-
November 24th, 2005, 10:17 AM
#1
Snort problems
I have a FreeBSD 5.3 machine configured as a firewall. I also want to add snort on it. I pretty much managed to install snort and prelude, but every time I try to run it I get this error:
"No ident configured for sensor snort.
Basic file configuration does not exist. Please run :
sensor-adduser --sensorname snort --uid 0
program on the sensor host to create an account for this sensor.
Be aware that you should also pass the "--manager-addr" option with the
manager address as argument. "sensor-adduser" should be called for
each configured manager address."
Now I googled for it quite a lot and only found two pages with possible solutions, but none of them work for me. Any help on this would be great.
-
November 24th, 2005, 10:59 AM
#2
Basic file configuration does not exist.
Did you mv the sample configuration file to snort.conf and edit it?
-
November 24th, 2005, 11:26 AM
#3
I have done that; I have a /etc/snort/snort.conf file, but it seems to me I need to register the snort profile with prelude, which is done by running a command like this:
$ prelude-adduser register snort "idmef:w admin:r" <manager address> --uid X --gid X
Problem is I don't have the prelude-adduser command, so I run this:
sensor-adduser --sensorname snort --manager-addr 192.168.0.1 "idmef:w admin:r" --uid 1002
After that I get an error like this, and I have no idea where to go from there:
Enter registration one shot password :*******
Please confirm one shot password :*******
connecting to Manager host (localhost:5553)... couldn't connect to localhost.
Thing is, what runs on localhost port 5553??!?!
This is all very confusing.
-
November 24th, 2005, 01:37 PM
#4
Prelude is a tool that analyses the logfiles generated by another tool, for example snort.
This prelude seems to have a daemon-mode where the snort-tool has to authenticate again.
I'm no expert on prelude, but it seems that you have installed snort with that exact prelude-support. Try to start that prelude-engine first. Make a user-entry for the snort-engine, and then try to start snort.
From what I can see this quickly, that should be the setup. Anyway, maybe I can look into it deeper later, not right now.
Maybe this is a good reference towards your problem. Just think away the specific gentoo-commands/install references.
http://gentoo-wiki.com/HOWTO_IDS#Configuring_Prelude
Cheers.
-
November 24th, 2005, 03:51 PM
#5
I installed snort with prelude support. That was the plan all along. I'll have a look at that prelude engine, but I'm pretty sure it's running. If you think of something, let me know; I've been stuck with this for like three days now. Thanks for your help.
-
November 24th, 2005, 06:24 PM
#6
connecting to Manager host (localhost:5553)... couldn't connect to localhost.
This error suggests that prelude is not listening locally for connections.
Do a netstat -an and look for something like this (simplified view):
Code:
Proto Local Address Foreign Address State
TCP 127.0.0.1:5553 0.0.0.0:* LISTENING
or
Proto Local Address Foreign Address State
TCP 127.0.0.1:5553 127.0.0.1:* LISTENING
If you don't see one of the above, then this is why you're getting the error. To solve this, check the prelude conf file and see what it's set at for accepting connections.
--TH13
Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden
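An added example (not posted by anyone in this thread) that automates the check TH13 describes: it parses `netstat -an` output for a listener on the Prelude manager port. It handles both the FreeBSD format (`127.0.0.1.5553 ... LISTEN`) and the colon format quoted above; the sample output embedded in it is constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example: find out whether anything is listening on the Prelude
# manager port (5553 by default) by parsing `netstat -an` output.

# Constructed sample of FreeBSD `netstat -an` output (not from a real host).
SAMPLE_FREEBSD='Active Internet connections (including servers)
Proto Recv-Q Send-Q Local Address          Foreign Address        (state)
tcp4       0      0 127.0.0.1.5553         *.*                    LISTEN
tcp4       0      0 *.22                   *.*                    LISTEN'

# Constructed sample in the colon style shown in post #6.
SAMPLE_COLON='Proto Local Address Foreign Address State
TCP 127.0.0.1:5553 0.0.0.0:* LISTENING'

# listener_addr OUTPUT PORT: print each local address that is listening on
# PORT, one per line. Prints nothing and returns 1 when no listener matches.
listener_addr() {
    printf '%s\n' "$1" | awk -v port="$2" '
        /LISTEN/ {
            # FreeBSD lines have 6 fields (local address is $4);
            # the short colon-style lines have 4 (local address is $2).
            addr = (NF >= 6) ? $4 : $2
            # FreeBSD separates the port with "." and the colon style with ":";
            # the port is always the last piece either way.
            n = split(addr, parts, /[.:]/)
            if (parts[n] == port) { print addr; found = 1 }
        }
        END { exit found ? 0 : 1 }'
}

# check_manager [PORT]: run netstat on this host and report what it finds.
check_manager() {
    port=${1:-5553}
    if addr=$(listener_addr "$(netstat -an 2>/dev/null)" "$port"); then
        echo "something listens on port $port at: $addr"
    else
        echo "nothing listens on port $port; check the listen address in the prelude-manager configuration"
        return 1
    fi
}
```

A bare `127.0.0.1` listener means the sensor can only register from the same host; an address of `*` (or `0.0.0.0`) means remote sensors could reach the manager too.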
-
November 25th, 2005, 02:28 AM
#7
How did you install snort on FreeBSD? /etc/snort/* shouldn't exist.. It should be in /usr/local/etc/snort/*
I think you installed snort and prelude by hand.. Use the ports, Luke!
cd /usr/ports/security/snort && make all install clean
cd /usr/ports/security/prelude-lml && make all install clean
cd /usr/ports/security/prelude-manager && make all install clean
Everything should get fetched, built and installed in order, and more importantly, in the correct place..
Oliver's Law:
Experience is something you don't get until just after you need it.
-
November 25th, 2005, 02:59 PM
#8
I installed snort using ports. This is a funny problem. I'm sure I'll get it going as soon as I get prelude sorted out. Problem is I only found like two pages on google regarding this, and one of them was recommended by Raiden. I'll play with it this weekend and hopefully I'll get it going. Thanks.
-
November 25th, 2005, 03:18 PM
#9
Have a look through /usr/local/etc/rc.d/. If the port uses the new startup scheme you'll find the startup scripts there.. You might need to add a prelude_enable="YES" (or something like it, I don't use prelude) to rc.conf..
Oliver's Law:
Experience is something you don't get until just after you need it.
-
December 6th, 2005, 10:24 AM
#10