Snort IDS Help

  1. #1 Junior Member (Join Date: Mar 2003, Posts: 6)

    Snort IDS Help

    Hey, I'm kinda new to Linux. I was using M$ Windows for a few years (learned about Linux from shell accounts),
    and now that I have my own Linux box I need to learn how to do the security part. I did some research, learned about SUID programs and so on, did some permission checking, set up iptables, blah blah. Anyways, now I was told all I need is to set up some kind of IDS. So I downloaded Snort version 1.9.1. I read the man pages and help but I still can't figure out how to really use it like I want to. I want to run it as a daemon so I used 'snort -D' but it didn't do anything; I checked 'ps' and snort was not listed. Can someone kinda tell me how it works? I would like to make it run in the background and choose where the log files go. Thanks..
    WARNING: Your computer might be infected with a well known virus called \'windows\'.

  2. #2 Just Another Geek (Join Date: Jul 2002, Location: Rotterdam, Netherlands, Posts: 3,401)
    Did you edit snort.conf? In snort.conf you define what and how things get logged.
    Did you check /var/log/messages for any error messages? Remember that snort needs to be started as root because it wants to put the network card in promiscuous mode.

    Try running it like:

    /usr/local/bin/snort -b -c /usr/local/etc/snort.conf -u snort -g snort -l /home/snort -D

    This is assuming snort is in /usr/local/bin and snort.conf is in /usr/local/etc. It will start logging in /home/snort and run as user/group snort.
    Oliver's Law:
    Experience is something you don't get until just after you need it.
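    An added example, not from the thread: a small start script around the command line in the reply above, which first checks the things a silent 'snort -D' exit usually comes down to (not root, missing config, missing log directory, missing snort user) and afterwards confirms the daemon is alive or shows the syslog lines it left behind. The snort, config and log paths are the same assumptions as in the reply; the function names snort_preflight and start_snort are made up for this script.

```shell
#!/bin/sh
# Start script around the command line from reply #2 (assumed paths; override via env).
SNORT_BIN="${SNORT_BIN:-/usr/local/bin/snort}"
SNORT_CONF="${SNORT_CONF:-/usr/local/etc/snort.conf}"
SNORT_LOG="${SNORT_LOG:-/home/snort}"
SNORT_USER="${SNORT_USER:-snort}"

# Preflight: the usual reasons "snort -D" exits before it ever forks.
# Usage: snort_preflight CONF LOGDIR USER ; returns 0 when every check passes.
snort_preflight() {
    pf_conf="$1"; pf_log="$2"; pf_user="$3"; pf_rc=0
    [ -r "$pf_conf" ] || { echo "config missing/unreadable: $pf_conf" >&2; pf_rc=1; }
    [ -d "$pf_log" ]  || { echo "log directory missing: $pf_log" >&2; pf_rc=1; }
    id "$pf_user" >/dev/null 2>&1 \
        || { echo "user $pf_user does not exist (needed for -u/-g)" >&2; pf_rc=1; }
    return $pf_rc
}

# Start snort as a daemon, then confirm it is still alive; on failure show
# the syslog lines it wrote instead of guessing at the cause.
start_snort() {
    if [ "$(id -u)" -ne 0 ]; then
        echo "must start as root: snort has to put the NIC in promiscuous mode" >&2
        return 1
    fi
    snort_preflight "$SNORT_CONF" "$SNORT_LOG" "$SNORT_USER" || return 1
    # snort drops to SNORT_USER after start-up, so that user must own the log dir
    # (assumes a group with the same name as the user, as in -u snort -g snort).
    chown "$SNORT_USER:$SNORT_USER" "$SNORT_LOG" || return 1
    "$SNORT_BIN" -b -c "$SNORT_CONF" -u "$SNORT_USER" -g "$SNORT_USER" \
        -l "$SNORT_LOG" -D || return 1
    sleep 2
    if pgrep -x snort >/dev/null 2>&1; then
        echo "snort running, pid $(pgrep -x snort | head -n 1), logging to $SNORT_LOG"
    else
        echo "snort is not running; last syslog lines mentioning it:" >&2
        grep -i snort /var/log/messages 2>/dev/null | tail -n 10 >&2
        return 1
    fi
}

# Run as "./start-snort.sh start" (as root); sourcing the file only defines the functions.
if [ "${1:-}" = "start" ]; then
    start_snort
fi
```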

  3. #3 Junior Member (Join Date: Mar 2003, Posts: 6)
    No, I didn't edit snort.conf, but that seems to be what I was looking for, thanks. I got one more question.. How about using snort as a packet sniffer so I can see all incoming/outgoing packets? Think someone can give me a grip on that?

  4. #4 Just a Virtualized Geek (Join Date: Sep 2001, Location: Redondo Beach, CA, Posts: 7,324)
    Snort only looks for packets based on the rules that are defined in the snort.conf.

    You'd be better off using WinDump as that will pick up EVERYTHING. What do you want to packet sniff for?
    Goodbye, Mittens (1992-2008). My pillow will be cold without your purring beside my head
    Extra! Extra! Get your FREE copy of Insight Newsletter||MsMittens' HomePage

  5. #5 Junior Member (Join Date: Mar 2003, Posts: 6)
    You'd be better off using WinDump as that will pick up EVERYTHING. What do you want to packet sniff for?
    WinDump? I use Linux....
    I would like it to do a little C programming and would like to make my own chat clients (Yahoo, etc..).

  6. #6 Just a Virtualized Geek (Join Date: Sep 2001, Location: Redondo Beach, CA, Posts: 7,324)
    D'oh! Wasn't paying attention. My bad. Then in that case TCPDUMP would be good. Might also want to check out Ethereal or Ettercap.

  7. #7 Senior Member (Join Date: Mar 2003, Posts: 372)
    Oh, you also might consider getting the latest version of snort. There was a CERT release today about two fairly large vulnerabilities in the version you have.

    Actually one of them exists in 2.0x previous to RC1. I think I saw something about them coming out with 2.02 RC2 as a fix, but I could just be remembering stuff incorrectly.

    You can check out the vulnerability information here.

    Give a man a match and he will be warm for a while, light him on fire and he will be warm for the rest of his life.
