Linux - Security
This forum is for all security-related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
I am not gifted at all, and don't know too much about NIDSes or networking; I'm still in a learning phase. I am looking for an easy-to-read newbie howto for understanding and setting up Snort. All the howtos I have come across have been very technical and haven't been explained very thoroughly. Would anyone know of any easy-to-read howtos for Snort, for a beginner?
Well, I have just installed it: installed libpcap and Snort, and also a GUI front end too, I think it was razorhog or something like that, to view alerts. But beyond that I don't know what to do, or what I need to do to get the benefits of Snort. All in all I am clueless.
Yeah, you mean Razorback; it's a "tail" kind of app, but in GTK.
Snort is an IDS, short for Intrusion Detection System.
What you basically will use it for is to monitor traffic, usually towards your systems, for malicious activity like people trying to use an exploit against a service you run to illegally gain access to your systems.
Unlike other "scan detectors", Snort inspects a packet in full, that is, the headers plus the contents of the packet. It does this by trying to match any packet attributes to a signature. Signatures are grouped per service in rule files. These rule files are updated regularly; you can download them from Snort.org. If you've read the Snort docs, they mention commenting out rules in snort.conf for which you have no service running, which will be good for performance.
The minimal way to benefit from running Snort would be to have regular reporting available so you can react to hostilities (or not). For this you could set up a cron job to mail you the output of helper apps like snort_stat, or you could use SnortSnarf, which has a web-based interface for looking at alerts.
Some people also use Snort to actively block traffic from addresses that try to access your system. Snort can do this by itself, but it is not recommended. If you want to block traffic based on alerts, have a look at the third-party apps in the contrib dir of the Snort tarball, for instance Guardian.
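To make the reporting and "block on alerts" advice above concrete, here is an added example that is not part of this thread, nor Snort's, snort_stat's or Guardian's own code. It parses Snort's one-line alert_fast output (what `output alert_fast` in snort.conf writes), aggregates alerts per signature and per source address the way a cron-mailed snort_stat report does, and, instead of blocking anything, lists sources that cross a threshold as candidates for a human to review. The alert lines, the LOCAL rule messages and the sids are constructed for the example; the regex assumes IPv4 addresses.

```python
"""Summarise Snort alert_fast output for a cron-mailed report.

Hypothetical helper written for this thread; it is not part of Snort,
snort_stat, SnortSnarf or Guardian.  It parses the one-line "fast" alert
format, counts alerts by signature and by source address, and lists sources
that exceed a threshold as *candidates* for blocking.  Blocking itself is
deliberately left out: an attacker can spoof source addresses, so automatic
blocking can be turned into a denial of service against your own users.
"""
import re
from collections import Counter

# One alert per line, as written by "output alert_fast".  Field order:
# timestamp [**] [gid:sid:rev] message [**] [Classification: ...] [Priority: n] {proto} src:port -> dst:port
# Classification is optional (rules without a classtype omit it); ICMP lines
# carry no ports.  Assumes IPv4 addresses.
ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+"
    r"\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s+(?P<cls>[^\]]+)\]\s+)?"
    r"\[Priority:\s+(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s*$"
)

# Constructed sample of an alert file: three SSH hits and a web probe from one
# host, one ICMP echo from another, plus a junk line that must be skipped.
SAMPLE_ALERTS = """\
01/15-10:02:11.123456  [**] [1:1000001:1] LOCAL SSH connection attempt [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 203.0.113.7:51234 -> 192.0.2.10:22
01/15-10:02:12.223456  [**] [1:1000001:1] LOCAL SSH connection attempt [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 203.0.113.7:51235 -> 192.0.2.10:22
01/15-10:02:13.323456  [**] [1:1000001:1] LOCAL SSH connection attempt [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 203.0.113.7:51236 -> 192.0.2.10:22
01/15-10:05:40.000001  [**] [1:1000003:1] LOCAL ICMP echo [**] [Classification: Misc activity] [Priority: 3] {ICMP} 198.51.100.4 -> 192.0.2.10
01/15-10:07:02.500000  [**] [1:1000002:1] LOCAL web probe [**] [Priority: 1] {TCP} 203.0.113.7:40000 -> 192.0.2.10:80
this line is not an alert and should be ignored
"""


def parse_alerts(text):
    """Return one dict per parseable alert line; anything else is skipped."""
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.match(line.strip())
        if not m:
            continue  # blank lines, truncated lines, other output formats
        a = m.groupdict()
        a["prio"] = int(a["prio"])  # Snort: 1 is most severe
        alerts.append(a)
    return alerts


def summarise(alerts):
    """Count alerts per (gid, sid, msg) signature and per source address."""
    by_sig = Counter((a["gid"], a["sid"], a["msg"]) for a in alerts)
    by_src = Counter(a["src"] for a in alerts)
    return by_sig, by_src


def block_candidates(alerts, min_alerts=3, max_priority=2):
    """Sources with at least min_alerts alerts of priority <= max_priority.

    Only severe alerts count, so noisy low-priority signatures (pings, scans
    of closed ports) do not push a host over the threshold on their own.
    """
    hits = Counter(a["src"] for a in alerts if a["prio"] <= max_priority)
    return sorted(src for src, n in hits.items() if n >= min_alerts)


def report(text, min_alerts=3):
    """Build the plain-text report a cron job would mail."""
    alerts = parse_alerts(text)
    by_sig, by_src = summarise(alerts)
    lines = [f"{len(alerts)} alerts parsed", "By signature:"]
    for (gid, sid, msg), n in by_sig.most_common():
        lines.append(f"  {n:5d}  [{gid}:{sid}] {msg}")
    lines.append("By source address:")
    for src, n in by_src.most_common():
        lines.append(f"  {n:5d}  {src}")
    lines.append("Block candidates (review before acting; spoofed sources "
                 "would make automatic blocking a self-inflicted DoS):")
    lines.extend(f"  {src}" for src in block_candidates(alerts, min_alerts))
    return "\n".join(lines)


if __name__ == "__main__":
    # For a real cron job, read /var/log/snort/alert instead of the sample.
    print(report(SAMPLE_ALERTS))
```

Pipe the output into `mail` from cron (e.g. once an hour, after rotating the alert file) and you have the minimal reporting described above; the candidate list is what a tool like Guardian would act on, and why acting on it blindly is not recommended.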
I have another question; it should be a simple one. When I activate ppp0, how would I have Snort start automatically? What file would I need to edit? Right now I am running Snort from the command line every time I dial up.