Archives For network monitoring

Unless I'm just not seeing it, there isn't a way to differentiate alerts from drops in BASE for Snort. They all appear the same, and unless you know the SID or the .rules file, all the information looks the same. To help alleviate this, and give users the ability to see at a glance which rules are dropping packets, I decided to task oinkmaster.pl with this job. Adding the phrase "DROPPED" to the end of the "msg:" section of the signature makes it appear that way in BASE, and Aanval can now send an email whenever one of these rules fires.
To do so, simply add the following to your oinkmaster.conf file, replacing <sid> with the SID of the drop rule you want tagged:

modifysid <sid> "(.*msg:\s*".+?)"(\s*;.+;)" | "${1}, DROPPED"${2}"
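To see what that modifysid line does to a rule set before letting oinkmaster touch the live rules, here is a small preview script. It is an added example, not from the post or from oinkmaster itself: it applies the same substitution with sed -E, using [^"]+ in place of Perl's lazy .+? (identical result for a msg string with no embedded quote), and only rewrites lines whose action is drop, so alert-only rules keep their msg. The sample rules are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: preview the oinkmaster "DROPPED" tagging on a rule set.
# sed -E stands in for oinkmaster's Perl regex; [^"]+ replaces the lazy .+?
# and gives the same result for any msg:"..." that contains no embedded quote.

tag_dropped() {
    # $1: one Snort rule line. Appends ", DROPPED" inside the msg:"..." string,
    # leaving the rest of the option list (sid, rev, ...) untouched.
    printf '%s\n' "$1" | sed -E 's/(.*msg:[[:space:]]*"[^"]+)"([[:space:]]*;.+;)/\1, DROPPED"\2/'
}

tag_drop_rules() {
    # Reads rules on stdin; rewrites drop rules, passes everything else through
    # unchanged (alert rules, comments, blank lines).
    while IFS= read -r line; do
        case "$line" in
            drop\ *) tag_dropped "$line" ;;
            *)       printf '%s\n' "$line" ;;
        esac
    done
}

# Constructed sample rules (not from the post); SIDs in the local range.
SAMPLE_RULES='drop tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"EXAMPLE SMB probe"; flow:to_server; sid:1000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"EXAMPLE web scan"; sid:1000002; rev:1;)
# a commented-out rule stays as-is'

# Usage: print the tagged rule set; only the drop rule gains ", DROPPED".
printf '%s\n' "$SAMPLE_RULES" | tag_drop_rules
```

Run it against a copy of your .rules files (pipe them into tag_drop_rules) to confirm the tagging lands where you expect before pointing oinkmaster at the real set.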

One of my biggest peeves about Snort, and running it inline, is having to restart the Snort process to load new rules. This had me worried about putting Snort into production, as it would make it awfully hard to tweak it while live.

Today I was browsing the Snort manual and found two short paragraphs relating to the "--enable-reload" option. Wha? Why didn't I find this earlier? A quick recompile with the "--enable-reload" configure flag was all it took. What a life saver this will be when we go live!

Once Snort is built with that option, you can simply issue "kill -SIGHUP <pid>" to have it reload its configuration without restarting!

Check out page 107 of the Snort manual though, as some changes still require a restart, so you're not going to get off completely scot-free.
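A reload wrapper that puts the SIGHUP step above into a script, as an added example that is not from the post or from the Snort project. It runs Snort's own configuration test (snort -T -c) before signalling, so a typo in a freshly added rule is caught here rather than by the running inline sensor, and it refuses to signal when the pidfile does not point at a live process. The binary and file paths are assumptions; set them to match your install.

```shell
#!/bin/sh
# Added example: reload Snort rules on a sensor built with --enable-reload,
# validating the configuration first. Paths below are placeholders.
SNORT_BIN="${SNORT_BIN:-snort}"
SNORT_CONF="${SNORT_CONF:-/etc/snort/snort.conf}"
SNORT_PIDFILE="${SNORT_PIDFILE:-/var/run/snort_eth0.pid}"

# snort -T parses the config and every included rule file, then exits non-zero
# on any error. Running it before the reload keeps a bad rule from reaching
# the live process.
check_config() {
    "$SNORT_BIN" -T -c "$SNORT_CONF" >/dev/null 2>&1
}

# Read the pid from the pidfile and confirm that process is still alive
# (kill -0 sends no signal, it only checks). Prints the pid on success.
snort_pid() {
    pid=$(cat "$SNORT_PIDFILE" 2>/dev/null) || return 1
    kill -0 "$pid" 2>/dev/null || return 1
    printf '%s\n' "$pid"
}

# SIGHUP makes a reload-enabled Snort re-read its configuration in place.
# Changes that still need a full restart are listed in the Snort manual.
reload_snort() {
    pid=$(snort_pid) || { echo "no running snort found via $SNORT_PIDFILE" >&2; return 1; }
    check_config || { echo "config test failed; not reloading pid $pid" >&2; return 1; }
    kill -HUP "$pid" && echo "SIGHUP sent to snort pid $pid"
}

# Usage: run after editing rules (or after oinkmaster has updated them).
# reload_snort
```

Because the config test exits non-zero on a broken rule, the script can be dropped straight into whatever job runs oinkmaster: update rules, then reload_snort, and the sensor keeps the last good rule set if the new one does not parse.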

Boy, when I started down the path of trying to get an IPS set up, I had no idea what I was getting myself into. I'm not much of a security guy or a Linux guy, but I thought I'd give it a go. I followed several different guides that all worked great for me, and thank you to those who put the following guides together: http://ubuntuforums.org/showthread.php?t=919472, http://www.openmaniak.com/inline.php, http://forum.learnit.vn/showthread.php?p=7007


Because our Exchange server might become unavailable, or worse yet, something might go wrong in the "core" of our network, it was decided that an alternate method of notification needed to be set up. SMS was the best option, as it would be independent of both the network and email.

I chose a tool called Gnokii and paired it with an older T-Mobile Motorola Razr connected to the Ubuntu server with a USB cable. The first step was installing Gnokii:

sudo apt-get install gnokii
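Once gnokii talks to the phone, the sending side is a short script. The one below is an added example, not from the post or from the gnokii project: it builds a one-segment message (host, UTC time, event text, cut at 160 characters so a long Snort msg does not fan out into several texts) and hands it to gnokii --sendsms, which reads the message body from stdin. The destination number is a placeholder, and GNOKII_BIN is overridable so the script can be dry-run on a box without a phone attached.

```shell
#!/bin/sh
# Added example: out-of-band SMS alert via gnokii.
# ALERT_NUMBER is a placeholder; GNOKII_BIN can be pointed at a stub for testing.
GNOKII_BIN="${GNOKII_BIN:-gnokii}"
ALERT_NUMBER="${ALERT_NUMBER:-+15555550100}"

# Build the text: sensor hostname, UTC time, then the event. Cut at 160 chars
# so the alert fits a single SMS segment even for a long rule msg.
compose_alert() {
    msg="$(uname -n) $(date -u +%H:%MZ) $1"
    printf '%s' "$msg" | cut -c1-160
}

# gnokii --sendsms <number> takes the message body on stdin.
send_sms() {
    compose_alert "$1" | "$GNOKII_BIN" --sendsms "$ALERT_NUMBER"
}

# Usage, e.g. from the job that watches for DROPPED alerts:
# send_sms "Snort DROPPED: EXAMPLE SMB probe"
```

Keep the phone on its own power and the script independent of the mail path; the whole point of the channel is that it still works when Exchange or the network core does not.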
