

skb: pf=2 (unowned) dev=lo len=52

PROTO=6 127.0.0.1:51472 127.0.0.1:32770 L=52 S=0x00 I=20506 F=0x4000 T=64

ip_local_deliver: bad skb: PRE_ROUTING LOCAL_IN LOCAL_OUT POST_ROUTING

skb: pf=2 (unowned) dev=lo len=52

PROTO=6 127.0.0.1:32770 127.0.0.1:51472 L=52 S=0x00 I=10792 F=0x4000 T=64

ip_local_deliver: bad skb: PRE_ROUTING LOCAL_IN LOCAL_OUT POST_ROUTING

skb: pf=2 (unowned) dev=lo len=52

PROTO=6 127.0.0.1:51472 127.0.0.1:32770 L=52 S=0x00 I=20508 F=0x4000 T=64

Relentless log #

```

Any Ideas or other files you want me to post?

----------

## hanj

Snort is a pain to deal with early on.. what I would like you do is this...

```
/etc/init.d/snort zap

/etc/init.d/snort start

tail -50 /var/log/messages
```

Give me the output from messages

Thanks

hanji

----------

## vaguy02

Here is the info but I use syslog-ng so I don't know if it put the info in a different log.

```
Aug  3 17:20:01 Relentless cron[16611]: (root) CMD (/etc/init.d/apf stop >> /dev/null 2>&1)

Aug  3 17:20:01 Relentless cron[16613]: (root) CMD (test -x /usr/sbin/run-crons && /usr/sbin/run-crons )

Aug  3 17:25:01 Relentless cron[16630]: (root) CMD (/etc/init.d/apf stop >> /dev/null 2>&1)

Aug  3 17:28:09 Relentless syslog-ng[4825]: STATS: dropped 0

Aug  3 17:30:02 Relentless cron[16635]: (root) CMD (/etc/init.d/apf stop >> /dev/null 2>&1)

Aug  3 17:30:02 Relentless cron[16637]: (root) CMD (test -x /usr/sbin/run-crons && /usr/sbin/run-crons )

Aug  3 17:35:01 Relentless cron[16650]: (root) CMD (/etc/init.d/apf stop >> /dev/null 2>&1)

Aug  3 17:38:09 Relentless syslog-ng[4825]: STATS: dropped 0

Aug  3 17:40:01 Relentless cron[16657]: (root) CMD (/etc/init.d/apf stop >> /dev/null 2>&1)

Aug  3 17:40:01 Relentless cron[16659]: (root) CMD (test -x /usr/sbin/run-crons && /usr/sbin/run-crons )

Aug  3 17:45:01 Relentless cron[16861]: (root) CMD (/etc/init.d/apf stop >> /dev/null 2>&1)

Aug  3 17:48:09 Relentless syslog-ng[4825]: STATS: dropped 0

Aug  3 17:50:01 Relentless cron[17181]: (root) CMD (/etc/init.d/apf stop >> /dev/null 2>&1)

Aug  3 17:50:01 Relentless cron[17183]: (root) CMD (test -x /usr/sbin/run-crons && /usr/sbin/run-crons )

Aug  3 17:55:01 Relentless cron[17196]: (root) CMD (/etc/init.d/apf stop >> /dev/null 2>&1)

Aug  3 17:58:09 Relentless syslog-ng[4825]: STATS: dropped 0

Aug  3 18:00:01 Relentless cron[17199]: (root) CMD (/etc/init.d/apf stop >> /dev/null 2>&1)

Aug  3 18:00:01 Relentless cron[17201]: (root) CMD (test -x /usr/sbin/run-crons && /usr/sbin/run-crons )

Aug  3 18:00:01 Relentless cron[17203]: (root) CMD (rm -f /var/spool/cron/lastrun/cron.hourly)

Aug  3 18:05:01 Relentless cron[17216]: (root) CMD (/etc/init.d/apf stop >> /dev/null 2>&1)

Aug  3 18:08:09 Relentless syslog-ng[4825]: STATS: dropped 0

Aug  3 18:10:01 Relentless cron[17219]: (root) CMD (/etc/init.d/apf stop >> /dev/null 2>&1)

Aug  3 18:10:01 Relentless cron[17221]: (root) CMD (test -x /usr/sbin/run-crons && /usr/sbin/run-crons )

Aug  3 18:15:01 Relentless cron[17261]: (root) CMD (/etc/init.d/apf stop >> /dev/null 2>&1)

```

----------

## hanj

hmm.. not sure what all that apf stuff is all about.. it sure is spamming your logs. I would look into it. Okay.. let's be more specific with messages..

```

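# grep reads the file directly; piping it through cat is unnecessary.
grep snort /var/log/messages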
```

Can you give me the output of that. If you don't get anything.. try in auth.log. If it's not in there.. grep for snort...

```
grep -r snort /var/log
```

Thanks

hanji

----------

## vaguy02

```
/var/log/syslog:Aug  3 17:44:30 Relentless snort: FATAL ERROR: OpenPcap() device eth0 open:     bind: Network is down

/var/log/syslog:Aug  3 17:47:56 Relentless snort: FATAL ERROR: OpenPcap() device eth0 open:     bind: Network is down

/var/log/syslog:Aug  3 17:48:01 Relentless rc-scripts: ERROR:  "snort" has not yet been started.

/var/log/syslog:Aug  3 17:48:03 Relentless snort: FATAL ERROR: OpenPcap() device eth0 open:     bind: Network is down

/var/log/syslog:Aug  3 18:15:03 Relentless snort: FATAL ERROR: OpenPcap() device eth0 open:     bind: Network is down

/var/log/debug:Aug  1 22:34:52 Relentless rc-scripts: /sbin/rc-update: /etc/init.d/snortsam not found; aborting.

/var/log/debug:Aug  1 22:43:48 Relentless rc-scripts: You need an /etc/snort/snort.conf to run snort

/var/log/debug:Aug  1 22:43:48 Relentless rc-scripts: There is an example config in /etc/snort/snort.conf.distrib

/var/log/debug:Aug  1 22:58:10 Relentless snort: FATAL ERROR: OpenPcap() device eth0 open:      bind: Network is down

/var/log/debug:Aug  1 23:34:47 Relentless rc-scripts: ERROR:  "snort" has not yet been started.

/var/log/debug:Aug  3 07:33:41 Relentless snort: FATAL ERROR: OpenPcap() device eth0 open:      bind: Network is down

/var/log/debug:Aug  3 17:44:26 Relentless rc-scripts: ERROR:  "snort" has not yet been started.

/var/log/debug:Aug  3 17:44:30 Relentless snort: FATAL ERROR: OpenPcap() device eth0 open:      bind: Network is down

/var/log/debug:Aug  3 17:47:56 Relentless snort: FATAL ERROR: OpenPcap() device eth0 open:      bind: Network is down

/var/log/debug:Aug  3 17:48:01 Relentless rc-scripts: ERROR:  "snort" has not yet been started.

/var/log/debug:Aug  3 17:48:03 Relentless snort: FATAL ERROR: OpenPcap() device eth0 open:      bind: Network is down

/var/log/debug:Aug  3 18:15:03 Relentless snort: FATAL ERROR: OpenPcap() device eth0 open:      bind: Network is down

/var/log/daemon.log:Aug  1 22:34:52 Relentless rc-scripts: /sbin/rc-update: /etc/init.d/snortsam not found; aborting.

/var/log/daemon.log:Aug  1 22:43:48 Relentless rc-scripts: You need an /etc/snort/snort.conf to run snort

/var/log/daemon.log:Aug  1 22:43:48 Relentless rc-scripts: There is an example config in /etc/snort/snort.conf.distrib

/var/log/daemon.log:Aug  1 22:58:10 Relentless snort: FATAL ERROR: OpenPcap() device eth0 open:         bind: Network is down

/var/log/daemon.log:Aug  1 23:34:47 Relentless rc-scripts: ERROR:  "snort" has not yet been started.

/var/log/daemon.log:Aug  3 07:33:41 Relentless snort: FATAL ERROR: OpenPcap() device eth0 open:         bind: Network is down

/var/log/daemon.log:Aug  3 17:44:26 Relentless rc-scripts: ERROR:  "snort" has not yet been started.

/var/log/daemon.log:Aug  3 17:44:30 Relentless snort: FATAL ERROR: OpenPcap() device eth0 open:         bind: Network is down

/var/log/daemon.log:Aug  3 17:47:56 Relentless snort: FATAL ERROR: OpenPcap() device eth0 open:         bind: Network is down

/var/log/daemon.log:Aug  3 17:48:01 Relentless rc-scripts: ERROR:  "snort" has not yet been started.

/var/log/daemon.log:Aug  3 17:48:03 Relentless snort: FATAL ERROR: OpenPcap() device eth0 open:         bind: Network is down

/var/log/daemon.log:Aug  3 18:15:03 Relentless snort: FATAL ERROR: OpenPcap() device eth0 open:         bind: Network is down

```

----------

## hanj

Can you show me what's in your conf.d/snort file?

```
cat /etc/conf.d/snort
```

thanks

hanji

Last edited by hanj on Wed Aug 03, 2005 10:28 pm; edited 2 times in total

----------

## vaguy02

```
Relentless log # cat /etc/conf.d/snort

# Config file for /etc/init.d/snort

# This tell snort which interface to listen on (any for every interface)

IFACE=eth0

# Make sure this matches your IFACE

PIDFILE=/var/run/snort_$IFACE.pid

# You probably don't want to change this, but in case you do

LOGDIR="/var/log/snort"

# Probably not this either

CONF=/etc/snort/snort.conf

# This pulls in the options above

SNORT_OPTS="-D -u snort -i $IFACE -l $LOGDIR -c $CONF"

```

----------

## hanj

Also.. do you have network right now?? Can you get me an output of the following:

```
lsmod

rc-status
```

The error messages seems to point to bad network. You may want to try /etc/init.d/net.eth0 restart.. then restart snort

hanji

----------

## vaguy02

```
Relentless log # lsmod

Module                  Size  Used by

ipt_LOG                 6272  -

ipt_limit               1824  -

iptable_nat            23132  -

iptable_filter          2048  -

iptable_mangle          1984  -

ipt_state               1344  -

ip_tables              20480  -

ip_conntrack_ftp       71696  -

ip_conntrack           49672  -

Relentless log # rc-status

Runlevel: default

 local                                                                                                                                      [ started ]

 netmount                                                                                                                                   [ started ]

 domainname                                                                                                                                 [ started ]

 net.eth1                                                                                                                                   [ started ]

 syslog-ng                                                                                                                                  [ started ]

 vixie-cron                                                                                                                                 [ started ]

 sshd                                                                                                                                       [ started ]

 noip                                                                                                                                       [ started ]

 xinetd                                                                                                                                     [ started ]

 famd                                                                                                                                       [ started ]

 snort                                                                                                                                        [   off ]

 mysql                                                                                                                                      [ started ]

 apache2                                                                                                                                    [ started ]

Relentless log #

```

I have network connectivity and I've been downloading stuff and never had a problem with the network before.

----------

## hanj

well.. it looks like you're using eth1.. not eth0. So you'll need to change /etc/conf.d/snort to use eth1 instead of eth0.

hanji

----------

## hanj

Also.. your mysql is in a stopped state.

```

/etc/init.d/mysql start
```

hanji

----------

## vaguy02

Damn, I feel really dumb. Sorry  :Sad:  Now I'm probably going to feel really dumb again, but I registered for the snort.org site and I have yet to see anything about the 35 bit key you were mentioning.

----------

## hanj

Once you log in to Snort.org.. look at the bottom of the page. There is an area called "Oink Code" with a button 'Generate Code'. Once you click that.. it will create a 32char alphanumeric string.. that is the 'key'.

HTH

hanji

----------

## vaguy02

Okay, I think I'm at stage 4, at least I hope so. Anyway, I've read the code bit you posted about the ssh rules, but I don't know where to put that or how to enter it. Could you give me some more information about this step please?

----------

## hanj

So I just want to make sure we're really at this point.

1. Can you confirm that snort is running?

2. Can you confirm that snort is logging into the database (view BASE)?

3. You've executed oinkmaster.sh and received the latest rules from snort AND bleeding-snort

4. You've restarted snort after bringing in the new rules.

5. You've included the bleeding rules in your /etc/snort.conf

6. You've modified your snort rules to include snortsam

7. You've configured snortsam and it is running

8. You've added modifysid value in oinkmaster-bleeding.conf so your rules won't get overwritten when oinkmaster runs again.

Let me know if all of this is done and you can confirm it.

hanji

----------

## vaguy02

I'm going to run a few different things and post the results, let me know if they sound right and if you want to see any other thing run.

rc-status

```

Runlevel: default

 local                                                               [ started ]

 netmount                                                            [ started ]

 domainname                                                          [ started ]

 net.eth1                                                            [ started ]

 syslog-ng                                                           [ started ]

 vixie-cron                                                          [ started ]

 sshd                                                                [ started ]

 noip                                                                [ started ]

 xinetd                                                              [ started ]

 famd                                                                [ started ]

 snort                                                               [ started ]

 mysql                                                               [ started ]

 apache2                                                             [started ]

```

I can hit the ip address with a webbrowser and I get the base_main.php page to open and it says BASE and has so you can sort all kinds of different IP stuff.

I believe that I have executed oinkmaster. I ran the update and it updated and then said a whole bunch of stuff, took a bit, then dropped back to the command prompt saying it was watching for things sent by snort. Then snort was actually frozen; I couldn't shut down the process, so I rebooted and everything seems to be working. I believe snortsam is running. Is there any way to check all of this or do I just have to take it on a leap of faith?

----------

## hanj

You don't have to reboot if snort is hung... If it dies.. rc still thinks it's running.. so you can do a zap

```
/etc/init.d/snort zap

```

This will return snort to a 'stopped' state.. so you can restart. Sometimes it is really stubborn.. and you'll have to 'kill' it. To do this.. grep the ps list.. and get the pid number.. then kill it..

```
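ps aux | grep snort

# Send SIGTERM first so snort can shut down cleanly (flush logs, close the
# database connection); only fall back to -9 if it is still running after
# that, since SIGKILL cannot be caught and skips any cleanup.
kill xxx
kill -9 xxx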
```

xxx is the pid that you see when you did ps aux | grep snort. Did you add the lines in snort.conf...

```

include $RULE_PATH/bleeding.rules

include $RULE_PATH/bleeding-attack_response.rules

include $RULE_PATH/bleeding-dos.rules

include $RULE_PATH/bleeding-exploit.rules

include $RULE_PATH/bleeding-scan.rules

include $RULE_PATH/bleeding-web.rules
```

Can you give me the output of ps aux | grep snort?

Also.. did you add the plugin piece to SSH rule? So it looks like this:

```
bleeding-scan.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg: "BLEEDING-EDGE Potential SSH Scan"; flags: S; flowbits: set,ssh.brute.attempt; threshold: type threshold, track by_src, count 5, seconds 120; classtype: suspicious-login; sid: 2001219; rev:10;  fwsam: src, 20 minutes;)
```

hanji

----------

## vaguy02

ps aux | grep snort :

```

Relentless ~ # ps aux | grep snort

root      5546  0.0  0.1   2144   784 ?        Ss   21:13   0:00 /usr/bin/snortsam

root      5718  0.0  0.0    252    64 pts/0    R+   21:38   0:00 grep snort

```

snort.conf : 

```
# The following rulesets are disabled by default:

#

#   web-attacks, backdoor, shellcode, policy, porn, info, icmp-info, virus,

#   chat, multimedia, and p2p

#

# These rules are either site policy specific or require tuning in order to not

# generate false positive alerts in most enviornments.

#

# Please read the specific include file for more information and

# README.alert_order for how rule ordering affects how alerts are triggered.

#=========================================

include $RULE_PATH/local.rules

include $RULE_PATH/bad-traffic.rules

include $RULE_PATH/exploit.rules

include $RULE_PATH/scan.rules

include $RULE_PATH/finger.rules

include $RULE_PATH/ftp.rules

include $RULE_PATH/telnet.rules

include $RULE_PATH/rpc.rules

include $RULE_PATH/rservices.rules

include $RULE_PATH/dos.rules

include $RULE_PATH/ddos.rules

include $RULE_PATH/dns.rules

include $RULE_PATH/tftp.rules

include $RULE_PATH/web-cgi.rules

include $RULE_PATH/web-coldfusion.rules

include $RULE_PATH/web-iis.rules

include $RULE_PATH/web-frontpage.rules

include $RULE_PATH/web-misc.rules

include $RULE_PATH/web-client.rules

include $RULE_PATH/web-php.rules

include $RULE_PATH/sql.rules

include $RULE_PATH/x11.rules

include $RULE_PATH/icmp.rules

include $RULE_PATH/netbios.rules

include $RULE_PATH/misc.rules

include $RULE_PATH/attack-responses.rules

include $RULE_PATH/oracle.rules

include $RULE_PATH/mysql.rules

include $RULE_PATH/snmp.rules

include $RULE_PATH/smtp.rules

include $RULE_PATH/imap.rules

include $RULE_PATH/pop2.rules

include $RULE_PATH/pop3.rules

include $RULE_PATH/nntp.rules

include $RULE_PATH/other-ids.rules

# include $RULE_PATH/web-attacks.rules

# include $RULE_PATH/backdoor.rules

# include $RULE_PATH/shellcode.rules

# include $RULE_PATH/policy.rules

# include $RULE_PATH/porn.rules

# include $RULE_PATH/info.rules

# include $RULE_PATH/icmp-info.rules

 include $RULE_PATH/virus.rules

# include $RULE_PATH/chat.rules

# include $RULE_PATH/multimedia.rules

# include $RULE_PATH/p2p.rules

include $RULE_PATH/experimental.rules

include $RULE_PATH/bleeding.rules

include $RULE_PATH/bleeding-attack_response.rules

include $RULE_PATH/bleeding-dos.rules

include $RULE_PATH/bleeding-exploit.rules

include $RULE_PATH/bleeding-scan.rules

include $RULE_PATH/bleeding-web.rules

# Include any thresholding or suppression commands. See threshold.conf in the

# <snort src>/etc directory for details. Commands don't necessarily need to be

# contained in this conf, but a separate conf makes it easier to maintain them.

# Note for Windows users:  You are advised to make this an absolute path,

# such as:  c:\snort\etc\threshold.conf

# Uncomment if needed.

# include threshold.conf

```

This would probably be easier to check if I just gave you access to the box for about an hour or two, but whatever, anything else?

----------

## hanj

Looking at your ps output... snort is NOT running.

```
/etc/init.d/snort zap      # force the init system's record of snort back to 'stopped' so a start is accepted

/etc/init.d/snort start
```

then do the ps aux | grep snort again. If it looks the same.. grep the logs for snort again.. and see what it is complaining about. We're getting close.

hanji

----------

## vaguy02

```
Relentless ~ # /etc/init.d/snort zap

 * Manually resetting snort to stopped state.

Relentless ~ # /etc/init.d/snort start

 * Starting snort ...                                                                                   [ ok ]

Relentless ~ # ps aux | grep snort

root      5546  0.0  0.1   2144   784 ?        Ss   21:13   0:00 /usr/bin/snortsam

root      5823  0.0  0.0   1564   472 pts/0    R+   21:45   0:00 grep snort

```

Okay, looking at the logs....

```
/var/log/daemon.log:Aug  3 21:13:55 Relentless snort:     Sensitivity Level: Low

/var/log/daemon.log:Aug  3 21:13:55 Relentless snort:     Memcap (in bytes): 10000000

/var/log/daemon.log:Aug  3 21:13:55 Relentless snort:     Number of Nodes:   36900

/var/log/daemon.log:Aug  3 21:13:55 Relentless snort:

/var/log/daemon.log:Aug  3 21:13:55 Relentless snort: FATAL ERROR: Undefined variable name: (/etc/snort/exploit.rules:35): SMTP_SERVERS

/var/log/daemon.log:Aug  3 21:45:26 Relentless snort: Initializing daemon mode

/var/log/daemon.log:Aug  3 21:45:26 Relentless snort: PID path stat checked out ok, PID path set to /var/run/

/var/log/daemon.log:Aug  3 21:45:26 Relentless snort: Writing PID "5821" to file "/var/run//snort_eth1.pid"

/var/log/daemon.log:Aug  3 21:45:26 Relentless snort: Parsing Rules file /etc/snort/snort.conf

/var/log/daemon.log:Aug  3 21:45:26 Relentless snort: ,-----------[Flow Config]----------------------

/var/log/daemon.log:Aug  3 21:45:26 Relentless snort: | Stats Interval:  0

/var/log/daemon.log:Aug  3 21:45:26 Relentless snort: | Hash Method:     2

/var/log/daemon.log:Aug  3 21:45:26 Relentless snort: | Memcap:          10485760

/var/log/daemon.log:Aug  3 21:45:26 Relentless snort: | Rows  :          4099

/var/log/daemon.log:Aug  3 21:45:26 Relentless snort: | Overhead Bytes:  16400(%0.16)

/var/log/daemon.log:Aug  3 21:45:26 Relentless snort: `----------------------------------------------

/var/log/daemon.log:Aug  3 21:45:26 Relentless snort: HttpInspect Config:

/var/log/daemon.log:Aug  3 21:45:26 Relentless snort:     GLOBAL CONFIG

/var/log/daemon.log:Aug  3 21:45:26 Relentless snort:       Max Pipeline Requests:    0

/var/log/daemon.log:Aug  3 21:45:26 Relentless snort:       Inspection Type:          STATELESS

/var/log/daemon.log:Aug  3 21:45:26 Relentless snort:       Detect Proxy Usage:       NO

/var/log/daemon.log:Aug  3 21:45:26 Relentless snort:       IIS Unicode Map Filename: /etc/snort/unicode.map

/var/log/daemon.log:Aug  3 21:45:26 Relentless snort:       IIS Unicode Map Codepage: 1252

/var/log/daemon.log:Aug  3 21:45:26 Relentless snort:     DEFAULT SERVER CONFIG:

/var/log/daemon.log:Aug  3 21:45:26 Relentless snort:       Ports: 80 8080 8180

/var/log/daemon.log:Aug  3 21:45:26 Relentless snort:       Flow Depth: 300

/var/log/daemon.log:Aug  3 21:45:26 Relentless snort:       Max Chunk Length: 500000

/var/log/daemon.log:Aug  3 21:45:26 Relentless snort:       Inspect Pipeline Requests: YES

/var/log/daemon.log:Aug  3 21:45:26 Relentless snort:       URI Discovery Strict Mode: NO

/var/log/daemon.log:Aug  3 21:45:26 Relentless snort:       Allow Proxy Usage: NO

/var/log/daemon.log:Aug  3 21:45:26 Relentless snort:       Disable Alerting: NO

/var/log/daemon.log:Aug  3 21:45:26 Relentless snort:       Oversize Dir Length: 500

/var/log/daemon.log:Aug  3 21:45:26 Relentless snort:       Only inspect URI: NO

/var/log/daemon.log:Aug  3 21:45:26 Relentless snort:       Ascii: YES alert: NO

/var/log/daemon.log:Aug  3 21:45:26 Relentless snort:       Double Decoding: YES alert: YES

/var/log/daemon.log:Aug  3 21:45:26 Relentless snort:       %U Encoding: YES alert: YES

/var/log/daemon.log:Aug  3 21:45:26 Relentless snort:       Bare Byte: YES alert: YES

/var/log/daemon.log:Aug  3 21:45:26 Relentless snort:       Base36: OFF

/var/log/daemon.log:Aug  3 21:45:26 Relentless snort:       UTF 8: OFF

/var/log/daemon.log:Aug  3 21:45:26 Relentless snort:       IIS Unicode: YES alert: YES

/var/log/daemon.log:Aug  3 21:45:26 Relentless snort:       Multiple Slash: YES alert: NO

/var/log/daemon.log:Aug  3 21:45:26 Relentless snort:       IIS Backslash: YES alert: NO

/var/log/daemon.log:Aug  3 21:45:26 Relentless snort:       Directory Traversal: YES alert: NO

/var/log/daemon.log:Aug  3 21:45:26 Relentless snort:       Web Root Traversal: YES alert: YES

/var/log/daemon.log:Aug  3 21:45:26 Relentless snort:       Apache WhiteSpace: YES alert: NO

/var/log/daemon.log:Aug  3 21:45:26 Relentless snort:       IIS Delimiter: YES alert: NO

/var/log/daemon.log:Aug  3 21:45:26 Relentless snort:       IIS Unicode Map: GLOBAL IIS UNICODE MAP CONFIG

/var/log/daemon.log:Aug  3 21:45:26 Relentless snort:       Non-RFC Compliant Characters: NONE

/var/log/daemon.log:Aug  3 21:45:26 Relentless snort: rpc_decode arguments:

/var/log/daemon.log:Aug  3 21:45:26 Relentless snort:     Ports to decode RPC on: 111 32771

/var/log/daemon.log:Aug  3 21:45:26 Relentless snort:     alert_fragments: INACTIVE

/var/log/daemon.log:Aug  3 21:45:26 Relentless snort:     alert_large_fragments: ACTIVE

/var/log/daemon.log:Aug  3 21:45:26 Relentless snort:     alert_incomplete: ACTIVE

/var/log/daemon.log:Aug  3 21:45:26 Relentless snort:     alert_multiple_requests: ACTIVE

/var/log/daemon.log:Aug  3 21:45:26 Relentless snort: telnet_decode arguments:

/var/log/daemon.log:Aug  3 21:45:26 Relentless snort:     Ports to decode telnet on: 21 23 25 119

/var/log/daemon.log:Aug  3 21:45:26 Relentless snort: Portscan Detection Config:

/var/log/daemon.log:Aug  3 21:45:26 Relentless snort:     Detect Protocols:  TCP UDP ICMP IP

/var/log/daemon.log:Aug  3 21:45:26 Relentless snort:     Detect Scan Type:  portscan portsweep decoy_portscan distributed_portscan

/var/log/daemon.log:Aug  3 21:45:26 Relentless snort:     Sensitivity Level: Low

/var/log/daemon.log:Aug  3 21:45:26 Relentless snort:     Memcap (in bytes): 10000000

/var/log/daemon.log:Aug  3 21:45:26 Relentless snort:     Number of Nodes:   36900

/var/log/daemon.log:Aug  3 21:45:26 Relentless snort:

/var/log/daemon.log:Aug  3 21:45:26 Relentless snort: FATAL ERROR: Undefined variable name: (/etc/snort/exploit.rules:35): SMTP_SERVERS

/var/log/auth.log:Aug  2 22:29:16 Relentless usermod[29407]: change user `snort' GID from `407' to `407'

/var/log/auth.log:Aug  2 22:29:17 Relentless usermod[29408]: change user `snort' shell from `/bin/false' to `/bin/false'

/var/log/snortsam.log:2005/08/03, 20:44:00, -, 3, snortsam, Error: [/etc/snortsam.conf: 14] Unknown parameter 'notthreads' in config file ignored.

/var/log/snortsam.log:2005/08/03, 20:44:04, -, 1, email, Error: [/etc/snortsam.conf: 15] Invalid EMAIL server 'smtp.aldelpha.com' ignored.

/var/log/snortsam.log:2005/08/03, 20:44:04, -, 1, snortsam, Starting to listen for Snort alerts.

/var/log/snortsam.log:2005/08/03, 21:13:56, -, 3, snortsam, Error: [/etc/snortsam.conf: 14] Unknown parameter 'notthreads' in config file ignored.

/var/log/snortsam.log:2005/08/03, 21:13:56, -, 1, email, Error: [/etc/snortsam.conf: 15] Invalid EMAIL server 'smtp.aldelpha.com' ignored.

/var/log/snortsam.log:2005/08/03, 21:13:56, -, 1, snortsam, Starting to listen for Snort alerts.

```

I think I just fixed the email server one oops  :Wink: 

----------

## hanj

Hello

Logs are your best friend... looks like there are 3 errors going on.. 1 in snort, 2 in snortsam.

This is why snort is dying:

```
/var/log/daemon.log:Aug  3 21:45:26 Relentless snort: FATAL ERROR: Undefined variable name: (/etc/snort/exploit.rules:35): SMTP_SERVERS
```

Looks like you don't have this variable defined in /etc/snort/snort.conf. I would add.. or look for it commented out:

```
var SMTP_SERVERS $HOME_NET
```

snortsam configuration errors look like syntax:

```
/var/log/snortsam.log:2005/08/03, 21:13:56, -, 3, snortsam, Error: [/etc/snortsam.conf: 14] Unknown parameter 'notthreads' in config file ignored.
```

It shouldn't be notthreads.. but nothreads

```
/var/log/snortsam.log:2005/08/03, 21:13:56, -, 1, email, Error: [/etc/snortsam.conf: 15] Invalid EMAIL server 'smtp.aldelpha.com' ignored.
```

I'm guessing that smtp.aldelpha.com is wrong.. I get unknown host. Should it be aldelphia.com??

Make sure you restart snortsam as well.. I think you have to find the pid and kill it.. same example I showed earlier.. just pick the other pid (5546)

hanji

----------

## vaguy02

okay....

```
Relentless ~ # nano /etc/snort/snort.conf

Relentless ~ # nano /etc/snortsam.conf

Relentless ~ # /etc/init.d/snort stop

 * Stopping snort ...

start-stop-daemon: warning: failed to kill 6044: No such process                                        [ !! ]

Relentless ~ # /etc/init.d/snort zap

 * Manually resetting snort to stopped state.

Relentless ~ # kill -9 6044

-bash: kill: (6044) - No such process

Relentless ~ # ps aux | grep snort

root      6116  0.0  0.0   1564   472 pts/0    R+   21:59   0:00 grep snort

Relentless ~ # /etc/init.d/snort start

 * Starting snort ...                                                                                   [ ok ]

Relentless ~ # snortsam

SnortSam, v 2.30.

Copyright (c) 2001-2004 Frank Knobbe <frank@knobbe.us>. All rights reserved.

Plugin 'fwsam': v 2.2, by Frank Knobbe

Plugin 'fwexec': v 2.3, by Frank Knobbe

Plugin 'pix': v 2.7, by Frank Knobbe

Plugin 'ciscoacl': v 2.8, by Ali Basel <alib@sabanciuniv.edu>

Plugin 'cisconullroute': v 2.1, by Frank Knobbe

Plugin 'netscreen': v 2.7, by Frank Knobbe

Plugin 'ipchains': v 2.7, by Hector A. Paterno <apaterno@dsnsecurity.com>

Plugin 'iptables': v 2.6, by Fabrizio Tivano <fabrizio@sad.it>

Plugin 'ebtables': v 2.2, by Bruno Scatolin <ipsystems@uol.com.br>

Plugin 'watchguard': v 2.3, by Thomas Maier <thomas.maier@arcos.de>

Plugin 'email': v 2.7, by Frank Knobbe

Parsing config file /etc/snortsam.conf...

Linking plugin 'fwsam'...

fwsam: Adding firewall module: 127.0.0.1

Linking plugin 'email'...

Checking for existing state file: /var/db/snortsam.state not found, trying /var/log/snortsam.state. Not present.

Starting to listen for Snort alerts.

```

Something is weird about the log file though, because the log file still has all the old data in it for snortsam. It's like it's not overwriting that data

----------

## hanj

Can you give me an output of ps aux | grep snort again.

hanji

----------

## vaguy02

```

Relentless ~ # ps aux | grep snort

root      6171  0.0  0.1   2148   780 ?        Ss   21:59   0:00 snortsam

root      6192  0.0  0.0   1568   476 pts/0    R+   22:04   0:00 grep snort

```

----------

## hanj

blast.. snort is still not running.. hit me with the log from snort again.. I'm sure there is another Fatal in there.

hanji

----------

## vaguy02

```
/var/log/daemon.log:Aug  3 22:06:17 Relentless snort: Initializing daemon mode

/var/log/daemon.log:Aug  3 22:06:17 Relentless snort: PID path stat checked out ok, PID path set to /var/run/

/var/log/daemon.log:Aug  3 22:06:17 Relentless snort: Writing PID "6363" to file "/var/run//snort_eth1.pid"

/var/log/daemon.log:Aug  3 22:06:17 Relentless snort: Parsing Rules file /etc/snort/snort.conf

/var/log/daemon.log:Aug  3 22:06:17 Relentless snort: ,-----------[Flow Config]----------------------

/var/log/daemon.log:Aug  3 22:06:17 Relentless snort: | Stats Interval:  0

/var/log/daemon.log:Aug  3 22:06:17 Relentless snort: | Hash Method:     2

/var/log/daemon.log:Aug  3 22:06:17 Relentless snort: | Memcap:          10485760

/var/log/daemon.log:Aug  3 22:06:17 Relentless snort: | Rows  :          4099

/var/log/daemon.log:Aug  3 22:06:17 Relentless snort: | Overhead Bytes:  16400(%0.16)

/var/log/daemon.log:Aug  3 22:06:17 Relentless snort: `----------------------------------------------

/var/log/daemon.log:Aug  3 22:06:17 Relentless snort: HttpInspect Config:

/var/log/daemon.log:Aug  3 22:06:17 Relentless snort:     GLOBAL CONFIG

/var/log/daemon.log:Aug  3 22:06:17 Relentless snort:       Max Pipeline Requests:    0

/var/log/daemon.log:Aug  3 22:06:17 Relentless snort:       Inspection Type:          STATELESS

/var/log/daemon.log:Aug  3 22:06:17 Relentless snort:       Detect Proxy Usage:       NO

/var/log/daemon.log:Aug  3 22:06:17 Relentless snort:       IIS Unicode Map Filename: /etc/snort/unicode.map

/var/log/daemon.log:Aug  3 22:06:17 Relentless snort:       IIS Unicode Map Codepage: 1252

/var/log/daemon.log:Aug  3 22:06:17 Relentless snort:     DEFAULT SERVER CONFIG:

/var/log/daemon.log:Aug  3 22:06:17 Relentless snort:       Ports: 80 8080 8180

/var/log/daemon.log:Aug  3 22:06:17 Relentless snort:       Flow Depth: 300

/var/log/daemon.log:Aug  3 22:06:17 Relentless snort:       Max Chunk Length: 500000

/var/log/daemon.log:Aug  3 22:06:17 Relentless snort:       Inspect Pipeline Requests: YES

/var/log/daemon.log:Aug  3 22:06:17 Relentless snort:       URI Discovery Strict Mode: NO

/var/log/daemon.log:Aug  3 22:06:17 Relentless snort:       Allow Proxy Usage: NO

/var/log/daemon.log:Aug  3 22:06:17 Relentless snort:       Disable Alerting: NO

/var/log/daemon.log:Aug  3 22:06:17 Relentless snort:       Oversize Dir Length: 500

/var/log/daemon.log:Aug  3 22:06:17 Relentless snort:       Only inspect URI: NO

/var/log/daemon.log:Aug  3 22:06:17 Relentless snort:       Ascii: YES alert: NO

/var/log/daemon.log:Aug  3 22:06:17 Relentless snort:       Double Decoding: YES alert: YES

/var/log/daemon.log:Aug  3 22:06:17 Relentless snort:       %U Encoding: YES alert: YES

/var/log/daemon.log:Aug  3 22:06:17 Relentless snort:       Bare Byte: YES alert: YES

/var/log/daemon.log:Aug  3 22:06:17 Relentless snort:       Base36: OFF

/var/log/daemon.log:Aug  3 22:06:17 Relentless snort:       UTF 8: OFF

/var/log/daemon.log:Aug  3 22:06:17 Relentless snort:       IIS Unicode: YES alert: YES

/var/log/daemon.log:Aug  3 22:06:17 Relentless snort:       Multiple Slash: YES alert: NO

/var/log/daemon.log:Aug  3 22:06:17 Relentless snort:       IIS Backslash: YES alert: NO

/var/log/daemon.log:Aug  3 22:06:17 Relentless snort:       Directory Traversal: YES alert: NO

/var/log/daemon.log:Aug  3 22:06:17 Relentless snort:       Web Root Traversal: YES alert: YES

/var/log/daemon.log:Aug  3 22:06:17 Relentless snort:       Apache WhiteSpace: YES alert: NO

/var/log/daemon.log:Aug  3 22:06:17 Relentless snort:       IIS Delimiter: YES alert: NO

/var/log/daemon.log:Aug  3 22:06:17 Relentless snort:       IIS Unicode Map: GLOBAL IIS UNICODE MAP CONFIG

/var/log/daemon.log:Aug  3 22:06:17 Relentless snort:       Non-RFC Compliant Characters: NONE

/var/log/daemon.log:Aug  3 22:06:17 Relentless snort: rpc_decode arguments:

/var/log/daemon.log:Aug  3 22:06:17 Relentless snort:     Ports to decode RPC on: 111 32771

/var/log/daemon.log:Aug  3 22:06:17 Relentless snort:     alert_fragments: INACTIVE

/var/log/daemon.log:Aug  3 22:06:17 Relentless snort:     alert_large_fragments: ACTIVE

/var/log/daemon.log:Aug  3 22:06:17 Relentless snort:     alert_incomplete: ACTIVE

/var/log/daemon.log:Aug  3 22:06:17 Relentless snort:     alert_multiple_requests: ACTIVE

/var/log/daemon.log:Aug  3 22:06:17 Relentless snort: telnet_decode arguments:

/var/log/daemon.log:Aug  3 22:06:17 Relentless snort:     Ports to decode telnet on: 21 23 25 119

/var/log/daemon.log:Aug  3 22:06:17 Relentless snort: Portscan Detection Config:

/var/log/daemon.log:Aug  3 22:06:17 Relentless snort:     Detect Protocols:  TCP UDP ICMP IP

/var/log/daemon.log:Aug  3 22:06:17 Relentless snort:     Detect Scan Type:  portscan portsweep decoy_portscan distributed_portscan

/var/log/daemon.log:Aug  3 22:06:17 Relentless snort:     Sensitivity Level: Low

/var/log/daemon.log:Aug  3 22:06:17 Relentless snort:     Memcap (in bytes): 10000000

/var/log/daemon.log:Aug  3 22:06:17 Relentless snort:     Number of Nodes:   36900

/var/log/daemon.log:Aug  3 22:06:17 Relentless snort:

/var/log/daemon.log:Aug  3 22:06:17 Relentless snort: Warning: flowbits key 'ssh.brute.attempt' is set but not ever checked.

/var/log/daemon.log:Aug  3 22:06:17 Relentless snort: Warning: flowbits key 'dce.bind.veritas' is set but not ever checked.

/var/log/daemon.log:Aug  3 22:06:17 Relentless snort: Warning: flowbits key 'realplayer.playlist' is checked but not ever set.

/var/log/daemon.log:Aug  3 22:06:17 Relentless snort: Warning: flowbits key 'smb.tree.create.llsrpc' is set but not ever checked.

/var/log/daemon.log:Aug  3 22:06:17 Relentless snort: Warning: flowbits key 'ms_sql_seen_dns' is checked but not ever set.

/var/log/daemon.log:Aug  3 22:06:17 Relentless snort:

/var/log/daemon.log:Aug  3 22:06:17 Relentless snort: +-----------------------[thresholding-config]----------------------------------

/var/log/daemon.log:Aug  3 22:06:17 Relentless snort: | memory-cap : 1048576 bytes

/var/log/daemon.log:Aug  3 22:06:17 Relentless snort: +-----------------------[thresholding-global]----------------------------------

/var/log/daemon.log:Aug  3 22:06:17 Relentless snort: | none

/var/log/daemon.log:Aug  3 22:06:17 Relentless snort: +-----------------------[thresholding-local]-----------------------------------

/var/log/daemon.log:Aug  3 22:06:17 Relentless snort: | gen-id=1      sig-id=2000049    type=Limit     tracking=dst count=1   seconds=60

/var/log/daemon.log:Aug  3 22:06:17 Relentless snort: | gen-id=1      sig-id=2001553    type=Threshold tracking=src count=100 seconds=60

/var/log/daemon.log:Aug  3 22:06:17 Relentless snort: | gen-id=1      sig-id=2001569    type=Both      tracking=src count=200 seconds=60

/var/log/daemon.log:Aug  3 22:06:17 Relentless snort: | gen-id=1      sig-id=3527       type=Limit     tracking=dst count=5   seconds=60

/var/log/daemon.log:Aug  3 22:06:17 Relentless snort: | gen-id=1      sig-id=2923       type=Threshold tracking=dst count=10  seconds=60

/var/log/daemon.log:Aug  3 22:06:17 Relentless snort: | gen-id=1      sig-id=2000005    type=Limit     tracking=src count=1   seconds=120

/var/log/daemon.log:Aug  3 22:06:17 Relentless snort: | gen-id=1      sig-id=3152       type=Threshold tracking=src count=5   seconds=2

/var/log/daemon.log:Aug  3 22:06:17 Relentless snort: | gen-id=1      sig-id=3542       type=Threshold tracking=src count=5   seconds=2

/var/log/daemon.log:Aug  3 22:06:17 Relentless snort: | gen-id=1      sig-id=2001795    type=Limit     tracking=src count=300 seconds=60

/var/log/daemon.log:Aug  3 22:06:17 Relentless snort: | gen-id=1      sig-id=2001846    type=Threshold tracking=dst count=30  seconds=300

/var/log/daemon.log:Aug  3 22:06:17 Relentless snort: | gen-id=1      sig-id=2001219    type=Threshold tracking=src count=5   seconds=120

/var/log/daemon.log:Aug  3 22:06:17 Relentless snort: | gen-id=1      sig-id=3273       type=Threshold tracking=src count=5   seconds=2

/var/log/daemon.log:Aug  3 22:06:17 Relentless snort: | gen-id=1      sig-id=2000048    type=Limit     tracking=dst count=1   seconds=60

/var/log/daemon.log:Aug  3 22:06:17 Relentless snort: | gen-id=1      sig-id=2275       type=Threshold tracking=dst count=5   seconds=60

/var/log/daemon.log:Aug  3 22:06:17 Relentless snort: | gen-id=1      sig-id=3543       type=Threshold tracking=src count=5   seconds=2

/var/log/daemon.log:Aug  3 22:06:17 Relentless snort: | gen-id=1      sig-id=2001873    type=Limit     tracking=src count=1   seconds=60

/var/log/daemon.log:Aug  3 22:06:17 Relentless snort: | gen-id=1      sig-id=2924       type=Threshold tracking=dst count=10  seconds=60

/var/log/daemon.log:Aug  3 22:06:17 Relentless snort: | gen-id=1      sig-id=2001904    type=Both      tracking=src count=30  seconds=60

/var/log/daemon.log:Aug  3 22:06:17 Relentless snort: | gen-id=1      sig-id=2001906    type=Both      tracking=src count=5   seconds=60

/var/log/daemon.log:Aug  3 22:06:17 Relentless snort: | gen-id=1      sig-id=2001583    type=Both      tracking=src count=200 seconds=60

/var/log/daemon.log:Aug  3 22:06:17 Relentless snort: | gen-id=1      sig-id=2001579    type=Both      tracking=src count=200 seconds=60

/var/log/daemon.log:Aug  3 22:06:17 Relentless snort: | gen-id=1      sig-id=2001582    type=Both      tracking=src count=200 seconds=60

/var/log/daemon.log:Aug  3 22:06:17 Relentless snort: | gen-id=1      sig-id=2001581    type=Both      tracking=src count=200 seconds=60

/var/log/daemon.log:Aug  3 22:06:17 Relentless snort: | gen-id=1      sig-id=2001580    type=Both      tracking=src count=200 seconds=60

/var/log/daemon.log:Aug  3 22:06:17 Relentless snort: | gen-id=1      sig-id=2001972    type=Both      tracking=src count=30  seconds=60

/var/log/daemon.log:Aug  3 22:06:17 Relentless snort: | gen-id=1      sig-id=2494       type=Both      tracking=dst count=20  seconds=60

/var/log/daemon.log:Aug  3 22:06:17 Relentless snort: | gen-id=1      sig-id=2000031    type=Limit     tracking=dst count=1   seconds=60

/var/log/daemon.log:Aug  3 22:06:17 Relentless snort: | gen-id=1      sig-id=2496       type=Both      tracking=dst count=20  seconds=60

/var/log/daemon.log:Aug  3 22:06:17 Relentless snort: | gen-id=1      sig-id=2495       type=Both      tracking=dst count=20  seconds=60

/var/log/daemon.log:Aug  3 22:06:17 Relentless snort: | gen-id=1      sig-id=2523       type=Both      tracking=dst count=10  seconds=10

/var/log/daemon.log:Aug  3 22:06:17 Relentless snort: +-----------------------[suppression]------------------------------------------

/var/log/daemon.log:Aug  3 22:06:17 Relentless snort: | none

/var/log/daemon.log:Aug  3 22:06:17 Relentless snort: +------------------------------------------------------------------------------

/var/log/daemon.log:Aug  3 22:06:17 Relentless snort: Rule application order: ->activation->dynamic->alert->pass->log

/var/log/daemon.log:Aug  3 22:06:17 Relentless snort: Log directory = /var/log/snort

/var/log/daemon.log:Aug  3 22:06:17 Relentless snort: FATAL ERROR: OpenAlertFile() => fopen() alert file /var/log/snort/alert: Permission denied

/var/log/auth.log:Aug  2 22:29:16 Relentless usermod[29407]: change user `snort' GID from `407' to `407'

/var/log/auth.log:Aug  2 22:29:17 Relentless usermod[29408]: change user `snort' shell from `/bin/false' to `/bin/false'

/var/log/snortsam.log:2005/08/03, 22:06:21, -, 1, snortsam, Starting to listen for Snort alerts.

```

----------

## hanj

```
/var/log/daemon.log:Aug  3 22:06:17 Relentless snort: FATAL ERROR: OpenAlertFile() => fopen() alert file /var/log/snort/alert: Permission denied 
```

Can you do:

```
ls -al /var/log | grep snort   # show owner, group and mode of the snort log directory and snortsam.log
```

Thanks

hanji

----------

## vaguy02

```
Relentless ~ # ls -al /var/log | grep snort

drwxrwx---   2 root    root      4096 Aug  1 22:21 snort

-rw-r--r--   1 root    root      1232 Aug  3 22:06 snortsam.log

```

----------

## hanj

Okay.. permissions aren't correct there... the directory is owned by root with no access for other users, but snort runs as its own unprivileged 'snort' user, so it can't open the alert file.

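```
# Snort runs as the unprivileged 'snort' user, so hand it the log directory
# (-R placed before the operand: the option-after-operand form is GNU-only).
# Ownership changes only; the directory's existing mode is left as is.
chown -R snort:snort /var/log/snort

/etc/init.d/snort zap       # reset the init system's stale 'started' record

/etc/init.d/snort restart

```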

show me the output of ps aux | grep snort

thanks

hanji

----------

## vaguy02

```
Relentless ~ # chown snort:snort /var/log/snort -R

Relentless ~ # /etc/init.d/snort zap

 * Manually resetting snort to stopped state.

Relentless ~ # ps aux | grep snort

root      6365  0.0  0.1   2144   776 ?        Ss   22:06   0:00 snortsam

root      6417  0.0  0.0   1564   472 pts/0    R+   22:12   0:00 grep snort

Relentless ~ # kill -9 6365

Relentless ~ # /etc/init.d/snort start

 * Starting snort ...                                                                                                                   [ ok ]

Relentless ~ # snortsam

SnortSam, v 2.30.

Copyright (c) 2001-2004 Frank Knobbe <frank@knobbe.us>. All rights reserved.

Plugin 'fwsam': v 2.2, by Frank Knobbe

Plugin 'fwexec': v 2.3, by Frank Knobbe

Plugin 'pix': v 2.7, by Frank Knobbe

Plugin 'ciscoacl': v 2.8, by Ali Basel <alib@sabanciuniv.edu>

Plugin 'cisconullroute': v 2.1, by Frank Knobbe

Plugin 'netscreen': v 2.7, by Frank Knobbe

Plugin 'ipchains': v 2.7, by Hector A. Paterno <apaterno@dsnsecurity.com>

Plugin 'iptables': v 2.6, by Fabrizio Tivano <fabrizio@sad.it>

Plugin 'ebtables': v 2.2, by Bruno Scatolin <ipsystems@uol.com.br>

Plugin 'watchguard': v 2.3, by Thomas Maier <thomas.maier@arcos.de>

Plugin 'email': v 2.7, by Frank Knobbe

Parsing config file /etc/snortsam.conf...

Linking plugin 'fwsam'...

fwsam: Adding firewall module: 127.0.0.1

Linking plugin 'email'...

Checking for existing state file: Present. Reading state.

Starting to listen for Snort alerts.

Relentless ~ # ps aux | grep snort

snort     6470  5.2  5.9  50252 45220 ?        Ss   22:13   0:00 /usr/bin/snort -D -u snort -i eth1 -l /var/log/snort -c /etc/snort/snort.conf

root      6472  0.0  0.1   2148   780 ?        Ss   22:13   0:00 snortsam

root      6474  0.0  0.0   1564   472 pts/0    R+   22:13   0:00 grep snort

```

----------

## hanj

Now we're cookin' with gas... snort AND snortsam are running.

awesome

hanji

----------

## vaguy02

I didn't know where to put the ssh rule you gave me though.

----------

## hanj

Edit the following rule: /etc/snort/bleeding-scan.rules

find this line:

```
bleeding-scan.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg: "BLEEDING-EDGE Potential SSH Scan"; flags: S; flowbits: set,ssh.brute.attempt; threshold: type threshold, 

track by_src, count 5, seconds 120; classtype: suspicious-login; sid: 2001219; rev:10; )
```

change it to:

```
bleeding-scan.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg: "BLEEDING-EDGE Potential SSH Scan"; flags: S; flowbits: set,ssh.brute.attempt; threshold: type threshold, track by_src, count 5, seconds 120; classtype: suspicious-login; sid: 2001219; rev:10;  fwsam: src, 20 minutes;)
```

so you're adding fwsam: src, 20 minutes;) at the end

bleeding-scan.rules should be included in /etc/snort/snort.conf. Once you make that change.. restart snort.. make sure you check the ps to verify it's running.

hanji

Last edited by hanj on Thu Aug 04, 2005 2:20 am; edited 1 time in total

----------

## vaguy02

Do I have to restart snortsam too or just snort?

----------

## hanj

just snort

----------

## hanj

Now you need to add this 'modification' to oinkmaster.. so it knows to change this rule when you get the new rules tonight..

edit 

```
/etc/oinkmaster-bleeding.conf
```

add this line.. towards the bottom.. there should be some modifysid examples commented out:

```
modifysid 2001219; "\)" | " fwsam: src, 20 minutes;\)"
```

----------

## vaguy02

Hold on, I added the rule, and now I get a !! when I start it. ::curses at computer:: 

I don't see anything in the log file either.

```
/var/log/daemon.log:Aug  3 22:13:17 Relentless snort: Initializing daemon mode

/var/log/daemon.log:Aug  3 22:13:17 Relentless snort: PID path stat checked out ok, PID path set to /var/run/

/var/log/daemon.log:Aug  3 22:13:17 Relentless snort: Writing PID "6470" to file "/var/run//snort_eth1.pid"

/var/log/daemon.log:Aug  3 22:13:17 Relentless snort: Parsing Rules file /etc/snort/snort.conf

/var/log/daemon.log:Aug  3 22:13:17 Relentless snort: ,-----------[Flow Config]----------------------

/var/log/daemon.log:Aug  3 22:13:17 Relentless snort: | Stats Interval:  0

/var/log/daemon.log:Aug  3 22:13:17 Relentless snort: | Hash Method:     2

/var/log/daemon.log:Aug  3 22:13:17 Relentless snort: | Memcap:          10485760

/var/log/daemon.log:Aug  3 22:13:17 Relentless snort: | Rows  :          4099

/var/log/daemon.log:Aug  3 22:13:17 Relentless snort: | Overhead Bytes:  16400(%0.16)

/var/log/daemon.log:Aug  3 22:13:17 Relentless snort: `----------------------------------------------

/var/log/daemon.log:Aug  3 22:13:17 Relentless snort: HttpInspect Config:

/var/log/daemon.log:Aug  3 22:13:17 Relentless snort:     GLOBAL CONFIG

/var/log/daemon.log:Aug  3 22:13:17 Relentless snort:       Max Pipeline Requests:    0

/var/log/daemon.log:Aug  3 22:13:17 Relentless snort:       Inspection Type:          STATELESS

/var/log/daemon.log:Aug  3 22:13:17 Relentless snort:       Detect Proxy Usage:       NO

/var/log/daemon.log:Aug  3 22:13:17 Relentless snort:       IIS Unicode Map Filename: /etc/snort/unicode.map

/var/log/daemon.log:Aug  3 22:13:17 Relentless snort:       IIS Unicode Map Codepage: 1252

/var/log/daemon.log:Aug  3 22:13:17 Relentless snort:     DEFAULT SERVER CONFIG:

/var/log/daemon.log:Aug  3 22:13:17 Relentless snort:       Ports: 80 8080 8180

/var/log/daemon.log:Aug  3 22:13:17 Relentless snort:       Flow Depth: 300

/var/log/daemon.log:Aug  3 22:13:17 Relentless snort:       Max Chunk Length: 500000

/var/log/daemon.log:Aug  3 22:13:17 Relentless snort:       Inspect Pipeline Requests: YES

/var/log/daemon.log:Aug  3 22:13:17 Relentless snort:       URI Discovery Strict Mode: NO

/var/log/daemon.log:Aug  3 22:13:17 Relentless snort:       Allow Proxy Usage: NO

/var/log/daemon.log:Aug  3 22:13:17 Relentless snort:       Disable Alerting: NO

/var/log/daemon.log:Aug  3 22:13:17 Relentless snort:       Oversize Dir Length: 500

/var/log/daemon.log:Aug  3 22:13:17 Relentless snort:       Only inspect URI: NO

/var/log/daemon.log:Aug  3 22:13:17 Relentless snort:       Ascii: YES alert: NO

/var/log/daemon.log:Aug  3 22:13:17 Relentless snort:       Double Decoding: YES alert: YES

/var/log/daemon.log:Aug  3 22:13:17 Relentless snort:       %U Encoding: YES alert: YES

/var/log/daemon.log:Aug  3 22:13:17 Relentless snort:       Bare Byte: YES alert: YES

/var/log/daemon.log:Aug  3 22:13:17 Relentless snort:       Base36: OFF

/var/log/daemon.log:Aug  3 22:13:17 Relentless snort:       UTF 8: OFF

/var/log/daemon.log:Aug  3 22:13:17 Relentless snort:       IIS Unicode: YES alert: YES

/var/log/daemon.log:Aug  3 22:13:17 Relentless snort:       Multiple Slash: YES alert: NO

/var/log/daemon.log:Aug  3 22:13:17 Relentless snort:       IIS Backslash: YES alert: NO

/var/log/daemon.log:Aug  3 22:13:17 Relentless snort:       Directory Traversal: YES alert: NO

/var/log/daemon.log:Aug  3 22:13:17 Relentless snort:       Web Root Traversal: YES alert: YES

/var/log/daemon.log:Aug  3 22:13:17 Relentless snort:       Apache WhiteSpace: YES alert: NO

/var/log/daemon.log:Aug  3 22:13:17 Relentless snort:       IIS Delimiter: YES alert: NO

/var/log/daemon.log:Aug  3 22:13:17 Relentless snort:       IIS Unicode Map: GLOBAL IIS UNICODE MAP CONFIG

/var/log/daemon.log:Aug  3 22:13:17 Relentless snort:       Non-RFC Compliant Characters: NONE

/var/log/daemon.log:Aug  3 22:13:17 Relentless snort: rpc_decode arguments:

/var/log/daemon.log:Aug  3 22:13:17 Relentless snort:     Ports to decode RPC on: 111 32771

/var/log/daemon.log:Aug  3 22:13:17 Relentless snort:     alert_fragments: INACTIVE

/var/log/daemon.log:Aug  3 22:13:17 Relentless snort:     alert_large_fragments: ACTIVE

/var/log/daemon.log:Aug  3 22:13:17 Relentless snort:     alert_incomplete: ACTIVE

/var/log/daemon.log:Aug  3 22:13:17 Relentless snort:     alert_multiple_requests: ACTIVE

/var/log/daemon.log:Aug  3 22:13:17 Relentless snort: telnet_decode arguments:

/var/log/daemon.log:Aug  3 22:13:17 Relentless snort:     Ports to decode telnet on: 21 23 25 119

/var/log/daemon.log:Aug  3 22:13:17 Relentless snort: Portscan Detection Config:

/var/log/daemon.log:Aug  3 22:13:17 Relentless snort:     Detect Protocols:  TCP UDP ICMP IP

/var/log/daemon.log:Aug  3 22:13:17 Relentless snort:     Detect Scan Type:  portscan portsweep decoy_portscan distributed_portscan

/var/log/daemon.log:Aug  3 22:13:17 Relentless snort:     Sensitivity Level: Low

/var/log/daemon.log:Aug  3 22:13:17 Relentless snort:     Memcap (in bytes): 10000000

/var/log/daemon.log:Aug  3 22:13:17 Relentless snort:     Number of Nodes:   36900

/var/log/daemon.log:Aug  3 22:13:17 Relentless snort:

/var/log/daemon.log:Aug  3 22:13:17 Relentless snort: Warning: flowbits key 'ms_sql_seen_dns' is checked but not ever set.

/var/log/daemon.log:Aug  3 22:13:17 Relentless snort: Warning: flowbits key 'realplayer.playlist' is checked but not ever set.

/var/log/daemon.log:Aug  3 22:13:17 Relentless snort: Warning: flowbits key 'smb.tree.create.llsrpc' is set but not ever checked.

/var/log/daemon.log:Aug  3 22:13:17 Relentless snort: Warning: flowbits key 'ssh.brute.attempt' is set but not ever checked.

/var/log/daemon.log:Aug  3 22:13:17 Relentless snort: Warning: flowbits key 'dce.bind.veritas' is set but not ever checked.

/var/log/daemon.log:Aug  3 22:13:17 Relentless snort:

/var/log/daemon.log:Aug  3 22:13:17 Relentless snort: +-----------------------[thresholding-config]----------------------------------

/var/log/daemon.log:Aug  3 22:13:17 Relentless snort: | memory-cap : 1048576 bytes

/var/log/daemon.log:Aug  3 22:13:17 Relentless snort: +-----------------------[thresholding-global]----------------------------------

/var/log/daemon.log:Aug  3 22:13:17 Relentless snort: | none

/var/log/daemon.log:Aug  3 22:13:17 Relentless snort: +-----------------------[thresholding-local]-----------------------------------

/var/log/daemon.log:Aug  3 22:13:17 Relentless snort: | gen-id=1      sig-id=2001846    type=Threshold tracking=dst count=30  seconds=300

/var/log/daemon.log:Aug  3 22:13:17 Relentless snort: | gen-id=1      sig-id=2496       type=Both      tracking=dst count=20  seconds=60

/var/log/daemon.log:Aug  3 22:13:17 Relentless snort: | gen-id=1      sig-id=2001219    type=Threshold tracking=src count=5   seconds=120

/var/log/daemon.log:Aug  3 22:13:17 Relentless snort: | gen-id=1      sig-id=2001579    type=Both      tracking=src count=200 seconds=60

/var/log/daemon.log:Aug  3 22:13:17 Relentless snort: | gen-id=1      sig-id=2000049    type=Limit     tracking=dst count=1   seconds=60

/var/log/daemon.log:Aug  3 22:13:17 Relentless snort: | gen-id=1      sig-id=2924       type=Threshold tracking=dst count=10  seconds=60

/var/log/daemon.log:Aug  3 22:13:17 Relentless snort: | gen-id=1      sig-id=2001582    type=Both      tracking=src count=200 seconds=60

/var/log/daemon.log:Aug  3 22:13:17 Relentless snort: | gen-id=1      sig-id=2001906    type=Both      tracking=src count=5   seconds=60

/var/log/daemon.log:Aug  3 22:13:17 Relentless snort: | gen-id=1      sig-id=2523       type=Both      tracking=dst count=10  seconds=10

/var/log/daemon.log:Aug  3 22:13:17 Relentless snort: | gen-id=1      sig-id=2001873    type=Limit     tracking=src count=1   seconds=60

/var/log/daemon.log:Aug  3 22:13:17 Relentless snort: | gen-id=1      sig-id=3273       type=Threshold tracking=src count=5   seconds=2

/var/log/daemon.log:Aug  3 22:13:17 Relentless snort: | gen-id=1      sig-id=2275       type=Threshold tracking=dst count=5   seconds=60

/var/log/daemon.log:Aug  3 22:13:17 Relentless snort: | gen-id=1      sig-id=2494       type=Both      tracking=dst count=20  seconds=60

/var/log/daemon.log:Aug  3 22:13:17 Relentless snort: | gen-id=1      sig-id=3542       type=Threshold tracking=src count=5   seconds=2

/var/log/daemon.log:Aug  3 22:13:17 Relentless snort: | gen-id=1      sig-id=2001581    type=Both      tracking=src count=200 seconds=60

/var/log/daemon.log:Aug  3 22:13:17 Relentless snort: | gen-id=1      sig-id=2001569    type=Both      tracking=src count=200 seconds=60

/var/log/daemon.log:Aug  3 22:13:17 Relentless snort: | gen-id=1      sig-id=2000005    type=Limit     tracking=src count=1   seconds=120

/var/log/daemon.log:Aug  3 22:13:17 Relentless snort: | gen-id=1      sig-id=3527       type=Limit     tracking=dst count=5   seconds=60

/var/log/daemon.log:Aug  3 22:13:17 Relentless snort: | gen-id=1      sig-id=3543       type=Threshold tracking=src count=5   seconds=2

/var/log/daemon.log:Aug  3 22:13:17 Relentless snort: | gen-id=1      sig-id=2001553    type=Threshold tracking=src count=100 seconds=60

/var/log/daemon.log:Aug  3 22:13:17 Relentless snort: | gen-id=1      sig-id=2001904    type=Both      tracking=src count=30  seconds=60

/var/log/daemon.log:Aug  3 22:13:17 Relentless snort: | gen-id=1      sig-id=2923       type=Threshold tracking=dst count=10  seconds=60

/var/log/daemon.log:Aug  3 22:13:17 Relentless snort: | gen-id=1      sig-id=2001972    type=Both      tracking=src count=30  seconds=60

/var/log/daemon.log:Aug  3 22:13:17 Relentless snort: | gen-id=1      sig-id=2001795    type=Limit     tracking=src count=300 seconds=60

/var/log/daemon.log:Aug  3 22:13:17 Relentless snort: | gen-id=1      sig-id=2001583    type=Both      tracking=src count=200 seconds=60

/var/log/daemon.log:Aug  3 22:13:17 Relentless snort: | gen-id=1      sig-id=3152       type=Threshold tracking=src count=5   seconds=2

/var/log/daemon.log:Aug  3 22:13:17 Relentless snort: | gen-id=1      sig-id=2000048    type=Limit     tracking=dst count=1   seconds=60

/var/log/daemon.log:Aug  3 22:13:17 Relentless snort: | gen-id=1      sig-id=2495       type=Both      tracking=dst count=20  seconds=60

/var/log/daemon.log:Aug  3 22:13:17 Relentless snort: | gen-id=1      sig-id=2001580    type=Both      tracking=src count=200 seconds=60

/var/log/daemon.log:Aug  3 22:13:17 Relentless snort: | gen-id=1      sig-id=2000031    type=Limit     tracking=dst count=1   seconds=60

/var/log/daemon.log:Aug  3 22:13:17 Relentless snort: +-----------------------[suppression]------------------------------------------

/var/log/daemon.log:Aug  3 22:13:17 Relentless snort: | none

/var/log/daemon.log:Aug  3 22:13:17 Relentless snort: +------------------------------------------------------------------------------

/var/log/daemon.log:Aug  3 22:13:17 Relentless snort: Rule application order: ->activation->dynamic->alert->pass->log

/var/log/daemon.log:Aug  3 22:13:17 Relentless snort: Log directory = /var/log/snort

/var/log/daemon.log:Aug  3 22:13:18 Relentless snort: Snort initialization completed successfully (pid=6470)

/var/log/auth.log:Aug  2 22:29:16 Relentless usermod[29407]: change user `snort' GID from `407' to `407'

/var/log/auth.log:Aug  2 22:29:17 Relentless usermod[29408]: change user `snort' shell from `/bin/false' to `/bin/false'

/var/log/snortsam.log:2005/08/03, 22:13:21, -, 1, snortsam, Starting to listen for Snort alerts.

```

----------

## hanj

the process may not have died when you restarted it.

Just do the zap.. then start.. then ps. I also private message'd you.

hanji

----------

## vaguy02

```
Relentless snort # /etc/init.d/snort zap

Relentless snort # /etc/init.d/snort start

 * Starting snort ...                                                                                                                   [ !! ]

```

 :Crying or Very sad: 

```
Relentless snort # ps aux | grep snort

snort     6470  0.1  5.9  50252 45220 ?        Ss   22:13   0:01 /usr/bin/snort -D -u snort -i eth1 -l /var/log/snort -c /etc/snort/snort.conf

root      6472  0.0  0.1   2148   780 ?        Ss   22:13   0:00 snortsam

root      6684  0.0  0.0   1432   316 pts/0    R+   22:34   0:00 grep snort

```

----------

## hanj

hmm.. we're just not killing it right..

do this...

```
/etc/init.d/snort stop

ps aux | grep snort
```

Repeat this until you see snort go away. If that doesn't do it..

```
/etc/init.d/snort zap

ps aux | grep snort
```

If you still see snort.. and rc-status shows snort 'stopped', then kill it with a -9 (use the actual snort pid)

```
kill -9 snortpid

ps aux | grep snort
```

make sure you don't see it running.. then

```
/etc/init.d/snort start
```

Like I said.. snort can be a pain for this.. normally, you won't have to go through this. But we're starting and stopping all over the place.

hanji

----------

## vaguy02

Okay, I actually had to manually kill both processes before they would go away, but they finally went away. I restarted and I'm good to go. Hit me  :Wink: 

----------

## hanj

Five tries later.. I'm getting connection refused. Looks like you're a snort/snortsam badass now. Now you'll need to tweak the rules.. so they're doing what you want. I would recommend joining the mailing lists.. especially for bleeding. Bleeding means UNSTABLE.. so it can mess your snort up.. so it's good to stay on top of what's going on.

http://lists.bleedingsnort.com/mailman/listinfo/bleeding-sigs/

Also the snortsam list is worth joining as well:

http://www.snortsam.net/maillist.html

hanji

----------

## vaguy02

I didn't get an email and I didn't see anything in the web-based interface. Nothing was written to the alert file either.... I mean it's not a big deal for me as long as it works, but I would kinda like those tools to keep track of what's going on. Any ideas? Sorry to be a bother.

----------

## hanj

You should definitely be seeing stuff in /var/log/snortsam.log like this...

```
2005/08/03, 18:09:16, -, 3, iptables, Info: Command /sbin/iptables -D FORWARD -i eth0  -s xxx.xxx.xx.xx -j DROP Executed Successfully

2005/08/03, 18:09:16, -, 3, iptables, Info: Command2 /sbin/iptables -D INPUT -i eth0  -s xxx.xx.xxx.xx -j DROP Executed Successfully
```

You won't see anything in /var/log/messages.. (i.e. from iptables) since there is no -j LOG piece in the plugin.. it just jumps straight to DROP.

I'm able to connect again.. did you restart snort/snortsam? Is it running now?

I'll take a look at snortsam configuration.

hanji

----------

## hanj

Can you show me what's in your /etc/snortsam.conf? You may want to leave out your email addy.

Thanks

hanji

----------

## vaguy02

```
Relentless snort # cat /etc/snortsam.conf

defaultkey 'key'

accept localhost

keyinterval 30 minutes

dontblock 192.168.0.200

dontblock 192.168.0.1

dontblock 192.168.0.108

rollbackhosts 50

rollbackthreshold 20 / 30 secs

rollbacksleeptime 1 minute

logfile /var/log/snortsam.log

loglevel 3

daemon

fwsam localhost

nothreads

email 'email stuff'

```


----------

## hanj

what version of snortsam are you running?

----------

## vaguy02

Snortsam v. 2.30

----------

## hanj

Can you show me your ps output again. Snortsam.conf looks good.

hanji

----------

## vaguy02

do you mean ps aux output?

```

Relentless etc # ps aux | grep snort

root      6804  0.0  0.1   2148   780 ?        Ss   22:39   0:00 snortsam

root      7012  0.0  0.0   1568   476 pts/0    R+   23:09   0:00 grep snort

```

Okay, I didn't kill it. ::holds hands up like didn't do it::

----------

## hanj

Man.. snort died again. Can you check whether there are any logs on the problem.. then kill both processes again. Then we'll test again. No wonder I'm able to connect again.

hanji

----------

## vaguy02

```
/var/log/daemon.log:Aug  3 23:11:56 Relentless snort: FATAL ERROR: Warning: /etc/snort/bleeding-scan.rules(72) => Unknown keyword '  fwsam' in  rule!

```

That's our problem I think.

(hehe, I'm going to get you to level 4 by the time this is done. Sorry)

----------

## hanj

Okay... I forgot one crucial step... add this to your /etc/snort/snort.conf

Add it below your output database piece:

```
output alert_fwsam: localhost:898/yourkey
```

Obviously, replace 'yourkey' with your real default key in snortsam.conf. Then kill the processes and restart.

hanji

----------

## vaguy02

Okay, I added that, but I still don't think we are done with that issue. 

```
/var/log/daemon.log:Aug  3 23:19:03 Relentless snort: FATAL ERROR: unknown output plugin: 'alert_fwsam'

```

----------

## hanj

Bummer!!!! You need to build snort with snortsam...

Add this to /etc/portage/package.use

```
net-analyzer/snort mysql snortsam ssl
```

Now you'll need to re-emerge it.. sorry.

```
emerge -vp snort
```

it should have your USE flags now:

```
[ebuild   R   ] net-analyzer/snort-2.3.2  -flexresp -inline +mysql -odbc -postgres -prelude (-selinux) -sguil +snortsam +ssl
```

hanji

----------

## vaguy02

Do I have to redo all the settings from the beginning again?  :Crying or Very sad: 

```
Relentless etc # emerge -vp snort

These are the packages that I would merge, in order:

Calculating dependencies ...done!

[ebuild     UD] net-analyzer/snort-2.3.2 [2.3.3-r1] -flexresp -inline +mysql -odbc -postgres -prelude (-selinux) -sguil +snortsam* +ssl 28 kB

Total size of downloads: 28 kB

```

----------

## hanj

No.. just make sure you don't clobber your /etc/snort/snort.conf.. you might want to run oinkmaster.sh after you re-emerge snort. Everything else is the same.. you just need to re-compile snort.

hanji

----------

## vaguy02

How do I make sure I don't clobber it? I'm just very scared to emerge it again and lose everything.

----------

## vaguy02

Okay back in business now

```
Relentless etc # ps aux | grep snort

root     12900  0.0  0.0   1568   476 pts/0    R+   23:46   0:00 grep snort

Relentless etc # /etc/init.d/snort start

 * Caching service dependencies ...                                                                                                                    [ ok ]

 * Starting snort ...                                                                                                                                  [ ok ]

Relentless etc # snortsam

SnortSam, v 2.30.

Copyright (c) 2001-2004 Frank Knobbe <frank@knobbe.us>. All rights reserved.

Plugin 'fwsam': v 2.2, by Frank Knobbe

Plugin 'fwexec': v 2.3, by Frank Knobbe

Plugin 'pix': v 2.7, by Frank Knobbe

Plugin 'ciscoacl': v 2.8, by Ali Basel <alib@sabanciuniv.edu>

Plugin 'cisconullroute': v 2.1, by Frank Knobbe

Plugin 'netscreen': v 2.7, by Frank Knobbe

Plugin 'ipchains': v 2.7, by Hector A. Paterno <apaterno@dsnsecurity.com>

Plugin 'iptables': v 2.6, by Fabrizio Tivano <fabrizio@sad.it>

Plugin 'ebtables': v 2.2, by Bruno Scatolin <ipsystems@uol.com.br>

Plugin 'watchguard': v 2.3, by Thomas Maier <thomas.maier@arcos.de>

Plugin 'email': v 2.7, by Frank Knobbe

Parsing config file /etc/snortsam.conf...

Linking plugin 'fwsam'...

fwsam: Adding firewall module: 127.0.0.1

Linking plugin 'email'...

Checking for existing state file: Present. Reading state.

Starting to listen for Snort alerts.

Relentless etc # ps aux | grep snort

snort    13012  4.7  5.9  50004 45384 ?        Ss   23:46   0:00 /usr/bin/snort -D -u snort -i eth1 -l /var/log/snort -c /etc/snort/snort.conf

root     13015  0.0  0.1   2144   780 ?        Ss   23:46   0:00 snortsam

root     13017  0.0  0.0   1568   476 pts/0    R+   23:46   0:00 grep snort

Relentless etc #

```

I didn't even have to run oinkmaster.sh, unless you think I should run it anyway. Although, I can't seem to lock myself out, hmm... maybe I'm just doing it wrong. After tonight I feel like I know nothing about anything.

----------

## hanj

Sounds good... You need to make sure your rule still has the plugin call in it.. I was still able to connect to your server. If so.. make sure that modifysid line is in oinkmaster-bleeding.conf.. and run oinkmaster.sh again

hanji

----------

## vaguy02

Here is what I added to oinkmaster.conf

```
modifysid 2001219 "\)" | " fwsam: src, 20 minutes;\)"

```

Here is the rule in bleeding-scan.rules

```
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg: "BLEEDING-EDGE Potential SSH Scan"; flags: S; flowbits: set,ssh.brute.attempt; threshold: type threshold, track by_src, count 5, seconds 120; classtype: suspicious-login; sid: 2001219; rev:10;  fwsam: src, 20 minutes;|)

```

It is really weird that you can still connect; maybe I have to restart it all again. Any ideas? I have a feeling it might be the | at the end, but I can't seem to get rid of it: whenever I run oinkmaster.sh, it puts it back, but it's not in the modifysid line, so I don't know where it comes from.

Robert

----------

## hanj

It totally is the '|', in fact.. snort should die with that 'bad' rule in there. You have that pipe in oinkmaster-bleeding.conf somewhere. Are you modifying the rule twice in there possibly?

I don't use that rule.. so I added it to oinkmaster-bleeding.conf.. and ran oinkmaster.sh and it added to my rule correctly.

Can you show me the output of:

```
cat /etc/oinkmaster-bleeding.conf  | grep fwsam
```

thanks

hanji

----------

## vaguy02

OKay, I think it's fixed. Would you mind hitting the box again and letting me know what happens?

----------

## hanj

Hello

It's not working.. you need to confirm that:

A. Snort is running

B. SnortSam is running

C. bleeding-scans.rules is included

Can you see my attempts in BASE?

hanji

----------

## vaguy02

This is my log file; it shows that it is trying to block you and trying to block me, but for some reason we can still connect.

```
/var/log/snortsam.log:2005/08/04, 12:24:12, -, 1, snortsam, Starting to listen for Snort alerts.

/var/log/snortsam.log:2005/08/04, 12:35:40, 127.0.0.1, 3, snortsam, Accepted connection from 127.0.0.1.

/var/log/snortsam.log:2005/08/04, 12:35:40, 127.0.0.1, 3, snortsam, Adding sensor 127.0.0.1 to list.

/var/log/snortsam.log:2005/08/04, 12:35:40, 127.0.0.1, 1, snortsam, Error: Packet out of sequence from 127.0.0.1, trying to re-sync.

/var/log/snortsam.log:2005/08/04, 12:36:53, 127.0.0.1, 3, snortsam, Accepted connection from 127.0.0.1.

/var/log/snortsam.log:2005/08/04, 12:36:53, 127.0.0.1, 3, snortsam, Had to use initial key!

/var/log/snortsam.log:2005/08/04, 12:36:53, 127.0.0.1, 1, snortsam, Snort station 127.0.0.1 using wrong password, trying to re-sync.

/var/log/snortsam.log:2005/08/04, 12:36:53, 127.0.0.1, 3, snortsam, Accepted connection from 127.0.0.1.

/var/log/snortsam.log:2005/08/04, 12:36:53, 127.0.0.1, 3, snortsam, Accepted connection from 127.0.0.1.

/var/log/snortsam.log:2005/08/04, 12:36:53, 127.0.0.1, 2, snortsam, Blocking host 'your ip' completely for 1200 seconds (Sig_ID: 2001219).

/var/log/snortsam.log:2005/08/04, 12:37:24, 127.0.0.1, 3, snortsam, Accepted connection from 127.0.0.1.

/var/log/snortsam.log:2005/08/04, 12:37:24, 127.0.0.1, 2, snortsam, Blocking host 'my ip' completely for 1200 seconds (Sig_ID: 2001219).

```

```

Relentless log # ps aux | grep snort

snort    15245  0.1  5.9  50000 45460 ?        Ss   12:24   0:01 /usr/bin/snort -D -u snort -i eth1 -l /var/log/snort -c /etc/snort/snort.conf

root     15248  0.0  0.1   2144   812 ?        Ss   12:24   0:00 snortsam

root     15428  0.0  0.0   1568   476 pts/0    R+   12:39   0:00 grep snort

```

----------

## chevelle

 *vaguy02 wrote:*   

> This is my log file it shows that it is trying to block you and trying to block me but for some reason we can still connect.
> 
> ```
> /var/log/snortsam.log:2005/08/04, 12:24:12, -, 1, snortsam, Starting to listen for Snort alerts.
> 
> ...

 

First, hanj, on behalf of vaguy02, thanks for your efforts! Damn good walkthrough as well. Now

I'm at the same point he is here: I get this "packet out of sequence" error and no blocks. I see the thread is labeled solved, so what did it take?

thanks!

----------

