[Snort-users] Problem snort 9.3.3 - SNORT REPORT show NO DATA

Sans, Ruben rsans at ...15899...
Fri Oct 26 08:05:48 EDT 2012


Hi all,

I installed snort with the following versions:
sudo wget http://hem.bredband.net/jpgraph/jpgraph-1.27.1.tar.gz
sudo wget http://www.symmetrixtech.com/ids/snortreport-1.3.3.tar.gz
sudo wget http://www.snort.org/dl/snort-current/daq-1.1.1.tar.gz
sudo wget http://libdnet.googlecode.com/files/libdnet-1.12.tgz
sudo wget http://www.snort.org/dl/snort-current/snort-2.9.3.tar.gz
FTP     snortrules-snapshot-2930.tar.gz

I installed it following the default Snort procedure for Ubuntu 12.04:
http://www.snort.org/assets/158/snortinstallguide293.pdf

The Network configuration is as follows:
2 network interfaces:
Eth0 --> IP LAN
Eth1 --> Snort

auto eth0
iface eth0 inet static
        address 192.168.252.62
        netmask 255.255.255.0
        network 192.168.252.0
        broadcast 192.168.252.255
        gateway 192.168.252.254
        # dns-* options are implemented by the resolvconf package, if installed
        dns-nameservers 172.16.14.30

auto eth1
iface eth1 inet manual
        up ifconfig eth1 0.0.0.0 up
        up ip link set eth1 promisc on
* I had previously configured the interface without promiscuous mode

Config in the Cisco Catalyst 3750
monitor session 1 source interface Gi0/1 , Gi0/11 , Gi0/24 , Gi0/27 , Gi0/41 , Gi0/43
monitor session 1 destination interface Gi0/44

I tested with tcpdump and see traffic on eth1; I have also connected Wireshark and I see traffic.

I have just installed Snort; Snort Report works properly, but I get "NO DATA".

Can you help me, please?

Thanks in advance!



ANNEX WITH THE DETAILS/STEPS OF THE CONFIGURATION
Below I show the full Snort configuration:

sudo apt-get install nmap
sudo apt-get install nbtscan
sudo apt-get install apache2
sudo apt-get install php5
sudo apt-get install php5-mysql
sudo apt-get install php5-gd
sudo apt-get install libpcap0.8-dev
sudo apt-get install libpcre3-dev
sudo apt-get install g++
sudo apt-get install bison
sudo apt-get install flex
sudo apt-get install libpcap-ruby
sudo apt-get install make
sudo apt-get install autoconf
sudo apt-get install libtool

pass root mysql = YOURPASSWORD
sudo apt-get install mysql-server
sudo apt-get install libmysqlclient-dev

sudo apt-get update
sudo apt-get upgrade

SNORT REPORT

Download and install JpGraph (Optional)

sudo wget http://hem.bredband.net/jpgraph/jpgraph-1.27.1.tar.gz
sudo mkdir /var/www/jpgraph
sudo tar zxvf jpgraph-1.27.1.tar.gz
sudo cp -r jpgraph-1.27.1/src /var/www/jpgraph/

Download and Set up Snort Report

wget http://www.symmetrixtech.com/ids/snortreport-1.3.3.tar.gz
sudo tar zxvf snortreport-1.3.3.tar.gz -C /var/www/

sudo nano /var/www/snortreport-1.3.3/srconf.php

Change this:
$pass = "YOURPASS";

For this:
$pass = "YOURPASSWORD";

SNORT

Download and install the DATA Acquisition API

sudo wget http://www.snort.org/dl/snort-current/daq-1.1.1.tar.gz
sudo tar zxvf daq-1.1.1.tar.gz
cd daq-1.1.1
sudo ./configure
sudo make
sudo make install

Download and install libdnet

wget http://libdnet.googlecode.com/files/libdnet-1.12.tgz
sudo tar zxvf libdnet-1.12.tgz
cd libdnet-1.12/
sudo ./configure
sudo make
sudo make install
sudo ln -s /usr/local/lib/libdnet.1.0.1 /usr/lib/libdnet.1

Download and install snort

sudo  wget http://www.snort.org/dl/snort-current/snort-2.9.3.tar.gz
sudo tar zxvf snort-2.9.3.tar.gz
cd snort-2.9.3
sudo ./configure --prefix=/usr/local/snort --enable-sourcefire
sudo make
sudo make install
sudo mkdir /var/log/snort
sudo mkdir /var/snort
sudo groupadd snort
sudo useradd -g snort snort
sudo chown snort:snort /var/log/snort

Download snort Rules

FTP     snortrules-snapshot-2930.tar.gz
sudo tar zxvf snortrules-snapshot-2930.tar.gz -C /usr/local/snort
sudo mkdir /usr/local/snort/lib/snort_dynamicrules
sudo cp /usr/local/snort/so_rules/precompiled/Ubuntu-10-4/i386/2.9.3.0/* \
/usr/local/snort/lib/snort_dynamicrules
sudo touch /usr/local/snort/rules/white_list.rules
sudo touch /usr/local/snort/rules/black_list.rules
sudo ldconfig

Configure Snort

sudo nano /usr/local/snort/etc/snort.conf

Change this:
var WHITE_LIST_PATH ../rules
var BLACK_LIST_PATH ../rules

For this:
var WHITE_LIST_PATH /usr/local/snort/rules
var BLACK_LIST_PATH /usr/local/snort/rules

Change this:
dynamicpreprocessor directory /usr/local/lib/snort_dynamicpreprocessor/
dynamicengine /usr/local/lib/snort_dynamicengine/libsf_engine.so
dynamicdetection directory /usr/local/lib/snort_dynamicrules

For this:
dynamicpreprocessor directory /usr/local/snort/lib/snort_dynamicpreprocessor/
dynamicengine /usr/local/snort/lib/snort_dynamicengine/libsf_engine.so
dynamicdetection directory /usr/local/snort/lib/snort_dynamicrules

After this line:
#output unified2: filename merged.log, limit 128, nostamp, \
mpls_event_types, vlan_event_types

Put this line:
output unified2: filename snort.u2, limit 128


Download and install Barnyard2

wget https://nodeload.github.com/firnsy/barnyard2/tarball/master \
-O barnyard2-2.10.tar.gz
sudo tar zxvf barnyard2-2.10.tar.gz
cd firnsy-barnyard2*
sudo autoreconf -fvi -I ./m4
sudo ./configure --with-mysql --with-mysql-libraries=/usr/lib/i386-linux-gnu
sudo make
sudo make install
sudo cp etc/barnyard2.conf /usr/local/snort/etc
sudo mkdir /var/log/barnyard2
sudo chmod 666 /var/log/barnyard2
sudo touch /var/log/snort/barnyard2.waldo
sudo chown snort.snort /var/log/snort/barnyard2.waldo

echo "create database snort;" | mysql -u root -p
mysql -u root -p -D snort < ./schemas/create_mysql

echo "grant create, insert, select, delete, update on snort.* to snort at ...2093...74... \
identified by 'YOURPASSWORD'" | mysql -u root -p

sudo nano /usr/local/snort/etc/barnyard2.conf

Change these lines:
config reference_file: /etc/snort/reference.config
config classification_file: /etc/snort/classification.config
config gen_file: /etc/snort/gen-msg.map
config sid_file: /etc/snort/sid-msg.map

#config hostname: thor
#config interface: eth0

#output database: log, mysql, user=root password=test dbname=db host=localhost

For this:
config reference_file: /usr/local/snort/etc/reference.config
config classification_file: /usr/local/snort/etc/classification.config
config gen_file: /usr/local/snort/etc/gen-msg.map
config sid_file: /usr/local/snort/etc/sid-msg.map

config hostname: localhost
config interface: eth1

output database: log, mysql, user=snort password=YOURPASSWORD dbname=snort \
host=localhost


Testing Snort

sudo /usr/local/snort/bin/snort -u snort -g snort \
-c /usr/local/snort/etc/snort.conf -i eth1

Snort Start automatically

sudo nano /etc/rc.local

After exit 0:
ifconfig eth1 up
/usr/local/snort/bin/snort -D -u snort -g snort \
-c /usr/local/snort/etc/snort.conf -i eth1
/usr/local/bin/barnyard2 -c /usr/local/snort/etc/barnyard2.conf \
-G /usr/local/snort/etc/gen-msg.map \
-S /usr/local/snort/etc/sid-msg.map \
-d /var/log/snort \
-f snort.u2 \
-w /var/log/snort/barnyard2.waldo \
-D

sudo /etc/init.d/rc.local start

http://192.168.252.62/snortreport-1.3.3/alerts.php



Rubén Sans
Information Systems Dept.


Diputación, 390-392
08013 Barcelona
Tel. 933 440 800, Ext. 408
e-mail: rsans at ...15899...<mailto:rsans at ...15901...@simon.es>
www.simon.es
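To isolate where the pipeline breaks (Snort -> unified2 file -> Barnyard2 -> MySQL -> Snort Report), the first thing to check is whether the unified2 file Snort writes actually contains alert records. The script below is an added example, not code from this post or from the Snort project: it parses a unified2 file as produced by the `output unified2: filename snort.u2, limit 128` line above (type-7 IPv4 events, since no vlan/mpls event types are enabled) and counts records by type; the script name `u2check.py`, the sample event values and the truncation check are constructed assumptions.

```python
import struct
import sys

# Unified2 record header: uint32 type, uint32 length, both in network byte order.
UNIFIED2_PACKET = 2
UNIFIED2_IDS_EVENT = 7         # IPv4 event written by "output unified2" without vlan_event_types
UNIFIED2_IDS_EVENT_VLAN = 104  # IPv4 event when mpls_event_types/vlan_event_types are enabled

# Unified2IDSEvent_legacy (type 7): sensor_id, event_id, event_second, event_microsecond,
# signature_id, generator_id, signature_revision, classification_id, priority_id,
# ip_source, ip_destination, sport_itype, dport_icode, protocol, impact_flag, impact, blocked.
EVENT_V1 = struct.Struct("!9I2I2H4B")   # 52 bytes

def iter_records(data):
    """Yield (record_type, payload) for each record; raise on a truncated file."""
    off = 0
    while off + 8 <= len(data):
        rtype, rlen = struct.unpack_from("!II", data, off)
        off += 8
        if off + rlen > len(data):
            raise ValueError("truncated record at offset %d" % (off - 8))
        yield rtype, data[off:off + rlen]
        off += rlen

def summarize(data):
    """Return (counts by record type, list of (gid, sid) for IPv4 type-7 events)."""
    counts, events = {}, []
    for rtype, payload in iter_records(data):
        counts[rtype] = counts.get(rtype, 0) + 1
        if rtype == UNIFIED2_IDS_EVENT and len(payload) == EVENT_V1.size:
            f = EVENT_V1.unpack(payload)
            events.append((f[5], f[4]))   # generator_id, signature_id
    return counts, events

def build_sample():
    """Constructed sample file: one type-7 event (gid 1, sid 2100498) plus its packet record."""
    ev = EVENT_V1.pack(0, 1, 1351238748, 0, 2100498, 1, 7, 3, 2,
                       0xC0A8FC0A, 0xC0A8FC3E, 12345, 22, 6, 0, 0, 0)
    pkt = b"\x00" * 60   # packet body contents do not matter for counting
    return (struct.pack("!II", UNIFIED2_IDS_EVENT, len(ev)) + ev
            + struct.pack("!II", UNIFIED2_PACKET, len(pkt)) + pkt)

if __name__ == "__main__":
    # Usage: python u2check.py /var/log/snort/snort.u2.<timestamp>  (no argument: built-in sample)
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample()
    counts, events = summarize(data)
    print("records by type:", counts)
    print("IPv4 events (gid:sid):", ["%d:%d" % e for e in events])
```

Snort appends a timestamp to the configured name, so run it against the newest /var/log/snort/snort.u2.* file. If that file is absent or shows no type-7 records, the problem is upstream of Barnyard2 (Snort not running, not seeing the SPAN traffic, or no rule firing); if events are present but the snort database stays empty, look at Barnyard2 and its waldo file instead.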

