$WGET $WGET_PARAMS $MD5_URL1
"$ECHO" "Reading out the checksum..."
# Read the published MD5 sum
if [ -f /etc/snort/snortrules-stable.tar.gz.md5 ]
then
    MD5SUM1=`grep MD5 \
        /etc/snort/snortrules-stable.tar.gz.md5 | awk '{print $4}'`
else
    "$ECHO" "Error! No MD5-file found"
    exit 1
fi
"$ECHO" "Generating our own checksum..."
# Compute the MD5 sum of what was actually downloaded
if [ -f /etc/snort/snortrules-stable.tar.gz ]
then
    MD5SUM2=`md5sum /etc/snort/snortrules-stable.tar.gz | awk '{print $1}'`
else
    "$ECHO" "Error! No rules file found"
    exit 1
fi
# Refuse to continue on an empty or mismatched checksum
if [ -n "$MD5SUM1" ] && [ "$MD5SUM1" = "$MD5SUM2" ]
then
    "$ECHO" "The MD5-Checksum fits!"
    "$ECHO" "$MD5SUM1"
    "$ECHO" "$MD5SUM2"
    "$ECHO" "$MD5SUM1" >> /etc/snort/snort.log
    "$ECHO" "$MD5SUM2" >> /etc/snort/snort.log
    "$ECHO" "Proceeding..."
    # /bin/sleep 1
else
    "$ECHO" "Error! Wrong checksum! Aborting!"
    "$ECHO" "Install rules manually!"
    "$ECHO" "$MD5SUM1" >> /etc/snort/snort.log
    "$ECHO" "$MD5SUM2" >> /etc/snort/snort.log
    exit 1
fi
# Extract the new rules (the tarball unpacks into /etc/snort/rules)
if [ -f "/etc/snort/snortrules-stable.tar.gz" ]
then
    "$ECHO" "Extracting Snort rules..."
    "$TAR" -xzvf /etc/snort/snortrules-stable.tar.gz -C /etc/snort
else
    "$ECHO" "Lost the file! Something is wrong!"
    "$ECHO" "Aborting!!"
    exit 1
fi
# Replace the old rules
# Does the target directory exist at all?
# (RULESPATH must not be /etc/snort/rules itself, which is removed below)
if [ -d "$RULESPATH" ]
then
    # /bin/rm "$RULESPATH"/*.rules
    /bin/mv -f /etc/snort/rules/*.rules "$RULESPATH"
    /bin/cp -f /etc/snort/rules/classification.config "$SNORTCFGPATH"
else
    "$ECHO" "Missing rules-directory!"
    "$ECHO" "Aborting!"
    exit 1
fi
# Cleaning up...
/bin/rm -rf /etc/snort/rules
# Give everything to root
/bin/chown root:root ${RULESPATH}/*
}

###############################################################################
# M A I N
###############################################################################

# Error handling first: a dry run (--spider) against the signature URL
FCHK=$(/usr/bin/wget --spider -N -t 3 -T 5 "$SIGS_URL1" -P /etc/snort 2>&1)
ERR_MSG=$("$ECHO" "$FCHK" | egrep -oi "failed|error")
# Log the wget output explicitly
"$ECHO" "$FCHK" >> /etc/snort/snort.log
# If there is a word "failed" or "error" we break..
if [ -n "$ERR_MSG" ]
then
    "$ECHO" "Error getting the files. The server seems to be not available."
    "$ECHO" "Error message:"
    "$ECHO" "$FCHK"
    "$ECHO" "Aborting!"
    exit 0
fi
"$ECHO" "Checking/getting files..."
# Ask wget whether the server copy is newer than ours (-N): it prints
# "not retrieving" when our copy is already current
FCHK=$(/usr/bin/wget --spider -N -t 3 -T 5 "$SIGS_URL1" \
    -P /etc/snort 2>&1 | grep "not retrieving")
/bin/date >> /etc/snort/snort.log
"$ECHO" "Wget-output:"
"$ECHO" "$FCHK"
# Logging what we've done and when
"$ECHO" "$FCHK" >> /etc/snort/snort.log
if [ -z "$FCHK" ]
then
    "$ECHO" "The files on the server seem to be newer."
    "$ECHO" "We will get them now..."
    getrules
    # Reload rules
    "$SERVICE" snort reload
    # restartsnort
else
    # "$ECHO" "The signature files on the server are older or not newer."
    "$ECHO" "Doing nothing for now..."
    "$ECHO" "Checking if Snort is running...."
    checksnort
    exit 0
fi
# Send Email
"$ECHO" -e "`ls -lA "$RULESPATH"`\n\nSnort running with PID $("$PIDOF" \
    "$SNORT")" | mail -s "Reloaded Snort signatures on $MACHINE" \
    "$MAILTO"
###############################################################################
###############################################################################
exit 0
#EOF
\end{verbatim}
Note that the .md5 file is fetched from the same server, over the same unauthenticated channel, as the tarball itself. The comparison therefore catches a truncated or corrupted download, but not a ruleset substituted on the server or in transit; treat it as an integrity check, not as proof of where the rules came from.

\subsection{How do you get the latest Snort via cvs?}
\label{cvs}
Snort can be checked out through anonymous (pserver) CVS with the following instruction set.
The module you wish to check out must be specified as the module name. When prompted for a password for anonymous, simply press the Enter key.
\begin{verbatim}
 cvs -d:pserver:anonymous@cvs.snort.org:/cvsroot login
 cvs -z3 -d:pserver:anonymous@cvs.snort.org:/cvsroot co snort
\end{verbatim}
Updates from within the module's directory do not need the -d parameter. You will need to issue the command ``sh ./autojunk.sh'' before starting ./configure.

\subsection{How do I use a remote syslog machine?}
Add the syslog switch, -s, and put this statement in syslog.conf:
\begin{verbatim}
 auth.alert @managementserverIP
\end{verbatim}
Look at your snort.conf file for more info on the facility and priority settings.

Make sure you have syslogd on the management server configured to accept syslog over UDP. Under RedHat, you can do this by editing /etc/sysconfig/syslog and adding the following line:
\begin{verbatim}
 SYSLOGD_OPTIONS="-r -m 0"
\end{verbatim}
This will start syslogd with the mark interval set to 0 (turning it off) and set it to receive network connections. Then restart syslog. See ``man syslogd'' for more info. You might also want to investigate syslog-ng\linebreak (\htmladdnormallink{http://www.balabit.hu/en/downloads/syslog-ng/}{http://www.balabit.hu/en/downloads/syslog-ng/}).

Example invocation of snort:
\begin{verbatim}
 /usr/local/bin/snort -c /etc/snort/snort.conf -I -A full -s 192.168.0.2:514 -i rl0
\end{verbatim}
The host:port argument after -s is the Win32 form (see the note below); on Unix, -s takes no argument and syslog.conf decides where the alerts go. Remember also that a syslogd started with -r accepts unauthenticated UDP messages from any host that can reach port 514, so restrict the permitted senders with a packet filter on the management server.

Note for Win32 users: Frank Knobbe wrote a patch for Snort to allow you to use `-s $<$host$>$' on the command line under Windows without nullifying the snort.conf. In other words, Snort still uses all settings from snort.conf but in addition uses the host from `-s' to send syslog alerts to. You can find the patch at:
\htmladdnormallink{http://www.snort.org/dl/contrib/patches/win32syslog/}{http://www.snort.org/dl/contrib/patches/win32syslog/}

\subsection{How do I get Snort and ACID working?}
ACID has been unmaintained for quite some time.
Use BASE instead (see below).

\subsection{How do I build this BASE thing?}
Read carefully through all the docs for each package. Getting BASE to work is a lot of work, since it depends on many packages. You need a working Apache, a working PHP, a working GD (and the many libraries GD depends on) and the ADODB package. This is a lot of stuff to configure.

A typical sequence to get this all working on Solaris 8: use some binary packages from a trusted Sun freeware site (sunfreeware.com). Most problems were with PHP and the GD library. GD itself needs a bunch of packages and libraries to work: it needs libpng, libjpeg (if you want jpeg), etc. Read through the readme for GD. So you either need to get these and compile them also, or get some binary packages. PHP is the most difficult thing to get compiled correctly. The PHP package needs to be compiled with lots of ``-{}-with'' flags for GD to work properly, otherwise it gets lots of run-time unresolved reference errors. Just using a ``-{}-with'' for GD isn't sufficient. You also need to ``-{}-with'' each library which GD uses, or PHP can't find the functions it needs. Here's the ``configure'' line you can use to get PHP working:
\begin{verbatim}
 ./configure --with-mysql --with-apxs=/usr/apache/bin/apxs --with-gd \
   --enable-sockets --with-jpeg-dir=/usr/local/lib --with-png-dir=/usr/local/lib \
   --with-zlib-dir=/usr/local/lib --with-xpm-dir=/usr/local/lib
\end{verbatim}
These `-{}-with' options basically have the effect of the Makefile including -L and -R statements for each library, so that both the compile-time and run-time linkers can find all the functions needed in the Apache module environment. Apache doesn't seem to consult LD\_LIBRARY\_PATH when running a module (or PHP doesn't, or there's some config item in the Apache conf files, but you can just use the ``-{}-with''s). Basically, you need to work from the bottom up.
So you need to obtain/compile any libraries that GD needs and install them, and any libraries/packages those packages need. Then once you get GD compiled properly and installed, compile PHP. Then make a PHP script that calls phpinfo() and carefully examine the page produced. Once satisfied PHP is working, the `foundation' is ready for the other stuff. If they succeed, then install ADODB and BASE, tweak the config files, and it should all work. (heh, heh)

BASE website: \htmladdnormallink{http://base.secureideas.net/}{http://base.secureideas.net/}

\section{Rules and Alerts}
\subsection{Errors loading rules files}
Some common ones:
\begin{itemize}
\item
\begin{verbatim}
ERROR telnet.rules:YYY => Port value missing in rule!
\end{verbatim}
\item
\begin{verbatim}
ERROR telnet.rules:YYY => Bad port number: "(msg:"blah"
\end{verbatim}
\item
\begin{verbatim}
ERROR telnet.rules:YYY => Couldn't resolve hostname blah
\end{verbatim}
\end{itemize}
What's going on? ``telnet.rules'' is the file where the syntax error occurred, and ``YYY'' is the line number it occurred on. There are a couple of possibilities:
\begin{enumerate}
\item The rule is missing a port value, has an invalid port number, or a bad hostname, in which case the ruleset author/maintainer should be notified.
\item More often, the rule is just fine, but a variable in it was not declared. Open the rules file, look at the rule on the line number provided, and confirm that the variables it uses (\$HOME\_NET, \$EXTERNAL\_NET, \$TELNET\_SERVERS and so on) have been declared with var in snort.conf before the rules file is included.
You can read more about variables at \htmladdnormallink{http://www.snort.org/docs/writing\_rules/chap2.html\#tth\_sEc2.1.2}{http://www.snort.org/docs/writing\_rules/chap2.html\#tth\_sEc2.1.2}
\end{enumerate}

\subsection{Snort says ``Rule IP addr (``1.1.1.1'') didn't x-late, WTF?''}
Get rid of the quotes around the IP address and try again.

\subsection{Snort is behind a firewall (ipf/pf/ipchains/ipfilter) and awfully quiet...}
If Snort runs on a separate host behind the firewall, the firewall rules drop that traffic before it reaches the segment Snort is listening on, so Snort never sees it. Note: this does not apply if Snort is installed {\bf on} the firewall box (see the next question).

\subsection{Does snort see packets filtered by IPTables/IPChains/IPF/PF?}
Snort operates using libpcap. In general it sees everything the network adapter driver sees, before the network stack munges it. Linux IPTables, Linux IPChains, BSD PF and IPF and other packet filters do not prevent Snort from seeing a packet that is present on the network wire. Even if an inbound packet is denied by the packet filter, Snort will still see and analyze the packet if it is listening on that interface. Snort/pcap sees whatever comes out of or goes into the network adapter.

Note however that Snort is affected to the extent that the stream of data on the network wire is affected. Thus Snort will not see outbound packets which were denied while being sent, since they never reach the network adapter. Under OpenBSD you can snort just the PF rejects by listening on the pflog0 pseudo-interface.

\subsection{I'm getting large amounts of $<$some alerts type$>$. What should I do? Where can I go to find out more about it?}
Some rules are more prone to producing false positives than others. This often varies between networks. You first need to determine if it is indeed a false positive.
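A quick first step, before looking up the signature, is to measure who is producing the alert. The shell script below is an added example for this FAQ and is not Snort's own code; it assumes the alert file is in Snort's ``fast'' format (one alert per line, as written by -A fast), it reads IPv4 source addresses only, and the sample log it runs on is constructed, with invented addresses and signature IDs.

```shell
#!/bin/sh
# Added example (not part of the Snort FAQ): summarise a Snort "fast" alert
# log per signature so you can tell whether one noisy host or many machines
# are producing an alert before deciding between a host-specific pass rule
# and passing on the rule for all traffic.
#
# Assumed input format is Snort's alert_fast output (-A fast), one alert per
# line, containing a "[gid:sid:rev]" tag and "src[:port] -> dst[:port]".
# IPv4 only: the source address is taken as everything before the first ':'.

# alert_summary [FILE...]   (reads stdin when no file is given)
# Prints one line per signature, sorted by signature:
#   <gid:sid:rev> total=<alerts> sources=<distinct src hosts> top=<src>(<hits>)
alert_summary() {
    awk '
    {
        sig = ""; src = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^\[[0-9]+:[0-9]+:[0-9]+\]$/)
                sig = substr($i, 2, length($i) - 2)      # strip the [ ]
            if ($i == "->") {
                split($(i - 1), a, ":")                   # drop :port if present
                src = a[1]
            }
        }
        if (sig == "" || src == "") next                  # not an alert line
        total[sig]++
        if (!((sig, src) in per)) nsrc[sig]++
        per[sig, src]++
        if (per[sig, src] > topn[sig]) { topn[sig] = per[sig, src]; top[sig] = src }
    }
    END {
        for (s in total)
            printf "%s total=%d sources=%d top=%s(%d)\n",
                   s, total[s], nsrc[s], top[s], topn[s]
    }' "$@" | sort
}

# Constructed sample log in alert_fast format (invented addresses and sids).
sample_alert_log() {
    cat <<'EOF'
01/25-10:15:32.100000  [**] [1:1000:1] TELNET login attempt [**] [Priority: 1] {TCP} 10.0.0.5:4321 -> 192.168.1.2:23
01/25-10:15:33.100000  [**] [1:1000:1] TELNET login attempt [**] [Priority: 1] {TCP} 10.0.0.5:4322 -> 192.168.1.2:23
01/25-10:15:34.100000  [**] [1:1000:1] TELNET login attempt [**] [Priority: 1] {TCP} 10.0.0.6:4000 -> 192.168.1.2:23
01/25-10:15:35.100000  [**] [1:1000:1] TELNET login attempt [**] [Priority: 1] {TCP} 10.0.0.5:4323 -> 192.168.1.2:23
01/25-10:16:01.100000  [**] [1:2000:2] ICMP Destination Unreachable [**] [Priority: 3] {ICMP} 10.0.0.7 -> 192.168.1.2
01/25-10:17:01.100000  [**] [1:3000:1] WEB-MISC probe [**] [Priority: 2] {TCP} 10.0.0.8:5000 -> 192.168.1.3:80
01/25-10:17:02.100000  [**] [1:3000:1] WEB-MISC probe [**] [Priority: 2] {TCP} 10.0.0.9:5001 -> 192.168.1.3:80
this line is not an alert and is ignored
EOF
}

# Stand-alone demo. Expected output:
#   1:1000:1 total=4 sources=2 top=10.0.0.5(3)   one host dominates: pass rule for 10.0.0.5
#   1:2000:2 total=1 sources=1 top=10.0.0.7(1)
#   1:3000:1 total=2 sources=2 top=10.0.0.8(1)   spread over hosts: consider passing on the rule
sample_alert_log | alert_summary
```

Run it against the real alert file (for example alert\_summary /var/log/snort/alert, assuming Snort writes fast alerts there) and read the sources and top columns together: a signature where one host accounts for nearly every hit is the case for a pass rule scoped to that host, while one spread thinly over many hosts is the case where passing on the rule for all traffic, the last resort discussed under this question, is the only option left.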
Some rules are referenced with ID numbers. The following are some common identification systems, and where to go to find more information about a particular alert.

\begin{tabular}{|l|l|l|}
\hline
{\bf System} & {\bf Example} & {\bf URL} \\
\hline\hline
IDS (arachNIDS) & IDS182 & \htmladdnormallink{http://www.whitehats.com/IDS/182}{http://www.whitehats.com/IDS/182} \\
\hline
CVE & CVE-2000-0138 & \htmladdnormallink{http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-0138}{http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-0138} \\
\hline
Bugtraq & BugtraqID 1 & \htmladdnormallink{http://www.securityfocus.com/vdb/bottom.html?vid=1}{http://www.securityfocus.com/vdb/bottom.html?vid=1} \\
\hline
McAfee & McAfee 10225 & \htmladdnormallink{http://vil.nai.com/vil/dispVirus.asp?virus\_k=10225}{http://vil.nai.com/vil/dispVirus.asp?virus\_k=10225} \\
\hline
Nessus & Nessus 11073 & \htmladdnormallink{http://cgi.nessus.org/plugins/dump.php3?id=11073}{http://cgi.nessus.org/plugins/dump.php3?id=11073} \\
\hline
\end{tabular}

It may be necessary to examine the packet payload to determine if the alert is a false positive. The packet payload is logged using the -d option. If you determine the alerts are false positives, you may want to write pass rules for the machines that are producing a large number of them. If the rule is producing an unmanageable amount of false positives from a number of different machines, you could pass on the rule for all traffic. This should be used as a last resort.

\subsection{What about all these false alarms?}
Most think that a pile of false positives is infinitely preferable. Then people can turn off what they don't want. The reverse, having a small rule set, can lure people into complacency, thinking that Snort is doing ``its thing'' and there is nothing to worry about.

\subsection{What are all these ICMP files in subdirectories under /var/log/snort?}
Most of them are likely destination unreachable and port unreachable messages that were detected by Snort when a communications session attempt fails.

\subsection{Why does the program generate alerts on packets that have pass rules?}
The default order that the rules are applied in is alerts first, then pass rules, then log rules. This ordering ensures that yo