[Snort-users] newbie snort user on windows xp needs help please
surfer at ...6173...
Fri Jun 28 12:40:03 EDT 2002
Hopefully useful info for the other newbie users of IDS and Snort... I
had downloaded the program from snort.org, but the documentation I was
looking for is located at www.packx.net. It explains a lot of the
questions that I was having. Thanks to Michael for his help and to the
list members for your time and mailbox space... :-)
On Wed, 26 Jun 2002, Michael Steele wrote:
: The way you are running Snort will not allow Snort to generate alerts to
: the screen.
: The rules are correct and you should be generating an enormous amount of
: traffic. Use your browser to generate the traffic. Make sure you have
: activated your custom rules in your Snort.conf. Also, when you add
: rules, be sure to restart snort.
: After you run snort and generate some traffic, stop snort and use a text
: editor to check your alert.ids file and see if there are alerts being
: entered. They will be time stamped.
: If you really want to get the feel of Snort and have a better
: understanding of how things work, you might want to do a manual install.
: All the programs you are using are available outside of the installer.
: There is a LOT of documentation out there for Snort and Windows, but not
: nearly as much as there are for *nix. Try doing a search on google for
: some key words or phrases.
: Also, I have never used that installer so some of the above may not
: Michael Steele | System Engineer / Support Technician
: mailto:michaels at ...155...
: Silicon Defense: IDS solutions - http://www.silicondefense.com
: Snort: Open Source Network IDS - http://www.snort.org
: -----Original Message-----
: From: Scott Weeks [mailto:surfer at ...6173...]
: Sent: June 26, 2002 8:22 PM
: To: Michael Steele
: Cc: snort-users at lists.sourceforge.net
: Subject: RE: [Snort-users] newbie snort user on windows xp needs help
: On Wed, 26 Jun 2002, Michael Steele wrote:
: : Scott,
: : There are a multitude of new people visiting this list every day, or I
: : would hope. The information, no matter how trivial will help someone.
: : will also help people to better understand Snort and what works and
: : doesn't work and hopefully that knowledge will better the Snort
: : community.
: : How I usually, and I'm sure most of the techs that monitor this list,
: : deal with posting is: not only to reply back to the list but to CC the
: : poster so he or she can get the required information the quickest
: : possible way.
: Hello list members,
: Here's the gist of my problem...
: I am finding documentation for windows lacking. I'm using XP Home
: (unfortunately) and IDScenter 1.09 Beta 1.3. (Beta. Maybe that's my
: problem?) on my home computer, so I can get used to using SNORT in
: preparation for an interview I have coming up. Just to get some traffic
: generated I put in the following rules:
: log tcp any any <> any any (msg: "test";)
: alert tcp any any <> any any (msg: "test";)
: These are in the "IDS rules" part of the GUI interface. In the
: "Logs/Alerts" section I left the path unchanged:
: C:\Program Files\IDS_systems\Sourcefire\log\alert.ids
: In the "General Setup" window I click on "Create Script" and
: OK. For the IP I use the "Select" button and check with the "Command
: Prompt" (DOS screen) using the ipconfig command, so I know it's the
: correct one. (My ISP uses DHCP) I also used the "Test Configuration"
: button for sanity's sake. All is good.
: When I click "Start Snort" a DOS window opens up and remains open. I'm
: assuming that the "alert" rule should cause things to show up in that
: window and the "log" rule should cause the same entries to show up in
: "alert.ids" file and those should be able to be seen when clicking on
: "View Alerts" button. However, nothing shows up on the DOS screen, nor
: does anything show up in the "View Alerts" window when I put the path to the
: file "C:\Program Files\IDS_systems\Sourcefire\log\alert.ids" in the
: "Search alert log" box.
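Michael's suggestion is to stop Snort and open alert.ids to see whether time-stamped alerts were written. As an added example (not code from the thread or from the Snort project), here is a small parser that does that check on the two formats Snort can write to that file: the one-line "fast" format and the multi-line "full" format. The sample records, addresses and ports are constructed for this example and only approximate Snort's real output.

```python
import re
from collections import Counter

# Constructed sample of Snort's "fast" alert format: one line per alert.
# Rules written without a sid, like the "test" rules above, show up as [1:0:0].
SAMPLE_FAST = """\
06/28-12:40:03.123456 [**] [1:0:0] test [**] {TCP} 192.168.0.2:1037 -> 10.0.0.1:80
06/28-12:40:03.654321 [**] [1:0:0] test [**] {TCP} 10.0.0.1:80 -> 192.168.0.2:1037
"""

# Constructed sample of the "full" alert format: a header line, a timestamp
# line, then packet details, terminated by a blank line.
SAMPLE_FULL = """\
[**] [1:0:0] test [**]
06/28-12:40:05.000001 192.168.0.2:1038 -> 10.0.0.1:80
TCP TTL:128 TOS:0x0 ID:1 IpLen:20 DgmLen:48 DF
******S* Seq: 0x1  Ack: 0x0  Win: 0x4000  TcpLen: 28

"""

# Snort timestamps look like MM/DD-HH:MM:SS.microseconds (no year by default).
TS = r"(?P<ts>\d{2}/\d{2}-\d{2}:\d{2}:\d{2}\.\d{6})"
HDR = r"\[\*\*\] \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.*?) \[\*\*\]"
FAST_RE = re.compile(TS + " " + HDR)
FULL_HDR_RE = re.compile("^" + HDR + r"\s*$")
FULL_TS_RE = re.compile("^" + TS + r" (?P<src>\S+) -> (?P<dst>\S+)")

def parse_alerts(text):
    """Return a list of (timestamp, rule message) tuples found in alert.ids text."""
    alerts = []
    pending_msg = None            # header seen in full format, timestamp not yet
    for line in text.splitlines():
        m = FAST_RE.match(line)
        if m:
            alerts.append((m.group("ts"), m.group("msg")))
            continue
        m = FULL_HDR_RE.match(line)
        if m:
            pending_msg = m.group("msg")
            continue
        m = FULL_TS_RE.match(line)
        if m and pending_msg is not None:
            alerts.append((m.group("ts"), pending_msg))
            pending_msg = None
    return alerts

def alert_summary(text):
    """Count alerts per rule message; an empty result means nothing was written."""
    return Counter(msg for _, msg in parse_alerts(text))

if __name__ == "__main__":
    for name, sample in (("fast", SAMPLE_FAST), ("full", SAMPLE_FULL)):
        print(name, dict(alert_summary(sample)))
```

To use it on a real install, read alert.ids into a string and pass it to `alert_summary`; a count of zero for "test" after browsing the web means the rules never fired or were not loaded.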