LinuxQuestions.org
Linux - Networking This forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.

Old 10-28-2004, 01:29 PM   #1
turbo_acura
Member
 
Registered: Sep 2004
Location: London, UK
Posts: 95

Rep: Reputation: 15
Snort setup


ACID won't display Snort statistics. Everything is running:
ps -ef|grep httpd
ps -ef|grep mysql
ps -ef|grep snort

I have the ACID page up and running.

I tried http://IPaddress/etc/passwd
hoping that it would generate an alert, but it didn't come up with anything.
I'm running snort as '#/usr/local/bin/snort -b -D -A full', so I'm not sure if I'm missing something or whether I just haven't put a potential attack on it. It's in our network, so it's behind many layers of subnets. I'm gonna put down what I compiled below. The only reason I'm including this is that maybe I missed something out during compiling which affects displaying the statistics from the Snort database on the web page. This is what I compiled Apache 1.3.31 with:

CFLAGS='-DEAPI' \
SSL_BASE=../openssl-0.9.7d \
./configure \
--prefix=/usr/local/apache \
--enable-module=ssl \
--enable-shared=ssl \
--enable-module=rewrite \
--enable-shared=max \
--enable-module=so \
--activate-module=src/modules/perl/libperl.a \
--enable-module=perl

and this is what I compiled PHP 4.3.9 with:

CFLAGS='-O2 -I/usr/local/src/openssl-0.9.7d -DEAPI' \
./configure \
--with-apxs=/usr/local/apache/bin/apxs \
--disable-debug \
--enable-ftp \
--enable-inline-optimization \
--enable-magic-quotes \
--enable-mbstring \
--enable-mm=shared \
--enable-safe-mode \
--enable-track-vars \
--enable-trans-sid \
--enable-wddx=shared \
--enable-xml \
--with-dom \
--with-gd \
--with-gettext \
--with-mysql=/usr/local/mysql \
--with-regex=system \
--with-xml \
--with-zlib-dir=/usr/lib


Any ideas?!

Cheers!!
 
Old 10-28-2004, 02:39 PM   #2
ugge
Senior Member
 
Registered: Dec 2000
Location: Gothenburg, SWEDEN
Distribution: OpenSUSE 10.3
Posts: 1,028

Rep: Reputation: 45
If I'm not mistaken there are some tests shipped with Snort to test its function.
Have a closer look at the documentation.
Also try to download the latest rule sets to see if you can catch any port 445 attacks; they are very common these days.
 
Old 11-29-2004, 08:37 AM   #3
monroetech
Member
 
Registered: Nov 2004
Location: Toledo, OH
Distribution: SuSE 9.2 Pro
Posts: 53

Rep: Reputation: 15
First, where is your snort.conf file? Is it /etc/snort/snort.conf?

Do this at your command prompt:

snort -T
This will start snort in test mode. If it starts running with no errors, you're in good shape. If you do get an error it will tell you what the error is; go and fix it, or post it here.

Second, make sure that you uncommented the line that starts with:

output database:
whichever one correlates with the database you're using, i.e. MySQL.

Third, once everything looks good, start snort like this if you have it sitting on eth0 or whatever /dev you have it sitting on.

Mine is on eth0, so I start my snort like this:

snort -y -c /etc/snort/snort.conf -i eth0 -D

Basically this tells snort to log timestamps with the year (-y), then -c load the rule sets I have in snort.conf, then -i listen on interface eth0, and last -D run as a daemon in the background.

If you want to test it yourself, use a second machine to ping your box with snort. If you don't have a second machine, go to http://www.grc.com and run ShieldsUP; it will produce multiple ICMP alerts on your system.

Trying to pull up http://ipaddress/etc/passwd will never produce an alert, because there is NO way that you can pull up the /etc dir from your webserver. Imagine the chaos if someone could do that... heh.

Cheers!
Hope this helps
 
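Added example, not code from any poster in this thread: a small POSIX shell script that automates the checks post #3 walks through by hand. It looks at a snort.conf for a live (uncommented) `output database:` line and for at least one included rules file, uncomments the database line, confirms that a Snort command line actually passes `-c` (the original `snort -b -D -A full` loads no config and therefore no rules), and writes a one-line local.rules that fires on the ICMP echo requests a ping test would generate. The sample snort.conf, the local.rules content, the sid number and every path (/etc/snort/rules, the temp directory) are constructed for this example.

```shell
#!/bin/sh
# Added example for this thread (not code from any poster): check a snort.conf
# and a Snort command line for the two problems post #3 describes.
#   1. The "output database:" line must be uncommented, or ACID stays empty.
#   2. Snort must be started with -c so that snort.conf (and its rules) is
#      loaded at all; "snort -b -D -A full" loads no rules and cannot alert.
# Every path and the sample config below are constructed for the example.

# Write a small constructed snort.conf (database output still commented out)
# to a temp file and print its path, so the example runs offline.
make_sample_conf() {
    f="${TMPDIR:-/tmp}/snort-example-$$-$1.conf"
    cat > "$f" <<'EOF'
var HOME_NET 10.0.0.0/8
var RULE_PATH /etc/snort/rules
# output database: log, mysql, user=snort password=secret dbname=snort host=localhost
output alert_fast: alert.log
include $RULE_PATH/local.rules
EOF
    echo "$f"
}

# True (exit 0) if the config has a live, uncommented "output database:" line.
has_db_output() {
    grep -Eq '^[[:space:]]*output[[:space:]]+database:' "$1"
}

# True if at least one "include" line pulls in a rules file.
has_rule_includes() {
    grep -Eq '^[[:space:]]*include[[:space:]]' "$1"
}

# Report problems in a config; the exit status is the number of problems found.
check_snort_conf() {
    problems=0
    if ! has_db_output "$1"; then
        echo "$1: no active 'output database:' line (ACID will show nothing)"
        problems=$((problems + 1))
    fi
    if ! has_rule_includes "$1"; then
        echo "$1: no rules file is included (Snort will never alert)"
        problems=$((problems + 1))
    fi
    return $problems
}

# Strip the leading '#' from a commented "output database:" line.
# Uses a temp file instead of sed -i so it behaves the same on BSD-style sed.
enable_db_output() {
    sed 's/^[[:space:]]*#[[:space:]]*\(output[[:space:]]*database:\)/\1/' "$1" > "$1.tmp" \
        && mv "$1.tmp" "$1"
}

# True if a Snort command line names a config with -c; without it no rules load.
cmdline_loads_config() {
    case " $* " in
        *" -c "*) return 0 ;;
        *)        return 1 ;;
    esac
}

# Write a minimal local.rules with one rule that fires on ICMP echo requests,
# the test traffic post #3 suggests (ping from a second machine). sid 1000001
# is in the range Snort reserves for local rules.
write_icmp_test_rule() {
    printf '%s\n' \
        'alert icmp any any -> $HOME_NET any (msg:"ICMP echo request test"; itype:8; sid:1000001; rev:1;)' \
        > "$1"
}

# Walk through it: report, fix, re-check, then show the command line to use.
CONF=$(make_sample_conf demo)
check_snort_conf "$CONF" || true
enable_db_output "$CONF"
if check_snort_conf "$CONF"; then
    echo "$CONF passes; start Snort with: snort -c $CONF -i eth0 -D"
fi
cmdline_loads_config snort -b -D -A full || echo "snort -b -D -A full loads no config, so no rules"
rm -f "$CONF"
```

Run it as-is to see the report-then-fix sequence on the constructed config; to check a real deployment, point `check_snort_conf` and `enable_db_output` at the actual snort.conf (for example /etc/snort/snort.conf) and then run `snort -T -c <that file>` as post #3 recommends, since only Snort itself can validate the rest of the configuration.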
  

