Friday, December 12, 2014

How to Install a MongoDB Cluster: Guide




1: Add the MongoDB Repository
vi /etc/yum.repos.d/mongodb.repo

[mongodb]
name=MongoDB Repository
baseurl=http://downloads-distro.mongodb.org/repo/redhat/os/x86_64/
gpgcheck=0
enabled=1

Then exit and save the file with the command :wq

2: Install MongoDB
yum install mongo-10gen mongo-10gen-server


Config server
The config server processes are mongod instances that store the cluster’s metadata.

Replica Set
A MongoDB replica set is a cluster of mongod instances that replicate amongst one another and ensure automated failover.

Mongos
mongos, for “MongoDB Shard,” is a routing service for MongoDB shard configurations that processes queries from the application layer, determines the location of the data in the sharded cluster, and completes these operations.


Server Setup
Add a new user
Create a new user named mongodb on each server; this user will be the one that starts the mongodb processes.

adduser mongodb
su - mongodb

Prepare directories:
We need to prepare all the data and log directories with proper privileges.

# Commands used to set up the server.
# Creating a directory for data path.
sudo mkdir /var/lib/mongodb/dbs
sudo chown mongodb:mongodb -R /var/lib/mongodb/dbs
cd /etc/
sudo mkdir mongodb
sudo chown mongodb:mongodb -R /etc/mongodb
sudo cp mongodb.conf mongodb/
sudo mv mongodb.conf mongodb.conf.default
Do this on all servers in the MongoDB cluster.

Configuration Servers:
Make a configuration file for mongodb’s config server.

cd /etc/mongodb/
vi config_db.conf
The configuration file of the mongod running on each config server should contain:

fork=true
dbpath=/var/lib/mongodb/dbs/config_db
logpath=/var/log/mongodb/config_db.log
logappend=true
port=27020
Finally, start the config server:

sudo mongod --configsvr --config /etc/mongodb/config_db.conf
Do the same on all 3 config servers.


Mongos
First we need to create a configuration file for mongos.

cd /etc/mongodb/
vi mongos.conf
The content of the mongos configuration file is:

fork = true
port = 27017
configdb = xxx.xxx.xxx.xxx:port,xxx.xxx.xxx.xxx:port,xxx.xxx.xxx.xxx:port # Here you should put the domain name of your 3 configuration servers.
logpath=/var/log/mongodb/mongos.log
Now start the mongos process:

mongos --config /etc/mongodb/mongos.conf

Replica Sets
First we need to create configuration files for our mongod processes.
We have 3 Replica Sets, and each set has 3 mongod processes running, one of which is an arbiter. Create 3 configuration files on each of our data servers like this:

cd /etc/mongodb/
touch set0_db.conf
touch set1_db.conf
touch set2_db.conf

Each file should contain:

fork = true
port = 27017
dbpath=/var/lib/mongodb/dbs/set<index of this set>_db
logpath=/var/log/mongodb/set<index of this set>_db.log
logappend = true
journal = true
replSet = set<index of this set>
As usual, start each mongod process with:

mongod --config set<index of this set>_db.conf
Finally, initialize the 3 sets separately:

set0

rs.initiate({_id:'set0', members:[{_id: 0, host: 'xxx.xxx.xxx.xxx:port'}, {_id: 1, host: 'xxx.xxx.xxx.xxx:port'}]});
rs.addArb("xxx.xxx.xxx.xxx:port");

set1

rs.initiate({_id:'set1', members:[{_id: 0, host: 'xxx.xxx.xxx.xxx:port'}, {_id: 1, host: 'xxx.xxx.xxx.xxx:port'}]});
rs.addArb("xxx.xxx.xxx.xxx:port");

set2

rs.initiate({_id:'set2', members:[{_id: 0, host: 'xxx.xxx.xxx.xxx:port'}, {_id: 1, host: 'xxx.xxx.xxx.xxx:port'}]});
rs.addArb("xxx.xxx.xxx.xxx:port");

Add Shards:
Now we can connect to ‘mongos’ and add our 3 Replica Sets as 3 shards.

mongo --host <domain name of mongos> --port <port of mongos running>
connecting to: <domain name of mongos>/test
mongos> sh.addShard("set0/<primary of set0>:<port>");
{ "shardAdded" : "set0", "ok" : 1 }
mongos> sh.addShard("set1/<primary of set1>:<port>");
{ "shardAdded" : "set1", "ok" : 1 }
mongos> sh.addShard("set2/<primary of set2>:<port>");
{ "shardAdded" : "set2", "ok" : 1 }

Enable database sharding:
To make use of sharding in MongoDB, we need to explicitly choose the database and collections that we want sharded.
Take our system as an example.
First connect to mongos,

mongo --host <host> --port <port>
Then type the following commands in the mongo shell.
Here we enable sharding for the collection ‘students’ in database ‘test’.

use admin
sh.enableSharding("test")
sh.shardCollection("test.students", { "grades": 1 })
That’s it, we have successfully set up our MongoDB Sharding Cluster!

Verify Sharding:
Now check that your cluster is really working.
You can use the following commands to verify the sharding set up so far.

mongo --host 198.211.98.146 --port 27017
use admin
db.runCommand( { listshards : 1 } );
You should see a result like the one below:

{
 "shards" : [
  {
   "_id" : "set0",
   "host" : "set0/198.211.100.130:27018,198.211.100.172:27017"
  },
  {
   "_id" : "set1",
   "host" : "set1/198.211.100.130:27017,198.211.100.158:27018"
  },
  {
   "_id" : "set2",
   "host" : "set2/198.211.100.158:27017,198.211.100.172:27018"
  }
 ],
 "ok" : 1
}
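As an added example (not part of the original guide), the following script audits the ini-style config files created above for the hardening options they omit, checks the mongos configdb line, and parses the listshards output into a per-replica-set member list; the config-server host names are placeholders. bind_ip, auth and keyFile are real mongod 2.x legacy config options, but the checker itself is the editor's own.

```python
"""Audit the mongod/mongos config files this guide creates and sanity-check
the listshards output shown above.

Added example, not part of the original guide. bind_ip, auth and keyFile are
real mongod 2.x legacy config-file options; the sample files and the
listshards document below are constructed from the guide's own values, with
placeholder config-server host names.
"""
import re
from typing import Dict, List

HOSTPORT = re.compile(r"^[A-Za-z0-9.\-]+:\d{1,5}$")

# Constructed sample: the replica-set member config from the guide, index 0
SET0_CONF = """\
fork = true
port = 27017
dbpath=/var/lib/mongodb/dbs/set0_db
logpath=/var/log/mongodb/set0_db.log
logappend = true
journal = true
replSet = set0
"""

# Constructed sample: the mongos config, with placeholder config-server names
MONGOS_CONF = """\
fork = true
port = 27017
configdb = cfg1.example:27020,cfg2.example:27020,cfg3.example:27020 # 3 config servers
logpath=/var/log/mongodb/mongos.log
"""

# Constructed sample: the listshards result shown in the guide
LISTSHARDS = {
    "shards": [
        {"_id": "set0", "host": "set0/198.211.100.130:27018,198.211.100.172:27017"},
        {"_id": "set1", "host": "set1/198.211.100.130:27017,198.211.100.158:27018"},
        {"_id": "set2", "host": "set2/198.211.100.158:27017,198.211.100.172:27018"},
    ],
    "ok": 1,
}


def parse_conf(text: str) -> Dict[str, str]:
    """Parse the legacy key=value config format ('#' starts a comment)."""
    conf: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        key, value = line.split("=", 1)
        conf[key.strip()] = value.strip()
    return conf


def audit_mongod(conf: Dict[str, str]) -> List[str]:
    """Report hardening options that the guide's files leave out."""
    findings = []
    if "bind_ip" not in conf:
        findings.append("bind_ip not set: mongod listens on every interface")
    if "keyFile" not in conf and conf.get("auth") != "true":
        findings.append("no keyFile and auth not true: clients connect unauthenticated")
    if "replSet" not in conf:
        findings.append("replSet not set: member cannot join a replica set")
    return findings


def config_servers(conf: Dict[str, str]) -> List[str]:
    """Return the mongos configdb hosts, requiring the 3 well-formed entries
    the guide expects."""
    hosts = [h.strip() for h in conf.get("configdb", "").split(",") if h.strip()]
    if len(hosts) != 3:
        raise ValueError("configdb must list exactly 3 config servers, got %d" % len(hosts))
    bad = [h for h in hosts if not HOSTPORT.match(h)]
    if bad:
        raise ValueError("malformed config server entries: %s" % bad)
    return hosts


def parse_shards(doc: dict) -> Dict[str, List[str]]:
    """Turn a listshards result into {replica set: [host:port, ...]}, checking
    that each shard's host string names the replica set it is registered as."""
    if doc.get("ok") != 1:
        raise ValueError("listshards did not return ok: 1")
    shards: Dict[str, List[str]] = {}
    for shard in doc["shards"]:
        rs_name, _, members = shard["host"].partition("/")
        hosts = [m for m in members.split(",") if m]
        if rs_name != shard["_id"] or not hosts:
            raise ValueError("shard %s host string does not name its replica set" % shard["_id"])
        bad = [h for h in hosts if not HOSTPORT.match(h)]
        if bad:
            raise ValueError("malformed members in shard %s: %s" % (shard["_id"], bad))
        shards[shard["_id"]] = hosts
    return shards


if __name__ == "__main__":
    for finding in audit_mongod(parse_conf(SET0_CONF)):
        print("set0_db.conf:", finding)
    print("config servers:", config_servers(parse_conf(MONGOS_CONF)))
    for rs_name, hosts in parse_shards(LISTSHARDS).items():
        print(rs_name, "->", hosts)
```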

Other Settings

Copy DB
Sometimes, as happened to us once, we need to move one of our config servers to another machine.
In this case, do the following.
  • Shut down all processes (mongod, mongos, config server).
  • Copy the data subdirectories (dbpath tree) from the config server to the new config servers.
  • Start the config servers.
  • Restart mongos processes with the new --configdb parameter.
  • Restart mongod processes.
You can use this command to copy a database from another server.

mongo --port 27020
use config
db.copyDatabase("config", "config", "xxx.xxx.xxx.xxx:27020");

Logrotate
MongoDB generates a lot of logs every day, so we need a way to compress them and delete them after a period of time.
We created 2 crontab jobs to achieve this.
This script runs daily at 0:05AM to collect the old logs and compress them.

#! /bin/sh
killall -SIGUSR1 mongod
killall -SIGUSR1 mongos # This line is only applicable on swordfish
find /var/log/mongodb -type f \( -iname "*.log.*" ! -iname "*.gz" \) -exec gzip -f {} \;
This script runs on the first day of every month and removes all the compressed logs from last month.

#! /bin/sh
find /var/log/mongodb -type f -name "*.gz" -exec rm -f {} \;
Add crontab entries for these two scripts.

crontab -e

0  0 * * * /path/to/your/mongodb_logrotate.sh
0 10 1 * * /path/to/your/mongodb_clearlog.sh

Deploy MMS Agent
We are now using 10gen’s MMS as our monitoring system. To use it, we need to run their agent
on our mongos server.
Here is how we set it up.
First download the agent from your hosts dashboard.
Then:

# prereqs
sudo apt-get install python python-setuptools
sudo easy_install pip
sudo pip install pymongo

#set up agent
cd /path/to/your/dir
mkdir mms-agent
unzip name-of-agent.zip -d mms-agent
cd mms-agent
nohup python agent.py > logs/agent.log 2>&1 &
And we are finished!
The agent will auto-discover the other servers in your cluster. It still needs some manual work from you in the dashboard, but it is really helpful for monitoring the whole system in real time.

How to Install Zabbix on CentOS, an IT Infrastructure Availability and Performance Monitoring Tool


1. Installing Zabbix daemons
1 Download the source archive
$ tar -zxvf zabbix-2.4.2.tar.gz

2 Create user account
groupadd zabbix   
useradd -g zabbix zabbix

3 Create Zabbix database
Database creation scripts
MySQL
shell> mysql -u<username> -p<password>
mysql> create database zabbix character set utf8 collate utf8_bin;
mysql> quit;
shell> mysql -u<username> -p<password> zabbix < database/mysql/schema.sql
# stop here if you are creating database for Zabbix proxy
shell> mysql -u<username> -p<password> zabbix < database/mysql/images.sql
shell> mysql -u<username> -p<password> zabbix < database/mysql/data.sql

4 Configure the sources
Prerequisites:
yum install net-snmp
yum install php-common php-mbstring php-bcmath

Make sure that all software prerequisites are met, then configure:
cd zabbix-2.4.2
./configure --enable-server --enable-agent --with-mysql --enable-ipv6 --with-net-snmp --with-libcurl --with-libxml2

5 Make and install everything
make install

Note: if make fails with "error: 'XML_PARSE_HUGE' undeclared (first use in this function)" (seen on a Zabbix upgrade), edit the libxml2 header
vi /usr/include/libxml2/libxml/parser.h
and add the XML_PARSE_HUGE member to the XmlParserOption enum:
 typedef enum {
     ...
     XML_PARSE_HUGE = 1 << 19, /* relax any hardcoded limit from the parser */
     ...
 } XmlParserOption;
Save, then run
make install

6 Review and edit configuration files
edit the Zabbix agent configuration file /usr/local/etc/zabbix_agentd.conf
edit the Zabbix server configuration file /usr/local/etc/zabbix_server.conf

if you have installed a Zabbix proxy, edit the proxy configuration file
/usr/local/etc/zabbix_proxy.conf

vi /usr/local/etc/zabbix_server.conf
DBPassword=password


7 Start up the daemons
shell> zabbix_server
shell> zabbix_agentd

To start/stop daemons copy scripts from
/zabbix-2.4.2/misc/init.d/fedora/core to /etc/init.d/

2. Installing Zabbix web interface
Copying PHP files
Common locations of HTML documents directories for Apache web servers include:
/var/www/html (Fedora, RHEL, CentOS)

mkdir <htdocs>/zabbix
cd frontends/php
cp -a . <htdocs>/zabbix

chmod -R 777 /var/www/html/zabbix

Installing frontend
Step 1
In your browser, open Zabbix URL: http://<server_ip_or_name>/zabbix
You should see the first screen of the frontend installation wizard.



After completing all the steps, you will see the Zabbix “Welcome” screen. Enter the user name Admin with password zabbix to log in as a Zabbix superuser.




Install Windows Agent:

Create zabbix agent configuration file c:\zabbix_agentd.conf.
sample file available at zabbix_agents_2.2.0.win\conf\zabbix_agentd.win.conf.

Now edit configuration and update following values.
Server=192.168.1.11
Hostname=WIN-SERVER-2012

Let's install the Zabbix agent as a Windows service by executing the following command from the command line:
c:\zabbix_agents_2.2.0.win\bin\win64> zabbix_agentd.exe --install

Use following command to start zabbix agent service from command line
c:\zabbix_agents_2.2.0.win\bin\win64> zabbix_agentd.exe --start

Open the Run window, type “services.msc”, press Enter, and start the Zabbix agent service.


Install Zabbix-Agent from source on the Linux server that you want to monitor.
download zabbix source package
tar -xzf zabbix-2.0.2.tar.gz
./configure --enable-agent
make install
adduser zabbix

Copy the sample configs to /usr/local/etc for the agentd.
[root@mail zabbix-2.0.2]# cp conf/zabbix_agentd.conf /usr/local/etc

Now go to /etc/zabbix/zabbix_agentd.conf and edit (at least):
Server=192.168.0.69
ServerActive=192.168.0.69 [Example IP address of the Zabbix Server]
Hostname=Mail_Server [Exactly the same name as our Zabbix host name; see #1 above. NOTE: This name is case sensitive!]
ListenIP=192.168.0.100 [Example

Next, configure /etc/init.d/
cp misc/init.d/debian/zabbix-agent /etc/init.d/zabbix-agent

Install Zabbix Agent on CentOS/RHEL

Step 1: Add Required Repository
CentOS/RHEL 6:
# rpm -Uvh http://repo.zabbix.com/zabbix/2.2/rhel/6/x86_64/zabbix-release-2.2-1.el6.noarch.rpm

CentOS/RHEL 5:
# rpm -Uvh http://repo.zabbix.com/zabbix/2.2/rhel/5/x86_64/zabbix-release-2.2-1.el5.noarch.rpm

Step 2: Install Zabbix Agent
yum install zabbix zabbix-agent

Step 3: Update Zabbix Agent Configuration
Edit zabbix agent configuration file /etc/zabbix/zabbix_agentd.conf and update

Zabbix server IP and client hostname:
#Server=[zabbix server ip]
#Hostname=[ Hostname of client system ]

Server=192.168.1.11
Hostname=Server1

Step 4: Start/Stop Zabbix Agent
# /etc/init.d/zabbix-agent start
# /etc/init.d/zabbix-agent stop





Monday, November 24, 2014

How to Install MongoDB on CentOS 6 x86_64

Step #1: Add the MongoDB Repository
vi /etc/yum.repos.d/mongodb.repo
[mongodb]
name=MongoDB Repository
baseurl=http://downloads-distro.mongodb.org/repo/redhat/os/x86_64/
gpgcheck=0
enabled=1

Then exit and save the file with the command :wq

Step #2: Install MongoDB
yum install mongo-10gen mongo-10gen-server


Dependencies Resolved
=======================================================================
 Package                   Arch          Version           Repository      Size
=======================================================================
Installing:
 mongodb-org               x86_64        2.6.5-1           mongodb        4.6 k
 mongodb-org-server        x86_64        2.6.5-1           mongodb        9.0 M
Installing for dependencies:
 mongodb-org-mongos        x86_64        2.6.5-1           mongodb        6.8 M
 mongodb-org-shell         x86_64        2.6.5-1           mongodb        4.3 M
 mongodb-org-tools         x86_64        2.6.5-1           mongodb         89 M

Transaction Summary
=======================================================================
Install       5 Package(s)

Total download size: 109 M
Installed size: 276 M
Is this ok [y/N]: y

MongoDB configuration file path:
/etc/mongod.conf

Step #3: Get MongoDB Running
service mongod start


Check MongoDB Service Status
service mongod status

Summary List of Status Statistics
mongostat

Enter the MongoDB Command Line
mongo


By default, running this command will look for a MongoDB server listening on port 27017 on the localhost interface.

If you’d like to connect to a MongoDB server running on a different port, use the --port option. For example, if you wanted to connect to a local MongoDB server listening on port 22222, you’d issue the following command:

mongo --port 22222

To Shutdown MongoDB:
service mongod stop


MongoDB Usage:

>mongo

Select a Database
>db

List databases:
>show dbs

Create a new database named mydb:
>use mydb

Confirm the database is created:
>db

The database you created (mydb) is not present in the list. To display a database you need to insert at least one document into it.

> db.movie.insert({"name":"linux space station"})

> show dbs

To delete a database:
>use test
>db.dropDatabase()

This will delete the selected database. If you have not selected any database, it will delete the default 'test' database.

>show dbs

How To Install Audio Streaming Server With Icecast 2.x On CentOS 6.4 x86_64 Linux

This tutorial explains creating your own streaming audio server with Icecast (OGG/MP3). Icecast was designed to stream any audio file if an appropriate streaming client is available. For OGG/Vorbis you can use ices and for MP3 icegenerator. Here is a small tutorial on how to set up Icecast for streaming OGG/Vorbis and MP3.

This article contains the following topics:
Setting up the server: Icecast
Setting up the OGG/Vorbis streaming client: ices
Setting up the MP3 streaming client: icegenerator


Setting up the server: Icecast

First get the software:
# yum groupinstall "Development Tools"
# yum install -y curl-devel libtheora-devel libvorbis-devel libxslt-devel speex-devel libxslt
# rpm --import http://apt.sw.be/RPM-GPG-KEY.dag.txt
# cd /home
# wget http://packages.sw.be/rpmforge-release/rpmforge-release-0.5.2-2.el6.rf.x86_64.rpm
# mkdir -p /usr/src/icecast
# cd /usr/src/icecast
# wget http://downloads.xiph.org/releases/icecast/icecast-2.3.3.tar.gz

Next extract the sources and change into the new directory:

# tar xf icecast-2.3.3.tar.gz
# cd icecast-2.3.3

Then configure the sources:

# ./configure --prefix=/opt/icecast/2.3.3

And finally compile the sources and install the binaries:

# make
# make install

You should now have the icecast binary under /opt/icecast/2.3.3/bin:

# ls /opt/icecast/2.3.3/bin/

icecast*

Now go into the icecast directory and link the 2.3.3 directory to latest:

# cd /opt/icecast
# ln -s 2.3.3 latest

Now configure icecast by editing the icecast.xml file. First move the original sample file to an alternate place:

# cd /opt/icecast/latest/etc
# mv icecast.xml icecast.xml.orig
# vi icecast.xml

<icecast>
 
     <!-- LIMITS -->
     <limits>
       <clients>100</clients>
       <sources>10</sources>
       <threadpool>5</threadpool>
       <queue-size>524288</queue-size>
       <client-timeout>30</client-timeout>
       <header-timeout>15</header-timeout>
       <source-timeout>10</source-timeout>
       <burst-on-connect>1</burst-on-connect>
       <burst-size>65535</burst-size>
     </limits>
 
     <!-- GENERIC -->
     <authentication>
       <source-password>password</source-password>
       <admin-user>admin</admin-user>
       <admin-password>password</admin-password>
     </authentication>
     <hostname>MyHost/IP</hostname>
     <listen-socket>
       <port>8000</port>
     </listen-socket>
     <fileserve>1</fileserve>
 
     <!-- PATHES -->
     <paths>
       <basedir>/opt/icecast/latest/share/icecast</basedir>
       <webroot>/opt/icecast/latest/share/icecast/web</webroot>
       <adminroot>/opt/icecast/latest/share/icecast/admin</adminroot>
       <logdir>/var/log/icecast</logdir>
       <pidfile>/var/run/icecast/icecast.pid</pidfile>
       <alias source="/" dest="/status.xsl"/>
     </paths>
 
     <!-- LOG -->
     <logging>
       <accesslog>access.log</accesslog>
       <errorlog>error.log</errorlog>
       <playlistlog>playlist.log</playlistlog>
       <loglevel>1</loglevel>
       <logsize>10000</logsize>
       <logarchive>1</logarchive>
     </logging>
 
     <!-- SECURITY -->
     <security>
       <chroot>0</chroot>
       <changeowner>
         <user>icecast</user>
         <group>icecast</group>
       </changeowner>
     </security>
 
   </icecast>

The above icecast.xml is very simple. The first section LIMITS defines the maximum number of radio stations you want to provide (sources=10), how many clients may connect (clients=100), etc.

The second section GENERIC defines a username and passwords, the hostname (MyHost/IP), the port (8000) for the server itself, etc.

The section PATHES defines the paths to the webgui.

Icecast has a small and simple webgui to see what is going on and this section defines where to find the web documents.

The LOGGING section is of course for logging, where and what to log etc.

The SECURITY section defines that the Icecast software itself should run under the user icecast and the group icecast.

Now three more things need to be done: create a user and a group called icecast as defined in the icecast.xml configuration file, create the place for the logs, and create a place for the pid file.

First create the icecast user with the ID 200 and the group icecast with the ID 200:

# groupadd -g 200 icecast
# useradd -d /var/log/icecast -m -g icecast -s /bin/bash -u 200 icecast

With the -m option set, the directory for the logs was created automatically, so the second step can be skipped. Only the directory for the pid file is now needed:

# mkdir -p /var/run/icecast
# chown -R icecast:icecast /var/run/icecast

Now give it a try and start the icecast server:

# /opt/icecast/latest/bin/icecast -c /opt/icecast/latest/etc/icecast.xml -b

Starting icecast2
Detaching from the console
Changed groupid to 200.
Changed userid to 200.

Your server is now running as your icecast user and logs will be produced under /var/log/icecast:

# ls /var/log/icecast/

access.log  error.log  playlist.log

Check that it is really running:

# pgrep -fl icecast

4434 /opt/icecast/latest/bin/icecast -c /opt/icecast/latest/etc/icecast.xml -b

The icecast server should also be reachable via the webgui under your given hostname and port, e.g. http://MyHost/IP:8000/; once you have set up one or more stations they will show up there. The user for the administrative webgui is the admin-user defined in the icecast.xml file above; the password in this case is password.


Setting up the OGG/Vorbis streaming client: ices

Before you can compile ices you need the libshout library. First download it:

# cd /usr/src/icecast
# wget http://downloads.us.xiph.org/releases/libshout/libshout-2.3.1.tar.gz

Then extract the tar file and change into the new directory:

# tar xf libshout-2.3.1.tar.gz
# cd libshout-2.3.1

Run the configure script:

# ./configure --prefix=/opt/icecast/latest

And compile the sources and install the library:

# make
# make install

Now download the ices client:

# cd /usr/src/icecast
# wget http://downloads.us.xiph.org/releases/ices/ices-2.0.2.tar.bz2

Extract the tar file and change into the new directory:

# tar xf ices-2.0.2.tar.bz2
# cd ices-2.0.2/

Before you run the configure script, export the PKG_CONFIG_PATH variable so ices will be able to include the libshout library:

# export PKG_CONFIG_PATH=/opt/icecast/latest/lib/pkgconfig:$PKG_CONFIG_PATH
# ./configure --prefix=/opt/icecast/latest

Now compile the sources and install the binaries:

# make
# make install

Check that the ices client is available:

# ls /opt/icecast/latest/bin/

icecast*  ices*

Finally configure the ices client and create your first OGG/Vorbis radio station:

# cd /opt/icecast/latest/etc/
# vi ices1.xml

<ices>
 
     <!-- GENERIC -->
     <background>1</background>
     <pidfile>/var/run/icecast/ices1.pid</pidfile>
 
     <!-- LOGGING -->
     <logpath>/var/log/icecast</logpath>
     <logfile>ices1.log</logfile>
     <logsize>2048</logsize>
     <loglevel>3</loglevel>
     <consolelog>0</consolelog>
 
     <!-- STREAM -->
     <stream>
       <metadata>
         <name>RadioStation 1: OGG</name>
         <genre>Varios</genre>
         <description>Test Radio 1</description>
         <url>http://localhost:8000/</url>
       </metadata>
       <input>
         <param name="type">basic</param>
         <param name="file">/opt/icecast/latest/etc/playlist1.txt</param>
         <param name="random">1</param>
         <param name="once">0</param>
         <param name="restart-after-reread">1</param>
       </input>
       <instance>
         <hostname>MyHost/IP</hostname>
         <port>8000</port>
         <password>password</password>
         <mount>/radiostation1</mount>
       </instance>
     </stream>
 
   </ices>

The ices configuration file is as easy as the icecast configuration file. The section GENERIC defines that ices runs in the background and where the pid file can be found.

The section LOGGING is all about logging, where and what to log. The STREAM section needs a little more attention. It defines the radio station itself like the name of the station, where the icecast server can be reached etc.

The password is the source password from the icecast configuration file. If you don't set a password here everybody can connect to your icecast server and create a station.
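The source-password dependency described above can be checked mechanically. The following script is an added example (not from the Icecast or ices projects, nor from the original tutorial): it parses the icecast.xml and ices1.xml shown above, trimmed to the elements it needs, and reports a mismatched ices password, a sample default left in place, and a source password that doubles as the admin password.

```python
"""Cross-check icecast.xml against an ices client config: the ices password
must equal the icecast source-password, and neither server password should be
a sample-file default.

Added example, not from the Icecast or ices projects or the original tutorial.
The two XML documents are constructed from the tutorial's files, trimmed to
the elements this check reads.
"""
import xml.etree.ElementTree as ET
from typing import List

# Constructed sample: the authentication/listen parts of the tutorial's icecast.xml
ICECAST_XML = """<icecast>
  <authentication>
    <source-password>password</source-password>
    <admin-user>admin</admin-user>
    <admin-password>password</admin-password>
  </authentication>
  <hostname>MyHost/IP</hostname>
  <listen-socket><port>8000</port></listen-socket>
</icecast>"""

# Constructed sample: the stream/instance part of the tutorial's ices1.xml
ICES_XML = """<ices>
  <stream>
    <instance>
      <hostname>MyHost/IP</hostname>
      <port>8000</port>
      <password>password</password>
      <mount>/radiostation1</mount>
    </instance>
  </stream>
</ices>"""

# Values that appear in the shipped sample configs and must not go live
DEFAULT_SECRETS = {"", "password", "hackme"}


def _text(node: ET.Element, path: str) -> str:
    """Text of the first child at path, or '' if it is missing or empty."""
    child = node.find(path)
    return child.text.strip() if child is not None and child.text else ""


def audit(icecast_xml: str, ices_xml: str) -> List[str]:
    """Return findings; an empty list means the pair is consistent and no
    default password is in use."""
    icecast = ET.fromstring(icecast_xml)
    ices = ET.fromstring(ices_xml)
    findings: List[str] = []

    source_pw = _text(icecast, "authentication/source-password")
    admin_pw = _text(icecast, "authentication/admin-password")
    if source_pw in DEFAULT_SECRETS:
        findings.append("source-password is a sample default: anyone can mount a station")
    if admin_pw in DEFAULT_SECRETS:
        findings.append("admin-password is a sample default: the admin webgui is open")
    if source_pw and source_pw == admin_pw:
        findings.append("source-password equals admin-password: a source client can administer the server")

    instance = ices.find("stream/instance")
    if instance is None:
        findings.append("ices config has no stream/instance section")
        return findings
    if _text(instance, "password") != source_pw:
        findings.append("ices password does not match icecast source-password: the client will be rejected")
    if _text(instance, "port") != _text(icecast, "listen-socket/port"):
        findings.append("ices port does not match the icecast listen-socket port")
    if not _text(instance, "mount").startswith("/"):
        findings.append("ices mount point must start with /")
    return findings


if __name__ == "__main__":
    for finding in audit(ICECAST_XML, ICES_XML):
        print("-", finding)
```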

One more thing: the playlist. The playlist is a plain text file and contains all your songs you want to play.

Every OGG/Vorbis file inside this file must have the full path, eg:

# cd /opt/icecast/latest/etc/
# vi playlist1.txt

/music/artist/album/song1.ogg
/music/artist/album/song2.ogg

You can create this list easily with find:

# find /music/artist/album/ -name "*.ogg" > /opt/icecast/latest/etc/playlist1.txt

With the ices configuration file and the playlist created, start up ices as user icecast:

# su - icecast -c "/opt/icecast/latest/bin/ices /opt/icecast/latest/etc/ices1.xml"

Now take a look into the log file:

# cat /var/log/icecast/ices1.log

[2011-12-16  12:17:05] INFO signals/signal_usr1_handler Metadata update requested
[2011-12-16  12:17:05] INFO playlist-basic/playlist_basic_get_next_filename Loading playlist from file "/opt/icecast/latest/etc/playlist1.txt"
[2011-12-16  12:17:05] INFO playlist-builtin/playlist_read Currently playing "/music/artist/album/song2.ogg"
[2011-12-16  12:17:05] INFO stream/ices_instance_stream Connected to server: MyHost/IP:8000/radiostation1


As you can see the first radio station is ready and available under http://MyHost/IP:8000/radiostation1

Now try to connect to your streaming server with an audio client and enjoy listening to your radio.

For each radio station you want to provide you need to create a separate ices configuration file with its own playlist, etc. E.g. you can create a separate radio station for your Rock music and a separate radio station for your Pop music.


Setting up the MP3 streaming client: icegenerator

To stream MP3 files you need a streaming client like icegenerator. Before you can compile icegenerator you have to install libshout first.

# cd /usr/src/icecast
# wget http://downloads.us.xiph.org/releases/libshout/libshout-2.3.1.tar.gz

Then extract the tar file and change into the new directory:

# tar xf libshout-2.3.1.tar.gz
# cd libshout-2.3.1

Run the configure script:

# ./configure --prefix=/opt/icecast/latest

And compile the sources and install the library:

# make
# make install

To compile icegenerator download the source package from http://sourceforge.net/projects/icegenerator/ and store it in your src directory. Then go into the src directory and extract the source:

# cd /usr/src/icecast
# wget http://netcologne.dl.sourceforge.net/project/icegenerator/icegenerator/0.5.5-pre2/icegenerator-0.5.5-pre2.tar.gz
# tar xfz icegenerator-0.5.5-pre2.tar.gz
# cd icegenerator-0.5.5-pre2

Now run the configure script (the --prefix option will be ignored, just run the configure script without the --prefix option):

# ./configure

And compile the sources and install the binaries:

# make
# make install

Check that icegenerator is available:

# ls -lah /usr/local/bin/ice*

-rwxr-xr-x 1 root root 55K 2011-12-16 12:41 /usr/local/bin/icegenerator*

Now configure icegenerator and create your first MP3 radio station:

# cd /usr/local/etc
# vi icegen1.cfg

IP=192.168.1.249
PORT=8000
SERVER=2
MOUNT=/radiostation2
PASSWORD=password
FORMAT=1
MP3PATH=m3u:/usr/local/etc/playlist2.m3u
LOOP=1
SHUFFLE=1
NAME=RadioStation 2: MP3
DESCRIPTION=Test Radio
GENRE=Varios
URL=http://localhost:8000/
LOG=2
LOGPATH=/var/log/icecast/icegen1.log
BITRATE=48000
SOURCE=source

The configuration file is a bit more complicated than the ices configuration file. First you define the IP and port of your Icecast server. The SERVER option selects the icy or http protocol; here it is http. MOUNT and PASSWORD are the same as for the OGG/Vorbis station: where to reach the station itself (http://MyHost/IP:8000/radiostation2) and how to authenticate. The FORMAT option selects either streaming MP3 (1) or OGG/Vorbis (0). LOOP and SHUFFLE loop the playlist and randomize playing. NAME, DESCRIPTION and GENRE describe your radio. MP3PATH defines which files to stream, in this case all from an m3u-compatible playlist (created later). URL tells where to reach the streaming server, or any other address; this address may be displayed by your player. Specify LOG and LOGPATH for logging. BITRATE defines the streaming quality.

# vi /usr/local/etc/playlist2.m3u

/music/artist/album/song1.mp3
/music/artist/album/song2.mp3

# find /music/artist/album/ -name "*.mp3" > /usr/local/etc/playlist2.m3u

# su - icecast -c "export LD_LIBRARY_PATH=/opt/icecast/latest/lib:$LD_LIBRARY_PATH; /usr/local/bin/icegenerator -f /usr/local/etc/icegen1.cfg"

# pgrep -fl icegen

31255 icegenerator -f /usr/local/etc/icegen1.cfg

# cat /var/log/icecast/icegen1.log

Fri Dec 16 13:44:38 2011: Connected to stream server
Fri Dec 16 13:44:38 2011: Now playing song1.mp3
Fri Dec 16 13:48:41 2011: Wait for all child process to terminate......

As you can see the second radio station is ready and available under http://MyHost/IP:8000/radiostation2

Now try to connect to your streaming server with an audio client and enjoy listening to your radio.

--------------------


How to start icecast when the system powers up, and how to start icegen (for the MP3 stream) too.

It's simple and useful. So let's go.

1) Create an init script:
nano /etc/init.d/icecast

2) Paste the code: http://downs.animesrox.com.br/icecast.txt
----------------------------------------------------------------------
#! /bin/sh
#
# icecast       This is the init script for starting up the Icecast 2
#               server. Written by Gabor Horvath <gaben@severity.hu>

# Source function library
. /etc/rc.d/init.d/functions

# Daemon
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
DAEMON=/opt/icecast/latest/bin/icecast
LOCKFILE=/var/lock/subsys/icecast
PIDFILE=/var/run/icecast/icecast.pid
NAME=icecast
MP3DIR=/music/artist/album/

# Defaults
CONFIGFILE="/opt/icecast/latest/etc/icecast.xml"
STARTUPLOG="/var/log/icecast/startup.log"
USERID=icecast
GROUPID=icecast
ENABLE="true"

# Variables
RETVAL=0
RESULT=0

start() {
    # Start daemon
    echo -n $"Starting $NAME service: "

    if [ ! -x $DAEMON ]
    then
        echo
        echo -n "$DAEMON is not a valid executable, or missing."
        echo_failure
        echo
        RESULT=3
        return
    fi

    if [ ! -f $CONFIGFILE ]
    then
        echo
        echo -n "$CONFIGFILE could not be found."
        echo_failure
        echo
        RESULT=2
        return
    fi

    if [ -f $LOCKFILE ]
    then
        echo
        echo -n "$NAME service is already running."
        echo_failure
        echo
        RESULT=1
        return
    fi

    su -l $USERID -c "$DAEMON -c $CONFIGFILE -b" >> $STARTUPLOG 2>&1 < /dev/null
    RETVAL=$?
    # Give icecast a moment to come up, then start the MP3 source client
    sleep 3
    su - icecast -c "export LD_LIBRARY_PATH=/opt/icecast/latest/lib:$LD_LIBRARY_PATH; /usr/local/bin/icegenerator -f /usr/local/etc/icegen1.cfg"

    if [ $RETVAL -eq 0 ]
    then
        touch $LOCKFILE
        [ ! -f $PIDFILE ] && pidof $NAME > $PIDFILE
        success
        echo
    else
        RESULT=1
        failure
        echo
    fi
}

stop() {
    echo -n $"Stopping $NAME service: "

    if [ -f $LOCKFILE ]
    then
        killproc $NAME
        RETVAL=$?
        # Stop the MP3 source client too; its exit status must not block the
        # lock/pid cleanup for icecast, otherwise the next start is refused
        killproc icegenerator

        if [ $RETVAL -eq 0 ]
        then
            rm -f $LOCKFILE
            rm -f $PIDFILE
            success
        else
            RESULT=1
            failure
        fi
#    else
#        success
    fi
    echo
}

restart() {
    stop
    sleep 1
    start
}

reload() {
    # Rebuild the MP3 playlist from MP3DIR and restart both daemons
    echo "Updating Mp3 Playlist..."
    stop
    sleep 1
    find $MP3DIR -name "*.mp3" > /usr/local/etc/playlist2.m3u
    start
    sleep 1
    echo "Playlist updated!"
}

# Check if the daemon is enabled
if [ "$ENABLE" != "true" ]
then
    echo "$NAME daemon disabled"
    exit 0
fi

#set -e

case "$1" in
    start)
        start
        ;;

    stop)
        stop
        ;;

    restart)
        restart
        ;;

    status)
        status $NAME
        RESULT=$?
        ;;

    reload)
        reload
        ;;

    *)
        echo "Usage: $0 {start|stop|restart|status|reload}"
        exit 1
        ;;
esac

exit $RESULT
----------------------------------------


3) Set permission to init.d icecast file:
chmod +x /etc/init.d/icecast

4) Give root (or another user; change root accordingly) permission to use the command:
gpasswd -a root icecast

5) Check icecast status:
service icecast status

PS: This checks only icecast, not icegen. But if you use start, stop or restart, the command works with icegen too.

Done!

Check icecast is running:
service icecast status

Start icecast and icegenerator:
service icecast start

Stop icecast and icegenerator:
service icecast stop

Restart icecast and icegenerator:
service icecast restart

That's it !

How to Install HA-Proxy + Stunnel on a Linux Machine


Prerequisites:

yum install perl-5*
yum install make wget gcc-* pcre-static pcre-devel

OpenSSL:
wget http://www.openssl.org/source/openssl-1.0.1g.tar.gz
tar zxvf openssl-1.0.1g.tar.gz
cd openssl-1.0.1g
make clean
./config shared --prefix=/usr --openssldir=/usr/local/openssl
make && make test
make install

Download HA-Proxy source package:
wget www.haproxy.org/download/1.5/src/haproxy-1.5.8.tar.gz

tar -zxvf haproxy-1.5.8.tar.gz
cd haproxy-1.5.8
make TARGET=linux26 USE_STATIC_PCRE=1 USE_LINUX_TPROXY=1
cp haproxy /usr/sbin/haproxy
cp examples/haproxy.cfg /etc/haproxy.cfg

vi /etc/haproxy.cfg
--------------------------------------------------------------------
global
        daemon
        maxconn 500000
        stats socket    /tmp/haproxy
        log 127.0.0.1 local0 debug

defaults
        log     global
        mode http
        timeout connect 3600s
        timeout client 3600s
        timeout server 3600s
        #option keepalive
        option http-server-close
        option forwardfor
        maxconn 500000
        option  httplog
        #balance roundrobin
        #balance source
        retries 3
        option redispatch
        #stats enable
        #stats auth statsadmin:fAzaceg7Dr
####

listen httpfarm
        bind 192.168.30.7:80
        mode http
        option httpchk HEAD  /this.txt HTTP/1.1\r\nHost:\ apply.pebc.ca
        cookie SERVERID insert nocache indirect maxidle 4h maxlife 4h
        balance roundrobin
        server web1 192.168.30.4 cookie A check inter 20000 maxconn 500000
        server web2 192.168.30.6 cookie B check inter 20000  maxconn 500000
        option abortonclose
        option httpclose
        timeout check 10
#
listen httpsfarm
        bind 192.168.30.7:81 accept-proxy
        mode http
        option httpchk  HEAD /this.txt HTTP/1.1\r\nHost:\ www.pebc.com
        cookie SERVERID insert nocache indirect maxidle 4h maxlife 4h
        balance roundrobin
        server web1 192.168.30.4:80 cookie A check inter 20000 maxconn 500000
        server web2 192.168.30.6:80 cookie B check inter 20000  maxconn 500000
        #option forwardfor except 10.212.238.80
        option abortonclose
        option httpclose
        option forwardfor
        reqadd X-Forwarded-Proto:\ https
        #acl hostname hdr_beg(host) -i pebc.
        #acl is_ssl src 10.212.238.80
#       #redirect prefix http://apply.pebc.com if hostname
##      #use_backend purehttp if hostname
##
listen stats 192.168.30.7:8765
        mode http
        stats uri /
        stats enable
        stats auth statsadmin:fAzaceg7Dr
        maxconn 500000
--------------------------------------------------------

/usr/sbin/haproxy -f /etc/haproxy.cfg
ps aux | grep haproxy

http://192.168.30.7:8765/

wget https://www.stunnel.org/downloads/stunnel-5.07.tar.gz
tar -zxvf stunnel-5.07.tar.gz
cd stunnel-5.07
./configure
make
make install

mkdir /etc/stunnel
cp /usr/local/etc/stunnel/stunnel.conf-sample /etc/stunnel/stunnel.conf

vi /etc/stunnel/stunnel.conf
----------------------------------------------------------------
#
chroot = /usr/local/var/lib/stunnel/
protocol = proxy

;CApath==/cert
;cert=/usr/local/var/lib/stunnel/cert/all.pem
;key=/var2/SSL/apply.pebc.ca.key
setuid=nobody
setgid=nobody

; PID is created inside the chroot jail
pid = /stunnel.pid

; Debugging stuff (may be useful for troubleshooting)
debug = 7
output = /stunnel.log

options = NO_SSLv2

socket=l:TCP_NODELAY=1
socket=r:TCP_NODELAY=1

[https]
cert=/var/SSL/apply.pebc.ca.crt
key=/var/SSL/apply.pebc.ca.key
;
;key=/var/SSL/www.pebc.ca.key
;CApath=/usr/local/var/lib/stunnel/cert
;CApath=/var/SSL/GEO
;cafile=/var/SSL/www.pebc-intermediate.crt
;cert=/var/SSL/geochainfile.crt
;cafile=/var/SSL/geochainfile.crt
accept  = 192.168.30.7:443
connect = 192.168.30.7:81
;xforwardedfor = yes
TIMEOUTclose = 0
;
-----------------------------------------------------------------
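Added example, not part of this post: a small Python checker for the pairing shown above, where stunnel sends the PROXY protocol (protocol = proxy) to the haproxy listener that expects it (bind ... accept-proxy), and where the SSL options should disable SSLv3 as well as SSLv2. The config strings are constructed excerpts of the two listings above; parse_haproxy, parse_stunnel and check_chain are names of my own, not tools shipped with either project.

```python
HAPROXY_SECTIONS = {"global", "defaults", "listen", "frontend", "backend"}
# Constructed excerpts of the two config files in this post, trimmed to the lines the checks use.
HAPROXY_CFG = """\
listen httpfarm
        bind 192.168.30.7:80
listen httpsfarm
        bind 192.168.30.7:81 accept-proxy
"""
STUNNEL_CONF = """\
protocol = proxy
options = NO_SSLv2
[https]
accept  = 192.168.30.7:443
connect = 192.168.30.7:81
"""


def parse_haproxy(text):
    """Group lines into sections; a bind is a 'bind addr flags...' line or the old 'listen name addr' form."""
    sections, cur = [], None
    for line in (l.strip() for l in text.splitlines() if l.strip() and l.strip()[0] != "#"):
        words = line.split()
        if words[0] in HAPROXY_SECTIONS:
            cur = {"type": words[0], "name": words[1] if len(words) > 1 else "", "binds": []}
            sections.append(cur)
            if len(words) > 2:  # 'listen stats 192.168.30.7:8765' carries its own address
                cur["binds"].append((words[2], set(words[3:])))
        elif cur is not None and words[0] == "bind":
            cur["binds"].append((words[1], set(words[2:])))
    return sections


def parse_stunnel(text):
    """Global 'key = value' lines first, then [service] blocks; repeated keys collect into lists."""
    conf, name = {"": {}}, ""
    for line in (l.strip() for l in text.splitlines() if l.strip() and l.strip()[0] not in "#;"):
        if line.startswith("[") and line.endswith("]"):
            name = line[1:-1]
            conf[name] = {}
            continue
        key, _, value = line.partition("=")
        conf[name].setdefault(key.strip().lower(), []).append(value.strip())
    return conf


def check_chain(haproxy_text, stunnel_text):
    """Findings: every stunnel service must reach a haproxy bind that agrees on the PROXY protocol, and SSLv3 must be off."""
    sections, conf, findings = parse_haproxy(haproxy_text), parse_stunnel(stunnel_text), []
    binds = {addr: flags for s in sections for addr, flags in s["binds"]}
    if "NO_SSLv3" not in conf[""].get("options", []):
        findings.append("stunnel: NO_SSLv3 is not in 'options'; disable SSLv3 as well as SSLv2")
    for name, svc in conf.items():
        if name == "" or "connect" not in svc:
            continue  # the global block, or a service with no backend
        target = svc["connect"][0]
        # a service inherits 'protocol' from the global block when it does not set its own
        sends_proxy = (svc.get("protocol") or conf[""].get("protocol") or [""])[0] == "proxy"
        if target not in binds:
            findings.append(f"[{name}] connects to {target} but no haproxy bind listens there")
        elif sends_proxy != ("accept-proxy" in binds[target]):
            findings.append(f"[{name}] PROXY protocol mismatch on {target}: stunnel sends it={sends_proxy}")
    return findings
```

Run against the excerpts it reports only the missing NO_SSLv3; dropping accept-proxy from the port 81 bind, or pointing connect at a port nothing listens on, produces the other two findings.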


useradd stunnel

vi /etc/init.d/stunnel
-------------------------------------------------------------------
#! /bin/sh -e
### BEGIN INIT INFO
# Provides:          stunnel
# Required-Start:    $local_fs $remote_fs
# Required-Stop:     $local_fs $remote_fs
# Should-Start:      $syslog
# Should-Stop:       $syslog
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# Short-Description: Start or stop stunnel 4.x (SSL tunnel for network daemons)
### END INIT INFO

DEFAULTPIDFILE="/var/run/stunnel.pid"
DAEMON=/usr/local/bin/stunnel
NAME=stunnel
DESC="SSL tunnels"
FILES="/etc/stunnel/*.conf"
OPTIONS=""
ENABLED=1

get_pids() {
   local file=$1
   if test -f $file; then
     CHROOT=`grep "^chroot" $file|sed "s;.*= *;;"`
     PIDFILE=`grep "^pid" $file|sed "s;.*= *;;"`
     if [ "$PIDFILE" = "" ]; then
       PIDFILE=$DEFAULTPIDFILE
     fi
     if test -f $CHROOT/$PIDFILE; then
       cat $CHROOT/$PIDFILE
     fi
   fi
}

startdaemons() {
  if ! [ -d /var/run/stunnel ]; then
    rm -rf /var/run/stunnel
    install -d -o stunnel -g stunnel /var/run/stunnel
  fi
  for file in $FILES; do
    if test -f $file; then
      ARGS="$file $OPTIONS"
      PROCLIST=`get_pids $file`
      if [ "$PROCLIST" ] && kill -s 0 $PROCLIST 2>/dev/null; then
        echo -n "[Already running: $file] "
      elif $DAEMON $ARGS; then
        echo -n "[Started: $file] "
      else
        echo "[Failed: $file]"
        echo "You should check that you have specified the pid= in your configuration file"
        exit 1
      fi
    fi
  done;
}

killdaemons()
{
  SIGNAL=${1:-TERM}
  for file in $FILES; do
    PROCLIST=`get_pids $file`
    if [ "$PROCLIST" ] && kill -s 0 $PROCLIST 2>/dev/null; then
       kill -s $SIGNAL $PROCLIST
       echo -n "[stopped: $file] "
    fi
  done
}

if [ "x$OPTIONS" != "x" ]; then
  OPTIONS="-- $OPTIONS"
fi

test -f /etc/default/stunnel && . /etc/default/stunnel
if [ "$ENABLED" = "0" ] ; then
  echo "$DESC disabled, see /etc/default/stunnel"
  exit 0
fi

test -x $DAEMON || exit 0

set -e

case "$1" in
  start)
        echo -n "Starting $DESC: "
        startdaemons
        echo "$NAME."
        ;;
  stop)
        echo -n "Stopping $DESC: "
        killdaemons
        echo "$NAME."
        ;;
  reopen-logs)
        echo -n "Reopening log files $DESC: "
        killdaemons USR1
        echo "$NAME."
        ;;
  force-reload|reload)
        echo -n "Reloading configuration $DESC: "
        killdaemons HUP
        echo "$NAME."
        ;;
  restart)
        echo -n "Restarting $DESC: "
        killdaemons
        sleep 5
        startdaemons
        echo "$NAME."
        ;;
  *)
        N=/etc/init.d/$NAME
        echo "Usage: $N {start|stop|reload|reopen-logs|restart}" >&2
        exit 1
        ;;
esac

exit 0
-------------------------------------------------------------

chmod +x /etc/init.d/stunnel

service stunnel start

To start HA-Proxy:
/usr/sbin/haproxy -f /etc/haproxy.cfg -p /var/run/haproxy.pid

ps aux | grep haproxy

service stunnel restart

To have haproxy write its logs to a file, add this to rsyslog:
vi /etc/rsyslog.conf
#proxy logging
local0.*                                                /var/log/haproxy.log

service rsyslog restart

Check the haproxy stats at http://localhost:8765





Wednesday, October 15, 2014

How to install OSSEC and configuring (host based intrusion detection)

OSSEC is a full platform to monitor and control your systems. It mixes together all the aspects of HIDS (host-based intrusion detection), log monitoring and SIM/SIEM in a simple, powerful and open source solution.

File Integrity checking
There is one thing in common to any attack on your networks and computers: they change your systems in some way. The goal of file integrity checking (or FIM, file integrity monitoring) is to detect these changes and alert you when they happen. Whether it is an attack, misuse by an employee or even a typo by an admin, any file, directory or registry change will be reported to you.

Log Monitoring
Your operating system wants to speak to you, but do you know how to listen? Every operating system, application and device on your network generates logs (events) to let you know what is happening. OSSEC collects, analyzes and correlates these logs to let you know if something wrong is going on (attack, misuse, errors, etc.). Do you want to know when an application is installed on your client box? Or when someone changes a rule in your firewall? By monitoring your logs, OSSEC will let you know.

Rootkit detection
Criminals (also known as hackers) want to hide their actions, but with rootkit detection you can be notified when they (or trojans, viruses, etc.) change your system in this way.

Active response
Take immediate and automatic responses when something happens. Why wait for hours when you can alert your admin and block an attack right away?

How it works:
OSSEC is composed of multiple pieces. It has a central manager monitoring everything and receiving information from agents, syslog, databases and from agentless devices.

Manager
The manager is the central piece of the OSSEC deployment. It stores the file integrity checking databases, the logs, events and system auditing entries. All the rules, decoders and major configuration options are stored centrally in the manager, making it easy to administer even a large number of agents.

Agents
The agent is a small program installed on the systems you want to monitor. It collects information in real time and forwards it to the manager for analysis and correlation. It has a very small memory and CPU footprint by default and does not affect the system's usage.
Agent security: it runs as a low-privilege user (created during the installation) and inside a chroot jail isolated from the system. Most of the agent configuration is pushed from the manager, with only a few options stored locally on each agent. If these local options are changed, the manager receives the information and generates an alert.

Agentless
For systems where you can't install an agent, OSSEC lets you perform file integrity monitoring on them without the agent installed. This is very useful for monitoring firewalls, routers and even Unix systems where you are not allowed to install the agent.


INSTALLATION:
Download ossec-hids-2.x.tar.gz from https://github.com/ossec/ossec-hids/archive/2.8.2.tar.gz
#tar xzvf ossec-hids-2.x.tar.gz
#cd ossec-hids-2.x
#./install.sh




For English type: en
What kind of installation do you want (server, agent, local, hybrid): server
Choose where to install the OSSEC-HIDS [/var/ossec]: /var/ossec
Do you want email notification: y
What's your email address: sam@sam.com
What's your SMTP server IP/address: mail.sam.com
Do you want to run the integrity check daemon: y
Do you want to run the rootkit detection engine: y
Do you want to enable active response: y
Do you want to enable remote syslog (port 514 udp): y


#/var/ossec/bin/ossec-control start
#cd /var/www/html
#wget http://www.ossec.net/files/ui/ossec-wui-0.3.tar.gz
#tar zxvf ossec-wui-*.tar.gz
#rm -f ossec-wui-*.tar.gz
#mv ossec-wui-* ossec-wui
#mkdir /var/www/html/ossec-wui/tmp
#chown -R apache:apache /var/www/html/ossec-wui
#add the apache user to the ossec group (append, so apache keeps its other groups)
#usermod -a -G ossec apache
#/var/ossec/bin/ossec-control start


Configure apache to run at startup and start it:
#chkconfig httpd on
#service httpd start
That's it. OSSEC server installation completed. Now I can browse to http://localhost/ossec-wui. The default user and password are ossec/ossec.



Installing the OSSEC agent (Linux client)
Download ossec-hids-2.7.tar.gz from http://www.ossec.net/main/downloads
#tar xzvf ossec-hids-2.7.tar.gz
#cd ossec-hids-2.7
#./install.sh

For English type: en
What kind of installation do you want (server, agent, local, hybrid): agent
Choose where to install the OSSEC-agent [/var/ossec]: /var/ossec
What's the IP address of the OSSEC-HIDS server: 192.168.31.1
Do you want to run the integrity check daemon: y
Do you want to run the rootkit detection engine: y
Do you want to enable active response: y
Do you want to enable remote syslog (port 514 udp): y


On the OSSEC server run the manage_agents tool to add a new client
#/var/ossec/bin/manage_agents
Choose A to add an agent: A
Provide a name for your new agent: arthar2
Provide the IP of your new agent: 192.168.31.150
Provide an OSSEC ID for your new agent: 001
Confirm adding it?: y
Choose E to extract the key for an agent: E
Provide the ID of the new agent: 001
Copy the agent key information
Press ENTER to return to the main menu
Choose Q to quit


On the OSSEC client run the manage_agents tool to configure the new client

#/var/ossec/bin/manage_agents
Choose I to import a key from the server: I
Paste the already copied agent key: paste
Confirm adding it: y
Press ENTER to return to the main menu
Choose Q to quit


Start OSSEC
#/var/ossec/bin/ossec-control start
That's it. OSSEC client installation completed. Now I can browse to http://localhost/ossec and see messages from my new OSSEC client.



Installing the OSSEC agent (Windows client)
Download the OSSEC Windows agent from http://www.ossec.net/main/downloads

Run the downloaded exe file
A. Welcome to OSSEC HIDS Windows Agent v2.6 Setup Wizard – Click Next
B. License Agreement – Read the license agreement and if you agree click on I agree
C. Choose Components – If you are not running IIS, untick "Scan and monitor IIS logs" and click Next
D. Choose Install Location – Click Install
E. Completing the OSSEC HIDS Windows Agent v2.6 Setup Wizard – check that "Run OSSEC Agent Manager" is ticked and click Finish
On the OSSEC server run the manage_agents tool to add a new client
#/var/ossec/bin/manage_agents
Choose A to add an agent: A
Provide a name for your new agent: arthar
Provide the IP of your new agent: 192.168.31.2
Provide an OSSEC ID for your new agent: 002
Confirm adding it?: y
Choose E to extract the key for an agent: E
Provide the ID of the new agent: 002
Copy the agent key information
Press ENTER to return to the main menu
Choose Q then Enter to quit


On the OSSEC Windows client run the Agent Manager if it's not already running and configure your new client installation
A. Start -> All Programs -> OSSEC -> Manage Agents
B. OSSEC Agent Manager – Fill in the OSSEC server IP 192.168.31.1 and the "Authentication Key" that was copied from the server. Click Save
C. Confirm Importing Key – Click OK
D. OSSEC Agent Manager – Click on Manage -> Start OSSEC
E. Close OSSEC Agent Manager
That's it. OSSEC client installation completed. Now I can browse to http://localhost/ossec and see messages from my new OSSEC client.



Wednesday, October 1, 2014

How to write Snort rules - Part III

Continuing with the posts about Snort installation (part II), we now have a complete installation and a web interface to monitor our network alerts. One of the most important things when you maintain an IDS like Snort in a network is adding new rules to alert on possible attacks, malware behaviour, or simply to control part of our traffic for some reason. Snort rules are very flexible and offer many configuration possibilities; in this post I'll give a short introduction to writing basic rules, explaining the components of a rule and some options that can be useful.

Anatomy of a rule
A Snort rule is basically composed of a header (which traffic the rule applies to) and the options (what to look for in the packet and what to do when it matches).
  • The header is composed of:
Action Protocol Source IP Source Port Direction Operator Destination IP Destination Port (Options)
Action: what Snort does when a packet matches the rule. Possible actions:
– alert: generate an alert and then log the packet.
– log: log the packet.
– pass: ignore the packet.
– activate: generate an alert and then turn on another, dynamic rule.
– dynamic: remain idle until an activate rule turns it on, then act as a log rule.
Protocol: TCP, UDP, ICMP or IP.
The following syntax can be used for an IP address or port number:
– "!": exclude the IP address or port number from the rule.
– "172.16.0.0/16": all the devices in this network.
– "any": any IP address or port number.
– ":": a range of port numbers.
– variables: the variables declared in snort.conf, like HOME_NET and EXTERNAL_NET.
Direction Operator: indicates the direction of the packets the rule applies to. The possible operators:
– "->": the source IP and port are before the operator and the destination IP and port after it.
– "<>": bidirectional traffic; Snort considers either IP/port pair as source or destination.

Some examples of rule headers
alert tcp any any -> 172.16.0.0/16 1:1023 : This rule matches TCP connection attempts from any source to all the hosts in the network 172.16.0.0 on a port in the range 1 to 1023.
log udp 10.0.0.0/8 :1024 -> 192.168.1.0/24 100: : Log all the UDP traffic from the network 10.0.0.0 with a source port below 1024 and destined for the network 192.168.1.0 with a destination port above 100.
log tcp 192.168.1.0/24 any <> 192.168.1.1 22 : Log all the SSH requests from the network 192.168.1.0 to the host 192.168.1.1 and the SSH requests from this host.
  • Options: contain the messages and the information needed to decide on the alert. The different options are separated with the character ";". There are 4 main categories of options:
Meta-data: provides information about the rule. Possible metadata options:
– msg: the message string to print when the rule matches.
– sid: unique identifier of a Snort rule.
– rev: used together with sid to give a revision number for the rule.
– classtype: the classification of the rule; the classes are defined in the configuration file classification.config, each with a priority.
Payload: refers to the "useful" data inside a packet, usually known as the body of the data, excluding overhead such as the packet headers. Some possible options:
– content: lets a rule search for specific content in the payload of a packet. The pattern can be text, or binary written between pipe characters "|" as hexadecimal bytes.
– rawbytes: lets a rule search the raw packet data without any decoding by the preprocessors.
– depth: the number of bytes from the start of the payload that Snort will search.
Non-payload: looks at data in parts of the packet other than the body. Some options:
– dsize: tests the payload size in bytes.
– id: tests the ID field of the IP header. Some exploits or scanners set this field to a specific value.
– flags: tests whether specific TCP flag bits are set; useful flags are S (SYN), A (ACK), F (FIN).
Post-detection: options that trigger an action after a rule has matched.
Some Examples of Snort Rules
  • Detecting when root user is trying to send an email:

alert tcp any any -> 192.168.1.0/24 25 (sid:1002345;rev:2;msg:"root users attempts to send an email"; content:"mail from: root";classtype:suspicious-login;)

  • Identifying the source of icmp traffic of a windows host:
– First of all I had to capture an ICMP packet with tcpdump to see what the signature of a ping packet from a Windows host looks like, and this is the data I captured, in hexadecimal format:

alert icmp any any -> 192.168.1.0/24 any (sid:1002356;msg:"Hey!! A windows Host is pinging me!";itype:8;content:"|6566 6768 696a 6b6c 6d6e 6f70 7172 7374 7576 7761 6263 6465 6667 6869|";nocase;depth:32;classtype:icmp-event;)

  • Registering all access to the url /admin on the web server 192.168.1.250:

alert tcp any any -> 192.168.1.250 80 (sid:1002354;rev:2;msg:"Warning!!, A host is trying to access /admin"; uricontent:"/admin";classtype:web-application-activity;)

  • Alert all SMTP traffic that contains a file virus.exe attached:

alert tcp any any -> 192.168.1.0/24 25 (sid:1002311; rev:3; msg:"Warning!! The virus.exe is included in one mail!!"; content:"filename=\"virus.exe\"";classtype:suspicious-filename-detect;)
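Added example, not from the original post: a Python parser for the rule anatomy described above (header fields, port ranges, the ";"-separated options and |hex| content), exercised on the post's own example rules, plus a lint pass with the checks a reviewer makes before loading a rule. The sample rules are constructed from the listings above with the "->" operator; parse_ports, split_options, content_bytes, parse_rule and lint are names of my own, not Snort tools.

```python
import re
ACTIONS = {"alert", "log", "pass", "activate", "dynamic"}
PROTOCOLS = {"tcp", "udp", "icmp", "ip"}
HEADER_RE = re.compile(
    r"^(?P<action>\S+)\s+(?P<proto>\S+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*(?:\((?P<opts>.*)\))?\s*$")
# one option: name, optionally ':' and a quoted (with \" escapes) or unquoted value, then ';'
OPTION_RE = re.compile(r'\s*(?P<name>[A-Za-z_]+)\s*(?::\s*(?P<value>"(?:[^"\\]|\\.)*"|[^;]*))?;')

# Constructed samples: rules from this post (operator written as "->") plus one header-only log rule.
SAMPLE_RULES = [
    'alert tcp any any -> 192.168.1.0/24 25 (sid:1002345;rev:2;msg:"root users attempts to send an email"; content:"mail from: root";classtype:suspicious-login;)',
    'alert icmp any any -> 192.168.1.0/24 any (sid:1002356;msg:"Hey!! A windows Host is pinging me!";itype:8;content:"|6566 6768 696a|";nocase;depth:32;classtype:icmp-event;)',
    'alert tcp any any -> 192.168.1.0/24 25 (sid:1002311; rev:3; msg:"virus.exe attached"; content:"filename=\\"virus.exe\\"";classtype:suspicious-filename-detect;)',
    "log udp 10.0.0.0/8 :1024 -> 192.168.1.0/24 100:",
]


def parse_ports(spec):
    """'any', '25', '!25', '1:1023', ':1024' or '100:' -> (negated, low, high)."""
    negated = spec.startswith("!")
    spec = spec.lstrip("!")
    if spec == "any":
        return negated, 0, 65535
    low, sep, high = spec.partition(":")
    return negated, int(low or 0), int((high if sep else low) or 65535)


def split_options(body):
    """Option body -> [(name, value)]; a quoted value keeps ';' and ':' and turns backslash-quote into a quote."""
    pairs = []
    for m in OPTION_RE.finditer(body or ""):
        value = m["value"] or ""
        if value.startswith('"'):
            value = value[1:-1].replace('\\"', '"')
        pairs.append((m["name"], value.strip()))
    return pairs


def content_bytes(value):
    """A content value mixes literal text with |hex bytes|; return the bytes Snort will look for."""
    return b"".join(bytes.fromhex(p) if i % 2 else p.encode() for i, p in enumerate(value.split("|")))


def parse_rule(line):
    m = HEADER_RE.match(line.strip())
    if not m or m["action"] not in ACTIONS or m["proto"] not in PROTOCOLS:
        raise ValueError("not a valid rule header: " + line)
    return {"action": m["action"], "proto": m["proto"], "src": m["src"], "dst": m["dst"],
            "direction": m["dir"], "sport": parse_ports(m["sport"]), "dport": parse_ports(m["dport"]),
            "options": split_options(m["opts"])}


def lint(rule):
    """Warnings a reviewer raises before loading a rule: no sid, alert without msg, alert with no packet test."""
    names = {name for name, _ in rule["options"]}
    warnings = []
    if "sid" not in names:
        warnings.append("missing sid: the rule cannot be referenced, suppressed or revised")
    if rule["action"] == "alert" and "msg" not in names:
        warnings.append("alert without msg")
    if rule["action"] == "alert" and not names & {"content", "uricontent", "itype", "flags", "dsize", "id"}:
        warnings.append("alert tests nothing beyond the header, so it fires on every matching packet")
    return warnings
```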

To add our rules we need to include the new file in snort.conf and restart snortd:


# vi /etc/snort/snort.conf
include $RULE_PATH/test.rule

# /etc/init.d/snortd restart