[Snort-users] Newbie needs help!!

Matt Kettler mkettler at ...4108...
Mon Mar 18 10:32:04 EST 2002


Personally I set up snortsnarf to run as a cron job at daily intervals 
right before I rotate my snort logfiles. My setup isn't exactly "clean" in 
that I've got snortsnarf.pl installed into my snort log directory, but it 
is sufficient for my needs. This causes the snortsnarf output to be in a 
snfout.alert subdirectory under my snortlogs.

To add some level of security to this "not very clean" setup, I've got snort 
running in a chroot home directory, and I'm using thttpd as my webserver, 
chdired/chrooted into the snortsnarf output directory. 
You could also install snortsnarf someplace completely different, specify 
full paths to your snort alert files, and use snortsnarf's -d option to set 
where the output goes (it would be a much cleaner thing to do and much 
safer if the idea of chrooting daemons confuses you).

I run the following bash script as a cron job:

#!/bin/bash
# Run from cron once a day, right before the snort logs are rotated.
cd /home/snort/var/log/snort/ || exit 1
nice ./snortsnarf.pl alert alert.1 portscan.log portscan.log.1

and my thttpd startup looks like this:
/usr/local/sbin/thttpd -d /home/snort/var/log/snort/snfout.alert -r

I really should also be using the -rulesfile and -rulesdir options to 
snortsnarf; my setup works well enough for the moment, but it is on my 
"todo" list.

At 08:32 PM 3/17/2002 -0800, lsd kuyeh wrote:
>Dear all Snort-User,
>
>I downloaded SnortSnarf and I am not an expert in Snort.
>I am confused because I don't know how to run
>SnortSnarf although my Apache is ready.
>
>Can anyone tell me the procedure and commands to
>enable my SnortSnarf to run? I have already tried for weeks,
>but with no result.
>
>
>Confused,
>Sean
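
The "cleaner" layout Matt describes above (snortsnarf.pl installed somewhere 
other than the log directory, full paths to the alert files, output placed 
with -d, plus the -rulesfile/-rulesdir options he has on his todo list) as a 
cron-driven script. This is an added example, not the poster's script and not 
part of the SnortSnarf distribution; every path in it (the snortsnarf.pl 
location, /var/log/snort, /var/www/snortsnarf, the rules file and directory) 
is an assumption for the host it runs on. It refuses to run when the output 
directory sits inside the log tree, is a symlink, is owned by someone else or 
is world-writable, since whatever lands there is exactly what a chrooted 
thttpd will serve.

```shell
#!/bin/bash
# snortsnarf-report.sh: cron-driven SnortSnarf run with snortsnarf.pl installed
# outside the Snort log directory, absolute paths to the alert files, -d for
# the HTML output directory and -rulesfile/-rulesdir so signature links resolve.
# Added example, not the original poster's script; all paths are assumptions.
set -u

SNORTSNARF=${SNORTSNARF:-/usr/local/bin/snortsnarf.pl}  # assumed install location
LOGDIR=${LOGDIR:-/var/log/snort}                        # assumed Snort log directory
OUTDIR=${OUTDIR:-/var/www/snortsnarf}                   # assumed thttpd docroot
RULESFILE=${RULESFILE:-/etc/snort/snort.conf}           # assumed, passed to -rulesfile
RULESDIR=${RULESDIR:-/etc/snort/rules}                  # assumed, passed to -rulesdir

# Resolve a directory to its physical path (symlinks followed) so that the
# containment check below compares like with like.
realdir() {
  (cd "$1" 2>/dev/null && pwd -P)
}

# True if directory $1 is $2 or lies beneath it. Used to refuse the layout
# where the web root sits inside the log tree, which would put the raw
# alert files inside the web server's chroot.
path_is_under() {
  child=$(realdir "$1") || return 1
  parent=$(realdir "$2") || return 1
  [ "$parent" = / ] && return 0
  case "$child/" in
    "$parent"/*) return 0 ;;
    *) return 1 ;;
  esac
}

# The directory SnortSnarf writes into must exist, must not be a symlink
# (a link planted by another user would redirect the HTML), must be owned
# by the account running this job, and must not be writable by anyone else.
check_output_dir() {
  dir=$1
  [ ! -L "$dir" ] || { echo "refusing symlink: $dir" >&2; return 1; }
  [ -d "$dir" ]   || { echo "not a directory: $dir" >&2; return 1; }
  [ -O "$dir" ]   || { echo "not owned by $(id -un): $dir" >&2; return 1; }
  if [ -n "$(find "$dir" -prune -perm -0002)" ]; then
    echo "world-writable, refusing: $dir" >&2
    return 1
  fi
  return 0
}

# Print, one per line, those of the given files that exist as regular files,
# so a rotated file that is not there yet (portscan.log.1 on the first day)
# does not make the whole run fail.
existing_inputs() {
  for f in "$@"; do
    [ -f "$f" ] && printf '%s\n' "$f"
  done
  return 0
}

main() {
  if path_is_under "$OUTDIR" "$LOGDIR"; then
    echo "output dir $OUTDIR is inside log dir $LOGDIR; refusing" >&2
    exit 1
  fi
  check_output_dir "$OUTDIR" || exit 1
  inputs=$(existing_inputs "$LOGDIR/alert" "$LOGDIR/alert.1" \
                           "$LOGDIR/portscan.log" "$LOGDIR/portscan.log.1")
  [ -n "$inputs" ] || { echo "no alert files under $LOGDIR" >&2; exit 1; }
  # The paths were built above from whitespace-free components, so splitting
  # $inputs back into separate arguments is safe here.
  # shellcheck disable=SC2086
  set -- "$SNORTSNARF" -d "$OUTDIR" -rulesfile "$RULESFILE" -rulesdir "$RULESDIR" $inputs
  echo "running: nice $*"
  nice "$@"
}

# Only perform the run when invoked with --run (the cron entry); running the
# file bare just defines the functions. Assumed cron line, daily before logrotate:
#   55 23 * * * /usr/local/sbin/snortsnarf-report.sh --run
# Matching web server, chrooted (-r) to the output directory only and dropped
# to an unprivileged user (-u):
#   /usr/local/sbin/thttpd -d /var/www/snortsnarf -r -u www-data
if [ "${1:-}" = "--run" ]; then
  main
fi
```

Keeping the output directory outside both the log tree and the snort chroot 
means thttpd's chroot contains nothing but the generated HTML, and the 
ownership/permission checks stop a writable or symlinked web root from being 
used to plant content that the report viewer would then serve.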
