[Honeywall] honeywall 1.4 system update, hflow, snort, problems

Konrad konrad at track666.com
Fri Jan 28 11:31:33 CST 2011


Earl Sammons wrote:
> Not sure how you built snort but the one in the Honeywall is a custom
> build.  It was one binary built --with-inline (or whatever the switch
> is to turn on the inline stuff) so that it can be run as both inline
> IPS and traditional IDS (if you turn on the inline stuff it still
> works either way).
>
> If you're really brave, have a look at the somewhat automated RPM build
> env in the SVN repo here:
> https://projects.honeynet.org/honeywall/browser/honeywall/trunk/rpm-devel/snort
>
> You can start by looking at the RPM .spec file to see how it was built
> and go from there.
>
>
> Earl
>
> On Fri, Jan 28, 2011 at 7:18 AM, Konrad <konrad at track666.com> wrote:
>   
>> Hi,
>> I am doing a project about Virtual Honeynets. One of the main aims of it
>> is to design and implement a laptop-based detection system based on a
>> virtual honeynet (Honeywall roo CDROM). Its main role is to analyze LAN
>> traffic and alert.
>>
>> One of the problems I have come across is out-of-date snort rules.
>> roo-1.4 is based on snort 2.6 but rules are not available for this
>> version. 2.8.6.1 is the lowest version available (Jan 2011).
>>
>> What I have done so far:
>> - Hwall was successfully updated using CentOS 5.5 repos,
>> - compiled and installed snort 2.8.6
>> - installed new set of rules 2.8.6.1 using oinkmaster
>>
>> After the last step, when I issue the command
>> snort -T -c /etc/snort/snort.conf
>> I get
>> Segmentation fault
>>
>> However, when snort is started, it works and logs packets with no errors.
>>
>> After updating Honeywall and restarting, I get hflow errors:
>> starting hflow: premature failure
>>
>> In /var/log/hflow/hflow.d I get:
>> cannot read file header from snort .. aborting
>> also it complains about not reading
>> Tried to restart/start/stop hflow several times and the error appears every
>> time.
>> command: service hflow start/stop/restart
>>
>> Can anyone enlighten me what might be the problem here, please?
>>
>> Configuration:
>> host: Toshiba laptop 3gb ram, backtrack 4 rc2 nemesis kernel 2.6.34
>> vmware: workstation 7.1
>>
>> honeynet:
>> VM1: roo-1.4, honeywall, 1gb ram, default config
>>      yum repositories taken from standard CentOS 5.5 installation
>>      snort 2.8.6: compiled from source
>>      snort-rules updated via oinkmaster
>>      tcpdump 3.9.4
>>      libpcap 0.9.4
>>
>> Thanks
>> Konrad
>> _______________________________________________
>> Honeywall mailing list
>> Honeywall at public.honeynet.org
>> https://public.honeynet.org/mailman/listinfo/honeywall
>>
hi Earl,
Thanks for that.
I had a look at the spec of the snort rpm you referred to.
Perhaps compilation with the inline option would help. My guess is that 
there is something wrong with either snort or the updated rules or both.
Once I am done testing I will post the results.

By the way, I could not find any info about upgrading Honeywall roo-1.4  
software/packages to more recent versions.
A problem is that snort rules are quite outdated and lots of attacks fly 
under the radar.

Cheers,
Konrad
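As an added example (not code from this thread, from Honeywall, or from Snort): a small POSIX shell wrapper around the "snort -T -c snort.conf" parse test discussed above. It tells apart a clean parse (exit 0), a configuration or rule error (snort's fatal-error path exits 1) and a crash (the shell reports a signal-killed child as 128+signo, so a segfault shows up as 139), and it raises the core-file limit first so that a crash leaves something for gdb. It also pulls the version string out of the "snort -V" banner so the running binary can be compared against the rules snapshot that was installed. The SNORT_BIN and SNORT_CONF default paths and the SNORT_RUN_CHECK switch are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not part of the Honeywall or Snort projects.
# Classifies the outcome of "snort -T" so a segfault is not mistaken
# for a rule-syntax problem (or vice versa).

SNORT_BIN="${SNORT_BIN:-/usr/local/bin/snort}"      # assumed path
SNORT_CONF="${SNORT_CONF:-/etc/snort/snort.conf}"   # assumed path
LOG="${LOG:-/tmp/snort-T.log}"

# Map a shell exit status to a short verdict.
# POSIX shells report a child killed by signal N as 128+N;
# SIGSEGV is 11 (139) and SIGABRT is 6 (134).
classify_status() {
    case "$1" in
        0)   echo "ok" ;;
        1)   echo "config-error" ;;     # snort's FatalError() exits 1
        134) echo "crash:SIGABRT" ;;
        139) echo "crash:SIGSEGV" ;;
        *)   echo "unknown:$1" ;;
    esac
}

# Extract "X.Y.Z" from the "snort -V" banner passed in as a string,
# e.g. "   Version 2.8.6.1 (Build 39)" -> "2.8.6.1".
parse_snort_version() {
    printf '%s\n' "$1" | sed -n 's/.*Version \([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# Run the parse-only test and print the verdict; snort's own output
# goes to $LOG so the last lines before a crash can be inspected.
snort_config_test() {
    bin="${1:-$SNORT_BIN}"
    conf="${2:-$SNORT_CONF}"
    if [ ! -x "$bin" ]; then
        echo "missing-binary:$bin"
        return 0
    fi
    ulimit -c unlimited 2>/dev/null || true   # keep a core file for gdb
    st=0
    "$bin" -T -c "$conf" >"$LOG" 2>&1 || st=$?
    classify_status "$st"
}

# Usage: SNORT_RUN_CHECK=1 SNORT_BIN=/usr/local/bin/snort sh snort-t-check.sh
if [ "${SNORT_RUN_CHECK:-0}" = "1" ]; then
    echo "snort version:   $(parse_snort_version "$("$SNORT_BIN" -V 2>&1)")"
    echo "snort -T result: $(snort_config_test)"
    echo "snort output in: $LOG"
fi
```

If the verdict is "crash:SIGSEGV" while a normal "snort -c ..." run works, the tail of $LOG shows which rule file or preprocessor was being parsed when the test mode died, which narrows the search to the rules just pulled in by oinkmaster versus the binary itself; a "config-error" verdict instead points at a rule keyword the installed version does not understand.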

