Page 10 of 31 (results 91 to 100 of 309)

Thread: Intrusion Detection

  1. #91
    Join Date
    Dec 2006
    Beans
    197

    Re: Intrusion Detection

    I am running into some problems trying to activate snort. I seem to be able to run it fine from my Ubuntu's /usr/src/snort/snort-2.8.3.2 and /etc/snort directory, but when I try to run it from /usr/local/bin, I get the following error message:
    Code:
    @thunder:/usr/local/bin$ snort -v
    Running in packet dump mode
    
            --== Initializing Snort ==--
    Initializing Output Plugins!
    Verifying Preprocessor Configurations!
    ERROR: Failed to lookup for interface: no suitable device found. Please specify one with -i switch
    Fatal Error, Quitting..
    Here is what it looks like when I run it successfully:
    Code:
    root@thunder:/etc/snort# snort -v
    Running in packet dump mode
    
            --== Initializing Snort ==--
    Initializing Output Plugins!
    Verifying Preprocessor Configurations!
    ***
    *** interface device lookup found: eth0
    ***
    
    Initializing Network Interface eth0
    Decoding Ethernet on interface eth0
    
            --== Initialization Complete ==--
    
       ,,_     -*> Snort! <*-
      o"  )~   Version 2.8.3.2 (Build 22)  
       ''''    By Martin Roesch & The Snort Team: http://www.snort.org/team.html
               (C) Copyright 1998-2008 Sourcefire Inc., et al.
               Using PCRE version: 7.8 2008-09-05
    
    Not Using PCAP_FRAMES

  2. #92
    Join Date
    May 2006
    Beans
    Hidden!
    Distro
    Ubuntu 10.10 Maverick Meerkat

    Re: Intrusion Detection

    Hi,

    Thank you very much for the tutorial it was more than great.

    I have a strange issue: after I installed everything with no problems at all, and Snort + BASE + OSSEC are all working and I can access BASE + OSSEC from a browser, I don't see any activity in the BASE page !!!

    Isn't that strange?

    I even disabled my firewall to make sure that the sensor of snort is not being blocked (if I'm correct) and still nothing !!!

    What do you think is the problem?

  3. #93
    Join Date
    Apr 2006
    Location
    Montana
    Beans
    Hidden!
    Distro
    Kubuntu Development Release

    Re: Intrusion Detection

    This is a common question. Most likely you are not getting much traffic which violates the snort rules.

    If snort does not log an alert to mysql, the connection times out. I am not sure how long it takes, but I re-start snort every 6 hours.

    Hit your machine with a port scanner to test snort. And yes, iptables and ossec will block traffic so turn them off when you test snort.
    There are two mistakes one can make along the road to truth...not going all the way, and not starting.
    --Prince Gautama Siddharta

    #ubuntuforums web interface

  4. #94
    Join Date
    May 2006
    Beans
    Hidden!
    Distro
    Ubuntu 10.10 Maverick Meerkat

    Re: Intrusion Detection

    Quote Originally Posted by bodhi.zazen
    This is a common question. Most likely you are not getting much traffic which violates the snort rules.

    If snort does not log an alert to mysql, the connection times out. I am not sure how long it takes, but I re-start snort every 6 hours.

    Hit your machine with a port scanner to test snort. And yes, iptables and ossec will block traffic so turn them off when you test snort.
    Thank you very much for your reply. I do the same as you do "restart snort every 6 hours" using the cron jobs you explained in your tutorial.

    It seems that my network is cleaner than I imagined, today I got my first ALERT

    BTW: what are the best tutorials, papers or useful information to go beyond what is displayed here? (Ex: advanced config, writing rules, how to know which rule raised the alert, etc.) I only ask because I see you have great experience in SNORT.

    Thank you in advance for your help and support.

  5. #95
    Join Date
    Apr 2009
    Beans
    7

    Re: Intrusion Detection

    Thank you ever so much for such a well written and complete tutorial! I went through seven others before discovering yours.
    I am having one problem though and forgive me in advance if it turns up being a semi-noob error.

    After following your instructions and placing commands in the proper startup files, snort never starts as a daemon; it doesn't start at all. The thing is I can run snort from a command line with no problems.

    I'll be grateful for anything you can do to set me in the right direction.

    Very best regards,

    Mike McCoy

  6. #96
    Join Date
    Apr 2006
    Location
    Montana
    Beans
    Hidden!
    Distro
    Kubuntu Development Release

    Re: Intrusion Detection

    Yes, you need to start snort manually. Once you start it, it will run in the background (if you use the commands in my tutorial).

    I re-start snort every 6 hours with a cron script.

    I would just add the command to start snort in /etc/rc.local , then it will start on boot.
    There are two mistakes one can make along the road to truth...not going all the way, and not starting.
    --Prince Gautama Siddharta

    #ubuntuforums web interface

  7. #97
    Join Date
    Apr 2009
    Beans
    7

    Re: Intrusion Detection

    I am trying to start snort from local.rc, that's why I'm perplexed.

  8. #98
    Join Date
    Apr 2009
    Beans
    7

    Re: Intrusion Detection

    I am starting from rc.local rather...

  9. #99
    Join Date
    Apr 2009
    Beans
    7

    Re: Intrusion Detection

    I am so sorry for being dense, but I configured my rc.local file per your instructions in your tutorial and snort doesn't start. I edited my cron file to match yours as well. I don't have to start manually every time I restart do I?

    Signed,
    Truly a noob
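    Two failure modes in this thread come down to how snort is invoked: in post #91 the failing run shows a non-root `$` prompt and snort cannot find an interface, while the working run is from a root `#` prompt; in posts #95 to #99 snort runs fine interactively but never comes up from rc.local. The wrapper below is an added example (not bodhi.zazen's tutorial script and not part of Snort) that makes both problems visible instead of silent: it checks for root, passes `-i` explicitly so the device lookup is never left to chance, uses absolute paths so it does not depend on the PATH of whatever calls it, and prints the reason when a check fails. The binary, config, log and user paths are assumptions taken from a typical source install; adjust them to your own layout.

```shell
#!/bin/sh
# Added example: start snort as a daemon from /etc/rc.local with explicit
# settings.  All paths below are assumptions, not values from the thread.
SNORT_BIN="${SNORT_BIN:-/usr/local/bin/snort}"
SNORT_CONF="${SNORT_CONF:-/etc/snort/snort.conf}"
SNORT_LOG="${SNORT_LOG:-/var/log/snort}"
SNORT_USER="${SNORT_USER:-snort}"

# Pick the first non-loopback interface from a whitespace-separated list.
# In production the list comes from `ls /sys/class/net`; it is passed in
# as an argument so the function can be exercised with constructed input.
pick_interface() {
    for dev in $1; do
        case "$dev" in
            lo|"") ;;                      # skip loopback and empty tokens
            *) printf '%s\n' "$dev"; return 0 ;;
        esac
    done
    return 1                               # nothing usable found
}

# Build the snort command line.  -i names the capture interface so the
# "no suitable device found" lookup cannot happen; -D daemonises; -u/-g
# drop privileges after the capture socket is opened.
build_snort_cmd() {
    iface="$1"
    printf '%s -D -i %s -c %s -l %s -u %s -g %s\n' \
        "$SNORT_BIN" "$iface" "$SNORT_CONF" "$SNORT_LOG" \
        "$SNORT_USER" "$SNORT_USER"
}

# Preflight checks that explain the failure instead of doing nothing.
preflight() {
    if [ "$(id -u)" -ne 0 ]; then
        echo "snort-start: must run as root (interface lookup and capture need it)" >&2
        return 1
    fi
    if [ ! -x "$SNORT_BIN" ]; then
        echo "snort-start: $SNORT_BIN is not executable" >&2
        return 1
    fi
    if [ ! -r "$SNORT_CONF" ]; then
        echo "snort-start: cannot read $SNORT_CONF" >&2
        return 1
    fi
    mkdir -p "$SNORT_LOG" || return 1
    return 0
}

# Entry point for rc.local.  Note that /etc/rc.local itself must be
# executable and end with "exit 0" for the system to run it at boot.
start_snort() {
    preflight || return 1
    iface=$(pick_interface "$(ls /sys/class/net)") || {
        echo "snort-start: no non-loopback interface present" >&2
        return 1
    }
    cmd=$(build_snort_cmd "$iface")
    echo "snort-start: $cmd"
    $cmd
}

# Only act when explicitly asked, so sourcing this file defines the
# functions without starting anything:  /path/to/snort-start.sh start
case "$1" in
    start) start_snort ;;
esac
```

    Save it as an executable file, for example /usr/local/sbin/snort-start.sh, and call it from rc.local with the `start` argument; on the next boot any failure reason appears in the boot log rather than leaving you to guess why snort is absent. The same invocation works from the six-hourly cron restart mentioned earlier in the thread, provided the running instance is stopped first.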

  10. #100
    Join Date
    May 2006
    Beans
    Hidden!
    Distro
    Ubuntu 10.10 Maverick Meerkat

    Re: Intrusion Detection

    BTW: bodhi.zazen

    I think the current setup shall only monitor the traffic going into the IDS system, or going out of the IDS system, if we are in a switched network. If we want to monitor the whole network, then we need a TAP, or a switch with monitoring ports enabled.

    If the network is built on HUBs then there is no problem, everything shall be monitored whether destined to the system holding the IDS or not.

    Q: Does the white list mean: don't monitor these systems? If yes, then I think it is wrong to assign such an IP, because SNORT shall not monitor it.
