You Are Here : Forums Sunday, July 06, 2008
     
Activeworx.org Forums
 
  Forum  IDS Policy Mana...  IDS Policy Mana...  Using IDSPM with Snort on a remote Windows server?
Previous Previous
 
Next Next
New Post 12/18/2007 6:21 PM
  Ray
53 posts
6th Level Poster


Using IDSPM with Snort on a remote Windows server? 
I'm trying to set up IDSPM, ASC version, v2.2.0.22 to manage a Windows Snort 2.8.0.1 sensor. I want to try using Snort on Server 2003 as a HIDS.

1. If I set the Upload Settings to File Copy,  \\servername\d$\snort\etc , snort.conf, and try to upload the policy, the log shows it worked but there are no rules files. The snort.conf file does get uploaded correctly. I did create a new "rules" folder under D:\snort\etc and set the RULES_PATH variable to "rules" just as I do for Linux. Even if I set the explicit path of D:\Snort\Etc\Rules, it doesn't work. I get a "device not ready" log message.

FWIW, the Security event log shows it's doing the file copy under my domain credentials, not what I have set in the Authentication window, which is OK by me. If this is the way a File Copy is supposed to work, maybe the Authentication tab can be disabled?

2. When I try to set the Authentication to the local administrator account in the form of server\administrator I run into a 16-character limit on the field.

3. The Restart Settings don't save. I'm setting it to a batch file on the Snort server using UNC syntax. Restart After Upload un-checks itself and it goes back to Script via SSH instead of Local DOS Script. It does retain what I typed for Restart Script: \\servername\d$\SnortRestart.bat

4. How do I set the Sensor ID to the new sensor? The only ones that show up are the ones that are already present.

Thanks,

Ray
 
New Post 12/18/2007 6:59 PM
  Ray
53 posts
6th Level Poster


Re: Using IDSPM with Snort on a remote Windows server? 
 
3. The Restart Settings don't save. I'm setting it to a batch file on the Snort server using UNC syntax. Restart After Upload un-checks itself and it goes back to Script via SSH instead of Local DOS Script. It does retain what I typed for Restart Script: \\servername\d$\Snort\SnortRestart.bat


I just discovered that if I browse to the UNC share of \\servername\d$\Snort and click on SnortRestart.bat the behavior is different. Even though the settings do not appear to save yet, when I upload a policy I now get a DOS windows momentarily on my computer and the sensor service does restart. It appears to be a cosmetic problem partially. It still shows a dimmed "Script via SSH" but it's definitely executing the remote batch file now.

I'm not sure why it would not work when I just typed it in and does work now when I browsed to it, though. I'm sure I didn't typo it when I typed it because I executed it manually from a command prompt on my computer to make sure it worked before I copied it in.

FWIW,

Ray
 
New Post 12/18/2007 8:07 PM
  Jeff Dell
219 posts
www.activeworx.com
1st Level Poster


Re: Using IDSPM with Snort on a remote Windows server? 

 rpesek wrote
1. If I set the Upload Settings to File Copy,  \\servername\d$\snort\etc , snort.conf, and try to upload the policy, the log shows it worked but there are no rules files. The snort.conf file does get uploaded correctly. I did create a new "rules" folder under D:\snort\etc and set the RULES_PATH variable to "rules" just as I do for Linux. Even if I set the explicit path of D:\Snort\Etc\Rules, it doesn't work. I get a "device not ready" log message.

FWIW, the Security event log shows it's doing the file copy under my domain credentials, not what I have set in the Authentication window, which is OK by me. If this is the way a File Copy is supposed to work, maybe the Authentication tab can be disabled?

 

It uploads based on the directory you put in the policy. If you have "D:\Snort\Etc\Rules" for a directory, it will try to copy it to that directory. What you need to do is put "..\rules" and it should work.

 

 rpesek wrote

2. When I try to set the Authentication to the local administrator account in the form of server\administrator I run into a 16-character limit on the field.

 

This has been fixed in 2.2.0.23.

 

 rpesek wrote

3. The Restart Settings don't save. I'm setting it to a batch file on the Snort server using UNC syntax. Restart After Upload un-checks itself and it goes back to Script via SSH instead of Local DOS Script. It does retain what I typed for Restart Script: \\servername\d$\SnortRestart.bat

 

Just so you know this script will run on the local machine and not on the remote machine. To restart a service on a remote machine use the "sc.exe" command. I will look into why this isn't working. I looked at it with IDSPM Stand Alone and it worked fine. I will let you know.

 

 rpesek wrote

4. How do I set the Sensor ID to the new sensor? The only ones that show up are the ones that are already present.

 

Snort is kind of finiky about how it creates sensor id's. Because of this you have to wait until one is created by snort. The only thing that you will not have is the link between the events and policy. once the first event is created you can set this. but... now that we don't use sensor ID's and we use the sensor name, we might be able to get around this without much difficulty. I will look into this.

 

Cheers,

Jeff
 
New Post 12/18/2007 8:53 PM
  Ray
53 posts
6th Level Poster


Re: Using IDSPM with Snort on a remote Windows server? 
 It uploads based on the directory you put in the policy. If you have "D:\Snort\Etc\Rules" for a directory, it will try to copy it to that directory. What you need to do is put "..\rules" and it should work.


Worked perfectly. That had to be the only permutation I didn't try, of course. :-)


 Just so you know this script will run on the local machine and not on the remote machine. To restart a service on a remote machine use the "sc.exe" command. I will look into why this isn't working. I looked at it with IDSPM Stand Alone and it worked fine. I will let you know.


I wanted a standard batch file I could use with minimal modification. It goes on each Snort sensor and has this syntax:


START /w sc \\ipaddress stop SnortSvc

sc \\ipaddress start SnortSvc


It is located on the remote machine (so I don't have to have them all on my computer) and does execute on my computer and works OK.

[/QUOTE]


 

resek wrote

4. How do I set the Sensor ID to the new sensor? The only ones that show up are the ones that are already present.

 

Snort is kind of finiky about how it creates sensor id's. Because of this you have to wait until one is created by snort. The only thing that you will not have is the link between the events and policy. once the first event is created you can set this. but... now that we don't use sensor ID's and we use the sensor name, we might be able to get around this without much difficulty. I will look into this.


So, as soon as Snort picks something up and writes to the MySQL database, it will appear (what I entered in the database output plugin)? That'll work.


Thanks for the quick responses,


Ray
 
 Page 1 of 1
Previous Previous
 
Next Next
  Forum  IDS Policy Mana...  IDS Policy Mana...  Using IDSPM with Snort on a remote Windows server?
 
 
Copyright 2000-2007 by Activeworx, Inc.
All trademarks and copyrights on this page are owned by their respective owners.