Snort mailing list archives

Re: Problems with Snort, Barnyard2, BASE on SUSE 11


From: "Billy Marshall" <Billy.Marshall () state co us>
Date: Thu, 29 Apr 2010 10:37:46 -0600

Also,
 
You might consider implementing a 'Heartbeat'. I have written a script that is invoked via a cron job every day at two
different times. This ensures that my sensors that are relatively quiet are working and keeps MySQL communication open.
It works with the following rule in the satellite sensors' local.rules file. It is invoked by an hping3 script
on the main sensor, providing a "HeartBeat" of the targeted machine. It uses port 12345 as source and destination and
hits the broadcast IP of the sensors' network for the alert to trigger (or any other IP that is not firewalled).
 
0 6 * * * /etc/snort/HeartBeat/HeartBeat.sh >> /var/log/snort/cron.err.log 2>&1
0 14 * * * /etc/snort/HeartBeat/HeartBeat.sh >> /var/log/snort/cron.err.log 2>&1
 
Location:
/etc/snort/HeartBeat/data.txt
/etc/snort/HeartBeat/HeartBeat.sh
 
This uses the following basic rule in the satellite sensors' local rules file (/etc/snort/rules/local.rules)
Rule:
alert tcp xxx.xxx.xxx.xxx 12345 -> any 12345 (msg:"Heart Beat Traffic from <location>"; content:"Heartbeat"; sid:1000000; rev:1;)
          |               |            |           |                                    |                    |            |
          source IP       src port     dst port    alert message                        contents of packet   duh          duh
 
This allows hping3 to craft a packet that will comply with the above rule.
 
Command in Linux script HeartBeat.sh:
# -k keeps the source port at 12345 for all 5 packets; without it hping3 increments the source port after each packet and only the first would match the rule
hping3 -c 5 -k -I eth0 -s 12345 -p 12345 -d 9 -E /etc/snort/HeartBeat/data.txt <broadcast of trust>
------------------------------------------------------------------------------
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
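The post sends the heartbeat but shows no step that confirms the alert actually arrived on the satellite sensor, which is the whole point of the exercise. The script below is an added example, not part of the original post and not the author's HeartBeat.sh. It assumes (none of this is stated in the post) that the satellite sensor writes Snort's "fast" alert format to /var/log/snort/alert, that the heartbeat rule is sid 1000000 as in the post, that the main sensor sends 5 packets per run (-c 5), and that the script is installed under a hypothetical name check_heartbeat.sh. The alert lines embedded in SAMPLE_ALERTS are constructed for testing.

```shell
#!/bin/sh
# Added example (not from the original post): verify on the satellite sensor
# that the heartbeat alert really fired, so a dead Snort process or a broken
# barnyard2/MySQL path is reported instead of silently producing "no alerts".
# Assumed, not taken from the post: alert file path, fast alert format, sid.

ALERT_FILE="${ALERT_FILE:-/var/log/snort/alert}"   # assumed path
HB_SID="${HB_SID:-1000000}"                         # sid from the post's rule
HB_EXPECTED=5                                       # hping3 -c 5 in the post

# Constructed sample of Snort fast-format alert lines (test data only):
# one 06:00 heartbeat run where all 5 packets matched, plus an unrelated alert.
SAMPLE_ALERTS='04/29-06:00:01.100001  [**] [1:1000000:1] Heart Beat Traffic from <location> [**] [Priority: 0] {TCP} 10.0.0.1:12345 -> 10.0.0.255:12345
04/29-06:00:02.100002  [**] [1:1000000:1] Heart Beat Traffic from <location> [**] [Priority: 0] {TCP} 10.0.0.1:12345 -> 10.0.0.255:12345
04/29-06:00:03.100003  [**] [1:1000000:1] Heart Beat Traffic from <location> [**] [Priority: 0] {TCP} 10.0.0.1:12345 -> 10.0.0.255:12345
04/29-06:00:04.100004  [**] [1:1000000:1] Heart Beat Traffic from <location> [**] [Priority: 0] {TCP} 10.0.0.1:12345 -> 10.0.0.255:12345
04/29-06:00:05.100005  [**] [1:1000000:1] Heart Beat Traffic from <location> [**] [Priority: 0] {TCP} 10.0.0.1:12345 -> 10.0.0.255:12345
04/29-09:12:44.000001  [**] [1:2000001:3] Some other local rule [**] [Priority: 2] {TCP} 10.0.0.7:51234 -> 10.0.0.9:22'

# count_heartbeats FILE SID DAY HOUR
# Prints how many alerts for generator 1 / SID were logged on DAY (MM/DD)
# during hour HH. Anchors on the fast-format timestamp and the [gid:sid:rev]
# tag only, so the msg text and IPs can change without breaking the check.
count_heartbeats() {
    file="$1"; sid="$2"; day="$3"; hour="$4"
    grep -Ec "^${day}-${hour}:[0-9]{2}:[0-9]{2}\.[0-9]+ +\[\*\*\] \[1:${sid}:[0-9]+\] " "$file" || true
}

# heartbeat_ok FILE SID DAY HOUR EXPECTED
# Succeeds only if every packet of the run produced an alert. Fewer than
# EXPECTED means the sensor dropped traffic or, a common cause, hping3 was
# run without -k so only the first packet carried source port 12345.
heartbeat_ok() {
    n=$(count_heartbeats "$1" "$2" "$3" "$4")
    [ "$n" -ge "$5" ]
}

# send_heartbeat TARGET: the main sensor's side, the post's hping3 command
# with -k so all packets keep source port 12345. Needs root.
send_heartbeat() {
    hping3 -c "$HB_EXPECTED" -k -I eth0 -s 12345 -p 12345 -d 9 \
        -E /etc/snort/HeartBeat/data.txt "$1"
}

# Usage (hypothetical script name):
#   main sensor, from cron:        check_heartbeat.sh send <broadcast of trust>
#   satellite, a few minutes later: check_heartbeat.sh check   (defaults to today, this hour)
# A non-zero exit makes cron mail the failure instead of logging silence.
case "${1-}" in
    send)  send_heartbeat "$2" ;;
    check) day="${2:-$(date +%m/%d)}"; hour="${3:-$(date +%H)}"
           heartbeat_ok "$ALERT_FILE" "$HB_SID" "$day" "$hour" "$HB_EXPECTED" \
               || { echo "heartbeat alert missing for $day $hour on $(hostname)" >&2; exit 1; } ;;
esac
```

Run the check from the satellite's crontab a few minutes after the main sensor's 06:00 and 14:00 entries; because the counter keys on the timestamp hour, a run that matched only one of five packets is reported as a failure rather than passing on a single stray alert.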