[Snort-users] Newbie - how to extract any info from snort -ved?

Martin Roesch roesch at ...421...
Wed Sep 20 16:47:05 EDT 2000


It doesn't look like it is; try running it without the -D switch and see if it
gives you an error message.

     -Marty

"Eduardo M. A. M. Mendes" wrote:
> 
> Hello
>     Thanks a lot.
>     I will try what you suggested.
>     Before receiving your message, someone on the list sent me the following command:
> 
> /usr/local/bin/snort -A FULL -c /temp/snortlog/08292k.rules -C -h
> xxx.xxx.xxx.x/32 -a -N -l /temp/snortlog/ -D
> 
>     In order to use it, I did as follows:
> 
> 1) mkdir /temp/snortlog and cp 08292k.rules /temp/snortlog
> 2) I modified  two lines on 08292k.rules to
> 
> preprocessor portscan: 200.17.67.130/32 3 5 /var/log/snort_portscan.log
> 
> and
> 
> var HOME_NET 200.17.67.130/32
> 
> 3) I issued the command
> 
> /usr/local/bin/snort -A FULL -c /temp/snortlog/08292k.rules -C -h
> 200.17.67.130/32 -a -N -l /temp/snortlog/ -D
> 
> 4) Two files were created on /temp/snortlog (empty files)
> 
> 5) ps aux | grep snort showed only
> 
> root       948  0.0  1.6  1240  500 pts/0    S    12:19   0:00 grep snort
> 
>     Snort is not running, is it?
> 
>     What have I done wrong now?
> 
> Many thanks for the patience and help.
> 
> Regards
> 
> Eduardo
> 
> > Ok, you definitely don't want to run "snort -ved" to detect intrusion.  To set
> > yourself up in an intrusion detection mode, do these steps:
> >
> > 1) Edit the snort-lib file.  Locate the line that starts with "var HOME_NET"
> > and set the IP address to that of your host/network.  Be aware that /24 is a
> > class C subnet indicator and /32 is a single host indicator, so if you're just
> > trying to watch your own host for intrusion and its IP address is 192.168.1.55
> > you should set the variable to 192.168.1.55/32.  If you're trying to watch
> > your entire class C network, you should specify 192.168.1.0/24.
> >
> > 2) Set up a logging directory.  You don't need to do this explicitly because
> > Snort will log to /var/log/snort if not assigned a log directory.  If you
> > don't want to use /var/log/snort, you need to create a directory where Snort
> > can send alerts and log output.
> >
> > 3) Run Snort.  Here's a good command line:
> >
> > snort -d -c snort-lib -A fast
> >
> > This will run the snort-lib rules file and send alerts and packet logs to
> > /var/log/snort, as well as alerting to a file called "alert" in the logging
> > directory.
> >
> > FYI, Snort *will* fill up your entire hard drive if you let it.  It needs to
> > be tuned so that it will only record significant events such as intrusion
> > attempts.  Using the rules system is one way to achieve this.
> >
> > "Eduardo M. A. M. Mendes" wrote:
> > >
> > > Hello
> > >     Thanks a lot.
> > >     I don't want to bother you far too much but I am yet to figure out what to do
> > > with snort.
> > >     I read all docs you've mentioned but still didn't get the picture.
> > >     For instance, issuing the command snort -ved sends me loads of info on the
> > > screen (it seems that they take forever - I had to use control C to stop
> > > them).  In the USAGE the log directory is mentioned.  Because the command
> > > snort -ved has like filled my screen for ages I am afraid of using the option
> > > -l ./log because of hd space.  Would snort fill out the whole disk?
> > >     There is a file of the rules in the web site 8(something).  What to do with
> > > it? How to call it with snort?
> > >
> > >     Many thanks
> > >
> > > Regards
> > >
> > > Eduardo
> > >
> > > > Check out the USAGE file that comes with the distribution, it's got some good
> > > > quick start information.  Once you've read that, check out
> > > > http://www.snort.org and look in the forums and read the "Writing Snort Rules"
> > > > document.  Snort can do the things you've listed, it's just a matter of
> > > > configuring it properly.
> > > >
> > > >      -Marty
> > > >
> > > > "Eduardo M. A. M. Mendes" wrote:
> > > > >
> > > > > Hello
> > > > >     I've just installed snort on my linux box.  Although I read all docs
> > > > > (really!) I couldn't figure out what to do with snort (I must be pretty
> > > > > dumb!).
> > > > >     Before downloading and installing snort, I had the following
> > > > > questions in mind:
> > > > > a) Can I find a free software that sends a warning (sound, email or
> > > > > whatever) that someone has tried to break into my server?
> > > > > b) Can the soft detect and block the intrusion?
> > > > >
> > > > >     I run snort -ved and got loads of info which I don't know what to do
> > > > > with (that is, extract useful information from it, telnets, spams etc.).
> > > > >
> > > > >     I hope I am not bothering you guys far too much.
> > > > >
> > > > >     Any/all help would be most appreciated.
> > > > >
> > > > > Thanks a lot.
> > > > >
> > > > > Eduardo
> > > > >
> > > > > _______________________________________________
> > > > > Snort-users mailing list
> > > > > Snort-users at lists.sourceforge.net
> > > > > http://lists.sourceforge.net/mailman/listinfo/snort-users
> > > >
> > > > --
> > > > Martin Roesch
> > > > roesch at ...421...
> > > > http://www.snort.org
> >
> > --
> > Martin Roesch
> > roesch at ...421...
> > http://www.snort.org
> 

-- 
Martin Roesch
roesch at ...421...
http://www.snort.org
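An added example, not part of Marty's reply or of the Snort project itself: the "-A fast" mode in the command above writes one alert per line to the "alert" file in the log directory, which is the easiest place to start pulling something useful out of Snort (the original question in this thread). The Python below parses such a file and summarizes it by source address, rule message and priority. The line layout it expects (timestamp, "[**]", optional "[gid:sid:rev]", message, optional classification/priority/protocol fields, then "src:port -> dst:port") is an assumption about Snort's fast-alert format and is not shown on the page; the sample alert lines are constructed, and the rule ids and messages in them are made up for the example.

```python
"""Parse Snort "-A fast" alert lines and summarize them (added example)."""
import re
from collections import Counter

# Constructed sample of fast-alert lines. The layout is an ASSUMPTION about
# Snort's fast alert format (not shown on the page): the first line is the
# older, minimal style; the others carry [gid:sid:rev], classification,
# priority and {PROTO} fields. The last line is junk and must be skipped.
SAMPLE_ALERTS = """\
09/20-12:19:07.104013 [**] IDS/DNS-version-query [**] 10.9.8.7:3321 -> 200.17.67.130:53
09/20-12:19:09.551200  [**] [1:1616:4] DNS named version attempt [**] [Classification: Attempted Information Leak] [Priority: 2] {UDP} 10.9.8.7:3321 -> 200.17.67.130:53
09/20-12:20:41.002341  [**] [1:886:1] WEB-CGI phf access [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 10.9.8.7:4410 -> 200.17.67.130:80
09/20-12:21:03.778012  [**] [1:886:1] WEB-CGI phf access [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 172.16.5.5:2001 -> 200.17.67.130:80
09/20-12:22:10.000100  [**] [1:469:1] ICMP PING NMAP [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 172.16.5.5 -> 200.17.67.130
this line is not an alert and is skipped by the parser
"""

# One regex for both styles: everything after the message is optional, and the
# ports are optional so ICMP alerts (no port) still parse.
ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"(?:\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+)?"   # rule id, optional
    r"(?P<msg>.+?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?"
    r"(?:\[Priority:\s*(?P<prio>\d+)\]\s+)?"
    r"(?:\{(?P<proto>[A-Z]+)\}\s+)?"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<dport>\d+))?\s*$"
)


def parse_alert(line):
    """Return a dict for one fast-alert line, or None if it does not parse."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    for key in ("sport", "dport", "prio"):
        d[key] = int(d[key]) if d[key] is not None else None
    return d


def parse_alerts(text):
    """Parse a whole alert file's text; unparseable lines are dropped."""
    return [a for a in (parse_alert(l) for l in text.splitlines()) if a]


def summarize(alerts):
    """Count alerts per source host and per rule message; pick out priority 1."""
    by_source = Counter(a["src"] for a in alerts)
    by_msg = Counter(a["msg"] for a in alerts)
    high = [a for a in alerts if a["prio"] is not None and a["prio"] <= 1]
    return {"by_source": by_source, "by_msg": by_msg, "high_priority": high}


def report(text):
    """Print a short human-readable digest of an alert file."""
    alerts = parse_alerts(text)
    s = summarize(alerts)
    print("%d alerts parsed" % len(alerts))
    print("top talkers:")
    for src, n in s["by_source"].most_common(5):
        print("  %-15s %d" % (src, n))
    print("top rules:")
    for msg, n in s["by_msg"].most_common(5):
        print("  %-40s %d" % (msg, n))
    print("priority-1 alerts:")
    for a in s["high_priority"]:
        print("  %s %s -> %s  %s" % (a["ts"], a["src"], a["dst"], a["msg"]))
    return s


if __name__ == "__main__":
    report(SAMPLE_ALERTS)
```

To run it against a real log directory, replace SAMPLE_ALERTS with the contents of the "alert" file under the directory given to -l (or /var/log/snort by default); lines that do not match the expected layout are silently skipped, so check the "alerts parsed" count against `wc -l` before trusting the counts.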