LinuxQuestions.org
Help answer threads with 0 replies.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices


Reply
  Search this Thread
Old 01-30-2004, 02:51 AM   #1
gummimann
Member
 
Registered: Nov 2003
Distribution: redhat
Posts: 57

Rep: Reputation: 15
Unhappy Snort only alerts snmp


Hi

I`ve just started useing snort. I got version 2.0.2 on RH9.

I use snort -c /root/snort-2.0.2/etc/snort.conf

And it log`s to /var/log/snort folders. But it only logs snmp alerts.

What`s wrong?



Thanks in advance!
 
Old 01-30-2004, 03:34 AM   #2
di11rod
Member
 
Registered: Jan 2004
Location: Austin, TEXAS
Distribution: CentOS 6.5
Posts: 211

Rep: Reputation: 32
good move

Hey, I think it's a great move on your part to install snort. I don't know exactly why you're only seeing SNMP alerts in the log as I don't have a huge amount of experience with snort....

For starters, though, I'd recommend shutting it down and starting it with this syntax-

/usr/sbin/snort -U -d -D -c /etc/snort/snort.conf

Those are the arguments that webmin starts it with for me. If you depend on Webmin like me, you might want to download the Snort webmin module from www.snort.org... it's in the downloads section of their site.

Also, I don't know how recent your rules sets are because you didn't say where you got snort from. I'd recommend downloading the most current rules sets and untar them in /usr/lib/snort/rules or wherever your install has the rules sets. They update these things several times a day.

Make sure the snort.conf file is pointing to your rules directory. I don't think it starts, though, if it doesn't.

Initially, you'll find a lot of bullcrap alerts for stuff that doesn't relate to your install. Like I'm on a Mandrake box and snort was telling me about every Nimda attack. You will be able to suppress these annoyances by examining the ID number of the attack type, then editing the matching rules set and commenting out that line.

I hope I'm not bogging you down with stuff you already know... But before I finish, I'd also recommend that you look at installing ACID. It's a VERY useful reporting tool for Snort. It allows you to have Snort send all alerts to a mysql database and then gives you a php-driven web app that can display the alert info in every useful view you'll need. Like I mostly just check the 15 most recent attack types on there. You can find out about ACID over at www.freshmeat.net

good luck,

di11rod
 
Old 01-30-2004, 04:20 AM   #3
gummimann
Member
 
Registered: Nov 2003
Distribution: redhat
Posts: 57

Original Poster
Rep: Reputation: 15
Thanks

I`ll try to update the rules (I got mine with the program at snort.org), however I don`t think that it`ll help. Where are the best place to download rules from?

I tryed:
/usr/local/bin/snort -U -d -D -c /root/snort-2.0.2/etc/snort.conf

Thanks for good pointers

Last edited by gummimann; 01-30-2004 at 04:25 AM.
 
Old 01-30-2004, 06:08 AM   #4
di11rod
Member
 
Registered: Jan 2004
Location: Austin, TEXAS
Distribution: CentOS 6.5
Posts: 211

Rep: Reputation: 32
here are the rules

Gummimman,

If you downloaded snort from the snort website, I think you'll probably want to download newer rules from their seperate rule download section--

http://www.snort.org/dl/rules/snortrules-stable.tar.gz

They update that file every day, but I don't know how much it really changes on a daily basis. I can't see how I'd download it every day as I've commented out my current rules sets by hand to minimize the false positives. I'd have to hand-edit the rules every day if I was that up-to-date... Perhaps someone else knows a more efficient method of keeping the rules updating regularly without undoing your own edits...

Getting snort to output its alerts into a mysql db is a snap. You just edit the snort.conf file to change the DB pointers to be appropriate for your DB. Then you have to run a sql script in mysql and then you just untar the ACID php files onto your webserver's docroot and you're in business.

good luck,

di11rod
 
Old 01-30-2004, 06:31 AM   #5
gummimann
Member
 
Registered: Nov 2003
Distribution: redhat
Posts: 57

Original Poster
Rep: Reputation: 15
Thnx

However it didn`t work. I still get just snmp alerts.
 
Old 02-04-2004, 01:03 PM   #6
di11rod
Member
 
Registered: Jan 2004
Location: Austin, TEXAS
Distribution: CentOS 6.5
Posts: 211

Rep: Reputation: 32
Do you have iptables blocking any kind of tcp traffic?

Also, how are you testing? Perhaps you have a firewall externally blocking this box from tcp attacks?

di11rod
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
snort alerts lord-fu Linux - Security 1 11-25-2005 03:28 PM
Snort Alerts ?? zahra79 Linux - Networking 5 06-22-2005 05:11 AM
Snort does not log alerts soren625 Linux - Security 0 02-10-2005 06:35 AM
Suggestions for best way to get snort alerts zuessh Linux - Security 9 08-29-2004 09:40 PM
Snort Alerts knight_ridda Linux - Security 13 06-21-2003 04:32 PM

LinuxQuestions.org > Forums > Linux Forums > Linux - Security

All times are GMT -5. The time now is 01:57 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration