Issues using Snort on Ubuntu - snort

I installed snort on Ubuntu 14.04 but am having issues seeing the alerts. I also want it to log the alerts to a GUI but am having issues also with MySQL database. Please guide.

You can test your installation by running snort -v. Make sure you run snort as the root user or else you will get an error as shown below.
Running in packet dump mode
--== Initializing Snort ==--
Initializing Output Plugins!
ERROR: Failed to lookup interface: no suitable device found. Please specify one with -i switch
Fatal Error, Quitting..
If snort -v is working then try running the basic IDS mode using
snort -d -l ./log -c snort.conf
where log is the directory where you want to store the log and alert files, and snort.conf is the name of your snort configuration file; it should contain your snort rules.
If you don't specify an output directory for the program, it will default to /var/log/snort.
Here is the manual. https://www.snort.org/documents/snort-users-manual
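As an added example (not code from the answer above), a small POSIX shell preflight that checks the preconditions the answer relies on (root, a non-loopback interface, a writable log directory) before validating the config and printing the IDS command line. It assumes Snort 2.x flags: -T (test the config), -i, -l, -c, -d and -A console (print alerts to the terminal as well as logging them).

```shell
#!/bin/sh
# Added example, not from the original answer: preflight checks for the
# basic IDS invocation above (root, interface, log directory, config test).
# Assumes Snort 2.x flags: -T (test config), -i, -l, -c, -d, -A console.

# Name a usable non-loopback interface from sysfs (no traffic is read here).
pick_iface() {
    for ifc in /sys/class/net/*; do
        [ -e "$ifc" ] || continue
        ifc=${ifc##*/}
        [ "$ifc" = "lo" ] && continue
        echo "$ifc"
        return 0
    done
    return 1
}

# Make sure the log directory exists and is writable, creating it if needed.
check_log_dir() {
    mkdir -p "$1" 2>/dev/null || return 1
    [ -d "$1" ] && [ -w "$1" ]
}

# The IDS command line from the answer, defaulting to /var/log/snort and
# adding -A console so alerts are also printed to the terminal.
snort_ids_cmd() {
    conf=$1; iface=$2; logdir=${3:-/var/log/snort}
    printf 'snort -d -A console -i %s -l %s -c %s\n' "$iface" "$logdir" "$conf"
}

# Run every check the answer implies, then validate the config with -T.
snort_preflight() {
    conf=$1; logdir=${2:-/var/log/snort}
    [ "$(id -u)" -eq 0 ] || { echo "run as root: otherwise 'no suitable device found'" >&2; return 1; }
    [ -r "$conf" ] || { echo "config not readable: $conf" >&2; return 1; }
    check_log_dir "$logdir" || { echo "log dir not writable: $logdir" >&2; return 1; }
    iface=$(pick_iface) || { echo "no non-loopback interface found" >&2; return 1; }
    snort -T -i "$iface" -c "$conf" >/dev/null 2>&1 || { echo "snort -T failed for $conf" >&2; return 1; }
    snort_ids_cmd "$conf" "$iface" "$logdir"
}

# Usage: snort_preflight /etc/snort/snort.conf ./log
```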

Mongo Procedures Dependencies Cause Neo4j Connection Issues

I am using Neo4j on a remote server (ubuntu 20.4) and would like to stream data from MongoDB to Neo4j. I followed the instructions here. I tried both ways by using the following approaches:
Use the following command:
sudo wget https://github.com/neo4j-contrib/neo4j-apoc-procedures/releases/tag/4.3.0.7/apoc-mongodb-dependencies-4.3.0.7.jar -O /mnt/neo4j/plugins/apoc-mongodb-dependencies-4.3.0.7.jar
Note that the plugins directory has a different path due to mounting. I changed the path in the configuration file accordingly. This should not be causing any problems because I had the same problem before mounting.
Also, I tried to match the same release as the apoc-core file (4.4.0.3) in a separate attempt with no better outcome.
Changing the ownership and read permissions as follows didn't help either:
sudo chown neo4j:neo4j apoc-mongodb-dependencies-4.4.0.3.jar
sudo chmod 755 apoc-mongodb-dependencies-4.4.0.3.jar
Use the following commands:
sudo wget https://repo1.maven.org/maven2/org/mongodb/mongo-java-driver/3.12.11/mongo-java-driver-3.12.11.jar -O /mnt/neo4j/plugins/mongo-java-driver-3.12.11.jar
sudo wget https://repo1.maven.org/maven2/org/mongodb/mongodb-driver/3.12.11/mongodb-driver-3.12.11.jar -O /mnt/neo4j/plugins/mongodb-driver-3.12.11.jar
sudo wget https://repo1.maven.org/maven2/org/mongodb/mongodb-driver-core/4.7.1/mongodb-driver-core-4.7.1.jar -O /mnt/neo4j/plugins/mongodb-driver-core-4.7.1.jar
sudo wget https://repo1.maven.org/maven2/org/mongodb/bson/4.7.1/bson-4.7.1.jar -O /mnt/neo4j/plugins/bson-4.7.1.jar
Note that I used the latest versions. I tried the versions available in the instructions as well with no difference in the outcome.
Now when restarting the neo4j.service, I no longer can access the cypher-shell nor the browser. In the first case, I get "connection refused", while I get a blank page in the browser case. When I check the status, the service is active and running. But I noticed that it is missing a line compared to when I don't have the dependencies.
Starting...
This instance is ServerId{#}
======== Neo4j 4.4.5 ======== (This line is missing with the dependencies downloaded!)
When I delete the dependencies from the plugins directory and restart, everything goes back to normal and functions as expected. One more thing to note is that apoc-core procedures work just fine!
I don't know if I'm doing something wrong here or if there is some sort of underlying problem!

MongoDB - can't run because of SELinux is preventing mongod from open access on the file /proc/sys/net/ipv4/tcp_fastopen

After install, my mongod server was running well. I created a user and restarted the server without issue.
But now, after modifying the config file by adding 0.0.0.0 to bindIp, the server won't restart.
The error messages are:
Jan 24 11:59:53 localhost.localdomain setroubleshoot[4656]: failed to retrieve rpm info for /proc/sys/net/ipv4/tcp_fastopen
Jan 24 11:59:54 localhost.localdomain setroubleshoot[4656]: SELinux is preventing mongod from open access on the file /proc/sys/net/ipv4/tcp_fastopen. For complete SELinux messag>
Jan 24 11:59:54 localhost.localdomain setroubleshoot[4656]: SELinux is preventing mongod from open access on the file /proc/sys/net/ipv4/tcp_fastopen.
***** Plugin catchall (100. confidence) suggests **************************
If you believe that mongod should be allowed open access on the tcp_fastopen file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# ausearch -c 'mongod' --raw | audit2allow -M my-mongod
# semodule -X 300 -i my-mongod.pp
ausearch -c 'mongod' --raw | audit2allow -M my-mongod
semodule -X 300 -i my-mongod.pp
did not solve the problem.
The MongoDB docs say that version 4 enables the use of tcp_fastopen by default.
I can't find out how to apply semanage permissive to use tcp_fastopen.
Thanks in advance
If you're running on RHEL, CentOS, or Oracle Linux, follow the instructions for the official SELinux policy for the MongoDB server:
sudo yum install -y git make checkpolicy policycoreutils selinux-policy-devel
git clone https://github.com/mongodb/mongodb-selinux
cd mongodb-selinux
make
sudo make install
Verify your operating system is supported by MongoDB.
Install a vanilla version of your operating system, do not change any settings, use published MongoDB documentation to install MongoDB and get it working.
Identify differences between your current installation and the vanilla installation.
Update your question with findings.
I couldn't find an answer to this exact error. I was starting to pull my hair out. I ended up looking at the mongod.log file. It had a permission denied error in there. journalctl showed the tcp_fastopen, so I was troubleshooting SELinux while it was actually a permission denied error. Hopefully this will help someone else running into this error.
I had the same problem after upgrading mongod to 4.4.6.
I ended up applying what is suggested here, compiling the module manually.
Now it works!
I did many tries, so I am not 100% sure that what I did is more than necessary.
The audit2allow command does not include the rule
allow mongod_t sysctl_net_t:file { getattr read open };
# cat > mongodb_sysctl_net.te << EOF
module mongodb_sysctl_net 1.0;
require {
type mongod_t;
type sysctl_net_t;
class dir search;
class file { getattr read open };
}
#============= mongod_t ==============
allow mongod_t sysctl_net_t:dir search;
allow mongod_t sysctl_net_t:file { getattr read open };
EOF
# checkmodule -M -m -o mongodb_sysctl_net.mod mongodb_sysctl_net.te
# semodule_package -o mongodb_sysctl_net.pp -m mongodb_sysctl_net.mod
# semodule -i mongodb_sysctl_net.pp
# systemctl start mongod.service
NOTE: I already had policy modules installed from the previous installation written according to the mongodb documentation
I had the same issue (semodule error about accessing tcp_fastopen) with a mongo 4.4 replica-set configuration. It couldn't be an OS (Oracle Linux 8) issue, since I had the error on just one of three identical replica-set nodes (same update status).
The system already had the selinux configuration as suggested in the official documentation, with
semodule -l | grep mongo
returning
mongodb
mongodb_cgroup_memory
mongodb_proc_net
Digging inside mongod.log I finally found:
"Failed to unlink socket file","attr":{"path":"/tmp/mongodb-27017.sock","error":"Operation not permitted"}}
I don't know which condition led to this status, but when I unlinked the socket (as root), the mongo daemon started again without errors so far.
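As an added example (not code from any of the answers above), a small Python script that turns AVC denial lines like the ones in the question into the minimal policy module shown in the manual-module answer, so the generated rules can be reviewed before anything is loaded with semodule. The AVC lines are constructed (pids and inode numbers are hypothetical) and stand in for the output of ausearch -c 'mongod' --raw.

```python
import re
from collections import defaultdict

# Constructed AVC denials (hypothetical pids/inodes) matching the denial
# quoted in the question: mongod reading /proc/sys/net/ipv4/tcp_fastopen.
SAMPLE_AVC = """\
type=AVC msg=audit(1611489593.101:501): avc:  denied  { search } for  pid=4721 comm="mongod" name="net" dev="proc" ino=1 scontext=system_u:system_r:mongod_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1611489593.102:502): avc:  denied  { read open } for  pid=4721 comm="mongod" path="/proc/sys/net/ipv4/tcp_fastopen" dev="proc" ino=2 scontext=system_u:system_r:mongod_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file permissive=0
type=AVC msg=audit(1611489593.103:503): avc:  denied  { getattr } for  pid=4721 comm="mongod" path="/proc/sys/net/ipv4/tcp_fastopen" dev="proc" ino=2 scontext=system_u:system_r:mongod_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file permissive=0
"""

# Pull the denied permission set, the source/target types and the class.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{ (?P<perms>[^}]+)\} for .*?comm="(?P<comm>[^"]+)".*?'
    r'scontext=\w+:\w+:(?P<stype>\w+):\S+ tcontext=\w+:\w+:(?P<ttype>\w+):\S+ '
    r'tclass=(?P<tclass>\w+)'
)

def parse_avc(text, comm=None):
    """Group denied permissions by (source type, target type, class),
    optionally limited to one command name such as "mongod"."""
    denials = defaultdict(set)
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m or (comm and m["comm"] != comm):
            continue
        denials[(m["stype"], m["ttype"], m["tclass"])].update(m["perms"].split())
    return dict(denials)

def fmt_perms(perms):
    """SELinux policy syntax: braces only around a multi-permission set."""
    perms = sorted(perms)
    return perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"

def to_te_module(denials, name="mongodb_sysctl_net", version="1.0"):
    """Render the minimal allow rules as .te source, in the shape of the
    module in the answer above (require block, then allow rules)."""
    types = sorted({t for key in denials for t in key[:2]})
    classes = defaultdict(set)
    for (_, _, cls), perms in denials.items():
        classes[cls].update(perms)
    out = [f"module {name} {version};", "", "require {"]
    out += [f"\ttype {t};" for t in types]
    out += [f"\tclass {cls} {fmt_perms(classes[cls])};" for cls in sorted(classes)]
    out += ["}", ""]
    out += [f"allow {s} {t}:{c} {fmt_perms(p)};" for (s, t, c), p in sorted(denials.items())]
    return "\n".join(out) + "\n"
```

The rendered module can be compiled with the checkmodule / semodule_package steps from the answer above; keeping the scope to one command name and reviewing the require block first avoids loading a broader allow than the denial actually needs.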

Crashes not displayed in sulley fuzzing framework on fuzzer localhost:26000

Question: Is the sulley fuzz control supposed to update in real time?
Background:
It appears that my procmon script is not recording crashes in the crashbin file. I have set up the sulley fuzzing framework step by step with the install instructions; however, I am not able to see access violations within the fuzzer script output or the sulley web app. I am fuzzing an application given to me from a course and the application is crashing correctly. I have fuzzed multiple programs to test sulley and get many crashes; however, the debugger is not displaying access violations. I have sulley and paimei set up "perfectly" and can import all libraries from each folder location and globally. Here is a list of libraries. My fuzz script is configured perfectly! All connections happen with all sulley scripts correctly and I get info, debug and warnings; I am using log level 10. My crashbin is not growing when the application crashes and I request any help to fix the issue.
scripts run on the fuzzed machine
python network_monitor.py -l 10 -d 0 -f "port 80" -P audits --port 26001
python process_monitor.py --port 26002 -l 10 -c audits/master_server.crashbin -p "application.exe"
pydasm,
pdbg
pcapy
impacket
sulley
tornado
flask
pedrpc
installation instructions
https://github.com/OpenRCE/sulley/wiki/Windows-Installation
following a guide I fuzzed the vulnserver LTER /.:AAA and below is an output of the PEDRPC results

Why psql could not connect to server?

I have previously installed Postgresql on Mac with Homebrew.
When I try to access database, keep getting the error below:
psql: could not connect to server: No such file or directory
Is the server running locally and accepting
connections on Unix domain socket "/tmp/.s.PGSQL.5432"?
Is there a way to get a better error message compared to the one I am getting from psql?
Yes.
Unfortunately, when a Homebrew service starts, it can fail silently without you realising.
To confirm this is your case too, run:
brew services list
You should see PostgreSQL's status as started. However, the colour is yellow, not green (can be a bit hard to see depending on your colour scheme).
Yellow means the actual status is unknown, not started!
To make a meaning out of the unknown status, use pg_ctl to start PostgreSQL server:
# For Intel
pg_ctl -D /usr/local/var/postgres -l /usr/local/var/postgres/server.log start
# For M1:
pg_ctl -D /opt/homebrew/var/postgresql@11 start
This command should output the real issue:
dyld: Library not loaded: /usr/local/opt/icu4c/lib/libicui18n.63.dylib
Referenced from: /usr/local/Cellar/postgresql/10.6_1/bin/postgres
Reason: image not found
no data was returned by command ""/usr/local/Cellar/postgresql/10.6_1/bin/postgres" -V"
The program "postgres" is needed by pg_ctl but was not found in the
same directory as "/usr/local/Cellar/postgresql/10.6_1/bin/pg_ctl".
Check your installation.
For the example above, the problem was icu4c lib's version.

Display Postgres server logs output in terminal and record to logs at same time

I'm running Postgres 9.1 (Homebrew installation on Mac OSX) and I'd like to monitor my postgres server more closely.
My question relates to logs. I'd like to get the logs displaying in a terminal pane. Here's what the Postgres docs say about the logs:
"On Unix-like systems, by default, the server's standard output and standard error are sent to pg_ctl's standard output (not standard error). The standard output of pg_ctl should then be redirected to a file or piped to another process such as a log rotating program like rotatelogs; otherwise postgres will write its output to the controlling terminal (from the background) and will not leave the shell's process group. On Windows, by default the server's standard output and standard error are sent to the terminal. These default behaviors can be changed by using -l to append the server's output to a log file. Use of either -l or output redirection is recommended."
So, when I get my postgres server running with the following:
pg_ctl start -D /usr/local/var/postgres
The logs display in the terminal window. When I run:
pg_ctl start -D /usr/local/var/postgres -l /usr/local/var/postgres/server.log
the logs go to my logfile and don't display in terminal.
In short, it would be great if anyone can tell me what command I use after I've directed logs to the file (with the second command) to make the logs also appear at the command line. It helps when I'm developing (in Django) to watch the SQL statements get executed in real time.
You could watch the log with the command:
tail -f /usr/local/var/postgres/server.log
I was able to find the logs in:
less /var/log/postgresql/postgresql-10-main.log
using ubuntu 18.04 with postgresql version: 10
For CentOS 7 and Postgres 12
/var/lib/pgsql/12/data/log