[Snort-users] Newbie - how to extract any info from snort -ved?

Martin Roesch roesch at ...421...
Wed Sep 20 10:43:16 EDT 2000


Ok, you definitely don't want to run "snort -ved" to detect intrusion.  To set
yourself up in an intrusion detection mode, do these steps:

1) Edit the snort-lib file.  Locate the line that starts with "var HOME_NET"
and set the IP address to that of your host/network.  Be aware that /24 is a
class C subnet indicator and /32 is a single host indicator, so if you're just
trying to watch your own host for intrusion and its IP address is 192.168.1.55
you should set the variable to 192.168.1.55/32.  If you're trying to watch
your entire class C network, you should specify 192.168.1.0/24.

2) Set up a logging directory.  You don't need to do this explicitly because
Snort will log to /var/log/snort if not assigned a log directory.  If you
don't want to use /var/log/snort, you need to create a directory where Snort
can send alerts and log output.

3) Run Snort.  Here's a good command line:

snort -d -c snort-lib -A fast

This will run the snort-lib rules file and send alerts and packet logs to
/var/log/snort, as well as alerting to a file called "alert" in the logging
directory.  

FYI, Snort *will* fill up your entire hard drive if you let it.  It needs to
be tuned so that it will only record significant events such as intrusion
attempts.  Using the rules system is one way to achieve this.  


"Eduardo M. A. M. Mendes" wrote:
> 
> Hello
>     Thanks a lot.
>     I don't want to bother you far too much but I am yet to figure out what to do
> with snort.
>     I read all docs you've mentioned but still didn't get the picture.
>     For instance, issuing the command snort -ved sends me loads of info on the
> screen (it seems that they
> take forever - I had to use control C to stop them).  In the USAGE it is
> mentioned the log directory.  Because the command snort -ved has like filled
> my screen for ages I am afraid of using the option -l ./log because of hd
> space.   Would snort fill out
> the whole disk?
>     There is a file of the rules in the web site 8(something).  What to do with
> it? How to call it with snort?
> 
>     Many thanks
> 
> Regards
> 
> Eduardo
> 
> > Check out the USAGE file that comes with the distribution, it's got some good
> > quick start information.  Once you've read that, check out
> > http://www.snort.org and look in the forums and read the "Writing Snort Rules"
> > document.  Snort can do the things you've listed, it's just a matter of
> > configuring it properly.
> >
> >      -Marty
> >
> > "Eduardo M. A. M. Mendes" wrote:
> > >
> > > Hello
> > >     I've just installed snort on my linux box.  Although I read all docs
> > > (really!) I couldn't figure out
> > > what to do with snort (I must be pretty dumb!).
> > >     Before downloading and installing snort, I had the following
> > > questions in mind:
> > > a) Can I find a free software that sends a warning (sound, email or
> > > whatever) that someone has tried to
> > > break into my server?
> > > b) Can the soft detect and block the intrusion?
> > >
> > >     I run snort -ved and got loads of info which I don't know about with
> > > (that is, extract useful information
> > > from it, telnets, spams etc.).
> > >
> > >     I hope I am not bothering you guys far too much.
> > >
> > >     Any/all help would be most appreciated.
> > >
> > > Thanks a lot.
> > >
> > > Eduardo
> > >
> > > _______________________________________________
> > > Snort-users mailing list
> > > Snort-users at lists.sourceforge.net
> > > http://lists.sourceforge.net/mailman/listinfo/snort-users
> >
> > --
> > Martin Roesch
> > roesch at ...421...
> > http://www.snort.org

-- 
Martin Roesch
roesch at ...421...
http://www.snort.org
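The three setup steps above, written out as a shell script. This is an added example, not code from the post or from the Snort project: it checks the HOME_NET value (a /24 should end in .0, a /32 is one host), rewrites the "var HOME_NET" line in snort-lib, creates the log directory, and builds the command line with the -l option Eduardo asked about. The function names and the sample snort-lib contents used in the demo are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the original post): prepare a Snort rules file
# and log directory following the three steps, then print the command line.

# Accept only a.b.c.d/24 or a.b.c.d/32; for /24 the host octet must be 0,
# because 192.168.1.55/24 is almost always a typo for 192.168.1.0/24.
check_home_net() {
    net="$1"
    case "$net" in
        */24) addr="${net%/24}"; [ "${addr##*.}" = "0" ] || return 1 ;;
        */32) addr="${net%/32}" ;;
        *) return 1 ;;
    esac
    # four dotted-decimal octets, each in 0..255
    echo "$addr" | awk -F. 'NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i + 0 > 255) exit 1 }'
}

# Step 1: replace the "var HOME_NET ..." line in the rules file in place.
set_home_net() {
    file="$1"; net="$2"
    check_home_net "$net" || return 1
    sed "s#^var HOME_NET .*#var HOME_NET $net#" "$file" > "$file.tmp" \
        && mv "$file.tmp" "$file"
}

# Steps 2 and 3: make sure the log directory exists and print the command
# line (snort -d -c <rules> -A fast), with -l pointing at that directory.
snort_cmd() {
    rules="$1"; logdir="$2"
    mkdir -p "$logdir" || return 1
    echo "snort -d -c $rules -A fast -l $logdir"
}

# Demo on a constructed snort-lib in a temporary directory.
demo() {
    d=$(mktemp -d)
    printf 'var HOME_NET any\nalert tcp any any -> $HOME_NET 23 (msg:"telnet";)\n' \
        > "$d/snort-lib"
    set_home_net "$d/snort-lib" 192.168.1.55/32 && snort_cmd "$d/snort-lib" "$d/log"
}
```

Run `demo` to see the rewritten var line and the resulting command; the script only prints the command, it does not start Snort.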


