lee/hpr-knowledge-base
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
eef88341f7496aa3ce4e4012275c4943d6fb1acb
hpr-knowledge-base/hpr_transcripts/hpr0331.txt
Lee Hanken 7c8efd2228 Initial commit: HPR Knowledge Base MCP Server 
- MCP server with stdio transport for local use
- Search episodes, transcripts, hosts, and series
- 4,511 episodes with metadata and transcripts
- Data loader with in-memory JSON storage

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
2025-10-26 10:54:13 +00:00

179 lines
11 KiB
Plaintext
Raw Blame History

Episode: 331
Title: HPR0331: Snort Part 2
Source: https://hub.hackerpublicradio.org/ccdn.php?filename=/eps/hpr0331/hpr0331.mp3
Transcribed: 2025-10-07 16:31:18
---
Music
Hello, and welcome to this episode of Packer Public Radio with your host, Operator.
You can check out my site on McCurdy.com, R-M-C-C-U-R-D-Y.com, got a bunch of stuff on there
for applications, all kinds of goodness.
Today's topic is going to be snort, okay, yes, we all know what snort is, that's fine.
But has any of you actually implemented it and if you have, how are you using it or are
using it to its best ability?
Okay, so yeah, you've used snort before, whatever, it's an IDS and it's blogs and that's
great.
Well, it can do a lot more than that.
It's an IDS, it can be a wireless IDS, detect rogue access points, crazy stuff like that,
intrusion detection prevention, which is the blocking aspects of it, and actions not necessarily
blocking, but you can do any action based on that, malware, signatures, command and control
for botnet, shenanigans, rogue services like DHCP services, DNS services, etc., denial
of service attacks, all kinds of stuff that you would think that your network would cause
problems with, even malformed packets, all kinds of good stuff, snort has out of the
box for the most part.
And what's even better is if you don't like it, you can write your own signatures, do
whatever the hell you want.
Okay, so let's get started.
It's not IDS proof.
There's a lot of good guides out there.
There's a couple of good ones for BSD specifically, but first things first, once you start
your running, you're going to find false positives all over the place.
We're also going to have issues with updating or automatic updating, and then if you do patch
anything into it, besides doing signatures, you're going to have to compile it or patch
it, the actual snort part of it, to do it, get it to work with snort sam, etc., then
you've got all this other crap like base and snort and oink and oink master and barnyard
and inline and all that mess, which is a different story altogether.
Then you've got environment variables, so for things like signatures that get pop up
for something that's not even run on a specific port.
So for example, if you've got SSH running over port 8 and you're flipping bits across
there, you're going to trigger alerts or vice versa.
If you're running something on a different port than snort would normally listen on, it's
going to trigger alerts, trigger false positives, and you're going to have all kinds of mess
going on.
But for the general network, and you're not going to have to do a whole lot with the environment
variables, unless you've got the infamous security through obscurity, stuff not on a
port, so it's not supposed to be run or what you need to know before you start.
What OS you're doing it with, are you going to use IPFW or are you going to use IP tables
here, Linux flavors, as far as ease of use, I would start with a BST box, free BST, open
BST, not for the newbie, you're going to start with free BST and then kind of go from
there on the guides online.
There's also some mess to get into as far as the preprocessors, what they do, how they're
set up into all the magical goodness that they can do.
And then like I said, you've got your oink master and barnyard and acid and basin and snort
and inline and all that good stuff, which oink master from what I can remember is the
guy that kind of helps you update your signatures and you get an oink code from snort and I'll
kind of go over that, then you got stuff like barnyard that sends the base information
into a SQL or postgres backend and all kinds of fancy stuff and then you got the alternative
method for instead of snort sand, you've got snort inline that does similar actions.
Okay, so here's your idiot proof guide for snort sand.
You start off with a free BST box or open BST if you want to go squarely, alright, so
you get an open BST or free BST box and go to the, what is this?
These are reports security snort folder and do make space config.
Now you'll check the box that says snort sand and hope for the best.
You will have errors with auto comp auto make.
If you do, go ahead and go to the configuration of all the packages and get rid of anything
auto make auto comp and you don't have to worry about the mislinking and it making to the
wrong binary.
So let's just get rid of auto make and have it go down the dependencies of whatever auto
make and auto comp at once.
So once you've finally gotten snort to configure with snort sand or snort inline or whichever
one you want to use, you want to do snort sand in my case.
You want to also go to the ports folder for snort sand and compile snort.
And at this point, you'll have snort and snort sand compiled ready to go.
And now you're going to go to the configuration part.
Okay, so from ports, you got snort to configure with the snort sand madness and then you
got snort sand itself to configure and compile from ports.
Okay, so then you get this sample configuration for snort sand of course and I will post
my configuration and as far as configuration icon for snort sand, that's the easy part.
I'm really going to go into that snort and however is the more difficult part to get
running the way you want it.
Now after getting all this mess set up, I realize it snort inline now supports free
BSD.
So whatever, if you want to use snort inline to do your actual blocking deal, I would use
that.
Go for that.
I'm sure there's tutorials on that that are a little bit better.
But this is more mainly for people that have snort running and want to actually know
how to update the configuration and update the rules and automate all this stuff to get
nice and clean and updated.
All right, so you have snort listening and you have some signatures and you have it
doing something when you get triggered a signature, either dumping to an SQL database
and blocking or doing both or six one half and a dozen the other.
Okay, okay, so now we're going to go over my horrid update script for snort.
Barnyard and you could probably do all this or if not more than this, but I don't even
go down the barnyard yard because I was just way too complicated for me and I'd rather
just write a script to do what I want to do.
So first thing, we download snort rules.
Before I had a PHP scroll script, it would log into the web interface and download the
rules that way.
Apparently now it's just a one URL, one liner.
You get a snort code that's some weird fancy hash and once you register for their free
feeds that don't update that often, you'll get a snort point master code and you can just
feed it one URL and that's going to be in the update script if you want that.
So just W get whatever and you're done.
The merging threats rules, you also be bleeding edge threats or bleeding threats and
God knows whatever else it was before that.
Now it's emerging threats dot net.
Take a look at the website, it's awesome.
The rules are free and they're small, they're zipped up and you're good to go.
So along with those two rules, those are your signatures, the base signatures you start
with.
What I do on the next step is unremove unrun one of the rules.
The first thing you're going to need, like I said, is your false positives that are going
to be triggering all over the place.
You're going to ICMP rules I'm removing.
I remove the chat rules, FTP and the peer to peer stuff.
Now you're still going to have false positives regarding all these.
You're going to have ICMP chat and NETTP and peer to peer false signatures, probably
that you're going to have to get rid of manually.
You'll want to do the way I set it up on the next step is have a template with a base
and then everything that I add to it is going to be in this nor update.
Okay, so this is the template file.
It's just everything except for everything that's in this nor update script.
So the unwanted signatures removal and the suppression and anything after this, what
is this for this step?
Okay, so after that, we remove unwanted signatures based on just a text stream.
Now I know this is not the best way to do it.
You're supposed to use the actual ID of the signature, but I got lazy and we know what
happens when we get lazy.
We got rid of DNS stuff, some disclosure feeds, NC.exe was getting triggered and all
these unwanted and false positive signatures that I got rid of.
Here on the other side after that, I started using the actual IDs, signature IDs for each
event instead of just doing a grip stream.
And I don't even know what most of them are.
They're just mostly false positives.
Then this other rule is the other line here is the ads nor sam tag.
Now all it does is ads the tag for nor sam and you'll see that in the notes if you go
to snort sam.net, it'll have the notes to tell you what to put on the end of each signature
for this to work.
Now apparently I think Barnyard or at least you could do it probably straight inside
the config and just append it to one instead of having an append it to all of it.
But for whatever reason, I'm still using it this way.
Then I have a snort check script that runs every 10 minutes or so to make sure that snort
sam is running and snort is running.
If I get the alert more than twice, then I know something else is going on.
Alright so you manage to get snort running, you manage to get it updated, you manage to
get it automated and doing some cool stuff with maybe dumping it to a SQL database or
dumping it to a database and having nitsypc charts and all that good stuff.
Or just like mine is snort snarf, which is a pro plug-in for it that just dumps the
html and it's no big work right.
So let's talk about detecting scans which was originally I think the whole reason I went
with snort back in forever ago.
It's fairly different now they have the pre-processor mess and the pre-processor is a whole different
road.
But mainly you'll look for the sf port scan option and you'll set the scents underscore
level to high.
Now the first thing that happens when you do that is goes apeshit when you start using
torrent because snort has the ability to detect port scans from different host or some
shit.
It's some magical stuff that I don't know how the hell it knows but what it sees is a
bunch of host connecting on a bunch of ports and it's like somebody scanning some creative
things you can do with it recently have a semi-automated incident response system that
will do who is on the ip, give them the logs and look up all the emails on the actual who
is information and send it out to you'll be used at or info at or whoever at.
And I've been getting some interesting responses back from it so another idea I had was something
that would listen and have open for all ports or maybe like a firewall that I could set
up that says that's open for all ports and you're going to get a lot more traffic with
that because what happens is these automated bots and scanners they're scanning ports
scan the ports close and then you're done.
Now if you get a port open and maybe some do its back you might even want to set up a
honey pod or something crazy like that and your signatures will probably go up a lot of
wise so.
So yeah that pretty much wraps up my random cycle battle for snort.
Anybody has any questions?
Everything will be in the show notes that I have that I can possibly give you and if
anybody has any questions just send me a line at our McCurdy.com that's our mccurdy.com
Thank you for listening to HACCA Public Radio.
HPR is sponsored by Carol.net so head on over to CARO.NAT for all of her speed.
Reference in New Issue View Git Blame Copy Permalink