OK, I tar'd the snort 2.8.4 and then changed directory, but now what is with this command:
Code:
    tar zxvf ../snortrules*
I need it step by step, like baby steps. Thank you in advance.
I did exactly what you said to do with that URL. It downloads really quickly, then I try to use the tar command; it does not work and errors out. What am I doing wrong?
Some minor problems here:
In your guide:
Code:
    cp -R /usr/src/snort-2.8.3/doc/signatures .
I am using snort 2.8.4 and there is no such directory (doc/signatures). What should I do here?
Another thing: I only downloaded the community rules, so if I issue:
Code:
    snort -c /etc/snort/snort.conf
I get errors stating that I don't have the appropriate rules (local.rules, icmp.rules, ...). I commented out the includes of those files in snort.conf and inserted includes for all the community rules. Maybe it would be helpful to also incorporate that in your guide.
Another small thing: the machine I am installing on is my gateway, so it only has 2 NICs. Currently I have configured snort to run on eth1, which is my internet interface, but I guess that since snort puts eth1 in promiscuous mode it would kill performance (however, it's only my home network, so not too much traffic)... Is it possible to deploy snort on this machine, or should I buy an extra NIC; or worse, should I have an inline machine in front of my gateway?
I tried snort on the internet interface and started snort via:
Code:
    /etc/init.d/snort start
This resulted in:
Code:
    Snort failed to start ...
My entry in /var/log/messages:
Code:
    Apr 21 14:43:32 artoo kernel: [158473.114012] device eth1 entered promiscuous mode
    Apr 21 14:43:32 artoo kernel: [158473.114040] audit(1240317812.170:22): dev=eth1 prom=256 old_prom=0 auid=4294967295
    Apr 21 14:43:32 artoo kernel: [158473.143981] device eth1 left promiscuous mode
    Apr 21 14:43:32 artoo kernel: [158473.143999] audit(1240317812.200:23): dev=eth1 prom=0 old_prom=256 auid=4294967295
    Apr 21 14:43:32 artoo kernel: [158473.174009] device eth1 entered promiscuous mode
    Apr 21 14:43:32 artoo kernel: [158473.174041] audit(1240317812.230:24): dev=eth1 prom=256 old_prom=0 auid=4294967295
    Apr 21 14:43:32 artoo kernel: [158473.204105] device eth1 left promiscuous mode
    Apr 21 14:43:32 artoo kernel: [158473.204138] audit(1240317812.260:25): dev=eth1 prom=0 old_prom=256 auid=4294967295
Why isn't this working?
Then I tried:
Code:
    snort -v &
I let this run for a couple of minutes and my packet wire totals were:
Code:
    ===============================================================================
    Packet Wire Totals:
       Received:       11
       Analyzed:       10 (90.909%)
       Dropped:         0 (0.000%)
       Outstanding:     1 (9.091%)
    ===============================================================================
    Breakdown by protocol (includes rebuilt packets):
       ETH:             6 (100.000%)
       ETHdisc:         0 (0.000%)
       VLAN:            0 (0.000%)
       IPV6:            6 (100.000%)
All the rest was 0%. I find this weird, since I pinged from another machine, I am remotely logged in to my machine through SSH, and I was surfing the web. Isn't this weird, given the amount of packets from SSH/web traffic coming through, for example? On top of that, nothing is logged in BASE (mysql).
Thanks in advance & kudos for your guide, mate.
Last edited by MarnickV; April 21st, 2009 at 01:51 PM.
I am having the same problems. I followed the snort/base instructions exactly on a fresh install of Hardy server.
Does anyone have any suggestions? I've been trying to troubleshoot this for a week, and I'm about ready to install the package from the repos (but I don't want to!)...
The community rules are very, very old and IMO outdated.
You really should register with snort so that you may download a more updated set of rules.
The community rules do not have signatures, so you will have to live without them if you use the community rules. Signatures are nothing more than an explanation of alerts, and the same information is available online if you wish. You will see links in BASE when you look at an alert. "Local" == signatures.
As far as configuration goes, I am not sure you will need to look at your config file. Snort places your network card in promiscuous mode (snort is a packet sniffer after all, lol), which is fine with modern switches.
There are two mistakes one can make along the road to truth...not going all the way, and not starting.
--Prince Gautama Siddharta
#ubuntuforums web interface
Just to clarify, snort is running, I've made another database and also installed BASE 1.4.1 (which works fine!), but I still get a big fat zero for sensors in BASE:
Code:
    Sensors/Total: 0 / 0
    Unique Alerts: 0
    Categories: 0
    Total Number of Alerts: 0
I have snort set to run as a daemon (which it is), but I'll try 'snort -v' anyway, and run 'nmap -v -A my_snort_machine's_ip' from my Windows machine, and here's what I get:
Code:
    root@guinness:~# snort -v
    04/21-05:49:02.911991 10.1.1.132:22 -> 10.1.8.21:6012
    TCP TTL:64 TOS:0x10 ID:64889 IpLen:20 DgmLen:444 DF
    ***AP*** Seq: 0x83C77398  Ack: 0x8D825380  Win: 0x2180  TcpLen: 20
    =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
    *** Caught Term-Signal
    Run time prior to being shutdown was 451.369952 seconds
    ===============================================================================
    Packet Wire Totals:
       Received:  3095040
       Analyzed:  2606794 (84.225%)
       Dropped:    488103 (15.770%)
       Outstanding:   143 (0.005%)
    ===============================================================================
    Breakdown by protocol (includes rebuilt packets):
       ETH:       2606794 (100.000%)
       ETHdisc:         0 (0.000%)
       VLAN:            0 (0.000%)
       IPV6:           24 (0.001%)
       IP6 EXT:         0 (0.000%)
       IP6opts:         0 (0.000%)
       IP6disc:         0 (0.000%)
       IP4:       2604165 (99.899%)
       IP4disc:     62835 (2.410%)
       TCP 6:           0 (0.000%)
       UDP 6:           0 (0.000%)
       ICMP6:           0 (0.000%)
       ICMP-IP:         0 (0.000%)
       TCP:       2539817 (97.431%)
       UDP:          1448 (0.056%)
       ICMP:           65 (0.002%)
       TCPdisc:         0 (0.000%)
       UDPdisc:         0 (0.000%)
       ICMPdis:         0 (0.000%)
       FRAG:            0 (0.000%)
       FRAG 6:          0 (0.000%)
       ARP:          2204 (0.085%)
       EAPOL:           0 (0.000%)
       ETHLOOP:         0 (0.000%)
       IPX:             0 (0.000%)
       OTHER:         401 (0.015%)
       DISCARD:     62835 (2.410%)
       InvChkSum:       0 (0.000%)
       S5 G 1:          0 (0.000%)
       S5 G 2:          0 (0.000%)
       Total:     2606794
    ===============================================================================
    Action Stats:
       ALERTS: 0
       LOGGED: 0
       PASSED: 0
    ===============================================================================
    Snort exiting
    root@guinness:~#
Last edited by polecat409; April 21st, 2009 at 05:24 PM.
If you do not see any sensors in BASE, then BASE is not working.
Possibilities are:
1. mysql is not set up properly.
2. snort lost its connection with mysql. To test this, clear the database in BASE (from the admin panel) even though it reads "0", then restart snort. You should now see 1 sensor in BASE.
3. BASE is not working, i.e. BASE is not connecting to the mysql database.
I managed to get my snort working with your script, bodhi.zazen; my /var/log/daemon.log showed that snort didn't have the right permissions for /var/log/snort/alert. After I changed that, everything started like it should.
However, I too have problems in BASE seeing the sensor. I believe BASE _can_ connect to mysql, since I can log in (I have enabled authentication on BASE, table base_users in database snort).
I connected to mysql and I checked some tables:
*tcphdr
*event
Both have one row (the latter has a timestamp from just moments ago).
However, table "sensor" does not have any rows.
Number 2 of your list does not work on my setup: I cleared the data tables (from the Cache & Status menu) and then restarted snort. Still no sensor.
Any advice?
Hi Tronnix
.. refers to the directory above where you are currently. Bodhi wants you to unpack all the tar files that start with snortrules from the parent directory into the directory you are in. So if you downloaded a couple (I just downloaded one, but there are different ones like bleeding edge, current etc.; I say for now just download one) of tar files containing the rules into:
/usr/src/snort2.8.4, then I believe the procedure calls for creating a directory called /usr/src/snort2.8.4/rules. So from the rules directory the command tar zxvf ../snortrules* would unpack all the rules and place them in the rules directory. I hope I got all the directory names right; I am trying to do it from memory. Good luck.
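What the `..` and the `*` in that command do, as an added example that is not from the thread or from bodhi.zazen's guide. It builds a scratch copy of the layout just described (a snort-2.8.4 directory holding the downloaded rules tarballs, with a rules/ subdirectory inside it; the names and the .tar.gz suffix are assumptions) and extracts with one tar call per archive. It also shows the catch in the one-shot form: if more than one file matches `../snortrules*`, the shell expands the glob and tar is handed the second archive's name as a member to extract from the first one, which fails.

```shell
#!/bin/sh
# Added example, not from the thread or the guide: unpack every snortrules
# tarball found in the parent directory into the rules directory given as $1,
# one tar invocation per archive.  "../" is the directory above the one you
# are in; from /usr/src/snort-2.8.4/rules it means /usr/src/snort-2.8.4.
# The ".tar.gz" suffix and the directory names are assumptions.
unpack_rules() (
    cd "$1" || exit 1
    for f in ../snortrules*.tar.gz; do
        # an unmatched glob stays literal, so check the file really exists
        if [ ! -e "$f" ]; then
            echo "nothing matched ../snortrules*.tar.gz from $PWD" >&2
            exit 1
        fi
        tar zxvf "$f"
    done
)

# Number of *.rules files now present in directory $1 (a quick sanity check).
count_rules() {
    ls "$1"/*.rules 2>/dev/null | wc -l | tr -d ' '
}

# Walk-through on a constructed layout: two archives side by side in the
# parent of the rules directory.  Everything under $scratch is made up here;
# real snapshot archives may carry their own rules/ directory inside.
demo() {
    scratch=$(mktemp -d)
    src="$scratch/snort-2.8.4"
    mkdir -p "$src/rules" "$scratch/build"
    : > "$scratch/build/local.rules"
    : > "$scratch/build/icmp.rules"
    tar czf "$src/snortrules-one.tar.gz" -C "$scratch/build" local.rules
    tar czf "$src/snortrules-two.tar.gz" -C "$scratch/build" icmp.rules

    unpack_rules "$src/rules"
    echo "rules files after the per-archive loop: $(count_rules "$src/rules")"

    # The one-shot form from the thread breaks with two matches: tar reads
    # the first archive and looks for a member named after the second.
    if ( cd "$src/rules" && tar zxvf ../snortrules* 2>/dev/null ); then
        echo "single tar call succeeded (only one archive matched the glob)"
    else
        echo "single tar call failed: more than one file matched the glob"
    fi
    rm -rf "$scratch"
}

demo
```

Before extracting a real download, `tar tzf ../snortrules-xxx.tar.gz | head` lists what is inside; if the listing already starts with rules/, extract from the directory above rules/ rather than from inside it, or you end up with rules/rules/.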
Great tutorial, thanks; it's much appreciated that someone goes into such detail rather than just 'sudo apt-get install snort'.
Thanks