At the outset I would like to state that, as recommended, I did try starting this thread in the Security forum, but was restricted. Anyway, that is not the point.
I tried setting up the IDS via bodhi zazen's post, then did my own R&D. It turns out I am facing a problem with the log file for snort.
When I installed snort it was snort-pgsql that was installed, as per the post by bodhi.
I installed it this way.
sudo apt-get install postgresql
sudo apt-get install -y apache2 php5 php-pear php5-gd php5-adodb php5-pgsql libphp-adodb snort-pgsql
2 separate commands.
Now then the error I see is:
ERROR: log_tcpdump: Failed to open log file "/var/log/snort/tcpdump.log.1348993619": No such file or directory
Fatal Error, Quitting..
when I type sudo snort -c /etc/snort/snort.conf
But...
When I try sudo snort -c /etc/snort/snort.conf -T
as per bodhi's post, things are alright.
My question is why does the command not work without the -T at the end?
Also I edited "ipvar HOME_NET any", as when I used the search function it did not show "var HOME_NET any". I even looked everywhere in snort.conf and it is not there. Does this mean the snort config file is pre-configured for IPv6?
I must admit that I have not set up the Snort rules and Oinkmaster yet. But this should not be linked to getting a log file from snort with the present rules.
Another thing is that there is a pgsql folder under /var/log/pgsql, but the folder required for the snort log, /var/log/snort, is not there.
That is what the error ideally states. Should I make the folder? In the first place, isn't it already supposed to be there, or is snort supposed to log to /var/log/pgsql?
I am also checking the snort manual. But any directions and guidance will surely help.
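The error quoted above says the tcpdump log cannot be opened because its directory does not exist. Before starting the daemon it helps to confirm that the log directory exists and is writable by the user Snort runs as. The following pre-flight helper is an added example and not code from the post or from the Snort project; the path /var/log/snort is taken from the error message, the mode 0750 and the helper name are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): pre-flight check that the
# directory Snort will write its logs to exists and is writable.
# /var/log/snort comes from the error in the post; the default mode 0750
# and the function name are assumptions for this example.

# ensure_log_dir DIR [MODE]
# Creates DIR (with MODE, default 0750) if it is missing, then verifies
# that the current user can write to it.
# Exit status: 0 if DIR exists (or was created) and is writable, 1 otherwise.
ensure_log_dir() {
    dir=$1
    mode=${2:-0750}
    if [ -z "$dir" ]; then
        echo "usage: ensure_log_dir DIR [MODE]" >&2
        return 1
    fi
    if [ -e "$dir" ] && [ ! -d "$dir" ]; then
        echo "$dir exists but is not a directory" >&2
        return 1
    fi
    if [ ! -d "$dir" ]; then
        echo "creating $dir (mode $mode)"
        mkdir -p "$dir" || return 1
        chmod "$mode" "$dir" || return 1
    fi
    if [ ! -w "$dir" ]; then
        echo "$dir is not writable by $(id -un)" >&2
        return 1
    fi
    return 0
}

# Usage (as root, since /var/log is root-owned): create the directory,
# then run the config test from the post before starting the daemon.
#   ensure_log_dir /var/log/snort && snort -c /etc/snort/snort.conf -T
```

The helper does not change ownership of the directory because the post does not say which user the daemon runs as; if Snort drops privileges, the directory must be writable by that user rather than by root.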