Steve,
You have found a bug in the honeywall. Many thanks. Could I get
you to fill out a ticket at: https://projects.honeynet.org/honeywall/newticket ?
You will need to register on the site if you are not already to
add a ticket. This will help us document the issues and ensure it
actually gets fixed.
The issue we have is that once you add rules to the system,
neither snort's sid-msg.map nor the walleye signature database is being
updated. Therefore, after you add new rules to the system, you need
to do the following:
1. Create a new sid-msg.map. Oinkmaster comes with a perl script
named create-sidmap.pl that is really easy to use. Simply point it at
the snort rules directory and redirect its output to a sid-msg.map.
For example, I added the rule you sent below to my local.rules. I had
to change the sid because snort already has a rule with that sid (I
used 70001). I then ran the perl script:
cp /etc/snort/sid-msg.map /etc/snort/sid-msg.map.bak
/usr/bin/create-sidmap.pl /etc/snort/rules > /etc/snort/sid-msg.map
2. Load the new sid-msg.map to the walleye db. The easiest way to do
this is to simply restart hflowd (/etc/init.d/hflowd) or restart the
honeywall. The hflowd startup script loads the sig-msg on start.
From this point on, you should see your alerts on the walleye UI.
The Snort Rules Management portion of the walleye interface does not
do this and we need to fix it. Also, we need to add something to make
this easier for folks that like to get in there and tweak the snort
rules manually.
Thanks again for bringing this to our attention,
Rob
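As an added example (not code from this thread or from the Honeywall project), here is a small Python equivalent of the create-sidmap.pl step in Rob's procedure: it pulls the sid, msg and reference options out of rule files, emits sid-msg.map lines in the "sid || msg || references" form, and reports any sid defined in more than one file, which is the collision Rob hit when he added the rule quoted below to local.rules. The rule text and file names are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample rule files (not from the thread). local.rules reuses
# sid 10001, which the stock set already has, as Rob describes.
SAMPLE_RULES = {
    "snort.rules": [
        'alert tcp any any -> $HOME_NET 22 (msg:"Stock SSH rule"; sid:10001; rev:3;)',
    ],
    "local.rules": [
        "# comment lines are skipped",
        'alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"SSH attempted"; sid:10001;)',
        'alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"SSH attempted"; '
        'sid:70001; rev:1; reference:url,example.test/ssh;)',
    ],
}

# One option: keyword, colon, quoted string (may hold ';') or bare value, ';'.
OPT_RE = re.compile(r'(\w+)\s*:\s*("(?:[^"\\]|\\.)*"|[^;]+)\s*;')

def parse_rule(line):
    """Return (sid, msg, refs) for one rule, or None for blank/comment lines."""
    line = line.strip()
    if not line or line.startswith("#") or "(" not in line:
        return None
    opts = line[line.index("(") + 1:line.rindex(")")]
    sid, msg, refs = None, "", []
    for key, val in OPT_RE.findall(opts):
        val = val.strip().strip('"')
        if key == "sid":
            sid = int(val)
        elif key == "msg":
            msg = val
        elif key == "reference":
            refs.append(val)
    return (sid, msg, refs) if sid is not None else None

def build_sidmap(rule_files):
    """Return (sid-msg.map lines 'sid || msg || ref...', {dup sid: [files]})."""
    entries, seen = {}, defaultdict(list)
    for fname, lines in rule_files.items():
        for line in lines:
            parsed = parse_rule(line)
            if parsed is None:
                continue
            sid, msg, refs = parsed
            seen[sid].append(fname)   # later files overwrite earlier entries
            entries[sid] = " || ".join([str(sid), msg] + refs)
    dups = {sid: f for sid, f in seen.items() if len(f) > 1}
    return [entries[sid] for sid in sorted(entries)], dups
```

A reused sid silently replaces the message Walleye would show for the stock rule, so the duplicate list is worth checking before restarting hflowd.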
On Jan 21, 2008, at 7:02 PM, Steve Ng wrote:
Hi Robert,
The snort rule that I made in my local.rules is a simple one to
test out only.
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"SSH attempted";
sid:10001; )
Regards,
Steve
_______________________________________________
Honeywall mailing list
[email protected]
https://public.honeynet.org/mailman/listinfo/honeywall