[Snort-users] snortnet???

Sten Kalenda sten at ...6...
Thu Aug 24 18:42:38 EDT 2000


Dave,
It is good to see that there is more interest in the IAP.

Recently I played a while with snortnet.
The following is my short "HowTo" (linux redhat 6.2)

HowHowHowToooooooooooooooooooo>>>
Get snortxxx.tar.gz from Marty (http://www.snort.org/)
untar it

copy from the contrib dir the snortnet.tar.gz to the snort dir
untar the snortnet

cd snortnet
get the iaplib-01.tar.gz from Fyodor (http://snortnet.scorpions.net/)
and untar here

cd libiap
make

cd ..
(you are in the snortnet directory now)
make
If you get the following error:
  "hosts_access.o(.text+0x400): undefined reference to
`yp_get_default_domain'"
  add -DBROKEN_LINUX_WRAPPERS to the CFLAGS in the Makefile
  It should show: CFLAGS= -ggdb -Wall -DHAVE_NCURSES -DTCPWRAPPERS
-DBROKEN_LINUX_WRAPPERS $(INCLUDE)
  rm *.o
  make

Ok, now we have to add the plugin into snort and recreate the Makefile.
Follow the description for the sp_xxx plugin; it is well described in the
file README.PLUGINS in the snort directory.
  The specific section starts at: "Adding New Plugins to Snort as a
User:"
  The following files in the snort directory must be changed manually,
following steps 1 through 3:
    Makefile.am
    plugbase.h
    plugbase.c

Step 3 (automake) did not work for me... just run ./configure

After step 3, before recompiling, you have to add libiap to the LIBS
variable in the Makefile.
  It should show: LIBS = -lpq -lpcap -lnsl  -lnet -liap

Now change the snort configuration files; look in
snortnet/sample-rule to see how.
Run the sncon program before you start the snort sensors.
Restart snort.
HowHowHowTooooooooooooooooooooooooo <<<<<

These are some "features"... when the detector (snort) restarts and the
monitor does not...
the IAP is not reporting any more.
It could be caused by the different log file Open()
approach in the new snort version... in a previous message on the
list:
>>>>>
Subject: 
        RE: [Snort-users] snort "alert" file is not shown...
   Date: 
        Wed, 23 Aug 2000 11:19:49 -0400
   From: 
        "Sean C Doherty" <seand at ...232...>
     To: 
        "Snort-Users" <snort-users at lists.sourceforge.net>
Hi,

I ran into a similar problem.  It appears that snort 1.6.3 acts differently
than earlier versions when writing the log file.  The older versions opened,
wrote and then closed the log file on each alert, while 1.6.3 appears to
open the file when run/started, then it keeps it open.  (Older versions did
this when using the -A FAST option.)  This can cause sharing violations etc.
when doing "stuff" to the log file.

Sean D
<<<<<
but this is just a wild guess.


Dave Keener wrote:
> 
> I downloaded the files from snort.org but am not sure how to apply the patch
> to the snort source.  Can you provide me with a quick-hit list of
> instructions to make this work?  Anything would be great.  Thanks.
> 
> -----Original Message-----
> From: Fyodor [mailto:fygrave at ...121...]
> Sent: Thursday, August 24, 2000 3:35 PM
> To: Dave Keener
> Cc: snort-users at lists.sourceforge.net
> Subject: Re: [Snort-users] snortnet???
> 
> ~ :Has anyone had any luck getting snortnet to work?  I am trying to log alerts
> ~ :to a central server but am having a difficult time understanding how to get
> ~ :snortnet to work.  I understand the basics of how it works.  Just can't
> ~ :figure out how to configure it with snort.
> ~ :
> 
>  What exactly is your problem? :)
> 
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> http://lists.sourceforge.net/mailman/listinfo/snort-users

-- 

Cheers,
Sten

-= Use tcpdump to follow the "conversation" =-
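As an added example (not from Sten's post or from the snortnet project): the two manual Makefile edits in the HowTo above, the -DBROKEN_LINUX_WRAPPERS define in CFLAGS and -liap in LIBS, done with a small POSIX shell script that is safe to re-run and checks its own result. The Makefile contents are constructed from the lines quoted in the post; the function names and the temporary directory are this example's own assumptions, and it relies on the CFLAGS line ending in $(INCLUDE) as the post shows.

```shell
#!/bin/sh
# Added example, not code from the original post or from the snortnet project.
# Applies the two manual Makefile edits described in the HowTo above
# (-DBROKEN_LINUX_WRAPPERS in CFLAGS, -liap in LIBS) idempotently, so a
# second run never doubles the flags, and verifies the result.
# Uses sed into a temp file rather than 'sed -i' so it runs on any POSIX sed.

# Add -DBROKEN_LINUX_WRAPPERS to the CFLAGS line of $1 unless already present.
# Assumes the CFLAGS line ends in $(INCLUDE), as the line quoted in the post does.
add_broken_wrappers() {
    mf=$1
    if ! grep -q -- '-DBROKEN_LINUX_WRAPPERS' "$mf"; then
        sed '/^CFLAGS[[:space:]]*=/s/[[:space:]]*\$(INCLUDE)/ -DBROKEN_LINUX_WRAPPERS $(INCLUDE)/' \
            "$mf" > "$mf.tmp" && mv "$mf.tmp" "$mf"
    fi
}

# Append -liap to the LIBS line of $1 unless already present.
add_libiap() {
    mf=$1
    if ! grep -q -- '-liap' "$mf"; then
        sed '/^LIBS[[:space:]]*=/s/$/ -liap/' "$mf" > "$mf.tmp" && mv "$mf.tmp" "$mf"
    fi
}

# Return 0 only if both edits are present on the right lines of $1.
verify_makefile() {
    mf=$1
    grep '^CFLAGS' "$mf" | grep -q -- '-DBROKEN_LINUX_WRAPPERS' || return 1
    grep '^LIBS' "$mf" | grep -q -- '-liap' || return 1
    return 0
}

# Apply both edits to Makefile $1 and verify; safe to call repeatedly.
fix_makefile() {
    add_broken_wrappers "$1"
    add_libiap "$1"
    verify_makefile "$1"
}

# Constructed sample Makefile (pre-edit lines as quoted in the post) in a
# temporary directory; prints the path to the Makefile.
make_sample() {
    dir=$(mktemp -d)
    cat > "$dir/Makefile" <<'EOF'
CFLAGS= -ggdb -Wall -DHAVE_NCURSES -DTCPWRAPPERS $(INCLUDE)
LIBS = -lpq -lpcap -lnsl  -lnet
all: snortnet
EOF
    printf '%s\n' "$dir/Makefile"
}

# Demo: patch the constructed Makefile twice and show the resulting lines.
mf=$(make_sample)
fix_makefile "$mf" && fix_makefile "$mf"   # second run must not duplicate flags
grep -E '^(CFLAGS|LIBS)' "$mf"
rm -rf "$(dirname "$mf")"
```

On a real tree you would run fix_makefile against snortnet/Makefile after the first failed make, then "rm *.o" and make again as the post says; the verify step is what tells you the edit actually landed before you spend another build on it.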


