Re: PF Snort tutorial
"Wesley M." writes:

> Perhaps, this can be helpful ;-)
> http://www.procyonlabs.com/guides/openbsd/snort/

It's possible it's quite valid for the Snort parts, but unfortunately this HOWTO shows several of the features typical of docs maintained by people who are not, in fact, terribly familiar with OpenBSD:

First off, consider the statement "One thing a lot of people overlook is patching their OpenBSD system(s). This is because it is a major pain in the ass." Show of hands, how many people here agree with that statement?

Next, the only part of the system he considers important enough to patch is the kernel. (OpenBSD has patches for all parts of the base system; the only patch so far for 4.9 is for bind, not the kernel.)

He then moves on to rebuild all packages locally from the ports tree, but there are no indications that he builds special flavors that are not already available as downloadable packages.

And finally, he then proceeds to download -- to /usr/src of all places -- the source archives for Snort and supporting software (which may or may not be due to some appropriate reason such as the packages (aka ports) lagging behind upstream), builds and installs them. All this while working as root (not a sudo in sight, but this may be one of my grumpier nights).

If you find this is a useful document, it would be a very smart move to prod its author to check that the information is still up to date and to make any changes that are necessary for OpenBSD 5.0. It's only been two months, but even busy and forgetful people who take an active interest *should* be able to find the time for keeping their stuff up to date.

As others have said here earlier, any document that claims to be about OpenBSD and does not live somewhere on http://www.openbsd.org/ should be treated with caution; one of the things to look out for is some basic familiarity with OpenBSD, such as the points (possibly minor) I pointed out earlier.

Cheers,
Peter

-- 
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
"Remember to set the evil bit on all malicious network traffic"
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.
Re: PF Snort tutorial
Also, an idea: add the scanlogd package, and do a small script to add the IPs in the log to your pf table ;-)

Cheers,
Wesley MOUEDINE ASSABY
http://mouedine.net/ruleset50.aspx

On Tue, 3 Jan 2012 17:56:13 -0500, "Bentley, Dain" wrote:
> ugh, that's what I thought.
> I'm reading through some OSSEC docs right now and it seems pretty promising.
> Having trouble finding anything about having it read from pflog.
Re: PF Snort tutorial
Hi,

Perhaps, this can be helpful ;-)
http://www.procyonlabs.com/guides/openbsd/snort/

Cheers,
Wesley MOUEDINE ASSABY
http://mouedine.net/ruleset50.aspx

On Tue, 3 Jan 2012 17:56:13 -0500, "Bentley, Dain" wrote:
> ugh, that's what I thought.
> I'm reading through some OSSEC docs right now and it seems pretty promising.
> Having trouble finding anything about having it read from pflog.
Re: PF Snort tutorial
Maybe you should try snort2pf from pkg?

Information for http://ftp.spline.de/pub/OpenBSD/5.0/packages/i386/snort2pf-4.5p0.tgz

Comment:
block "nasty" hosts with pf(4) based on Snort's rules

Description:
Snort2Pf is a small Perl daemon which greps Snort's alertfile and blocks
the "naughty" hosts for a given amount of time using pfctl.

Maintainer: The OpenBSD ports mailing-list

WWW: http://sourceforge.net/projects/snort2pf/

---
Thanks,
Vadim Agarkov

On Tue, 3 Jan 2012 17:56:13 -0500, Bentley, Dain wrote:
> ugh, that's what I thought.
> I'm reading through some OSSEC docs right now and it seems pretty promising.
> Having trouble finding anything about having it read from pflog.
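Both Wesley's "small script to add the IPs in the log to your pf table" and the snort2pf package description above sketch the same mechanism: read an alert log, pull out the source addresses, feed them to a pf table with pfctl, and drop them again after a while. The script below is an added example of that mechanism written for this thread; it is not snort2pf's code and not anything posted by the thread's participants. It assumes (hypothetically) a table named <snort_block> that pf.conf already declares with `table <snort_block> persist` and uses in a rule such as `block in quick from <snort_block>`, and that Snort writes alerts in its "fast" format (`-A fast`). The alert lines it ships with are constructed for the demo, and pfctl is only invoked when DRY_RUN is unset, so the parsing part can be exercised on any machine.

```shell
#!/bin/sh
# Added example, not snort2pf's code: turn Snort "fast" alert lines into pf table
# entries the way the thread describes (grep the alert file, pfctl -T add, expire later).
# Assumptions (hypothetical, not from the thread): the table is called <snort_block>,
# pf.conf already carries "table <snort_block> persist" and a rule such as
# "block in quick from <snort_block>", and alerts are written with "snort -A fast".
# pfctl is only invoked when DRY_RUN is unset, so the parsing can be tested off-box.

TABLE=${TABLE:-snort_block}
EXPIRE=${EXPIRE:-3600}   # seconds an address stays in the table

# Print the source IPv4 address of one fast-format alert line, nothing for other lines.
# Handles both "{TCP} a.b.c.d:port -> ..." and port-less "{ICMP} a.b.c.d -> ...".
# IPv6 addresses are deliberately not matched (':' would be ambiguous with the port).
alert_src_ip() {
    printf '%s\n' "$1" | sed -n 's/.*} \([0-9.]*\)\(:[0-9]*\)\{0,1\} -> .*/\1/p'
}

# Read an alert file, print each offending source once and (unless DRY_RUN is set)
# add it to the table and kill its existing states so the block bites immediately.
block_from_alerts() {
    while IFS= read -r line; do
        ip=$(alert_src_ip "$line")
        if [ -n "$ip" ]; then
            printf '%s\n' "$ip"
        fi
    done < "$1" | sort -u | while IFS= read -r ip; do
        if [ -z "${DRY_RUN:-}" ]; then
            pfctl -q -t "$TABLE" -T add "$ip"
            pfctl -q -k "$ip"
        fi
        printf '%s\n' "$ip"
    done
}

# Drop entries older than EXPIRE seconds (pfctl counts from when the address was
# added unless its statistics were cleared since).
expire_old() {
    if [ -z "${DRY_RUN:-}" ]; then
        pfctl -q -t "$TABLE" -T expire "$EXPIRE"
    fi
}

# Constructed sample alerts (not real Snort output) for trying the parser off-box.
write_sample_alerts() {
    cat > "$1" <<'EOF'
01/03-17:56:13.123456  [**] [1:2000000:1] CONSTRUCTED ssh probe [**] [Priority: 2] {TCP} 203.0.113.5:4455 -> 192.0.2.10:22
01/03-17:56:14.000001  [**] [1:2000000:1] CONSTRUCTED ssh probe [**] [Priority: 2] {TCP} 203.0.113.5:4456 -> 192.0.2.10:22
01/03-17:57:02.500000  [**] [1:2000001:1] CONSTRUCTED icmp sweep [**] [Priority: 3] {ICMP} 198.51.100.7 -> 192.0.2.10
not an alert line at all; must be ignored
EOF
}

# Usage (e.g. from cron every minute):
#   DRY_RUN=1 sh snort_pf_block.sh /var/log/snort/alert   # only print what would be blocked
#   sh snort_pf_block.sh /var/log/snort/alert             # add to <snort_block>, then expire stale entries
if [ -n "${1:-}" ]; then
    block_from_alerts "$1"
    expire_old
fi
```

Two caveats a practitioner would want before putting this on a firewall. First, anything that turns IDS alerts into blocks lets an attacker decide who gets blocked: a spoofed UDP packet with your resolver's or your own management host's address as source will land that address in the table, so keep a second table of never-block addresses matched by a `pass quick` rule placed ahead of the block rule. Second, the source-address regex above only knows IPv4; an IPv6 alert is silently ignored rather than mis-parsed, which is the safer failure, but it means IPv6 attackers are not blocked by it.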
Re: PF Snort tutorial
ugh, that's what I thought.

I'm reading through some OSSEC docs right now and it seems pretty promising. Having trouble finding anything about having it read from pflog.

From: Andres Genovez [andresgeno...@gmail.com]
Sent: Tuesday, January 03, 2012 3:04 PM
To: Bentley, Dain
Cc: misc@openbsd.org
Subject: Re: PF Snort tutorial

> Implementing that is really a pain in the hell out. I did it on a 4.9; I
> needed to do it from sources, there is no complete tutorial. It works on 4.9,
> not implemented with PF though...
>
> Greetings...
Re: PF Snort tutorial
2012/1/3 Bentley, Dain:

> I've been looking around for a good tutorial on implementing snort with PF
> and everything I see is old. Does anyone know of or have implemented a
> solution using an IDS/IPS with PF on the same box? If possible I'd like snort
> or some other IDS to inspect packets and have pf drop them based on the fact
> they match certain signatures. Thanks in advance.

Implementing that is really a pain in the hell out. I did it on a 4.9; I needed to do it from sources, there is no complete tutorial. It works on 4.9, not implemented with PF though...

Greetings...

-- 
Atentamente

Andris Genovez Tobar / Tecnico
Elastix ECE - Linux LPI-1 - Novell CLA - Apple ACMT
http://www.puntonet.ec
Re: PF Snort tutorial
On Tue, 3 Jan 2012 10:57:16 -0500, "Bentley, Dain" wrote:

> I've been looking around for a good tutorial on implementing snort
> with PF and everything I see is old. Does anyone know of or have
> implemented a solution using an IDS/IPS with PF on the same box? If
> possible I'd like snort or some other IDS to inspect packets and have pf
> drop them based on the fact they match certain signatures. Thanks in
> advance.

Hi Dain,

have you seen this before: http://www.kernel-panic.it/openbsd/nagios/

It's not SNORT but Nagios, but Daniele Mazzocchio did an awfully good job in explaining why and how he set up his system. Though it's still related to OBSD 4.6, the principles are still true.

Kind regards,
STEFAN