LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Old 01-30-2004, 02:51 AM   #1
gummimann
Member
 
Registered: Nov 2003
Distribution: redhat
Posts: 57

Rep: Reputation: 15
Snort only alerts snmp


Hi

I've just started using snort. I got version 2.0.2 on RH9.

I use snort -c /root/snort-2.0.2/etc/snort.conf

And it logs to /var/log/snort folders. But it only logs snmp alerts.

What's wrong?



Thanks in advance!
 
Old 01-30-2004, 03:34 AM   #2
di11rod
Member
 
Registered: Jan 2004
Location: Austin, TEXAS
Distribution: CentOS 6.5
Posts: 211

Rep: Reputation: 32
good move

Hey, I think it's a great move on your part to install snort. I don't know exactly why you're only seeing SNMP alerts in the log as I don't have a huge amount of experience with snort....

For starters, though, I'd recommend shutting it down and starting it with this syntax:

/usr/sbin/snort -U -d -D -c /etc/snort/snort.conf

Those are the arguments that webmin starts it with for me. If you depend on Webmin like me, you might want to download the Snort webmin module from www.snort.org... it's in the downloads section of their site.

Also, I don't know how recent your rule sets are because you didn't say where you got snort from. I'd recommend downloading the most current rule sets and untarring them into /usr/lib/snort/rules or wherever your install has the rule sets. They update these things several times a day.

Make sure the snort.conf file is pointing to your rules directory. I don't think it starts, though, if it doesn't.

Initially, you'll find a lot of bullcrap alerts for stuff that doesn't relate to your install. Like I'm on a Mandrake box and snort was telling me about every Nimda attack. You will be able to suppress these annoyances by examining the ID number of the attack type, then editing the matching rules set and commenting out that line.

I hope I'm not bogging you down with stuff you already know... But before I finish, I'd also recommend that you look at installing ACID. It's a VERY useful reporting tool for Snort. It allows you to have Snort send all alerts to a mysql database and then gives you a php-driven web app that can display the alert info in every useful view you'll need. Like I mostly just check the 15 most recent attack types on there. You can find out about ACID over at www.freshmeat.net

good luck,

di11rod
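One way to check the point about snort.conf pointing at the right rules directory, as an added example that is not part of the thread (the sample snort.conf, rule files and local-range SIDs below are constructed; the walk over include lines is what the check does):

```shell
#!/bin/sh
# Added example (not from the thread): list the rule files a snort.conf
# really includes and how many active rules each one holds. If only
# snmp.rules resolves, "only SNMP alerts" is exactly the symptom you get.
# Build a constructed snort.conf and rules directory under a temp dir and
# print the config path. web-cgi.rules is referenced but never created.
make_sample_conf() {
    dir=$(mktemp -d)
    mkdir -p "$dir/rules"
    cat >"$dir/snort.conf" <<EOF
var HOME_NET any
var RULE_PATH $dir/rules
include \$RULE_PATH/snmp.rules
include \$RULE_PATH/web-cgi.rules
include classification.config
EOF
    # Constructed sample rules with local-range SIDs, not the snort.org set.
    cat >"$dir/rules/snmp.rules" <<'EOF'
# alert udp any any -> any 161 (msg:"disabled by hand"; sid:1000003;)
alert udp any any -> any 161 (msg:"SNMP sample one"; sid:1000001;)
alert udp any any -> any 161 (msg:"SNMP sample two"; sid:1000002;)
EOF
    : >"$dir/classification.config"
    echo "$dir/snort.conf"
}

# Walk every include line in $1, resolve $RULE_PATH and relative paths the
# way snort 2.x does, and report each file. Returns 1 if any file is missing.
check_snort_rules() {
    conf="$1"; confdir=$(dirname "$conf"); missing=0
    rule_path=$(awk '$1=="var" && $2=="RULE_PATH" {print $3; exit}' "$conf")
    for inc in $(awk '$1=="include" {print $2}' "$conf"); do
        case "$inc" in
            '$RULE_PATH'/*) file="$rule_path/${inc#*/}" ;;
            /*)             file="$inc" ;;
            *)              file="$confdir/$inc" ;;
        esac
        if [ -f "$file" ]; then
            # Count uncommented rule headers; a commented-out rule never fires.
            n=$(grep -c -E '^[[:space:]]*(alert|log|pass|activate|dynamic)[[:space:]]' "$file" || true)
            echo "OK      $file ($n active rules)"
        else
            echo "MISSING $file"; missing=$((missing + 1))
        fi
    done
    [ "$missing" -eq 0 ]
}

check_snort_rules "$(make_sample_conf)" || echo "some included rule files are missing"
```

Run it against the real config with `check_snort_rules /root/snort-2.0.2/etc/snort.conf` to see which rule files snort can actually find.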
 
Old 01-30-2004, 04:20 AM   #3
gummimann
Member
 
Registered: Nov 2003
Distribution: redhat
Posts: 57

Original Poster
Rep: Reputation: 15
Thanks

I'll try to update the rules (I got mine with the program at snort.org), however I don't think that it'll help. Where is the best place to download rules from?

I tried:
/usr/local/bin/snort -U -d -D -c /root/snort-2.0.2/etc/snort.conf

Thanks for good pointers

Last edited by gummimann; 01-30-2004 at 04:25 AM.
 
Old 01-30-2004, 06:08 AM   #4
di11rod
Member
 
Registered: Jan 2004
Location: Austin, TEXAS
Distribution: CentOS 6.5
Posts: 211

Rep: Reputation: 32
here are the rules

Gummimman,

If you downloaded snort from the snort website, I think you'll probably want to download newer rules from their separate rule download section:

http://www.snort.org/dl/rules/snortrules-stable.tar.gz

They update that file every day, but I don't know how much it really changes on a daily basis. I can't see how I'd download it every day as I've commented out my current rule sets by hand to minimize the false positives. I'd have to hand-edit the rules every day if I was that up-to-date... Perhaps someone else knows a more efficient method of keeping the rules updating regularly without undoing your own edits...

Getting snort to output its alerts into a mysql db is a snap. You just edit the snort.conf file to change the DB pointers to be appropriate for your DB. Then you have to run a sql script in mysql and then you just untar the ACID php files onto your webserver's docroot and you're in business.

good luck,

di11rod
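One answer to the question of updating rules daily without undoing hand edits, as an added example that is not from the thread (the old and new rule files and their SIDs are constructed; the approach is to record which SIDs you commented out and re-apply that to the freshly untarred set):

```shell
#!/bin/sh
# Added example (not from the thread): keep hand-disabled rules disabled
# across a rules update. SIDs commented out in the current rules directory
# are collected, then the same SIDs are commented out in the new set.
# Print the SIDs of rules that are commented out in the *.rules files of $1.
disabled_sids() {
    grep -h -E '^[[:space:]]*#[[:space:]]*(alert|log|pass)[[:space:]]' "$1"/*.rules 2>/dev/null \
        | sed -n 's/.*sid:[[:space:]]*\([0-9][0-9]*\).*/\1/p' | sort -u
}

# Comment out, in every *.rules file under $2, each active rule whose SID
# appears in file $1 (one SID per line). Other lines pass through untouched.
apply_disabled() {
    sidfile="$1"; dir="$2"
    for f in "$dir"/*.rules; do
        awk -v sidfile="$sidfile" '
            BEGIN { while ((getline s < sidfile) > 0) off[s] = 1 }
            /^[[:space:]]*(alert|log|pass)[[:space:]]/ && match($0, /sid:[[:space:]]*[0-9]+/) {
                sid = substr($0, RSTART, RLENGTH); sub(/sid:[[:space:]]*/, "", sid)
                if (sid in off) { print "# " $0; next }
            }
            { print }' "$f" >"$f.tmp" && mv "$f.tmp" "$f"
    done
}

# Constructed old (hand-edited) and new (freshly downloaded) rule sets for
# the demonstration; prints the base directory holding both.
make_sample_rules() {
    base=$(mktemp -d); mkdir -p "$base/old" "$base/new"
    cat >"$base/old/web-iis.rules" <<'EOF'
alert tcp any any -> any 80 (msg:"sample rule one"; sid:1000001;)
# alert tcp any any -> any 80 (msg:"nimda noise, disabled by hand"; sid:1000002;)
EOF
    # The new download re-enables everything and adds a rule.
    cat >"$base/new/web-iis.rules" <<'EOF'
alert tcp any any -> any 80 (msg:"sample rule one"; sid:1000001;)
alert tcp any any -> any 80 (msg:"nimda noise, disabled by hand"; sid:1000002;)
alert tcp any any -> any 80 (msg:"brand new rule"; sid:1000003;)
EOF
    echo "$base"
}

base=$(make_sample_rules)
disabled_sids "$base/old" >"$base/disabled.txt"
apply_disabled "$base/disabled.txt" "$base/new"
echo "rules still active after merge:"; grep -E '^(alert|log|pass) ' "$base/new/web-iis.rules"
```

With real directories the sequence is the same: run disabled_sids against the current rules before untarring the new download, then apply_disabled against the new directory before pointing snort.conf at it.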
 
Old 01-30-2004, 06:31 AM   #5
gummimann
Member
 
Registered: Nov 2003
Distribution: redhat
Posts: 57

Original Poster
Rep: Reputation: 15
Thnx

However it didn't work. I still get just snmp alerts.
 
Old 02-04-2004, 01:03 PM   #6
di11rod
Member
 
Registered: Jan 2004
Location: Austin, TEXAS
Distribution: CentOS 6.5
Posts: 211

Rep: Reputation: 32
Do you have iptables blocking any kind of tcp traffic?

Also, how are you testing? Perhaps you have a firewall externally blocking this box from tcp attacks?

di11rod
 
  

