[Snort-users] Snort newbie

Bunter, Matthew Matthew.Bunter at ...2008...
Thu May 10 08:01:28 EDT 2001


Gurus,

Apologies for asking basics but I couldn't find these answers on snort.org,
the FAQs or any documentation that I have.

Very basic snort.conf file, smtp, web, dns all commented out (I'm on a small
testing segment) :

var HOME_NET $eth_ADDRESS
var EXTERNAL_NET any
preprocessor defrag
preprocessor http_decode: 80 8080
preprocessor portscan : $HOME_NET 4 3 /var/log/snort/portscan.log
output alert_syslog: LOG_AUTH LOG_ALERT
include exploit.rules
include etc (from latest snort rules on snort.org)

Snort is version 1.7 running on Suse 7.1 with 2.4 kernel
The rules files are in the same directory as the snort executable.

I get the following :
# snort -c /etc/Snort/snort.conf
Initializing Snort
Initializing Network Interface eth0
Kernel filter, protocol ALL, raw packet socket
Decoding Ethernet on interface eth0
Initializing Preprocessors!
Initializing Plug-ins!
Initializing Output Plug-ins!

+++++++++++++++++++++++
Initializing rule chains...
[!] ERROR exploit.rules(20) => Bad port number: "msg:"EXPLOIT"
#

All I basically want is to get snort running to produce text files under
/var/log/snort which will then be put through snortsnarf for browsing. But I
can't even get it to start - any help would be greatly appreciated.

BTW I want to convince management how easy it is to set up Snort so help me
avoid the 'egg-on-face' scenario please !!!


Regards,

Matt Bunter


**********************************************************************
This message may contain information which is confidential or privileged.
If you are not the intended recipient, please advise the sender immediately
by reply e-mail and delete this message and any attachments
without retaining a copy.  

**********************************************************************
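A pre-flight check for the rules file, added here as an example (it is not part of the original post and not Snort's own code). The error in the post is raised while Snort builds rule chains, and it names a line in exploit.rules, so the cheap first move is to lint the rule headers before `snort -c` ever runs. A Snort 1.x rule header has seven whitespace-separated fields, `action proto src_addr src_port direction dst_addr dst_port`, followed by the options in parentheses; if a port field is missing, the tokens shift and the parser ends up treating the start of `(msg:...` as a port, which is the shape of a "Bad port number" message. The script below joins backslash-continued lines, tracks `var` definitions, and reports each bad header as `file(line) => message`. The sample rules at the bottom are constructed for the example and are not a snort.org ruleset; the variable set `{"HOME_NET"}` stands in for what snort.conf would have defined.

```python
"""Pre-flight lint for Snort 1.x rule headers (added example, not Snort code).

Checks that every rule has the seven-field header
    action proto src_addr src_port direction dst_addr dst_port (options)
and reports offenders with their line number in snort's own "file(line)" form.
"""
import re

ACTIONS = {"alert", "log", "pass", "activate", "dynamic"}
PROTOCOLS = {"tcp", "udp", "icmp", "ip"}
DIRECTIONS = {"->", "<>"}
IP_RE = re.compile(r"\d{1,3}(\.\d{1,3}){3}(/\d{1,2})?")
PORT_RE = re.compile(r"(\d*):(\d*)|(\d+)")


def valid_port(tok, variables):
    """Accept any, N, N:M, N:, :M or $VAR, each optionally negated with '!'."""
    tok = tok[1:] if tok.startswith("!") else tok
    if tok == "any":
        return True
    if tok.startswith("$"):
        return tok[1:] in variables
    m = PORT_RE.fullmatch(tok)
    if not m:
        return False
    nums = [int(x) for x in m.groups() if x]
    if not nums or any(n > 65535 for n in nums):
        return False
    return len(nums) < 2 or nums[0] <= nums[1]  # range must be low:high


def valid_addr(tok, variables):
    """Accept any, $VAR, an IPv4 address or CIDR block, or a [a,b,...] list."""
    tok = tok[1:] if tok.startswith("!") else tok
    if tok.startswith("[") and tok.endswith("]"):
        return all(valid_addr(t, variables) for t in tok[1:-1].split(","))
    if tok == "any":
        return True
    if tok.startswith("$"):
        return tok[1:] in variables
    return IP_RE.fullmatch(tok) is not None


def logical_lines(text):
    """Yield (first_physical_line_no, line) after joining '\\' continuations."""
    buf, start = [], None
    for no, raw in enumerate(text.splitlines(), 1):
        start = no if start is None else start
        if raw.rstrip().endswith("\\"):
            buf.append(raw.rstrip()[:-1])
            continue
        buf.append(raw)
        yield start, " ".join(buf)
        buf, start = [], None
    if buf:  # dangling continuation at end of file
        yield start, " ".join(buf)


def lint_rules(text, variables=None):
    """Return [(line_no, message)] for every rule whose header will not parse.

    `variables` holds names already defined in snort.conf (e.g. HOME_NET);
    `var` lines inside the rules text extend that set as they are seen.
    """
    variables = set(variables or ())
    findings = []
    for no, line in logical_lines(text):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("var "):
            parts = line.split()
            if len(parts) >= 3:
                variables.add(parts[1])
            continue
        # The header ends at the first '(' (same cut the 1.x parser makes).
        head, paren, opts = line.partition("(")
        if not paren or not opts.rstrip().endswith(")"):
            findings.append((no, "rule options must be enclosed in ( ... )"))
            continue
        tok = head.split()
        if len(tok) != 7:
            findings.append((no, f"expected 7 header fields, got {len(tok)}: {head.strip()!r}"))
            continue
        action, proto, src, sport, direction, dst, dport = tok
        if action not in ACTIONS:
            findings.append((no, f"unknown action {action!r}"))
        if proto not in PROTOCOLS:
            findings.append((no, f"unknown protocol {proto!r}"))
        if direction not in DIRECTIONS:
            findings.append((no, f"bad direction operator {direction!r}"))
        for label, value in (("source address", src), ("destination address", dst)):
            if not valid_addr(value, variables):
                findings.append((no, f"bad {label}: {value!r}"))
        for label, value in (("source port", sport), ("destination port", dport)):
            if not valid_port(value, variables):
                findings.append((no, f"bad {label}: {value!r}"))
    return findings


# Constructed sample (not a snort.org ruleset): three good rules, then three
# defects a 1.x parser would reject at lines 7, 8 and 9.
SAMPLE_RULES = """\
# constructed sample
var EXTERNAL_NET any
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB-MISC sample"; content:"/cgi-bin/";)
alert tcp $EXTERNAL_NET any -> $HOME_NET 1:1024 \\
    (msg:"header continued over two lines"; flags:S;)
alert icmp $EXTERNAL_NET any -> [192.168.1.0/24,10.0.0.1] any (msg:"address list";)
alert tcp $EXTERNAL_NET any -> $HOME_NET (msg:"EXPLOIT missing destination port";)
alert tcp $EXTERNAL_NET any -> $HOME_NET 70000 (msg:"port out of range";)
alert udp $EXTERNAL_NET any -> $DNS_SERVERS 53 (msg:"variable never defined";)
"""

if __name__ == "__main__":
    for no, msg in lint_rules(SAMPLE_RULES, variables={"HOME_NET"}):
        print(f"sample.rules({no}) => {msg}")
```

Run it against each `include`d file with the variable names from snort.conf passed in; a header that this script rejects is one Snort 1.7 will also refuse, and the line number it prints matches the one in Snort's `file(line) =>` error. A rule whose `msg` text itself contains a parenthesis is still handled, because only the first `(` is treated as the start of the options.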
