Wednesday, August 25, 2010

Intrusion Detection Service in IPCOP

Intrusion Detection had stopped on my IPCop, version 1.4.1, a while ago. I tried to start all three of them through the GUI but got a "failed to start" message.
I logged in to the IPCop console.
I checked the installed version of snort, which was older than the latest one.

root@firewall:/etc/snort/rules # snort --version
snort: unrecognized option `--version'

,,_ -*> Snort! <*-
o" )~ Version 2.6.1.5 (Build 59)
'''' By Martin Roesch & The Snort Team: http://www.snort.org/team.html
(C) Copyright 1998-2007 Sourcefire Inc., et al.


When I tried to start snort with this command

root@firewall:~ # snort -c /etc/snort/snort.conf -l /var/log/snort/


I got an error saying there was a problem on line 38 of the exploit.rules file located in the /etc/snort/rules/ folder.
When I commented out that line, it gave an error on line 39 instead.

Solution
Replace the existing rules folder with a working one.
For that I installed the latest snort on my laptop and checked its version.
imran@imran-laptop~ $ sudo apt-get install snort-mysql
imran@imran-laptop~ $ snort --version


,,_ -*> Snort! <*-
o" )~ Version 2.8.5.2 (Build 121)
'''' By Martin Roesch & The Snort Team: http://www.snort.org/snort/snort-team
Copyright (C) 1998-2009 Sourcefire, Inc., et al.
Using PCRE version: 7.8 2008-09-05


and copied the rules folder over to the IPCop
imran@imran-laptop~ $ scp '-P 22' exploit.rules root@10.10.0.1:/root

Then I made a .tar of the existing rules folder on the IPCop

root@firewall:/etc/snort/rules # tar -cvf rules.tar .

and replaced it with the one copied from my laptop, then changed the ownership to nobody:nobody

root@firewall:/etc/snort/rules # chown -R nobody:nobody rules


Now IPCop has the new rules list, although these rules came from a newer version of Snort, 2.8.6.
When I restarted snort from the console with the above command, there was no error this time and it started straight away.
After that I could start and stop it from the GUI successfully.
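The steps above (find the rule line snort chokes on, tar up the old rules folder, drop in the replacement, fix ownership) can be wrapped in a small shell helper. The script below is an added example and is not code from this post, from IPCop or from the Snort project. It assumes the rules directory and the replacement directory are passed as arguments, and it takes the owner as an argument (the post uses nobody:nobody) so it can be tried without root; the sample rule files it writes are constructed for the example. The lint only catches syntax problems (a bad header, unbalanced parentheses, a missing semicolon before the closing parenthesis); a rule option the installed snort version does not know about will still be reported by snort itself, which is why the script finishes with snort's own configuration test when snort is installed.

```shell
#!/bin/sh
# Added example (not from the original post, IPCop or Snort): find the first
# malformed line in a Snort rules file, then replace a rules directory only
# after archiving the old one with tar, as the post does by hand.
# All paths, function names and sample rules here are constructed.

# lint_rules FILE
# Prints "FILE:LINE: reason" for the first line that does not look like a
# Snort rule and returns 1; prints nothing and returns 0 when all pass.
# Checks: line starts with a rule action, the header has seven tokens
# before "(", parentheses balance, and the option list ends with ";".
lint_rules() {
    awk '
    /^[ \t]*(#|$)/ { next }                  # skip comments and blank lines
    {
        line = $0
        # a rule may continue over several lines with a trailing backslash
        while (line ~ /\\[ \t]*$/ && (getline nxt) > 0) {
            sub(/\\[ \t]*$/, "", line); line = line nxt
        }
        if (line !~ /^[ \t]*(alert|log|pass|drop|reject|sdrop|activate|dynamic)[ \t]/) {
            printf "%s:%d: does not start with a rule action\n", FILENAME, NR; exit 1
        }
        nopen = gsub(/\(/, "(", line); nclose = gsub(/\)/, ")", line)
        if (nopen != nclose || line !~ /\)[ \t]*$/) {
            printf "%s:%d: unbalanced or unterminated option block\n", FILENAME, NR; exit 1
        }
        hdr = line; sub(/\(.*/, "", hdr)
        if (split(hdr, f) != 7) {
            printf "%s:%d: header must be: action proto src sport -> dst dport\n", FILENAME, NR; exit 1
        }
        opts = line; sub(/^[^(]*\(/, "", opts); sub(/\)[ \t]*$/, "", opts)
        if (opts !~ /;[ \t]*$/) {
            printf "%s:%d: last option lacks its terminating semicolon\n", FILENAME, NR; exit 1
        }
    }' "$1"
}

# check_rules DIR
# Lints every *.rules file in DIR. Diagnostics go to stderr; the number of
# failing files is printed to stdout so a caller can capture it.
check_rules() {
    bad=0
    for f in "$1"/*.rules; do
        [ -e "$f" ] || continue
        lint_rules "$f" >&2 || bad=$((bad + 1))
    done
    echo "$bad"
}

# replace_rules OLD_DIR NEW_DIR OWNER
# Archives OLD_DIR beside itself as OLD_DIR.<timestamp>.tar, then replaces
# its *.rules files with those from NEW_DIR and applies OWNER (user:group).
# Runs in a subshell so its variables stay local; prints the archive path.
replace_rules() (
    old=${1%/}; new=${2%/}; owner=$3
    backup="$old.$(date +%Y%m%d%H%M%S).tar"
    tar -cf "$backup" -C "$old" . || exit 1
    rm -f "$old"/*.rules
    cp "$new"/*.rules "$old"/ || exit 1
    chown -R "$owner" "$old" || exit 1
    printf '%s\n' "$backup"
)

# write_sample_rules DIR
# Constructed sample input: one well-formed file (with a continuation line)
# and one whose second rule is missing the semicolon before ")", which is
# the kind of line snort reports by number when it refuses to start.
write_sample_rules() {
    mkdir -p "$1"
    cat > "$1/good.rules" <<'EOF'
# constructed sample rule, not from any real ruleset
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"sample HTTP probe"; \
    flow:to_server,established; content:"/probe"; nocase; sid:1000001; rev:1;)
EOF
    cat > "$1/bad.rules" <<'EOF'
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"ok line"; sid:1000002; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 23 (msg:"broken line"; sid:1000003; rev:1)
EOF
}

# Usage: sh snortrules.sh /etc/snort/rules /root/new-rules nobody:nobody
if [ $# -eq 3 ]; then
    if [ "$(check_rules "$2")" -ne 0 ]; then
        echo "replacement rules failed lint; leaving $1 untouched" >&2
        exit 1
    fi
    echo "old rules archived to $(replace_rules "$1" "$2" "$3")"
    # let snort itself validate the full configuration (-T = test mode)
    if command -v snort >/dev/null 2>&1; then
        snort -T -c /etc/snort/snort.conf
    fi
fi
```

The lint runs on the replacement directory before anything is touched, so a bad rules file from the laptop never reaches the firewall, and the tar archive written by replace_rules is the rollback path if the new set still fails snort's own test.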

1 comment:

prolix said...

Your excellent guidelines will be of great help to many. Nice post. I enjoyed reading it. Thanks! Intrusion Detection