* [gentoo-hardened] Snort with Sguil and Prelude support, poll
@ 2003-07-30 11:05 Michael Boman
2003-07-30 23:31 ` Mark Hurst
` (2 more replies)
0 siblings, 3 replies; 7+ messages in thread
From: Michael Boman @ 2003-07-30 11:05 UTC (permalink / raw
To: Gentoo Hardened ML
As (hopefully) many of you are aware I am the current
code-monkey/ebuild-hacker for Prelude IDS. But as I am interested in
many (well, more or less all [free]) IDS systems I just want to do a
quick poll.
Those who are following the snort mailing lists (-user in particular)
might be aware that there is a new console called sguil
(pronounced "sgweel") that offers real-time (well, as close to real-time
as possible) and it has a quite nice GUI (for those interested go to
http://sguil.sf.net and check it out).
What I am proposing to do is to modify the net-analyzer/snort ebuild to
support sguil, as well as creating ebuilds for the other needed
components to get this working nicely under Gentoo (it would need a
local +sguil USE flag).
What I am polling about is "should I do it?" ;)
BTW: Snort 2.0.1 is released, and it seems like 2.0.2 is not far away as
a few post-release bugs were found (mainly in the win32 port, according to
the CVS logs..)
Final note: I have added some instructions on the Gentoo wiki/Prelude
(http://gentoo.zhware.net/cgi-bin/moin.cgi/PreludeIntrusionDetectionSystem) that explains how to use snort as a prelude sensor. Will soon (in the next few hours) update the bug #19672 (http://bugs.gentoo.org/show_bug.cgi?id=19672) with updated patches to do this. In my lab environment the patch has been working fine (well, the alerts could be more descriptive, but it does alert).
Best regards
Michael Boman
--
Michael Boman
Security Architect, SecureCiRT Pte Ltd
http://www.securecirt.com
* Re: [gentoo-hardened] Snort with Sguil and Prelude support, poll
From: Mark Hurst @ 2003-07-30 23:31 UTC (permalink / raw
To: Michael Boman; +Cc: gentoo-hardened
> What I am polling about is "should I do it?" ;)
please do, looks great
--
gentoo-hardened@gentoo.org mailing list
* Re: [gentoo-hardened] Snort with Sguil and Prelude support, poll
From: Matthias F. Brandstetter @ 2003-07-31 0:30 UTC (permalink / raw
To: Gentoo Hardened ML
---------- quoting Michael Boman ----------
> What I am polling about is "should I do it?" ;)
I would be interested too, sounds like a great idea. Could you
announce when you're ready with it?
Greetings, Matthias
--
Matthias F. Brandstetter [mailto:haimat@lame.at]
now playing "Groove Salad: a nicely chilled plate of ambient beats and
grooves. [SomaFM]"
* Re: [gentoo-hardened] Snort with Sguil and Prelude support, poll
From: Michael Boman @ 2003-08-06 13:49 UTC (permalink / raw
To: Gentoo Hardened ML
Thank you all for your support.
I have two ebuilds done here, one for the client and one for the server.
The server is not finished yet as I haven't written any start/stop
init.d scripts for it, and I think both these ebuilds are very fragile
as sguil depends on very specific versions of tcl & Co.
Anyway, please try them out and let me know how it goes. These ebuilds
are not official in any way, and are mostly useless as the sensor ebuilds
have not been created/patched yet. Having said that I'm sure Bamm (qru,
sguil head developer) would like to have your input. Either stop by at
#snort-gui @ freenode, or edit your sguil client configuration to point
to bamm.dyndns.org as server and use the built-in "chat".
So without any further ado, please proceed to
http://dev.gentoo.org/~mboman/sguil-client.tgz
http://dev.gentoo.org/~mboman/sguil-server.tgz
PS
These are very rough ebuilds, no changelog etc. If they break you get
to keep all the pieces.
I have no intention to put them on CVS until I've fixed those things
(and solar or method has given the ebuilds their blessings).
DS
Best regards
Michael Boman
--
Michael Boman
Security Architect, SecureCiRT Pte Ltd
http://www.securecirt.com
* Re: [gentoo-hardened] Snort with Sguil and Prelude support, poll
From: Ned Ludd @ 2003-08-06 21:00 UTC (permalink / raw
To: Gentoo Hardened ML
mboman,
Seems we got a broken dep here.
solar@simple sguil-client $ sguil.tk
-bash: /usr/bin/sguil.tk: /usr/bin/wishx: bad interpreter: No such file or directory
--
Ned Ludd <solar@gentoo.org>
Gentoo Linux Developer (Hardened)
* Re: [gentoo-hardened] Snort with Sguil and Prelude support, poll
From: Michael Boman @ 2003-08-06 21:22 UTC (permalink / raw
To: Ned Ludd; +Cc: Gentoo Hardened ML
On Thu, 2003-08-07 at 05:00, Ned Ludd wrote:
> mboman,
>
> Seems we got a broken dep here.
>
> solar@simple sguil-client $ sguil.tk
> -bash: /usr/bin/sguil.tk: /usr/bin/wishx: bad interpreter: No such file
> or directory
# qpkg -nc -v -f /usr/bin/wishx
dev-tcltk/tclx-8.3
DEPEND="
...
=dev-tcltk/tclx-8.3
...
"
That doesn't make sense...
Best regards
Michael Boman
--
Michael Boman
Security Architect, SecureCiRT Pte Ltd
http://www.securecirt.com
* Re: [gentoo-hardened] Snort with Sguil and Prelude support, poll
From: Ned Ludd @ 2003-08-06 21:39 UTC (permalink / raw
To: Gentoo Hardened ML
mboman,
Perhaps this might help.
---------------------------------
root@simple gentoo-x86 # emerge -pv tclx
These are the packages that I would merge, in order:
Calculating dependencies ...done!
[ebuild U ] dev-lang/tcl-8.4.3 [8.3.4]
[ebuild U ] dev-lang/tk-8.4.3 [8.3.4-r1]
[ebuild U ] dev-tcltk/tclx-8.3-r1 [8.3] +X
root@simple gentoo-x86 # which wishx
which: no wishx in (/sbin:/bin:/usr/sbin:/usr/bin)
root@simple gentoo-x86 # emerge -pv sguil-client
These are the packages that I would merge, in order:
Calculating dependencies ...done!
[ebuild R ] net-analyzer/sguil-client-0.2.5 +ssl
root@simple gentoo-x86 # epm -q -l tclx | grep wish
--
Ned Ludd <solar@gentoo.org>
Gentoo Linux Developer (Hardened)
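The failure Ned hit above is a script whose "#!" interpreter (/usr/bin/wishx) is not installed, which only shows up the first time someone runs sguil.tk. As an added example, not code from this thread or from the sguil ebuilds, here is a POSIX sh check that reads the shebang of every script in a directory and reports interpreters that are missing, so that kind of dependency gap is caught in a QA pass over the package's bin directory instead of at run time. The directory layout and the placeholder interpreter name used in testing are constructed for the example.

```shell
#!/bin/sh
# Added example (not part of the sguil ebuilds or this thread): find scripts
# whose "#!" interpreter is not installed, so a missing dependency shows up
# in a QA pass instead of as "bad interpreter: No such file or directory"
# the first time a user runs the script.

# Print the interpreter named on FILE's first line ("#!/usr/bin/wishx" ->
# "/usr/bin/wishx"; "#!/usr/bin/env tclsh" -> "tclsh"). Prints nothing and
# returns 0 when FILE has no shebang line.
shebang_interpreter() {
    first=$(head -n 1 "$1" 2>/dev/null | tr -d '\r')
    case "$first" in
        '#!'*) ;;
        *) return 0 ;;
    esac
    # Drop the "#!" and let word splitting separate interpreter from flags;
    # globbing is switched off so a stray "*" in the line stays literal.
    set -f
    set -- ${first#"#!"}
    set +f
    [ -n "${1:-}" ] || return 0
    if [ "$(basename "$1")" = "env" ] && [ -n "${2:-}" ]; then
        printf '%s\n' "$2"
    else
        printf '%s\n' "$1"
    fi
}

# Return 0 if INTERP is an executable absolute path, or (for a bare name as
# used with env) is found on PATH; return 1 otherwise.
interpreter_exists() {
    case "$1" in
        /*) [ -x "$1" ] ;;
        *)  command -v "$1" >/dev/null 2>&1 ;;
    esac
}

# Scan the regular files directly under DIR. Print one line per script whose
# interpreter is missing ("<file>: missing interpreter <path>") and return 1
# if any were found, 0 if the directory is clean. Files without a shebang
# (data files, ELF binaries) are skipped.
scan_broken_shebangs() {
    broken=0
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        interp=$(shebang_interpreter "$f")
        [ -n "$interp" ] || continue
        if interpreter_exists "$interp"; then
            continue
        fi
        printf '%s: missing interpreter %s\n' "$f" "$interp"
        broken=1
    done
    return "$broken"
}
```

Run `scan_broken_shebangs /usr/bin` (or point it at the image directory before merging) and treat a non-zero exit as a packaging bug: for the case in this thread it would have reported sguil.tk against /usr/bin/wishx, which is exactly the dependency the DEPEND line on tclx failed to deliver.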