Bug 39671 - Snort-sensor for Prelude not working
Status: RESOLVED UPSTREAM
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: x86 All
Importance: High normal
Assignee: Michael Boman (RETIRED)
Reported: 2004-01-28 08:50 UTC by Wouter Coppens
Modified: 2011-10-30 22:38 UTC

Attachments
Output of snort (snort_output.txt, 2.44 KB, text/plain), 2004-01-28 08:53 UTC, Wouter Coppens
Prelude-manager output (prelude-manager_output.txt, 708 bytes, text/plain), 2004-01-28 08:55 UTC, Wouter Coppens
snort.conf (snort.conf, 21.38 KB, text/plain), 2004-01-28 08:58 UTC, Wouter Coppens
emerge info (emerge.info.txt, 1.34 KB, text/plain), 2004-01-28 09:02 UTC, Wouter Coppens

Description Wouter Coppens 2004-01-28 08:50:29 UTC
Emerged prelude as described in the manual.

Added 'prelude' to use-flags and emerged snort. No errors.

Modified snort.conf and added:
output alert_prelude: async, classification_file=/etc/snort/prelude-classification.config
Ran: sensor-adduser -s snort -m 127.0.0.1 -u 0

Prelude is dumping in a mysql database and the results are shown in piwi.

If I use prelude-nids, everything is working fine. I see some alerts in piwi.

If I replace prelude-nids with snort, I can see alerts in /var/log/snort/alert, but nothing in piwi. I ran portscans and other things to generate alerts.

I have not changed anything in /etc/conf.d, so everything is like a fresh install. Snort is running as user snort (with uid 1000).

Reproducible: Always
Comment 1 Wouter Coppens 2004-01-28 08:53:38 UTC
Created attachment 24538: Output of snort
Comment 2 Wouter Coppens 2004-01-28 08:55:10 UTC
Created attachment 24539: Prelude-manager output
Comment 3 Rajiv Aaron Manglani (RETIRED) gentoo-dev 2004-01-28 08:55:40 UTC
please attach the output of 'emerge info'.
Comment 4 Wouter Coppens 2004-01-28 08:58:45 UTC
Created attachment 24541: snort.conf
Comment 5 Wouter Coppens 2004-01-28 09:02:32 UTC
Created attachment 24542: emerge info
Comment 6 Michael Boman (RETIRED) gentoo-dev 2004-01-28 21:02:33 UTC
The prelude plugin for snort does not handle -u/-g flags properly. Either run snort as root or change to prelude-nids.

I will notify the patch author about the issue, and update the ebuild once the issue has been resolved.

If you decide to run snort as root, please take a look at GRSecurity, SELinux or systrace to restrict the power of snort.

You could also run snort in a chroot environment: add "-t /var/log/snort" to the command line. You might need to change the log directory path to "." if you do this and use any other output format than alert_prelude.