OpenBSD Journal

Snort Configurations

Contributed by jose on from the sniffing dept.

Snort seems to be everyone's favorite network based IDS. It's free, fast, and has a wide base of community support. A couple of recent pieces on using snort on BSD are worth reading.

The first one is an introduction to snort on BSD from SysAmin Magazine . While some of the options discussed aren't OpenBSD specific, overall it covers how to et up a homebrew IDS system with many pieces.

The second piece covers setting up Snort on BSD with ACID and MySQL . This is pretty much a recipe, good for people assembling a lot of pieces together.

This kind of documentation benefits everyone, as it helps share knowledge. If you are looking for a way to help the community, documentation is always appreciated.

(Comments are closed)


Comments
  1. By James Wilkus () tflat@astrocreep.net on http://astrocreep.net

    Anyone who is interested in an rc script to start snort on multiple nic's, I have made my script available at
    rc.snort . You can also install oinkmaster and run this script through cron to update your rulesets using the 'update' option, if you are brave. I wanted to be able to keep independant rule sets on each interface.

  2. By Anonymous Coward () on

    There is a little documentation in setting up Snort on an OpenBSD bridge that sits in front of a honeypot at http://blow.packetfu.org:1337/hnd.html. It is not to difficult to install Snort on *bsd compared to linux btw. The biggest caveat is that you can run one instance of Snort on multiple interfaces on linux, in *bsd you have to run one instance of Snort on each interface.

  3. By extremis () on

    I would really like to see snort and openbsd get along. For some reason the good stuff made it into linux. Where is my ability to put my wi0 into monitor mode and sniff with snort? Where are the libpcap speed improvements for OpenBSD. What about SMP? I still use OpenBSD for my sensors, but...

    Comments
    1. By Anonymous Coward () on

      I know at least one of the developers for snort is a huge OpenBSD advocate. (he is the rules maintainer, and maintains the snort and nmap ports for openbsd). I know that Sourcefire, the company that develops snort and basically contains the majority of snort developers (including it's creator) sells an IDS device that runs a hardened version of OpenBSD (I know because my company is looking into purchasing one). So I can tell you that OpenBSD is probably the primary platform that snort is developed on. There is probably a pretty good reason for any features that exist in Linux and not in OpenBSD. I trust these guys to integrate whatever features they deem safe and stable.

  4. By sleepy () sleepy at maximumunix.org on mailto:sleepy at maximumunix.org

    I agree that snort is everyone's favourite IDS.I am not even sure if there are alternatives.One nice thing about snort is the variety of logs format it can spit.
    I was going to write a snort/OpenBSD doc myself, will have to check out this article and see if there are more to be said.right now I am examinning the performance of the various logs format supported on my openBSD 3.2 machine. I have written a viewer for Snort XML logs called ACID-XML and is currently available from http://www.maximumunix.org . the available version is win32 but the unix version is coming soon.
    ACID is definately a powerful too, but personally I feel that HTML bites so I am starting a series of tools to parse and analyze snort data from a stand alone app.once the XML viewer is ported, I will start playing with snort binary logs. binary output is definately the fastest. checkout barnyard from http://www.snort.org/dl/ .
    I appreciate all comments and wishes from those interested in IDS , that will be valuable input.

    Comments
    1. By Darren () darren@dazdaz.NOSPAM.org on mailto:darren@dazdaz.NOSPAM.org

      I don't know about XML logs, but I do know that i've been unable to get output in CSV working with snort 1.9.

      output CSV: /var/log/alert.csv default

      I was told that the above in the docs was wrong and the correct syntax was,

      output alert_CSV: /var/log/alert.csv default

      Neither work on OpenBSD 3.2-stable for me.

      $ ls -l /var/log/alert.csv
      -rw-r--r-- 1 snort snort 0 Dec 9 15:14 /var/log/alert.csv

      So far no one has provided a working solution.

      I look forward to your doc.

      Regards,

Latest Articles

Credits

Copyright © - Daniel Hartmeier. All rights reserved. Articles and comments are copyright their respective authors, submission implies license to publish on this web site. Contents of the archive prior to as well as images and HTML templates were copied from the fabulous original deadly.org with Jose's and Jim's kind permission. This journal runs as CGI with httpd(8) on OpenBSD, the source code is BSD licensed. undeadly \Un*dead"ly\, a. Not subject to death; immortal. [Obs.]