[Honeywall] honeywall 1.4 system update, hflow, snort, problems

Konrad konrad at track666.com
Fri Jan 28 06:18:17 CST 2011


Hi,
I am doing a project about Virtual Honeynets. One of its main aims is to 
design and implement a laptop-based detection system based on a virtual 
honeynet (Honeywall roo CDROM). Its main role is to analyze LAN traffic 
and alert.

One of the problems I have come across is out-of-date snort rules. 
roo-1.4 is based on snort 2.6, but rules are not available for this 
version. 2.8.6.1 is the lowest version available (Jan 2011).

What I have done so far:
- Hwall was successfully updated using CentOS 5.5 repos,
- compiled and installed snort 2.8.6,
- installed the new set of rules 2.8.6.1 using oinkmaster.

After the last step, when I issue the command

    snort -T -c /etc/snort/snort.conf

I get

    Segmentation fault

However, when snort is started, it works and logs packets with no errors.
After updating Honeywall and restarting, I get hflow errors:

    starting hflow: premature failure

In /var/log/hflow/hflow.d I get:

    cannot read file header from snort .. aborting

also it complains about not reading
I tried to restart/start/stop hflow several times and the error appears 
every time.
command: service hflow start/stop/restart

Can anyone enlighten me what might be the problem here, please?

Configuration:
host: Toshiba laptop, 3 GB RAM, BackTrack 4 RC2, nemesis kernel 2.6.34
vmware: Workstation 7.1

honeynet:
VM1: roo-1.4, honeywall, 1 GB RAM, default config
       yum repositories taken from standard CentOS 5.5 installation
       snort 2.8.6: compiled from source
       snort rules updated via oinkmaster
       tcpdump 3.9.4
       libpcap 0.9.4

Thanks
Konrad

