LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Old 02-03-2004, 08:27 PM   #1
arkamir
Member
 
Registered: Nov 2003
Location: Califroni
Distribution: Fedora
Posts: 51

Rep: Reputation: 15
Help with Snort


I just set up snort and have a few questions. First of all I'm using it on a Fedora 1 box, source install into /usr/local/lib/snort*. I'm using the default rules.

I ran it like this as a NIDS:
snort -d -h 192.168.0.0/24 -l /var/log/snort/ -c /usr/local/lib/snort-2.1.0/etc/snort.conf

Then I did a Syn/Stealth port scan like this:

nmap -sS 192.168.0.12

on the machine, from the machine. The problem is when I checked the alert file in /var/log/snort there was nothing in there. In the nmap documentation it says that this scan will be detected and logged by snort and even shows an example.

Also, what is the -dev option? I can't find it in the man page, and it's in several examples.
Thanks a lot
 
Old 02-04-2004, 12:10 AM   #2
di11rod
Member
 
Registered: Jan 2004
Location: Austin, TEXAS
Distribution: CentOS 6.5
Posts: 211

Rep: Reputation: 32
I am using snort and logging to a mysql db. That is determined by my settings in the config file... Here is the syntax I used to start snort:

/usr/sbin/snort -U -d -D -c /etc/snort/snort.conf

When you start yours, do you see any info reported back saying it's started? Is it in the process table if you do a ps -ef | grep snort?

di11rod
 
Old 02-04-2004, 12:54 AM   #3
Skunk_Face
Member
 
Registered: Jan 2004
Posts: 54

Rep: Reputation: 15
Like di11rod said, try checking if snort is up and running first. I'm not sure on this, but you could also check the snort config file to see which ethernet card you placed your snort sensors on and the local address. If you have 2 NICs (one for LAN and another for internet) the sensor might be on the internet NIC, in which case if you used another comp on the LAN to scan, snort probably won't detect it.
Again, I'm not sure on this.
 
Old 02-04-2004, 05:27 PM   #4
arkamir
Member
 
Registered: Nov 2003
Location: Califroni
Distribution: Fedora
Posts: 51

Original Poster
Rep: Reputation: 15
I'm using it on my ath0 card (wireless). I know it is running since my screen gets a huge message. I can attach my config file or at least the first part if that would help.
 
Old 02-04-2004, 11:58 PM   #5
di11rod
Member
 
Registered: Jan 2004
Location: Austin, TEXAS
Distribution: CentOS 6.5
Posts: 211

Rep: Reputation: 32
Post the message that appears when it starts.

Do you really get any wireless traffic to your box? Try using a browser on another computer and request a web page that doesn't exist. Snort should flag a 403 alert. Request a nonexistent page that ends with admin.php.

di11rod
 
Old 02-05-2004, 06:26 PM   #6
arkamir
Member
 
Registered: Nov 2003
Location: Califroni
Distribution: Fedora
Posts: 51

Original Poster
Rep: Reputation: 15
Ahh, thanks a lot, it works now!
I think the problem is that I tried doing it from the localhost. Is there any way I can set it so that it also alerts me when suspicious activity is taken from localhost?
 
Old 02-06-2004, 05:00 AM   #7
di11rod
Member
 
Registered: Jan 2004
Location: Austin, TEXAS
Distribution: CentOS 6.5
Posts: 211

Rep: Reputation: 32
It should flag stuff sourced from localhost pointing at other hosts. Like if your box is compromised and it's doing network scans or something, Snort will pick it up. The rules are probably lenient on requesting admin.php from localhost.

Good luck,

di11rod
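Added example, not code from any poster in this thread: a small Python parser for the full-format alert file the original poster was checking in /var/log/snort. It counts alerts per source address and lists any whose source and destination are the same host, which is what a scan run from the box itself would produce if Snort were listening on the interface that traffic actually crosses (the loopback, not ath0). The sample alert text, including the sid 1000001 "local" rule, is constructed for illustration.

```python
import re
from collections import Counter

# Snort "full" alert record: a [**] header line, an optional
# classification/priority line, then "timestamp src[:port] -> dst[:port]".
HEADER_RE = re.compile(r"^\[\*\*\] \[(\d+):(\d+):(\d+)\] (.*?) \[\*\*\]$")
PRIO_RE = re.compile(r"\[Priority: (\d+)\]")
PAIR_RE = re.compile(
    r"^\S+ (\d+\.\d+\.\d+\.\d+)(?::\d+)? -> (\d+\.\d+\.\d+\.\d+)(?::\d+)?$")

# Constructed sample of what /var/log/snort/alert looks like; sid 1000001 is a
# made-up local rule, and the portscan preprocessor record has no src -> dst line.
SAMPLE = """\
[**] [1:469:1] ICMP PING NMAP [**]
[Classification: Attempted Information Leak] [Priority: 2]
02/04-18:01:05.123456 192.168.0.5 -> 192.168.0.12

[**] [1:1000001:1] LOCAL admin.php request [**]
[Classification: Web Application Attack] [Priority: 1]
02/04-18:02:11.654321 192.168.0.5:3321 -> 192.168.0.12:80

[**] [100:1:1] spp_portscan: PORTSCAN DETECTED from 192.168.0.5 [**]
02/04-18:03:00.000000
"""

def parse_alerts(text):
    """Return one dict per blank-line-separated alert record."""
    alerts = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = [ln.rstrip() for ln in block.splitlines()]
        m = HEADER_RE.match(lines[0])
        if not m:
            continue  # skip anything that is not an alert header
        rec = {"gid": int(m.group(1)), "sid": int(m.group(2)),
               "msg": m.group(4), "priority": None, "src": None, "dst": None}
        for line in lines[1:]:
            p = PRIO_RE.search(line)
            if p:
                rec["priority"] = int(p.group(1))
            q = PAIR_RE.match(line)
            if q:  # preprocessor alerts (gid 100) may lack this line
                rec["src"], rec["dst"] = q.group(1), q.group(2)
        alerts.append(rec)
    return alerts

def summarise(alerts):
    """Alert count per source IP, plus alerts where src == dst (same-host traffic)."""
    by_src = Counter(a["src"] for a in alerts if a["src"])
    same_host = [a for a in alerts if a["src"] and a["src"] == a["dst"]]
    return by_src, same_host
```

Run summarise(parse_alerts(open("/var/log/snort/alert").read())) against a real file; an empty same_host list while scanning from the sensor itself is the symptom discussed in this thread.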