LinuxQuestions.org
Old 03-19-2004, 05:18 AM   #1
xyyz
LQ Newbie
 
Registered: Mar 2004
Posts: 2

Rep: Reputation: 0
problems getting snort to work on a fedora box


i followed Patrick Harper's excellent documentation on internetguru.com in setting up a snort IDS on a fedora core 1 box. i'm pretty new to linux, so i don't know how to fine tweak things to get them working when they aren't working.

anyways, i followed all the directions, but i can't seem to get the snort to identify any sensors.

in the documentation they cover some things that i'm not understanding.

first they have a "HOME_NET" variable. what exactly is this variable? does it set the network for the nic that will be the sensor, or the network that houses the nic you will use to administer the IDS?

then they have another variable in the startup script, S99snort that i was told to copy to /etc/init.d/snort. "IFACE" what does this variable do, again does it assign the control nic or the sensor nic?

when i try to manually run snort by typing "snort -i eth3" after i place eth3 in promisc mode, i get the following error:

<...snip...>
Uh, you need to tell me to do something...

: No such file or directory



any and all help will be appreciated.
 
Old 03-19-2004, 08:10 AM   #2
dominant
Member
 
Registered: Jan 2004
Posts: 409

Rep: Reputation: 30
Why don't you try psad? it's a more simple IDS like snort.
 
Old 03-19-2004, 12:42 PM   #3
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
first they have a "HOME_NET" variable. what exactly is this variable? does it set the network for the nic that will be the sensor, or the network that houses the nic you will use to administer the IDS?
It's the snort.conf variable that tells Snort how to make the difference between what's local and what's remote. If you check the Snort rules, you'll see lines something like "alert ANY ANY -> HOME_NET tcp 80" which would tell Snort to trip on anything from a remote location to the local port 80. If you're using this on a single box setup, set it to the public IP address the NIC listens on.

then they have another variable in the startup script, S99snort that i was told to copy to /etc/init.d/snort. "IFACE" what does this variable do, again does it assign the control nic or the sensor nic?
Other way around. The initscript lives in /etc/init.d and is symlinked manually or with chksysconf in the runlevels it should start/stop in. I don't know the script (post link?) but "IFACE" usually will mean the interface Snort should listen on.


when i try to manually run snort by typing "snort -i eth3" after i place eth3 in promisc mode, i get the following error:

<...snip...>
Uh, you need to tell me to do something...

: No such file or directory

Post a link to the script.



Why don't you try psad? it's a more simple IDS like snort.
Snort and PSAD are not alike.
PSAD is a portscan detector, like portsentry, ippl etc etc.
Snort is an IDS, like Prelude, Firestorm, Pakemon etc etc.
Check out the LQ FAQ: Security references, look for "Snort vs portsentry" if you want to read about differences.
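
Added example (not part of any post in this thread, and not Snort's own code): a simplified Python model of how a rule header is evaluated against HOME_NET, showing that the variable describes which addresses count as local in the rules rather than which NIC is used. The addresses, the rule written in Snort's "action proto src sport -> dst dport" header order, and EXTERNAL_NET being defined as !$HOME_NET are assumptions made for the illustration.

```python
import ipaddress

# Constructed values (assumptions): the segment the sniffing NIC watches,
# and a separate segment used only to administer the IDS box.
SENSOR_NET = "192.0.2.0/24"
MGMT_NET = "10.0.0.0/24"

# Simplified rule header: action proto src sport -> dst dport
RULE = "alert tcp $EXTERNAL_NET any -> $HOME_NET 80"

def resolve(token, variables):
    """Turn 'any', '$VAR', '!$VAR' or a CIDR into (negated, network)."""
    negated = token.startswith("!")
    token = token.lstrip("!")
    if token.startswith("$"):
        inner_neg, net = resolve(variables[token[1:]], variables)
        return negated != inner_neg, net
    if token == "any":
        return negated, ipaddress.ip_network("0.0.0.0/0")
    return negated, ipaddress.ip_network(token)

def addr_matches(ip, token, variables):
    negated, net = resolve(token, variables)
    return (ipaddress.ip_address(ip) in net) != negated

def port_matches(port, token):
    return token == "any" or int(token) == port

def rule_fires(rule, packet, home_net):
    """packet = (proto, src_ip, src_port, dst_ip, dst_port)."""
    variables = {"HOME_NET": home_net, "EXTERNAL_NET": "!$HOME_NET"}
    _action, proto, src, sport, _arrow, dst, dport = rule.split()
    p_proto, s_ip, s_port, d_ip, d_port = packet
    return (proto == p_proto
            and addr_matches(s_ip, src, variables) and port_matches(s_port, sport)
            and addr_matches(d_ip, dst, variables) and port_matches(d_port, dport))

# Constructed packets, as the sniffing interface would see them.
INBOUND_WEB = ("tcp", "198.51.100.7", 40000, "192.0.2.10", 80)
LOCAL_TO_LOCAL = ("tcp", "192.0.2.20", 40001, "192.0.2.10", 80)

if __name__ == "__main__":
    for home in (SENSOR_NET, MGMT_NET):
        print(home, rule_fires(RULE, INBOUND_WEB, home), rule_fires(RULE, LOCAL_TO_LOCAL, home))
```

With HOME_NET set to the monitored segment the inbound web request matches; with HOME_NET set to the management segment the same packet matches nothing, because no watched host is considered local.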
 
  

