-
August 7th, 2002, 05:00 AM
#1
Another snort problem
I recently made two posts regarding setting up snort. Both my posts were answered and I have solved both problems, but I have another. I do not have any web server, and I don't want a web server. I don't know much about mysql other than it has something to do with a database.
I get the error message saying a required dll NTWDBLIB.DLL was not found, so I did a web search at google and found a dozen forums where someone has been asking about NTWDBLIB.DLL, and I did not find any answers. Can someone tell me where I can get that dynamic link library? I already have the WinPcap stuff.
Do I need msql, iis, apache or any of that other funny stuff to run snort?
All I want is to give myself some ease of mind knowing I am protected, because ZoneAlarm is not making me feel very safe at all. I do not have a network, I only have one computer. I only want snort to run as an IDS.
In snatches, they learn something of the wisdom
which is of good, and more of the mere knowledge which is of evil. But must I know what must not come, for I shale become those of knowledgedome. Peace~
-
August 7th, 2002, 05:12 AM
#2
Can I make a quick suggestion? Post all of your Snort questions in one thread instead of starting all new ones every time you have a new question.
As for the DLL file, you shouldn't need MSQL, Apache or anything else to run Snort. I know that the DLL in question is definitely an SQL file, though. Did you change a setting to use SQL somehow within Snort? If not, try installing ODBC. That may fix the problem.
AJ
-
August 7th, 2002, 05:39 AM
#3
I think maybe in my snort.conf I possibly set it for mysql, but I don't know how to shut it off. Here is my snort.conf:
var HOME_NET 24.101.155.x/32 # x is the actual number in my file
var EXTERNAL_NET $HOME_NET
var SMTP $HOME_NET
var HTTP_SERVERS $HOME_NET
var SQL_SERVERS $HOME_NET
var DNS_SERVERS $HOME_NET
var RULE_PATH c:\snort\
var SHELLCODE_PORTS !80
var HTTP_PORTS 80
var ORACLE_PORTS 1521
preprocessor frag2
preprocessor stream4: detect_scans, disable_evasion_alerts
preprocessor stream4_reassemble
preprocessor http_decode: 80 -unicode -cginull
preprocessor rpc_decode: 111 32771
preprocessor bo
preprocessor telnet_decode
output database: log, mysql, user=snort dbname=snort host=localhost
include c:\snort\classification.config
include $RULE_PATH/bad-traffic.rules
include $RULE_PATH/exploit.rules
include $RULE_PATH/scan.rules
include $RULE_PATH/finger.rules
include $RULE_PATH/ftp.rules
include $RULE_PATH/telnet.rules
include $RULE_PATH/smtp.rules
include $RULE_PATH/rpc.rules
include $RULE_PATH/rservices.rules
include $RULE_PATH/dos.rules
include $RULE_PATH/ddos.rules
include $RULE_PATH/dns.rules
include $RULE_PATH/tftp.rules
include $RULE_PATH/web-cgi.rules
include $RULE_PATH/web-coldfusion.rules
include $RULE_PATH/web-iis.rules
include $RULE_PATH/web-frontpage.rules
include $RULE_PATH/web-misc.rules
include $RULE_PATH/web-attacks.rules
include $RULE_PATH/sql.rules
include $RULE_PATH/x11.rules
include $RULE_PATH/icmp.rules
include $RULE_PATH/netbios.rules
include $RULE_PATH/misc.rules
include $RULE_PATH/attack-responses.rules
# include $RULE_PATH/backdoor.rules
include $RULE_PATH/shellcode.rules
# include $RULE_PATH/policy.rules
# include $RULE_PATH/porn.rules
# include $RULE_PATH/info.rules
# include $RULE_PATH/icmp-info.rules
# include $RULE_PATH/virus.rules
include $RULE_PATH/local.rules
I had changed $RULE_PATH, $HOME_NET, include c:\snort\classification.config and
output database: log, mysql, user=snort dbname=snort host=localhost
But that is all I changed
-
August 7th, 2002, 01:52 PM
#4
Please make your IP address a little harder to figure out next time. Even by blocking out the last octet, there is only a maximum of 254 IP addresses that you can have. I don't think you really want some people having this information.
Snort itself does not require any web server or DB server, but many of the tools that are used to generate readable reports for Snort (such as Demarc and Acid) do require it, and it is highly recommended. SnortSnarf, if I remember correctly, also requires a web server of some sort if you want to be able to view the reports from another machine, because the snortsnarf.pl file generates the output in HTML. Although if you only have one machine, you can just open the HTML file in your local browser and you would not need a web server.
Hope that answers your questions...
-
August 7th, 2002, 11:58 PM
#5
Thanks for the tip, I will remember. Sorry for starting new threads, I will keep all the same topic threads together next time.
However, I still can't figure out why it is looking for that dll. I tried commenting out my output line. I only put that there because I was following directions, but I think that from what you are saying I don't need the database thingy. But I tried commenting it out and it is still giving me the error. I am not going to give up though, I will keep trying to figure it out. Thank you both for being patient with me.
-
August 8th, 2002, 12:10 AM
#6
Banned
I got so frustrated with trying to get the Windows version of snort running that I boot one of my PCs on my home network with Trinux. The box runs Win98SE. However, after I'm done with it at night, I use a boot diskette to start Trinux and then run snort and labrea tarpit. I use an unassigned IP as DMZ. That lets snort tell me what's going on while labrea tarpits them.
http://trinux.sourceforge.net
I'll post a trinux tut if ya think that it would help.
-
August 8th, 2002, 02:41 AM
#7
You don't have to have apache or mysql to run snort... only snortsnarf. See if you can get tcpdump to work (winpcap), then go from there.
-
August 9th, 2002, 03:22 PM
#8
Junior Member
I noticed your config is configured to output to a database:
output database: log, mysql, user=snort dbname=snort host=localhost
Is this what you intended? If you are not using mySQL then this could be the reason why you are getting that error. If you did not intend to use mySQL then comment out or remove that line.
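A small check for the point raised in this thread, added here as an example and not code from any poster or from the Snort project: it lists the active `output database` lines in a snort.conf and returns a copy with them commented out. The sample config is a shortened, constructed copy of the one posted above, and the function names are hypothetical.

```python
import re

# Constructed sample: a shortened copy of the snort.conf posted in this thread.
SAMPLE_CONF = r"""
var HOME_NET 24.101.155.x/32   # x is the actual number in my file
var RULE_PATH c:\snort\
preprocessor frag2
output database: log, mysql, user=snort dbname=snort host=localhost
# output alert_fast: alert.ids
include c:\snort\classification.config
include $RULE_PATH/scan.rules
# include $RULE_PATH/backdoor.rules
"""

DIRECTIVE = re.compile(r"^(var|preprocessor|output|include)\s+(.*)$")

def parse_conf(text):
    """Return (line_no, keyword, argument) for every active directive."""
    active = []
    for no, raw in enumerate(text.splitlines(), 1):
        # Assumption: '#' starts a comment, whole-line or trailing.
        line = raw.split("#", 1)[0].strip()
        m = DIRECTIVE.match(line)
        if m:
            active.append((no, m.group(1), m.group(2).strip()))
    return active

def database_outputs(text):
    """Active 'output database' lines as (line_no, db_type) pairs."""
    found = []
    for no, kw, arg in parse_conf(text):
        plugin, _, opts = arg.partition(":")
        if kw == "output" and plugin.strip() == "database":
            fields = [f.strip() for f in opts.split(",")]
            found.append((no, fields[1] if len(fields) > 1 else "unknown"))
    return found

def disable_database_output(text):
    """Return the config with every active 'output database' line commented out."""
    hits = {no for no, _ in database_outputs(text)}
    return "\n".join("# " + l if i in hits else l
                     for i, l in enumerate(text.splitlines(), 1))

if __name__ == "__main__":
    for no, db in database_outputs(SAMPLE_CONF):
        print(f"line {no}: database output active (type {db})")
    print(disable_database_output(SAMPLE_CONF))
```

Running it against the real file (read with `open(path).read()`) shows whether a database output line is still active after editing, for example because a second copy of the line exists or a different snort.conf is being loaded.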