Hi Alex,
There is no such documentation in our guides; the only case we cover is
a local SNORT.
I built a basic howto (from our internal wiki), so I hope it will be
sufficient.
1 - Install the packages
yum install snort snort-mysql packetfence-remote-snort-sensor
2 - Modify /etc/snort/snort.conf
var INTERNAL_IPS [ ## PUT YOUR INTERNAL/LOCAL IPS HERE ## ]
var HOME_NET [ ## PUT YOUR PRODUCTION SUBNETS HERE ## ]
var EXTERNAL_NET !$HOME_NET
var GATEWAYS [ ## PUT YOUR GW ADDRESS ## ]
var DHCP_SERVERS [## PUT YOUR DHCP ADDRESS ##]
var DNS_SERVERS [## PUT YOUR DNS ADDRESS ##]
var HTTP_PORTS 80
var SSH_PORTS 22
var ORACLE_PORTS 1521
var SHELLCODE_PORTS any
var HTTP_SERVERS $HOME_NET
var SQL_SERVERS $HOME_NET
var SMTP_SERVERS $HOME_NET
var TELNET_SERVERS $HOME_NET
var VALIDDHCP [$DHCP_SERVERS,$GATEWAYS,$INTERNAL_IPS]
var RULE_PATH /usr/local/pf/conf/snort
output alert_fast: /usr/local/pf/var/alert
# updated several preprocessors for snort 2.8.5 (values taken from /etc/snort/snort.conf)
preprocessor stream5_global: max_tcp 8192, track_tcp yes, \
track_udp no
preprocessor stream5_tcp: policy first, use_static_footprint_sizes
preprocessor http_inspect: global \
iis_unicode_map /etc/snort/unicode.map 1252
preprocessor http_inspect_server: server default \
profile all ports { 80 8080 8180 } oversize_dir_length 500
#preprocessor conversation: timeout 120, max_conversations 65335
#preprocessor portscan2: scanners_max 10000, targets_max 10000, target_limit 400, port_limit 400, timeout 60, log /dev/null
#preprocessor portscan2-ignorehosts: $EXTERNAL_NET
preprocessor perfmonitor: time 600 flow max file /usr/local/pf/logs/snortstat pktcnt 90000
output alert_syslog: LOG_AUTH LOG_ALERT
config flowbits_size: 256
config disable_decode_alerts
config disable_tcpopt_experimental_alerts
config disable_tcpopt_obsolete_alerts
config disable_tcpopt_ttcp_alerts
config disable_ttcp_alerts
config disable_tcpopt_alerts
config disable_ipopt_alerts
include $RULE_PATH/classification.config
include $RULE_PATH/reference.config
include $RULE_PATH/local.rules
include $RULE_PATH/emerging-attack_response.rules
include $RULE_PATH/emerging-botcc.rules
include $RULE_PATH/emerging-exploit.rules
include $RULE_PATH/emerging-malware.rules
include $RULE_PATH/emerging-p2p.rules
include $RULE_PATH/emerging-scan.rules
include $RULE_PATH/emerging-shellcode.rules
include $RULE_PATH/emerging-trojan.rules
include $RULE_PATH/emerging-virus.rules
include $RULE_PATH/emerging-worm.rules
3 - Put the proper interfaces in /etc/sysconfig/snort
INTERFACES="eth0.1 eth0.2"
4 - Configure pfdetectd /usr/local/pf/conf/pfdetect_remote.conf
[server]
user = remotesnort
password = apassword
host = localhost:1443
5 - Start SNORT and pfdetectd
service snort start
service pfdetectd start
Of course, you might need some tweaks here and there, but it should help
you a lot.
On 12-02-20 1:56 PM, Alex Kisakye wrote:
> On 2/20/2012 8:16 PM, Francois Gaudreault wrote:
>> If you want to use SNORT on two interfaces, I would suggest that you
>> manage SNORT manually, not in PF (so no monitor interface). That way it
>> will act as a "remote" sensor, but locally on the PF server.
> Can you kindly point me to documentation that will show me how to
> "detach" snort control from pf?
--
Francois Gaudreault, ing. jr
[email protected] :: +1.514.447.4918 (x130) :: www.inverse.ca
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence
(www.packetfence.org)
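An added example, not code from the mail or from PacketFence: a small POSIX sh lint for a snort.conf assembled from the howto above, run before "service snort start". It flags "## PUT YOUR ... ##" placeholders that were never filled in and option fragments that a mail client wrapped onto their own line (Snort rejects those as unknown directives); it assumes sed is available and recognises the standard snort.conf keywords, and the sample fragment inside is constructed from the howto's own lines.

```shell
# Added example (not from the original mail): lint a snort.conf built from the
# howto before starting the sensor. Reports unfilled placeholders and lines
# that are not directives (typically text wrapped by a mail client).
# "snort -T -c /etc/snort/snort.conf" remains the authoritative parse test.
# check_snort_conf FILE -> status 0 (clean) or 1 (problems listed on stderr)
check_snort_conf() {
    conf=$1 rc=0 n=0 cont=0   # cont=1 while inside a backslash-continued line
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        case "$line" in *'## PUT YOUR'*)
            echo "$conf:$n: unfilled placeholder: $line" >&2; rc=1 ;;
        esac
        stripped=$(printf '%s' "$line" | sed 's/^[[:space:]]*//')
        if [ "$cont" -eq 0 ]; then
            case "$stripped" in
                ''|'#'*) ;;                         # blank line or comment
                'var '*|'portvar '*|'ipvar '*|'preprocessor '*|'output '*) ;;
                'config '*|'include '*|dynamic*|'ruletype '*) ;;
                'alert '*|'log '*|'pass '*|'drop '*|'reject '*|'sdrop '*) ;;
                *) echo "$conf:$n: not a directive (wrapped line?): $line" >&2
                   rc=1 ;;
            esac
        fi
        case "$line" in *\\) cont=1 ;; *) cont=0 ;; esac
    done < "$conf"
    return "$rc"
}
# Constructed sample (not a real config): the placeholder and two wrapped
# lines as they appear in the mail, then a corrected version of the same.
write_broken_sample() {
    cat > "$1" <<'EOF'
var HOME_NET [ ## PUT YOUR PRODUCTION SUBNETS HERE ## ]
# updated several preprocessor for snort 2.8.5 (values taken from
/etc/snort/snort.conf)
preprocessor stream5_global: max_tcp 8192, track_tcp yes, \
    track_udp no
preprocessor perfmonitor: time 600 flow max file
/usr/local/pf/logs/snortstat pktcnt 90000
EOF
}
write_fixed_sample() {
    cat > "$1" <<'EOF'
var HOME_NET [192.168.1.0/24]
preprocessor stream5_global: max_tcp 8192, track_tcp yes, \
    track_udp no
preprocessor perfmonitor: time 600 flow max file /usr/local/pf/logs/snortstat pktcnt 90000
EOF
}
```

Run it as `check_snort_conf /etc/snort/snort.conf` after filling in the vars; the broken sample above yields three findings (the placeholder and the two orphaned path fragments), the fixed one none.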
_______________________________________________
Packetfence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users