[Snort-users] Re:Newbie install on OpenBSD 3.2

Jobs applications at ...7582...
Tue Jan 28 06:46:18 EST 2003


> From: "Siobahn Hotaling" <siobahn at ...8109...>
> To: <snort-users at lists.sourceforge.net>
> Date: Mon, 27 Jan 2003 19:49:21 -0800
> Subject: [Snort-users] Newbie Install on OpenBSD Question
>
> I've been scouring the Snort FAQ and README's all day, but I still have a
> few unsolved questions and I was hoping that someone could help.
> (installing from ports on OpenBSD 3.2)
Keep in mind the ports version is 1.8.6, not that this is bad but just
remember that.

> 1.  The machine I am installing on is a web server that is also configured
> as a firewall to an internal network, but I am more interested in the
> traffic that comes into the server (not into the internal network).  If this
> is so, do I configure the $HOME_NET and $EXTERNAL_NET IP addresses both to
> be the IP address of the server?
No. The external net means machines that don't belong to your network, that
are not friends, that you want to activate snort signature matching for.
So in your case $HOME_NET will be <visible external ip address>
and $EXTERNAL_NET will be !$HOME_NET.
One thing you would want to know here is packets from your internal network
destined to the machine's external IP (which should not happen) will be
processed by snort.
If you want to monitor your internal users then $HOME_NET should have both
IPs.

There is a sample snort.conf file, you should find it in
/usr/local/share/examples/snort
There is also a collection of rules;
pkg_info snort | more should help.

>
> 2.  I can't find the sql statements to create the tables snort needs to put
> the logs into a mysql database anywhere - nothing showed up in the install
> directory.
>
Read the README file for flags to compile the port with SQL support.
In any case, if you don't find a file called snortdb.sql or such then get it
from snort's website for the same version to ensure the DB schema did not
change, and then execute it.
for MySQL
mysql -u user -p
mysql>create database snort
mysql>quit
#mysql -u user -p snort < snortdb.sql
Make sure you give permissions to the snort user to connect to and write to
the DB.

If you are thinking about logging to a DB because you want to run ACID, that
is an excellent choice. But I would like to promote software I wrote
(currently win32) that can read snort XML logs; a screen shot is @
http://www.maximumunix.org/images/ScreenShotSnort.jpg
I am almost done porting it to Unix, my test environment is OpenBSD 3.2 so
you will feel right at home.
Get snort working and try logging to XML while I am finishing up :-)

> Any help would be much appreciated!
>
> Thanks

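As an added example, not code from the reply above, from Snort or from the OpenBSD port: a small Python model of how the two $HOME_NET / $EXTERNAL_NET settings discussed in answer 1 decide whether a rule header of the form `$EXTERNAL_NET any -> $HOME_NET any` sees a packet. It handles only the `var NAME VALUE` syntax, `$NAME` references, a leading `!` and bracketed `[a,b]` lists; the two snort.conf fragments and the three packets are constructed, with documentation addresses (203.0.113.10 as the server's public IP, 192.168.1.0/24 as the internal LAN) standing in for real ones.

```python
import ipaddress

# Constructed snort.conf fragments modelled on the reply's two settings; the
# addresses are documentation ranges standing in for the server's public IP
# (203.0.113.10) and the internal LAN (192.168.1.0/24).
CONF_SERVER_ONLY = """
# HOME_NET is only the server's visible external address
var HOME_NET 203.0.113.10
var EXTERNAL_NET !$HOME_NET
"""

CONF_BOTH = """
# HOME_NET covers the external address and the internal LAN
var HOME_NET [203.0.113.10,192.168.1.0/24]
var EXTERNAL_NET !$HOME_NET
"""


def parse_vars(conf_text):
    """Collect 'var NAME VALUE' lines into a dict, ignoring comments."""
    found = {}
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        parts = line.split(None, 2)
        if len(parts) == 3 and parts[0] == "var":
            found[parts[1]] = parts[2]
    return found


def resolve(value, variables):
    """Expand $NAME references, a leading '!' and [a,b] lists.

    Returns (negated, networks); networks is None for the keyword 'any'.
    """
    value = value.strip()
    negated = value.startswith("!")
    if negated:
        value = value[1:].strip()
    if value.startswith("$"):
        inner_negated, nets = resolve(variables[value[1:]], variables)
        negated = negated != inner_negated      # '!' applied to '!X' is X
    elif value == "any":
        nets = None
    else:
        if value.startswith("[") and value.endswith("]"):
            value = value[1:-1]
        nets = [ipaddress.ip_network(tok.strip(), strict=False)
                for tok in value.split(",") if tok.strip()]
    if negated and nets is None:
        raise ValueError("'!any' would match nothing; treat it as a config error")
    return negated, nets


def in_set(value, variables, ip):
    """True if ip belongs to the address set described by value."""
    negated, nets = resolve(value, variables)
    if nets is None:
        return True
    hit = any(ipaddress.ip_address(ip) in net for net in nets)
    return hit != negated


def rule_header_matches(conf_text, src_ip, dst_ip):
    """Would a rule header '$EXTERNAL_NET any -> $HOME_NET any' see this packet?"""
    variables = parse_vars(conf_text)
    return (in_set("$EXTERNAL_NET", variables, src_ip)
            and in_set("$HOME_NET", variables, dst_ip))


# Constructed packets: internet -> server, internal LAN -> the server's
# external IP (the case the reply points out), and LAN -> LAN.
PACKETS = {
    "internet_to_server": ("198.51.100.7", "203.0.113.10"),
    "lan_to_external_ip": ("192.168.1.5", "203.0.113.10"),
    "lan_to_lan": ("192.168.1.5", "192.168.1.20"),
}


def classify(conf_text):
    """Map each constructed packet to whether the rule header matches."""
    return {name: rule_header_matches(conf_text, src, dst)
            for name, (src, dst) in PACKETS.items()}


if __name__ == "__main__":
    for label, conf in (("server only", CONF_SERVER_ONLY), ("both IPs", CONF_BOTH)):
        print(label, classify(conf))
```

With HOME_NET set to the external address only, traffic from the internal LAN to that address counts as external and is inspected, which is the side effect the reply warns about; with both ranges in HOME_NET that traffic is no longer "external", so rules keyed on $EXTERNAL_NET as the source stop seeing it. Real Snort also allows nested lists and negations inside lists, which this model does not attempt.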