Activeworx.org Forums
 
New Post 3/25/2008 12:08 AM
  mattspierce
2 posts
No Ranking


Uploading Policy Fails 
 I've been trying to work out what's going on for a few days now and I need help.  Uploading a policy to my sensor results in the following error message.

Policy Log
----------

Gathering Information: Started
Gathering Information: Complete
Build Policy from Database: Started
Build Policy from Database: Complete

Upload Log
----------

Connect to Sensor: Started
Error during Logon: Received unexpected channel request from server.

Restart Log
-----------

Doing a test connection on the sensor yields the following error.

Connect - OK
Executing -uname -a;id
Error - Command return :1
Disconnect - Command return : 1

The sensor's log file shows the user connects and then disconnects.

I've fidgeted with the sshd config for a few days now.  I've tried certificate auth, Challengeauth on and off, password auth on/off, GSSAPI off, PAM on and off.  Now I'm stuck.



 
New Post 3/25/2008 2:56 AM
  Jeff Dell
237 posts
www.activeworx.com
1st Level Poster


Re: Uploading Policy Fails 
Can you use something like PuTTY and SSH into the box from the host that is running IDSPM? If so, what happens when you run uname -a? Also, what is the underlying OS?

Cheers,
Jeff
 
New Post 3/25/2008 3:43 PM
  mattspierce
2 posts
No Ranking


Re: Uploading Policy Fails 
Thanks for the follow up,  a new day, a new viewpoint.  I had shell=/bin/false on my snort account.  Makes sense for a service account when I think about what I was thinking about.
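
The cause found above, as an added example that is not part of the original posts: sshd serves a remote command by running the account's login shell with `-c`, so a shell of /bin/false authenticates and then exits with status 1, which matches "Connect - OK" followed by "Command return :1". The passwd entries, the `idspm` account and the function names are constructed for illustration.

```shell
#!/bin/sh
# Constructed /etc/passwd-format sample (not taken from the thread).
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/sh
snort:x:501:501:Snort IDS:/var/log/snort:/bin/false
idspm:x:502:502:Policy upload:/home/idspm:/bin/sh'

# Print the login shell (7th field) for user $1 from passwd-format text $2.
# Exit status is non-zero when the user is not listed.
login_shell() {
    printf '%s\n' "$2" |
        awk -F: -v u="$1" '$1 == u { print $7; found = 1 } END { exit !found }'
}

# Run command $2 the way sshd serves an exec request: "<login shell> -c <command>".
# Prints the exit status the client would see.
exec_status() {
    status=0
    "$1" -c "$2" >/dev/null 2>&1 || status=$?
    echo "$status"
}

# Classify account $1 (looked up in passwd text $2) for remote command use.
check_account() {
    shell=$(login_shell "$1" "$2") || { echo "unknown-user"; return 0; }
    [ -x "$shell" ] || { echo "shell-missing $shell"; return 0; }
    rc=$(exec_status "$shell" 'uname -a; id')   # the probe shown in the test connection
    if [ "$rc" -eq 0 ]; then
        echo "ok $shell"
    else
        echo "no-exec $shell status=$rc"
    fi
}

# On a real sensor, check the live database: check_account snort "$(getent passwd)"
for user in snort idspm; do
    echo "$user: $(check_account "$user" "$SAMPLE_PASSWD")"
done
```

Keeping /bin/false on the snort service account and giving the policy upload a separate account with a real shell preserves the reason the shell was locked down in the first place.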
 
New Post 6/9/2008 5:43 PM
  Fenrir
8 posts
No Ranking


Re: Uploading Policy Fails 

Hi,

 

I've got the same kind of problem. When I try to upload a policy to my snort sensor, when I hit "start", I get the status "Sensor needs to be updated", and the "progress" bar becomes "log" bar in a flash, the log contains: "Error Uploading to Sensor : Input string was not in a correct format."

 

IDSPM 2.2.0.20 (stand alone) is installed on a classic winXP box, Snort 2.8.1 is on a fedora core 8 box.

I don't know linux well yet, so I was wondering if there was something I missed. The Upload protocol is File copy, to the directory where snort is installed on fedora, the authentication is by password, using a classic user access.

 

I was wondering another thing, not really related to this matter. Where does IDSPM get the rules ? Is it taking them from where snort is installed ?

 

Thanks in advance, and if you need some more information, I'll answer fast enough ^^

 
New Post 6/18/2008 1:53 PM
  cx
18 posts
10th Level Poster


Re: Uploading Policy Fails 

 Fenrir wrote

Hi,

 

I've got the same kind of problem. When I try to upload a policy to my snort sensor, when I hit "start", I get the status "Sensor needs to be updated", and the "progress" bar becomes "log" bar in a flash, the log contains: "Error Uploading to Sensor : Input string was not in a correct format."

 

IDSPM 2.2.0.20 (stand alone) is installed on a classic winXP box, Snort 2.8.1 is on a fedora core 8 box.

I don't know linux well yet, so I was wondering if there was something I missed. The Upload protocol is File copy, to the directory where snort is installed on fedora, the authentication is by password, using a classic user access.

 

I was wondering another thing, not really related to this matter. Where does IDSPM get the rules ? Is it taking them from where snort is installed ?

 

Thanks in advance, and if you need some more information, I'll answer fast enough ^^

 

Try and set your upload protocol to SFTP. Also ensure that the user you are using to upload the file is the same user as what snort is running with.

 

Cheers

 

Craig

 
New Post 6/18/2008 3:36 PM
  Fenrir
8 posts
No Ranking


Re: Uploading Policy Fails 

I've tried that as well, with the snort user and with the root and my own account as well but to no avail -_-

Does snort need to be off for this to work ?

 
New Post 7/7/2008 12:24 PM
  Fenrir
8 posts
No Ranking


Re: Uploading Policy Fails 

Hi, I'm back ^^

 

I've upgraded to 2.2.0.23 and the problem I had (cf above) has vanished, the upload starts \o/

 

However, I have now another upload problem, here is the log:

 Policy Log
----------

Gathering Information: Started
Gathering Information: Complete
Build Policy from Database: Started
Build Policy from Database: Complete

Upload Log
----------

Connect to Sensor: Started
Connect to Sensor: Complete
Uploading to Sensor Test using sftp.

Local file: d:\Documents and Settings\<MyID>\Application Data\Activeworx\IDS Policy Manager SA\tmp\PID16\382
Error Creating to Directory : /etc/snort/rules - Directory Could already be made
Setting Remote Path: /etc/snort/rules
Set Remote Path: /etc/snort/rules
RemoteFile: bad-traffic.rules
Error Uploading File: d:\\Documents and Settings\\<MyID>\\Application Data\\Activeworx\\IDS Policy Manager SA\\tmp\\PID16\\382 - Server error (3): Permission denied
Error Uploading to Sensor : Error Uploading File: Server error (3): Permission denied

Restart Log

I've not changed my configuration since the last time, but it looks like something is missing and I could use some help :)

 

 

 
New Post 7/7/2008 1:22 PM
  Jeff Dell
237 posts
www.activeworx.com
1st Level Poster


Re: Uploading Policy Fails 

 Fenrir wrote

Local file: d:\Documents and Settings\<MyID>\Application Data\Activeworx\IDS Policy Manager SA\tmp\PID16\382
Error Creating to Directory : /etc/snort/rules - Directory Could already be made
Setting Remote Path: /etc/snort/rules
Set Remote Path: /etc/snort/rules
RemoteFile: bad-traffic.rules
Error Uploading File: d:\\Documents and Settings\\<MyID>\\Application Data\\Activeworx\\IDS Policy Manager SA\\tmp\\PID16\\382 - Server error (3): Permission denied
Error Uploading to Sensor : Error Uploading File: Server error (3): Permission denied

What this is saying is that IDSPM is trying to upload a file to /etc/snort/rules and the snort sensor that you are uploading to is not allowing it because of a permissions issue. You need to check permissions on this Snort sensor to make sure the user that you are using to connect to the box is allowed to copy a file to this directory.

Cheers,

Jeff

 
New Post 7/7/2008 1:29 PM
  Jeff Dell
237 posts
www.activeworx.com
1st Level Poster


Re: Uploading Policy Fails 

 Fenrir wrote

I was wondering another thing, not really related to this matter. Where does IDSPM get the rules ? Is it taking them from where snort is installed ?

IDSPM gets its rules from when it creates a policy. You have to provide them or they can be downloaded from the web. IDSPM then puts them into an internal database to manage them. When you upload them to the sensor they are pulled from the database and then uploaded.

As for upload problems.. most of the time it is a permissions issue of some kind. From passwords to directory permission.

Cheers,

Jeff

 
New Post 7/7/2008 4:12 PM
  Fenrir
8 posts
No Ranking


Re: Uploading Policy Fails 

I've tried to connect with the root account, but this time I had another error :

 

Local file: d:\Documents and Settings\\Application Data\Activeworx\IDS Policy Manager SA\tmp\PID19\544
Error Creating to Directory : /etc/rules/ - Directory Could already be made
Setting Remote Path: /etc/rules/
Error Setting Remote Path : /etc/rules/
RemoteFile: bad-traffic.rules
Error Uploading File: d:\\Documents and Settings\\\\Application Data\\Activeworx\\IDS Policy Manager SA\\tmp\\PID19\\544 - Server error (2): No such file
Error Uploading to Sensor : Error Uploading File: Server error (2): No such file

It seems to try to upload in the folder /etc/rules, but the upload directory is set to /etc/snort

I even tried to delete and add again the sensor, but with no change. I don't have any idea of why it's doing this (At least I was suspecting something for the last one ^^).

 

Curiously, I tried to use file copy instead of sftp, IDSPM says it went fine, but the snort.conf and the threshold.conf did not change a bit (I've modified variables to be sure to see something). They should have been overwritten by the upload, am I right ?

 
New Post 7/7/2008 6:52 PM
  Jeff Dell
237 posts
www.activeworx.com
1st Level Poster


Re: Uploading Policy Fails 

The reason why it is uploaded to /etc/rules is because that is probably what the variable is set to in the policy. Try checking the directory for the rule groups by clicking on the groups tree node and then check the variable that is set for the rule groups.

Cheers,

Jeff
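
The two server errors discussed in the replies above, as an added example that is not part of the original posts: SFTP status 2 is "no such file" and status 3 is "permission denied", and this check, run on the sensor as the upload account, reports which path component would produce each. The function name and the temporary directory layout are constructed; the directory argument is assumed to be an absolute path.

```shell
#!/bin/sh
# Predict the SFTP status for writing file $2 into directory $1 as the current user.
# Prints "<code> <reason> <path>" with the codes seen in the upload log:
# 0 = OK, 2 = no such file, 3 = permission denied.
upload_precheck() {
    dir=$1 file=$2 path=
    old_ifs=$IFS
    IFS=/
    set -f                      # no globbing while the path is split on "/"
    set -- $dir
    set +f
    IFS=$old_ifs
    for part in "$@"; do
        [ -n "$part" ] || continue
        path="$path/$part"
        # A missing component gives status 2, as with /etc/rules/ in the log.
        [ -d "$path" ] || { echo "2 missing $path"; return 0; }
        # Every directory on the way needs search (x) permission.
        [ -x "$path" ] || { echo "3 no-search $path"; return 0; }
    done
    # Creating a new file needs write permission on the target directory.
    [ -w "$path" ] || { echo "3 dir-not-writable $path"; return 0; }
    # Overwriting an existing rules file needs write permission on the file itself.
    if [ -e "$path/$file" ] && [ ! -w "$path/$file" ]; then
        echo "3 file-not-writable $path/$file"
        return 0
    fi
    echo "0 ok $path/$file"
}

# Constructed layout under a temp dir: one existing rules directory, one missing.
demo=$(mktemp -d)
mkdir -p "$demo/etc/snort/rules"
upload_precheck "$demo/etc/snort/rules" bad-traffic.rules
upload_precheck "$demo/etc/rules/" bad-traffic.rules
rm -rf "$demo"
```

Run as root, the permission tests always pass, so the check is only meaningful when run as the account IDSPM logs in with.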

 
New Post 7/9/2008 11:15 AM
  Fenrir
8 posts
No Ranking


Re: Uploading Policy Fails 

ok, that was dumb of me, forgot to change the var after setting the policy anew ^^'

 

well, anyway I'm back to error (3), and I don't think it's coming from the snort machine itself as I've put permissions 777 to the directory, and logging (in IDSPM sensor) as root.

I've yet to try running IDSPM with admin rights from my windows machine, however (gotta find the password first, though).

 

Oh, and I've news about that file copy I was speaking of earlier. Seems like it's copying in /etc/snort on the windows machine running IDSPM (randomly choosing c: or d:) instead of copying it to the snort machine. I can't say if this is normal behavior or not, but I find it odd enough to mention it while we're on this kind of subjects.

 

Some other things I've come across:

I'd like to know if portvar gestion will be added in future versions.

I'm also wondering what is done about the preproc_rules.

Then, I'm interested in understanding how creating and upgrading policies works. I've understood thanks to ray that to create the policy, the snort.conf and rules must be in the same directory. However, as upgrading can take the tarball directly from the web, I'm wondering if upgrading works the same as creating. Does upgrading reload the snort.conf or does it just take the new rules files and add the include in the database?

 

 

I'll keep you informed, and thanks for the time you take to answer my noobish questions ^^

Sylvain

 
New Post 7/15/2008 1:57 PM
  Jeff Dell
237 posts
www.activeworx.com
1st Level Poster


Re: Uploading Policy Fails 

 Fenrir wrote

 well, anyway I'm back to error (3), and I don't think it's coming from the snort machine itself as I've put permissions 777 to the directory, and logging (in IDSPM sensor) as root.

I've yet to try running IDSPM with admin rights from my windows machine, however (gotta find the password first, though).

 

Admin rights shouldn't have anything to do with uploading. Policies are copied from the db to the user profile directory. So it shouldn't be an issue. I would try to break out an scp tool and make sure you can manually copy a file via SCP.

 

 Fenrir wrote

Oh, and I've news about that file copy I was speaking of earlier. Seems like it's copying in /etc/snort on the windows machine running IDSPM (randomly choosing c: or d:) instead of copying it to the snort machine. I can't say if this is normal behavior or not, but I find it odd enough to mention it while we're on this kind of subjects.

 

Nothing should be random. It always does something for a reason. Can you post some of the log data? Each uploaded file is logged on where the file is uploaded to.

 

 
 Fenrir wrote

Some other things I've come across:

I'd like to know if portvar gestion will be added in future versions.

 

I am not sure what you mean by gestion.

 
 Fenrir wrote

I'm also wondering what is done about the preproc_rules.

 

These will be added in v3.

 

 
 Fenrir wrote

Then, I'm interested in understanding how creating and upgrading policies works. I've understood thanks to ray that to create the policy, the snort.conf and rules must be in the same directory. However, as upgrading can take the tarball directly from the web, I'm wondering if upgrading works the same as creating. Does upgrading reload the snort.conf or does it just take the new rules files and add the include in the database?

 

Only rules are updated when you update a policy.

Cheers,

Jeff

 
New Post 7/16/2008 11:02 AM
  Fenrir
8 posts
No Ranking


Re: Uploading Policy Fails 
(Modified By Fenrir on 7/16/2008 5:08:50 AM)

 Admin rights shouldn't have anything to do with uploading. Policies are copied from the db to the user profile directory. So it shouldn't be an issue. I would try to break out an scp tool and make sure you can manually copy a file via SCP.

You were right, I missed some rights to tweak on my snort box. Seems to be working fine now. I'll think about making me harakiri for such noobiness ^^'

 

 

 Fenrir wrote

Oh, and I've news about that file copy I was speaking of earlier. Seems like it's copying in /etc/snort on the windows machine running IDSPM (randomly choosing c: or d:) instead of copying it to the snort machine. I can't say if this is normal behavior or not, but I find it odd enough to mention it while we're on this kind of subjects.

 

Nothing should be random. It always does something for a reason. Can you post some of the log data? Each uploaded file is logged on where the file is uploaded to.

I used the term random because I do not know the reason. I'm sure there's one ;)

I've just tried again, a new etc\snort directory with snort files inside has been created in my D: drive, and the log is:

 Policy Log
----------

Gathering Information: Started
Gathering Information: Complete
Build Policy from Database: Started
Build Policy from Database: Complete

Upload Log
----------

Connect to Sensor: Started
Uploading to Sensor Test using fc.

Done Uploading to Sensor Test.

Restart Log

The first time I noticed this, it was in the C: drive.

 

 I am not sure what you mean by gestion.

My bad, a slip from my native language (^^'). I meant management. Basically, there are now portvars in the snort.conf, but we cannot modify them with IDSPM yet.

 

 

Well, I think I'm done with bothering you with my questions, thanks for your patience and help :)

Sylvain

 edit: well, maybe not, I still have policies and update policies issues, but I'll keep that for another day and another thread ;)

 
New Post 7/17/2008 7:04 PM
  Jeff Dell
237 posts
www.activeworx.com
1st Level Poster


Re: Uploading Policy Fails 

As for the log, take it out of fast mode and try to upload it again.

 

 Fenrir wrote

My bad, a slip from my native language (^^'). I meant management. Basically, there are now portvars in the snort.conf, but we cannot modify them with IDSPM yet.

 

IDSPM does support portvars. If you have a problem with them, let us know.

 

Cheers,

Jeff

 
New Post 7/18/2008 10:57 AM
  Fenrir
8 posts
No Ranking


Re: Uploading Policy Fails 
(Modified By Fenrir on 7/18/2008 4:58:33 AM)

I tried to upload in file copy mode with "fast" unchecked. I found  \etc\snort on the c: drive this time and no change on the snort side ^^'

 

 Jeff Dell wrote

IDSPM does support portvars. If you have a problem with them, let us know.

It's not that I have a problem, it's just that I don't see where I can set the portvars. I do see the "variables" section, but "portvar HTTP_PORTS 80" (for example) is nowhere to be seen. But they are still uploaded in the snort.conf so that's not a big issue yet ^^

 
Copyright 2000-2007 by Activeworx, Inc.