
autosnort's People

Contributors

da667, flowchartsman

autosnort's Issues

Odd failure on barnyard Schema create

The script asked for the Mysql root password. On entering (a possibly bad password), the script hits a loop, repeating:

./autosnort-centOS-ppinteg.sh: line 695: /usr/src/barnyard2*/schemas/create_mysql: No such file or directory
the command did NOT complete successfully. (bad password?) Please try again.

as fast as the console will allow.

LuaJIT library not found

Hello,
I receive the error attached when trying to install Snort via the Building VM's book. I tried downloading and installing the LuaJIT library, but receive the same error each time. Any help would be greatly appreciated.
Thank you!
(screenshot attached: img_6793)

Autosnort-Debian libdnet & daq

http://code.google.com/p/libdnet/ mirror goes to 404
I changed the line
403 wget http://libdnet.googlecode.com/files/libdnet-1.12.tgz &>> $logfile
into git clone https://github.com/dugsong/libdnet &>> $logfile
and commented out lines 406 and 407 where it unpacks it
and changed line 412 to reflect the new folder which is libdnet
I also tried to install it through apt with apt install libdnet

Next error was

checking for net/netmap.h... no
checking for net/netmap_user.h... no
checking whether NETMAP_API is declared... no
checking dnet.h usability... no
checking dnet.h presence... no
checking for dnet.h... no
checking dumbnet.h usability... no
checking dumbnet.h presence... no
checking for dumbnet.h... no

   ERROR!  dnet header not found, go get it from
   http://code.google.com/p/libdnet/ or use the --with-dnet-*
   options, if you have it installed in an unusual place
make: *** No targets and no makefile found. Stop. (in my native language)

Any help?
Using Debian stretch (2019-05-13)
Edit.
I compiled libdnet by hand and commented out the whole section that downloads and unpacks libdnet, because there was an error when the folder was already present in /usr/src.
Two more missing packages followed during configuration of snort. These were LuaJIT (https://luajit.org/install.html) and openssl/x509.h (libssl-dev in apt).
After that snort compiled just fine, but pulling snort.conf resulted in a 404.
I updated the link and it went through.
Next was pulledpork, which had outdated links as well as populating pulledpork.conf with outdated data (for version v0.7.0 instead of v0.7.4). I decided to stop here. Will report more when I get into it.

AutoSnort Fails - Gem::Ext::BuildError: ERROR: Failed to build gem native extension.

Autosnort will fail on KALI with this error:

Gem::Ext::BuildError: ERROR: Failed to build gem native extension.

/usr/local/rvm/rubies/ruby-2.2.1/bin/ruby -r ./siteconf20150402-14071-2eiohp.rb extconf.rb

creating Makefile

make "DESTDIR=" clean

make "DESTDIR="
compiling generator.c
In file included from generator.c:1:0:
../fbuffer/fbuffer.h: In function ‘fbuffer_to_s’:
../fbuffer/fbuffer.h:175:47: error: macro "rb_str_new" requires 2 arguments, but only 1 given
../fbuffer/fbuffer.h:175:20: warning: initialization makes integer from pointer without a cast [enabled by default]
make: *** [generator.o] Error 1

make failed, exit code 2

Gem files will remain installed in /var/www/snorby/vendor/bundle/ruby/2.2.0/gems/json-1.7.7 for inspection.
Results logged to /var/www/snorby/vendor/bundle/ruby/2.2.0/extensions/x86_64-linux/2.2.0/json-1.7.7/gem_make.out
An error occurred while installing json (1.7.7), and Bundler cannot continue.
Make sure that gem install json -v '1.7.7' succeeds before bundling.

Script just for Upgrade

Hi,

I suggest that Autosnort should also provide upgrade scripts for all the core applications installed by the script, like Snort, Barnyard, Snorby, pulledpork, etc. I thought of this when I was planning to upgrade our Snort test setup but couldn't find any script for it.

This would definitely help us keep our software up to date using the script and make upgrades smoother.

Thank you.

Project Avatar: Retrieving Opensource.gz fails

Ran autosnort-ubuntu-AVATAR.sh and got stuck with an error stating it could not find the opensource.gz file with my oinkcode. Verified that I typed my oinkcode in properly as well. A Squid proxy has been configured and I included the commands that needed to be included for the Ubuntu system.

I have attached a screenshot of my log and the URL it redirects to.

URL: https://snort-org-site.s3.amazonaws.com/production/release_files/files/000/007/284/original/opensource.gz?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAIXACIED2SPMSC7GA%2F20180306%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20180306T000347Z&X-Amz-Expires=3600&X-Amz-SignedHeaders=host&X-Amz-Signature=c19cb382b40cfd60dc24c464576b4140b1cbfbf1c9aecf313e788b5aeba05361
(screenshot attached: snort error)

System Specifications
Ubuntu 16.04
Snort version 2.9.11.1

Getting multiple errors while running the script

I am getting errors while executing the script. Could you please let me know how do I resolve the same? This is a CentOS 6.3 Virtual OS with kernel 2.6-32-279.5.2.el6.x86_64

Kindly refer to the attached image.
(screenshot attached: autosnort_errors)

Ubuntu 14.04 - Autosnort installation failed

I think it failed at the ##ui_inst## step.
"

ui_inst

This option sets whether or not Autosnort will install and configure a local Apache and mysql-server in order to install a web-based intrusion event review interface.

If you want to install a web-based IDS event console (e.g. snorby) this option MUST be set to 1.

Options

#1: Setting ui_inst to 1 enables apache and mysql server to be enabled on startup. This is required for web-based IDS event review consoles. It also generates a private key and self-signed cert for SSL operation.
#2: Setting ui_inst to 2 means apache and mysql will not be configured to run on startup, you will not have an private key and self-signed cert generated.

default setting: 1 (Installs mysql and apache in order to install a fully functional stand-alone sensor)

ui_inst=1
"

This is the log information:

[*] Checking for config file..
./autosnort-ubuntu-11-02-2014.sh: line 140: [: too many arguments
[*] Found config file.
./autosnort-ubuntu-11-02-2014.sh: line 147: /tmp/Autosnort: No such file or directory
[*] OS Version Check..
[*] OS is Ubuntu. Good to go.
[*] Checking for root privs..
[*] We are root.
[*] Checking to ensure sshd is running..
ssh: unrecognized service
[*]
[*] Wget check..
[*] Found wget.
[*] Performing apt-get update and upgrade (May take a while if this is a fresh install)..
[*] System updates successfully completed.
[*] Installing base packages: ethtool build-essential libpcap0.8-dev libpcre3-dev bison flex autoconf libtool libmysqlclient-dev libnetfilter-queue-dev libnetfilter-queue1 libnfnetlink-dev libnfnetlink0 libarchive-tar-perl libcrypt-ssleay-perl libwww-perl..
[*] Package installation successfully completed.
[*] Invalid choice, Check your full_autosnort.conf file and try again.
/extras.ubuntu.com trusty Release.gpg

Password prompt

You expressed concern to me about taking passwords and shoulder-surfing. The following snippet should ask for a password and confirmation without echoing the input until they match, at which point the password is retained in $pass1 (and also $pass2, of course):

# Prompt twice without echoing; loop until both entries agree.
while true; do
    read -s -p "Please enter a password:" pass1
    echo
    read -s -p "Confirm:" pass2
    echo
    if [ "$pass1" == "$pass2" ]
    then
        break
    else
        echo -e "Passwords do not match\n"
    fi
done
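An added example, not part of the snippet above or of the autosnort scripts: a POSIX sh version of the same prompt that also gives up on EOF instead of looping, plus a helper that hands the password to the mysql client through an owner-only option file. Elsewhere in these issues the scripts run mysql -uroot -p$snort_mysql_pass; anything placed in argv is readable by every local user via ps, so an option file (or MYSQL_PWD) is the safer channel. Function and variable names here are illustrative.

```sh
#!/bin/sh
# Added example, not autosnort's own code: hidden, confirmed password prompt
# and a 0600 mysql option file so the password never appears on a command line.

# Switch terminal echo only when stdin really is a terminal, so the prompt
# also works with piped or heredoc input (as in tests).
set_tty_echo() { if [ -t 0 ]; then stty "$1"; fi; }

# ask_password VARNAME: prompt twice, store the agreed password in VARNAME.
# Returns 1 on EOF; rejects empty passwords; retries on mismatch.
ask_password() {
    __var=$1
    while :; do
        set_tty_echo -echo
        printf 'Please enter a password: ' >&2
        IFS= read -r __p1 || { set_tty_echo echo; return 1; }
        printf '\nConfirm: ' >&2
        IFS= read -r __p2 || { set_tty_echo echo; return 1; }
        printf '\n' >&2
        set_tty_echo echo
        if [ -z "$__p1" ]; then
            echo 'Password must not be empty' >&2
        elif [ "$__p1" = "$__p2" ]; then
            break
        else
            echo 'Passwords do not match' >&2
        fi
    done
    eval "$__var=\$__p1"      # the value itself is never re-parsed by eval
    unset __p1 __p2 __var
}

# write_mysql_cnf USER PASSWORD: create an owner-only option file for the
# mysql client and print its path. The caller deletes it when finished.
write_mysql_cnf() {
    __f=$(mktemp "${TMPDIR:-/tmp}/mysql-cnf.XXXXXX") || return 1
    chmod 600 "$__f"
    # Option-file values are quoted; backslashes and quotes inside the
    # password must be backslash-escaped or the client mis-reads it.
    __esc=$(printf '%s' "$2" | sed 's/[\\"]/\\&/g')
    printf '[client]\nuser=%s\npassword="%s"\n' "$1" "$__esc" > "$__f"
    printf '%s\n' "$__f"
}

# Stand-alone use:  sh mysql_pw.sh --demo   (runs SHOW DATABASES as root)
if [ "${1-}" = "--demo" ]; then
    ask_password SNORT_DB_PASS || exit 1
    CNF=$(write_mysql_cnf root "$SNORT_DB_PASS") || exit 1
    trap 'rm -f "$CNF"' EXIT
    # --defaults-extra-file must be the first option the client sees.
    mysql --defaults-extra-file="$CNF" -e 'SHOW DATABASES;'
fi
```

The option file is created by mktemp (already 0600) and removed by the EXIT trap, so the password lives on disk only for the duration of the query and is never visible in the process list.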

OINKCODE not defined

I'm having an issue installing snort; I tried popping my oinkcode into the perl file itself and it didn't work either. I was also switching between commenting out line #441 like in #65 while I was troubleshooting that.

        IPRVersion = /opt/snort/rules/iplists
** GET https://www.snort.org/rules/snortrules-snapshot-29130.tar.gz.md5?oinkcode=`o_code_from_file` ==> 200 OK
** GET https://snort.org/downloads/community/opensource.gz.md5 ==> 200 OK
** GET https://snort.org/downloads/community/community-rules.tar.gz.md5 ==> 200 OK
You need to define an oinkcode, please review the rule_url section of the pulledpork config file!
 at pulledpork.pl line 2101.
MISC (CLI and Autovar) Variable Debug:
        Process flag specified!

Add entry for iptables and correct permissions in CentOS

A clean install on a CENTOS box required the following additional steps to reach snortreport remotely using a web browser:

chown -R apache /var/www

And the following entry in /etc/sysconfig/iptables
-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT

Centos Snorby install ( snorby-centos.sh )

I have found a problem with snorby-centos.sh. When trying to get RVM it hits some errors with curl (failed body). I have corrected the issue (pretty messy but works) with the following:

The old code :

\curl -k -#L https://get.rvm.io | sudo bash -s stable &>> $snorby_logfile
if [ $? -eq 0 ]; then
    print_good "RVM installed successfully."
else
    print_error "RVM failed to install."
    exit 1
fi

The replace i made.

wget https://raw.github.com/wayneeseguin/rvm/master/binscripts/rvm-installer --no-check-certificate &&
chmod +x rvm-installer && bash rvm-installer

File copy and SElinux issue on clean run

We've been communicating via email, but I figured I'd use Git to formalize my findings. These were discovered running the Autosnort Scripts available as of today, for CentOS 6.3 x86_64 Live DVD, clean install, physical hardware.

To get snort running, I had to perform the following:

cp /usr/src/snort-2.9.4/etc/classification.config /usr/local/snort/etc/
cp /usr/src/snort-2.9.4/etc/reference.config /usr/local/snort/etc/
cp /usr/src/snort-2.9.4/etc/gen-msg.map /usr/local/snort/etc/
cp /usr/src/snort-2.9.4/etc/threshold.conf /usr/local/snort/etc/
cp /usr/src/snort-2.9.4/etc/unicode.map /usr/local/snort/etc/

To get Barnyard2 running, I had to perform the following:

edit /usr/local/snort/etc/barnyard2.conf
change
config reference_file: /usr/local/snort/etc/reference.config
change
config sid_file: /usr/local/snort/etc/sid-msg.map

Jan 7 11:13:00 localhost barnyard2[2301]: Writing PID "2301" to file "/var/run//barnyard2_NULL.pid"
Jan 7 11:13:00 localhost barnyard2[2301]: FATAL ERROR: database: mysql_error: Can't connect to local MySQL server through socket '/var/lib/mysql/mysql.sock' (2)

To restart properly on reboot:
add mysqld to chkconfig
chkconfig --level 345 mysqld on
add httpd to chkconfig
chkconfig --level 345 httpd on

There's an outstanding issue that I believe is Selinux related, keeping snortreport from being reachable. I'm still working on that one, but snort/barnyard/mysql all seem sane.

edit: I just realized the source for the selinux stuff came from your blog. :)

EDIT2: the port 80 permit in IPTABLES isn't set. Everything is peachy with the changes I've listed above.

Snorby script error

Hi,

I am getting following error while running the snorby install script.

Here is the error-

Gem::LoadError: You have already activated rake 10.4.2, but your Gemfile requires rake 0.9.2. Prepending bundle exec to your command may solve this.
/var/www/html/snorby/config/boot.rb:8
/var/www/html/snorby/config/application.rb:1
/var/www/html/snorby/Rakefile:4
(See full trace by running task with --trace)

Minor Syntax Error: line 129

OS: Ubunto 12.04, script output shows:

The following packages have been kept back:
linux-headers-server linux-image-server linux-server
0 upgraded, 0 newly installed, 0 to remove and 3 not upgraded.
Packages and repos are fully updated.
Grabbing required packages via apt-get.
./autosnort-ubuntu-04-14-2013.sh: 129: ./autosnort-ubuntu-04-14-2013.sh: Syntax error: "(" unexpected

It doesn't seem to like the multi-package string passed to install_packages

Rules download has failed

@da667

I'm at the stage where it downloads the rules, but it has failed. I have checked my oink code and it's correct, but I could not understand why the download failed.

(screenshot attached: 2019-01-25 5:33 pm)

AVATAR fails to download rules

Getting a 422 Unprocessable Entity error trying to download the md5 file for the snort rules (snortrules-snapshot-29120.tar.gz.md5). This is causing the script to error out, saying the rules didn't download.

AVATAR hanging during .conf download

I'm trying to install AVATAR on Ubuntu 18.04, and it seems to be hanging indefinitely at "attempting to download .conf file for snort-2.9.12." This is a clean install of Ubuntu following the instructions in the book.

(screenshot attached: snort)

Build of TCL deb package failed

I’m getting the following error message during the Ubuntu autosnort-ubuntu-12-7-2015.sh install.

OS Ubuntu 16.04.3 LTS

[*] Found config file.
[*] Installing Sguil/TCL pre-reqs..
[*] Building TCL 8.5 source package (without threading)
autosguil-ubuntu.sh: line 89: cd: tcl: No such file or directory
[*] Build of TCL deb package failed. Please check /var/log/sguil_install.log for more details, or contact deusexmachina667 at gmail dot com for more assistance.

Checked the log file and it shows

autosguil-ubuntu.sh: line 89: cd: tcl*: No such file or directory
[*] Build of TCL deb package failed. Please check /var/log/sguil_install.log for more details, or contact deusexmachina667 at gmail dot com for more assistance.
s already the newest version (1.18.4ubuntu1.3).
libssl-dev is already the newest version (1.0.2g-1ubuntu4.9).
0 to upgrade, 0 to newly install, 0 to remove and 0 not to upgrade.
Reading package lists...
E: You must put some 'source' URIs in your sources.list
Reading package lists...
E: You must put some 'source' URIs in your sources.list
sed: can't read debian/rules: No such file or directory
debuild: fatal error at line 633:
cannot find readable debian/changelog anywhere!
Are you in the source code tree?

Any ideas?

What does the script do without snort rules ?

I unintentionally skipped step #4 "Which directory you put your snort rules snapshot from snort.org" . I hit enter twice (really, I was feeling a bit like bug testing the script I think) and the script kept on running. Does that mean snort will be running without rules at the end ?

Fails if EPEL is already installed

Should be easy to write a check to see if EPEL is previously installed (and correct/latest version available), otherwise the script fails at this point if it tries to reinstall it.

Autosnort-Ubuntu/AVATAR project - pulledpork

Hi all,
running into some issues here.
Everything is working well system-wise; I can get events populated in Splunk and it seems to be working.
I am experiencing an issue when I try to update the pulled pork via /usr/src/pulledpork/pulledpork.pl

I get the following:

root@ips001:/opt/splunkforwarder/etc/apps/TA-unified2/default# /usr/src/pulledpork/pulledpork.pl -c /usr/src/pulledpork/etc/pulledpork.conf

   https://github.com/shirkdog/pulledpork
     _____ ____
    `----,\    )
     `--==\\  /    PulledPork v0.7.3 - Making signature updates great again!
      `--==\\/
    .-~~~~-.Y|\\_  Copyright (C) 2009-2016 JJ Cummings
 @_/        /  66\_  [email protected]
   |    \   \   _(")
    \   /-| ||'--'  Rules give me wings!
     \_\  \_\\
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Checking latest MD5 for snortrules-snapshot-2990.tar.gz....
   Error 400 when fetching https://www.snort.org/reg-rules/snortrules-snapshot-2990.tar.gz.md5 at /usr/src/pulledpork/pulledpork.pl line 534.
   main::md5file("MY_OINK_CODE_WAS_HERE", "snortrules-snapshot-2990.tar.gz", "/tmp/", "https://www.snort.org/reg-rules/") called at /usr/src/pulledpork/pulledpork.pl line 2007
root@ips001:/opt/splunkforwarder/etc/apps/TA-unified2/default# 

I've tried to fetch the file manually and I can only get 404s.
The oink code is correct.

Also, because of this I think (but please correct me if I'm wrong) I see Splunk like the attached screenshot instead of being able to see "signature.msg".

Events:
(screenshot attached)
By this one I can see snort is forwarding properly because those are events of test attacks.

If I filter properly the output goes empty:
(screenshot attached)
No "signature.msg" table.

If anyone could help would be GREAT!!

instance details:
Ubuntu 16.04.1 LTS VM on vBox.
4GB RAM 2 CPU
AVATAR PDF followed religiously :)

Thanks!
cheers.

AVATAR on Ubuntu script error

The script at Autosnort/Autosnort - Ubuntu/AVATAR/autosnort-ubuntu-AVATAR.sh produces an error:

[*] Checking for snort user and group..
autosnort-ubuntu-AVATAR.sh: line 285: print_notificiation: command not found

Multiple sleep statements

All of those "sleep 2" lines seem unnecessary to me. I suppose you could make a case for allowing the user time to abort at any step or for giving them time to read the output, but I don't think either of these are valid concerns. If I'm building something, I don't really care very much about success messages and, if I do, I'll pipe it through less. If it bails on error, then the terminal will be left sitting on the relevant data anyway.

trouble running the script - Debian Jessie

I'm getting the error message:

[*] Invalid choice, Check your full_autosnort.conf file and try again.

when trying to run the script on Debian Jessie. I have been through the config several times and can't find anything that is wrong.

Maybe somebody can point me in the right direction.

Autosnort - AVATAR sid-msg.map not created

sid-msg.map not created during install.

Ran '/usr/src/pulledpork/pulledpork.pl -c /usr/src/pulledpork/etc/pulledpork.conf' from crontab and sid-msg.map got created which also resolves Splunk forwarder not forwarding.

Trouble in installing web interface

Hi there,
Thanks for your work! It made the installation process painless.
However, I'm experiencing a few problems.
When it comes to installing the web interface (in this case I chose BASE), I'm pretty sure that I copied base-[os].sh to the / (root) directory along with the autosnort-[os].sh file. But the script still says:
bash: base-[os].sh: No such file or directory.
Note that I use root access throughout the process. I'm working on a VMware virtual machine, and I've tried different OSes, including CentOS 6.5 and Ubuntu 12.04, but the outcome stays the same. In the end, I chose option 6 (no interface) and completed the remaining steps. Finally, just before rebooting the machine, I opened another terminal with root access and ran bash base-[os].sh alone, and it worked perfectly. My question is: if I do it like that, will the whole system work properly?
Please help me on this problem,
Sincere,
Tran.

IPRVersion.dat - No such file

Autosnort, more precisely Pulledpork, is failing due to missing file IPRVersion.dat.

autosnort_install.log:

Unable to open /opt/snort/rules/iplists/IPRVersion.dat for writing! - No such file or directory
at pulledpork.pl line 1324.
main::blacklist_write(HASH(0x55872d1b3308), "/opt/snort/rules/black_list.rules") called at pulledpork.pl line 2328

Simply creating an empty file IPRVersion.dat did the trick for me. In autosnort-ubuntu-AVATAR.sh at line 383 insert this:
dir_check $snort_basedir/rules/iplists
touch $snort_basedir/rules/iplists/IPRVersion.dat

Does anyone have a clue why the file is not being created by snort installation?

Snort Version: 2.9.11.1
Pulledpork Version: 0.7.4

snorby install

Hello,

I found a bug in the snorby install script for CentOS. The git clone does not work. All the needed modification is changing http to https and everything is done.

Thank you

Ubuntu 12.04, secondary install, daq compilation fails

This may be more a matter of 'nuke /usr/local/snort' before re-running autosnort, or it may not be.

Relevant output from the installation log:

libtool: install: (cd /usr/src/daq-2.0.2/os-daq-modules; /bin/bash /usr/src/daq-2.0.2/libtool --tag CC --mode=relink gcc -DBUILDING_SO -g -O2 -fvisibility=hidden -Wall -Wwrite-strings -Wsign-compare -Wcast-align -Wextra -Wformat -Wformat-security -Wno-unused-parameter -fno-strict-aliasing -fdiagnostics-show-option -pedantic -std=c99 -D_GNU_SOURCE -module -export-dynamic -avoid-version -shared -o daq_ipfw.la -rpath /usr/local/lib/daq daq_ipfw_la-daq_ipfw.lo ../sfbpf/libsfbpf.la )
libtool: relink: gcc -shared -fPIC -DPIC .libs/daq_ipfw_la-daq_ipfw.o -L/usr/local/lib -lsfbpf -O2 -Wl,-soname -Wl,daq_ipfw.so -o .libs/daq_ipfw.so
libtool: install: /usr/bin/install -c .libs/daq_ipfw.soT /usr/local/lib/daq/daq_ipfw.so
libtool: install: /usr/bin/install -c .libs/daq_ipfw.lai /usr/local/lib/daq/daq_ipfw.la
libtool: install: warning: relinking `daq_nfq.la'
libtool: install: (cd /usr/src/daq-2.0.2/os-daq-modules; /bin/bash /usr/src/daq-2.0.2/libtool --tag CC --mode=relink gcc -DBUILDING_SO -g -O2 -fvisibility=hidden -Wall -Wwrite-strings -Wsign-compare -Wcast-align -Wextra -Wformat -Wformat-security -Wno-unused-parameter -fno-strict-aliasing -fdiagnostics-show-option -pedantic -std=c99 -D_GNU_SOURCE -module -export-dynamic -avoid-version -shared -L/usr/local/lib -ldnet -o daq_nfq.la -rpath /usr/local/lib/daq daq_nfq_la-daq_nfq.lo -lnfnetlink -lnetfilter_queue -L/usr/local/lib -ldnet ../sfbpf/libsfbpf.la )
libtool: relink: gcc -shared -fPIC -DPIC .libs/daq_nfq_la-daq_nfq.o -L/usr/local/lib -lnfnetlink -lnetfilter_queue -ldnet -lsfbpf -O2 -Wl,-soname -Wl,daq_nfq.so -o .libs/daq_nfq.so
/usr/bin/ld: /usr/local/lib/libdnet.a(addr.o): relocation R_X86_64_32 against `.rodata.str1.1' can not be used when making a shared object; recompile with -fPIC
/usr/local/lib/libdnet.a: could not read symbols: Bad value
collect2: ld returned 1 exit status
libtool: install: error: relink `daq_nfq.la' with the above command before installing it
make[2]: *** [install-pkglibLTLIBRARIES] Error 1
make[2]: Leaving directory `/usr/src/daq-2.0.2/os-daq-modules'
make[1]: *** [install-am] Error 2
make[1]: Leaving directory `/usr/src/daq-2.0.2/os-daq-modules'
make: *** [install-recursive] Error 1

snorby script

The wget for the ruby-lang site needs a "www" in front. Tested the change and it grabbed the ruby files OK.

Autosnort-Ubuntu/AVATAR project comes with problem config file

Lines 325 and 326:

decompress_swf { deflate lzma } \
decompress_pdf { deflate }

These lines introduce an error: "ERROR: /opt/snort/etc/snort.conf(326) => Invalid keyword '}' for server configuration."

By commenting out those lines and adjusting line 324 (removing the trailing '\' from the line), snort is able to run successfully.

For more information: seclists.org/snort/2016/q4/76

Bro?

Would adding bro to this mix and an interface for it be stretching things too far?

Unable to run bundle step on Snorby for Ubuntu

Hi, when I try to install snorby on Ubuntu it exits at the bundle step with the following error, extracted from /var/log/snorby_install.log:
Enjoy Phusion Passenger, a product of Phusion (www.phusion.nl) :-)
https://www.phusionpassenger.com

Phusion Passenger is a trademark of Hongli Lai & Ninh Bui.
You are trying to install in deployment mode after changing
your Gemfile. Run bundle install elsewhere and add the
updated Gemfile.lock to version control.

You have added to the Gemfile:

You have deleted from the Gemfile:

You have changed in the Gemfile:

  • devise_cas_authenticatable from
    https://github.com/Snorby/snorby_cas_authenticatable.git (at master) to no specified source
  • ezprint from https://github.com/mephux/ezprint.git (at rails3) to no specified source
  • delayed_job_data_mapper from
    https://github.com/Snorby/delayed_job_data_mapper.git (at master) to no specified source

I have tried executing the snorby installer lots of times but it always exits on that error. How can I solve it?

Config file issue

Hi, I've successfully installed all packages.
But I'm getting an issue with the configuration file:
<Invalid choice, Check full_autosnort.conf >
I'm installing this on Kali.
It is a test environment so passwords and oink code aren't real.
(config file attached: full_autosnort.txt)

please see my config file attached
Thanks
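The "Invalid choice, Check your full_autosnort.conf file" reports in this thread, together with the "[: too many arguments" at line 140 in the Ubuntu 14.04 log above, are the kind of failure a strict config loader avoids. The following is an added example, not autosnort's own code: it reads key=value lines without sourcing the file (sourcing would execute any command written into it), accepts only known keys, validates each value and names the offending line. The key names and value formats (ui_inst, snort_iface, oinkcode as hex digits) are assumptions modelled on the ui_inst option quoted in the Ubuntu 14.04 issue.

```sh
#!/bin/sh
# Added example, not part of autosnort: strict loader for a key=value config
# such as full_autosnort.conf. Nothing in the file is ever executed.

# Keys the loader accepts (assumed names; the real file may use others).
ALLOWED_KEYS='ui_inst snort_iface oinkcode'

trim() { printf '%s' "$1" | sed 's/^[[:space:]]*//;s/[[:space:]]*$//'; }

# load_conf FILE: set CONF_<key> for every valid line. Returns 1, after
# reporting every bad line with its number, if any key or value is rejected.
load_conf() {
    conf=$1
    [ -r "$conf" ] || { echo "config: cannot read $conf" >&2; return 1; }
    status=0
    lineno=0
    while IFS= read -r line || [ -n "$line" ]; do
        lineno=$((lineno + 1))
        line=$(trim "${line%%#*}")        # drop comments and surrounding blanks
        [ -n "$line" ] || continue
        case $line in
            *=*) ;;
            *) echo "config:$lineno: not a key=value line: '$line'" >&2
               status=1; continue ;;
        esac
        key=$(trim "${line%%=*}")
        val=$(trim "${line#*=}")
        val=${val#\"}; val=${val%\"}      # accept optional double quotes
        case " $ALLOWED_KEYS " in
            *" $key "*) ;;
            *) echo "config:$lineno: unknown key '$key'" >&2; status=1; continue ;;
        esac
        case $key in
            ui_inst)
                case $val in 1|2) ;; *)
                    echo "config:$lineno: ui_inst must be 1 or 2, got '$val'" >&2
                    status=1; continue ;;
                esac ;;
            snort_iface)
                case $val in ''|*[!A-Za-z0-9_.:-]*)
                    echo "config:$lineno: snort_iface is not an interface name: '$val'" >&2
                    status=1; continue ;;
                esac ;;
            oinkcode)
                case $val in ''|*[!0-9A-Fa-f]*)
                    echo "config:$lineno: oinkcode must be hex digits" >&2
                    status=1; continue ;;
                esac ;;
        esac
        eval "CONF_$key=\$val"            # key was checked against ALLOWED_KEYS
    done < "$conf"
    return $status
}

# Stand-alone use:  sh load_conf.sh /path/to/full_autosnort.conf
if [ $# -gt 0 ]; then
    load_conf "$1" && echo "ui_inst=$CONF_ui_inst snort_iface=$CONF_snort_iface"
fi
```

Because every value is compared with a quoted "$val" inside case patterns, an empty or multi-word setting produces a named error rather than the "[: too many arguments" that an unquoted test emits.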

Autosnort Centos6

Hello,

After the EPEL package installation it throws an error about not being able to contact snort.org.

One of the issues is that it now uses https instead of http.

The other big issue is that the snort website has been completely changed, so a curl follow-redirect will not work. The location is written in the response header like this:

[root@localhost ~]# curl -I https://www.snort.org/downloads/snort/snort-2.9.6.2.tar.gz
HTTP/1.1 302 Found
Server: Cowboy
Connection: keep-alive
Date: Tue, 05 Aug 2014 12:31:37 GMT
Status: 302 Found
Strict-Transport-Security: max-age=31536000
X-Frame-Options: SAMEORIGIN
X-Xss-Protection: 1; mode=block
X-Content-Type-Options: nosniff
X-Ua-Compatible: chrome=1
Location: http://s3.amazonaws.com/snort-org-site/production/release_files/files/000/000/218/original/snort-2.9.6.2.tar.gz?AWSAccessKeyId=AKIAIXACIED2SPMSC7GA&Expires=1407245497&Signature=up%2BOPIiUnRRkRYSWzpH7jYH7gfE%3D
Content-Type: text/html; charset=utf-8
Cache-Control: no-cache
Set-Cookie: request_method=HEAD; path=/; secure
Set-Cookie: _snort-org_session=[session cookie value removed]; path=/; secure; HttpOnly
X-Request-Id: beca004f-3f88-4d97-a3ca-172afda25b8c
X-Runtime: 0.095467
Via: 1.1 vegur

As you can see there is a Location header which serves the file. I tried to get the file using the following (I had a cookie file):

ur=$(curl -sI https://www.snort.org/downloads/snort/snort-2.9.6.2.tar.gz | grep -i '^Location:' | cut -d ':' -f1 --complement -s | tr -d ' \r') && wget --load-cookies=g2 "$ur"

Anyone has any solution other than this ?
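An added example, not autosnort's own code, for the 302-to-S3 download above and for the rules/.md5 failures reported elsewhere in this thread. curl follows the Location header itself when asked, so no header parsing is needed; the download is then compared with the publisher's .md5 file. That check catches a truncated or corrupted download, or an HTML error page saved as a tarball, but not a tampered file: the .md5 is served by the same site over the same channel as the tarball, so anyone who can replace one can replace the other. The .md5 file format ("<hex digest>  <file name>", as md5sum writes it) and the URL.md5 naming are assumptions.

```sh
#!/bin/sh
# Added example, not part of autosnort: download through snort.org's redirect
# and verify the result against the published .md5 file.

# fetch URL DEST: follow redirects (including to the signed S3 URL) and fail
# on HTTP errors instead of saving an error page under the tarball's name.
fetch() {
    curl -fsSL --max-redirs 5 -o "$2" "$1"
}

# md5_of FILE: print the hex MD5 digest (md5sum on Linux, md5 on BSD/macOS).
md5_of() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | cut -d' ' -f1
    else
        md5 -q "$1"
    fi
}

# verify_md5 FILE MD5FILE: succeed only if FILE's digest equals the first
# field of MD5FILE; a missing or malformed digest is a failure, not a pass.
verify_md5() {
    expected=$(awk 'NR == 1 { print tolower($1) }' "$2")
    actual=$(md5_of "$1")
    if [ -z "$expected" ] || [ "${#expected}" -ne 32 ]; then
        echo "verify_md5: $2 does not contain a digest" >&2
        return 1
    fi
    if [ "$expected" != "$actual" ]; then
        echo "verify_md5: digest mismatch for $1 (expected $expected, got $actual)" >&2
        return 1
    fi
}

# fetch_verified URL DEST: download DEST and DEST.md5 (assumed to live at
# URL.md5, as pulledpork expects for rule snapshots) and verify them;
# a file that fails verification is removed so nothing installs it.
fetch_verified() {
    fetch "$1" "$2" || return 1
    fetch "$1.md5" "$2.md5" || return 1
    verify_md5 "$2" "$2.md5" || { rm -f "$2"; return 1; }
}

# Stand-alone use:
#   sh fetch_verified.sh https://www.snort.org/downloads/snort/snort-2.9.6.2.tar.gz snort.tar.gz
if [ $# -eq 2 ]; then
    fetch_verified "$1" "$2"
fi
```

The -f flag is what turns a 404 or 422 (as in the "AVATAR fails to download rules" issue) into a non-zero exit instead of a saved error page, and --max-redirs bounds the redirect chain.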

few issues in autosnort-ubuntu-04-21-2013.sh

Hi,

I have found a few issues in autosnort-ubuntu-04-21-2013.sh, so here they are, so you can fix them in your repo (provided you choose to do so). There are also changes that may be specific to me and you probably don't want them (see below).

My version is available at: http://pastebin.com/6A3kuQDi

I call your attention to:

a)
Line 29: hp=$(pwd)
and Line 804: cd "$hp"
The original working directory should be saved and restored when calling installation of snortreport etc. Otherwise one ends up in /usr/src or so and installation of UI packages won't work. Please note, that it might seem that cd $hp would suffice, but when spaces are part of the path (and in case of Autosnort - Ubuntu they are) this is safer.

b)
Line 165: cd $(echo $daqver | sed "s/.tar.gz//g")
Line 200: snortdir=$(echo $snortver | sed "s/.tar.gz//g")

The above replaces stuff like cd daq-* and cd snort-*. Even though my solution is probably not perfect either, the original does not work when other snort version are present in /usr/src

c)
Lines 714-719 deal with a blank snort db password. While the script works as expected when a password is actually used, for a try-out deployment a db password is not always necessary.

d) Looping on lines 204-240 is specific to my needs (I needed to have a chance to alter configuration on the background) and you should probably ignore it.

e) I believe it would be nice if the path of snort installation could be held in a variable, so it can be changed easily.

Despite the few above-mentioned imperfections I would like to thank you for the effort you put into autosnort. It has helped me greatly both in the actual snort deployment as well as in the process of understanding how snort is configured and used.

Regards,

Dan
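Two small guards, added here as an example rather than taken from autosnort, for failure modes that appear in this thread: the endless "bad password? Please try again" loop in the first issue, whose real cause was "/usr/src/barnyard2*/schemas/create_mysql: No such file or directory" (a glob that matched nothing), and the "cd daq-*" / "cd snort-*" problem in point b above, which misbehaves as soon as more than one matching directory exists in /usr/src. The schema path and the mysql invocation in the trailing comment are assumptions.

```sh
#!/bin/sh
# Added example, not autosnort's own code: resolve a glob to exactly one path,
# and bound a retried command so a bad password cannot spin forever.

# one_match PATTERN: print the single path PATTERN expands to; fail with a
# clear message when it matches nothing or more than one entry.
# PATTERN is expanded unquoted here, so paths containing spaces are not handled.
one_match() {
    n=0; found=
    for p in $1; do
        [ -e "$p" ] || continue           # an unmatched glob stays literal
        n=$((n + 1)); found=$p
    done
    if [ "$n" -ne 1 ]; then
        echo "expected exactly one match for '$1', found $n" >&2
        return 1
    fi
    printf '%s\n' "$found"
}

# retry_limited MAX CMD [ARGS...]: run CMD until it succeeds or MAX attempts
# have failed; the caller decides what to do after the last failure.
retry_limited() {
    max=$1; shift
    i=1
    while [ "$i" -le "$max" ]; do
        "$@" && return 0
        echo "attempt $i of $max failed: $*" >&2
        i=$((i + 1))
    done
    return 1
}

# How the barnyard2 schema step would use them (mysql is not run here).
# The sh -c wrapper re-opens the schema file on every attempt; a plain
# "retry_limited 3 mysql ... < file" would hand attempt two an exhausted stdin.
#   schema=$(one_match '/usr/src/barnyard2-*/schemas/create_mysql') || exit 1
#   retry_limited 3 sh -c 'mysql -u root -p snorby < "$1"' sh "$schema" || exit 1
```

Checking the glob before prompting separates "file not found" from "bad password", which is exactly the distinction the looping script failed to make.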

Docker?

Any chance this would work inside docker? I've been looking for something exactly like this.

FATAL ERROR: pcap DAQ does not support inline.

hello and happy new year!!
1st I'd like to thank you for the Autosnort and also the amazing work you do for learners like me!

I am facing an issue when running snort inline.
Before this I had many issues that I could find and fix, like changing line 148 mysql -uroot -p$snort_mysql_pass to mysql -usnort -p$snort_mysql_pass in autosguil-ubuntu.sh, and some more caused just by my own capability to damage stuff :)

now with everything looking good at this step (blahg/?p=437) I am getting an error for inline operation on the snort.

FATAL ERROR: pcap DAQ does not support inline.

Reading around I noticed the error is related to the need to use DAQ instead of pcap; however DAQ is declared in the command given in /etc/init.d/snortbarn, so I am completely lost on what's wrong.

If I run snort without -Q everything works OK, so I am assuming something related to inline is failing.

Installed modules:

root@malware-ids001:/home/gg/git/Autosnort/Autosnort - Ubuntu# /opt/snort/bin/snort --daq-list
Available DAQ modules:
pcap(v3): readback live multi unpriv
nfq(v7): live inline multi
ipfw(v3): live inline multi unpriv
dump(v3): readback live inline multi unpriv
afpacket(v5): live inline multi unpriv

System specs:

root@malware-ids001:/home/gg/git/Autosnort/Autosnort - Ubuntu# uname -ropi
3.13.0-106-generic x86_64 x86_64 GNU/Linux

it's running on virtualbox on a macbook pro 16GB.

thanks!

cheers.

ERROR 404: Not Found.

Hi,
During setup script the following error appears, can you please help me to solve this issue?
Thanks in advance.

--2019-06-19 04:42:40-- https://labs.snort.org/snort/3000/snort.conf
Resolving labs.snort.org (labs.snort.org)... 104.18.138.9, 104.18.139.9, 2606:4700::6812:8a09, ...
Connecting to labs.snort.org (labs.snort.org)|104.18.138.9|:443... connected.
HTTP request sent, awaiting response... 302 Moved Temporarily
Location: https://www.snort.org/snort/3000/snort.conf [following]
--2019-06-19 04:42:40-- https://www.snort.org/snort/3000/snort.conf
Resolving www.snort.org (www.snort.org)... 104.18.138.9, 104.18.139.9, 2606:4700::6812:8b09, ...
Connecting to www.snort.org (www.snort.org)|104.18.138.9|:443... connected.
HTTP request sent, awaiting response... 404 Not Found
2019-06-19 04:42:41 ERROR 404: Not Found.

--2019-06-19 04:42:41-- https://labs.snort.org/snort/2990/snort.conf
Resolving labs.snort.org (labs.snort.org)... 104.18.139.9, 104.18.138.9, 2606:4700::6812:8b09, ...
Connecting to labs.snort.org (labs.snort.org)|104.18.139.9|:443... connected.
HTTP request sent, awaiting response... 302 Moved Temporarily
Location: https://www.snort.org/snort/2990/snort.conf [following]
--2019-06-19 04:42:41-- https://www.snort.org/snort/2990/snort.conf
Resolving www.snort.org (www.snort.org)... 104.18.138.9, 104.18.139.9, 2606:4700::6812:8b09, ...
Connecting to www.snort.org (www.snort.org)|104.18.138.9|:443... connected.
HTTP request sent, awaiting response... 404 Not Found
2019-06-19 04:42:41 ERROR 404: Not Found.
