[Snort-users] Clueless in Toronto

Rich Stryker rstryker at ...7794...
Thu Dec 19 09:51:04 EST 2002

Is there any reason that you can think of as to why my SNORT, when set to log to a binary file, would die after a few seconds or a minute or two? And why the binary file that is created can't be read by SNORT afterwards like the SNORT document says it can?



-----Original Message-----
From: Joel Healy [mailto:Joel.Healy at ...7405...]
Sent: Wednesday, December 18, 2002 2:48 PM
To: Rich Stryker
Subject: RE: [Snort-users] Clueless in Toronto

Hi Rich,

Ok... When you run snort you will need to tell it where it's configuration
file is unless you have it in the default location and i don't know where
that is on a W2K box.  Have a read what command line options (check out
http://www.snort.org/docs/writing_rules/chap1.html#tth_sEc1.1) you can pass
to it as it sounds like you are using the -l command to create packets logs
which is in affect creating the IP address subfolders, but for a fairly
vanilla installation you could run it as "snort -c C:\mypath\snort.conf",
your snort.conf should be where your rules are.

So the next step is to edit your snort.conf file (check out
http://www.snort.org/docs/writing_rules/chap2.html#tth_sEc2.5) and configure
one of the output plugins.. for example for your alert.ids file..
	output alert_fast: alert.ids

A best practise configurtion is to configure snort to use the unified output
	output alert_unified: snort.alert

which writes out the alerts in a binary format that is much quicker than any
of the other plugins.. then use barnyard to read the file and output the
alert.. it can output in any of ways snort can.  That allows snort (or
hogwash) to keep up with quite high traffic throughput.

anyway hope that helps.



-----Original Message-----
From: Rich Stryker [mailto:rstryker at ...7794...]
Sent: Thursday, December 19, 2002 7:43 AM
To: SnortUsers (E-mail)
Subject: RE: [Snort-users] Clueless in Toronto

Great Thanks Keith!

Got it. I understand now why that is. Switches will broadcast only once
until they know which port to send traffic out of. 
This would mean I would miss just about everything except for the broadcasts
and multicasts. Whereas a hub is in constant broadcast mode since it
shouldn't have the ability to have a MAC table...right?

Assuming I am correct can you or anyone else now help me with SNORTSNARF?
When I followed the instructions from Silicon Defense, for installing SNORT
on a W2K machine with IIS, SNORT created an alert.ids file. I setup SNORT to
run as a service but I didn't get anything, no logs etc. When SNORT runs
from the command line it doesn't write to the alert.ids but creates sub
folders for every IP address it finds, which I have read to mean that is the
default setting.

Any suggestions on how I can get the logs to be put into the alert.ids and
thereby allowing me to get SNORTSNARF to work?

-----Original Message-----
From: Knight, Ric [mailto:RKnight at ...7145...]
Sent: Wednesday, December 18, 2002 1:28 PM
To: Rich Stryker
Subject: RE: [Snort-users] Clueless in Toronto
Importance: Low


If you only have dumb switches, then get a hub. Force all traffic you want
to monitor through the hub. You only need one interface on the SNORT box to
monitor traffic. If you want to use switches, you need to enable port
spanning so that one switch port receives att the traffic on the switch and
then plug snort into that port.

Crude text diagram...
Router <----> Hub <-------> firewall

Ric Knight
Network Engineer
TransUnion Canada
170 Jackson St. E. 
Hamilton Ontario, L8N 1L4
(905) 525-9013 x6212

-----Original Message-----
From: Rich Stryker [mailto:rstryker at ...7794...]
Sent: December 18, 2002 11:32 AM
To: snort-users at lists.sourceforge.net
Subject: [Snort-users] Clueless in Toronto


I have installed SNORT 1.8x on a W2K Server. No service packs as yet because
i am just testing the waters with it. There are 2 NICs. 

I can seem to figure out how to implement it now that it is running. I
figure I will put it behind my firewall. But how do i force traffic to go
through one NIC on the server and out through the other? Do i even need to
do this, is one NIC enough to perform NIDS? I had SNORT doing sniffing but
it only tracked the local computer's traffic and nothing else. 

I have SNORTSNARF installed to see the reports but when I seem to have SNORT
running I can't find the log files. I want SNORT setup for NIDS.

All help is greatly appreciated.



This SF.NET email is sponsored by: Order your Holiday Geek Presents Now!
Green Lasers, Hip Geek T-Shirts, Remote Control Tanks, Caffeinated Soap,
MP3 Players,  XBox Games,  Flying Saucers,  WebCams,  Smart Putty.
T H I N K G E E K . C O M       http://www.thinkgeek.com/sf/
Snort-users mailing list
Snort-users at lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
Snort-users list archive:
(This e-mail message and any accompanying attachments may contain
information that is confidential and subject to legal privilege. If you are
not the intended recipient, do not read, use, disseminate, distribute or
copy this message or attachments.  If you have received this message in
error, please delete the message and, if convenient, inform the sender as
soon as possible.)

More information about the Snort-users mailing list