[Snort-users] Snort and Proxmox

Josh Bitto jbitto at ...16055...
Mon Jan 28 17:53:48 EST 2013


Ah! I did that already.... I have 2 interfaces: 1 is re0, the other is re1

I did that on both and I get traffic.....but if what you're saying is true, how would I go about checking to see if it is reading it?


-----Original Message-----
From: Jeremy Hoel [mailto:jthoel at ...11827...]
Sent: Monday, January 28, 2013 2:51 PM
To: Josh Bitto
Cc: snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] Snort and Proxmox

tcpdump -i re0

But that doesn't mean all the traffic is going to it.  That's going to be a function of your hypervisor and the vswitch configuration.



On Mon, Jan 28, 2013 at 10:39 PM, Josh Bitto <jbitto at ...16055...> wrote:
>
> I stumbled across the fix for this....There is a "Preprocessors" tab
> for each interface you configure....you have to go in and configure
> the settings in it as well as turn it on. Hehe
>
> Ok so I learned something new!
>
> Now on to my original thing.....I believe the interface that snort is
> listening on is re0
>
> Since that is a virtual interface how would I do a tcpdump on it?
>
>
>
> -----Original Message-----
> From: Jeremy Hoel [mailto:jthoel at ...11827...]
> Sent: Monday, January 28, 2013 2:29 PM
> To: Josh Bitto
> Cc: snort-users at lists.sourceforge.net
> Subject: Re: [Snort-users] Snort and Proxmox
>
> You do see where it looks like something is shutting it down right?
>
> Without any snort crash errors, I can't tell you why it's doing that.
> I don't use pfsense.. maybe try a regular linux distro?
>
> On Mon, Jan 28, 2013 at 10:24 PM, Josh Bitto <jbitto at ...16055...> wrote:
>> I tried restarting the service. No I didn't stop the service at all...
>>
>>
>>
>> -----Original Message-----
>> From: Jeremy Hoel [mailto:jthoel at ...11827...]
>> Sent: Monday, January 28, 2013 2:21 PM
>> To: Josh Bitto
>> Cc: snort-users at lists.sourceforge.net
>> Subject: Re: [Snort-users] Snort and Proxmox
>>
>> See that last part says
>>
>> Jan 28 21:49:22 pfSense php: /status_services.php: The command '/usr/local/etc/rc.d/snort.sh stop' returned exit code '1', the output was ''
>>
>> Did you stop snort, or is there a process on pfSense stopping it?
>>
>>
>> On Mon, Jan 28, 2013 at 10:14 PM, Josh Bitto <jbitto at ...16055...> wrote:
>>> This is the only thing that I have in my log file pertaining to snort.....
>>>
>>> Jan 28 13:49:07 pfSense syslogd: kernel boot file is /boot/kernel/kernel
>>> Jan 28 13:49:18 pfSense SnortStartup[23952]: Snort STOP For WAN Interface(63566_re0)...
>>> Jan 28 13:49:19 pfSense snort[6973]: *** Caught Term-Signal
>>> Jan 28 13:49:19 pfSense snort[6973]: *** Caught Term-Signal
>>> Jan 28 13:49:19 pfSense kernel: re0: promiscuous mode disabled
>>> Jan 28 13:49:20 pfSense snort[6973]: Could not remove pid file /var/run/snort_re063566.pid: No such file or directory
>>> Jan 28 13:49:20 pfSense snort[6973]: Could not remove pid file /var/run/snort_re063566.pid: No such file or directory
>>> Jan 28 13:49:20 pfSense SnortStartup[25382]: Snort STOP For LAN Interface(7224_re1)...
>>> Jan 28 13:49:21 pfSense snort[8538]: *** Caught Term-Signal
>>> Jan 28 13:49:21 pfSense snort[8538]: *** Caught Term-Signal
>>> Jan 28 13:49:21 pfSense snort[8538]: Could not remove pid file /var/run/snort_re17224.pid: No such file or directory
>>> Jan 28 13:49:21 pfSense snort[8538]: Could not remove pid file /var/run/snort_re17224.pid: No such file or directory
>>> Jan 28 13:49:21 pfSense kernel: re1: promiscuous mode disabled
>>> Jan 28 21:49:22 pfSense php: /status_services.php: The command '/usr/local/etc/rc.d/snort.sh stop' returned exit code '1', the output was ''
>>> Jan 28 13:49:22 pfSense SnortStartup[41673]: Snort STOP For WAN Interface(63566_re0)...
>>> system.log: unmodified: line 1
>>> ________________________________________
>>> From: Jeremy Hoel [jthoel at ...11827...]
>>> Sent: Monday, January 28, 2013 1:58 PM
>>> To: Josh Bitto
>>> Cc: snort-users at lists.sourceforge.net
>>> Subject: Re: [Snort-users] Snort and Proxmox
>>>
>>> You never listed what errors you might be having, or when it crashes
>>> what errors it gives (/var/log/messages probably?)  so it's hard to
>>> know what the problem might be.
>>>
>>>
>>> On Mon, Jan 28, 2013 at 9:51 PM, Josh Bitto <jbitto at ...16055...> wrote:
>>>> I don't know if this could be the issue or not. For some reason I am still not able to start the service. The only way to actually show that it's working is to completely uninstall snort and then install it again. I'm beginning to think this program is really buggy on a pfsense virtual machine.
>>>>
>>>>
>>>>
>>>> -----Original Message-----
>>>> From: Jeremy Hoel [mailto:jthoel at ...11827...]
>>>> Sent: Monday, January 28, 2013 12:40 PM
>>>> To: Josh Bitto
>>>> Cc: snort-users at lists.sourceforge.net
>>>> Subject: Re: [Snort-users] Snort and Proxmox
>>>>
>>>> So, when snort is running, it listens on an interface (or many).
>>>> That's part of the snort config, telling it what interface to listen on.  Once it's running and listening on the interface, if it sees packets/traffic that matches the rules it alerts/passes/drops/etc..
>>>>
>>>> When you startup snort, near the end of the messages that it spits out it should tell you what interface it's listening on:
>>>>
>>>> "Jan 28 20:38:53 iiaabqst001 snort[23678]: Acquiring network traffic from "eth1"."
>>>>
>>>> Look for that; that's the port snort is listening on to process packets.  Then go back to tcpdump and see if you are seeing all packets for all the traffic, or just certain packets to that address.
>>>>
>>>>
>>>>
>>>> On Mon, Jan 28, 2013 at 8:02 PM, Josh Bitto <jbitto at ...16055...> wrote:
>>>>> Sorry about that...
>>>>>
>>>>> I did the tcpdump on the pfsense machine for the 2 interfaces. I don't really know how to plug snort into that equation to see if snort "sees" traffic or not.
>>>>>
>>>>> -----Original Message-----
>>>>> From: Jeremy Hoel [mailto:jthoel at ...11827...]
>>>>> Sent: Monday, January 28, 2013 11:58 AM
>>>>> To: snort-users at lists.sourceforge.net
>>>>> Subject: Re: [Snort-users] Snort and Proxmox
>>>>>
>>>>> Ok, so snort is up, and you say it's seeing all packets, but the rules aren't firing?  What is your snort output set as?  Have you tried using syslog or portfast just so you can see the output vs it going to a binary file?
>>>>>
>>>>> Also, please reply to the list, so that others might be able to chime in or help out.
>>>>>
>>>>> On Mon, Jan 28, 2013 at 7:55 PM, Josh Bitto <jbitto at ...16055...> wrote:
>>>>>> Ok I got that working again....On to my original issue.....Yes I was able to do a tcpdump on both interfaces (WAN and LAN) they both are listening to packets.
>>>>>>
>>>>>> -----Original Message-----
>>>>>> From: Jeremy Hoel [mailto:jthoel at ...11827...]
>>>>>> Sent: Monday, January 28, 2013 11:33 AM
>>>>>> To: Josh Bitto
>>>>>> Subject: Re: [Snort-users] Snort and Proxmox
>>>>>>
>>>>>> Check the system logs to see if it gives you an error message.  If it's set to start, but then isn't running after boot, it probably failed for some reason. Snort is pretty good about telling you why it stopped.
>>>>>>
>>>>>> On Mon, Jan 28, 2013 at 7:19 PM, Josh Bitto <jbitto at ...16055...> wrote:
>>>>>>> Well to further my problem......Last week it was working fine. I come in this morning to start working and start up the VMs, and I'm showing the service not even running in PFsense. I restart everything, even reinstall the snort package. Even on boot up it shows snort service started......but looking at top and also via the web gui it actually isn't running.....Any ideas?
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> -----Original Message-----
>>>>>>> From: Jeremy Hoel [mailto:jthoel at ...11827...]
>>>>>>> Sent: Monday, January 28, 2013 11:13 AM
>>>>>>> To: Josh Bitto
>>>>>>> Cc: snort-users at lists.sourceforge.net
>>>>>>> Subject: Re: [Snort-users] Snort and Proxmox
>>>>>>>
>>>>>>> You should start with running tcpdump on the listening interface on the snort box to make sure it's seeing the packets you expect it to see.
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> On Mon, Jan 28, 2013 at 5:12 PM, Josh Bitto <jbitto at ...16055...> wrote:
>>>>>>>> Hello Everyone,
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> I'm new on using snort and I'm needing to lean on your expertise.
>>>>>>>> We've decided to use snort on our network and in doing so I've
>>>>>>>> setup a small test lab away from the actual network to see how this IDS works.
>>>>>>>> So here's the problem.....I can't get snort to show any logs. I
>>>>>>>> want to be able to see if it's actually working or not.
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> I set up a stand-alone server with proxmox on it.
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> Created 2 VMs
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> One is Pfsense
>>>>>>>>
>>>>>>>> The other is just a xp machine.
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> In proxmox interface.conf looks like this.
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> Config looks like this:
>>>>>>>>
>>>>>>>> auto lo
>>>>>>>> iface lo inet loopback
>>>>>>>>
>>>>>>>> auto vmbr0
>>>>>>>> iface vmbr0 inet static
>>>>>>>>         address 192.168.3.15
>>>>>>>>         netmask 255.255.252.0
>>>>>>>>         gateway 192.168.1.1
>>>>>>>>         bridge_ports eth0
>>>>>>>>         bridge_stp off
>>>>>>>>         bridge_fd 0
>>>>>>>>
>>>>>>>> auto vmbr1
>>>>>>>> iface vmbr1 inet manual
>>>>>>>>         bridge_ports eth1
>>>>>>>>         bridge_stp off
>>>>>>>>         bridge_fd 0
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> I did everything to spec in pfsense....it's pretty straightforward.
>>>>>>>>
>>>>>>>> 1. Set up the interface on pfsense to match in proxmox
>>>>>>>> 2. Downloaded the snort package
>>>>>>>> 3. Obtained an oinkmaster code
>>>>>>>> 4. Created the WAN interface in snort.
>>>>>>>> 5. Checked ALL the rules to activate them.
>>>>>>>> 6. Even restarted both pfsense and the snort service.
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> I just for some reason can't get the darn thing to log
>>>>>>>> events....as a test, I activated teamviewer rules and tried to
>>>>>>>> block an event and couldn't get it to do that. So my thinking
>>>>>>>> is....it's somewhere at the interface. I just don't know what I need to do. Any help would be grateful!
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> Josh
>>>>>>>>
>>>>>>>>
>>>>>>>> ------------------------------------------------------------------------------
>>>>>>>> Master Visual Studio, SharePoint, SQL, ASP.NET, C# 2012, HTML5, CSS, MVC,
>>>>>>>> Windows 8 Apps, JavaScript and much more. Keep your skills current with
>>>>>>>> LearnDevNow - 3,200 step-by-step video tutorials by Microsoft MVPs and
>>>>>>>> experts. ON SALE this month only -- learn more at:
>>>>>>>> http://p.sf.net/sfu/learnnow-d2d
>>>>>>>> _______________________________________________
>>>>>>>> Snort-users mailing list
>>>>>>>> Snort-users at lists.sourceforge.net
>>>>>>>> Go to this URL to change user options or unsubscribe:
>>>>>>>> https://lists.sourceforge.net/lists/listinfo/snort-users
>>>>>>>> Snort-users list archive:
>>>>>>>> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>>>>>>>>
>>>>>>>> Please visit http://blog.snort.org to stay current on all the
>>>>>>>> latest Snort news!
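An added example, not written by anyone in this thread, that puts Jeremy's advice into a script: read the syslog messages quoted above (snort's "Acquiring network traffic from" line and the kernel's "promiscuous mode" lines, on pfSense found in /var/log/system.log) to learn which interface snort actually opened, and then sample packets on that interface with tcpdump. The log lines in SAMPLE_LOG are constructed for the demo; the "promiscuous mode enabled" line is the counterpart of the "disabled" line seen in the thread. The tcpdump sampler assumes root, a real interface and a timeout(1) command, and is not run against the sample. It answers "is snort reading the interface at all", not whether the Proxmox bridge forwards all traffic to it, which, as Jeremy notes, is a hypervisor/vswitch question.

```shell
#!/bin/sh
# Added example (not from the thread): decide whether snort is capturing on
# an interface from the syslog lines it and the kernel write, then optionally
# sample live packets on that interface with tcpdump.

# Constructed sample syslog lines in the formats seen in the thread.
SAMPLE_LOG='Jan 28 20:38:53 sensor snort[23678]: Acquiring network traffic from "eth1".
Jan 28 20:38:53 sensor kernel: eth1: promiscuous mode enabled
Jan 28 13:49:10 pfSense snort[6973]: Acquiring network traffic from "re0".
Jan 28 13:49:10 pfSense kernel: re0: promiscuous mode enabled
Jan 28 13:49:19 pfSense snort[6973]: *** Caught Term-Signal
Jan 28 13:49:19 pfSense kernel: re0: promiscuous mode disabled'

# Interfaces snort reported acquiring traffic from, one per line, sorted.
# $1 = log text
snort_listen_ifaces() {
    printf '%s\n' "$1" |
        sed -n 's/.*snort\[[0-9]*\]: Acquiring network traffic from "\([^"]*\)".*/\1/p' |
        sort -u
}

# Last promiscuous-mode state the kernel logged for interface $2 in log $1:
# "enabled", "disabled", or empty if the interface is never mentioned.
promisc_state() {
    printf '%s\n' "$1" |
        sed -n "s/.*kernel: $2: promiscuous mode \([a-z]*\).*/\1/p" |
        tail -n 1
}

# Verdict for interface $2 in log $1: prints "ok" and returns 0 only when
# snort reported acquiring traffic from it AND the kernel's last message says
# it is still in promiscuous mode (a later "disabled" means snort was stopped
# or died, as in the thread's log). Otherwise prints the reason and returns 1.
capture_status() {
    log=$1
    iface=$2
    if ! snort_listen_ifaces "$log" | grep -qx "$iface"; then
        echo "snort never reported acquiring traffic from $iface"
        return 1
    fi
    case "$(promisc_state "$log" "$iface")" in
        enabled) echo ok ;;
        *)
            echo "$iface is not in promiscuous mode, so snort is not capturing on it"
            return 1 ;;
    esac
}

# Number of packets tcpdump prints on interface $1 within $2 seconds
# (default 10), capped at 200. Assumes root, a real interface and timeout(1)
# (coreutils on Linux, base system on FreeBSD 11 and later). A count of 0 on
# an interface snort opened means the bridge/vswitch is not delivering
# traffic to the VM, which is not a snort problem.
sample_packets() {
    timeout "${2:-10}" tcpdump -l -n -i "$1" -c 200 2>/dev/null | wc -l | tr -d ' '
}

# Stand-alone demo against the constructed sample: eth1 is ok, re0 was
# opened but then dropped out of promiscuous mode, re1 was never opened.
for i in eth1 re0 re1; do
    printf '%s: ' "$i"
    capture_status "$SAMPLE_LOG" "$i" || :
done
```

On a live box, feed the real log instead of the sample, for example `capture_status "$(cat /var/log/system.log)" re0` (on pfSense the log may be circular and need `clog` to read), and then `sample_packets re0 10` to confirm that packets are actually arriving on the interface snort named.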



