Just for quick reference, newer versions of libpcre will install (on Ubuntu anyway) the shared object libraries in the following structure:
/usr/lib/libpcre.so
Snort, and many other apps will look for the libpcre.so.0 file. Simple fix, symlink the new one to the old name:
ln -s /usr/lib/libpcre.so /usr/lib/libpcre.so.0
This should fix any errors, and can be confirmed by running:
ldd /usr/local/bin/snort
Substituting the path to match your current install.
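As an added check (not part of the original post), the script below parses ldd output for libraries reported as "not found", so the fix can be verified on any binary, and, where readelf is available, prints the SONAME a library was built with. That matters because a newer libpcre aliased under the old libpcre.so.0 name only works if its ABI is actually compatible, and the SONAME is how the toolchain signals an ABI bump. The default snort path and the sample ldd listing are assumptions/constructed data.

```shell
#!/bin/sh
# Added example, not from the original post: verify shared-library
# resolution after the libpcre.so.0 symlink fix.

# Print the names of libraries an ldd listing reports as "not found".
# Reads an ldd listing on stdin; emits one library name per line.
missing_libs() {
    # ldd prints lines like "    libpcre.so.0 => not found"
    awk '/=> not found/ { print $1 }'
}

# Report the SONAME recorded in a shared object (needs binutils' readelf).
# Example: soname_of /usr/lib/libpcre.so  ->  libpcre.so.3 (if ABI was bumped)
# Aliasing that file as libpcre.so.0 only works if the ABI is compatible.
soname_of() {
    readelf -d "$1" 2>/dev/null | awk '/SONAME/ { gsub(/[][]/, "", $5); print $5 }'
}

# Run ldd on a binary (default: the snort path used in the post, an
# assumption) and list whatever is still unresolved.
check_binary() {
    bin=${1:-/usr/local/bin/snort}
    ldd "$bin" | missing_libs
}

# Constructed sample ldd output so the parser can be exercised offline.
SAMPLE_LDD='    linux-vdso.so.1 =>  (0x00007fff5c5ff000)
    libpcre.so.0 => not found
    libpcap.so.0.8 => /usr/lib/libpcap.so.0.8 (0x00007f2d3f7e0000)
    libc.so.6 => /lib/libc.so.6 (0x00007f2d3f450000)'

if [ -n "$1" ]; then
    # Real check: ./check_libs.sh /usr/local/bin/snort
    check_binary "$1"
else
    # Offline demo on the constructed sample; prints "libpcre.so.0"
    printf '%s\n' "$SAMPLE_LDD" | missing_libs
fi
```

An empty result from check_binary means every shared library the binary needs was resolved.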
Installing from source, no deinstall options in the make file? No problem! – Use checkinstall instead!
On Debian based operating systems, such as Ubuntu, installing software from source often causes issues when we later want to remove it. However, with this little gem (that has somehow avoided me up until now) you can remove software built from source just as if you had installed it from a package! – Checkinstall monitors where a source installation copies its files/folders and builds a .deb file based upon what happened. The package can then be removed using aptitude purge ‘package name’, just as you would with a package installed from the repos! How cool is that!
Just aptitude install checkinstall, then run ./configure && make && checkinstall (i.e. replacing make install with checkinstall). It will ask you a few questions, such as what to do with the doc files, what to name the package and whether it should clean up after itself (accepting the defaults should be fine), and away you go. HTH.
Virtualisation is not something we usually associate with intrusion detection capability (other than perhaps consolidating your back-office technology, and the cost saving and green benefits that brings); however, there is much to be gained from developing solutions around virtual environments. Take for example the traditional sensor configuration: many implementations focus on a single product. From the open-source perspective this would usually be one built around Snort, or perhaps Bro. Most analysts will know the limitations this brings, and most will realise that the resulting view of the network is severely limited… Continue reading ‘The Power of Virtualisation for Comprehensive Intrusion Detection’
I will be using this post to review, day by day, the content of this course whilst I’m over here in Orlando. The course is being led by Jonathan Ham, of jham corp, and was co-written by Sherri Davidoff; the two have now converged to form Lake Missoula Group – an independent, vendor-neutral consulting collective. The 558 course focuses on forensic investigations “without the hard drive” – can enough information be gathered through network analysis to make/break a case? Let’s find out! Continue reading ‘Sans Security 558 – Network Forensics’
I wrote a little bash script on the weekend. The concept is simple: it takes a file name and directory as command-line arguments, then searches IMDb for the title, returning the artwork (600x600px) and the genre. The script then moves the file to a given location under the “genre” folder. For example, I have a folder set up with an incrontab entry that watches for anything moved into it. When incron detects a file, the script is called with the monitored directory and filename as arguments. The movie and corresponding art are moved to my NAS “movies” folder, under the correct genre. Anyway, the script is here (it serves my purpose; you will probably want to edit it for your own use):
Continue reading ‘Bash Script – Automatic IMDb Genre & Artwork For Movie Files’

Today I spent the majority of the day installing and configuring a new Snorby frontend server for testing. I am documenting the process here and will be submitting it to Snorby.org to add to the wiki. I will be making some initial assumptions that you are comfortable using the command line and have some experience with SQL and Apache. Although pretty much anyone should be able to follow this guide through with no prior knowledge, it is useful to have the background knowledge so that you “understand” what it is you are typing! It’s worth noting I won’t be installing Snort, or detailing any sensor configuration at this point; I am building a bare frontend with the intention that data will be fed into the database from elsewhere, as building a sensor, DB server and frontend onto a single box is a bad idea, and pretty unrealistic tbh! With that over, let’s begin!
Updated 03/03/10 to include Apache configuration
Continue reading ‘Installing Snorby With Apache2 on Ubuntu 9.04 Server’