May 1st, 2003, 02:33 AM
getting snort to work
Sorry if this has already been covered, but...
I'm playing around with snort, trying to learn and such, and I want to run it in a basic IDS mode. Whenever I type the command, it tells me that "no netmask has been specified for the home network" and it quits. Now, I know where my netmask is listed, but how do I specify it for snort? This is just my standalone home computer on a cable modem, btw.
May 1st, 2003, 03:05 AM
What OS and version of Snort are you using? You do need to setup the config file (snort.cfg) usually before running it. What tutorial did you use to setup snort or did you just uninstall and mucked about?
May 1st, 2003, 03:31 AM
Mandrake 9.1, snort 2.0.0
A little mucking around (sometimes seem to learn that way) but I also followed the usage file that came with snort (by Martin Roesch)
He starts walking you through some of the basic commands to sniff and log, and that all seemed to work fine. It then had a command for IDS, and when I typed it, then I got the error.
Here it is:
./snort -dev -l ./log -h 184.108.40.206/24 -c snort.conf
Now I should add that in my studpidity I have been trying to put my ip address in for the one listed, figuring it was just a sample, but since I have seen it in several places researching this problem since my first post (and yes, I was searching before it too) I tried leaving it as is. Now I am wondering why it would stay (if that is correct) because now all its asking for is the location of my conf file (which is a prob I can fix, I think)
Appears to be working now, but I am still left wondering: why would I include 220.127.116.11/24 in my command instead of something specific to my computer? Maybe I'll be able to find the answer before anyone has to tell me, but if you know, please post. Thanks.
May 1st, 2003, 05:03 AM
The ip address used in the sample is formatted as follows: [network address]/[subnet mask].
The network address for your configuration is: (first three digits of your computers address in dotted format).0, b/c the network address for the first subnet of all networks is *.*.*.0.
The subnet mask tells snort what range of ip addresses are valid after the network address you specified. The subnet mask is implemented in practice by a bitmask. The bitmask is a binary number where 1's represent masked fields, and 0's represent unmasked. the /24 in the example indicates the first 24 bits are masked out of the 32 making up an ip address, leaving the last 8(last integer in the dotted format) open to be addressed. So check ifconfig to find your subnet mask. If it is listed as 255.255.255.0, then use /24, otherwise go to the below link for more specific info on netmask calculations.
So, simply put, the example configuration may not work for your machine, so don't trust snort's sanity checking. As far as the snort.conf error goes, set the argument "-c /etc/snort.conf" in the commandline. Make sure you edit snort.conf to your liking. you can even set the env variable $HOME_NET to the -h argument and you won't have to include that anymore in the commandline.
Netmask calculations: http://www.ralphb.net/IPSubnet/subnet.html
May 2nd, 2003, 12:10 AM
I was curious to know if there was snort that would work in windows.
May 2nd, 2003, 12:13 AM
Get Snort-win here. It is an installer binary built from the actual SourceFire code and distributed by the official snort.org. It uses traditional snort configuration and rules files and allows you to send alerts to the Event Log on NT machines.
$person!=$kiddie or die(\"Alas, die you hotmail hacker!!\");
May 2nd, 2003, 02:11 AM
Alright, this should be the last question for a while. I've been able to get everything running, and after some heavy reading, I believe I have a decent understanding of ips, what they mean, etc. Snort is up and running. My question is:
When I set my home network in my command, does snort then only monitor traffic heading for that ip? In other words, when snort is started does it monitor all traffic that comes through my line, and just log relative to the home network? Or does it not worry about anything that doesn't have the home network as its destination? The reason I ask is that it seems to run with both the non-routable 18.104.22.168/24 and my actual ip xx.xx.xxx.xxx/24.
May 20th, 2003, 03:38 AM
If you are refering to the HOME_NET variable set in your conf file, then just simply know that the variables that you define in your snorf.conf file are used by the snort rulesets. So if you define $HOME_NET or $DNS_SERVERS (or whatever), then they will only be applied if one of the rulesets in your rules directory calls upon that variable as either a source or destination address range. Open up a text editor and start looking at the syntax of the snort rules and you will catch my drift.
Now if you are refering to the -h option executed from the command line, as in -h 192.168.0.0/24, then it refers to the structure of your log directories, not what traffic snort actually monitors. This is ripped from the snort manual. Hopefully it helps explain things:
Once you get past the snort basics, my suggestion is to install a web-based front-end like ACID or Demarc (Demarc is unfortunately now a commercial product) and to log to a MySQL database instead of using the default snort logging. Using a front end will make your appreciation of snort much greater. The default logging kind of rots and is not very easy to work with or read.
./snort -dev -l ./log -h 192.168.1.0/24
This rule tells Snort that you want to print out the data link and TCP/IP headers as well as application data into the directory ./log, and you want to log the packets relative to the 192.168.1.0 class C network. All incoming packets will be recorded into subdirectories of the log directory, with the directory names being based on the address of the remote (non-192.168.1) host. Note that if both hosts are on the home network, then they are recorded based upon the higher of the two's port numbers, or in the case of a tie, the source address.