Snort IDS and Omnia

I am trying to run snort.
Found this wiki https://wiki.openwrt.org/doc/howto/snort
But when I try to run snort it ends with:

ERROR: Can’t find pcap DAQ!
Fatal Error, Quitting…

libpcap and libdaq are installed.
Anyone else try to run snort on Omnia?

No progress since? noumes?

Finally got snort working!

In the config file snort.conf you need to set up
config daq: pcap
config daq_dir: /usr/lib/daq — because this is set only in the init file, so when running snort via cmd it ends with an error without this


Nice, do you have some results? How good is SNORT?

I have snort up and running on the Omnia with zero output or alerts. Would love to see configs if anyone has this working successfully!

Same problem, got zero output from snort.
Sending the log to remote syslog didn't work for me:
output alert_syslog: host=IP:port, LOG_AUTH LOG_ALERT.

Running snort with -l creates the file but the file is still empty.

In syslog there are only statistics when stopping snort, nothing else.

I found some output… cat /var/log/messages |grep snort

2017-01-13T13:25:07-05:00 alert snort: [1:2006380:12] ET POLICY Outgoing Basic Auth Base64 HTTP Password detected unencrypted [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 192.168.XX.XXX:58396 → 192.168…XX.XXX:80

These alerts, oddly, are not available for viewing with a simple “cat /var/log/messages” and nor are they showing up in my graylog2 instance. I only found them with: cat /var/log/messages |grep snort

A note - I also updated the snort rules using pulledpork.pl on a different host and synced them over to the turris box. I also disabled DNP and MOD processors to reduce memory consumption.

I added those 2 lines in the config.
Libdaq is installed, I verified the path.
Did you do other changes?

I got it to work, and I added output alert_fast: alert.fast to my snort.conf

It writes alerts in /var/log/snort/alert.fast

It doesn’t work when it runs with -s option, that is the default on /etc/init.d/snort
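A parser for the alert lines discussed above, both the alert_syslog form found in /var/log/messages with grep and the alert_fast file written to /var/log/snort/alert.fast, as an added example that is not part of this thread or of Snort itself; the sample lines, the IP addresses and the local SID 1000001 are constructed.

```python
import re
from typing import Iterable, Optional

# One pattern covers the alert_fast file format
#   01/13-13:25:07.123456  [**] [gid:sid:rev] msg [**] [Classification: c] [Priority: p] {PROTO} src:port -> dst:port
# and the alert_syslog form in /var/log/messages (same fields after "snort: ").
ALERT_RE = re.compile(
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+(?:\[\*\*\]\s+)?"
    r"(?:\[Classification:\s*(?P<classification>[^\]]*)\]\s+)?"
    r"\[Priority:\s*(?P<priority>\d+)\]\s+"
    r"\{(?P<proto>[A-Z]+)\}\s+"
    r"(?P<src>\S+?)(?::(?P<sport>\d+))?\s+->\s+"   # ICMP alerts carry no ports
    r"(?P<dst>\S+?)(?::(?P<dport>\d+))?\s*$"
)


def parse_alert(line: str) -> Optional[dict]:
    """Return the fields of a Snort alert line, or None for any other log line."""
    m = ALERT_RE.search(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    for key in ("gid", "sid", "rev", "priority", "sport", "dport"):
        rec[key] = int(rec[key]) if rec[key] is not None else None
    return rec


def high_priority(lines: Iterable[str], max_priority: int = 1) -> list[dict]:
    """Keep alerts at or above a priority (1 is the most severe in Snort)."""
    return [a for a in map(parse_alert, lines) if a and a["priority"] <= max_priority]


# Constructed sample: one alert_syslog line, one alert_fast line, one non-alert line.
SAMPLE_LINES = [
    "2017-01-13T13:25:07-05:00 alert snort: [1:2006380:12] ET POLICY Outgoing Basic Auth "
    "Base64 HTTP Password detected unencrypted [Classification: Potential Corporate "
    "Privacy Violation] [Priority: 1] {TCP} 192.168.0.10:58396 -> 192.168.0.20:80",
    "01/13-13:26:11.000123  [**] [1:1000001:1] LOCAL ICMP echo request [**] "
    "[Classification: Misc activity] [Priority: 3] {ICMP} 192.168.0.10 -> 192.168.0.1",
    "2017-01-13T13:30:00-05:00 info snort: Commencing packet processing (pid=1234)",
]

if __name__ == "__main__":
    for alert in high_priority(SAMPLE_LINES):
        print(f"sid {alert['sid']} prio {alert['priority']} {alert['proto']} "
              f"{alert['src']}:{alert['sport']} -> {alert['dst']}:{alert['dport']}  {alert['msg']}")
```

Feeding `grep snort /var/log/messages` or the alert.fast file through `parse_alert` gives structured records that can be forwarded to a log collector such as graylog2 instead of relying on the raw syslog line.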

Awesome to see someone got it working. Be nice if you summarised the experience and how to install it and get it going as a community doc:

https://www.turris.cz/doc/en/public/start