Netgate Discussion Forum

Snort/ACID {now $100} Contribute!

Expired/Withdrawn Bounties
16 Posts 12 Posters 14.0k Views
    xibalba
    last edited by Oct 21, 2006, 2:25 PM Oct 16, 2006, 4:58 PM

    Hi,
    I love the new snort package and think it's a great addition. However the console to view the Snort output can be a little painful on the eyes. I'm willing to put $50 to the project or someone who can create an add-on package for Snort with ACID (Analysis Console for Intrusion Databases (http://acidlab.sourceforge.net/)). I'm hoping others will add on to this contribution to get the ball rolling. It could be an awesome addition to pfSense for any sized network.
    Thanks

      billm
      last edited by Oct 16, 2006, 5:57 PM

      @xibalba:

      Hi,
      I love the new snort package and think it's a great addition. However the console to view the Snort output can be a little painful on the eyes. I'm willing to put $50 to the project or someone who can create an add-on package for Snort with ACID (Analysis Console for Intrusion Databases (http://acidlab.sourceforge.net/)). I'm hoping others will add on to this contribution to get the ball rolling. It could be an awesome addition to pfSense for any sized network.
      Thanks

I might be willing to spend some time working on something along these lines (probably not ACID though).  I do have some questions, in the case of using ACID, where would you expect the MySQL database to run?  And why would you want ACID to run on the pfSense box itself?  Would it be acceptable to allow Snort to be configured such that it pointed at a MySQL database host of your choosing, allowing you to run ACID wherever you wanted?

      –Bill

      pfSense core developer
      blog - http://www.ucsecurity.com/
      twitter - billmarquette

        xibalba
        last edited by Oct 16, 2006, 6:05 PM Oct 16, 2006, 6:03 PM

Having Snort be able to redirect its output to another MySQL/ACID (or other app) server would be a great idea. However, given that you're able to install pfSense on a lot beefier hardware than its m0n0wall embedded equivalent, I would think many would benefit from having ACID/MySQL on the pfSense machine itself. For example, I recently turned one of my friends who works for a huge clothing retailer in the states onto pfSense. He's excited about the Snort package and CARP and is using pfSense on a P4 2GHz with 100GB hard drives. In this situation it would be much better for him to be able to run everything on the one pfSense box rather than have to convince his boss to install another box. What do you think Bill? Also, aside from ACID there is another app by the name of Sguil (http://sguil.sourceforge.net/) which might also be a good addition to pfSense.

I'm really hoping more people can contribute additional money to this package and/or the project to get the ball running on this. What you guys have done with this project is amazing! As soon as my company (IT Consultant) starts to generate some money, I'm definitely throwing it in the direction of pfSense.
        Thanks guys.

          billm
          last edited by Oct 16, 2006, 9:54 PM

          @xibalba:

Having Snort be able to redirect its output to another MySQL/ACID (or other app) server would be a great idea. However, given that you're able to install pfSense on a lot beefier hardware than its m0n0wall embedded equivalent, I would think many would benefit from having ACID/MySQL on the pfSense machine itself. For example, I recently turned one of my friends who works for a huge clothing retailer in the states onto pfSense. He's excited about the Snort package and CARP and is using pfSense on a P4 2GHz with 100GB hard drives. In this situation it would be much better for him to be able to run everything on the one pfSense box rather than have to convince his boss to install another box. What do you think Bill? Also, aside from ACID there is another app by the name of Sguil (http://sguil.sourceforge.net/) which might also be a good addition to pfSense.

I'm really hoping more people can contribute additional money to this package and/or the project to get the ball running on this. What you guys have done with this project is amazing! As soon as my company (IT Consultant) starts to generate some money, I'm definitely throwing it in the direction of pfSense.
          Thanks guys.

          Still not terribly comfortable with installing MySQL in pfSense.  Anyone know if there's a sqlite plugin for snort?  A quick Google search didn't turn up anything obvious (other than people asking the same thing), but maybe someone has run into something.

          –Bill

          pfSense core developer
          blog - http://www.ucsecurity.com/
          twitter - billmarquette

            DanielSHaischt
            last edited by Oct 16, 2006, 10:20 PM

            What do you think about SAM?

            -> http://freesoftware.lookandfeel.com/sam/faq.html
            -> http://freesoftware.lookandfeel.com/sam/screenshots.html (scroll down the page)

With kind regards
            DAn.I.El S. Haischt

              althornin
              last edited by Oct 16, 2006, 11:23 PM

              Let's not use ACID - it hasn't been updated in ages.
              BASE - Basic Analysis and Security Engine - is the continuation of the ACID project.
              http://secureideas.sourceforge.net/

                billm
                last edited by Oct 17, 2006, 4:45 AM

                Yeah, BASE would be more appropriate than ACID for exactly the reasons mentioned.  Both seem easier to integrate than sguil due to the use of PHP.  Either way though, this would be a HUGE package and I'm thinking it's a fair amount of work.  Anyone willing to pitch in some $$$ to make this a reality?

                –Bill

                pfSense core developer
                blog - http://www.ucsecurity.com/
                twitter - billmarquette

                  xibalba
                  last edited by Oct 17, 2006, 7:17 AM

I can definitely throw $50 towards it. If a lot of people throw $50 towards it we could get a sizable bounty going.

                    fridaynoon
                    last edited by Oct 21, 2006, 2:17 PM

                    The SNORT/Base combination convinced me. I can add my 50$ contribution.
                    Hoping some others can join the bounty.

                    Fridaynoon

                      AkumaKuruma
                      last edited by Nov 1, 2006, 3:53 PM

I am very willing to attempt to get this working as I want to see it working too. I'm going to need to set up a test system to work with. I'm still trying to find info on how to work with the packages system.

                        bigboi
                        last edited by Feb 5, 2007, 5:36 PM

I think BASE is the standard for this sort of thing, but I guess everyone is agreed to that already.  One other thing to consider is that if you are sending the data from pfsense to a MySQL/BASE box inside the network you may want to use stunnel or something to encrypt that connection.  Also, you certainly don't want the MySQL/BASE installation on your firewall, but that doesn't mean you can't include those packages for pfsense and simply set up a pfsense box on the inside for this.

In any case, I'm just a slackjawed gawker.  I just saw the request for ACID and came inside to ensure the request was for BASE instead, as others have already pointed out.

                          imoex2
                          last edited by Mar 3, 2007, 7:52 AM

I can put in $25 for this bounty

                            Snailer
                            last edited by May 13, 2007, 5:27 PM May 13, 2007, 5:25 PM

It is slightly off topic, as a comment on what bigboi wrote:
what if you use max. 2 boxes (master and slave aka mirrored), and put all the nifty things into several virtual servers?
(Don't know if this has the same meaning as jailing in BSD jargon).
As an example, pfsense at (virtual) server#1, sql/base at virtual server#2, and so on…
:)
Would this still count as a safe security practice?
And therefore be feasible?  :-\

                              jamesdean
                              last edited by May 14, 2007, 10:21 PM May 14, 2007, 5:35 PM

**Fixed...** snort.inc to output to anything
I got pfSense snort.inc configured, running snort with mysql.

**Fixed...** dynamicengine: someone did not compile this right.
I got pfSense configured running snort with dynamicengine /usr/local/lib/snort_dynamicengine/libsf_engine.so

I can get ACID to work on pfSense in a weekend. But ACID adds too much to pfSense for my taste. I suggest we use "Honeynet Security Console" by http://www.activeworx.org/. It's great. This is what I'm using with pfSense and snort.

I can get pfSense to use "sguil" (http://sguil.sourceforge.net/index.html); it will be harder, you people will have to give me some feedback first. Outstanding, whoever came up with snort.inc to rewrite snort.conf on boot-up and work with PF.
Much props.

Post a response to get details.

This config should get you running snort with (mysql) ACID, sguil, etc.
This config assumes you have already added the snort database to mysql on another system (mysql should not run on pfSense).

1. Install pfSense-1.0.1-LiveCD-Installer.iso
2. Let pfSense update /usr/ports so they're up to date.
3. Install the snort pkg.
4. SSH to pfSense
5. As root TYPE: pkg_delete snort (this will uninstall the snort binaries, not the pfSense webGUI package)
6. As root TYPE: cd /usr/ports/security/snort then TYPE: make config (choose your options: MySQL, etc.)
7. After the 'make config' command CHOOSE: 'mysql' and 'dynamic' (wait for it to compile)
    After make config TYPE: make install
8. As root find snort.inc TYPE: cd /usr/local/pkg
9. EDIT snort.inc TYPE: ee snort.inc
10. In snort.inc find (this will help start snort with almost all commands for output taken from snort.conf)
$start .= ";snort -c /usr/local/etc/snort/snort.conf -l /var/log/snort {$ifaces_final} -A full -D";
replace with
$start .= ";snort -c /usr/local/etc/snort/snort.conf -l /var/log/snort {$ifaces_final} -Dq";
11. In snort.inc add right below #output (now you are able to output to anything, not just mysql)
output database: log, mysql, user=xxxx password=xxxxx dbname=xxxxx host=xxxxxx
Also add this so the pfSense WebUI will show snort alerts
output alert_full
12. Important: there must be files in /usr/local/etc/snort/rules or snort will not start
13. Start snort: go to the pfSense webUI, 'Services: Snort: Settings', CLICK Save (you don't have to change anything)

If all went well the pfSense system log should show Snort logging into the mysql database.

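The snort.inc edits in steps 10 to 12 of the post above are easy to get subtly wrong by hand (a stray quote in the `$start` line, output directives placed under the wrong comment, an empty rules directory). The script below is an added example, not code from the thread or from the pfSense project: it applies those edits to a constructed stand-in for `/usr/local/pkg/snort.inc` and verifies the result, so the same functions can be pointed at the real file only after they are known to do the right thing. It assumes the `$start` line matches step 10 exactly and that a `#output` line exists as step 11 states; `DB_USER`, `DB_PASSWORD`, `snortdb` and the host `192.0.2.10` are placeholders.

```shell
#!/bin/sh
# Added example (not from the thread or pfSense): script the snort.inc edits
# from steps 10-12 against a constructed copy and check them before touching
# the real /usr/local/pkg/snort.inc. Assumes the $start line matches step 10
# and a "#output" line exists; DB credentials and host are placeholders.
set -u

# Constructed stand-in for snort.inc holding only the lines the steps touch.
make_sample_inc() {
  cat > "$1" <<'EOF'
<?php
/* constructed sample of snort.inc, not the real file */
#output
$start .= ";snort -c /usr/local/etc/snort/snort.conf -l /var/log/snort {$ifaces_final} -A full -D";
EOF
}

# Step 10: replace "-A full -D" with "-Dq" so output plugins are taken from
# snort.conf. Writes to a temp file and renames, so a failed sed leaves the
# original untouched.
patch_start_line() {
  sed 's| -A full -D";| -Dq";|' "$1" > "$1.new" && mv "$1.new" "$1"
}

# Step 11: insert the database and alert_full output lines directly below the
# first "#output" line. Arguments: file user password dbname host.
add_output_lines() {
  awk -v u="$2" -v p="$3" -v d="$4" -v h="$5" '
    { print }
    /^#output/ && !done {
      print "output database: log, mysql, user=" u " password=" p " dbname=" d " host=" h
      print "output alert_full"
      done = 1
    }' "$1" > "$1.new" && mv "$1.new" "$1"
  # The file now carries a database password: keep it readable by root only.
  chmod 600 "$1"
}

# Step 12: snort refuses to start when the rules directory is empty.
rules_present() {
  [ -d "$1" ] && [ -n "$(ls -A "$1" 2>/dev/null)" ]
}

# Post-edit check: old flags gone, new flags and both output lines present.
inc_is_patched() {
  ! grep -q ' -A full -D";' "$1" &&
  grep -q ' -Dq";' "$1" &&
  grep -q '^output database: log, mysql, user=' "$1" &&
  grep -q '^output alert_full$' "$1"
}

# Demonstration on a throwaway copy.
tmp=$(mktemp -d)
make_sample_inc "$tmp/snort.inc"
patch_start_line "$tmp/snort.inc"
add_output_lines "$tmp/snort.inc" DB_USER DB_PASSWORD snortdb 192.0.2.10
if inc_is_patched "$tmp/snort.inc"; then
  echo "snort.inc patched OK:"
  cat "$tmp/snort.inc"
fi
rm -rf "$tmp"
```

Two points from the thread are worth keeping in mind when running this against the real file: the `output database:` line sends every alert, and the credentials in it, to the MySQL host in clear text unless the connection is wrapped the way bigboi suggests (stunnel or similar), and the password is then stored inside snort.inc, which is why the function tightens the file mode after editing.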
                                bellera
                                last edited by Jun 15, 2007, 6:14 PM

                                Hello!

                                I wrote a shell script to integrate a snort box with a pfSense box.

You can find it at: http://www.bellera.cat/josep/snort2pfsense

                                It is another way to solve "the snort problem" …

                                ;)

                                Regards,

                                Josep Pujadas

                                  sanjay_arora
                                  last edited by Jul 11, 2007, 7:29 PM

                                  Hello All

Great idea. I'd contribute another $50 for a snort reporting interface, Base or sguil; both seem good. Will leave the decision as to which one to the experts out there. However, the database should be on the pfsense machine itself. I'd like it to be PostgreSQL, so I will add another bounty of $50 for PostgreSQL support or a database independence layer.

                                  After using pfsense for almost a year now, I've decided to stick to the project and offer some bounties for the features I want since I can't contribute code myself.

                                  With best regards.
                                  Sanjay.

                                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.