portsentry
hello:)
I've installed portsentry and after typing 'make install' got this:

Creating psionic directory /usr/local/psionic
Setting directory permissions
Creating portsentry directory /usr/local/psionic/portsentry
Setting directory permissions
chmod 700 /usr/local/psionic/portsentry
Copying files
cp ./portsentry.conf /usr/local/psionic/portsentry
cp ./portsentry.ignore /usr/local/psionic/portsentry
cp ./portsentry /usr/local/psionic/portsentry
cp: cannot stat `./portsentry': No such file or directory
make: *** [install] Error 1

When I try 'portsentry -stcp' I get: -bash: portsentry: command not found

Please help or at least tell me how to uninstall portsentry! :) (Some of its config files were placed correctly in all my directories despite the error.) Also, is there no built-in program in Linux for fulfilling portsentry's task?
First of all please DITCH Portsentry and install Snort. Unlike Portsentry, Snort is actively developed, maintained, performs way better and is backed by a huge community.
"when i try 'portsentry -stcp' i get: -bash: portsentry: command not found"

That's because portsentry resides in /usr/local/psionic/portsentry, which is not in your path, so either do "PATH=$PATH:/usr/local/psionic/portsentry" or "/usr/local/psionic/portsentry/portsentry (args)".

"please help or at least tell me how to uninstall portsentry"

If "make uninstall" doesn't work (I doubt it) do "make -n install | less" to see where the script tries to put stuff.
snort
I have snort now but upon './configure' I got:

ERROR! Libpcre header not found, go get it from http://www.pcre.org

Nothing hard here, I hear you say. pcre.org says this of libpcre: "The PCRE library is a set of functions that implement regular expression pattern matching using the same syntax and semantics as Perl 5." Once downloaded, where should I save library functions to? (i.e. what directory). Also, I would love to know what the above sentence means :)
Well, in your profile you show "FC3" as distribution of choice, so that means you could install the rpm of snort. If it's not in the FC3 repo, then Google DAG for Snort. Installing the rpm *should* pick up any dependencies to install as well.
If you persist in building from source (laudable, even if only for the experience) then you must make sure you have installed pcre before you build Snort. Unpack, cd into the dir and follow the instructions in the README and INSTALL textfiles.
Your advice doesn't seem to have fared me well; I now have even more needed dependencies now that I downloaded the rpm.

I get:

[root@localhost snort]# rpm -ihv snort-2.3.3-1.1.fc3.rf.x86_64.rpm
warning: snort-2.3.3-1.1.fc3.rf.x86_64.rpm: V3 DSA signature: NOKEY, key ID 6b8d79e6
error: Failed dependencies:
        libc.so.6()(64bit) is needed by snort-2.3.3-1.1.fc3.rf.x86_64
        libc.so.6(GLIBC_2.2.5)(64bit) is needed by snort-2.3.3-1.1.fc3.rf.x86_64
        libc.so.6(GLIBC_2.3)(64bit) is needed by snort-2.3.3-1.1.fc3.rf.x86_64
        libm.so.6()(64bit) is needed by snort-2.3.3-1.1.fc3.rf.x86_64
        libnsl.so.1()(64bit) is needed by snort-2.3.3-1.1.fc3.rf.x86_64
        libpcap.so.0.8.3()(64bit) is needed by snort-2.3.3-1.1.fc3.rf.x86_64
        libpcre.so.0()(64bit) is needed by snort-2.3.3-1.1.fc3.rf.x86_64

Snort somehow doesn't feel impressive anymore. I want a smooth installation. What can I do to make this work!?
"your advice doesn't seem to have fared me well; I now have even more needed dependencies now that I downloaded the rpm."

If you have a 64-bit box then it makes sense to install the 64-bit version of Snort, and to install Snort you must satisfy dependencies. Doesn't come any easier.
snort
Oops! Sorry!! 64-bit!
I have a 64-bit processor but not 64-bit Linux. I guess I should snort a 32-bit :)
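The mismatch the thread just uncovered (an x86_64 rpm on a 32-bit userland) shows up in two places: the architecture suffix of the package filename and the "(64bit)" tag on every unmet dependency. This added example (not from the thread or from Snort) pulls both out so the problem is visible before running rpm; the dependency text it parses is a constructed copy of the report posted above.

```shell
#!/bin/sh
# Added example, not part of the thread: spot a word-size mismatch between an
# rpm file and the running userland, and list the libraries rpm says are missing.

# The architecture is the token just before ".rpm" in the package filename.
rpm_file_arch() {
    printf '%s\n' "$1" | sed -n 's/.*\.\([^.]*\)\.rpm$/\1/p'
}

# Map a machine string (what "uname -m" prints, or an rpm arch) to a word size.
arch_bits() {
    case "$1" in
        x86_64|amd64|aarch64|ppc64*|s390x) echo 64 ;;
        i?86|armv*|ppc) echo 32 ;;
        *) echo unknown ;;
    esac
}

# Succeeds (exit 0) only when the package and the userland have the same word size.
# Usage: rpm_arch_matches <file.rpm> "$(uname -m)"
rpm_arch_matches() {
    pkg_bits=$(arch_bits "$(rpm_file_arch "$1")")
    sys_bits=$(arch_bits "$2")
    [ "$pkg_bits" = "$sys_bits" ]
}

# Constructed sample: the "Failed dependencies" report from the thread, abbreviated.
SAMPLE_RPM_OUTPUT='error: Failed dependencies:
        libc.so.6()(64bit) is needed by snort-2.3.3-1.1.fc3.rf.x86_64
        libpcap.so.0.8.3()(64bit) is needed by snort-2.3.3-1.1.fc3.rf.x86_64
        libpcre.so.0()(64bit) is needed by snort-2.3.3-1.1.fc3.rf.x86_64'

# One missing library per line, e.g. "libpcap.so.0.8.3()(64bit)".
missing_libs() {
    printf '%s\n' "$1" | sed -n 's/^[[:space:]]*\([^ ]*\) is needed by.*/\1/p'
}

# How many of the missing deps are 64-bit. When all of them are, the package is
# the wrong word size rather than a few packages short (grep -c exits 1 on zero
# matches, hence the "|| true" under set -e).
count_64bit_deps() {
    missing_libs "$1" | grep -c '(64bit)' || true
}
```

On a 32-bit FC3 userland `rpm_arch_matches snort-2.3.3-1.1.fc3.rf.x86_64.rpm "$(uname -m)"` fails, which is the answer the thread reached by hand.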
snort
Okay, I got the .tar.gz of (supposedly 32-bit) snort and got:

ERROR! Libpcre header not found, go get it from http://www.pcre.org

Once downloaded, where should I save the Libpcre header file to??
Like I said 2 posts ago: unpack the pcre archive, cd into the dir and follow the instructions in the README and INSTALL texts.
Wow, cool! It works!!
Thank you very much for your help. I am confused about one thing in the instructions on the running of snort: the need to specify the home network IP (e.g. snort -dev -l <ip.ip.ip.ip> -c snort.conf). It says this affects the name of the directories that messages are logged to. Does this mean each individual event gets logged to its own file?? If so, how do I change it to one static file? Also, is my home IP the one my ISP gives me each time I connect?
"Wow, cool! It works!!"

Ahhh... finally.

"It says this affects the name of the directories that messages are logged to. Does this mean each individual event gets logged to its own file??"

Yes. Check the "-l" (logdir) option and you should see something like /var/log/snort/IPs/logfiles.

"How do I change it to one static file?"

Go for binary logging (see snort.conf for details). Way faster compared to text logging because it doesn't need to parse out all details. You will need to install Barnyard to parse binary Snort logs though. It's at Snort.org in the contrib section.

"Also, is my home IP the one my ISP gives me each time I connect?"

If you're not on a LAN: yes.
OK.
Can't snort and tcpdump also convert the binaries?
LOL. I'll go into WayBack Archive Mode and serve you my answer from 2003 at whitehats.com :-] Logtopcap.c is here.
'The connection was refused when attempting to contact whitehats.com'
The above link can't be followed; aaaargh.
Oh well, bottom line is you *will* need Barnyard to turn Snort's unified logging into human readable ones and logtopcap to convert to packet captures (pcap) readable by "tcpdump -r".