Monday, February 22, 2010

SimWitty Internship: Week 6

This week was spent doing more work with Snort to get it running proper in the virtual network. In a Windows environment, that is a lot of work with piss-poor documentation... so I hope I am making a valued contribution on that level by writing all this out.

The Simwitty project is working on a base set of instructions to govern getting Snort and MS SQL set up, just so everyone is on the same page. I followed these basic rules to get started but it took quite a bit of tweaking for things to start working. I documented all the steps I took for the install and that file will be available on the Simwitty Redmine pages.

The first issue I had (as noted last week) was that Snort wasn't talking to the database. This was even after I located a copy of ntwdblib.dll (I also found out I needed msvcr71.dll on this particular machine). I found a tip from Microsoft for testing the connection to a SQL Server. This entailed creating a file with a .udl extension, which will open as a shell dialog when double clicked, but in reality is just a text file. Details at How to connect to an instance of SQL Server Desktop Edition or of SQL Server 2005 Express Edition (http://support.microsoft.com/kb/319930) under the Verify connectivity section.

Once I created this file, it would connect fine but Snort was still a no go. I fired up Wireshark to see what was happening. In looking at the packets I could see the difference between the good connection and the failed connection. The thing that stood out was the difference between two strings.

Connect reads SQLEXPRESS and fail reads MSSQLServer. Thank God I am working with people that understand SQL Server, because I am very new to it. It was immediately pointed out to me that I must be running an instance with the name of SQLEXPRESS. By adding this to my snort.conf in the host definition of the database output section (sort of like a UNC, host=192.168.2.10\SQLEXPRESS) I was up and running.
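To reproduce that diagnosis without Wireshark, here is an added PowerShell check (not part of the original post or the SimWitty project) that tries the bare host and the named instance the way the .udl test does, then prints the matching host= value for the snort.conf database output line. It assumes SQL authentication with the login and database named snort; the password is a placeholder.

```powershell
param(
    [string]$Server   = "192.168.2.10",
    [string]$Instance = "SQLEXPRESS",
    [string]$Database = "snort",
    [string]$User     = "snort",
    [string]$Password = "CHANGEME"   # placeholder, replace before running
)

Add-Type -AssemblyName System.Data

function Test-SqlTarget {
    param([string]$DataSource)
    # Short timeout so a default instance that is not listening fails fast
    $cs = "Data Source=$DataSource;Initial Catalog=$Database;" +
          "User ID=$User;Password=$Password;Connect Timeout=5"
    $conn = New-Object System.Data.SqlClient.SqlConnection $cs
    try {
        $conn.Open()
        $cmd = $conn.CreateCommand()
        $cmd.CommandText = "SELECT @@SERVERNAME, SERVERPROPERTY('InstanceName')"
        $r = $cmd.ExecuteReader()
        [void]$r.Read()
        [pscustomobject]@{ DataSource = $DataSource; Ok = $true
                           ServerName = $r[0]; InstanceName = $r[1]; Error = $null }
    } catch {
        [pscustomobject]@{ DataSource = $DataSource; Ok = $false
                           ServerName = $null; InstanceName = $null
                           Error = $_.Exception.Message }
    } finally { $conn.Dispose() }
}

# The failing Snort config pointed at the bare host (default instance, MSSQLServer);
# the working one named the instance, exactly as the .udl connection test did.
$results = @(
    (Test-SqlTarget -DataSource $Server),
    (Test-SqlTarget -DataSource "$Server\$Instance")
)
$results | Format-Table DataSource, Ok, ServerName, InstanceName, Error -AutoSize

$good = $results | Where-Object Ok | Select-Object -First 1
if ($good) {
    "Use this host value in the database output section of snort.conf:"
    "output database: log, mssql, user=$User password=<pw> dbname=$Database host=$($good.DataSource)"
} else {
    "No connection succeeded; check the SQL Browser service, TCP/IP protocol and firewall on $Server"
}
```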

Now it was just the ugly task of installing the Snort rules. As far as I could find, this procedure isn't clearly documented anywhere. At least nothing warned me of things like:

1) The snort.conf included with the snapshot is old and broken. Keep the one you modified from the install.
2) What's with the so_rules folder, is it necessary? I figured it was *nix related and deleted it.
3) Some files are newer in the snapshot, some files aren't. How to decide what to keep?
4) For crying out loud, do I need to install that signatures directory with its 16,000 files?

It's a very frustrating experience and I am going to upload a file to the Simwitty Redmine detailing my travails.
