[Honeywall] honeywall 1.4 system update, hflow, snort, problems

Earl Sammons earl.sammons at gmail.com
Fri Jan 28 10:21:48 CST 2011


Not sure how you built snort but the one in the Honeywall is a custom
build.  It was one binary built --with-inline (or whatever the switch
is to turn on the inline stuff) so that it can be run as both inline
IPS and traditional IDS (if you turn on the inline stuff it still
works either way).

If you're really brave, have a look at the somewhat automated RPM build
env in the SVN repo here:
https://projects.honeynet.org/honeywall/browser/honeywall/trunk/rpm-devel/snort

You can start by looking at the RPM .spec file to see how it was built
and go from there.


Earl

On Fri, Jan 28, 2011 at 7:18 AM, Konrad <konrad at track666.com> wrote:
> Hi,
> I am doing a project about Virtual Honeynets. One of the main aims of it
> is to design and implement laptop based detection system based on
> virtual honeynet (Honeywall roo CDROM). Its main role is to analyze LAN
> traffic and alert.
>
> One of the problems I have come across are out-of-date snort rules.
> roo-1.4 is based on snort 2.6 but rules for it are not available for this
> version. 2.8.6.1 is the lowest version available (Jan 2011).
>
> What I have done so far:
> - Hwall was successfully updated using CentOS 5.5 repos,
> - compiled and installed snort 2.8.6
> - installed new set of rules 2.8.6.1 using oinkmaster
>
> After the last step when I issue command
> snort -T -c /etc/snort/snort.conf
> I get
> Segmentation fault
>
> However when snort is started, it works and logs packets with no errors.
>
> After updating Honeywall and restarting, I get hflow error/s
> starting hflow: premature failure
>
> In /var/log/hflow/hflow.d I get:
> cannot read file header from snort .. aborting
> also it complains about not reading
> Tried to restart/start/stop hflow several times and error appears every
> time.
> command: service hflow start/stop/restart
>
> Can anyone enlighten me what might be the problem here, please?
>
> Configuration:
> host: Toshiba laptop 3gb ram, backtrack 4 rc2 nemesis kernel 2.6.34
> vmware: workstation 7.1
>
> honeynet:
> VM1: roo-1.4, honeywall, 1gb ram, default config
>       yum repositories taken from standard CentOS 5.5 installation
>       snort 2.8.6: compiled from source
>        snort-rules updated via oinkmaster
>       tcpdump 3.9.4
>       libpcap 0.9.4
>
> Thanks
> Konrad
> _______________________________________________
> Honeywall mailing list
> Honeywall at public.honeynet.org
> https://public.honeynet.org/mailman/listinfo/honeywall
>
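Earl's suggestion is to read the RPM .spec file to see which configure switches the Honeywall snort was built with before comparing it to a hand-compiled 2.8.6. The script below is an added example, not code from the Honeywall project or from either poster: it joins the backslash-continued configure lines in a .spec file and reports whether inline support was switched on. The spec fragment it parses is constructed for the example (the version string and the extra switches are placeholders, not the real Honeywall spec), and the `spec_has_inline` / `spec_configure_lines` names are this example's own.

```shell
#!/bin/sh
# Added example (not Honeywall project code): inspect the configure
# options recorded in an RPM .spec file so a custom build (the Honeywall
# snort with inline support) can be compared against a hand-compiled one.

# Print every configure invocation found in a .spec file, one per line,
# with backslash line continuations joined. Matches both the %configure
# macro and a literal ./configure call.
spec_configure_lines() {
    # $1: path to the .spec file
    sed -e ':a' -e '/\\$/N; s/\\\n//; ta' "$1" \
        | grep -E '^[[:space:]]*(%configure|\./configure)'
}

# Exit 0 if the spec enables inline mode, 1 otherwise. Snort 2.x used
# --enable-inline; --with-inline is accepted too because the original
# post was unsure of the exact switch name.
spec_has_inline() {
    spec_configure_lines "$1" | grep -qE -- '--(enable|with)-inline'
}

# Constructed sample spec fragment for the example; not the real spec.
SAMPLE_SPEC="${TMPDIR:-/tmp}/snort-sample.spec"
cat > "$SAMPLE_SPEC" <<'EOF'
Name: snort
Version: 2.6.1
%build
%configure --enable-inline \
           --enable-dynamicplugin \
           --with-mysql
make %{?_smp_mflags}
EOF

if spec_has_inline "$SAMPLE_SPEC"; then
    echo "inline support enabled in $SAMPLE_SPEC"
else
    echo "no inline support in $SAMPLE_SPEC"
fi
```

Point `spec_has_inline` at the snort.spec from the rpm-devel tree instead of the sample file to check the real build; if your own `./configure` line lacks the same switches, hflow and the rest of the Honeywall tooling are talking to a differently built snort.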


More information about the Honeywall mailing list