Hi all, I am going insane trying to figure out how to get snort to work on OSSIM 4.3. I have a fresh install with 4 interfaces:

eth0: external management interface
eth1: promisc interface connected to vlan1
eth2: promisc interface connected to vlan2
eth3: internal interface for OSSEC communication to hosts on vlan1 & 2

eth1 & 2 have been configured in /etc/network/interfaces as follows:

    auto eth1
    iface eth1 inet manual
        up ifconfig $IFACE 0.0.0.0 up
        up ifconfig $IFACE promisc
        down ifconfig $IFACE down

Running snort -i eth1 I can sniff traffic on vlan1 hosts; same goes for eth2/vlan2.
Out of the box, ps aux | grep snort returned no running processes, but somehow snort was sniffing on eth0 and added a few Dropbox broadcast events to the framework.
To use my promisc interfaces I made the following changes in the Alienvault Setup menu:

2. Configure sensor
0. Select Listening interfaces (promisc mode): eth1 & eth2
3. Monitored networks (added vlan1 & 2 network addresses): 192.168.3.0/24,192.168.2.0/24
4. Select Data Sources: selected snort_syslog snortunified
7. Apply changes
I have a webserver with a purposely vulnerable webapp (Wavsep) on vlan2 (192.168.2.0). After trying sqli, rfi, lfi, xss ... I get no events in the OSSIM framework. OSSEC on the other hand goes crazy. I have also tried disabling OSSEC, but snort does not trigger. I have also tried nmap -Pn -p 445 ip repeatedly from a server in vlan1 to vlan2 to see if I could trigger a snort rule. No luck there either.
Both tcpdump -i ethx and snort -i ethx receive the packets, but no events or snort rules are triggered.
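As an added diagnostic (not from the original post or from AlienVault/OSSIM), the script below checks the two things the symptoms above call into question: whether each listening interface is actually in PROMISC mode at the kernel level, and whether a snort process is attached to it with -i <iface>. It runs on constructed sample output of `ip -o link show` and `ps -eo args`; swap the two sample_* functions for the real commands on the sensor.

```sh
#!/bin/sh
# Added example; not part of OSSIM or the original post.
# Sample output below is constructed so the script runs offline.
# On a real sensor replace sample_ip_link with `ip -o link show`
# and sample_ps with `ps -eo args`.

sample_ip_link() {
  cat <<'EOF'
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP
3: eth1: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP
4: eth2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP
EOF
}

sample_ps() {
  cat <<'EOF'
/usr/sbin/snort -c /etc/snort/snort.eth1.conf -i eth1 -D
/var/ossec/bin/ossec-agentd
EOF
}

# is_promisc IFACE -> exit 0 if the kernel flags show PROMISC for IFACE
is_promisc() {
  sample_ip_link | grep -E "^[0-9]+: $1: <[^>]*PROMISC" >/dev/null
}

# snort_on IFACE -> exit 0 if some snort process was started with -i IFACE
snort_on() {
  sample_ps | grep -E "snort.* -i $1( |\$)" >/dev/null
}

# check_iface IFACE -> prints both findings; exit 0 only if both are OK
check_iface() {
  iface=$1
  rc=0
  if is_promisc "$iface"; then echo "$iface: PROMISC set"; else echo "$iface: NOT in promisc mode"; rc=1; fi
  if snort_on "$iface"; then echo "$iface: snort attached"; else echo "$iface: no snort process with -i $iface"; rc=1; fi
  return $rc
}

# With the sample data eth1 passes and eth2 fails both checks.
for i in eth1 eth2; do check_iface "$i" || :; done
```

If an interface shows PROMISC but no snort process, the sensor never started snort on it even though tcpdump on that interface sees traffic, which matches the situation described in the post.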