Thread: Puresecure/Snort 2.1.1 How To....

  1. #1
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197

    Puresecure/Snort 2.1.1 How To....

    As any of you using Demarc's PureSecure know, they are really slow about upgrading to the newest version of Snort. They are still on 1.9 I believe it is, (may be 2.0 by now). This means that all the fancy new stuff such as pcre and flowbits won't work because 1.9 doesn't understand them. The kicker is that Snort 2.1.1 uses a slightly different table structure than previous versions and it won't start because it can't find certain rows in some of the tables.

    If you are like me and run Snort outside the control of PureSecure but have it reporting to the MySQL database that PureSecure uses, I found out that you can update to Snort 2.1.1 and still have the benefit of the nice PureSecure interface and its additional features.

    I downloaded a MySQL manager called SQLyog, (free 30 day trial here), because I know nothing about MySQL, (it's one of those things you keep meaning to get to but never quite manage it....), and logged in. It was immediately apparent that Demarc has its own tables but seemed to leave the Snort tables as-is.

    When you d/l Snort 2.1.1 and install it there is a script in the contrib folder called create_mysql. This is the version 1.6 of the script that creates the tables for 2.1.1. So I deleted all the Snort tables, ("drop table" from the menu).

    NOTE: I didn't back my tables up, (export), so I could restore them, (import), because I only use PureSecure as a real time monitor - I have other systems for logging the Snort events in place for archival and analysis functions - but I believe this would work to keep your old data.

    NOTE 2: You need to stop Snort on the sensor and PureSecure on the reporting station or you will get sharing violations.

    I placed the create_mysql script in the c:\mysql folder and issued the following command to run the script thus creating the tables with the 2.1.1 structure.

    mysql -u AAAA -p BBBB < c:\mysql\create_mysql

    AAAA = the admin account name of the MySQL system, (usually root)
    BBBB = the name of the database that Snort reports to and PureSecure reads from.
    the -p will prompt you for the password

    If it runs with no errors then go back to SQLyog and you will find the new tables there.

    Copy the following files to your Sensor's Snort folder:-

    Snort.exe (the new 2.1.1 version)
    LibNetNT.dll
    pcre.dll

    and restart the Snort service, (or just restart Snort if you don't run it as a service) and the PureSecure service and it all works fine.

    Now you can go to your rules files and put in all those nice new updated rules that catch the new nasties but that wouldn't work in Snort 2.0.5 and below.
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides
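
The table-structure mismatch described in the first post can be checked before any tables are dropped. The following Python sketch is an added example, not part of the original thread or of Snort or PureSecure; the SQL fragment, the live-database snapshot and the table name console_users are constructed for illustration and do not reproduce the real create_mysql script.

```python
import re
# Constructed stand-in for a table-creation script (NOT the real create_mysql).
NEW_SCHEMA_SQL = """
CREATE TABLE event ( sid INT UNSIGNED NOT NULL,
                     cid INT UNSIGNED NOT NULL,
                     PRIMARY KEY (sid,cid),
                     INDEX sig (sid));
CREATE TABLE signature ( sig_id INT UNSIGNED NOT NULL AUTO_INCREMENT,
                         sig_name VARCHAR(255) NOT NULL,
                         new_col_example INT UNSIGNED,
                         PRIMARY KEY (sig_id));
"""
# Constructed snapshot of the live database (table -> columns, as SHOW COLUMNS lists them).
LIVE_DB = {
    "event": ["sid", "cid"],
    "signature": ["sig_id", "sig_name"],
    "console_users": ["id", "name"],  # hypothetical table owned by the console
}
NON_COLUMN = {"PRIMARY", "KEY", "INDEX", "UNIQUE", "CONSTRAINT", "FOREIGN"}

def split_top_level(body):
    """Split on commas that are not nested inside parentheses."""
    parts, depth, start = [], 0, 0
    for i, ch in enumerate(body):
        depth += (ch == "(") - (ch == ")")
        if ch == "," and depth == 0:
            parts.append(body[start:i])
            start = i + 1
    parts.append(body[start:])
    return [p.strip() for p in parts if p.strip()]

def parse_schema(sql):
    """Return {table: [columns]}; assumes no table options after the last ')'."""
    schema = {}
    pattern = r"CREATE\s+TABLE\s+`?(\w+)`?\s*\((.*?)\)\s*;"
    for name, body in re.findall(pattern, sql, re.I | re.S):
        first_words = [p.split()[0].strip("`") for p in split_top_level(body)]
        schema[name] = [w for w in first_words if w.upper() not in NON_COLUMN]
    return schema

def drift(new, live):
    """Report what the script defines that the live database lacks."""
    gaps = {t: [c for c in cols if c not in live[t]]
            for t, cols in new.items() if t in live}
    return {
        "missing_tables": sorted(t for t in new if t not in live),
        "missing_columns": {t: c for t, c in gaps.items() if c},
        "not_in_script": sorted(t for t in live if t not in new),
    }
```

Tables listed under not_in_script are not created by the script being checked, so they are the ones to leave alone when dropping and recreating the sensor's tables.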

  2. #2
    Senior Member
    Join Date
    Jun 2003
    Posts
    236
    I had been using the 2.0.X branch of snort with my PureSecure since last year. And up until Friday I have been using the 2.0.6 version from them.

    I had asked to get the 2.1.0 version of snort and they said there were too many bugs in it and that it actually reported alerts wrong. Turns out they were right and snort has been fixed with the 2.1.1 version.

    I also received the 2.1.1 version from Demarc, even though I'm not a customer. Maybe it is because I had asked for the 2.1.0 version.

    I had to copy over pcre.dll too. But they also told me that http_decode was not supported in 2.1.X anymore and that I had to make some conf changes to use http_inspect.

    Too bad you had to go through all this work. I would try writing them next time.
    That which does not kill me makes me stronger -- Friedrich Nietzsche

  3. #3
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    Angel: Frankly, I shouldn't have to write to a security vendor, (even if it is a free package I am using), to have them send me a new version. This is hardly a new problem, I have been using PureSecure for a couple or more years and they are often months behind newer versions of Snort. While this isn't a problem with version updates that do not add functionality it becomes one when the new rules are written with keywords that are not understood by the old version.

    Furthermore, it is my responsibility to ensure that I am aware of the shortcomings of any updates to security software and to either mitigate the issues within my network or choose not to use the newer product if the potential for compromise exceeds my level of comfort.

    Lastly, as best practice dictates, PureSecure is not my only line of defense. In fact, the GUI for the alerts is only used as a real-time monitor. I use other systems to determine what was going on on my network at any given time because they are quicker to search and can be scripted to provide me with complex daily reports when I arrive at work. (See my tutorial here if you are interested).
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

  4. #4
    Senior Member
    Join Date
    Jun 2003
    Posts
    236
    That's a very nice tutorial. I do not use IIS but I found it very interesting.

    I have to disagree with you about the vendor providing you with the newest updates to their product. I can see if you had bought the product or if you had bought a support contract then you would be entitled to all upgrades but you are using the free version. And it even says that in the freeware license that unless you have a support license that you are required to install and configure your software.

    The fact that we are using the product for free yet they provide me support whenever I write them (even if it does take a little while) is really awesome.
    That which does not kill me makes me stronger -- Friedrich Nietzsche
