Forums

Resolved
0 votes
Dear's

I'm requesting some help, regarding snort system on my home server (CO5.2).
Snort wos working good a long time, but last fue day I noticed that Intrision Detection is not working.
In the web console when I try to restart it it is present inscription "Folder does not exist - - /etc/snort".
I inspected the system directories and is really missing, but I don't now haw it is gone, because nobady delited.

please provide information/solution haw to restore complite folder with files in it.

I now that is the eassy way to reinstall compeate system but for the moment it is not the option.

THX:)
Attachments:
Monday, July 20 2015, 07:13 PM
Share this post:
Responses (9)
  • Accepted Answer

    Monday, July 20 2015, 08:52 PM - #Permalink
    Resolved
    0 votes
    Have you run out of disk space? What is the output of "df -h"?
    The reply is currently minimized Show
  • Accepted Answer

    Tuesday, July 21 2015, 04:07 PM - #Permalink
    Resolved
    0 votes
    As you can see I'm not run out of HDD space.

    [root@server ~]# df -h
    Filesystem Size Used Avail Use% Mounted on
    /dev/mapper/root_group-root
    35G 5.3G 28G 17% /
    /dev/hda1 99M 12M 82M 13% /boot
    /dev/mapper/raid_group-home
    917G 733G 138G 85% /home
    tmpfs 442M 0 442M 0% /dev/shm

    The point is that I don't know when and why folder and files gone.
    I try to find them on the system HDD but they are not present.

    Need to ask, it is possible to resolve the problem, to install CO5.2 on VM machine and after copy folder and files from there!

    Please I really need a solution.

    THX
    The reply is currently minimized Show
  • Accepted Answer

    Tuesday, July 21 2015, 05:30 PM - #Permalink
    Resolved
    0 votes
    the output of command snot is:


    WARNING => [Alert_FWsam](FWsamCheckIn) Could not connect to host . Will try later.
    ERROR: Unable to open rules file: /etc/snort/classification.config or /etc//etc/snort/classification.config
    Fatal Error, Quitting..

    if it is help to resolve the problem.
    The reply is currently minimized Show
  • Accepted Answer

    Tuesday, July 21 2015, 08:31 PM - #Permalink
    Resolved
    0 votes
    Can you do a "locate classification.config" to find the exact location then have a look at the contents. Mine (on 6.x but it probably does not matter) is like:
    # $Id$
    # The following includes information for prioritizing rules
    #
    # Each classification includes a shortname, a description, and a default
    # priority for that classification.
    #
    # This allows alerts to be classified and prioritized. You can specify
    # what priority each classification has. Any rule can override the default
    # priority for that rule.
    #
    # Here are a few example rules:
    #
    # alert TCP any any -> any 80 (msg: "EXPLOIT ntpdx overflow";
    # dsize: > 128; classtype:attempted-admin; priority:10;
    #
    # alert TCP any any -> any 25 (msg:"SMTP expn root"; flags:A+; \
    # content:"expn root"; nocase; classtype:attempted-recon;)
    #
    # The first rule will set its type to "attempted-admin" and override
    # the default priority for that type to 10.
    #
    # The second rule set its type to "attempted-recon" and set its
    # priority to the default for that type.
    #

    #
    # config classification:shortname,short description,priority
    #

    config classification: not-suspicious,Not Suspicious Traffic,3
    config classification: unknown,Unknown Traffic,3
    config classification: bad-unknown,Potentially Bad Traffic, 2
    config classification: attempted-recon,Attempted Information Leak,2
    config classification: successful-recon-limited,Information Leak,2
    config classification: successful-recon-largescale,Large Scale Information Leak,2
    config classification: attempted-dos,Attempted Denial of Service,2
    config classification: successful-dos,Denial of Service,2
    config classification: attempted-user,Attempted User Privilege Gain,1
    config classification: unsuccessful-user,Unsuccessful User Privilege Gain,1
    config classification: successful-user,Successful User Privilege Gain,1
    config classification: attempted-admin,Attempted Administrator Privilege Gain,1
    config classification: successful-admin,Successful Administrator Privilege Gain,1


    # NEW CLASSIFICATIONS
    config classification: rpc-portmap-decode,Decode of an RPC Query,2
    config classification: shellcode-detect,Executable Code was Detected,1
    config classification: string-detect,A Suspicious String was Detected,3
    config classification: suspicious-filename-detect,A Suspicious Filename was Detected,2
    config classification: suspicious-login,An Attempted Login Using a Suspicious Username was Detected,2
    config classification: system-call-detect,A System Call was Detected,2
    config classification: tcp-connection,A TCP Connection was Detected,4
    config classification: trojan-activity,A Network Trojan was Detected, 1
    config classification: unusual-client-port-connection,A Client was Using an Unusual Port,2
    config classification: network-scan,Detection of a Network Scan,3
    config classification: denial-of-service,Detection of a Denial of Service Attack,2
    config classification: non-standard-protocol,Detection of a Non-Standard Protocol or Event,2
    config classification: protocol-command-decode,Generic Protocol Command Decode,3
    config classification: web-application-activity,Access to a Potentially Vulnerable Web Application,2
    config classification: web-application-attack,Web Application Attack,1
    config classification: misc-activity,Misc activity,3
    config classification: misc-attack,Misc Attack,2
    config classification: icmp-event,Generic ICMP event,3
    config classification: inappropriate-content,Inappropriate Content was Detected,1
    config classification: policy-violation,Potential Corporate Privacy Violation,1
    config classification: default-login-attempt,Attempt to Login By a Default Username and Password,2
    config classification: sdf,Sensitive Data was Transmitted Across the Network,2
    config classification: file-format,Known malicious file or file based exploit,1
    config classification: malware-cnc,Known malware command and control traffic,1
    config classification: client-side-exploit,Known client side exploit attempt,1

    If it is OK, have a look at /etc/snort.conf and check the "include" line pointing to the file is correct.
    The reply is currently minimized Show
  • Accepted Answer

    Wednesday, July 22 2015, 09:26 AM - #Permalink
    Resolved
    0 votes
    You need to understand why the files dis-appeared - but you might be able to brute force it back working by :-

    # rpm -e clearsdn-intrusion-protection snort app-snort app-snortsam

    # yum install clearsdn-intrusion-protection snort app-snort app-snortsam

    # chkconfig snort on

    # chkconfig snortsam on

    # service snort start

    # service snortsam start

    then to check

    # service snort status

    # service snortsam status
    The reply is currently minimized Show
  • Accepted Answer

    Thursday, July 23 2015, 05:03 AM - #Permalink
    Resolved
    0 votes
    Tony,

    I follow your instructions and seems to uninstall "snort and snortsam".

    Log below:
    # rpm -e clearsdn-intrusion-protection snort app-snort app-snort sam
    warning: /etc/snortsam.conf saved as /etc/snortsam.conf.rpmsave
    warning: /etc/snort.conf saved as /etc/snort.conf.rpmsave
    error reading information on service snort: No such file or directory
    [root@server ~]# yum install clearsdn-intrusion-protection snort app-snort app- snortsam
    Loading "kmod" plugin
    Loading "protect-packages" plugin
    base-supplements | 951 B 00:00
    base-kernels | 951 B 00:00
    base-updates | 951 B 00:00
    base-console | 951 B 00:00
    clearcentos-os | 951 B 00:00
    http://plex.r.worldssl.net/PlexMediaServer/fedora-repo/release/i386/repodata/rep omd.xml: [Errno 14] HTTP Error 404: Not Found
    Trying other mirror.
    Error: Cannot retrieve repository metadata (repomd.xml) for repository: plex. Pl ease verify its path and try again
    [root@server ~]# chkconfig snort on
    error reading information on service snort: No such file or directory
    [root@server ~]# chkconfig snortsam on
    error reading information on service snortsam: No such file or directory
    [root@server ~]# service snort start
    snort: unrecognized service
    [root@server ~]# service snortsam start
    snortsam: unrecognized service
    [root@server ~]# snort status
    -bash: snort: command not found
    [root@server ~]# snort
    -bash: snort: command not found
    [root@server ~]# snortsam
    -bash: snortsam: command not found
    [root@server ~]#

    But now I cant install it back, due to Link of installation files not existing.

    Please can you help, maybe provide dome instruction where can I find CC5.2 intrusion- protection installation files.

    BR
    The reply is currently minimized Show
  • Accepted Answer

    Thursday, July 23 2015, 05:52 AM - #Permalink
    Resolved
    0 votes
    By having none ClearOS repositories enabled by default you are risking "rpm hell". Big no no :(

    Immediately go to your /etc/yum.repos.d/ directory and ensure that every None ClearOS repository
    (.repo file) has the the line "enabled = 0" for each repo.

    That should get rid of the error message - you are pointing to a repository not available which caused
    the command to bomb. The rpms you need are in the standard ClearOS 5.2 repository and the
    command I gave works for a correctly setup ClearOS 5.2 install...


    [root@madeleine ~]# cat /etc/release
    ClearOS Enterprise Edition release 5.2
    [root@madeleine ~]# yum list clearsdn-intrusion-protection snort app-snort app-snortsam
    Loading "protect-packages" plugin
    Loading "kmod" plugin
    Available Packages
    app-snort.i386 5.2-10 base-os
    app-snortsam.i386 5.2-10 base-os
    clearsdn-intrusion-protection.noarch 5.1-20100628.2325 base-os
    snort.i386 2.8.4.1-3.2.v5 base-os
    [root@madeleine ~]# yum install clearsdn-intrusion-protection snort app-snort app-snortsam
    Loading "protect-packages" plugin
    Loading "kmod" plugin
    Setting up Install Process
    Parsing package install arguments
    Resolving Dependencies
    --> Running transaction check
    ---> Package app-snort.i386 0:5.2-10 set to be updated
    ---> Package clearsdn-intrusion-protection.noarch 0:5.1-20100628.2325 set to be updated
    ---> Package app-snortsam.i386 0:5.2-10 set to be updated
    ---> Package snort.i386 0:2.8.4.1-3.2.v5 set to be updated
    --> Finished Dependency Resolution

    Dependencies Resolved

    =============================================================================
    Package Arch Version Repository Size
    =============================================================================
    Installing for dependencies:
    app-snort i386 5.2-10 base-os 55 k
    app-snortsam i386 5.2-10 base-os 37 k
    clearsdn-intrusion-protection noarch 5.1-20100628.2325 base-os 440 k
    snort i386 2.8.4.1-3.2.v5 base-os 821 k

    Transaction Summary
    =============================================================================
    Install 4 Package(s)
    Update 0 Package(s)
    Remove 0 Package(s)

    Total download size: 1.3 M
    Is this ok [y/N]:
    The reply is currently minimized Show
  • Accepted Answer

    Thursday, July 23 2015, 11:49 AM - #Permalink
    Resolved
    0 votes
    Odd. There is no base-os listed as a result Bostjan's yum command. What is the result of "yum repolist"?
    The reply is currently minimized Show
  • Accepted Answer

    Thursday, July 23 2015, 02:51 PM - #Permalink
    Resolved
    0 votes
    Tony, Nick

    BIG thx for halp!

    I manage to reinstall snort system to my server.

    maybe just one question, on the end of command "snort status" I gat stage respose from server, bellow is log:

    [root@server ~]# snort status
    Snort BPF option: status
    Running in IDS mode with inferred config file: /etc/snort.conf

    --== Initializing Snort ==--
    Initializing Output Plugins!
    Initializing Preprocessors!
    Initializing Plug-ins!
    Parsing Rules file /etc/snort.conf
    PortVar 'HTTP_PORTS' defined : [ 80 ]
    PortVar 'SHELLCODE_PORTS' defined : [ 0:79 81:65535 ]
    PortVar 'ORACLE_PORTS' defined : [ 1521 ]
    Frag3 global config:
    Max frags: 65536
    Fragment memory cap: 4194304 bytes
    Frag3 engine config:
    Target-based policy: FIRST
    Fragment timeout: 60 seconds
    Fragment min_ttl: 1
    Fragment ttl_limit (not used): 5
    Fragment Problems: 1
    Stream5 global config:
    Track TCP sessions: ACTIVE
    Max TCP sessions: 8192
    Memcap (for reassembly packet storage): 8388608
    Track UDP sessions: INACTIVE
    Track ICMP sessions: INACTIVE
    Log info if session memory consumption exceeds 1048576
    Stream5 TCP Policy config:
    Reassembly Policy: FIRST
    Timeout: 30 seconds
    Min ttl: 1
    Maximum number of bytes to queue per session: 1048576
    Maximum number of segs to queue per session: 2621
    Options:
    Static Flushpoint Sizes: YES
    Reassembly Ports:
    21 client (Footprint)
    23 client (Footprint)
    25 client (Footprint)
    42 client (Footprint)
    53 client (Footprint)
    80 client (Footprint)
    110 client (Footprint)
    111 client (Footprint)
    135 client (Footprint)
    136 client (Footprint)
    137 client (Footprint)
    139 client (Footprint)
    143 client (Footprint)
    445 client (Footprint)
    513 client (Footprint)
    514 client (Footprint)
    1433 client (Footprint)
    1521 client (Footprint)
    2401 client (Footprint)
    3306 client (Footprint)
    HttpInspect Config:
    GLOBAL CONFIG
    Max Pipeline Requests: 0
    Inspection Type: STATELESS
    Detect Proxy Usage: NO
    IIS Unicode Map Filename: /etc/unicode.map
    IIS Unicode Map Codepage: 1252
    DEFAULT SERVER CONFIG:
    Server profile: All
    Ports: 80 8080 8180
    Server Flow Depth: 300
    Client Flow Depth: 300
    Max Chunk Length: 500000
    Max Header Field Length: 0
    Max Number Header Fields: 0
    Inspect Pipeline Requests: YES
    URI Discovery Strict Mode: NO
    Allow Proxy Usage: NO
    Disable Alerting: NO
    Oversize Dir Length: 500
    Only inspect URI: NO
    Normalize HTTP Headers: NO
    Normalize HTTP Cookies: NO
    Ascii: YES alert: NO
    Double Decoding: YES alert: YES
    %U Encoding: YES alert: YES
    Bare Byte: YES alert: YES
    Base36: OFF
    UTF 8: OFF
    IIS Unicode: YES alert: YES
    Multiple Slash: YES alert: NO
    IIS Backslash: YES alert: NO
    Directory Traversal: YES alert: NO
    Web Root Traversal: YES alert: YES
    Apache WhiteSpace: YES alert: NO
    IIS Delimiter: YES alert: NO
    IIS Unicode Map: GLOBAL IIS UNICODE MAP CONFIG
    Non-RFC Compliant Characters: NONE
    Whitespace Characters: 0x09 0x0b 0x0c 0x0d
    rpc_decode arguments:
    Ports to decode RPC on: 111 32771
    alert_fragments: INACTIVE
    alert_large_fragments: ACTIVE
    alert_incomplete: ACTIVE
    alert_multiple_requests: ACTIVE
    Portscan Detection Config:
    Detect Protocols: TCP UDP ICMP IP
    Detect Scan Type: portscan portsweep decoy_portscan distributed_portscan
    Sensitivity Level: Low
    Memcap (in bytes): 10000000
    Number of Nodes: 36900

    INFO => [Alert_FWsam](FWsamCheckIn) Connected to host .
    Tagged Packet Limit: 256
    Loading dynamic engine /usr/lib/snort_dynamicengine/libsf_engine.so... done
    Loading all dynamic preprocessor libs from /usr/lib/snort_dynamicpreprocessor...
    Loading dynamic preprocessor library /usr/lib/snort_dynamicpreprocessor/libsf_dcerpc_preproc.so... done
    Loading dynamic preprocessor library /usr/lib/snort_dynamicpreprocessor/libsf_ssl_preproc.so... done
    Loading dynamic preprocessor library /usr/lib/snort_dynamicpreprocessor/libsf_dce2_preproc.so... done
    Loading dynamic preprocessor library /usr/lib/snort_dynamicpreprocessor/libsf_ftptelnet_preproc.so... done
    Loading dynamic preprocessor library /usr/lib/snort_dynamicpreprocessor/libsf_smtp_preproc.so... done
    Loading dynamic preprocessor library /usr/lib/snort_dynamicpreprocessor/libsf_dns_preproc.so... done
    Loading dynamic preprocessor library /usr/lib/snort_dynamicpreprocessor/libsf_ssh_preproc.so... done
    Finished Loading all dynamic preprocessor libs from /usr/lib/snort_dynamicpreprocessor
    FTPTelnet Config:
    GLOBAL CONFIG
    Inspection Type: stateful
    Check for Encrypted Traffic: YES alert: YES
    Continue to check encrypted data: NO
    TELNET CONFIG:
    Ports: 23
    Are You There Threshold: 200
    Normalize: YES
    Detect Anomalies: NO
    FTP CONFIG:
    FTP Server: default
    Ports: 21
    Check for Telnet Cmds: YES alert: YES
    Identify open data channels: YES
    FTP Client: default
    Check for Bounce Attacks: YES alert: YES
    Check for Telnet Cmds: YES alert: YES
    Max Response Length: 256
    SMTP Config:
    Ports: 25 587 691
    Inspection Type: Stateful
    Normalize: EXPN RCPT VRFY
    Ignore Data: No
    Ignore TLS Data: No
    Ignore SMTP Alerts: No
    Max Command Line Length: Unlimited
    Max Specific Command Line Length:
    ETRN:500 EXPN:255 HELO:500 HELP:500 MAIL:260
    RCPT:300 VRFY:255
    Max Header Line Length: Unlimited
    Max Response Line Length: Unlimited
    X-Link2State Alert: Yes
    Drop on X-Link2State Alert: No
    Alert on commands: None
    DCE/RPC Decoder config:
    Autodetect ports ENABLED
    SMB fragmentation ENABLED
    DCE/RPC fragmentation ENABLED
    Max Frag Size: 3000 bytes
    Memcap: 100000 KB
    Alert if memcap exceeded DISABLED
    Reassembly increment: DISABLED
    DNS config:
    DNS Client rdata txt Overflow Alert: ACTIVE
    Obsolete DNS RR Types Alert: INACTIVE
    Experimental DNS RR Types Alert: INACTIVE
    Ports: 53
    SSLPP config:
    Encrypted packets: not inspected
    Ports:
    443 465 563 636 989
    992 993 994 995
    Server side data is trusted

    +++++++++++++++++++++++++++++++++++++++++++++++++++
    Initializing rule chains...
    2740 Snort rules read
    2740 detection rules
    0 decoder rules
    0 preprocessor rules
    2740 Option Chains linked into 243 Chain Headers
    0 Dynamic rules
    +++++++++++++++++++++++++++++++++++++++++++++++++++

    +-------------------[Rule Port Counts]---------------------------------------
    | tcp udp icmp ip
    | src 102 11 0 0
    | dst 2324 117 0 0
    | any 117 46 46 19
    | nc 47 10 10 12
    | s+d 8 5 0 0
    +----------------------------------------------------------------------------

    +-----------------------[thresholding-config]----------------------------------
    | memory-cap : 1048576 bytes
    +-----------------------[thresholding-global]----------------------------------
    | none
    +-----------------------[thresholding-local]-----------------------------------
    | gen-id=1 sig-id=2000536 type=Both tracking=dst count=1 seconds=60
    | gen-id=1 sig-id=100000162 type=Both tracking=src count=100 seconds=60
    | gen-id=1 sig-id=2001583 type=Both tracking=src count=40 seconds=60
    | gen-id=1 sig-id=2010642 type=Threshold tracking=src count=5 seconds=60
    | gen-id=1 sig-id=2010643 type=Threshold tracking=src count=5 seconds=60
    | gen-id=1 sig-id=2000544 type=Both tracking=dst count=1 seconds=60
    | gen-id=1 sig-id=2010494 type=Threshold tracking=src count=5 seconds=120
    | gen-id=1 sig-id=2008577 type=Threshold tracking=dst count=5 seconds=15
    | gen-id=1 sig-id=2000537 type=Both tracking=dst count=1 seconds=60
    | gen-id=1 sig-id=2000546 type=Both tracking=dst count=1 seconds=60
    | gen-id=1 sig-id=2001580 type=Both tracking=src count=70 seconds=60
    | gen-id=1 sig-id=2000545 type=Both tracking=dst count=1 seconds=60
    | gen-id=1 sig-id=2009584 type=Both tracking=dst count=1 seconds=60
    | gen-id=1 sig-id=2001581 type=Both tracking=src count=70 seconds=60
    | gen-id=1 sig-id=3000001 type=Threshold tracking=src count=6 seconds=30
    | gen-id=1 sig-id=3273 type=Threshold tracking=src count=5 seconds=2
    | gen-id=1 sig-id=2008454 type=Threshold tracking=src count=30 seconds=30
    | gen-id=1 sig-id=2008230 type=Both tracking=src count=30 seconds=60
    | gen-id=1 sig-id=2002911 type=Threshold tracking=src count=5 seconds=60
    | gen-id=1 sig-id=2002664 type=Limit tracking=src count=1 seconds=60
    | gen-id=1 sig-id=2001904 type=Both tracking=src count=30 seconds=60
    | gen-id=1 sig-id=100000158 type=Both tracking=src count=100 seconds=60
    | gen-id=1 sig-id=2002842 type=Both tracking=src count=5 seconds=60
    | gen-id=1 sig-id=2002994 type=Both tracking=src count=10 seconds=120
    | gen-id=1 sig-id=2002992 type=Both tracking=src count=10 seconds=120
    | gen-id=1 sig-id=2001972 type=Both tracking=src count=20 seconds=360
    | gen-id=1 sig-id=2002993 type=Both tracking=src count=10 seconds=120
    | gen-id=1 sig-id=2001569 type=Both tracking=src count=70 seconds=60
    | gen-id=1 sig-id=100000163 type=Both tracking=src count=100 seconds=60
    | gen-id=1 sig-id=2000543 type=Both tracking=dst count=1 seconds=60
    | gen-id=1 sig-id=2009582 type=Both tracking=dst count=1 seconds=60
    | gen-id=1 sig-id=2001579 type=Both tracking=src count=70 seconds=60
    | gen-id=1 sig-id=2008453 type=Threshold tracking=src count=30 seconds=30
    | gen-id=1 sig-id=2001582 type=Both tracking=src count=40 seconds=60
    | gen-id=1 sig-id=2009583 type=Both tracking=dst count=1 seconds=60
    | gen-id=1 sig-id=2008455 type=Threshold tracking=src count=30 seconds=30
    | gen-id=1 sig-id=3152 type=Threshold tracking=src count=5 seconds=2
    | gen-id=1 sig-id=3000002 type=Threshold tracking=src count=20 seconds=60
    | gen-id=1 sig-id=100000208 type=Threshold tracking=src count=50 seconds=60
    | gen-id=1 sig-id=100000877 type=Limit tracking=src count=1 seconds=300
    | gen-id=1 sig-id=2002383 type=Threshold tracking=dst count=5 seconds=300
    | gen-id=1 sig-id=2002910 type=Threshold tracking=src count=5 seconds=60
    | gen-id=1 sig-id=2523 type=Both tracking=dst count=10 seconds=10
    | gen-id=1 sig-id=2001906 type=Both tracking=src count=5 seconds=60
    | gen-id=1 sig-id=2002995 type=Both tracking=src count=10 seconds=120
    | gen-id=1 sig-id=100000923 type=Threshold tracking=dst count=200 seconds=60
    | gen-id=1 sig-id=100000159 type=Both tracking=src count=100 seconds=60
    | gen-id=1 sig-id=100000161 type=Both tracking=dst count=100 seconds=60
    +-----------------------[suppression]------------------------------------------
    | none
    -------------------------------------------------------------------------------
    Rule application order: activation->dynamic->pass->drop->alert->log
    Log directory = /var/log/snort
    Verifying Preprocessor Configurations!
    Warning: flowbits key 'sslv2.server_hello.request' is checked but not ever set.
    17 out of 512 flowbits in use.
    ***
    *** interface device lookup found: eth0
    ***

    Initializing Network Interface eth0
    ERROR: OpenPcap() FSM compilation failed:
    syntax error
    PCAP command: status
    Fatal Error, Quitting..

    Please if you can help to resolve the problem.

    thx
    The reply is currently minimized Show
Your Reply