Results 1 to 4 of 4

Thread: Win XP Snort installation help needed

  1. #1

    Win XP Snort installation help needed

    I have everything pretty much buttoned up at this point. Allow me to explain what I have done so far so as to avoid confusion.

    I installed snort from a binary file with IDS Center 2001, installation was smooth, I got the snort.conf file all setup to include everything listed below:

    include webcgi-lib
    include webcf-lib
    include webiis-lib
    include webfp-lib
    include webmisc-lib
    include overflow-lib
    include finger-lib
    include ftp-lib
    include smtp-lib
    include telnet-lib
    include misc-lib
    include netbios-lib
    include scan-lib
    include ddos-lib
    include backdoor-lib
    include ping-lib
    include rpc-lib

    I have an external log file viewer/editor set to use Notepad.exe.
    I have the IP of the computer I wish to monitor set at 192.168.0.2/32.
    I have set the log directory to c:\Snort\snortlog
    I have the following flags turned on: -d -C -b -A -c

    Theres 2 things so far that I have not been able to overcome, in the GUI (IDS Center) in the overview section in the error log it states "|> Snort Logdir doesn´t exist". I figured I had it set to c:\snort\snortlog???? edit even if I turn logging off it still wants a logdir, grrrrr.

    I figured, oh well, I'll fire it up just to see if I got it to work, after all that ****, and when I do it says "generate a script first" WTF?

    I'm not really interested in a bulletproof install as this is for purely educational purposes only (think 192.168.0.2 set up as the DMZ server ) Any help would be greatly appreciated.

  2. #2
    I have had similar problems with an earlier version of IDS Center. Actually, I never got it to be completely reliable. However, the "generate a script first" stuff is related to the various "saves" that you can make as you edit files. I don't have IDS on this computer, so I'm depending on my aging memory, but as you make changes in various settings, there usually is an invitation to save either below the change window or on the toolbar. Generously pressing these save buttons will do away with this message.

  3. #3
    If its the "apply" button, I have already configured everything and hit apply. I'm assuming that is the same function as the save function your speaking of. I also was asked if I had a packet driver installed, and yes I do, from a previous installation of Nmap and Etherreal. I have scoured google, and have not yet found any info as to what may cause this. Any help would be GREATLY appreciated.

    edit, me gots it working, I tried running an Nmap scan against my computer. it generated an alert, but when I went to view the log files, I couldent. What are you all using for a logger/editor?

    Jonesy

  4. #4
    I have a couple of low volume web sites on fast servers, so I am getting adequate results from the simple ASCII logging option and examining them with a simple ASCII editor. Someone on this site mentioned the DeMarc PureSecure package and I have been trying this out.

    See below for quick review and URL
    http://www.securityfocus.com/tools/2113

    Nice package that uses snort (probably others are also possible) for an IDS sensor, allows update of snort rules, and provides nice reports using a web browser. The only down side is that it requires you to remove the .exe exclusion from URLScan on the web server you use for this purpose. You can replace it with specific exe file exclusions like root.exe and cmd.exe, but it could just be an exploit waiting to happen. Nevertheless, it is a nice package that installs with a lot less hassle than IDS center and provides nice reporting facilities. Overall, I would recommend it highly.

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •