Thread: Another snort problem

  1. #1
    Senior Member
    Join Date
    Jun 2002
    Posts
    148

    Another snort problem

    I recently made two posts regarding setting up snort, both my posts were answered, I have solved both problems but have another. I do not have any web server, and I don't want a web server. I don't know much about mysql other than it has something to do with a database.

    I get the error message saying a required dll NTWDBLIB.DLL was not found, so I did a web search at google and found a dozen forums where someone has been asking about NTWDBLIB.DLL and I did not find any answers. Can someone tell me where I can get that dynamic link library? I already have the WinPcap stuff.

    Do I need msql, iis, apache or any of that other funny stuff to run snort?

    All I want is to give myself some ease of mind knowing I am protected, because ZoneAlarm is not making me feel very safe at all. I do not have a network, I only have one computer. I only want snort to run as an IDS.
    In snatches, they learn something of the wisdom
    which is of good, and more of the mere knowledge which is of evil. But must I know what must not come, for I shale become those of knowledgedome. Peace~

  2. #2
    The Iceman Cometh
    Join Date
    Aug 2001
    Posts
    1,209
    Can I make a quick suggestion? Post all of your Snort questions in one thread instead of starting all new ones every time you have a new question.

    As for the DLL file, you shouldn't need MSQL, Apache or anything else to run Snort. I know that the DLL in question is definitely an SQL file, though. Did you change a setting to use SQL somehow within Snort? If not, try installing ODBC. That may fix the problem.

    AJ

  3. #3
    Senior Member
    Join Date
    Jun 2002
    Posts
    148
    I think maybe in my snort.conf possibly I set it for mysql, but I don't know how to shut it off, here is my snort.conf stuff:

    var HOME_NET 24.101.155.x/32 # x is the actual number in my file
    var EXTERNAL_NET $HOME_NET
    var SMTP $HOME_NET
    var HTTP_SERVERS $HOME_NET
    var SQL_SERVERS $HOME_NET
    var DNS_SERVERS $HOME_NET
    var RULE_PATH c:\snort\
    var SHELLCODE_PORTS !80
    var HTTP_PORTS 80
    var ORACLE_PORTS 1521
    preprocessor frag2
    preprocessor stream4: detect_scans, disable_evasion_alerts
    preprocessor stream4_reassemble
    preprocessor http_decode: 80 -unicode -cginull
    preprocessor rpc_decode: 111 32771
    preprocessor bo
    preprocessor telnet_decode

    output database: log, mysql, user=snort dbname=snort host=localhost

    include c:\snort\classification.config
    include $RULE_PATH/bad-traffic.rules
    include $RULE_PATH/exploit.rules
    include $RULE_PATH/scan.rules
    include $RULE_PATH/finger.rules
    include $RULE_PATH/ftp.rules
    include $RULE_PATH/telnet.rules
    include $RULE_PATH/smtp.rules
    include $RULE_PATH/rpc.rules
    include $RULE_PATH/rservices.rules
    include $RULE_PATH/dos.rules
    include $RULE_PATH/ddos.rules
    include $RULE_PATH/dns.rules
    include $RULE_PATH/tftp.rules
    include $RULE_PATH/web-cgi.rules
    include $RULE_PATH/web-coldfusion.rules
    include $RULE_PATH/web-iis.rules
    include $RULE_PATH/web-frontpage.rules
    include $RULE_PATH/web-misc.rules
    include $RULE_PATH/web-attacks.rules
    include $RULE_PATH/sql.rules
    include $RULE_PATH/x11.rules
    include $RULE_PATH/icmp.rules
    include $RULE_PATH/netbios.rules
    include $RULE_PATH/misc.rules
    include $RULE_PATH/attack-responses.rules
    # include $RULE_PATH/backdoor.rules
    include $RULE_PATH/shellcode.rules
    # include $RULE_PATH/policy.rules
    # include $RULE_PATH/porn.rules
    # include $RULE_PATH/info.rules
    # include $RULE_PATH/icmp-info.rules
    # include $RULE_PATH/virus.rules
    include $RULE_PATH/local.rules

    I had changed $RULE_PATH, $HOME_NET, include c:\snort\classification.config and
    output database: log, mysql, user=snort dbname=snort host=localhost

    But that is all I changed

  4. #4
    Senior Member
    Join Date
    Jan 2002
    Posts
    458
    Please make your IP address a little harder to figure out next time. Even by blocking out the last octet, there is only a maximum of 254 IP addresses that you can have. I don't think you really want some people having this information.

    Snort itself does not require any web server or DB server, but many of the tools that are used to generate readable reports for Snort (such as Demarc and Acid) do require it, and it is highly recommended. SnortSnarf, if I remember correctly, also requires a web server of some sort if you want to be able to view the reports from another machine, because the snortsnarf.pl file generates the output in HTML. Although if you only have one machine, you can just open the HTML file in your local browser and you would not need a web server.

    Hope that answers your questions...

  5. #5
    Senior Member
    Join Date
    Jun 2002
    Posts
    148
    Thanks for the tip, I will remember. Sorry for starting new threads, I will keep all the same topic threads together next time.

    However I still can't figure out why it is looking for that dll. I tried commenting out my output line, I only put that there because I was following directions, but I think that from what you are saying I don't need the database thingy. But I tried commenting it out and it is still giving me the error. I am not going to give up though, I will keep trying to figure it out. Thank you both for being patient with me.

  6. #6
    I got so frustrated with trying to get the Windows version of snort running that I boot one of my PCs on my home network with Trinux. The box runs Win98SE. However, after I'm done with it at night, I use a boot diskette to start Trinux and then run snort and labrea tarpit. I use an unassigned IP as DMZ. That lets snort tell me what's going on while labrea tarpits them.


    http://trinux.sourceforge.net

    I'll post a trinux tut if ya think that it would help.

  7. #7
    You don't have to have apache or mysql to run snort....only snortsnarf. See if you can get tcpdump to work (winpcap) then go from there.

  8. #8
    Junior Member
    Join Date
    Feb 2002
    Posts
    13
    I noticed your config is configured to output to a database:

    output database: log, mysql, user=snort dbname=snort host=localhost

    Is this what you intended? If you are not using mySQL then this could be the reason why you are getting that error. If you did not intend to use mySQL then comment out or remove that line.
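
Added example, not part of the original thread: a small Python check that lists the active "output database" directives in a snort.conf, which is the thing post #8 asks the poster to verify, and confirms that a commented-out line (the attempt described in post #5) is no longer active. The sample config is constructed from lines quoted in post #3 with a placeholder address, and the function names are this example's own.

```python
import re

# Constructed sample modelled on the snort.conf quoted in post #3.
# The address is a documentation placeholder, not the poster's.
SAMPLE_CONF = r"""
var HOME_NET 192.0.2.10/32 # constructed address
var RULE_PATH c:\snort\
preprocessor frag2
output database: log, mysql, user=snort dbname=snort host=localhost
include $RULE_PATH/local.rules
# include $RULE_PATH/info.rules
"""

def active_directives(conf_text):
    """Yield (line_no, keyword, rest) for every directive that is not commented out."""
    for no, raw in enumerate(conf_text.splitlines(), 1):
        # Simplification: everything after '#' is treated as a comment.
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        yield no, parts[0], parts[1].strip() if len(parts) > 1 else ""

def database_outputs(conf_text):
    """Return one dict per active 'output database:' line."""
    found = []
    for no, keyword, rest in active_directives(conf_text):
        m = re.match(r"database\s*:\s*(.*)", rest)
        if keyword != "output" or not m:
            continue
        # Format on the page: <mode>, <dbtype>, <key=value ...>
        fields = [f.strip() for f in m.group(1).split(",", 2)]
        fields += [""] * (3 - len(fields))
        params = dict(p.split("=", 1) for p in fields[2].split() if "=" in p)
        found.append({"line": no, "mode": fields[0],
                      "dbtype": fields[1], "params": params})
    return found

if __name__ == "__main__":
    for hit in database_outputs(SAMPLE_CONF):
        print("line %(line)d: database output (%(dbtype)s, %(mode)s) %(params)s" % hit)
    # The change suggested in post #8: comment the line out, then re-check.
    commented = SAMPLE_CONF.replace("output database", "# output database")
    print("after commenting out:", database_outputs(commented))
```

To check a real file, pass its contents to database_outputs(); an empty list means no database output plugin is enabled in that file.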
