Re: [SLUG] Snort!

From: Derek Glidden (dglidden@illusionary.com)
Date: Mon Jul 29 2002 - 11:11:30 EDT


On Sun, 2002-07-28 at 09:21, Russell Hires wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> These instructions are great! But I'm a debian fan, so that means apt-get. I
> already have postgresql set up, I'm good there, too.

Except that snort hasn't been updated in debian for many releases. I'm
not sure why, but even in the absolutely bleeding-edge debian snort
package, it's about 18 months old last time I checked.

> > Edit the snort.conf and set:
> Now, the fun part...
> >
> > var HOME_NET $eth0_ADDRESS
> >
> > for whichever interface is the external interface on your firewall, or:
> >
> > var HOME_NET [192.168.1.0/24]
> >
> > where the CIDR is the address range of the network that you consider
> > "yours".
>
> I'm confused by these instructions. For me, my home network is eth1 (ip =
> 192.168.1.2), and the rest of the internet is on ppp0 (aka external
> interface), which is what I get assigned because of my dsl connection (ip =
> 4.62.115.xx). So here I want to set the eth1 address, or the ppp0 address?

You want the ppp0 address. This is basically the "traffic coming to
this address is what I want to notice" address.
 
> > $HOME_NET is frequently used as a "target" address for snort rules, so
> > make sure that you set it to whatever range of addresses you'd like to
> > get snort alerts on. i.e. if you just have one external address on RR,
> > just use the $eth0_ADDRESS option - <snip> (And of course $eth1_ADDRESS is
> > just as valid or $ppp_ADDRESS - whatever your external interface.)
>
> So my HOME_NET _is_ my external address? I've got ppp0 as the external, and
> eth1 as internal. I want to detect what's coming from the outside, which is
> ppp0, right?

yep.
 
> > Then set
> >
> > var EXTERNAL_NET !$HOME_NET
> >
> > $EXTERNAL_NET is used as the "source" for a lot of rules to match, so
> > this should be anything NOT your $HOME_NET.
> >
> > A lot of rules wind up looking something like:
> >
> > "where source is $EXTERNAL_NET and dest is $HOME_NET ...."
> >
> > so those are two of the most important settings to tweak <snip>
>
> > Then set
> >
> > var RULE_PATH /usr/local/etc/snort/rules
>
> I've got debian (didn't I say that? :-) so I'm not sure how this applies. I
> guess I'll check the docs for debian on this.

it'll all be in /etc/snort, but see above re: my debian snort package
complaints. which is why _I_ build from source...
 
> <snip>
> >
> > The hardest part of getting any useful information out of snort is
> > getting any information at all out of snort. Logging to a database and
> > using ACID is probably the most user-friendly and useful way, so
> > you'll need to scan down the config file for output plugins and find the
> > database methods. Configure it as appropriate for the database you've
> > set up by the examples given.
>
> <snip>
> I'll play with this, too. Sounds like fun!

ACID is the best I've seen, even if it does have some quirks and
drawbacks.

Otherwise you get to use "grep" and logfiles. Whee! ;)
 
> >
> > Once you've got that all set up, start snort:
> >
> > /usr/local/bin/snort -c /usr/local/etc/snort/snort.conf -i eth0 -l
> > /var/log/snort -u snort -D
> >
> <snip>
> - ---debian again. When I installed snort through apt-get, I am asked a few
> questions, such as what is my home network...

double-check the initscript as I don't recall if the default debian
initscript really does all the options it should.
 
> <snip>
> > Do a "ps" and see if snort is running. If not, tail your
> > /var/log/daemon.log and see if it spit out an error message. Generally
> > the error messages are pretty self-explanatory, so you should be able to
> > figure out what the problem was and fix it.
>
> Good advice! I wouldn't have known where to look otherwise.

yeah, snort puts things in odd places sometimes. :)
 
> > Depending on how you have logging set up, you may start to see things
> > appear in your database, in /var/log/auth.log and/or in files located in
> > /var/log/snort/. I generally have a CRON job that runs nightly that
> > just does a "stop/start" on the SNORT process (you can find the PID in
> > /var/run/snort_$iface.pid) so the logs in /var/log/snort will roll
> > over, otherwise they can get pretty big if you get a lot of traffic.
>
> I have nothing in my logs yet. I've only been running for 24 hours or so.

You can always hit it from another server if you have access and do some
sneaky things to see if it picks them up. It's a *very* good idea to
get someone you know and trust to poke at your Snort setup a few times
to make sure it's actually working.

** Worse than needing one and not having an IDS is needing one and
having an IDS that isn't working correctly but you don't know it.
 
> <major snip>
> >
> > I will give you a hint though - the WORST thing you can see in your
> > snort logs is an alert that says "Successful exploit."
>
> This is the best tutorial I've seen :-) Thanks!

No problem.

Maybe Paul would want to stick the original permanently on the SLUG
website somewhere if it might be useful to others? (And add my comment
about Debian's packages...)

-- 
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
#!/usr/bin/perl -w
$_='while(read+STDIN,$_,2048){$a=29;$b=73;$c=142;$t=255;@t=map
{$_%16or$t^=$c^=($m=(11,10,116,100,11,122,20,100)[$_/16%8])&110;
$t^=(72,@z=(64,72,$a^=12*($_%16-2?0:$m&17)),$b^=$_%64?12:0,@z)
[$_%8]}(16..271);if((@a=unx"C*",$_)[20]&48){$h=5;$_=unxb24,join
"",@b=map{xB8,unxb8,chr($_^$a[--$h+84])}@ARGV;s/...$/1$&/;$d=
unxV,xb25,$_;$e=256|(ord$b[4])<<9|ord$b[3];$d=$d>>8^($f=$t&($d
>>12^$d>>4^$d^$d/8))<<17,$e=$e>>8^($t&($g=($q=$e>>14&7^$e)^$q*
8^$q<<6))<<9,$_=$t[$_]^(($h>>=8)+=$f+(~$g&$t))for@a[128..$#a]}
print+x"C*",@a}';s/x/pack+/g;eval 

usage: qrpff 153 2 8 105 225 < /mnt/dvd/VOB_FILENAME \ | extract_mpeg2 | mpeg2dec -

http://www.cs.cmu.edu/~dst/DeCSS/Gallery/ http://www.eff.org/ http://www.anti-dmca.org/
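The thread's main point is that HOME_NET should be the address Snort is meant to protect (here the ppp0 side, not eth1) and that EXTERNAL_NET should be `!$HOME_NET`, because most rule headers read "source $EXTERNAL_NET, destination $HOME_NET". The script below is an added example, not code from the tutorial, from this thread or from the Snort project: it parses the `var` lines of a small constructed snort.conf excerpt, expands `$iface_ADDRESS` references from a constructed interface table (Snort does this expansion itself; the table stands in for what it learns from the OS), and evaluates just the address fields of a rule header against a packet's source and destination. The addresses 203.0.113.7 and 198.51.100.9 are documentation ranges chosen for the example; ports, protocol and payload are deliberately ignored.

```python
"""Resolve snort.conf `var` definitions and evaluate rule address predicates.

Added example; the config excerpt, interface table and packet addresses
below are constructed for illustration.
"""
import ipaddress
import re

# Constructed excerpt modelled on the settings discussed in the thread.
SAMPLE_SNORT_CONF = """\
# HOME_NET is the external (DSL) side: traffic to this address is what we watch
var HOME_NET $ppp0_ADDRESS
var EXTERNAL_NET !$HOME_NET
var RULE_PATH /usr/local/etc/snort/rules
"""

# Constructed stand-in for the interface addresses Snort reads from the OS.
IFACE_ADDRESSES = {
    "eth1": "192.168.1.2/24",   # internal LAN side
    "ppp0": "203.0.113.7/32",   # placeholder for the DSL-assigned address
}


def parse_vars(conf_text):
    """Collect `var NAME VALUE` lines from a snort.conf, ignoring comments."""
    found = {}
    for line in conf_text.splitlines():
        line = line.split("#", 1)[0].strip()
        m = re.match(r"var\s+(\S+)\s+(.+)$", line)
        if m:
            found[m.group(1)] = m.group(2).strip()
    return found


def resolve(value, vars_, ifaces, depth=0):
    """Expand an address value to (negated, networks); networks=None means 'any'."""
    if depth > 10:
        raise ValueError("variable reference loop")
    value = value.strip()
    negated = value.startswith("!")
    if negated:
        value = value[1:].strip()
    if value == "any":
        return negated, None
    if value.startswith("$"):
        name = value[1:]
        if name.endswith("_ADDRESS"):
            # Snort's per-interface shorthand: the network that interface sits on.
            iface = name[: -len("_ADDRESS")]
            return negated, [ipaddress.ip_network(ifaces[iface], strict=False)]
        inner_negated, nets = resolve(vars_[name], vars_, ifaces, depth + 1)
        return negated ^ inner_negated, nets
    # Literal CIDR or bracketed list such as [192.168.1.0/24,10.0.0.0/8].
    nets = [ipaddress.ip_network(p.strip(), strict=False)
            for p in value.strip("[]").split(",") if p.strip()]
    return negated, nets


def address_matches(spec, ip):
    """True when `ip` satisfies the resolved (negated, networks) predicate."""
    negated, nets = spec
    addr = ipaddress.ip_address(ip)
    hit = True if nets is None else any(addr in n for n in nets)
    return hit != negated


def rule_matches(rule_header, src_ip, dst_ip, vars_, ifaces):
    """Evaluate only the address fields of a header like
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 80' (ports and payload ignored)."""
    parts = rule_header.split()   # action proto src sport -> dst dport
    src_spec = resolve(parts[2], vars_, ifaces)
    dst_spec = resolve(parts[5], vars_, ifaces)
    return address_matches(src_spec, src_ip) and address_matches(dst_spec, dst_ip)


def check_config(vars_):
    """Flag the settings the thread singles out as the ones most often wrong."""
    problems = []
    if "HOME_NET" not in vars_:
        problems.append("HOME_NET is not set")
    if vars_.get("EXTERNAL_NET", "").replace(" ", "") != "!$HOME_NET":
        problems.append("EXTERNAL_NET should be !$HOME_NET so rule sources mean 'not mine'")
    if "RULE_PATH" not in vars_:
        problems.append("RULE_PATH is not set; the include lines will fail")
    return problems


if __name__ == "__main__":
    v = parse_vars(SAMPLE_SNORT_CONF)
    print("config problems:", check_config(v))
    rule = "alert tcp $EXTERNAL_NET any -> $HOME_NET 80"
    # Inbound from the internet to the DSL address: the rule should fire.
    print("correct HOME_NET:", rule_matches(rule, "198.51.100.9", "203.0.113.7", v, IFACE_ADDRESSES))
    # Same packet with HOME_NET mistakenly pointed at eth1: it is silently missed.
    wrong = dict(v, HOME_NET="$eth1_ADDRESS")
    print("HOME_NET on eth1:", rule_matches(rule, "198.51.100.9", "203.0.113.7", wrong, IFACE_ADDRESSES))
```

Running it shows the failure mode the thread warns about: with HOME_NET on the internal interface, the inbound rule never matches traffic arriving at the ppp0 address, and nothing tells you that Snort is quietly watching the wrong side, which is exactly why having someone you trust poke at the setup is worth doing.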



This archive was generated by hypermail 2.1.3 : Fri Aug 01 2014 - 14:49:06 EDT