[Snort-users] Problems with Snort, Barnyard2, BASE on SUSE 11
Billy.Marshall at ...9988...
Thu Apr 29 12:37:46 EDT 2010
You might consider implementing a 'Heartbeat'. I have written a script that is invoked via a cron job every day at 2 different times. This ensures my sensors that are relatively quiet are working and keeps mysql communication open.
This is to implement the following rule on satellite sensors in the local.rules file. It is invoked by an hping3 script on the main sensor providing a "HeartBeat" of the targeted machine. It uses port 12345 as source and destination and hits the broadcast IP of the sensors' network (or any other IP that is not firewalled) for the alert to trigger.
0 6 * * * /etc/snort/HeartBeat/HeartBeat.sh >> /var/log/snort/cron.err.log 2>&1
0 14 * * * /etc/snort/HeartBeat/HeartBeat.sh >> /var/log/snort/cron.err.log 2>&1
This uses the following basic rule in the satellite sensors' local rules file (/etc/snort/rules/local.rules):
alert tcp xxx.xxx.xxx.xxx 12345 -> any 12345 (msg:"Heart Beat Traffic from <location>"; content:"Heartbeat"; sid:1000000; rev:1;)
          ^               ^            ^          ^                                     ^                    ^            ^
          source IP       src port     dst port   alert message                         contents of packet   duh          duh
This allows hping3 to craft a packet that will comply with the above rule.
Command in Linux script Heartbeat.sh:
hping3 -c 5 -I eth0 -s 12345 -p 12345 -d 9 -E /etc/snort/HeartBeat/data.txt <broadcast of trust>
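The heartbeat only proves anything if something notices when a beat fails to arrive. As an added example (not part of the post and not Snort tooling), this Python script reads the receiving sensor's alert_fast lines, finds the newest sid 1000000 alert per <location>, and lists the expected sensors that have not beaten within 17 hours (the longest normal gap with cron runs at 06:00 and 14:00 is 16 hours). The sample alert lines, sensor names, addresses and the "current time" are constructed; the year is assumed because the fast format does not carry one.

```python
import re
from datetime import datetime, timedelta

# Matches one line of Snort's alert_fast output. The fast format carries no year,
# so the caller supplies it (assumption: all lines are from the same year).
FAST_RE = re.compile(
    r'^(?P<ts>\d{2}/\d{2}-\d{2}:\d{2}:\d{2}\.\d+)\s+\[\*\*\]\s+'
    r'\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\].*?'
    r'\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)'
)
HEARTBEAT_SID = "1000000"                 # sid of the local.rules entry from the post
MSG_PREFIX = "Heart Beat Traffic from "   # msg: text from that rule; the suffix is the location

# Constructed sample alert lines (hypothetical sensors, private addresses, one unrelated local rule).
SAMPLE_ALERTS = [
    "04/28-06:00:02.114233  [**] [1:1000000:1] Heart Beat Traffic from siteA [**] [Priority: 0] {TCP} 10.1.0.7:12345 -> 10.1.0.255:12345",
    "04/28-06:00:03.020011  [**] [1:1000000:1] Heart Beat Traffic from siteB [**] [Priority: 0] {TCP} 10.2.0.7:12345 -> 10.2.0.255:12345",
    "04/28-14:00:01.551900  [**] [1:1000000:1] Heart Beat Traffic from siteA [**] [Priority: 0] {TCP} 10.1.0.7:12345 -> 10.1.0.255:12345",
    "04/29-03:12:44.000100  [**] [1:1000001:2] Some other local rule [**] [Priority: 3] {TCP} 10.2.0.20:80 -> 10.2.0.55:51234",
    "04/29-06:00:02.772410  [**] [1:1000000:1] Heart Beat Traffic from siteA [**] [Priority: 0] {TCP} 10.1.0.7:12345 -> 10.1.0.255:12345",
]

def parse_fast_alert(line, year):
    """Parse one alert_fast line into a dict, or return None if it is not an alert line."""
    m = FAST_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(f"{year}/{m['ts']}", "%Y/%m/%d-%H:%M:%S.%f")
    return {"ts": ts, "sid": m["sid"], "msg": m["msg"], "src": m["src"], "dst": m["dst"]}

def last_heartbeat_per_sensor(lines, year):
    """Map each sensor location (taken from the heartbeat msg) to its newest heartbeat time."""
    latest = {}
    for line in lines:
        rec = parse_fast_alert(line, year)
        if rec is None or rec["sid"] != HEARTBEAT_SID:
            continue
        location = rec["msg"][len(MSG_PREFIX):] if rec["msg"].startswith(MSG_PREFIX) else rec["msg"]
        if location not in latest or rec["ts"] > latest[location]:
            latest[location] = rec["ts"]
    return latest

def stale_sensors(lines, expected, now, year, max_gap=timedelta(hours=17)):
    """Expected sensors that never beat, or whose last beat is older than max_gap."""
    latest = last_heartbeat_per_sensor(lines, year)
    return [s for s in sorted(expected) if s not in latest or now - latest[s] > max_gap]

def check_sample():
    """Run the check over the constructed sample at a constructed 'current time'."""
    now = datetime(2010, 4, 29, 12, 37, 46)
    return stale_sensors(SAMPLE_ALERTS, {"siteA", "siteB", "siteC"}, now, 2010)

if __name__ == "__main__":
    print("stale sensors:", check_sample())
```

On a real sensor, feed it the lines of the alert file the heartbeat rule writes to and the set of <location> names you expect, and run it from cron some time after each heartbeat slot.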