Thread: Snort problems

  1. #1
    Senior Member bAgZ's Avatar
    Join Date
    Jul 2001
    Posts
    206

    Snort problems

    I have a FreeBSD 5.3 machine configured as a firewall. I also want to add snort on it. I pretty much managed to install snort and prelude, but every time I try to run it I get this error:

    "No ident configured for sensor snort.

    Basic file configuration does not exist. Please run :
    sensor-adduser --sensorname snort --uid 0
    program on the sensor host to create an account for this sensor.

    Be aware that you should also pass the "--manager-addr" option with the
    manager address as argument. "sensor-adduser" should be called for
    each configured manager address."

    Now I googled for it quite a lot and only found two pages with possible solutions, but none of them work for me. Any help on this would be great.

  2. #2
    Shrekkie Reloaded Raiden's Avatar
    Join Date
    Oct 2005
    Posts
    1,115
    Basic file configuration does not exist.
    Did you mv the sample configuration file to snort.conf and edit it?

  3. #3
    Senior Member bAgZ's Avatar
    Join Date
    Jul 2001
    Posts
    206
    I have done that. I have a /etc/snort/snort.conf file, but it seems to me I need to register a snort profile with prelude, which is done by running a command like this:
    $ prelude-adduser register snort "idmef:w admin:r" <manager address> --uid X --gid X
    Problem is I don't have the prelude-adduser command. So I run this:
    sensor-adduser --sensorname snort --manager-addr 192.168.0.1 "idmef:w admin:r" --uid 1002
    After that I get an error like this and I have no idea where to go from there:
    Enter registration one shot password :*******
    Please confirm one shot password :*******
    connecting to Manager host (localhost:5553)... couldn't connect to localhost.
    Thing is, what runs on localhost port 5553??!?!
    This is all very confusing.

  4. #4
    Shrekkie Reloaded Raiden's Avatar
    Join Date
    Oct 2005
    Posts
    1,115
    Prelude is a tool that analyses the logfiles generated by another tool, for example snort.
    This prelude seems to have a daemon-mode where the snort-tool has to authenticate again.

    I'm no expert on prelude, but it seems that you have installed snort with that exact prelude-support. Try to start that prelude-engine first. Make a user-entry for the snort-engine, and then try to start snort.

    From what I can see this quickly, that should be the setup. Anyway, maybe I can look into it deeper later, not right now.

    Maybe this is a good reference towards your problem. Just think away the specific gentoo-commands/install references.

    http://gentoo-wiki.com/HOWTO_IDS#Configuring_Prelude

    Cheers.

  5. #5
    Senior Member bAgZ's Avatar
    Join Date
    Jul 2001
    Posts
    206
    I installed snort with prelude support. That was the plan all along. I'll have a look at that prelude engine, but I'm pretty sure it's running. If you think of something let me know, I've been stuck with this for like three days now. Thanks for your help.

  6. #6
    Master-Jedi-Pimps0r & Moderator thehorse13's Avatar
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,885
    connecting to Manager host (localhost:5553)... couldn't connect to localhost.
    This error suggests that prelude is not listening locally for connections.

    Do a netstat -an and look for something like this (simplified view):
    Code:
    Proto   Local Address    Foreign Address   State
    TCP     127.0.0.1:5553   0.0.0.0:*         LISTENING

    or

    Proto   Local Address    Foreign Address   State
    TCP     127.0.0.1:5553   127.0.0.1:*       LISTENING
    If you don't see one of the above, then this is why you're getting the error. To solve this, check the prelude conf file and see what it's set at for accepting connections.

    --TH13
    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden
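
Added example, not part of thehorse13's post: a shell function that reads `netstat -an` text and reports whether TCP port 5553 is listening on loopback, on all addresses, or only on another address (in which case a connect to localhost:5553 fails as in post #3). The function name `listener_scope` and the sample lines are constructed for illustration; FreeBSD's netstat prints the local address as `127.0.0.1.5553` with state `LISTEN`, unlike the simplified view above, so both layouts are handled.

```shell
#!/bin/sh
# Added example, not from the thread. Reads `netstat -an` text on stdin and
# prints where TCP port $1 is listening: none | loopback | wildcard | other:ADDR
# Live use on the firewall:  netstat -an | listener_scope 5553
listener_scope() {
    awk -v port="$1" '
    function rank(s) {
        if (s == "wildcard") return 3
        if (s == "loopback") return 2
        if (s == "none") return 0
        return 1
    }
    BEGIN { best = "none" }
    tolower($1) ~ /^tcp/ && toupper($NF) ~ /^LISTEN/ {
        # Unix netstat: Proto Recv-Q Send-Q Local Foreign State (6 fields).
        # Simplified/Windows view: Proto Local Foreign State (4 fields).
        laddr = (NF >= 6) ? $4 : $2
        # The port follows the last "." (BSD) or ":" (Linux, Windows).
        if (!match(laddr, /[.:][0-9]+$/)) next
        if (substr(laddr, RSTART + 1) != port) next
        addr = substr(laddr, 1, RSTART - 1)
        if (addr == "*" || addr == "0.0.0.0" || addr == "::") scope = "wildcard"
        else if (addr == "127.0.0.1" || addr == "::1") scope = "loopback"
        else scope = "other:" addr
        # Keep the widest binding seen for this port.
        if (rank(scope) > rank(best)) best = scope
    }
    END { print best }'
}

# Constructed sample inputs (not captured from a real host).
BSD_LOOPBACK='Proto Recv-Q Send-Q Local Address   Foreign Address (state)
tcp4   0  0 127.0.0.1.5553  *.*  LISTEN
tcp4   0  0 *.22            *.*  LISTEN'
BSD_LAN_ONLY='tcp4   0  0 192.168.0.1.5553  *.*  LISTEN'
SIMPLIFIED='TCP  127.0.0.1:5553  0.0.0.0:*  LISTENING'
NO_MANAGER='tcp4   0  0 *.22  *.*  LISTEN'

for name in BSD_LOOPBACK BSD_LAN_ONLY SIMPLIFIED NO_MANAGER; do
    eval "text=\$$name"
    printf '%-13s %s\n' "$name" "$(printf '%s\n' "$text" | listener_scope 5553)"
done
```

A result of `none` means the manager is not running or not bound to that port; `other:ADDR` means it is listening, but not on the address the registration tool tried.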

  7. #7
    Just Another Geek
    Join Date
    Jul 2002
    Location
    Rotterdam, Netherlands
    Posts
    3,401
    How did you install snort on FreeBSD? /etc/snort/* shouldn't exist.. It should be in /usr/local/etc/snort/*
    I think you installed snort and prelude by hand.. Use the ports Luke!

    cd /usr/ports/security/snort && make all install clean
    cd /usr/ports/security/prelude-lml && make all install clean
    cd /usr/ports/security/prelude-manager && make all install clean

    Everything should get fetched, built and installed in order, and more importantly, in the correct place..
    Oliver's Law:
    Experience is something you don't get until just after you need it.

  8. #8
    Senior Member bAgZ's Avatar
    Join Date
    Jul 2001
    Posts
    206
    I installed snort using ports. This is a funny problem. I'm sure I'll get it going as soon as I get prelude sorted out. Problem is I only found like two pages on google regarding this and one of them was recommended by Raiden. I'll play this weekend with it and hopefully I'll get it going. Thanks.

  9. #9
    Just Another Geek
    Join Date
    Jul 2002
    Location
    Rotterdam, Netherlands
    Posts
    3,401
    Have a look through /usr/local/etc/rc.d/. If the port uses the new startup scheme you'll find the startup scripts there.. You might need to add a prelude_enable="YES" (or something like it, I don't use prelude) to rc.conf..
    Oliver's Law:
    Experience is something you don't get until just after you need it.

  10. #10
    Senior Member
    Join Date
    Dec 2004
    Posts
    3,171
    bumped
