Ubuntu Security :: Setup And Configure Snort 2.8.5.2 On A 10.10 System?
Dec 11, 2010
does anyone know of a good tutorial on how to set up and configure snort 2.8.5.2 on a ubuntu 10.10 system.I have been trying to set up snort and have run into alot of problems setting up the config file and the rules. It works in sniff and packet log mode but i cannot seem to set up IDS mode correctly. There is alot of different info on the net but not much help. There seems to be alot of work involved in setting this up which i do not mind provided i can find the proper documentation to configure the set up.
want to set up snort on my F13 home computer.Is there a simple way to do it or do I have to do it the hard way (compiling and stuff) ?I want to use snort for intrusion prevention and detect possible threats from internet.
I need assistance with my Snort Installation. I used Bodhi Zazen's Network Intrusion Detection System post and found it easier than the previous time I had done it. I am currently running Ubuntu 10.04 server and Snort 2.8.6.1 with BASE 1.4.5. I followed Bodhi Zazen's instructions and when I tested snort it ended with a Fatal Error due to ERROR: /etc/snort/rules/exploit.rules(264) => 'fast_pattern' does not take an argument Fatal Error, Quitting.. Here is the entire output once I ran the test command: snort -c /etc/snort/snort.con -T Running in Test mode
I am currently running snort as an IDS on the same machine that acts as our gateway. I installed it using sudo apt-get install snort. However, I'd like to make it run as an IPS. Is it possible to convert that currently running snort instance from running as an IDS to an IPS without having to download the snort tar balls and install it? I do not want the tar balls because during updates and upgrades, I'd like the whole OS and installed apps (such as snort) to be upgraded.
I have installed snort + mysql + acid base, I add some rules into /etc/snort/rules/local.rules to test the alert:
alert icmp 192.168.1.20 any -> 192.16.1.21 any (flags:A;ack:0;msg:"NMap icmp ping") alert icmp 192.168.1.20 any -> 192.16.1.21 any (content:"abcdefgh";;msg:"ping de windows") alert icmp 192.168.1.20 any <> 192.16.1.21 any (flags: S; msg: "HOULA SYN Packet!"
After I restart snort and I tied 2 pc by cross cable (192.168.1.20 for windows and the victim is 192.168.1.21 for Linux where the snort is installed), my HOME_NET 192.168.1.21 and the EXTEREL_NET !$HOME_NET. The problem is when I run: snort -dvi eth0 -c /etc/snort/snort.conf
I see the packet transmitted and received (the received conten "abcdefgh" ), when I stopped snort CTRL+C I don't found any alert in the result!!! Run time prior to being shutdown was 218.523030 seconds.
I am running Lucid on this machine, but I have had this problem on every machine with Snort. When I awaken the system from suspend or hibernation, snort pegs out one of the CPUs.
I work in a relatively small organisation of about 30 people (but with a complex network) and we've been looking to move our firewall to Microsoft's Threat Protection Manager on a mostly Windows network. I've been thinking we should have an IDS/IPS inside the firewall and I've been thinking about Snort in NIDS mode but have some basic questions:
1. Can anyone recommend a good web GUI for Snort?
2. Is it advisable to run both on the same machine? (Both from a POV of security and resources.)
I am running karmic koala with a recent install of snort 2.4.8.1(build 3 and i am at a loss for useful commands in solving an internal problem(within the network).All i have is `"sudo snort -v -i wlan0" on my very short list of useful commands regarding ids.It is doing little to no good in resolving my problem with a network snoop besides showing that it is running;i need some more weight (knowledge) in order to rectify the problem?
I was wondering whether or not it is possible/advisable to install and run Snort on a single laptop with a wireless router (firewall enabled)? Does Snort require root privileges and are there any other issues one needs to be aware of when installing and running software like this?
I'm looking to possibly need to make use of snort and its packet filtering/inspection abilities to help cover for PCI. I've searched Amazon, but nothing really stand out, there is a new one (2007 - Snort Intrusion Detection and Prevention Toolkit), or slightly older ones... Managing Security with Snort & IDS Tools - 2004, Snort Cookbook - 2005, Snort for Dummies - 2004.
Now i'm tempted in just going for the latest one, but i'm completely new to snort so perhaps it needs another book like snort for dummies to get started ;-P
I am wondering if there any any key loggers in the repository or on my system that I could setup and view. I would prefer a terminal only application that would require root permissions to get at.
Trying to figure out which Intrusion Detection System would be best for me. I've got a CentOs 5 / Linux / Apache system. If you've got experience with either (or both ) , please let me know your thoughts. I'm looking for the one thats not as technical, And a bit more user friendly I guess.
Is there a way to delete files on the commandline that uses the KDE-Wastebin?It appears that I never ever need the KDE4 Wastebin for files that I deleted through Konqueror or Dolphin. It is only when I delete files on the konsole with rm that I wish I could undelete them. It always happens like that, mostly by being in the wrong directory or using a wildcard when I should not have. (I don't have any erroneous deleted file right now, and I do have plenty of backups, but I just wonder whether there is something better than rm to use generally on the commandline.)
I have tried to install and configure Hudson in centos distro version 5.Installed hudson with tomcat by deploying .war files.after configuration was completed, builded a project.It displayed build was completed successfully.but I was not able to download output of build.
So I rechecked configuration,found that i havent set artifact file pattern to archive. how to set artifact file pattern and how to get build output. how to manage hudson by using configure system and configure options.what is the correct way to configure public hudson?.
I've created a wonderful (until this issue) portable copy of Ubuntu linux that will boot on mostly anything by using a USB enclosure for my laptop's 80GB SATA drive. So far so good, it boots and runs on everything, and on non-nVidia card setups was even detecting the drivers, or letting me install the required drivers for hardware acceleration and compiz. Because you know, the wobble windows are the most awesome thing ever.
Anyway, my desktop machine had an nVidia card, so I'm thinking, sure, I'll just install the nVidia drivers like before and everything will work happily. Not so-- now the desktop and any other nVidia cards work great, but it seems to have completely disabled any other graphics cards. When the kernel module detects that an nVidia card isn't present, it shoots up this nasty little dialog box giving me the option to boot into "low graphics" mode, which doesn't even allow me to use the correct screen resolution, much less see the installed graphics card and try to configure a driver for it.
Is there any way to configure Ubuntu (with the dreaded nVidia kernel module) so that it can use nVidia's drivers when an nVidia card is present, and default to the normal (not low-graphics) setup in other cases, so that it has a fair chance of using what's actually present? I'm not afraid to much with config files, I just don't know the underlying system well enough to feel comfortable diving in without a push in the right direction.
I'm trying to setup puppet to install and configure apache on several servers. Having found: [URL] I thought I was onto something. However I'm a little lost, does anyone know of or can anyone write a small howto on how to get this module working on certain nodes. My current state is puppet is running and connected to the puppetmaster. I can do simple things but the apache install have lost me a little.
I'm trying to setup puppet to install and configure apache on several servers. Having found:
[URL]
I thought I was onto something. However I'm a little lost, does anyone know of or can anyone write a small howto on how to get this module working on certain nodes.My current state is puppet is running and connected to the puppetmaster. I can do simple things but the apache install have lost me a little.
I already have a web server with apache 2, ftp, phpmyadmin, ispconfig2, running on internet. I use dyndns service to have the server on internet. Now I am trying to setup and configure a mail server base on Postfix With SMTP-AUTH And TLS.The host name is dec1.decom.com the domain name decom.com. The internet URL is URL... .So when I am setting up Postfix I need the System mail name: and Other destinations to accept mail for : here is my question which name do I must use on this configuration. Hostname (dec1.deccom.com) or URL.
Okay on /dev/sda sda1 is windows xp sda2 slackware /boot /system files sda3 slackware swap sda5 Centos LVM
Now my question is when I install CentOS grub did not automatically setup the slackware partition and I have to configure it manually. This is my grub.conf file
[root@centos ~]# cat /boot/grub/grub.conf # grub.conf generated by anaconda # # Note that you do not have to rerun grub after making changes to this file # NOTICE: You have a /boot partition. This means that # all kernel and initrd paths are relative to /boot/, eg. # root (hd0,4) # kernel /vmlinuz-version ro root=/dev/VolGroup00/LogVol01 # initrd /initrd-version.img # boot=/dev/sda default=0 timeout=5 splashimage=(hd0,4)/grub/splash.xpm.gz hiddenmenu title CentOS (2.6.18-92.el5) root (hd0,4) kernel /vmlinuz-2.6.18-92.el5 ro root=/dev/VolGroup00/LogVol01 rhgb quiet initrd /initrd-2.6.18-92.el5.img title Slackware root (hd0,1) kernel /vmlinuz-generic-2.6.29.6 title Other rootnoverify (hd0,0) chainloader +1
I need to setup a mail server, purely for relaying mail to a MS exchange server. A previous employee used Postfix on CentOS. I have limited Linux knowledge and no experience with any mail server software other than MS Exchange, so we cannot continue with this solution (unless I can find a way of managing it all from a gui). Does anyone know of an MTA that can be configured completely by GUI? Everyone says sendmail has millions of features and loads of documentation, but I simply do not have the time to learn it. I need something that can be configured with minimal knowledge and via GUI, not command line. The only reason I'm not using Exchange is to try to save money, and hopefully it will be more secure.
I've tried to configure DRBL server to use Clonezilla and that is required me to setup DHCP, TFTP servers.But I've gotten a lot of errors from them - so please look at my attachments from /var/log/messages and dhcpd.conf - help me to find out what are wrong with them.
this is the allert i got:Code:Summary:Your system may be seriously compromised! /usr/sbin/NetworkManager tried to loada kernel module.Detailed Description:SELinux has prevented NetworkManager from loading a kernel module. All confinedprograms that need to load kernel modules should have already had policy writtenfor them. If a compromised application tries to modify the kernel this AVC willbe generated. This is a serious issue.Your system may very well be compromised.Allowing Access:Contact your security administrator and report this issue.Additional Information:
I am using ubuntu 11.04 in my home desktop. Is it necessary that firewall should be active inorder to avoid hack? I heard that we will not be given static ip address, only paid one will get static ip address that can be used for web server implementation. If my system doesnt have static address then can others access my system?
I am running Debian 5 and I'm trying to install and configure SNORT. My first stop is to Snort.org where I check out the directions. They tell me I need Libpcap, PCRE, Libnet and Barnyard. I've looked at the Debian Snort installation guide, and I've noticed that most the documents are really old...
I've actually got libpcap and PCRE installed and now I'm trying to figure out how to get libnet installed. It seems more tricky. I think it's the oldest api I've seen.
I guess my main area of question is if there is a better way of getting Snort up and running... I had a previous version of Linux where I install just Snort and I had network packets streaming across the screen, but that's not very helpful as I need some kind of interface so I know what the hell im looking at.
So should I follow the instructions on Snort.org as well as the "Debian, Snort, Barnyard, BASE, & Oinkmaster Setup Guide"? Or does anyone know a more up-to-date guide for Debian users?
What commands can be used to install software such as "phpMyAdmin" to Fedora? As I am setting up Apache in Fedora. How to install "phpMyAdmin" and setup phpMyAdmin, so that I can use internet explorer to manage the phpMyAdmin to configure the MySQL database remotely.
