<body>

Wednesday, April 08, 2009

Upgrade to Snort 2.8.4

Sourcefire has replaced the dcerpc preprocessor in Snort with dcerpc2, and the updated netbios rules depend on it, so you have to upgrade to 2.8.4 if you want those rules to continue to work. This is the procedure I followed to upgrade my snort boxes.

Get Snort 2.8.4
# wget http://www.snort.org/dl/snort-2.8.4.tar.gz

Build and install Snort (stop the running service before make install overwrites the binary)

# tar zxvf snort-2.8.4.tar.gz
# cd snort-2.8.4
# ./configure --with-mysql --enable-dynamicplugin
# make
# service snort stop
# make install

Replace old netbios rules

# wget http://www.snort.org/vrt/tools/dcerpc2-snort-2.8.4-RC-1.rules
# cp /etc/snort/rules/netbios.rules /etc/snort/rules/netbios.rules.old
# cp dcerpc2-snort-2.8.4-RC-1.rules /etc/snort/rules/netbios.rules

Disable the old dcerpc preprocessor

In snort.conf:

#preprocessor dcerpc: \
# autodetect \
# max_frag_size 3000 \
# memcap 100000

Enable the new dcerpc2 preprocessor

In snort.conf:

preprocessor dcerpc2
preprocessor dcerpc2_server: default
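A shell script for the two snort.conf steps above, added here as an example and not part of the original post: it comments out the old dcerpc block including its backslash-continued lines (which a one-line sed would miss), appends the dcerpc2 lines only when they are not already present, and checks the result so the script can be run more than once. The sample snort.conf it builds is constructed; point migrate_dcerpc at /etc/snort/snort.conf to apply it for real, then validate with snort -T -c /etc/snort/snort.conf before starting the service again.

```shell
#!/bin/sh
# Added example (not from the original post): move a Snort 2.8.x snort.conf
# from the old "dcerpc" preprocessor to "dcerpc2" and verify the result.
# Assumes the backslash-continued "preprocessor dcerpc:" block shown in the
# post. The sample conf below is constructed.

# migrate_dcerpc FILE: comment out the old dcerpc block (all of its continued
# lines) and add the dcerpc2 lines if missing. Safe to run repeatedly.
migrate_dcerpc() {
    conf="$1"
    awk '
        # first line of the old block: start commenting
        /^[ \t]*preprocessor[ \t]+dcerpc:/ { inblk = 1 }
        # inside the block: prefix "#"; a line without a trailing "\" ends it
        inblk { print "#" $0; if ($0 !~ /\\[ \t]*$/) inblk = 0; next }
        { print }
    ' "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
    grep -Eq '^[[:space:]]*preprocessor[[:space:]]+dcerpc2([[:space:]]*$|:)' "$conf" || \
        printf '%s\n' 'preprocessor dcerpc2' >> "$conf"
    grep -Eq '^[[:space:]]*preprocessor[[:space:]]+dcerpc2_server:' "$conf" || \
        printf '%s\n' 'preprocessor dcerpc2_server: default' >> "$conf"
}

# check_dcerpc FILE: succeed only when no active old dcerpc line remains and
# both dcerpc2 lines are present.
check_dcerpc() {
    conf="$1"
    if grep -Eq '^[[:space:]]*preprocessor[[:space:]]+dcerpc:' "$conf"; then
        return 1
    fi
    grep -Eq '^[[:space:]]*preprocessor[[:space:]]+dcerpc2([[:space:]]*$|:)' "$conf" || return 1
    grep -Eq '^[[:space:]]*preprocessor[[:space:]]+dcerpc2_server:[[:space:]]*default' "$conf" || return 1
    return 0
}

# make_sample_conf FILE: constructed stand-in for /etc/snort/snort.conf
make_sample_conf() {
    cat > "$1" <<'EOF'
preprocessor frag3_global: max_frags 65536
preprocessor dcerpc: \
    autodetect \
    max_frag_size 3000 \
    memcap 100000
preprocessor stream5_global: max_tcp 8192
EOF
}

SAMPLE="${TMPDIR:-/tmp}/snort.conf.example.$$"
make_sample_conf "$SAMPLE"
migrate_dcerpc "$SAMPLE"
migrate_dcerpc "$SAMPLE"   # second run must change nothing
if check_dcerpc "$SAMPLE"; then
    echo "dcerpc2 migration ok:"; cat "$SAMPLE"
else
    echo "migration failed" >&2
fi
rm -f "$SAMPLE"
```

The awk pass is what makes the old block safe to disable: commenting only the `preprocessor dcerpc:` line would leave `autodetect \` and the other continuation lines as stray tokens, and snort -T would reject the file.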

Sunday, April 05, 2009

Adding a snort_archive Database to an Existing Snort/BASE Installation

1. Create snort_archive database and assign permissions to snort user

$ mysql -u root -p
mysql> create database snort_archive;
mysql> grant CREATE,INSERT,SELECT,DELETE,UPDATE on snort_archive.* to snort@localhost;
mysql> grant CREATE,INSERT,SELECT,DELETE,UPDATE on snort_archive.* to snort;
mysql> exit

2. Set up the tables using the schema shipped with the Snort source

$ cd $SNORT_SOURCE_DIRECTORY/schemas
$ mysql -u root -p snort_archive < create_mysql

3. Export existing snort database

$ mysqldump -p snort > snort-backup.sql

4. Import snort database into snort_archive

$ mysql -p snort_archive < snort-backup.sql

5. Modify base_conf.php to enable archive database

$archive_exists = 1; # Set this to 1 if you have an archive DB
$archive_dbname = 'snort_archive';
$archive_host = 'localhost';
$archive_port = '';
$archive_user = 'snort';
$archive_password = '$PASSWORD';

6. At BASE home page, select link "Use archive database"
7. Select Total alerts link (the number of total alerts)
8. Select Delete alerts for entire query
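The base_conf.php edit from step 5 as a script, added here as an example and not part of the original post. BASE's base_conf.php already carries the archive_* settings with default values (the "# Set this to 1" comment above is the stock one), so they must be edited in place rather than appended, or PHP ends up with two assignments and the later one wins silently. The script rewrites each setting while keeping the file's trailing comments, takes the password from an environment variable (BASE_ARCHIVE_PASSWORD, a name chosen for this example) instead of hardcoding it, and checks the result. The sample base_conf.php it builds is constructed and far shorter than the real file.

```shell
#!/bin/sh
# Added example (not from the original post): enable the archive database in
# BASE's base_conf.php in place and verify it. Assumes the archive_* settings
# already exist in the file. The sample file below is constructed.

# set_php_var FILE NAME VALUE: rewrite the line "$NAME = ...;" as
# "$NAME = VALUE;", keeping any trailing "# comment". Other lines are untouched.
set_php_var() {
    file="$1"; name="$2"; value="$3"
    awk -v name="$name" -v value="$value" '
        $0 ~ ("^[ \t]*[$]" name "[ \t]*=") {
            comment = ""
            if (match($0, /;[ \t]*#.*$/)) comment = substr($0, RSTART + 1)
            print "$" name " = " value ";" comment
            next
        }
        { print }
    ' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# enable_archive FILE: apply the six settings from step 5. The password is a
# PHP single-quoted literal, so it must not contain a quote or a backslash.
enable_archive() {
    set_php_var "$1" archive_exists 1
    set_php_var "$1" archive_dbname "'snort_archive'"
    set_php_var "$1" archive_host "'localhost'"
    set_php_var "$1" archive_port "''"
    set_php_var "$1" archive_user "'snort'"
    set_php_var "$1" archive_password "'${BASE_ARCHIVE_PASSWORD:-CHANGE_ME}'"
}

# archive_enabled FILE: succeed only when archive_exists is 1 and a database
# name is set, i.e. BASE will actually offer the "Use archive database" link.
archive_enabled() {
    grep -Eq '^[[:space:]]*\$archive_exists[[:space:]]*=[[:space:]]*1[[:space:]]*;' "$1" || return 1
    grep -Eq "^[[:space:]]*\\\$archive_dbname[[:space:]]*=[[:space:]]*'[^']+'[[:space:]]*;" "$1" || return 1
    return 0
}

# make_sample_conf FILE: constructed stand-in for base_conf.php with the
# archive settings at their shipped defaults.
make_sample_conf() {
    cat > "$1" <<'EOF'
<?php
$DBlib_path = '/usr/share/php/adodb';
$archive_exists = 0; # Set this to 1 if you have an archive DB
$archive_dbname = '';
$archive_host = 'localhost';
$archive_port = '';
$archive_user = 'snort';
$archive_password = 'mypassword';
?>
EOF
}

SAMPLE="${TMPDIR:-/tmp}/base_conf.php.example.$$"
make_sample_conf "$SAMPLE"
enable_archive "$SAMPLE"
if archive_enabled "$SAMPLE"; then
    echo "archive settings applied:"; cat "$SAMPLE"
else
    echo "edit failed" >&2
fi
rm -f "$SAMPLE"
```

Run it as BASE_ARCHIVE_PASSWORD='...' sh script.sh against a copy of the real base_conf.php; archive_enabled is the check to run before expecting the "Use archive database" link in step 6 to appear.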