Gentoo Forums
Gentoo Forums
Gentoo Forums
Quick Search: in

  FAQ | Search | Memberlist | Usergroups | Statistics | Profile | Log in to check your private messages | Log in | Register

snort doesn't send alerts to prelude-manager
 View unanswered posts
View posts from last 24 hours

 
Reply to topic    Gentoo Forums Forum Index Networking & Security
View previous topic :: View next topic  
Author Message
mrfree
Veteran
Veteran


Joined: 15 Mar 2003
Posts: 1303
Location: Europe.Italy.Sulmona
PostPosted: Sat Sep 03, 2005 6:30 pm    Post subject: snort doesn't send alerts to prelude-manager Reply with quote
I'm using
Code:
app-admin/prelude-manager-0.9.0_rc8 *
app-admin/prelude-lml-0.9.0_rc5 *
dev-libs/libpreludedb-0.9.0_rc13 *
dev-libs/libprelude-0.9.0_rc14 *
net-analyzer/snort-2.3.3-r1


I've configured the system using gentoo-wiki howto, prelude-manager, prelude-lml and prewikka seems to works well... if I login using ssh the IDS log this and I can view it using prewikka
The problem is snort :(

I've registered the sensor without any apparent problem and snort starts without any errors, this is the config file (part of interest):
Code:
# prelude: log to the Prelude system
#
# output prelude: profile=snort config=/etc/snort-prelude.conf
# profile = Name of the Prelude profile to use (default is snort).
# config  = Name of a prelude configuration file to use.
output alert_prelude


I've tryed to add this testing rule to my /etc/snort/rules/local.rule (this is a snort faq):
Code:
# false positive! (testing rule)
alert tcp any any -> any any (msg:"TCP traffic";)


the file /var/log/snort/alers contains a lot of alerts but using prewikka seem that prelude-manager doesn't receive any kind of alert... the agents/heartbeat sections reports that snort sensor is correctly online!!!

Any ideas???
_________________
Please EU, pimp my country!

ICE: /etc/init.d/iptables panic
Back to top
View user's profile Send private message
coldfire
n00b
n00b


Joined: 27 Jan 2004
Posts: 53
Location: Edmonton, AB
PostPosted: Mon Sep 05, 2005 4:26 pm    Post subject: Reply with quote
I am also having this problem too. I have tried adding the false positive rule as well, and I am not able to view any alerts with prewikka. Snort does show up as online in prewikka, but no events are being logged. Any suggestions are greatly appreciated!

coldfire
Back to top
View user's profile Send private message
tecknojunky
Veteran
Veteran


Joined: 19 Oct 2002
Posts: 1937
Location: Montréal
PostPosted: Mon Oct 17, 2005 5:03 am    Post subject: Reply with quote
It's strange. According the the docs and comments found in the config files, you'd expect that in /etc/prelude/default/client.conf if you put
Code:
server-addr = 192.168.1.11 || 127.0.0.1
, it would first try to bind to the first address, and to the second only if the first fails, as is explained in the comment...
Code:
# Try to connect on a Manager listening on 127.0.0.1.
#
# server-addr = x.x.x.x:port || y.y.y.y && z.z.z.z
#
# This mean the emission should occur on x.x.x.x:port or, if it fail,
# on y.y.y.y and z.z.z.z (if one of the two host in the AND fail,
# the emission will be considered as failed involving saving the
# message locally).


Yet, when snort start, you see it eventualy connects to the first, but then tries also the second.
Code:
Rule application order: ->activation->dynamic->drop->alert->pass->log
Log directory = /var/log/snort/manitou
- Connecting to 192.168.1.11:4690 prelude Manager server.
- TLS certificate: server certificate is trusted.
- TLS authentication succeed with Prelude Manager.
- Connecting to 127.0.0.1:4690 prelude Manager server.
prelude-connection: connection error with 127.0.0.1:4690: Connection refused. Failover enabled.

        --== Initialization Complete ==--

   ,,_     -*> Snort! <*-
  o"  )~   Version 2.4.1 (Build 24)
   ''''    By Martin Roesch & The Snort Team: http://www.snort.org/team.html
           (C) Copyright 1998-2005 Sourcefire Inc., et al.
 NOTE: Snort's default output has changed in version 2.4.1!
       The default logging mode is now PCAP, use "-K ascii" to activate
       the old default logging mode.

- Connecting to 127.0.0.1:4690 prelude Manager server.
prelude-connection: could not connect to 127.0.0.1:4690: Connection refused.
- Connecting to 127.0.0.1:4690 prelude Manager server.
prelude-connection: could not connect to 127.0.0.1:4690: Connection refused.
Any of you guys can give me a pointer?

[edit]
Ok, it would seem that the prelude-manager bind to only one address. So, you can't make it listen to both the loopback and the outgoing nic. This mean that if the nic goes down, the logging stops.

For now, I have removed the || 127.0.0.1 part, and kept the network address instead, until I master a little bit more of that. Now, my head is quite full of prelude mumbojumbo :?
[/edit]
_________________
(7 of 9) Installing star-trek/species-8.4.7.2::talax.
Back to top
View user's profile Send private message
Display posts from previous:   
Reply to topic    Gentoo Forums Forum Index Networking & Security All times are GMT
Page 1 of 1

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum



 Links: forums.gentoo.org | www.gentoo.org | bugs.gentoo.org | wiki.gentoo.org | forum-mods@gentoo.org

Copyright 2001-2025 Gentoo Foundation, Inc. Designed by Kyle Manna © 2003; Style derived from original subSilver theme. | Hosting by Gossamer Threads Inc. © | Powered by phpBB 2.0.23-gentoo-p11 © 2001, 2002 phpBB Group
Privacy Policy