OISF Suricata 1.1.0 beta 1 debian package for Ubuntu 10.04

I also got time to put together a package for the latest version of Suricata, namely 1.1 beta1.

My plan was to stick to a stable version when OISF released 1.0.3, but they skipped that, and went for a 1.1 release instead.
As I also try to help out where I can, I don’t mind running beta software, and reporting bugs etc. when and if I can. I’ll probably pack beta2 and so on until OISF hits a stable release, and then I’ll stick with that in my gamelinux PPA. So until then, I hope you try out Suricata with me on the quest for a stable release 🙂

Read more about suricata 1.1 beta 1 here.

Sourcefire daq-0.5 and Snort-2.9.0.3 debian packages for Ubuntu 10.04

Well, I did get a small hour to play today, so I packed updated versions for snort and daq, namely Snort-2.9.0.3 and daq-0.5.

You can read some more details about my last build of the packages here.

My PPA can be found here.

Comments and suggestions are welcome 🙂

Sourcefire daq-0.4 and Snort-2.9.0.2 debian packages for Ubuntu 10.04

Moving to the new Snort 2.9 version, it added dependencies on a new library, namely DAQ(Data Acquisition library) for packet I/O.

So the little extra of packaging a new deb (daq) and check snort-debian files that they where compliant to the new version, made me debianize Suricata instead, as I saw that as quicker way to get an IDS up and running on my new firewall at home.

Now that I have suricata in place, plus some extra time last night, and I see people struggling trying to install/upgrade to Snort 2.9 on Ubuntu, I could not help my self trying to be helpful, again…

So I made debian packages and put them in my Ubuntu 10.04 Lucid PPA on launchpad. I started a new clean debian package for Snort. Its not yet packed with “debian-easy-features”, so it just installs Snort, makes the directories and adds some default configuration files. I will improve this as I go.

DAQ is built with:

Build AFPacket DAQ module.. : yes
Build Dump DAQ module…… : yes
Build IPFW DAQ module…… : yes
Build IPQ DAQ module……. : no
Build NFQ DAQ module……. : no
Build PCAP DAQ module…… : yes

And Snort is compiled with:

–enable-perfprofiling
–enable-ipv6
–enable-sourcefire
–enable-dynamicplugin
–enable-targetbased
–enable-zlib
–enable-ppm
–enable-gre
–enable-mpls
–enable-decoder-preprocessor-rules
–without-mysql
–without-postgresql

So, if you add my PPA, you apt-get install snort version 2.9.0.2. Pronto though, Snort 2.9.0.3 will be out, and I’ll upgrade accordingly. Suricata will also soon be out in 1.0.3, hopefully this week. Maybe we get fresh releases from this Santa for both engines 🙂

Until then,

-*> Snort! <*-
Version 2.9.0.2 IPv6 GRE (Build 92)
By Martin Roesch & The Snort Team: http://www.snort.org/snort/snort-team
Copyright (C) 1998-2010 Sourcefire, Inc., et al.
Using libpcap version 1.0.0
Using PCRE version: 7.8 2008-09-05
Using ZLIB version: 1.2.3.3

Debian/Ubuntu package of barnyard2

Barnyard2 is a fork of the original barnyard project. I used to debianize the original barnyard, but since BY2 is more up to date, I have switched.

It is hosted on my Ubuntu PPA, and you can find it here.

Ubuntu repo for sguil

I have spent the last week setting up a Ubuntu Launchpad PPA for my packages I used to hoste here on my blog.

The URL to my PPA is : https://launchpad.net/~ebf0/+archive/gamelinux

I pack the packages mainly for Lucid Lynx 10.04.
To try them out, you can add the following in /etc/apt/sources.list:
deb http://ppa.launchpad.net/ebf0/gamelinux/ubuntu lucid main
deb-src http://ppa.launchpad.net/ebf0/gamelinux/ubuntu lucid main

To add my key to you Ubuntu installation:
apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 4B04D050


Then you should be able to apt-get update, and then apt-get install my packages 🙂

Please try them out and give me feedback!
You will find my howto on how to configure them here.

Happy F8’ing!

Ubuntu 10.04 and my sguil-client .deb package

Finally moving on to Ubuntu 10.04 LTS (lucid) and installing my sguil-client_0.7.0-3_all.deb package, I had to run into some problems…

$ ./sguil.tk
ERROR: Cannot fine the Iwidgets extension.
The iwidgets package is part of the incr tcl extension and is
available as a port/package most systems.
See http://www.tcltk.com/iwidgets/ for more info.


Read here if you want to know more.

Quick and dirty, this is how I fixed it after installing the sguil-client:

$ sudo apt-get remove tcl8.5

Install itk3 and itcl3 from here and here.
Then:

$ sudo apt-get install iwidgets4


Install the sguil-client_0.7.0-3_all.deb again, and Bob is your uncle!

I also pinned the packages, so that an upgrade would not b0rk things.
In /etc/apt/preferences.d/00Sguil:

Package: itcl3
Pin: release a=hardy
Pin-Priority: 900

Package: itcl3
Pin: release a=lucid
Pin-Priority: -10

Package: itk3
Pin: release a=hardy
Pin-Priority: 900

Package: itk3
Pin: release a=lucid
Pin-Priority: -10

Not sure if this is 100% correct, as I don’t have hardy in my sources.list, but it seems to work 🙂
For aptitude, use:

$ sudo aptitude hold itcl3 itk3

Enjoy!

snort-2.8.6.1 debian/ubuntu packages

Back from vacation 🙂

I did pack 2.8.6.0, but it never made it to the public before I went on vacations

You can find 2.8.6.1 here:
http://debs.gamelinux.org/snort/hardy/

-*> Snort! <*-
Version 2.8.6.1 IPv6 GRE (Build 39)

Prads 0.2.0 released

As Kacper stated here, PRADS 0.2.0 has been released!

You can download some debian packages here, or you can check out the GIT repo here.

Bug reports, issues, thoughts or any comments are very welcome!

Enjoy!

Bumped version on PADS

Small PADS info:

I bumped the version of pads to 1.2.1 (My version) after applying a patch that fixes many issues as follow:
PADS did not enable warnings during compilation. Enabling that revealed
that it did not actually include header files declaring the functions it
used. Fixing this revealed a multitude of little bugs of varying
severity, including:
- Uninitialized variables
- Unused variables
- Using close() instead of fclose()
- Using a bstring as a string, rather then using bdata()
- Useless statements
- Return without argument, even though function must return something
- Assuming time_t is int
- Passing pointers to arrays instead of the array itself

Many thanks to Erwin Paternotte for submitting this patch in the work of getting pads to work on Hardened Gentoo 64bit.

Sguil on Ubuntu 10.04 LTS (Lucid Lynx)

As Ubuntu 10.04 (Lucid Lynx) is the next LTS (Long Time Support) version of Ubuntu that is coming out soon (April 29, 2010), I have started to look at how sguil and my dot deb packages will work.

I installed Lucid Lynx yesterday and installed my server and sensor debs on it.

Some first notes:

* MySQL is not eating the create_sguildb.sql (Just remove the comments)
* Lucid (and Karmic) does not ship with tclx8.3 😦 (Installing the Hardy version worked just fine)

(I filled a bug report to Ubuntu, hoping to get tclx8.3 into the final release…)

So, from my first tests, it seems to work fine!

I have yet to test the sguil-client on Lucid, and also I did not get to test with extensive amount of traffic and operations on the Lucid test server.

So, looking promising 🙂