tarballed
July 7th, 2004, 19:30
Hey everyone. Thought i'd drop by and ask some questions about my upcoming snort rollout.
Just wanted to get some ideas and thoughts for design ideas for snort. I've been reading through the Syngress Snort 2.0 book, and read the section on NIDS, DIDS and HIDS and I see they each have a benefit. Looking at it from my standpoint, I am thinking of going the NIDS route.
Here is what I have:
On my DMZ, we just have our mail gateway server.
Internall, besides our workstations, we have our internal mail server, a Microsoft SQL server (don't ask) as well as a few other servers, such as samba and web.
I was thinking of putting up one NIDS box on the DMZ network to monitor the Mail gateway, and a second box on the trusted network to monitor everything else.
Any bad things about that config? Good things?
I currently have one single HIDS up that I am using for testing. It includes:
OpenBSD 3.5
Snort-2.1.3
A.C.I.D-0.9.3
MySQL-4.0.20
Been able to get it up and running pretty easily, but now im trying to trip some of the rules. NMAP the tool of choice to test this out?
I appreciate the feedback and suggestions.
Tarballed
bsdjunkie
July 7th, 2004, 20:46
Looks good so far, if you have another box you may want to place a sensor outside of the firewall as well. Then you will be able to see attacks on all points, external/dmz/internal.
tarballed
July 8th, 2004, 15:03
Looks good so far, if you have another box you may want to place a sensor outside of the firewall as well. Then you will be able to see attacks on all points, external/dmz/internal.
Good point. I may come back for suggestions on how to set that up properly. My brain is not thinking correctly right now.
Also, doing some basic testing with Snort on a test box at work. Running the setup I listed above. It is logging to a MySQL database. I can startup snort fine using the command as follows:
snort -c snort.conf -i xl0 -D
Starts up fine.
However, I am having a hard time trying to trip some of the rules. I left the default rules selected in snort.conf, but can't seem to trip anything on the box.
Anyone have any recommendations on how to test this? I would like to see the results in the A.C.I.D. interface, but no dice so far.
one last thing: I have the Snort 2.0 book and I see there is a Snort 2.1 book. Is there a big difference between the two?
Thanks
Tarballed
tarballed
July 8th, 2004, 19:18
Never mind. I figured it out.
But check out some of the messages I see in /var/log/messages:
Jul 8 16:13:29 oxygen /kernel: Limiting closed port RST response from 336 to 200 packets per second
Jul 8 16:13:29 oxygen snort: database: mysql_error: Duplicate entry '1-1' for key 1 SQL=INSERT INTO event (sid,cid,signature,timestamp) VALUES ('1', '1', '1', '2004-07-08 16:13:29.127+000')
Jul 8 16:13:30 oxygen /kernel: Limiting closed port RST response from 334 to 200 packets per second
Jul 8 16:13:30 oxygen snort: database: mysql_error: Duplicate entry '1-2' for key 1 SQL=INSERT INTO event (sid,cid,signature,timestamp) VALUES ('1', '2', '2', '2004-07-08 16:13:30.207+000')
Jul 8 16:13:30 oxygen snort: database: mysql_error: Duplicate entry '1-3' for key 1 SQL=INSERT INTO event (sid,cid,signature,timestamp) VALUES ('1', '3', '3', '2004-07-08 16:13:30.207+000')
Jul 8 16:13:31 oxygen snort: database: mysql_error: Duplicate entry '1-4' for key 1 SQL=INSERT INTO event (sid,cid,signature,timestamp) VALUES ('1', '4', '3', '2004-07-08 16:13:30.671+000')
Jul 8 16:13:31 oxygen snort: database: mysql_error: Duplicate entry '1-5' for key 1 SQL=INSERT INTO event (sid,cid,signature,timestamp) VALUES ('1', '5', '3', '2004-07-08 16:13:31.074+000')
Jul 8 16:13:31 oxygen /kernel: Limiting closed port RST response from 323 to 200 packets per second
Jul 8 16:13:31 oxygen snort: database: mysql_error: Duplicate entry '1-6' for key 1 SQL=INSERT INTO event (sid,cid,signature,timestamp) VALUES ('1', '6', '4', '2004-07-08 16:13:31.582+000')
Jul 8 16:13:32 oxygen /kernel: Limiting closed port RST response from 327 to 200 packets per second
Jul 8 16:13:32 oxygen snort: database: mysql_error: Duplicate entry '1-7' for key 1 SQL=INSERT INTO event (sid,cid,signature,timestamp) VALUES ('1', '7', '5', '2004-07-08 16:13:32.609+000')
Jul 8 16:13:33 oxygen /kernel: Limiting closed port RST response from 329 to 200 packets per second
Jul 8 16:13:34 oxygen /kernel: Limiting closed port RST response from 285 to 200 packets per second
Jul 8 16:13:34 oxygen snort: database: mysql_error: Duplicate entry '1-8' for key 1 SQL=INSERT INTO event (sid,cid,signature,timestamp) VALUES ('1', '8', '6', '2004-07-08 16:13:34.922+000')
Jul 8 16:13:36 oxygen /kernel: Limiting closed port RST response from 324 to 200 packets per second
Jul 8 16:13:36 oxygen snort: database: mysql_error: Duplicate entry '1-9' for key 1 SQL=INSERT INTO event (sid,cid,signature,timestamp) VALUES ('1', '9', '3', '2004-07-08 16:13:35.970+000')
Jul 8 16:13:36 oxygen snort: database: mysql_error: Duplicate entry '1-10' for key 1 SQL=INSERT INTO event (sid,cid,signature,timestamp) VALUES ('1', '10', '7', '2004-07-08 16:13:35.976+000')
Jul 8 16:13:38 oxygen /kernel: Limiting closed port RST response from 202 to 200 packets per second
Jul 8 16:13:38 oxygen snort: database: mysql_error: Duplicate entry '1-11' for key 1 SQL=INSERT INTO event (sid,cid,signature,timestamp) VALUES ('1', '11', '7', '2004-07-08 16:13:38.053+000')
Jul 8 16:13:44 oxygen snort: database: mysql_error: Duplicate entry '1-12' for key 1 SQL=INSERT INTO event (sid,cid,signature,timestamp) VALUES ('1', '12', '7', '2004-07-08 16:13:44.280+000')
Jul 8 16:13:51 oxygen snort: database: mysql_error: Duplicate entry '1-13' for key 1 SQL=INSERT INTO event (sid,cid,signature,timestamp) VALUES ('1', '13', '7', '2004-07-08 16:13:51.041+000')
What is up with the mysql_errors? Or is that normal.
Tarballed
bsdjunkie
July 9th, 2004, 08:20
Looks like a few people have seen the same:
http://www.mcabee.org/lists/snort-users/Jan-04/msg00621.html
http://www.google.com/search?hl=en&lr=&ie=UTF-8&q=snort%3A+database%3A+mysql_error%3A+Duplicate+en try+&btnG=Search