EasyIDS help, no TCP traffic on NTOP page, no activity at all on base/snort page
Well, there was no forum for the EasyIDS distribution yet, so I'll ask in the general Distributions forum.
If any one has experience troubleshooting and configuring this distro, any help would be greatly appreciated.
I have installed EasyIDS V0.3, and it went very smoothly. After the install, I logged in to the web GUI and configured the static IP for eth0 and changed the hostname. I also manually set eth1 to run in promiscuous mode, as it was not already configured to do so after the install.
The hardware setup is as follows:
1.8 GHz P4 (northwood)
512 MB DDR RAM
40 GB IDE HDD
Davicom PCI NIC (eth0)
Realtek PCI NIC (eth1)
The box is set up to monitor all traffic coming to and from the router within the LAN. Basically, to catch anything our firewall may not. We have a single 48 port Netgear switch (FS750T2) on which I have configured a "monitor" port which is connected to eth1 on the EasyIDS box, and I have included the port connecting the router in the monitor group.
The issue is that on the NTOP reporting pages there is no sign of any TCP traffic whatsoever. It shows UDP and BOOTP traffic, but no TCP.
Also, on the Base reporting pages, there is no sign of any activity at all, with the top line stating "Sensors/Total: 0/1"
I have tried to check the Snort logs for activity, but quickly discovered the logs must be binary since they only display a short line of garbled ASCII characters. I am also unable to locate logs for NTOP.
If anyone could give me some suggestions on how to troubleshoot this issue further, it would be greatly appreciated. I'm just not sure where else to look for signs of what may be misconfigured.
Original Poster
Update:
Well, in my attempts at further diagnosing what the problem may be, I enabled all the snort rulesets that came with the EasyIDS install. Then when I attempted to restart snort via the GUI, I get a red "[FAILED]" message. I went back and disabled all the rulesets that I had previously enabled, and then attempted to start snort again. Same red FAILED message. I'm pretty stuck now. The fail message that the GUI gives does not give me any indication as to why it failed to start. I'm quite certain the rulesets were all I changed. They are back to their original configuration but it still fails to start. Really not sure where to go from here. I see no option to restore defaults, and since the snort logs seem to be binary I've no idea what errors it might be spitting out that could help me see why it's failing to start.
Anyone with a little more experience with this distro or just the snort service, your advice would be greatly appreciated.
The Snort service is likely failing because it doesn't like something in the rulesets. First thing you should do is go to snort.org to get your oinkcode and configure the rules to update. Version 0.3 doesn't support manual rule updates so you'll either have to wait until the rules get updated (set the rule update to e-mail you so you'll know when it ran) or edit the cron job for the snort user (crontab -u snort -e) to change the time when it runs.
After the rules have been updated, log in to the console and run snort with the following script: snort -c /etc/snort/snort.conf and it will tell you which ruleset is causing snort to fail. You can then disable that specific ruleset from the web interface or comment out the line in the ruleset file that is causing the error.
I'm leaning towards your eth1 NIC being why you aren't seeing any TCP traffic. I usually have good luck with Realteks but I have had one or two that wouldn't work.
I responded to your e-mail but since I can only work on EasyIDS on nights/weekends it sometimes takes me a while to answer.
Original Poster
OK, I got everything working and here is how...
First, the rulesets. I had to go through rulesets one by one and disable them and then attempt to restart. The Snort service finally restarted ok when I got to the spyware ruleset. So with that disabled, the service runs fine again.
As to my original problem of no Ntop TCP traffic, and no traffic at all being reported by Snort, I am sorry and embarrassed to report it came down to a bad network switch. The netgear Smartswitch that was supposed to allow you to configure a monitoring port was malfunctioning and the traffic was not being properly mirrored to the monitor port. I discovered this by just using a basic dumb hub and putting the IDS box on it with the router and suddenly I had all sorts of traffic on both ntop and snort. So I replaced the netgear switch with a brand new one we had in stock, reconfigured the monitor port, and everything worked just as it did on the hub.
Sorry this all ended up boiling down to a hardware issue. I hope this thread can still help others to diagnose a similar issue.
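The two findings in this thread (a mirror port that only passes broadcast traffic, and a ruleset that stops Snort from starting) can be checked from the sensor's console before swapping hardware. The script below is an added example, not part of EasyIDS or any post above; it assumes tcpdump 4.x output format, Snort 2.x (for the -T config test), the interface name eth1 and the config path /etc/snort/snort.conf, and the sample capture lines are constructed.

```shell
#!/bin/sh
# Added diagnostic for a Snort/ntop sensor whose sniffing NIC shows UDP/BOOTP
# but no TCP. Interface, config path and capture length are assumptions.
IFACE="${IFACE:-eth1}"
SNORT_CONF="${SNORT_CONF:-/etc/snort/snort.conf}"
CAPTURE_SECS="${CAPTURE_SECS:-15}"

# Constructed sample of "tcpdump -nn" output: one DHCP broadcast, one ARP, one TCP SYN.
SAMPLE_CAPTURE='12:00:00.000001 IP 192.168.1.5.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 00:11:22:33:44:55, length 300
12:00:00.000002 ARP, Request who-has 192.168.1.1 tell 192.168.1.5, length 28
12:00:00.000003 IP 192.168.1.5.49152 > 10.0.0.1.80: Flags [S], seq 1, win 64240, length 0'

# tcpdump -nn prints "Flags [..]" only for TCP segments, so count those lines.
count_tcp() { awk '/Flags \[/ { n++ } END { print n + 0 }'; }

# Broadcast frames (DHCP/BOOTP, ARP, limited broadcast) reach every switch port
# even when port mirroring is broken; seeing only these is the telltale sign.
count_broadcast() { awk '/BOOTP\/DHCP|^[^ ]* ARP,|> 255\.255\.255\.255/ { n++ } END { print n + 0 }'; }

# Interpret the counts: tcp seen -> mirror works; only broadcast -> mirror suspect.
verdict() {
    if [ "$1" -gt 0 ]; then echo mirror-ok
    elif [ "$2" -gt 0 ]; then echo mirror-suspect   # check the SPAN/monitor port
    else echo no-traffic                            # cable, NIC driver or promisc mode
    fi
}

run_diagnostic() {
    # 1. The sniffing NIC must be in promiscuous mode or unicast frames are dropped.
    ip link show "$IFACE" | grep -q PROMISC || echo "WARN: $IFACE not promiscuous (ip link set $IFACE promisc on)"

    # 2. Capture briefly and classify what actually arrives on the monitor port.
    cap=$(timeout "$CAPTURE_SECS" tcpdump -nn -i "$IFACE" -c 500 2>/dev/null || true)
    tcp=$(printf '%s\n' "$cap" | count_tcp)
    bcast=$(printf '%s\n' "$cap" | count_broadcast)
    echo "tcp=$tcp broadcast=$bcast verdict=$(verdict "$tcp" "$bcast")"

    # 3. Validate config and rules without sniffing; Snort names the offending
    #    rules file and line, which the web GUI's bare [FAILED] does not.
    snort -T -c "$SNORT_CONF" 2>&1 | grep -Ei '^ERROR|fatal' || echo "snort config OK"
}

# Only run the live checks when asked, so the functions can be sourced or tested.
if [ "${1:-}" = "--run" ]; then run_diagnostic; fi
```

Run it as root with `--run`; a result of `mirror-suspect` means the switch delivered broadcasts but no mirrored unicast, which is exactly the symptom the bad Netgear produced.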
Nevertheless, thanks for the closure. As a quick note, you have to pay attention to Snort sigs and the version # of the engine you're running. The sigs are not usually upwardly compatible when factoring in major version numbers (someone please correct me if I'm wrong but I think this is the case). That may have been your issue...not sure, though. I usually turn off Spyware sigs anyways.