[Snort-users] Regarding the Snort 2.9.1 on CentOS 5.6 (Snort Setup Guide)

Nick Moore nmoore at ...1935...
Mon Jun 25 21:48:04 EDT 2012


Mike,

I've put some answers inline below, but you'll generally have more success
asking the snort-users list rather than just me directly. I haven't updated
the guide in some time (mea culpa, mea maxima culpa).

On Mon, Jun 25, 2012 at 4:13 PM, Mike Henderson
<mhenderson at ...15683...>wrote:

> http://www.snort.org/assets/159/Snort_2.9.1_CentOS_5.pdf
>
> Do you have an updated version of this guide?
>
> I’m primarily a Windows user and only have a very limited “working”
> knowledge of Linux.
>
> I’ve tried using the guide above many times as a step by step install
> method but I just can’t get it to work.
>
> I get a little farther each time but…..
>
> My roadblocks so far have been:
>
> -No mention of development tools needing to be installed for some of the
> “make install” processes.
>

Actually the big yum statement on page 5 covers the dev tools you need. I
tested that one over several earlier iterations of the paper and this list
worked. It is important that you then run the yum -y update and reboot. If
you are still having errors when compiling stuff, post the errors you are
seeing to this list. Generally, you can see these in the bottom dozen or so
lines of your "./configure && make && make install" output.



>
> -Typos like this line on page 9: tar zxvf
> /home/bubba/nbtscan-1-3-1.tar.gz (if it’s not a typo I’m unable to
> locate that file….)
>

My apologies - it is a typo. In the paper, I referenced downloading version
1.0.35 of the code, but 1.5.1 is now available.

>
> -A great lack of understanding of what kind of entries and output I’m
> supposed to be looking at.
>

Can't really help much there, other than encouraging you to keep at it, use
Google extensively and post questions to the list. A lack of understanding
is a temporary condition if you just keep plugging away. If your company
will spring for it, I'd recommend Snort training from Sourcefire or taking
the Intrusion Analysis class from SANS. The latter will give you lots of
other skills helpful in network analysis.

>
> Example of not knowing what I’m supposed to be looking at:
>
> Should this line:
>
> /usr/local/bin/barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort -f
> snort.log -w /var/log/snort/barnyard.waldo
>
> Look like this:
>
> /usr/local/bin/barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort/
> -f snort.log -w /var/log/snort/barnyard.waldo
>

Nope, the trailing / is not necessary.

>
> Currently – I have Snort and Barnyard2 running but I’m unable to see any
> of the SID 100001 events in snortreport-1.3.1 on page 13
>

There could be all sorts of reasons for this. First, try doing a tcpdump on
your sensing interface and see if you are getting real traffic there. Is
the traffic coming from a SPAN off a switch or a tap? I'm assuming that you
are not inline.

Make sure that you are seeing more than just broadcast traffic. On a normal
network, you should see lots of web traffic and NetBIOS traffic (not just
the broadcasts). If all you are seeing are broadcasts, you are not on a SPAN
port, but a normal switchport.

If you are doing this in VMWare rather than a native OS, how are you
getting packets to VMWare? Are you sure you are on a bridged interface and
not a NAT or internal only interface? Again, tcpdump will tell you lots.


>
> When I stop barnyard – all the values for packets and protocols are 0.
> The alert file and the snort.log.(number string) files do contain data.
>

Chances are something is messed up with one of your configuration files.
Reply all to the list and include your snort.conf and barnyard.conf files
as attachments.

>
> If you do not have an updated version of the guide -
>
> Would it be possible to walk through your guide step by step to see if any
> entries are missing or correct any that are mistyped?
>

I've started a new version, but haven't had time to work on it. I'll
probably get to it sometime in July, as this is the last week of the
quarter and I have some serious plane time in July - good time to get
things done. Sorry it's not more immediate, but responding to the
snort-users list as specified in some of the steps above will probably get
you answers faster.

>
> Any help would be greatly appreciated.
>
> Thank you
>
> PS
>
> My apologies for the email
>
> I know it is “noob” stuff that I’m asking about - but I am trying….
>
> Mike Henderson
> Network Administrator
> F&W Forestry Services, Inc.
> 1310 West Oakridge Drive
> Albany, GA 31707
> o: 229.883.0505 ext 142    f: 229.883.0515
> MHenderson at ...15683...
> www.fwforestry.com
>



-- 
Nick Moore, SFCE, CISSP, CISA
Sr. Systems Engineer
Voice 708-336-9041
Email nick.moore at ...1935...
IM    nickgmoore (Yahoo)
       nickgmoore38 (AIM)

    ,,_
   o"  )~   Sourcefire - The Creators of Snort
    ''''

www.sourcefire.com         www.snort.org     www.immunet.com
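As an added example (not part of the original thread) of the tcpdump sanity check Nick describes above: this Python script classifies the link-level headers printed by "tcpdump -e -n -i <iface>" into broadcast, multicast and unicast frames, and flags unicast frames exchanged between hosts other than the sensor itself, which is the traffic a plain switchport never shows and a SPAN port or tap does. The sample lines and the sensor MAC address are constructed for the demonstration, not taken from a real capture.

```python
import re
from collections import Counter

# Link-level header as printed by "tcpdump -e -n": timestamp, src MAC, ">", dst MAC, ",".
_HDR = re.compile(
    r"^\S+\s+(?P<src>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})\s+>\s+"
    r"(?P<dst>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}),", re.IGNORECASE)

def classify_dst(mac):
    """Broadcast, multicast (low bit of the first octet set) or unicast."""
    mac = mac.lower()
    if mac == "ff:ff:ff:ff:ff:ff":
        return "broadcast"
    if int(mac[:2], 16) & 1:
        return "multicast"
    return "unicast"

def summarize(lines, own_mac):
    """Count frames per destination class. 'foreign_unicast' counts unicast
    frames where neither MAC is the sensor's: the signature of a SPAN/tap
    feed, since a normal switchport only delivers frames addressed to you."""
    own = own_mac.lower()
    counts = Counter()
    for line in lines:
        m = _HDR.match(line)
        if not m:
            continue  # hex-dump or continuation lines carry no L2 header
        src, dst = m.group("src").lower(), m.group("dst").lower()
        kind = classify_dst(dst)
        counts[kind] += 1
        if kind == "unicast" and own not in (src, dst):
            counts["foreign_unicast"] += 1
    return counts

def looks_like_span(lines, own_mac):
    return summarize(lines, own_mac)["foreign_unicast"] > 0

# Constructed sample of "tcpdump -e -n" output (not a real capture).
SAMPLE = """\
12:00:01.000001 00:11:22:33:44:55 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Request who-has 10.0.0.1 tell 10.0.0.5, length 46
12:00:01.000002 00:11:22:33:44:55 > 01:00:5e:00:00:fb, ethertype IPv4 (0x0800), length 90: 10.0.0.5.5353 > 224.0.0.251.5353: UDP, length 48
12:00:01.000003 00:11:22:33:44:55 > 00:aa:bb:cc:dd:ee, ethertype IPv4 (0x0800), length 74: 10.0.0.5.51234 > 10.0.0.7.80: Flags [S], seq 1, win 64240, length 0
12:00:01.000004 00:aa:bb:cc:dd:ee > 00:11:22:33:44:55, ethertype IPv4 (0x0800), length 74: 10.0.0.7.80 > 10.0.0.5.51234: Flags [S.], seq 2, ack 2, win 65535, length 0
""".splitlines()

SENSOR_MAC = "00:de:ad:be:ef:01"  # assumed MAC of the sensing interface

if __name__ == "__main__":
    print(summarize(SAMPLE, SENSOR_MAC), "SPAN/tap feed?", looks_like_span(SAMPLE, SENSOR_MAC))
```

On a live sensor, pipe a short capture into it, e.g. `tcpdump -e -n -i eth1 -c 500 | python3 span_check.py`, after replacing SAMPLE with `sys.stdin`.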