LinuxQuestions.org
Old 11-21-2003, 05:41 AM   #1
Jiggy
Member
 
Registered: Nov 2003
Posts: 36

Rep: Reputation: 15
Why is snort being a bitch?


It's giving me two problems which I can't figure out how to fix because there's no consistency in either of the problems.

Problem 1
This script won't execute on bootup and, even though I'm not changing the script at all, sometimes it will work if I manually execute it; other times it will seem to execute fine but a #ps -ef | grep snort doesn't turn up anything.

root@localhost:# ls -l /etc/rc.d/rc.snort -rwxr-xr-x 1 root root 1045 Nov 20 00:12 rc.snort*

Code:
#!/bin/sh
#
# Created Honeynet Project <project@honeynet.org>
# March 18, 2000
#
# Updated November 07, 2003 <lance@honeynet.org>
#
# PURPOSE:
# Used to launch snort for daily automated IDS
#

# Set variables
PATH=/bin:/usr/local/bin
PID=/var/run/snort_eth0.pid
DIR=/var/log/snort
DATE=`date +%Y%m%d`
SNORT=/usr/local/bin/snort
USER=nobody   # account snort drops privileges to (-u below); the original never set it, so chown ran with an empty name

### Kill snort
if [ -s "$PID" ]; then
  PRO=`cat "$PID"`
  echo ""
  echo "Previous version of Snort running"
  echo "Killing Snort, PID $PRO"
  echo ""
  kill -9 "$PRO"
  rm -f "$PID"   # do not leave a stale pid file for the next run to act on
fi

# Make directory based on date, if already exists do nothing.
if [ -d "$DIR/$DATE" ]; then 
        :
else
        mkdir -p "$DIR/$DATE"
        chown "$USER" "$DIR/$DATE"   # snort must be able to write here after switching to $USER
fi

# Snort options explanation
# -b log packets in tcpdump format
# -c configuration file
# -d log packet details
# -D daemon mode
# -i interface in our case eth0
# -l log directory
# -Q (used ONLY with Snort-Inline for QUEUE mode)
# -u $USER run snort as UID $USER in our case nobody

### Start Snort
# -u was described in the comments above but missing from the original command line
$SNORT -D -u "$USER" -c /etc/snort/etc/snort.conf -i eth0 -l "$DIR/$DATE"

exit 0
Problem 2
I've only gotten it to log portscans once, by changing the 3 to 1 in the snort.conf line below. After that I decided to see what happens when I use option 2. When I changed it to 2 it stopped logging again, but I figured that's cool, I'll just change it back to 1. I did and it still wouldn't log the portscans despite the switching of the numbers being the only changes I made.
Code:
#  SID     Event description
# -----   -------------------
#   1       Portscan detect
#   2       Inter-scan info
#   3       Portscan End

preprocessor portscan: $HOME_NET 4 3 portscan.log

What in the hell is with snort? It can't be me!
 
Old 11-21-2003, 06:52 AM   #2
MrGreg
Member
 
Registered: Apr 2001
Location: Hamilton
Distribution: RedHat 7.2, 9.0
Posts: 52

Rep: Reputation: 15
...

I am certainly no expert on Snort, which is why I use Webmin for certain things. I rarely have to reboot but often tweak rules and settings within Snort so running a startup script for the Snort daemon(s) seemed useless and I never tried it. I start Snort in Webmin like so (this is always changing):

/usr/local/bin/snort -Ddeyz -c /etc/snort/snort.conf

Quote:
### Start Snort
$SNORT -D -c /etc/snort/etc/snort.conf -i eth0 -l $DIR/$DATE
I know you can put snort.conf pretty much anywhere, but mine is /etc/snort/snort.conf by default.

? - Are you attempting to initialize snort on an interface that isn't up yet?
?? - Are you sniffing int or ext -i?
??? - Did you enable portscan2 and conversation? This will produce so many alerts you'll want to set some 'preprocessor portscan2-ignorehosts'
???? - Did you try setting var EXTERNAL_NET !$HOME_NET ?


! - I use Snort/ACID/MySql combo and Webmin for administrating. I can be more specific about this arrangement but would need more info on your setup to be of any further assistance.

Get the pig's config fine tuned before putting it in RC.
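The two failure modes discussed so far (a launcher that kills whatever PID a stale pid file names, and snort started before the interface is up) can be checked before the daemon is started. The following is an added example, not part of the Honeynet rc.snort or of any reply in this thread; the function names and the SNORT/CONF/IFACE values are assumptions, and the Snort 2.x `-T` (test configuration and exit) run is not executed here.

```sh
#!/bin/sh
# Added example: pre-start checks for an rc.snort-style launcher (hypothetical helpers).
SNORT=/usr/local/bin/snort
CONF=/etc/snort/snort.conf
IFACE=eth0
PID=/var/run/snort_$IFACE.pid

# pid_matches PIDFILE NAME: true only if PIDFILE names a live process whose
# command name is NAME. Guards "kill -9 `cat $PID`" against a stale pid file
# whose number now belongs to an unrelated process.
pid_matches() {
    pidfile=$1; want=$2
    [ -s "$pidfile" ] || return 1
    pid=$(tr -dc '0-9' < "$pidfile")
    [ -n "$pid" ] || return 1
    kill -0 "$pid" 2>/dev/null || return 1
    comm=$(cat "/proc/$pid/comm" 2>/dev/null || ps -o comm= -p "$pid" 2>/dev/null || true)
    [ "$comm" = "$want" ]
}

# iface_is_up IFACE [SYSROOT]: true if the interface reports operstate "up".
# SYSROOT defaults to Linux sysfs; it is a parameter so the check is testable.
iface_is_up() {
    f=${2:-/sys/class/net}/$1/operstate
    [ -r "$f" ] && grep -qx up "$f"
}

# preflight: what the launcher should verify before (re)starting the daemon.
# Returns non-zero, and starts nothing, when any check fails.
preflight() {
    if ! iface_is_up "$IFACE"; then
        echo "$IFACE is not up; not starting snort" >&2; return 1
    fi
    if ! "$SNORT" -T -c "$CONF" >/dev/null 2>&1; then
        echo "snort rejected $CONF; fix it before restarting" >&2; return 1
    fi
    if pid_matches "$PID" snort; then
        kill "$(cat "$PID")"      # TERM rather than -9, so snort can flush its logs
    fi
    rm -f "$PID"                  # never reuse a stale pid file
}
```

After `preflight` succeeds, the launcher runs the `$SNORT -D ...` line from the original script; the daemon writes a fresh snort_eth0.pid when it starts.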
 
Old 11-21-2003, 02:39 PM   #3
Jiggy
Member
 
Registered: Nov 2003
Posts: 36

Original Poster
Rep: Reputation: 15
Well, the script problem sort of fixed itself. Although it won't execute on reboot, I can now execute it manually and it will work. I don't get it. I've got a dual boot and rebooted numerous times while trying to get snort to detect portscans, and since I rebooted today it has worked if I execute it manually. Hell, who knows, maybe it will spontaneously start to execute on bootup tomorrow even though I didn't change the script in any way.

Unfortunately it still isn't detecting port scans. I edited one of the porn rules to alert for website traffic of microsoft and that works fine. Hopefully the other rules work and the portscan detection is the only one that isn't. Could my firewall rules be blocking port scans? I have tried nmap -sS on my local, external, and loopback IPs and even used grc.com and it's not detecting anything.

I don't know why snort didn't create a /etc/snort.conf. I ./configured, make, make install or however the readme suggested. Where did it put your snort rules? Did it create any snort directory?
 
Old 11-21-2003, 04:20 PM   #4
nrunge
Member
 
Registered: Oct 2003
Distribution: Debian Woody (2.4.22)
Posts: 182

Rep: Reputation: 30
I don't recommend running snort. I know a couple of guys who run a small webhosting company and together we tried to get snort to report accurately for quite some time, but you can never really count on it.
 
Old 11-21-2003, 07:27 PM   #5
Jiggy
Member
 
Registered: Nov 2003
Posts: 36

Original Poster
Rep: Reputation: 15
I forgot I had some iptables rules to block different types of scans. I deleted them and snort was able to detect *some* of them. I'm making progress...
 
Old 11-23-2003, 09:18 PM   #6
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
Quote:
Originally posted by nrunge
I don't recommend running snort. I know a couple of guys who run a small webhosting company and together we tried to get snort to report accurately for quite some time, but you can never really count on it.
//Apologies to Jiggy for an OT remark, but I feel it's necessary to step in.
Nrunge, IMNSHO you can't spread FUD like that. Please explain what Snort can't do, where you people failed or retract your statement.
TIA.
 
Old 11-24-2003, 06:33 AM   #7
MrGreg
Member
 
Registered: Apr 2001
Location: Hamilton
Distribution: RedHat 7.2, 9.0
Posts: 52

Rep: Reputation: 15
FWIW -- I get zilch from snort's original portscan preprocessor. I guess this is because I'm not sniffing the ext wire. I do get numerous int spp_portscan2 alerts, however. As an example of what to expect from this, I get alerts from my NTP server, MSN messenger and really, really busy webpages. Its default is to report 6 hosts 6 ports and I've seen thresholds ranging from 1 to thousands of seconds.

It is possible to have snort running ill-configured where you'll see nada. I've seen that movie and its sequel. Use Nmap on one of your hosts to see. Generate an icmp alert. Start and stop that pig with different options until it's right. Don't even sniff around outside until you're 100% config'd inside. Try using ACID with Snort to view and manipulate results.

BTW -- Since you are attempting to run snort at bootup and maybe think you can leave it alone as you tweak it, you should be aware that you must restart the daemon for any changes to take effect. I used Webmin to install and configure the Pig and its MySQL pen. I don't know how your syslog can handle all the mkdir/date stuff cause I ain't a real guru...jus a farmer. Maybe using a database structure is the better way to go...werks 4 me. Don't forget to ./configure --with-mysql. I have to keep it simple, so I depend initially on the Webmin GUI, then migrate to the shell as I become more acquainted with the software. Plus it is a time saver if you can find no better reason to use it. No one has to know if you don't tell and you can even use SSL with Webmin...

Snort-It is not a bitch, it's a fertile sow.
 
Old 11-24-2003, 10:42 PM   #8
Jiggy
Member
 
Registered: Nov 2003
Posts: 36

Original Poster
Rep: Reputation: 15
Thanks, yeah I'm having the same problem with having to use spp_portscan2 to detect any port scans. I'm not getting too many logs though... I dunno if that's a good or bad thing 'cause I could be missing some.

ACID seems very cool, but since I'm not getting many logs I don't think I need something like that now. Is there a lighter alternative to ACID? I remember hearing something about "colorlogs", maybe that would work?

Edit: Ahhhhh i forgot about SnortSnarf

Last edited by Jiggy; 11-24-2003 at 10:46 PM.
 
Old 11-24-2003, 11:19 PM   #9
nrunge
Member
 
Registered: Oct 2003
Distribution: Debian Woody (2.4.22)
Posts: 182

Rep: Reputation: 30
I'm not saying that snort is not good work in progress. I had snort set up logging to ACID, it seemed to work really nice but I seemed to have the problem of either too many reports or not enough. It was very present when I started running Nessus and I knew what the attacks were. I found Snort to be very inaccurate. Eventually we opted for a commercial product and although I admit it is less versatile than Snort it is far more accurate. I was not trying to bash on what it can't do, just what it seems to do poorly. One thing I have been curious about however (considering that I have not really messed with snort for quite a few months) is if Snort has the ability to examine encapsulated SQL data, and if it can't, is there an open source solution out there that will.
 
Old 11-25-2003, 07:44 AM   #10
MrGreg
Member
 
Registered: Apr 2001
Location: Hamilton
Distribution: RedHat 7.2, 9.0
Posts: 52

Rep: Reputation: 15
I can relate to the "work-in-progress" statement. I used snort 1.8.6 for a year and a half because it took this farmer quite awhile to get it right. I left it alone cuz I didn't want to screw it up. Then a few weeks back I decided to update. I went with 2.0.2, then along came 2.0.3 with core dump issues so I moved to 2.0.4 (current) and now 2.0.5 is just out.

About SQL rules in snort, I only see a few rules in my install and both look for connection attempts in an established stream. I guess it all depends on what you really want to sniff, what is important to your network. I'm no expert but the more deeply you inspect a packet, the higher the overhead required.

Snort fulfills all my expectations and more (cuz I only use half of the pig's features) for a small home network. I am alerted to rogue web sites the family is browsing, unacceptable content and vain attempts to remotely infiltrate network services through inside clients. What more could a farmer ask for? I believe my tractor is safe in the barn, snort will tell me if someone's sneaking around peeking in the windows or toying with the locks.

This farmer has many more tools in the shed besides the alert pigs in the pen. You have to find what works for you. I find that by keeping 'Tripwires' and a 'pot-o-honey' on the 'Bastille', I can be better informed/protected. If only I could get that scarecrow werking....

Thread recap:

I believe it's best to log alerts to a database - i.e. MySQL
I have had no problems viewing/manipulating alerts through ACID - requires Apache or other server
More Rules = Greater system resources required
Less Resources = More Dropped Packets and Less Alerts
 
Old 11-25-2003, 08:39 AM   #11
nrunge
Member
 
Registered: Oct 2003
Distribution: Debian Woody (2.4.22)
Posts: 182

Rep: Reputation: 30
I thought about using it on my home network but I run an openBSD firewall with 3 ports open. Not much risk there.
 