Re: Snort :newbie:
Thanks to UnSpawn I decided to give Snort a shot. I installed the Snort tarball. Now I'm reading the online documentation and I want snort to run in Network Intrusion Detection Mode. I have no idea where to begin.
A journey begins with the first step...
Do I have to write my own rules or are there default Snort rules already?
No. Your first rules came with the tarball and have the *.rules extension. Put them wherever you like, like /etc/snort-rules or /var/snort. Just make sure you reference them in the Snort config.
Update your rules with the CVS version available at the snort.org site (make a wget cronjob out of it). I say CVS because on the snort mailing list it seems we've discovered the "regular" rules tarball isn't current.
How do I get Snort to run at startup and how will I know if there has been an attempted break in?
Verify whether you have a SYSV start script in /etc/rc.d/init.d and edit the options if necessary. It's in the tarball's contrib/redhat dir IIRC.
Make a link from /etc/rc.d/init.d/snort to /etc/rc.d/rcX.d/SYYsnort, where X is the runlevel you want to run it in and YY is the place in the startup sequence you want to start it at. You don't have to specify a /etc/rc.d/rc(0|6).d/K01snort because, due to libpcap, Snort will die anyway when the link goes down.
I also installed Barnyard even though I have no idea what it does. When I type barnyard in a shell I get this error:
Failed to open config file "/etc/snort/barnyard.conf"
If your barnyard config isn't in that loc, use barnyard -c and specify the location. If it isn't anywhere at all, check the tarball.
There is no /etc/snort directory.
Guess you gotta make it. Now I'm wondering how the hell did you manage to install a partial tarball? :-] If unsure, configure and make again, then run "make -n install > INSTALLER.LOG". This won't touch anything, it just goes through the motions and spits out everything it's supposed to do into the file for your perusal. Read it and check where it goes wrong.
What does Barnyard do anyway?
Snort has many logging options, from ASCII (slow) to tcpdump and unified binary type logs (fast). To parse unified binary type logs into other formats (tcpdump, alert, db entries, csv) you run Barnyard.
Last edited by unSpawn; 01-29-2003 at 07:03 PM.
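One check worth doing once the rules files are placed and referenced from the config, as an added example (not from this thread or from the Snort project): a small sh script that resolves each `include $RULE_PATH/...` line in snort.conf and reports rules files that don't exist, so Snort isn't started with a half-empty ruleset because of a typo. It assumes the classic `var RULE_PATH <dir>` layout and resolves relative paths against the config file's own directory (an assumption of this script; absolute paths, as suggested above, avoid the question).

```shell
#!/bin/sh
# Added example, not part of the thread: verify that every rules file a
# snort.conf includes really exists. Assumes the classic
# "var RULE_PATH <dir>" / "include $RULE_PATH/x.rules" layout.
# Relative paths are resolved against the config file's directory here
# (an assumption of this script, not Snort's documented behaviour).

# check_snort_includes CONF -> prints missing files, returns 0 if none are missing
check_snort_includes() {
    conf=$1
    confdir=$(dirname "$conf")
    # Take the last "var RULE_PATH" definition in the file
    rule_path=$(sed -n 's/^[[:space:]]*var[[:space:]][[:space:]]*RULE_PATH[[:space:]][[:space:]]*//p' "$conf" | tail -n 1)
    missing=0
    # Paths containing whitespace are not handled (word splitting)
    for inc in $(sed -n 's/^[[:space:]]*include[[:space:]][[:space:]]*//p' "$conf"); do
        case $inc in
            '$RULE_PATH'/*) target="$rule_path/${inc#\$RULE_PATH/}" ;;  # rules include
            *) target=$inc ;;                                          # e.g. classification.config
        esac
        case $target in
            /*) ;;                                # absolute path, use as written
            *) target="$confdir/$target" ;;       # relative: resolve against config dir
        esac
        if [ ! -f "$target" ]; then
            echo "missing: $target (from 'include $inc')"
            missing=$((missing + 1))
        fi
    done
    [ "$missing" -eq 0 ]
}

# Constructed sample layout for demonstration: one rules file present, one referenced but absent
demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT
mkdir -p "$demo/rules"
: > "$demo/rules/local.rules"
: > "$demo/classification.config"
cat > "$demo/snort.conf" <<EOF
# constructed snort.conf fragment
var RULE_PATH $demo/rules
include classification.config
include \$RULE_PATH/local.rules
include \$RULE_PATH/web-attacks.rules
EOF

check_snort_includes "$demo/snort.conf"   # reports web-attacks.rules as missing
```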