Page 2 of 6 (results 11 to 20 of 55)

Thread: Snort Mysql & Base on Feisty

  1. #11 (Join Date: Apr 2005 | Location: Wales, UK | Beans: 113)

    Re: Starting Snort.

    Quote Originally Posted by tegwilym
    Ok, I thought I had it all running, but now finding that I'm close, but not quite there just yet.

    At the command line, I enter:
    snort -b -i eth0 -A fast -N -c /etc/snort/snort.conf

    (I leave out the -D so I can see what happens)

    I get this, which looks all fine, until I get to the very end and see the message saying:
    command line overrides rules file alert plugin!
    ERROR: Suppress-Parse: incorrect argument count
    Fatal Error, Quitting..
    In /etc/snort/threshold.conf, change the 4 digit number after 'sig_id' to 1852. That should solve your problem.

  2. #12 (Join Date: Apr 2007 | Location: Bulgaria | Beans: 36 | Distro: Ubuntu 7.04 Feisty Fawn)

    Re: Snort Mysql & Base on Feisty

    Hi, I have the same problem as Miles800

    after:

    Code:
    /etc/init.d/snort start
    I get:

    Code:
    Starting Network Intrusion Detection System: snort(eth0)No /etc/snort/snort.eth0.conf, defaulting to snort.conf
    .

    What can I do to fix it? It seems I'm very close...

    thanks

  3. #13 (Join Date: Jan 2006 | Location: Renton, WA | Beans: 142 | Distro: Ubuntu 7.10 Gutsy Gibbon)

    Re: Snort Mysql & Base on Feisty

    I did get mine running. BASE, Snort, Ntop are all running now.
    I just don't see a whole lot of activity in the BASE application though. Of course this computer here at work is behind a firewall, so that's probably a good thing.

    I have a computer at home on the DMZ through my router, and I expected to see more in the BASE page, but there isn't much there either. It's fully exposed to all the filth and nastiness of the internet also, so I thought I would see more.

    ...of course maybe it's time that I start reading the Snort manual!

    Oh, I tried all this using Ubuntu 7.04 SPARC server version on a Sunfire V100. I couldn't get Ntop to start. I always got a "Bus Error". It seems to be a known issue from what I've found, and there doesn't seem to be a fix for that yet. I'll stick with a normal x86 type machine for now.

    Tom

  4. #14 (Join Date: Nov 2005 | Beans: 49 | Distro: Ubuntu Breezy 5.10)

    Re: Snort Mysql & Base on Feisty

    Quote Originally Posted by weth
    Hi, I have the same problem as Miles800

    after:

    Code:
    /etc/init.d/snort start
    I get:

    Code:
    Starting Network Intrusion Detection System: snort(eth0)No /etc/snort/snort.eth0.conf, defaulting to snort.conf
    .

    What can I do to fix it? It seems I'm very close...

    thanks
    The way snort is designed you can have multiple configs for different interfaces. If snort doesn't find a config for a particular interface then it will default to /etc/snort/snort.conf. If you don't want to see that message there are two things you can do. I bet your snort is running even with that message.

    See if snort is running
    Code:
    pgrep -l snort
    Make a Copy of the default config (edit it if desired)
    Code:
    cp /etc/snort/snort.conf /etc/snort/snort.eth0.conf
    Create a symbolic link (like a shortcut)
    Code:
    ln -s /etc/snort/snort.conf /etc/snort/snort.eth0.conf
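The check-then-copy-or-link steps above, wrapped into reusable shell functions. This is an added example, not code from anyone in this thread: it assumes the Debian/Ubuntu layout of /etc/snort the init script message refers to, and lets you point SNORT_ETC at a scratch directory to try it without touching the real config.

```shell
#!/bin/sh
# Added example, not from the thread: give each sniffing interface its own
# Snort config so the init script stops printing
# "No /etc/snort/snort.eth0.conf, defaulting to snort.conf".
# SNORT_ETC defaults to /etc/snort; override it to experiment safely.

SNORT_ETC="${SNORT_ETC:-/etc/snort}"

# Print the config file Snort will actually load for an interface:
# snort.<iface>.conf if it exists, otherwise the shared snort.conf.
snort_conf_for() {
    _iface="$1"
    if [ -f "$SNORT_ETC/snort.$_iface.conf" ]; then
        echo "$SNORT_ETC/snort.$_iface.conf"
    else
        echo "$SNORT_ETC/snort.conf"
    fi
}

# Create snort.<iface>.conf if it is missing.
#   mode "link": symlink to snort.conf (one shared config; the thread's ln -s)
#   mode "copy": independent copy you can tune per interface (the thread's cp)
# An existing file is never overwritten.
ensure_iface_conf() {
    _iface="$1"
    _mode="${2:-link}"
    _target="$SNORT_ETC/snort.$_iface.conf"
    if [ -e "$_target" ]; then
        return 0
    fi
    if [ ! -f "$SNORT_ETC/snort.conf" ]; then
        echo "ensure_iface_conf: $SNORT_ETC/snort.conf not found" >&2
        return 1
    fi
    case "$_mode" in
        link) ln -s "$SNORT_ETC/snort.conf" "$_target" ;;
        copy) cp "$SNORT_ETC/snort.conf" "$_target" ;;
        *)    echo "ensure_iface_conf: unknown mode '$_mode'" >&2; return 2 ;;
    esac
}

# Is a snort process running? Same idea as the thread's "pgrep -l snort",
# but quiet so it can be used in an if.
snort_running() {
    pgrep -x snort >/dev/null 2>&1
}

# Typical use on the sensor (as root):
#   ensure_iface_conf eth0 link
#   snort -T -i eth0 -c "$(snort_conf_for eth0)"     # parse-test the config
#   /etc/init.d/snort restart && snort_running && echo "snort is up"
```

Use "link" when every interface should share one rule set, and "copy" when an interface (say, the DMZ side) needs different HOME_NET or output settings; in both cases run `snort -T` against the file before restarting the daemon so a typo shows up as a parse error rather than a silently missing sensor.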

  5. #15 (Join Date: Nov 2005 | Beans: 49 | Distro: Ubuntu Breezy 5.10)

    Re: Snort Mysql & Base on Feisty

    Quote Originally Posted by tegwilym
    I did get mine running. BASE, Snort, Ntop are all running now.
    I just don't see a whole lot of activity in the BASE application though. Of course this computer here at work is behind a firewall, so that's probably a good thing.

    I have a computer at home on the DMZ through my router, and I expected to see more in the BASE page, but there isn't much there either. It's fully exposed to all the filth and nastiness of the internet also, so I thought I would see more.

    ...of course maybe it's time that I start reading the Snort manual!

    Oh, I tried all this using Ubuntu 7.04 SPARC server version on a Sunfire V100. I couldn't get Ntop to start. I always got a "Bus Error". It seems to be a known issue from what I've found, and there doesn't seem to be a fix for that yet. I'll stick with a normal x86 type machine for now.

    Tom
    What is NTOP?

    To test snort the easiest thing I found was to use the default logging method which was log files. (This eliminates mysql, apache & php problems.)

    Run a port scan from another computer using nmap. If you have the sensor scan itself it won't show anything. You should see something in /var/log/snort/alert.
    Code:
    nmap -sX your_snort_ip_address
    If you don't see anything I would check iptables, make sure snort is running and then check the snort config. Make sure it's including the port scan rules and make sure your rules are installed correctly.
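Once the sensor is writing to /var/log/snort/alert, the next question is whether it is firing at all and on what. The functions below, an added example rather than anything posted in this thread, summarise one-line alerts in the "-A fast" format used in the first post (timestamp, [**] [gid:sid:rev] message [**], classification, priority, {proto} src -> dst) by signature and by source address. The sample lines in the comments are constructed, not captured; multi-line "full" format entries are skipped, so if the counts come back zero on a file that is clearly not empty, check which -A mode the sensor runs with.

```shell
#!/bin/sh
# Added example, not from the thread: summarise one-line ("-A fast") Snort
# alerts so you can confirm the sensor is firing without reading the raw
# /var/log/snort/alert file line by line. A fast-format line looks like
# (constructed sample):
# 01/05-12:34:56.789012  [**] [1:1852:3] WEB-MISC robots.txt access [**] [Classification: ...] [Priority: 2] {TCP} 192.0.2.5:3456 -> 192.0.2.10:80

# Alerts per signature, busiest first: "<count> <gid:sid:rev> <message>"
alert_by_sig() {
    awk '
        {
            a = index($0, "[**] ")
            if (a == 0) next                   # not a fast-format alert line
            rest = substr($0, a + 5)           # "[1:1852:3] msg [**] ..."
            b = index(rest, " [**] ")
            if (b == 0) next                   # e.g. multi-line full format
            head = substr(rest, 1, b - 1)      # "[1:1852:3] msg"
            c = index(head, "] ")
            sig = substr(head, 2, c - 2)       # "1:1852:3"
            msg = substr(head, c + 2)
            n[sig " " msg]++
        }
        END { for (k in n) print n[k], k }
    ' "$1" | sort -rn
}

# Alerts per source address, busiest first: "<count> <src-ip>"
alert_by_src() {
    awk '
        index($0, "[**] ") > 0 {
            nf = split($0, w, " ")             # ... {TCP} src:port -> dst:port
            if (nf < 3 || w[nf - 1] != "->") next
            src = w[nf - 2]
            sub(/:[0-9]+$/, "", src)           # drop the port (ICMP has none)
            n[src]++
        }
        END { for (k in n) print n[k], k }
    ' "$1" | sort -rn
}

# Number of fast-format alerts in the file; 0 for a missing or empty file.
# Zero on a sensor that should be busy means: check that snort is running,
# that it is on the right interface, and the output lines in snort.conf.
alert_count() {
    if [ -f "$1" ]; then
        awk 'index($0, "[**] ") > 0 { c++ } END { print c + 0 }' "$1"
    else
        echo 0
    fi
}

# Typical use on the sensor:
#   alert_count /var/log/snort/alert
#   alert_by_sig /var/log/snort/alert | head
#   alert_by_src /var/log/snort/alert | head
```

The per-signature view is the one to look at first: a handful of noisy signatures usually dominate a fresh install, and those are the candidates for the suppress entries in threshold.conf mentioned earlier in the thread.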

  6. #16 (Join Date: Jan 2006 | Location: Renton, WA | Beans: 142 | Distro: Ubuntu 7.10 Gutsy Gibbon)

    Re: Snort Mysql & Base on Feisty

    Quote:
    What is NTOP?

    Look at http://www.ntop.org/
    It shows nice tables and graphs of all kinds of information that goes back and forth on the network. I'm not sure what it all means yet, but I'm working on it!

    Quote:
    Run a port scan from another computer using nmap. If you have the sensor scan itself it won't show anything. You should see something in /var/log/snort/alert.
    Code:
    nmap -sX your_snort_ip_address

    I've done "nmap localhost" as a check that I have snort running and it is listening on the port (I forget the number right off hand, but it does say "snort" so I know it's running).

    Good idea on the port scan to the IP address, I didn't know that. I'll try that!

    Quote:
    If you don't see anything I would check iptables, make sure snort is running and then check the snort config. Make sure it's including the port scan rules and make sure your rules are installed correctly.

    I think it's running, and there is something showing up in the alert log ok. Even if snort isn't running the BASE page will come up which can be a little confusing, but of course that is just coming from apache anyway, and it won't do anything if snort isn't doing something in the background. I just want to figure out how to see more on BASE since that would be easier than looking at the confusing alert files.

    Hmm....might be time to ask the company if I can buy a Snort for Dummies book!
    Forums are great, but maybe if I read through all the steps more it could help too.

    Fun stuff though!

    Tom

  7. #17 (Join Date: Nov 2005 | Beans: 49 | Distro: Ubuntu Breezy 5.10)

    Re: Snort Mysql & Base on Feisty

    Quote Originally Posted by tegwilym
    Quote:
    What is NTOP?

    Look at http://www.ntop.org/
    It shows nice tables and graphs of all kinds of information that goes back and forth on the network. I'm not sure what it all means yet, but I'm working on it!

    Quote:
    Run a port scan from another computer using nmap. If you have the sensor scan itself it won't show anything. You should see something in /var/log/snort/alert.
    Code:
    nmap -sX your_snort_ip_address

    I've done "nmap localhost" as a check that I have snort running and it is listening on the port (I forget the number right off hand, but it does say "snort" so I know it's running).

    Good idea on the port scan to the IP address, I didn't know that. I'll try that!

    Quote:
    If you don't see anything I would check iptables, make sure snort is running and then check the snort config. Make sure it's including the port scan rules and make sure your rules are installed correctly.

    I think it's running, and there is something showing up in the alert log ok. Even if snort isn't running the BASE page will come up which can be a little confusing, but of course that is just coming from apache anyway, and it won't do anything if snort isn't doing something in the background. I just want to figure out how to see more on BASE since that would be easier than looking at the confusing alert files.

    Hmm....might be time to ask the company if I can buy a Snort for Dummies book!
    Forums are great, but maybe if I read through all the steps more it could help too.

    Fun stuff though!

    Tom
    If you're seeing traffic in the snort alert log files then you need to edit the config & set up mysql.

    Right now it's logging to a file. In order for base to work it needs to log to a database.

  8. #18 (Join Date: Dec 2006 | Beans: 22)

    Re: Snort Mysql & Base on Feisty

    Followed the guide to the letter but nothing is being logged in the alert logfile. Did an nmap from another machine on the network and it showed me what ports were open.

    Any pointers on what I should be checking?

  9. #19 (Join Date: Dec 2005 | Beans: 17 | Distro: Ubuntu Breezy 5.10)

    Re: Snort Mysql & Base on Feisty

    Also stuck with no running snort. No errors, no logs, nada.

    Code:
    root@bobo:/etc/snort# /etc/init.d/snort restart
    Stopping Network Intrusion Detection System: snort(eth0).
    Starting Network Intrusion Detection System: snort(eth0)No /etc/snort/snort.eth0.conf, defaulting to snort.conf
    .
    root@bobo:/etc/snort# /etc/init.d/snort config-check
    checking  config: (eth0)...failed.
    Also, is it possible to not specify an interface so it will monitor all? I'm not sure if leaving "DEBIAN_SNORT_INTERFACE" blank in snort.debian.conf would do it. Since I can't get snort to run, I don't know.

  10. #20 (Join Date: Dec 2005 | Beans: 17 | Distro: Ubuntu Breezy 5.10)

    Re: Snort Mysql & Base on Feisty

    Figured it out. Ubuntu uses some customizations from Debian. Inside /etc/snort/snort.conf is the following:

    Code:
    # <debian>
    # Keep your paws off of these (#DBSTART#) and (#DBEND#) tokens
    # or you *will* break the configure process (snort-pgsql/snort-mysql only)
    # Anything you put between them will be removed on (re)configure.
    # 
    # (#DBSTART#)
    output database: log, mysql,
    # (#DBEND#) 
    # 
    # </debian>
    These were lines 502 to 511 for me. You need to comment out the "output database: log, mysql" line, and then you can run snort as he describes. Once you have completed this and verified that /var/log/snort/alert is created, you can continue on. I assume you may want to re-enable this line after moving forward. I'm starting that process now.
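Commenting that line out and putting it back by hand is easy to get wrong, since the lines around it are exactly the ones the package warns you not to touch. The functions below, an added example and not code from this thread or from the snort package, do the toggle with awk: they only ever change a line that starts with "output database:" (or its commented form) between the "# (#DBSTART#)" and "# (#DBEND#)" token lines, leave the tokens themselves and everything else in snort.conf untouched, and keep a .bak copy. Bear in mind that on Debian/Ubuntu the package's configure step (dpkg-reconfigure) regenerates whatever sits between the tokens, so a reconfigure after you have disabled the line will turn database output back on.

```shell
#!/bin/sh
# Added example, not from the thread: switch the Debian-managed
# "output database:" line in snort.conf off (log to /var/log/snort/alert
# while testing) and back on (once MySQL and BASE are set up) without
# disturbing the (#DBSTART#)/(#DBEND#) token lines the configure step uses.

# Print enabled / disabled / absent for the database output line that sits
# between the token lines. Only the token lines themselves ("# (#DBSTART#)")
# open and close the block, not the warning comment that merely mentions them.
db_output_state() {
    awk '
        /^# *\(#DBSTART#\)/ { inblk = 1; next }
        /^# *\(#DBEND#\)/   { inblk = 0; next }
        inblk && /^output database:/  { print "enabled";  found = 1; exit }
        inblk && /^#output database:/ { print "disabled"; found = 1; exit }
        END { if (!found) print "absent" }
    ' "$1"
}

# Rewrite a config file through an awk filter, keeping the original as .bak.
_rewrite_db_block() {
    _conf="$1"
    _prog="$2"
    cp "$_conf" "$_conf.bak" &&
    awk "$_prog" "$_conf.bak" > "$_conf"
}

# Comment out "output database:" inside the token block.
db_output_disable() {
    _rewrite_db_block "$1" '
        /^# *\(#DBSTART#\)/ { inblk = 1 }
        /^# *\(#DBEND#\)/   { inblk = 0 }
        inblk && /^output database:/ { print "#" $0; next }
        { print }'
}

# Uncomment it again once the database is ready for BASE.
db_output_enable() {
    _rewrite_db_block "$1" '
        /^# *\(#DBSTART#\)/ { inblk = 1 }
        /^# *\(#DBEND#\)/   { inblk = 0 }
        inblk && /^#output database:/ { sub(/^#/, ""); print; next }
        { print }'
}

# Typical use (as root), then restart snort and look in /var/log/snort/alert:
#   db_output_state /etc/snort/snort.conf
#   db_output_disable /etc/snort/snort.conf
#   /etc/init.d/snort restart
```

After the test phase, run db_output_enable, restart snort, and confirm with db_output_state that it reports "enabled" before expecting anything to appear in BASE.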
