From thomas.creutz at gmx.de Tue Mar 16 09:20:43 2010
From: thomas.creutz at gmx.de (Thomas Creutz)
Date: Tue, 16 Mar 2010 15:20:43 +0100
Subject: [Snortsam-discussion] Makefile for snortsam
Message-ID: <4B9F93BB.5030405@gmx.de>

Hi,

I am trying to create a package for Debian systems from snortsam...

My problem is the missing Makefile! Please add a Makefile to your project :-)

Regards,
Thomas Creutz

From ohauer at gmx.de Tue Mar 16 09:55:44 2010
From: ohauer at gmx.de (olli hauer)
Date: Tue, 16 Mar 2010 15:55:44 +0100
Subject: [Snortsam-discussion] Makefile for snortsam
In-Reply-To: <4B9F93BB.5030405@gmx.de>
References: <4B9F93BB.5030405@gmx.de>
Message-ID: <4B9F9BF0.7080001@gmx.de>

Thomas Creutz wrote:
> Hi,
>
> I am trying to create a package for Debian systems from snortsam...
>
> My problem is the missing Makefile! Please add a Makefile to your project :-)

Hi Thomas,

there is a Makefile in the src directory.

snortsam/src/Makefile

@Frank
Last month I had to build snortsam on a CentOS machine and noticed that the following
lines in the Makefile do not work there, since the condition starts with '.if':

.if defined(DEBUG)
DEBUG = -DFWSAMDEBUG
.endif

These lines are from one of my last patches.
Linux expects the condition without the '.' before 'if' and 'else'.

Regards,
olli hauer

From thomas.creutz at gmx.de Tue Mar 16 16:23:47 2010
From: thomas.creutz at gmx.de (Thomas Creutz)
Date: Tue, 16 Mar 2010 22:23:47 +0100
Subject: [Snortsam-discussion] Makefile for snortsam
In-Reply-To: <4B9F9BF0.7080001@gmx.de>
References: <4B9F93BB.5030405@gmx.de> <4B9F9BF0.7080001@gmx.de>
Message-ID: <4B9FF6E3.3040703@gmx.de>

olli hauer wrote:
> Thomas Creutz wrote:
>> My problem is the missing Makefile! Please add a Makefile to your project :-)
>
> there is a Makefile in the src directory.
>
> snortsam/src/Makefile

Yes, sorry... I found it now.

> @Frank
> Last month I had to build snortsam on a CentOS machine and noticed that the following
> lines in the Makefile do not work there, since the condition starts with '.if':
>
> .if defined(DEBUG)
> DEBUG = -DFWSAMDEBUG
> .endif
>

The right form is ifdef. I made a patch for it:

--- snortsam-2.69.orig/src/Makefile
+++ snortsam-2.69/src/Makefile
@@ -20,9 +20,9 @@
 # To build the old pf plugin uncomment PFPLUGIN
 #PFPLUGIN = -DUSE_SSP_PF
 
-.if defined(DEBUG)
+ifdef DEBUG
 DEBUG = -DFWSAMDEBUG
-.endif
+endif
 
 # generic plugins for all builds
 SSP_GENERIC = ssp_fwexec.o ssp_ciscoacl.o ssp_cisco_nullroute.o ssp_email.o \

From ohauer at gmx.de Tue Mar 16 17:17:01 2010
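Review bot: with `ifdef DEBUG` followed by `DEBUG = -DFWSAMDEBUG`, the obvious invocation `make DEBUG=1` never produces `-DFWSAMDEBUG`: GNU make lets a variable given on the command line override every ordinary assignment in the makefile, so the assignment inside the conditional is ignored unless it is written `override DEBUG = -DFWSAMDEBUG`; only `DEBUG=1 make` (environment, not command line) gets rewritten. The hunk also only trades one dialect for the other, since `ifdef`/`endif` is GNU make syntax just as `.if defined()`/`.endif` is BSD make syntax, so the file still cannot be parsed by both makes. Either use `override` and document the `DEBUG=1 make` form, or drop the block entirely and let a debug build pass the define in explicitly.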
From: ohauer at gmx.de (olli hauer)
Date: Tue, 16 Mar 2010 23:17:01 +0100
Subject: [Snortsam-discussion] Makefile for snortsam
In-Reply-To: <4B9FF6E3.3040703@gmx.de>
References: <4B9F93BB.5030405@gmx.de> <4B9F9BF0.7080001@gmx.de> <4B9FF6E3.3040703@gmx.de>
Message-ID: <4BA0035D.5020508@gmx.de>

Thomas Creutz wrote:
> olli hauer wrote:
>> Thomas Creutz wrote:
>>> My problem is the missing Makefile! Please add a Makefile to your project :-)
>> there is a Makefile in the src directory.
>>
>> snortsam/src/Makefile
>
> Yes, sorry... I found it now.
>
>> @Frank
>> Last month I had to build snortsam on a CentOS machine and noticed that the following
>> lines in the Makefile do not work there, since the condition starts with '.if':
>>
>> .if defined(DEBUG)
>> DEBUG = -DFWSAMDEBUG
>> .endif
>>
>
> The right form is ifdef. I made a patch for it:
>
> --- snortsam-2.69.orig/src/Makefile
> +++ snortsam-2.69/src/Makefile
> @@ -20,9 +20,9 @@
>  # To build the old pf plugin uncomment PFPLUGIN
>  #PFPLUGIN = -DUSE_SSP_PF
>
> -.if defined(DEBUG)
> +ifdef DEBUG
>  DEBUG = -DFWSAMDEBUG
> -.endif
> +endif

Perhaps it is better to remove the expression (it slipped in while rewriting the
FreeBSD port).

Regards,
olli

From Alberto Nicolás Gentil Otero - GenSys Mon Mar 22 04:44:18 2010
From: Alberto Nicolás Gentil Otero - GenSys (Alberto Nicolás Gentil Otero - GenSys)
Date: Mon, 22 Mar 2010 10:44:18 +0100
Subject: [Snortsam-discussion] Problems in snortsam.log
Message-ID: <4BA73BF2.2010001@gensys.es>

Hi,

I run snortsam and it works well; it blocks according to the alerts that come from Snort.

When you have a time block, it stops working.

/var/log/snortsam.log appears as follows:

2010/03/22, 10:31:25, 127.0.0.1, 3, snortsam, Accepted connection from 127.0.0.1.
2010/03/22, 10:31:33, 127.0.0.1, 3, snortsam, Accepted connection from 127.0.0.1.
2010/03/22, 10:31:33, 127.0.0.1, 3, snortsam, Had to use initial key!
2010/03/22, 10:32:05, 127.0.0.1, 3, snortsam, Accepted connection from 127.0.0.1.
2010/03/22, 10:32:05, 127.0.0.1, 3, snortsam, Had to use initial key!
2010/03/22, 10:32:05, 127.0.0.1, 1, snortsam, Snort station 127.0.0.1 using wrong password, trying to re-sync.
2010/03/22, 10:32:05, 127.0.0.1, 3, snortsam, Accepted connection from 127.0.0.1.
2010/03/22, 10:32:05, 127.0.0.1, 3, snortsam, Had to use initial key!
2010/03/22, 10:32:05, 127.0.0.1, 1, snortsam, Snort station 127.0.0.1 using wrong password, trying to re-sync.
2010/03/22, 10:32:05, 127.0.0.1, 3, snortsam, Accepted connection from 127.0.0.1.
2010/03/22, 10:32:05, 127.0.0.1, 3, snortsam, Accepted connection from 127.0.0.1.
2010/03/22, 10:32:05, 127.0.0.1, 3, snortsam, Had to use initial key!
2010/03/22, 10:32:05, 127.0.0.1, 3, snortsam, Accepted connection from 127.0.0.1.
2010/03/22, 10:32:05, 127.0.0.1, 3, snortsam, Had to use initial key!
2010/03/22, 10:32:05, 127.0.0.1, 1, snortsam, Snort station 127.0.0.1 using wrong password, trying to re-sync.
2010/03/22, 10:32:05, 127.0.0.1, 3, snortsam, Accepted connection from 127.0.0.1.
2010/03/22, 10:32:05, 127.0.0.1, 3, snortsam, Had to use initial key!
2010/03/22, 10:32:05, 127.0.0.1, 1, snortsam, Snort station 127.0.0.1 using wrong password, trying to re-sync.

The configuration I have is the following:

---> /etc/snort/snort.conf

...
output alert_fwsam: 127.0.0.1:8610/snortpass
...

---> /etc/snortsam.conf

defaultkey snortpass
port 8610
accept 127.0.0.1/32
daemon
loglevel 3
logfile /var/log/snortsam.log
cisconullroute ************************

I tried different passwords, settings and ports and it always gives the same warning messages, and snortsam stops working (freezes).

I would greatly appreciate your help.

Sorry for my English.

Greetings.

From ohauer at gmx.de Mon Mar 22 05:21:39 2010
From: ohauer at gmx.de (olli hauer)
Date: Mon, 22 Mar 2010 11:21:39 +0100
Subject: [Snortsam-discussion] Problems in snortsam.log
In-Reply-To: <4BA73BF2.2010001@gensys.es>
References: <4BA73BF2.2010001@gensys.es>
Message-ID: <4BA744B3.8020806@gmx.de>

Alberto Nicolás Gentil Otero - GenSys Telecomunicaciones wrote:
> Hi,
>
> I run snortsam and it works well; it blocks according to the alerts that come
> from Snort.
>
> When you have a time block, it stops working.
>
> /var/log/snortsam.log appears as follows:
...
> 2010/03/22, 10:32:05, 127.0.0.1, 3, snortsam, Had to use initial key!
> 2010/03/22, 10:32:05, 127.0.0.1, 1, snortsam, Snort station 127.0.0.1
> using wrong password, trying to re-sync.
>
> The configuration I have is the following:
>
> ---> /etc/snort/snort.conf
>
> ...
> output alert_fwsam: 127.0.0.1:8610/snortpass
> ...
>
> ---> /etc/snortsam.conf
>
> defaultkey snortpass
> port 8610
> accept 127.0.0.1/32
> daemon
> loglevel 3
> logfile /var/log/snortsam.log
> cisconullroute ************************
>
> I tried different passwords, settings and ports and it always gives the
> same warning messages, and snortsam stops working (freezes).
>

Please retry with the following line:
accept 127.0.0.1/32, snortpass

From Alberto Nicolás Gentil Otero - GenSys Mon Mar 22 05:29:12 2010
From: Alberto Nicolás Gentil Otero - GenSys (Alberto Nicolás Gentil Otero - GenSys)
Date: Mon, 22 Mar 2010 11:29:12 +0100
Subject: [Snortsam-discussion] Problems in snortsam.log
In-Reply-To: <4BA744B3.8020806@gmx.de>
References: <4BA73BF2.2010001@gensys.es> <4BA744B3.8020806@gmx.de>
Message-ID: <4BA74678.9070308@gensys.es>

olli hauer wrote:
> Alberto Nicolás Gentil Otero - GenSys Telecomunicaciones wrote:
>
>> Hi,
>>
>> I run snortsam and it works well; it blocks according to the alerts that come
>> from Snort.
>>
>> When you have a time block, it stops working.
>>
>> /var/log/snortsam.log appears as follows:
>>
> ...
>
>> 2010/03/22, 10:32:05, 127.0.0.1, 3, snortsam, Had to use initial key!
>> 2010/03/22, 10:32:05, 127.0.0.1, 1, snortsam, Snort station 127.0.0.1
>> using wrong password, trying to re-sync.
>>
>> The configuration I have is the following:
>>
>> ---> /etc/snort/snort.conf
>>
>> ...
>> output alert_fwsam: 127.0.0.1:8610/snortpass
>> ...
>>
>> ---> /etc/snortsam.conf
>>
>> defaultkey snortpass
>> port 8610
>> accept 127.0.0.1/32
>> daemon
>> loglevel 3
>> logfile /var/log/snortsam.log
>> cisconullroute ************************
>>
>> I tried different passwords, settings and ports and it always gives the
>> same warning messages, and snortsam stops working (freezes).
>>
>>
>
> Please retry with the following line:
> accept 127.0.0.1/32, snortpass
>
> _______________________________________________
> Snortsam-discussion mailing list
> Snortsam-discussion at snortsam.net
> http://lists.snortsam.net/mailman/listinfo/snortsam-discussion
>
>

Thanks for answering.

I changed the line that you say and reset barnyard2, snort and snortsam.

The result is the same:

2010/03/22, 11:25:33, 127.0.0.1, 1, snortsam, Snort station 127.0.0.1 using wrong password, trying to re-sync.
2010/03/22, 11:25:33, 127.0.0.1, 3, snortsam, Accepted connection from 127.0.0.1.
2010/03/22, 11:25:33, 127.0.0.1, 3, snortsam, Accepted connection from 127.0.0.1.
2010/03/22, 11:25:33, 127.0.0.1, 3, snortsam, Had to use initial key!
2010/03/22, 11:25:33, 127.0.0.1, 3, snortsam, Accepted connection from 127.0.0.1.
2010/03/22, 11:25:33, 127.0.0.1, 3, snortsam, Had to use initial key!
2010/03/22, 11:25:33, 127.0.0.1, 1, snortsam, Snort station 127.0.0.1 using wrong password, trying to re-sync.
2010/03/22, 11:25:33, 127.0.0.1, 3, snortsam, Accepted connection from 127.0.0.1.
2010/03/22, 11:25:33, 127.0.0.1, 3, snortsam, Had to use initial key!
2010/03/22, 11:25:33, 127.0.0.1, 1, snortsam, Snort station 127.0.0.1 using wrong password, trying to re-sync.

From ohauer at gmx.de Mon Mar 22 05:44:11 2010
From: ohauer at gmx.de (olli hauer)
Date: Mon, 22 Mar 2010 11:44:11 +0100
Subject: [Snortsam-discussion] Problems in snortsam.log
In-Reply-To: <4BA74678.9070308@gensys.es>
References: <4BA73BF2.2010001@gensys.es> <4BA744B3.8020806@gmx.de> <4BA74678.9070308@gensys.es>
Message-ID: <4BA749FB.1060806@gmx.de>

Alberto Nicolás Gentil Otero - GenSys Telecomunicaciones wrote:
> olli hauer wrote:
>> Alberto Nicolás Gentil Otero - GenSys Telecomunicaciones wrote:
>>
>>> Hi,
>>>
>>> I run snortsam and it works well; it blocks according to the alerts that come
>>> from Snort.
>>>
>>> When you have a time block, it stops working.
>>>
>>> /var/log/snortsam.log appears as follows:
>>>
>> ...
>>
>>> 2010/03/22, 10:32:05, 127.0.0.1, 3, snortsam, Had to use initial key!
>>> 2010/03/22, 10:32:05, 127.0.0.1, 1, snortsam, Snort station 127.0.0.1
>>> using wrong password, trying to re-sync.
>>>
>>> The configuration I have is the following:
>>>
>>> ---> /etc/snort/snort.conf
>>>
>>> ...
>>> output alert_fwsam: 127.0.0.1:8610/snortpass
>>> ...
>>>
>>> ---> /etc/snortsam.conf
>>>
>>> defaultkey snortpass
>>> port 8610
>>> accept 127.0.0.1/32
>>> daemon
>>> loglevel 3
>>> logfile /var/log/snortsam.log
>>> cisconullroute ************************
>>>
>>> I tried different passwords, settings and ports and it always gives the
>>> same warning messages, and snortsam stops working (freezes).
>>>
>>>
>> Please retry with the following line:
>> accept 127.0.0.1/32, snortpass
>>
> Thanks for answering.
>
> I changed the line that you say and reset barnyard2, snort and snortsam.
>
> The result is the same:

Seems something messes up the FWsamPacket.

Can you give a few more details?
OS (32/64-bit), snortsam version, snort version,
self-build of snort/snortsam?
From Alberto Nicolás Gentil Otero - GenSys Mon Mar 22 06:02:02 2010
From: Alberto Nicolás Gentil Otero - GenSys (Alberto Nicolás Gentil Otero - GenSys)
Date: Mon, 22 Mar 2010 12:02:02 +0100
Subject: [Snortsam-discussion] Problems in snortsam.log
In-Reply-To: <4BA749FB.1060806@gmx.de>
References: <4BA73BF2.2010001@gensys.es> <4BA744B3.8020806@gmx.de> <4BA74678.9070308@gensys.es> <4BA749FB.1060806@gmx.de>
Message-ID: <4BA74E2A.7020600@gensys.es>

olli hauer wrote:
> Alberto Nicolás Gentil Otero - GenSys Telecomunicaciones wrote:
>
>> olli hauer wrote:
>>
>>> Alberto Nicolás Gentil Otero - GenSys Telecomunicaciones wrote:
>>>
>>>
>>>> Hi,
>>>>
>>>> I run snortsam and it works well; it blocks according to the alerts that come
>>>> from Snort.
>>>>
>>>> When you have a time block, it stops working.
>>>>
>>>> /var/log/snortsam.log appears as follows:
>>>>
>>>>
>>> ...
>>>
>>>
>>>> 2010/03/22, 10:32:05, 127.0.0.1, 3, snortsam, Had to use initial key!
>>>> 2010/03/22, 10:32:05, 127.0.0.1, 1, snortsam, Snort station 127.0.0.1
>>>> using wrong password, trying to re-sync.
>>>>
>>>> The configuration I have is the following:
>>>>
>>>> ---> /etc/snort/snort.conf
>>>>
>>>> ...
>>>> output alert_fwsam: 127.0.0.1:8610/snortpass
>>>> ...
>>>>
>>>> ---> /etc/snortsam.conf
>>>>
>>>> defaultkey snortpass
>>>> port 8610
>>>> accept 127.0.0.1/32
>>>> daemon
>>>> loglevel 3
>>>> logfile /var/log/snortsam.log
>>>> cisconullroute ************************
>>>>
>>>> I tried different passwords, settings and ports and it always gives the
>>>> same warning messages, and snortsam stops working (freezes).
>>>>
>>>>
>>>>
>>> Please retry with the following line:
>>> accept 127.0.0.1/32, snortpass
>>>
>>>
>> Thanks for answering.
>>
>> I changed the line that you say and reset barnyard2, snort and snortsam.
>>
>> The result is the same:
>>
>
>
> Seems something messes up the FWsamPacket.
>
> Can you give a few more details?
> OS (32/64-bit), snortsam version, snort version,
> self-build of snort/snortsam?
>

The snort version:

   ,,_     -*> Snort! <*-
  o"  )~   Version 2.8.4.1 (Build 38) x86_64-linux
   ''''    By Martin Roesch & The Snort Team: http://www.snort.org/team.html
           Copyright (C) 1998-2009 Sourcefire, Inc., et al.
           Using PCRE version: 7.8 2008-09-05

OS version:

uname -a
Debian Linux server 2.6.26-2-amd64 #1 SMP Thu Nov 5 02:23:12 UTC 2009 x86_64 GNU/Linux

Applied patches:
http://www.snortsam.net/files/snort-plugin/snortsam-2.8.4.1.diff.gz

Snortsam version:
http://www.snortsam.net/files/snortsam/snortsam-src-2.69.tar.gz

I also have a working Barnyard2, pulledpork and oinkmaster.

From frank at snortsam.net Mon Mar 22 10:04:56 2010
From: frank at snortsam.net (Frank Knobbe)
Date: Mon, 22 Mar 2010 10:04:56 -0500
Subject: [Snortsam-discussion] Problems in snortsam.log
In-Reply-To: <4BA73BF2.2010001@gensys.es>
References: <4BA73BF2.2010001@gensys.es>
Message-ID: <1269270296.60232.3.camel@localhost>

On Mon, 2010-03-22 at 10:44 +0100, Alberto Nicolás Gentil Otero - GenSys Telecomunicaciones wrote:
> /var/log/snortsam.log appears as follows:
>
> 2010/03/22, 10:31:25, 127.0.0.1, 3, snortsam, Accepted connection from
> 127.0.0.1.
> 2010/03/22, 10:31:33, 127.0.0.1, 3, snortsam, Accepted connection from
> 127.0.0.1.
> 2010/03/22, 10:31:33, 127.0.0.1, 3, snortsam, Had to use initial key!
> 2010/03/22, 10:32:05, 127.0.0.1, 3, snortsam, Accepted connection from
> 127.0.0.1.
> 2010/03/22, 10:32:05, 127.0.0.1, 3, snortsam, Had to use initial key!
> 2010/03/22, 10:32:05, 127.0.0.1, 1, snortsam, Snort station 127.0.0.1
> using wrong password, trying to re-sync.
> ---> /etc/snort/snort.conf
> output alert_fwsam: 127.0.0.1:8610/snortpass
>
> ---> /etc/snortsam.conf
>
> defaultkey snortpass
> port 8610
> accept 127.0.0.1/32
> daemon
> loglevel 3
> logfile /var/log/snortsam.log
> cisconullroute ************************

Alberto,

This is a known issue. If Snort sends alerts to Snortsam via "localhost",
packets appear to be arriving out of order for some reason. The way to fix
this is to add "disableseqnocheck" to snortsam.conf. That will ignore proper
sequencing and accept any requests.

Regards,
Frank

From frank at snortsam.net Tue Mar 23 17:01:25 2010
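The log excerpt in Alberto's first message and the diagnosis in Frank's reply describe a pattern worth catching automatically: a station that keeps falling back to the initial key and re-syncing within the same second. The following is an added example, not code from SnortSam or from anyone in this thread. It parses the six-field snortsam.log layout visible in the posted lines (date, time, peer address, log level, facility, message) and flags any station whose re-sync messages cluster inside a short window. The sample lines are constructed from the ones posted above; the second station 192.0.2.10 is made up for contrast, and the 60-second window and threshold of three are arbitrary choices.

```python
from collections import defaultdict
from datetime import datetime, timedelta

RESYNC_MSG = "using wrong password, trying to re-sync"
INITIAL_KEY_MSG = "Had to use initial key!"

# Constructed sample, modelled on the lines posted in the thread; the second
# station 192.0.2.10 is invented so the report also shows a non-flagged peer.
SAMPLE_LOG = """\
2010/03/22, 10:31:25, 127.0.0.1, 3, snortsam, Accepted connection from 127.0.0.1.
2010/03/22, 10:31:33, 127.0.0.1, 3, snortsam, Accepted connection from 127.0.0.1.
2010/03/22, 10:31:33, 127.0.0.1, 3, snortsam, Had to use initial key!
2010/03/22, 10:32:05, 127.0.0.1, 3, snortsam, Accepted connection from 127.0.0.1.
2010/03/22, 10:32:05, 127.0.0.1, 3, snortsam, Had to use initial key!
2010/03/22, 10:32:05, 127.0.0.1, 1, snortsam, Snort station 127.0.0.1 using wrong password, trying to re-sync.
2010/03/22, 10:32:05, 127.0.0.1, 3, snortsam, Accepted connection from 127.0.0.1.
2010/03/22, 10:32:05, 127.0.0.1, 3, snortsam, Had to use initial key!
2010/03/22, 10:32:05, 127.0.0.1, 1, snortsam, Snort station 127.0.0.1 using wrong password, trying to re-sync.
2010/03/22, 10:32:05, 127.0.0.1, 3, snortsam, Accepted connection from 127.0.0.1.
2010/03/22, 10:32:05, 127.0.0.1, 3, snortsam, Had to use initial key!
2010/03/22, 10:32:05, 127.0.0.1, 1, snortsam, Snort station 127.0.0.1 using wrong password, trying to re-sync.
2010/03/22, 10:40:00, 192.0.2.10, 3, snortsam, Accepted connection from 192.0.2.10.
2010/03/22, 10:40:00, 192.0.2.10, 3, snortsam, Had to use initial key!
"""


def parse_line(line):
    """Split one snortsam.log line into its fields.

    Layout, as seen in the posted log:
        YYYY/MM/DD, HH:MM:SS, <peer address>, <log level>, <facility>, <message>
    The message may itself contain commas, so split at most five times.
    Returns None for blank or malformed lines.
    """
    parts = line.strip().split(", ", 5)
    if len(parts) != 6:
        return None
    date, clock, peer, level, facility, message = parts
    try:
        ts = datetime.strptime(f"{date} {clock}", "%Y/%m/%d %H:%M:%S")
        level = int(level)
    except ValueError:
        return None
    return {"ts": ts, "peer": peer, "level": level,
            "facility": facility, "message": message}


def max_events_in_window(timestamps, window):
    """Largest number of timestamps that fall inside any interval of length window."""
    timestamps = sorted(timestamps)
    best, start = 0, 0
    for end, ts in enumerate(timestamps):
        while ts - timestamps[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def resync_report(log_text, window=timedelta(seconds=60), threshold=3):
    """Per-station counts of initial-key fallbacks and re-sync attempts.

    A station is flagged as a storm when at least `threshold` re-sync
    messages land inside `window`; in the posted log every one of them
    carried the same timestamp.
    """
    initial = defaultdict(int)
    resync_ts = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if INITIAL_KEY_MSG in rec["message"]:
            initial[rec["peer"]] += 1
        elif RESYNC_MSG in rec["message"]:
            resync_ts[rec["peer"]].append(rec["ts"])
    report = {}
    for peer in set(initial) | set(resync_ts):
        burst = max_events_in_window(resync_ts[peer], window)
        report[peer] = {"initial_key": initial[peer],
                        "resync": len(resync_ts[peer]),
                        "storm": burst >= threshold}
    return report


if __name__ == "__main__":
    for peer, info in sorted(resync_report(SAMPLE_LOG).items()):
        flag = "RE-SYNC STORM" if info["storm"] else "ok"
        print(f"{peer}: initial_key={info['initial_key']} resync={info['resync']} {flag}")
```

A flagged station points at a key mismatch between the `output alert_fwsam:` line and the agent's `accept`/`defaultkey`, or, for the loopback case Frank describes, at the sequencing problem that `disableseqnocheck` works around. That option makes the agent accept requests in any order, which by Frank's own description also means a blocking request captured on the wire could be re-sent and accepted; treat it as a loopback workaround rather than a setting to carry over to a sensor that reaches the agent across a network.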
From: frank at snortsam.net (Frank Knobbe)
Date: Tue, 23 Mar 2010 17:01:25 -0500
Subject: [Snortsam-discussion] Makefile for snortsam
In-Reply-To: <4BA0035D.5020508@gmx.de>
References: <4B9F93BB.5030405@gmx.de> <4B9F9BF0.7080001@gmx.de> <4B9FF6E3.3040703@gmx.de> <4BA0035D.5020508@gmx.de>
Message-ID: <1269381685.33656.52.camel@localhost>

On Tue, 2010-03-16 at 23:17 +0100, olli hauer wrote:
>>> .if defined(DEBUG)
>>> DEBUG = -DFWSAMDEBUG
>>> .endif
>>>
> Perhaps it is better to remove the expression (it slipped in while rewriting the
> FreeBSD port).

Yeah, I think that can be removed from the makefile. If someone needs a
debug version, they can use the makesnortsam script to compile
snortsam-debug.

Thoughts?

Cheers,
Frank

From ohauer at gmx.de Wed Mar 24 06:53:10 2010
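Frank's suggestion above (drop the conditional and build the debug variant through the makesnortsam script) is the portable answer, because the two Makefile dialects in this thread do not understand each other's conditionals: `.if defined(DEBUG)` / `.endif` is BSD make, `ifdef DEBUG` / `endif` is GNU make, and whichever one is in the file breaks the other platform. The following added check, not part of SnortSam or of anything posted here, scans a Makefile for dialect-specific directives so a packager can catch this before a build fails on CentOS or FreeBSD. The three fragments are constructed: the first two reproduce the before and after of Thomas's patch, and the third shows a way to keep the debug define without any conditional, using `+=`, which both makes accept, together with a `make DEBUG=-DFWSAMDEBUG` invocation. How the real Makefile folds DEBUG into CFLAGS is not shown in the thread, so the `CFLAGS += $(DEBUG)` line is an assumption.

```python
import re

# Conditional and loop directives that only BSD make (FreeBSD make, bmake)
# understands: they start with a dot.
BSD_DIRECTIVE = re.compile(
    r"^\s*\.(if|ifdef|ifndef|ifmake|ifnmake|elif|else|endif|for|endfor)\b")
# Conditional directives that only GNU make understands.
GNU_DIRECTIVE = re.compile(r"^\s*(ifdef|ifndef|ifeq|ifneq|else|endif)\b")

# Constructed fragments. The first two reproduce the lines from the thread's
# patch; the third is an assumed conditional-free alternative.
BSD_FRAGMENT = """\
# To build the old pf plugin uncomment PFPLUGIN
#PFPLUGIN = -DUSE_SSP_PF

.if defined(DEBUG)
DEBUG = -DFWSAMDEBUG
.endif
"""

GNU_FRAGMENT = (BSD_FRAGMENT
                .replace(".if defined(DEBUG)", "ifdef DEBUG")
                .replace(".endif", "endif"))

PORTABLE_FRAGMENT = """\
# To build the old pf plugin uncomment PFPLUGIN
#PFPLUGIN = -DUSE_SSP_PF

# No conditional: build a debug binary with `make DEBUG=-DFWSAMDEBUG`.
# `+=` is understood by both GNU make and BSD make. (Assumption: the real
# Makefile folds DEBUG into CFLAGS somewhere; that line is not in the thread.)
CFLAGS += $(DEBUG)
"""


def makefile_dialects(text):
    """Return (line number, dialect, stripped line) for each dialect-specific directive."""
    findings = []
    for number, line in enumerate(text.splitlines(), 1):
        if BSD_DIRECTIVE.match(line):
            findings.append((number, "bsd", line.strip()))
        elif GNU_DIRECTIVE.match(line):
            findings.append((number, "gnu", line.strip()))
    return findings


def classify(text):
    """'portable' when no dialect-specific directive is used, else 'bsd', 'gnu' or 'mixed'."""
    dialects = {dialect for _, dialect, _ in makefile_dialects(text)}
    if not dialects:
        return "portable"
    if len(dialects) > 1:
        return "mixed"
    return dialects.pop()


if __name__ == "__main__":
    for name, text in (("before patch", BSD_FRAGMENT),
                       ("after patch", GNU_FRAGMENT),
                       ("no conditional", PORTABLE_FRAGMENT)):
        print(f"{name}: {classify(text)}")
        for number, dialect, line in makefile_dialects(text):
            print(f"  line {number}: {dialect}-only directive: {line}")
```

Run it against src/Makefile before cutting a release; anything other than "portable" means one of the two platforms the project ships on will fail at parse time, exactly as olli saw on CentOS.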
From: ohauer at gmx.de (olli hauer)
Date: Wed, 24 Mar 2010 12:53:10 +0100
Subject: [Snortsam-discussion] Makefile for snortsam
In-Reply-To: <1269381685.33656.52.camel@localhost>
References: <4B9F93BB.5030405@gmx.de> <4B9F9BF0.7080001@gmx.de> <4B9FF6E3.3040703@gmx.de> <4BA0035D.5020508@gmx.de> <1269381685.33656.52.camel@localhost>
Message-ID: <4BA9FD26.6@gmx.de>

Frank Knobbe wrote:
> On Tue, 2010-03-16 at 23:17 +0100, olli hauer wrote:
>>>> .if defined(DEBUG)
>>>> DEBUG = -DFWSAMDEBUG
>>>> .endif
>>>>
>> Perhaps it is better to remove the expression (it slipped in while rewriting the
>> FreeBSD port).
>
> Yeah, I think that can be removed from the makefile. If someone needs a
> debug version, they can use the makesnortsam script to compile
> snortsam-debug.
>
> Thoughts?
>

Hi Frank,

yes, please remove this section to keep the Makefile platform independent.
(Sorry for a crappy patch.)

PS: do you think it is possible to include the lost diff for snort.conf again with the
next release/snortsam-2.x.x-diff? (Lost between snortsam-2.8.4.1.diff.gz and
snortsam-2.8.5.diff.gz.)

diff -uNr etc/snort.conf snort-2.8.4.1-patch/etc/snort.conf
--- etc/snort.conf	1970-01-01 03:30:00.000000000 +0330
+++ snort-2.8.4.1-patch/etc/snort.conf	2009-07-09 17:35:09.000000000 -0300
@@ -883,6 +883,31 @@
 # redalert tcp $HOME_NET any -> $EXTERNAL_NET 31337 \
 # (msg:"Someone is being LEET"; flags:A+;)
+# In order to cause Snort to send a blocking request to the SnortSam agent,
+# that agent has to be listed, including the port it listens on,
+# and the encryption key it is using. The statement for that is:
+#
+# output alert_fwsam: {SnortSam Station}:{port}/{password}
+#
+# {SnortSam Station}: IP address or host name of the host where SnortSam is running.
+# {port}: The port the remote SnortSam agent listens on.
+# {password}: The password, or key, used for encryption of the
+# communication to the remote agent.
+#
+# At the very least, the IP address or host name of the host running SnortSam
+# needs to be specified. If the port is omitted, it defaults to TCP port 898.
+# If the password is omitted, it defaults to a preset password.
+# (In which case it needs to be omitted on the SnortSam agent as well)
+#
+# More than one host can be specified, but has to be done on the same line.
+# Just separate them with one or more spaces.
+#
+# Examples:
+#
+# output alert_fwsam: firewall/idspassword
+# output alert_fwsam: fw1.domain.tld:898/mykey
+# output alert_fwsam: 192.168.0.1/borderfw 192.168.1.254/wanfw
+
 #
 # Include classification & priority settings
 # Note for Windows users: You are advised to make this an absolute path,

Regards,
olli
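Review bot: the lines `+# If the password is omitted, it defaults to a preset password.` and `+# (In which case it needs to be omitted on the SnortSam agent as well)` document a fallback without saying what it costs: a preset key built into every Snort plugin and every agent is a secret that anyone with the source already holds, so the comment should tell users to always set a password in `output alert_fwsam:` together with the matching key in the agent's `accept` or `defaultkey` line, and to rely on the preset only for a throwaway test. A smaller point on the headers: the `---` line carries the 1970-01-01 epoch timestamp that diff prints for a file missing on the old side, while the hunk `@@ -883,6 +883,31 @@` claims context at line 883 of that same file; regenerate the diff against the real unpatched etc/snort.conf so the header and hunk agree.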