
Thread: Snort install

  1. #1
    Senior Member
    Join Date
    Dec 2002
    Posts
    144

    Snort install

    Hi,
    I have been trying to install Snort on my Linux machine. I read the installation manual, but it seems very confusing to me. Can someone explain why I need to install and set up so many programs to get Snort up? What is the relationship between Webadmin and ACID to Snort?
    BlAcKiE
    GearBlitz

  2. #2
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    My experience is with the Win32 version of Snort, but it's pretty similar in the way they all interact, I think.

    Snort is the data collector. It picks up everything on the wire and passes it through the rules. If the packet matches a rule, it passes an alert to wherever you tell it in the output section of snort.conf. In your case you should have installed MySQL so that Snort has somewhere to log its alerts. MySQL is the data repository which holds all the alerts. But unless you are accomplished at MySQL you can't see much, so you would use a program to show you the data in a nice readable format... That's ACID... a PHP-based web application for reading Snort logs on a MySQL server.

    That's why it seems you are adding so many programs. You need to bring up webadmin because the machine itself has to act as a server so that ACID can read the database and present the information you request.

    You could have Snort simply dump everything to text files but, IME, have fun scooting around a dozen text files on a busy network to find out what is going on...
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

  3. #3
    Senior Member
    Join Date
    Jul 2001
    Posts
    461
    You should only need to install Snort and libpcap in order for Snort to "work".

    However, it will not have the ACID management console, and without MySQL it will only be storing alerts to a file.

    So, to answer your question, if you do not install all of those things, they won't work together. If all you want is the Snort command line interface, don't install them. Just do libpcap and Snort, and have fun.
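    Both replies above describe the plain-file alternative to the MySQL/ACID setup: Snort writes each alert as one line to a text file, and ACID's job is to make those alerts searchable. The following is an added example, not code from this thread or from the Snort project: a small Python script that parses alert lines in the layout of Snort 2.x's alert_fast output (enabled by a line such as `output alert_fast: alert.ids` in the output section of snort.conf) and summarises them by signature and source host, the same questions an analyst would otherwise answer by grepping a dozen files. The sample alert lines, addresses and signature ids are constructed for the example; the parser also handles ICMP alerts (no ports) and rules without a classification, which the original format allows.

```python
import re
from collections import Counter

# Constructed sample lines in the layout Snort's "alert_fast" output plugin
# writes (Snort 2.x, enabled with "output alert_fast: alert.ids" in
# snort.conf). Addresses and signature ids are made up for this example.
SAMPLE_ALERTS = """\
01/23-14:05:01.123456  [**] [1:1000001:1] TEST scan probe [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.0.2.10:4444 -> 198.51.100.5:80
01/23-14:05:01.654321  [**] [1:1000001:1] TEST scan probe [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.0.2.10:4445 -> 198.51.100.5:443
01/23-14:06:12.000001  [**] [1:1000002:3] TEST web server probe [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 192.0.2.77:51000 -> 198.51.100.5:80
01/23-14:07:30.500000  [**] [1:1000003:1] TEST ICMP ping [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.0.2.10 -> 198.51.100.5
this line is not an alert and should be skipped
"""

# One regular expression for a whole fast-alert line (IPv4 only). The
# Classification bracket is optional because rules without a classtype omit
# it; the port suffix is optional because ICMP alerts carry no ports.
IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
ALERT_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}-\d{2}:\d{2}:\d{2}\.\d+)\s+"
    r"\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s+(?P<class>[^\]]*)\]\s+)?"
    r"\[Priority:\s+(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>[A-Z0-9]+)\}\s+"
    r"(?P<src>" + IPV4 + r")(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>" + IPV4 + r")(?::(?P<dport>\d+))?$"
)


def parse_alert(line):
    """Parse one alert_fast line into a dict; return None for non-alert lines."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    for key in ("gid", "sid", "rev", "prio"):
        rec[key] = int(rec[key])
    for key in ("sport", "dport"):
        rec[key] = int(rec[key]) if rec[key] is not None else None
    return rec


def parse_alert_text(text):
    """Parse every line of an alert file body, silently skipping non-alert lines."""
    return [rec for rec in (parse_alert(l) for l in text.splitlines()) if rec]


def load_alert_file(path):
    """Read an alert_fast file from disk and parse it."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return parse_alert_text(fh.read())


def summarize(records):
    """Count alerts per signature and per source host; Snort priority 1 is the most severe."""
    by_sig = Counter((r["gid"], r["sid"], r["msg"]) for r in records)
    by_src = Counter(r["src"] for r in records)
    highest = min((r["prio"] for r in records), default=None)
    return {"by_signature": by_sig, "by_source": by_src, "highest_priority": highest}


if __name__ == "__main__":
    recs = parse_alert_text(SAMPLE_ALERTS)
    summary = summarize(recs)
    print(f"{len(recs)} alerts parsed; most severe priority seen: {summary['highest_priority']}")
    for (gid, sid, msg), n in summary["by_signature"].most_common():
        print(f"  {n:3d}  [{gid}:{sid}] {msg}")
    for src, n in summary["by_source"].most_common():
        print(f"  {n:3d}  alerts from {src}")
```

    Run it as-is to see the summary of the constructed lines, or call `load_alert_file("/path/to/alert.ids")` on a real alert_fast file. The point of the exercise is the one Tiger Shark makes: once several sensors or days of alerts are involved, this aggregation is what you want a database and a front end like ACID to do for you.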

  4. #4
    Senior Member
    Join Date
    Dec 2002
    Posts
    144
    Originally posted here by Tiger Shark
    My experience is with the Win32 version of Snort, but it's pretty similar in the way they all interact, I think.

    Snort is the data collector. It picks up everything on the wire and passes it through the rules. If the packet matches a rule, it passes an alert to wherever you tell it in the output section of snort.conf. In your case you should have installed MySQL so that Snort has somewhere to log its alerts. MySQL is the data repository which holds all the alerts. But unless you are accomplished at MySQL you can't see much, so you would use a program to show you the data in a nice readable format... That's ACID... a PHP-based web application for reading Snort logs on a MySQL server.

    That's why it seems you are adding so many programs. You need to bring up webadmin because the machine itself has to act as a server so that ACID can read the database and present the information you request.

    You could have Snort simply dump everything to text files but, IME, have fun scooting around a dozen text files on a busy network to find out what is going on...
    What is a webadmin? Can I install Apache?

    Originally posted here by IchNiSan
    You should only need to install Snort and libpcap in order for Snort to "work".

    However, it will not have the ACID management console, and without MySQL it will only be storing alerts to a file.

    So, to answer your question, if you do not install all of those things, they won't work together. If all you want is the Snort command line interface, don't install them. Just do libpcap and Snort, and have fun.
    Can you explain more about libpcap?

    I tried to install MySQL and Snort on my Windows machine and tried to run it, but I encountered this error message saying "A required .DLL file, WPCAP.DLL, was not found."
    What should I do?
    BlAcKiE
    GearBlitz

  5. #5
    AO übergeek phishphreek
    Join Date
    Jan 2002
    Posts
    4,325
    MsMittens has written a nice little tutorial on how to install it in the AO newsletter #6!

    I have yet to try it as it is still on my todo list. I look forward to installing and playing with it though!

    I have read through it and she makes it very easy. Have a look at it. I think it is the last section of the newsletter.
    Quitmzilla is a firefox extension that gives you stats on how long you have quit smoking, how much money you've saved, how much you haven't smoked and recent milestones. Very helpful for people who quit smoking and used to smoke at their computers... Helps out with the urges.

  6. #6
    Senior Member
    Join Date
    Dec 2002
    Posts
    144
    I figured out what happened already. I didn't install the WPCAP.DLL.
    I downloaded the program and installed it. Snort can run now, but when I type "snort -v",
    I don't seem to see any special log appear on the screen. Somebody help...
    BlAcKiE
    GearBlitz

  7. #7
    Just a Virtualized Geek MrLinus
    Join Date
    Sep 2001
    Location
    Redondo Beach, CA
    Posts
    7,323

    Penguin,

    It sounds like you installed it on your Windows box. WebMin is just a tool to administer the Snort interface a little better. If you are comfortable with the command line it should work fine. ACID is a nice PHP interface to read the results of Snort. I personally don't install WebMin but do install ACID. It's effective to show ISPs and Managers the kinds of attacks that occur. I've noticed with my recent setup that some schmuck on my ISP's network is infected with Code Red and Code Red II. Like, he had to have BOTH! (*ARGGH*)

    To test your configuration, scan the snort box with nmap or some other scanning tool. It should result in some alerts happening. If nothing happens then snort is not configured correctly and there may be something missing or out of place.
    Goodbye, Mittens (1992-2008). My pillow will be cold without your purring beside my head
    Extra! Extra! Get your FREE copy of Insight Newsletter||MsMittens' HomePage

  8. #8
    Senior Member
    Join Date
    Dec 2002
    Posts
    144
    Originally posted here by MsMittens
    Penguin,

    It sounds like you installed it on your Windows box. WebMin is just a tool to administer the Snort interface a little better. If you are comfortable with the command line it should work fine. ACID is a nice PHP interface to read the results of Snort. I personally don't install WebMin but do install ACID. It's effective to show ISPs and Managers the kinds of attacks that occur. I've noticed with my recent setup that some schmuck on my ISP's network is infected with Code Red and Code Red II. Like, he had to have BOTH! (*ARGGH*)

    To test your configuration, scan the snort box with nmap or some other scanning tool. It should result in some alerts happening. If nothing happens then snort is not configured correctly and there may be something missing or out of place.
    BTW, is 'snort -v' a command for packet logging? If it is, then something is wrong, because it did not print to the screen, nor is it printing anything into a log file. Or is 'snort -v' a command that listens for suspicious packets?
    BlAcKiE
    GearBlitz

  9. #9
    Just a Virtualized Geek MrLinus
    Join Date
    Sep 2001
    Location
    Redondo Beach, CA
    Posts
    7,323
    You need to spend some time reading your man pages. -v is verbose. It just sends the packets it collects to the screen.

    Before I can help you I need a little more information.

    On what OS have you installed Snort? And what version of Snort?

    What were the commands you ran to install snort (compile or rpm binary)?

    What was the rule set you downloaded?

    What directories did you make for snort?
    Goodbye, Mittens (1992-2008). My pillow will be cold without your purring beside my head
    Extra! Extra! Get your FREE copy of Insight Newsletter||MsMittens' HomePage

  10. #10
    Senior Member
    Join Date
    Oct 2002
    Posts
    181
    I had massive problems with Snort running on XP. Yes, I got it running; the setup was fine, but while it was running it stopped all my internet traffic! Has anyone else had this problem?

    SittingDuck
    I'm a SittingDuck, but the question is "Is your web app a Sitting Duck?"
