I got bored with snort and intrusion detection a few years ago.
The last thing I did with snort was try to code a netfilter detector/packet killer for one of Luigi’s UT99 hacks.
It was an epic FAIL.
I even read the docs!
But back in the day I ran snort & ACID (now BASE – how clever) on a number of boxes, both at work and at home. I got very tired of seeing all those false positives, every day, day after day after day. And then reading in the snort online docs that a particular rule I was unfamiliar with had “no known” false positives or negatives.
Riiiiight.
And then snort went commercial. Well, good riddance.
So it’s been at least three years since I touched it.
Suddenly, out of nowhere, my boss the Security Thought Leader decides snort has to be deployed throughout our organization on every-fucking-thing that can run it. And since I was stupid enough at one time to open my mouth and let the word “snort” fall out of it, it’s my problem.
Lo and behold we’re now up to snort v2.8.6.1. And it turns out to be a bad time to be implementing snort.
As of June 2010 (Hey! That’s like… now!) a lot of the old freeware utilities for managing snort are obsolete. Not that they were any good, but their very existence was helpful in avoiding reinventing the wheel.
And the more things change the more they stay the same.
Like depending on Libnet v1.0.2a. They still give you a link to a dead Web site in the docs so you can download this ancient piece of code required to build snort. Luckily (I think it was luck) freebsd.org still had it in their archives.
Also luckily Mr. Security Thought Leader only wants to send snort alerts to a centralized SIM/SIEM syslog server, which simplifies everything (although he doesn’t know that… he would complicate the fuck out of everything if he did know it). This is the only documented design requirement in the whole project:
Send snort to syslog!
That’s it! Nothing more. What he plans to do after that is a mystery. Right now I have the Proof of Concept running on a few Windows servers and as usual they’re not producing anything of any interest whatsoever.
The Linux servers are another matter entirely.
I hate to say it, but our *ix admins are the biggest newbz I’ve ever met in my long and glorious IT career. They need to have a vendor hold their hand whenever they do anything and their collective mantra is the age old refrain:
THE VENDOR WON’T SUPPORT IT!!!
To make matters worse, they are going to have to build snort if their vendor doesn’t distribute a 2.8.6 version of snort. And considering they run Red Hat, they’re going to have a long wait.
So with all that in mind I built snort 2.8.6.1 for my Linux firewall (good old Debian Etch) and configured it for syslog alerts only.
It’s been running for about an hour now and all I’m getting is:
(http_inspect) LONG HEADER [Priority: 3]
… from just about every Web site I visit. You would think with all this proxy crap running every hour I’d at least get a “Hey! Somebody’s using an external proxy” kind of alert but no.
There’s obviously some tuning that needs to be done (max http header was 750, so I upped it first to 1024, which wasn’t enough, and then to 2048), but with all the doom & gloom about hackers and cybercrime, et cetera, I really expected a shitload more alerts.
I guess my firewall rules are pretty good after all.
FWIW, it took less than ten hours for some idiot named Tedickhead to remove my PoTTY entry at Wikipedia, without any reason given. Of course, it pissed me off but I refrained from putting it back in for the time being.
