[Snort-users] Newbie - how to extract any info from snort -ved?

Eduardo M. A. M. Mendes eduardo at ...477...
Wed Sep 20 12:52:45 EDT 2000


Hello
    Thanks a lot.
    I will try what you suggested.
    Before receiving your message, someone on the list sent me the following command:

/usr/local/bin/snort -A FULL -c /temp/snortlog/08292k.rules -C -h
xxx.xxx.xxx.x/32 -a -N -l /temp/snortlog/ -D

    In order to use it, I did as follows:

1) mkdir /temp/snortlog and cp 08292k.rules /temp/snortlog
2) I modified two lines in 08292k.rules to


preprocessor portscan: 200.17.67.130/32 3 5 /var/log/snort_portscan.log

and

var HOME_NET 200.17.67.130/32

3) I issued the command

/usr/local/bin/snort -A FULL -c /temp/snortlog/08292k.rules -C -h
200.17.67.130/32 -a -N -l /temp/snortlog/ -D

4) Two files were created on /temp/snortlog (empty files)

5) ps aux | grep snort showed only

root       948  0.0  1.6  1240  500 pts/0    S    12:19   0:00 grep snort

    Snort is not running, is it?


    What have I done wrong now?

Many thanks for the patience and help.

Regards

Eduardo




> Ok, you definitely don't want to run "snort -ved" to detect intrusion.  To set
> yourself up in an intrusion detection mode, do these steps:
>
> 1) Edit the snort-lib file.  Locate the line that starts with "var HOME_NET"
> and set the IP address to that of your host/network.  Be aware that /24 is a
> class C subnet indicator and /32 is a single host indicator, so if you're just
> trying to watch your own host for intrusion and its IP address is 192.168.1.55
> you should set the variable to 192.168.1.55/32.  If you're trying to watch
> your entire class C network, you should specify 192.168.1.0/24.
>
> 2) Set up a logging directory.  You don't need to do this explicitly because
> Snort will log to /var/log/snort if not assigned a log directory.  If you
> don't want to use /var/log/snort, you need to create a directory where Snort
> can send alerts and log output.
>
> 3) Run Snort.  Here's a good command line:
>
> snort -d -c snort-lib -A fast
>
> This will run the snort-lib rules file and send alerts and packet logs to
> /var/log/snort, as well as alerting to a file called "alert" in the logging
> directory.
>
> FYI, Snort *will* fill up your entire hard drive if you let it.  It needs to
> be tuned so that it will only record significant events such as intrusion
> attempts.  Using the rules system is one way to achieve this.
>
> "Eduardo M. A. M. Mendes" wrote:
> >
> > Hello
> >     Thanks a lot.
> >     I don't want to bother you far too much but I am yet to figure out what to do
> > with snort.
> >     I read all docs you've mentioned but still didn't get the picture.
> >     For instance, issuing the command snort -ved sends me loads of info to the
> > screen (it seems that they take forever - I had to use control C to stop them).
> > The log directory is mentioned in the USAGE.  Because the command snort -ved
> > has like filled my screen for ages I am afraid of using the option -l ./log
> > because of hd space.  Would snort fill up the whole disk?
> >     There is a file of the rules in the web site 8(something).  What to do with
> > it? How to call it with snort?
> >
> >     Many thanks
> >
> > Regards
> >
> > Eduardo
> >
> > > Check out the USAGE file that comes with the distribution, it's got some good
> > > quick start information.  Once you've read that, check out
> > > http://www.snort.org and look in the forums and read the "Writing Snort Rules"
> > > document.  Snort can do the things you've listed, it's just a matter of
> > > configuring it properly.
> > >
> > >      -Marty
> > >
> > > "Eduardo M. A. M. Mendes" wrote:
> > > >
> > > > Hello
> > > >     I've just installed snort on my linux box.  Although I read all docs
> > > > (really!) I couldn't figure out what to do with snort (I must be pretty dumb!).
> > > >     Before downloading and installing snort, I had the following
> > > > questions in mind:
> > > > a) Can I find a free software that sends a warning (sound, email or
> > > > whatever) that someone has tried to break into my server?
> > > > b) Can the soft detect and block the intrusion?
> > > >
> > > >     I ran snort -ved and got loads of info which I don't know what to do with
> > > > (that is, extract useful information from it, telnets, spams etc.).
> > > >
> > > >     I hope I am not bothering you guys far too much.
> > > >
> > > >     Any/all help would be most appreciated.
> > > >
> > > > Thanks a lot.
> > > >
> > > > Eduardo
> > > >
> > > > _______________________________________________
> > > > Snort-users mailing list
> > > > Snort-users at lists.sourceforge.net
> > > > http://lists.sourceforge.net/mailman/listinfo/snort-users
> > >
> > > --
> > > Martin Roesch
> > > roesch at ...421...
> > > http://www.snort.org
>
> --
> Martin Roesch
> roesch at ...421...
> http://www.snort.org
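The steps quoted above (set HOME_NET to a /32 or /24, make a log directory, run snort with -c and -A fast instead of -ved, then confirm the process is alive) as a small sh script. This is an added example, not code from the thread or from the Snort project. It assumes the Snort 1.x flag meanings from the USAGE file: -c reads a rules file, -A fast writes one-line alerts, -l sets the log directory, -D daemonizes, and -N turns packet logging off (the command pasted earlier in this message includes -N, which is why a packet log under -N stays empty; the example leaves that flag out). The file names and the two ps lines in the comments and checks are constructed for the example. The process check matches on the COMMAND column of "ps aux" rather than on the whole line, because a bare "ps aux | grep snort" always finds its own grep, as in the output shown above.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes Snort 1.x flags per USAGE:
#   -c <rules>  read a rules file      -A fast   one-line alerts
#   -l <dir>    log directory          -D        run as a daemon
#   -N          turn packet logging OFF (alerts still fire)
#   -v / -e     print packets / link headers to the screen (the -ved mode)
set -eu

# Accept only dotted-quad/prefix notation: /32 is one host, /24 a class C.
# The awk pass rejects octets above 255, which the regex alone would allow.
valid_cidr() {
    printf '%s\n' "$1" |
        grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[12][0-9]|3[0-2])$' || return 1
    printf '%s\n' "$1" |
        awk -F'[./]' '{ for (i = 1; i <= 4; i++) if ($i + 0 > 255) exit 1 }'
}

# Rewrite the "var HOME_NET" line of a rules file in place; refuse bad CIDRs.
# A temp file is used because "sed -i" is not POSIX. Prints the new line.
set_home_net() {
    rules=$1; cidr=$2
    valid_cidr "$cidr" || { echo "bad CIDR: $cidr" >&2; return 1; }
    grep -q '^var HOME_NET ' "$rules" || { echo "no HOME_NET line in $rules" >&2; return 1; }
    tmp="$rules.tmp.$$"
    sed "s|^var HOME_NET .*|var HOME_NET $cidr|" "$rules" > "$tmp" && mv "$tmp" "$rules"
    grep '^var HOME_NET ' "$rules"
}

# Log directory readable by root only: packet logs carry payloads, which can
# include credentials and mail bodies. Prints the directory path.
mk_logdir() {
    mkdir -p "$1" && chmod 700 "$1" && printf '%s\n' "$1"
}

# The IDS command line from the quoted advice ("snort -d -c snort-lib -A fast")
# with an explicit log directory and optional -D. Deliberately no -N (would
# disable packet logs) and no -v/-e (would flood the terminal as -ved does).
snort_ids_cmd() {
    rules=$1; logdir=$2; daemon=${3:-}
    cmd="snort -d -c $rules -A fast -l $logdir"
    [ -n "$daemon" ] && cmd="$cmd -D"
    printf '%s\n' "$cmd"
}

# Read "ps aux" output on stdin and print the PIDs whose COMMAND column
# (field 11) is snort. "grep snort" has COMMAND "grep", so it is not counted;
# a daemonized snort shows e.g. "/usr/local/bin/snort -d -c ..." and is.
snort_pids() {
    awk '$11 ~ /(^|\/)snort$/ { print $2 }'
}

# Exit 0 if at least one snort process is alive on this host.
snort_running() {
    [ -n "$(ps aux | snort_pids)" ]
}

# Usage (constructed paths):
#   set_home_net /temp/snortlog/08292k.rules 200.17.67.130/32
#   mk_logdir /temp/snortlog
#   eval "$(snort_ids_cmd /temp/snortlog/08292k.rules /temp/snortlog D)"
#   snort_running && echo "snort is up" || echo "snort exited; check its stderr"
```

If snort_running fails right after starting with -D, run the same command line once more without -D so that a rules-file parse error is printed to the terminal instead of being lost when the daemon exits.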



