Snort/ACID {now $100} Contribute!
-
Let's not use ACID - it hasn't been updated in ages.
BASE - Basic Analysis and Security Engine - is the continuation of the ACID project.
http://secureideas.sourceforge.net/ -
Yeah, BASE would be more appropriate than ACID for exactly the reasons mentioned. Both seem easier to integrate than sguil due to the use of PHP. Either way though, this would be a HUGE package and I'm thinking it's a fair amount of work. Anyone willing to pitch in some $$$ to make this a reality?
–Bill
-
I can definetly throw $50 towards it. If alot of people throw $50 towards it we could get a sizable bounty going.
-
The SNORT/Base combination convinced me. I can add my 50$ contribution.
Hoping some others can join the bounty.Fridaynoon
-
I am very willing to attempt to get this working as I want to see it working too. going to need to setup a test system to work with. I'm still trying to find info on how to work with the packages system.
-
i think BASE is the standard for this sort of thing, but i guess everyone is agreed to that already. one other thing to conisder is that if you are sending the data from pfsense to a MySQL/BASE box inside the network you may want to use stunnel or something to encrypt that connetion. also, you certainly don't want the mySQL/BASE installation on your firewall, but that doesn't mean you can't include those packages for pfsense and simpy set up a pfsesne box on the inside for this.
in any case, i'm just a slackjawed gawker. i just saw the request for ACID and came inside to ensure the request was for BASE instead as others have already pointed out.
-
I can put it $25 for this bounty
-
It is slightly off topic, as a comment on what bigboi wrote:
what if you use max. 2 boxes (master and slave aka mirrored), and put all nifty things into a several virtual servers?
(Don't know if this has the same meaning of Jailing in bsd-jargon).
As example pfsense at (virtual) server#1, sql/base at the virtual server#2, and so on…
:)
Would this be still count as a safe security practice?
And therefore feasible? :-\ -
**Fixed…..**snort.ini too output to anything
I got pfsense snort.inc configured running snort with mysql…...
.
**Fixed….**dynamicengine..someone did not compile with this right…
I got pfsense configured running snort with dynamicengine /usr/local/lib/snort_dynamicengine/libsf_engine.so
.....
I can get ACID to work on pfsense in a weekend. But ACID adds to much to pfsense for my taste. I suggest for us to use "Honeynet Security Console" by http://www.activeworx.org/. Its great. This is what Im using with pfsense and snort.
.
.
I can get pfsense to use "sguil" http://sguil.sourceforge.net/index.html it will be harder, you people will have to gave me some feed back first. Out standing who ever came up with snort.inc to rewrite snort.conf on boot up and work with PF.
Much props….......
.
Post reponse to get details
.
This config should get you running snort with (mysql) ACID, sguil….etc.
This config is after you added snort database to mysql on another system (mysql should not run on pfsense).1. Install pfSense-1.0.1-LiveCD-Installer.iso
2. Let pfsense update the /usr/ports so there up to date.
3. Install snort pkg....
4. SSH to pfsense
5. As root TYPE: pkg_delete snort (this will uninstall the snort binaries not pfsense webgui package)
6. As root TYPE: cd /usr/ports/security/snort then TYPE: make config (choose your options Mysql, ect….
7. After 'make config' command CHOOSE: 'mysql' and 'dynamic' (wait for it to compile)
After make config TYPE: make install
8. As root find snort.inc TYPE: cd /usr/local/pkg
9. EDIT snort.inc TYPE: ee snort.inc
10. In snort.inc find (this will help start snort with all most commands for output taken from snort.conf)
$start .= ";snort -c /usr/local/etc/snort/snort.conf -l /var/log/snort {$ifaces_final} -A full -D";
replace with
$start .= ";snort -c /usr/local/etc/snort/snort.conf -l /var/log/snort {$ifaces_final} -Dq";
11. In snort.inc add right below #output (now you are able to output to anything not just mysql)
output database: log, mysql, user=xxxx password=xxxxx dbname=xxxxx host=xxxxxx
Also add this so pfsense WebUI will show snort alerts
output alert_full
12. Important: there must be files in the /usr/local/etc/snort/rules Or snort will not start
13. Start snort Goto the pfsense webUI: 'Services: Snort : settings' CKICK save (you dont have to chang anything
.
If all went well pfsense system log should show Snort logging into the mysql database. -
Hello!
I wrote a shell script to integrate a snort box with a pfSense box.
Yo can find it at: http://www.bellera.cat/josep/snort2pfsense
It is another way to solve "the snort problem" …
;)
Regards,
Josep Pujadas
-
Hello All
Great idea. I'd contribute another 50$ for a snort reporting interface, Base or sguill…both seem good. Will leave the decision as to which one to the experts out there. However, the database should be on the pfsense machine itself. I'd like it to be postgreSQL so, i will add another bounty of 50$ for postgresql support or database independence layer.
After using pfsense for almost a year now, I've decided to stick to the project and offer some bounties for the features I want since I can't contribute code myself.
With best regards.
Sanjay.