Hi guys,

I have a problem trying to integrate a newer version of snort into PF.
Basically, I solved several things:

1. Apparently version 2.9.6 doesn't support a pipe file for alert_fast:,
and that pipe is created by pf if it doesn't exist in
%%install_dir%%/var/alert. When snort starts, it stays at the precise line
where it tries to create the alert file and cannot continue. So anyway, I
think this is unexpected behavior more from snort than from pf, and I'm
trying to get an answer from them, because if I change pf's behavior to read
a flat file I don't know what the result will be. If you have any thoughts,
they are welcome.

2. I decided to take another strategy and install barnyard2, leaving the
task of the alert pipe to it. The problem I have is that starting snort
from pf returns a "0" for the pid of snort (i.e. pfcmd service snort start
> snort|1|0); however snort starts OK and writes the pid to
/var/snort_eth2.pid. Even so, packetfence can't obtain the pid with pfcmd
service snort status.

3. Following on from the previous point, I reviewed the file permissions on
snort_eth2.pid and it had 600 root root, which is wrong since pf is not part
of the root group and pf starts snort with the option -u pf. I reviewed my
logs and discovered that snort first writes the pid file and then sets the
sid and uid of the daemon, and that is the reason the permissions are wrong.
Again, apparently this is unexpected behavior from snort, so I will report
it to find out whether it should be like that or whether I have to change
the code a little bit. However, when I changed the permissions manually and
checked the status of snort again, it failed to read the pid. My questions
here are: how can I change services.pm or manager.pm so that pf changes the
permissions of those files? And what are the correct permissions and owners
of those files?

As an extra point, since snort no longer supports writing directly to a
database, in order to integrate barnyard2, mysql, snort and pf correctly (I
mean, to have a mysql database with the acid_schema for the events) you need
to do a couple of things. First you need to add this line to the snort
configuration: "output unified2: filename PATH_TO_FILE/snort.u2". Make sure
that barnyard2 reads that file, and modify in
%%install_dir%%/lib/pf/services/manager/snort.pm the line that contains
"-N -D -l $install_dir/var ...." to get rid of the option "-N", since that
means no logging at all; that way snort can start to write logs in unified2
format and barnyard2 can read that file to parse the data into the
database.
If you want, I can help you make this happen with snort version 2.9.4.6 in
this way; it is actually working like that in the lab.

Best regards and thanks in advance,


-- 
JUAN CAMILO VALENCIA VARGAS
Ingeniero de Operaciones
SeguraTec S.A.S
Calle 11 # 43B-50 of 307
Medellín, Colombia

*"Choose a job you love, and you will never have to work a day in your
life"*
_______________________________________________
PacketFence-devel mailing list
PacketFence-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-devel