[Snort-users] Bleeding Edge Win32 Snort and Cerebus Win32

Dragos Ruiu dr at ...50...
Sat Sep 14 03:44:01 EDT 2002


Well I finished porting the Cerebus Alert Analyzer and Correlator
to a bare-metal Win32 API GUI application for browsing Snort IDS
alerts much much faster than SQL databases without the need 
for installing a database...  

Cerebus Win32 V1.4L is now available at:
	 http://dragos.com/cerebus

I also felt energetic (and it's cheaper to stay at home on a Friday and 
code instead of going out :-) so I packaged it up in a "Bleeding Edge
Cerebus/Snort/WinPcap Installer" which is also available at that
URL as well as the standalone data viewer .EXE binary.

In the "Bleeding Edge" installer: 
I compiled up Snort CVS 1.9beta on Win32, loaded in 
WinPcap 3.0beta and bundled that all together with two 
shortcuts and some doc files in the installer. The Snort
shortcuts are:

Snort Sniffer Mode: 
  A shortcut that executes "Program Files\Cerebus\snort -evi 2"
  in the same dir.

Snort IDS Mode
  A shortcut that executes "Program Files\Cerebus\snort -i 2 -c snort.conf"
  in the same dir and I fudged up a snort.conf file with the appropriate
  output so that you can use Cerebus to read and analyse the alert files
  that will accumulate in Program Files\Cerebus\logs.

There is a readme file that will tell you more.

If you have problems with the above defaults (you'll notice if the shortcuts
flash and quit instead of staying open and giving you data) try using 1 or 
3 or another number for the numeric interface parameter as it may vary 
from system to system (but 2 seemed the most likely default). Find where
the installer put the shortcuts on your system by using Find Files, and 
right click on their properties tab to adjust them.
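An added example, not part of the original post or of the Cerebus/Snort installer: a small batch wrapper for the "Snort IDS Mode" shortcut that takes the interface number as a command-line argument and keeps the console window open when Snort exits with an error, so the message can be read instead of the window flashing and quitting. It assumes cmd.exe on Win2k/XP (%ProgramFiles% and exit /b are not available in the Win9x/ME command.com), the Program Files\Cerebus install path from the shortcuts above, and that the -W interface-listing option of later Win32 Snort builds is present in this 1.9 beta; if it is not, delete that line.

```batch
@echo off
REM run-snort-ids.bat  (added example, not shipped with Cerebus or Snort)
REM Usage: run-snort-ids.bat [interface-number]   (default: 2, as in the shortcut)
setlocal

set IFNUM=%1
if "%IFNUM%"=="" set IFNUM=2

REM Install path used by the installer's shortcuts (assumption: default location).
set SNORTDIR=%ProgramFiles%\Cerebus
if not exist "%SNORTDIR%\snort.exe" (
  echo snort.exe not found in "%SNORTDIR%" - adjust SNORTDIR in this script.
  pause
  exit /b 1
)

REM Cerebus reads the alert files from the logs directory; make sure it exists.
if not exist "%SNORTDIR%\logs" mkdir "%SNORTDIR%\logs"
cd /d "%SNORTDIR%"

REM Assumption: -W lists the numbered interfaces on Win32 builds of Snort.
REM Comment this line out if the bundled beta does not accept it.
snort -W

echo Starting Snort IDS mode on interface %IFNUM% ...
snort -i %IFNUM% -c snort.conf -l logs
set RC=%ERRORLEVEL%

if not "%RC%"=="0" (
  echo Snort exited with code %RC%.
  echo If the interface was wrong, try: %~n0 1   or   %~n0 3
  pause
)
endlocal
```

Pointing the shortcut at this script (or running it from a console) means the interface number can be changed per run instead of editing the shortcut's properties each time, and a bad interface number produces a visible error rather than a window that disappears.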

Now please keep in mind this is the latest beta stuff and it may just (:-)
have some bugs.... It seems to work just fine on Win2k and WinXP
but it looks like Pcap3.0 has some problems on my WinME systems....
Get rid of the System32\WinPcap.dll, System32\packet.dll, and
System32\drivers\npf.sys files and reinstall an older pcap if you
have problems. I would appreciate knowing if anyone can get it 
to work on their ME or 98 with WinPcap3.0 (I'll poke more at it 
tomorrow).

But overall this seems like a nice solution for a speedy Win32 IDS 
and data analysis system without installing or waiting for a web-gui 
and database queries. More aardvark toys coming soon...

Enjoy,
--dr
 
As usual, I will answer e-mail queries, but preference _will_ be given
to those who choose to pay for the commercial version of Cerebus.

-- 
dr at ...50...  pgp: http://dragos.com/dr-dursec.asc
Advance CanSecWest/03 registration available: http://cansecwest.com
"The question of whether computers can think is like the question
  of whether submarines can swim." --Edsger Wybe Dijkstra 1930-2002
