-
Snort install
Hi,
I have been trying to install Snort on my Linux box. I read the installation manual, but it seems very confusing to me. Can someone explain why I need to install and set up so many programs to get Snort up? What is the relationship between Webadmin and ACID to Snort?
-
My experience is with the Win32 version of Snort but it's pretty similar in the way they all interact I think.
Snort is the data collector. It picks up everything on the wire and passes it through the rules. If the packet matches a rule it passes an alert to wherever you tell it in the output section of snort.conf. In your case you should have installed MySQL so that Snort has somewhere to log its alerts. MySQL is the data repository which holds all the alerts. But unless you are accomplished at MySQL you can't see much, so you would use a program to show you the data in a nice readable format..... That's ACID..... a PHP based web application for reading Snort logs on a MySQL server.
That's why it seems you are adding so many programs. You need to bring up webadmin because the machine itself has to act as a server so that ACID can read the database and present the information you request.
You could have Snort simply dump everything to text files but, IME, have fun scooting around a dozen text files on a busy network to find out what is going on...... ;)
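The pipeline Tiger Shark describes (Snort matches a rule, writes an alert through an output plugin, a database holds the alerts, ACID queries them) can be shown end to end in a few lines. The following is an added example, not code from this thread or from the Snort or ACID projects: it parses lines in Snort 2.x's text "alert_fast" output format, loads them into a database, and runs the kind of summary queries ACID presents. It uses an in-memory SQLite database as a stand-in for MySQL so it runs offline; the alert lines are constructed sample data and their signature IDs are illustrative. It also shows the "dozen text files" problem: the same three queries work whether the alerts came from one file or many.

```python
"""Parse Snort 'alert_fast' lines and load them into a database for querying.

Added example: SQLite stands in for MySQL, and the summary queries stand in
for what ACID shows in its web pages. Sample alert lines are constructed.
"""
import re
import sqlite3
from typing import Iterable, Optional

# One line of Snort's fast alert format (Snort 2.x 'output alert_fast'), e.g.
# 03/14-12:34:56.789012  [**] [1:469:3] ICMP PING NMAP [**] [Classification: ...] [Priority: 2] {ICMP} 192.0.2.10 -> 198.51.100.5
# The [Classification: ...] field is optional; ports are present only for TCP/UDP.
ALERT_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}-\d{2}:\d{2}:\d{2}\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.+?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?"
    r"\[Priority:\s*(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>[A-Za-z0-9]+)\}\s+"
    r"(?P<src>[0-9.]+)(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>[0-9.]+)(?::(?P<dport>\d+))?\s*$"
)

SCHEMA = """
CREATE TABLE alerts (
    ts TEXT, gid INTEGER, sid INTEGER, rev INTEGER, msg TEXT,
    classification TEXT, priority INTEGER, proto TEXT,
    src TEXT, sport INTEGER, dst TEXT, dport INTEGER
)
"""


def parse_alert(line: str) -> Optional[dict]:
    """Return the fields of one fast-format alert line, or None if it is not one."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    for key in ("gid", "sid", "rev", "prio", "sport", "dport"):
        d[key] = int(d[key]) if d[key] is not None else None
    return d


def load_alerts(lines: Iterable[str]) -> sqlite3.Connection:
    """Build an in-memory alert database from any number of alert-file lines."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    rows = []
    for line in lines:
        a = parse_alert(line)
        if a is None:
            continue  # blank lines, stray text, or output in another format
        rows.append((a["ts"], a["gid"], a["sid"], a["rev"], a["msg"], a["cls"],
                     a["prio"], a["proto"], a["src"], a["sport"], a["dst"], a["dport"]))
    conn.executemany("INSERT INTO alerts VALUES (?,?,?,?,?,?,?,?,?,?,?,?)", rows)
    conn.commit()
    return conn


def top_signatures(conn: sqlite3.Connection, n: int = 5) -> list:
    """Most frequently firing rules, as ACID's 'most frequent alerts' view does."""
    return conn.execute(
        "SELECT msg, COUNT(*) AS hits FROM alerts GROUP BY gid, sid, msg "
        "ORDER BY hits DESC, msg ASC LIMIT ?", (n,)).fetchall()


def top_sources(conn: sqlite3.Connection, n: int = 5) -> list:
    """Source addresses responsible for the most alerts."""
    return conn.execute(
        "SELECT src, COUNT(*) AS hits FROM alerts GROUP BY src "
        "ORDER BY hits DESC, src ASC LIMIT ?", (n,)).fetchall()


def alerts_by_priority(conn: sqlite3.Connection) -> dict:
    """Alert counts keyed by rule priority (1 is the most severe)."""
    return dict(conn.execute(
        "SELECT priority, COUNT(*) FROM alerts GROUP BY priority").fetchall())


# Constructed sample alert file; addresses are documentation ranges, SIDs illustrative.
SAMPLE_ALERTS = """\
03/14-12:34:56.789012  [**] [1:469:3] ICMP PING NMAP [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 192.0.2.10 -> 198.51.100.5
03/14-12:34:57.100000  [**] [1:1256:7] WEB-IIS CodeRed v2 root.exe access [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 203.0.113.77:3412 -> 198.51.100.5:80
03/14-12:35:01.250000  [**] [1:1256:7] WEB-IIS CodeRed v2 root.exe access [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 203.0.113.77:3418 -> 198.51.100.6:80
03/14-12:35:02.000000  [**] [1:469:3] ICMP PING NMAP [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 192.0.2.10 -> 198.51.100.6
03/14-12:35:09.500000  [**] [1:1002:5] WEB-IIS cmd.exe access [**] [Priority: 1] {TCP} 203.0.113.77:3420 -> 198.51.100.5:80
this line is not an alert and is skipped
"""

if __name__ == "__main__":
    db = load_alerts(SAMPLE_ALERTS.splitlines())
    print("Top signatures:", top_signatures(db))
    print("Top sources:   ", top_sources(db))
    print("By priority:   ", alerts_by_priority(db))
```

To use it on a real sensor, point `load_alerts` at the lines of one or more alert files (for example `itertools.chain` over several open files); once the alerts are in a table, "which host is hammering us" is one `GROUP BY`, which is the whole reason for putting MySQL and ACID behind Snort instead of grepping text files.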
-
You should only need to install Snort and libpcap in order for Snort to "work".
However, it will not have the ACID management console, and without MySQL it will only be storing alerts to a file.
So, to answer your question, if you do not install all of those things, they won't work together. If all you want is the Snort command line interface, don't install them. Just do libpcap and Snort, and have fun.
-
Quote:
Originally posted here by Tiger Shark
My experience is with the Win32 version of Snort but it's pretty similar in the way they all interact I think.
Snort is the data collector. It picks up everything on the wire and passes it through the rules. If the packet matches a rule it passes an alert to wherever you tell it in the output section of snort.conf. In your case you should have installed MySQL so that Snort has somewhere to log its alerts. MySQL is the data repository which holds all the alerts. But unless you are accomplished at MySQL you can't see much, so you would use a program to show you the data in a nice readable format..... That's ACID..... a PHP based web application for reading Snort logs on a MySQL server.
That's why it seems you are adding so many programs. You need to bring up webadmin because the machine itself has to act as a server so that ACID can read the database and present the information you request.
You could have Snort simply dump everything to text files but, IME, have fun scooting around a dozen text files on a busy network to find out what is going on...... ;)
What is a webadmin? Can I install Apache?
Quote:
Originally posted here by IchNiSan
You should only need to install Snort and libpcap in order for Snort to "work".
However, it will not have the ACID management console, and without MySQL it will only be storing alerts to a file.
So, to answer your question, if you do not install all of those things, they won't work together. If all you want is the Snort command line interface, don't install them. Just do libpcap and Snort, and have fun.
Can you explain more about libpcap?
I tried to install MySQL and Snort on my Windows machine and tried to run it... but I encountered this error message saying "A required .DLL file, WPCAP.DLL, was not found."
What should I do?
-
MsMittens has written a nice little tutorial on how to install it in the AO newsletter #6!
I have yet to try it as it is still on my todo list. I look forward to installing and playing with it though!
I have read through it and she makes it very easy. Have a look at it. I think it is the last section of the newsletter.
-
I figured out what happened already... I didn't install WPCAP.DLL.
I downloaded the program and installed it... Snort can run now, but when I type "snort -v",
I don't seem to see any special log appear on the screen... somebody help...
-
Penguin,
It sounds like you installed it on your Windows box. WebMin is just a tool to administer the Snort interface a little better. If you are comfortable with the command line it should work fine. ACID is a nice PHP interface to read the results of Snort. I personally don't install WebMin but do install ACID. It's effective to show ISPs and managers the kinds of attacks that occur. I've noticed with my recent setup that some schmuck on my ISP's network is infected with Code Red and Code Red II. Like, he had to have BOTH! (*ARGGH*)
To test your configuration, scan the snort box with nmap or some other scanning tool. It should result in some alerts happening. If nothing happens then snort is not configured correctly and there may be something missing or out of place.
-
Quote:
Originally posted here by MsMittens
Penguin,
It sounds like you installed it on your Windows box. WebMin is just a tool to administer the Snort interface a little better. If you are comfortable with the command line it should work fine. ACID is a nice PHP interface to read the results of Snort. I personally don't install WebMin but do install ACID. It's effective to show ISPs and managers the kinds of attacks that occur. I've noticed with my recent setup that some schmuck on my ISP's network is infected with Code Red and Code Red II. Like, he had to have BOTH! (*ARGGH*)
To test your configuration, scan the snort box with nmap or some other scanning tool. It should result in some alerts happening. If nothing happens then snort is not configured correctly and there may be something missing or out of place.
BTW, is 'snort -v' a command for packet logging? If it is then something is wrong, because it did not print to the screen nor is it printing anything into a log file... or is 'snort -v' a command that listens for suspicious packets?
-
You need to spend some time reading your man pages. -v is verbose. It just sends the packets it collects to the screen.
Before I can help you I need a little more information.
On what OS have you installed Snort? And what version of Snort?
What were the commands you ran to install Snort (compile or RPM binary)?
What was the rule set you downloaded?
What directories did you make for Snort?
-
I had massive problems with Snort running on XP. Yes, I got it to; the setup was fine, but while it was running it stopped all my internet traffic! Has anyone else had this problem?
SittingDuck
-
I haven't run it on a Win32 platform so I cannot say that is an experience I've had. While running it under *nix platforms (FreeBSD and RH Linux) I barely notice its existence. Could it be libpcap causing the problem? Have you tried WinDump to see if you get the same effect?
-
Check out the web site www.silicondefense.com. They have a great site about Snort, Snort on Linux and Snort ported to Win2K. They also discuss IIS and Apache for ACID.
MC
-
Cheers MsMittens, I will look into it.
SittingDuck
-
I run Snort on several Win2000 boxes and it seems to run just fine. They have been up about 4 months and have a relatively small (7-15%) CPU usage on average. Two in particular are "snorting" all the traffic inside and all the traffic outside a firewall that protects some 650 workstations and servers so, as you can imagine, that's a lot of traffic, and the two machines are not really anything special (1G AMD, 256 RAM and a PII 266, 128Mb RAM).
I use Demarc's PureSecure (www.demarc.com) and use all its features. This installs the current version of Snort, WinPcap and PureSecure itself. The install is quick and easy and only requires a reboot if WinPcap was not previously installed. It can run numerous sensors all logging to a central console (which I like a lot). It also contains a host-based IDS that reports to the main console and service monitoring that I use to check my routers, web sites, DNS and mail servers every 5 minutes.
Try it..... you'll like it (and for personal or non-commercial use the price is bang on - free.... :D )
-
Quote:
Originally posted here by Tiger Shark
My experience is with the Win32 version of Snort but it's pretty similar in the way they all interact I think.
Snort is the data collector. It picks up everything on the wire and passes it through the rules. If the packet matches a rule it passes an alert to wherever you tell it in the output section of snort.conf. In your case you should have installed MySQL so that Snort has somewhere to log its alerts. MySQL is the data repository which holds all the alerts. But unless you are accomplished at MySQL you can't see much, so you would use a program to show you the data in a nice readable format..... That's ACID..... a PHP based web application for reading Snort logs on a MySQL server.
That's why it seems you are adding so many programs. You need to bring up webadmin because the machine itself has to act as a server so that ACID can read the database and present the information you request.
You could have Snort simply dump everything to text files but, IME, have fun scooting around a dozen text files on a busy network to find out what is going on...... ;)
So I also need to install PHP on my Linux box?
-
If you want to use ACID, you will need PHP as it's built entirely using PHP.