[Snort-users] (no subject)

snortlst snortlst snortlst at ...125...
Tue Nov 6 11:33:06 EST 2001


1.Search the web and install libpcap
 - unpack it
Then run:
  - ./configure
 - make
 - make install
2. download snort (www.snort.org)
 - unpack it (gzip -d <snort file.tar.gzip>, then tar -xvf <snortfile.tar>
Then run
 - ./configure
 - make
 - make install
3. Make sure when you run snort it sets your nic to promiscuous mode. If it doesn't then do the followingt manually before starting snort: ifconfig <yournic> promisc
4. In the installation directory find the snort.conf file and edit the following values:
 - set $home_net to your lan
 - set external_net to !$home_net
 - set the logging to /var/snort/log
 - include your dns server addresses in the list of ignored hosts
 - in the bottom of the file (where you see a lot of 'include rules' provide a path to the rules. You'll have to download the rules from snort.org)

5. Create a 'snort' directory in the /var/log. Here IDS logs things.
6. Download snort_stat.pl from snort.org. This perl script will parse alert and portscan files and present it to you in nice html format.
7. Connect snort machine to internet or to internal lan (depends what you wanna sniff exactly)
8. On the switch or hub mirror firewall (or whatever you want to sniff)  port to port where snort machine is connected.
9.start snort like : snort -c /snort.conf 
(it will automatically use full loggong feature and and will use default log directory /var/log/snort)
10. after a while run:
cat /var/log/snort | /snort_stat.pl -f -h > /alert.html (this one will create and alert.html file in the / , you can open it later with browser)

That's what I remember from the top of my head.This is a very basic setup, you can do much more complicated things, especially regarding representation of alert files.
hope this helps.
P.S. don't disregard reading FAQ on snort.org, though I think it misses quite a lot of things for newbies and can't be very useful for the bigginer.

  ----- Original Message ----- 
  From: Wells, Kenneth L 
  To: snort-users at lists.sourceforge.net 
  Sent: Tuesday, November 06, 2001 1:56 PM
  Subject: [Snort-users] (no subject)





    Help! 

    Is there any instruction on how to install Snort on Linux? 

    I'm a newbee and I need help!!! 

    Please respond to kw151002 at ...4012... 



-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20011106/f629ea94/attachment.html>


More information about the Snort-users mailing list