[Snort-users] Re: Request help

Phil Wood cpw at ...440...
Tue Feb 5 08:50:08 EST 2002


On Mon, Feb 04, 2002 at 05:18:31PM -0800, lsd kuyeh wrote:
> Dear Mr. Phil Wood,
Why me!
> 
> I am Sean from Malaysia and I am interested in trying out
> Snort. I am a new learner in LINUX and Intrusion
> Detection Systems. 
> 
> My problem is as follows; I hope you are willing to
> help me:

Join the snort users list:

  a. http://www.snort.org/lists.html
  b. join the General discussion about snort list called

     Snort Users.
     -----------
> 
> 1. I just installed Snort on my PC, which is running
> Red Hat 7.2. But there are a few programs like Barnyard
> and Libnet provided on the download site. Do I need to
> download these programs to run Snort? If yes, why do I
> need them?

Barnyard is in pre-release.  I suggest you wait, while you learn more about
snort.
You will need libnet if you have plans to actively respond to some perceived
threat. (I'm still on the upward slope of the learning curve, and don't feel
ready to let snort drive in the piton.)

> 
> 2. I have installed Snort-1.8.3, Libpcap, and rules. Is
> that enough? How may I proceed with my installation? I
> am stuck here.

That could be enough.  It depends on how you installed snort.  If you got an
RPM, you might be missing the FAQ, README, and INSTALL files.  You need to
bone up on snort by reading those files.  If you have done your homework, you
have first read the README and understand Sniffer Mode, Packet Logger Mode, and
Intrusion Detection Mode.  Then you installed the package according to the 
INSTALL file.  Then, you put the USAGE file up in one xterm and got
root in another xterm, and started "playing" with snort to see how the
different switches affect its operation.  Then, you probably asked yourself
questions like: "what's in 'snort.conf'?", "how can I use snort variables?",
"how hard is it to make a snort 'rule'?", "If I don't have an address on
my network interface, will snort still work?", and so on.
So, it's time to turn to the FAQ.  What happens when you can't find the answer
to your question?  Well, first try to re-phrase it in a more specific manner.

If you get stumped:

Record everything you have done, including relevant "snippets" from snort.conf,
*.rules, classification.config, the 'switches' on your snort incantation,
the error messages, and in particular what values you have for your home and
external network, as well as what pre- and post-processors you have selected
(and why).

Still no luck?  Scrub the deck and start simple again.  Put just one rule in your
snort.conf (comment out all others).  Here is one to try:

  alert tcp $HOME_NET any -> $EXTERNAL_NET 31337 (msg: "Just saw attempt to connect to the eleet port"; flags: S;)

Start up your snort using your modified snort.conf file.
Type:
  
  telnet 10.12.13.14 31337
  
which should say something like:

  Trying 10.12.13.14...

Then break out.  And look at your snort logs or your screen, wherever you
decided to post the alerts.  The packet could be in a pcap file if you used
the '-b' switch.  Or, it could be in your /var/log/daemon.log if you
set up the following in your snort.conf file:

   var SYSFACILITY LOG_DAEMON
   var SYSPRIORITY LOG_DEBUG
   var SYSOPTIONS LOG_PERROR
   
   ...
   
   ruletype redalert
   {
     type alert
     output alert_syslog: $SYSFACILITY $SYSPRIORITY $SYSOPTIONS
   }
   
   redalert tcp $HOME_NET any -> $EXTERNAL_NET 31337 (msg: "Just saw attempt to connect to the eleet port"; flags: S;)

I've got to go.  Please join snort-users at lists.sourceforge.net and enjoy
your journey.

> 
> 3. How do I operate Snort? I am still not clear about
> Snort. Do you know any website that gives the most
> complete information about Snort? Especially on
> setting up Snort.

See answer to 2.

> 
> Thank you. Hope for your speedy reply.
> 
> Regards,
> Sean.
> 
> __________________________________________________
> Do You Yahoo!?
No
> Great stuff seeking new owners in Yahoo! Auctions! 
> http://auctions.yahoo.com

-- 
Phil Wood, cpw at ...440...
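The single-rule test in the reply above is easiest to get wrong in the rule header itself: a Snort rule header needs a direction operator, `->` or `<>`, between the source half and the destination half, and `flags: S;` with no modifier fires only on a packet with exactly SYN set. What follows is an added example, not code from the post or from Snort: a toy Python matcher for just the subset of Snort 1.x rule syntax used in this thread, run against constructed packet summaries. The `$HOME_NET`/`$EXTERNAL_NET` values, the sample packets, and the function names are all assumptions made for the example; it is not Snort's detection engine.

```python
"""Toy matcher for the Snort 1.x rule subset used in this thread.

Added example, not Snort's own code or the poster's.  It handles:
  action proto src sport (->|<>) dst dport (msg:"..."; flags:X;)
with $VAR, 'any', an IP/CIDR, or a '!'-negated CIDR as address, and
'any', a single port, or lo:hi as port.  Everything else is out of scope.
"""
import ipaddress
import re

# Assumed variable values (the post never shows the real snort.conf ones).
# Nested variables such as EXTERNAL_NET = !$HOME_NET are not expanded here.
VARS = {"HOME_NET": "192.168.1.0/24", "EXTERNAL_NET": "!192.168.1.0/24"}

HEADER_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$"
)


def parse_rule(text):
    """Split a rule into header fields plus an options dict; raise on bad headers."""
    m = HEADER_RE.match(text.strip())
    if not m:
        if "->" not in text and "<>" not in text:
            # The commonest beginner slip: leaving out the direction operator.
            raise ValueError("rule header has no direction operator (-> or <>)")
        raise ValueError("unparseable rule header")
    rule = m.groupdict()
    opts = {}
    for item in rule.pop("opts").split(";"):
        if ":" in item:
            key, val = item.split(":", 1)
            opts[key.strip()] = val.strip().strip('"')
        elif item.strip():
            opts[item.strip()] = True        # bare keyword such as 'nocase'
    rule["opts"] = opts
    return rule


def rule_error(text):
    """Return the parse error message for a rule, or None if it parses."""
    try:
        parse_rule(text)
    except ValueError as exc:
        return str(exc)
    return None


def _expand(token):
    if token.startswith("$"):
        if token[1:] not in VARS:
            raise ValueError("undefined variable " + token)
        return VARS[token[1:]]
    return token


def addr_matches(spec, ip):
    spec = _expand(spec)
    if spec == "any":
        return True
    negate = spec.startswith("!")
    net = ipaddress.ip_network(spec.lstrip("!"), strict=False)
    return (ipaddress.ip_address(ip) in net) != negate


def port_matches(spec, port):
    spec = _expand(spec)
    if spec == "any":
        return True
    if ":" in spec:                           # port range, either end may be open
        lo, hi = spec.split(":", 1)
        return (int(lo) if lo else 0) <= port <= (int(hi) if hi else 65535)
    return int(spec) == port


def _header_hits(rule, pkt):
    return (addr_matches(rule["src"], pkt["src"]) and port_matches(rule["sport"], pkt["sport"])
            and addr_matches(rule["dst"], pkt["dst"]) and port_matches(rule["dport"], pkt["dport"]))


def matches(rule, pkt):
    """True if the packet summary satisfies the header and the flags option."""
    if rule["proto"] != "ip" and rule["proto"] != pkt["proto"]:
        return False
    hit = _header_hits(rule, pkt)
    if not hit and rule["dir"] == "<>":       # bidirectional: try the reverse
        hit = _header_hits(rule, dict(pkt, src=pkt["dst"], sport=pkt["dport"],
                                      dst=pkt["src"], dport=pkt["sport"]))
    if not hit:
        return False
    want = rule["opts"].get("flags")
    # 'flags:S' with no modifier means exactly SYN set, so a SYN/ACK does not match.
    return want is None or set(want) == set(pkt.get("flags", ""))


def alerts_for(rule_text, packets):
    """Return the msg text once per packet the rule fires on."""
    rule = parse_rule(rule_text)
    return [rule["opts"].get("msg", "") for p in packets if matches(rule, p)]


RULE = ('alert tcp $HOME_NET any -> $EXTERNAL_NET 31337 '
        '(msg: "Just saw attempt to connect to the eleet port"; flags: S;)')

PACKETS = [  # constructed summaries, not captured traffic
    {"proto": "tcp", "src": "192.168.1.5", "sport": 40001, "dst": "10.12.13.14", "dport": 31337, "flags": "S"},   # the telnet SYN
    {"proto": "tcp", "src": "10.12.13.14", "sport": 31337, "dst": "192.168.1.5", "dport": 40001, "flags": "SA"},  # its SYN/ACK
    {"proto": "tcp", "src": "192.168.1.5", "sport": 40002, "dst": "10.12.13.14", "dport": 80, "flags": "S"},      # wrong port
    {"proto": "tcp", "src": "192.168.1.5", "sport": 40003, "dst": "192.168.1.9", "dport": 31337, "flags": "S"},   # dst not external
    {"proto": "tcp", "src": "10.12.13.14", "sport": 31337, "dst": "192.168.1.5", "dport": 40004, "flags": "S"},   # inbound SYN, only <> sees it
]

if __name__ == "__main__":
    print(alerts_for(RULE, PACKETS))                        # one alert
    print(alerts_for(RULE.replace("->", "<>"), PACKETS))    # two alerts
    print(rule_error(RULE.replace(" -> ", " ")))            # the missing-arrow mistake
```

Running it shows why the telnet test in the reply produces exactly one alert: the outbound SYN matches, the returning SYN/ACK does not (flags are compared exactly), and a connection to port 31337 on another home host never reaches `$EXTERNAL_NET`. Switching the rule to `<>` also catches the inbound SYN, and dropping the arrow is reported as a header error instead of silently matching nothing, which is the symptom a beginner would otherwise be chasing in the logs.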