LinuxQuestions.org
Old 04-07-2010, 12:26 PM   #1
communication
LQ Newbie
 
Registered: Apr 2010
Posts: 14

Rep: Reputation: 0
How to use Snort?


Please help me.
I am a beginner, but I searched on Google about using Snort and failed to get an obvious and brief discussion of Snort. Is there anyone who uses it who can help me?
Thanks in advance
 
Old 04-07-2010, 12:58 PM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,331
Blog Entries: 55

Rep: Reputation: 3530
Quote:
Originally Posted by communication
I am a beginner (..) I searched on Google about using Snort (..) brief discussion of Snort (..)
What are you interested in?
- Installing Snort? If that's the case then depending on your distribution you can install a package or compile and install Snort from source. If you compile and install Snort from source then download the latest archive from snort.org and unpack it. The directory contains plain text files to read, start with the ones called "README" and "INSTALL". If compiling and installing does not work for you then after reading those text files you will be able to ask more specific questions.
- Running Snort? Once you've installed Snort you should configure snort.conf to use the settings of your network and the detection rules you are interested in. The snort.conf configuration file has lots of comments so after reading it, same here, you will be able to ask more specific questions.

* BTW, I changed your thread title to something more descriptive. Also being a beginner is no reason to avoid using the spelling checker, especially if English is not your native tongue. Forming proper sentences makes this whole problem solving thing a wee bit more satisfactory and efficient, TIA.
 
Old 04-07-2010, 01:14 PM   #3
TB0ne
LQ Guru
 
Registered: Jul 2003
Location: Birmingham, Alabama
Distribution: SuSE, RedHat, Slack,CentOS
Posts: 17,944

Rep: Reputation: 3693
Quote:
Originally Posted by communication
Please help me.
I am a beginner, but I searched on Google about using Snort and failed to get an obvious and brief discussion of Snort. Is there anyone who uses it who can help me?
Thanks in advance
Please spell your words out. And did you check the Snort website??
Complete documentation, user guides, FAQs, and a users forum, one even dedicated to new users.

http://www.snort.org/docs
 
Old 04-07-2010, 06:18 PM   #4
salasi
Senior Member
 
Registered: Jul 2007
Location: Directly above centre of the earth, UK
Distribution: SuSE, plus some hopping
Posts: 4,053

Rep: Reputation: 881
IIRC, Snort has about four modes, and they work differently and are applicable in different circumstances. You don't say anything about what you want to achieve (although you have seemingly decided that Snort is the right tool to use), so it is difficult to offer much in the way of advice.
 
Old 04-08-2010, 04:33 AM   #5
communication
LQ Newbie
 
Registered: Apr 2010
Posts: 14

Original Poster
Rep: Reputation: 0
Thanks to all.

Now I will read the Snort manual.

I am a beginner with Snort. When I type
snort -vd ----------> the result was

UDP TTL:128 TOS:0x0 ID:23 IpLen:20 DgmLen:96
Len: 68
DA 69 28 10 00 01 00 00 00 00 00 01 20 46 48 45 .i( FHE
50 46 43 45 4C 45 48 46 43 45 50 46 46 46 41 43 PFCELEHFCEPFFFAC
41 43 41 43 41 43 41 43 41 43 41 41 41 00 00 20 ACACACACACAAA..
00 01 C0 0C 00 20 00 01 00 04 93 E0 00 06 80 00 .. .
C0 A8 00 12 .

=====================================+

04/08-00:36:55.999354 192.168.0.18:137 -> 192.168.0.255:137
UDP TTL:128 TOS:0x0 ID:24 IpLen:20 DgmLen:96
Len: 68
DA 68 28 10 00 01 00 00 00 00 00 01 20 46 41 45 .h( FAE
42 45 4D 46 44 43 41 43 41 43 41 43 41 43 41 43 BEMFDCACACACACAC
41 43 41 43 41 43 41 43 41 43 41 41 41 00 00 20 ACACACACACAAA..
00 01 C0 0C 00 20 00 01 00 04 93 E0 00 06 00 00 .. .
C0 A8 00 12 .

..etc
Can anyone help me with what each number and symbol means?
I know this is the UDP protocol between my IP and the site's IP,
and 04/8-00:36:55 -----------> date and time,
but what is TTL:128 TOS:0x0 ID:24 IpLen:20 DgmLen:96
Len: 68 ?
And what do all these numbers mean?
Thanks in advance
 
Old 04-08-2010, 04:42 AM   #6
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,331
Blog Entries: 55

Rep: Reputation: 3530
For IP protocol suite TCP and UDP header information read for instance:
http://linux-ip.net/gl/tcng/node36.html
http://www.tcpipguide.com/free/t_IPD...eralFormat.htm
http://www.sans.org/security-resources/tcpip.pdf
http://www.protocols.com/pbook/tcpip2.htm
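The fields asked about in post #5, worked through on the record quoted there. This is an added example written for this page, not Snort's code and not anything posted in the thread. It assumes Snort's -vd dump layout (at most 16 hex bytes per line followed by an ASCII column) and that the two packets are NetBIOS Name Service messages (UDP port 137), which the payload bytes support: the 32-character label after the 12-byte header is a first-level encoded NetBIOS name, and the trailing record carries the registering host's address. The sample record is re-typed from post #5 with the garbled TOS value restored to 0x0, so it is constructed input.

```python
"""Decode one Snort ``-vd`` record (timestamp line, protocol line, Len line,
hex dump) and the NetBIOS Name Service message it carries. Added example."""
import re
import struct

# Meaning of each field on Snort's protocol line (IP header, RFC 791; UDP, RFC 768).
FIELD_MEANINGS = {
    "TTL": "IP time-to-live: hops left before a router drops the packet",
    "TOS": "IP type-of-service byte, shown in hex",
    "ID": "IP identification, shared by all fragments of one datagram",
    "IpLen": "IP header length in bytes (20 means no IP options)",
    "DgmLen": "total IP datagram length in bytes, headers included",
    "Len": "UDP payload length: DgmLen - IpLen - 8-byte UDP header",
}
HEADER_RE = re.compile(r"^(\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+(\S+):(\d+)\s+->\s+(\S+):(\d+)$")
HEX_BYTE_RE = re.compile(r"^[0-9A-Fa-f]{2}$")
NBNS_OPCODES = {0: "query", 5: "registration", 6: "release", 7: "wack", 8: "refresh"}  # RFC 1002

# Constructed input: the second record from the thread, TOS garbling repaired.
SAMPLE_RECORD = """\
04/08-00:36:55.999354 192.168.0.18:137 -> 192.168.0.255:137
UDP TTL:128 TOS:0x0 ID:24 IpLen:20 DgmLen:96
Len: 68
DA 68 28 10 00 01 00 00 00 00 00 01 20 46 41 45  .h( FAE
42 45 4D 46 44 43 41 43 41 43 41 43 41 43 41 43  BEMFDCACACACACAC
41 43 41 43 41 43 41 43 41 43 41 41 41 00 00 20  ACACACACACAAA..
00 01 C0 0C 00 20 00 01 00 04 93 E0 00 06 00 00  .. .
C0 A8 00 12                                      .
"""

def parse_snort_record(text: str) -> dict:
    """Split a -vd record into endpoints, IP/UDP fields and raw payload bytes."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    m = HEADER_RE.match(lines[0].strip())
    if not m:
        raise ValueError("first line is not a Snort timestamp/endpoint line")
    rec = {"timestamp": m.group(1), "src": m.group(2), "sport": int(m.group(3)),
           "dst": m.group(4), "dport": int(m.group(5))}
    proto, *fields = lines[1].split()
    rec["proto"] = proto
    for tok in fields:                       # "TTL:128", "TOS:0x0", ...
        key, val = tok.split(":", 1)
        rec[key] = int(val, 0)               # base 0 accepts both 128 and 0x0
    rec["Len"] = int(lines[2].split(":", 1)[1])
    payload = bytearray()
    for ln in lines[3:]:
        # Assumption: at most 16 hex bytes per line, then an ASCII column.
        for tok in ln.split()[:16]:
            if not HEX_BYTE_RE.match(tok):
                break
            payload.append(int(tok, 16))
    rec["payload"] = bytes(payload)
    # Sanity checks: the lengths Snort prints must agree with each other and the dump.
    if proto == "UDP" and rec["DgmLen"] - rec["IpLen"] - 8 != rec["Len"]:
        raise ValueError("DgmLen, IpLen and Len disagree")
    if len(payload) != rec["Len"]:
        raise ValueError(f"dump holds {len(payload)} bytes, Len says {rec['Len']}")
    return rec

def decode_netbios_name(encoded: str) -> tuple:
    """Undo RFC 1001 first-level encoding: each byte is sent as two characters,
    'A' + high nibble and 'A' + low nibble, so 32 characters give 16 bytes.
    Returns (name without space padding, 16th-byte suffix)."""
    if len(encoded) != 32:
        raise ValueError("encoded NetBIOS name must be 32 characters")
    raw = bytes(((ord(encoded[i]) - 0x41) << 4) | (ord(encoded[i + 1]) - 0x41)
                for i in range(0, 32, 2))
    return raw[:15].rstrip(b" ").decode("ascii"), raw[15]

def decode_nbns(payload: bytes) -> dict:
    """Decode a NetBIOS Name Service (UDP/137) message: 12-byte header,
    one question, and the additional RR that registrations carry."""
    trn_id, flags, qd, an, ns, ar = struct.unpack("!6H", payload[:12])
    info = {"transaction_id": trn_id, "is_response": bool(flags & 0x8000),
            "opcode": NBNS_OPCODES.get((flags >> 11) & 0xF, "unknown"),
            "broadcast": bool(flags & 0x0010), "counts": (qd, an, ns, ar)}
    pos = 12
    label_len, pos = payload[pos], pos + 1
    encoded = payload[pos:pos + label_len].decode("ascii")
    pos += label_len
    if payload[pos] != 0:
        raise ValueError("question name is not terminated by the root label")
    pos += 1
    info["name"], info["suffix"] = decode_netbios_name(encoded)
    info["qtype"], info["qclass"] = struct.unpack("!HH", payload[pos:pos + 4])
    pos += 4
    if ar:  # additional RR: C0 0C is a compression pointer back to the name at offset 12
        ptr, _rtype, _rclass, ttl, _rdlen, nb_flags = struct.unpack("!HHHIHH", payload[pos:pos + 14])
        addr = payload[pos + 14:pos + 18]
        info["rr"] = {"name_pointer": ptr & 0x3FFF, "ttl_seconds": ttl,
                      "group_name": bool(nb_flags & 0x8000),   # 0 = unique, 1 = group
                      "address": ".".join(str(b) for b in addr)}
    return info

if __name__ == "__main__":
    record = parse_snort_record(SAMPLE_RECORD)
    for key, meaning in FIELD_MEANINGS.items():
        print(f"{key}:{record[key]} - {meaning}")
    print(decode_nbns(record["payload"]))
```

Run as-is, the script shows that 96 - 20 - 8 = 68 ties the three printed lengths together, that the 68 dumped bytes are a NetBIOS name registration request broadcast by 192.168.0.18 for the unique name PALS<00>, and that the first record's label (FHEPFCELEHFCEPFFFACACACACACACAAA) decodes to the group name WORKGROUP<00>, which is why both packets go to the broadcast address rather than to any "site". A quick consistency check like this is the cheapest way to spot a truncated or mis-pasted dump before reasoning about it.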
 
Old 04-08-2010, 11:07 AM   #7
salasi
Senior Member
 
Registered: Jul 2007
Location: Directly above centre of the earth, UK
Distribution: SuSE, plus some hopping
Posts: 4,053

Rep: Reputation: 881
Quote:
Originally Posted by communication
Now I will read the Snort manual.
Not sure what we said that caused that reaction, but it is certainly a constructive step, and one that we'd have normally expected you to take before posting.

You might want to read this, but it may not help you much unless you have read the materials here first.
 
Old 04-08-2010, 11:50 AM   #8
communication
LQ Newbie
 
Registered: Apr 2010
Posts: 14

Original Poster
Rep: Reputation: 0
Thanks to all.

I face another problem, and it is:
snort -c snort.conf -l ./log -h 192.168.1.0/24 -s
Running in IDS mode

--== Initializing Snort ==--
Initializing Output Plugins!
Initializing Preprocessors!
Initializing Plug-ins!
Parsing Rules file snort.conf
ERROR: Unable to open rules file: snort.conf or ./snort.conf


Thanks a lot
 
Old 04-08-2010, 12:54 PM   #9
mik-krob
LQ Newbie
 
Registered: Mar 2010
Location: CT,USA
Distribution: ARCH
Posts: 1

Rep: Reputation: 0
You should find where your snort.conf is and tell that to snort. It may be something like -c /etc/snort/snort.conf. It depends where your snort.conf resides.
 
1 members found this post helpful.
Old 04-08-2010, 02:16 PM   #10
communication
LQ Newbie
 
Registered: Apr 2010
Posts: 14

Original Poster
Rep: Reputation: 0
/etc/snort/snort.conf
bash: /etc/snort/snort.conf: Permission denied
Help me again, please.
 
Old 04-08-2010, 02:56 PM   #11
TB0ne
LQ Guru
 
Registered: Jul 2003
Location: Birmingham, Alabama
Distribution: SuSE, RedHat, Slack,CentOS
Posts: 17,944

Rep: Reputation: 3693
Quote:
Originally Posted by communication
/etc/snort/snort.conf
bash: /etc/snort/snort.conf: Permission denied
Help me again, please.
Again, SPELL YOUR WORDS OUT and write clearly, you are very difficult to understand.

And what are you doing? You don't execute the config file. You specify it on the command line, when you run Snort. So:
Code:
snort -c /etc/snort/snort.conf -l ./log -h 192.168.1.0/24 -s
 
Old 04-08-2010, 03:30 PM   #12
communication
LQ Newbie
 
Registered: Apr 2010
Posts: 14

Original Poster
Rep: Reputation: 0
Sorry for my bad spelling.
Thank you for your fast reply.
 
Old 04-08-2010, 06:04 PM   #13
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,331
Blog Entries: 55

Rep: Reputation: 3530
Moved: This thread is more suitable in the Newbie (as it doesn't include any Linux Security questions) and has been moved accordingly to help your thread/question get the exposure it deserves.
 
Old 04-08-2010, 07:06 PM   #14
communication
LQ Newbie
 
Registered: Apr 2010
Posts: 14

Original Poster
Rep: Reputation: 0
I am still reading the Snort manual, and in it:
--alert-before-pass option forces alert rules to take effect in favor of a pass rule.
The problem is how to write it in the terminal.
Thanks in advance
 
Old 04-08-2010, 09:44 PM   #15
TB0ne
LQ Guru
 
Registered: Jul 2003
Location: Birmingham, Alabama
Distribution: SuSE, RedHat, Slack,CentOS
Posts: 17,944

Rep: Reputation: 3693
Quote:
Originally Posted by communication
I am still reading the Snort manual, and in it:
--alert-before-pass option forces alert rules to take effect in favor of a pass rule.
The problem is how to write it in the terminal.
Thanks in advance
You type it in when you run snort, like you did with the OTHER options.
 