Snort mailing list archives

Re: Regarding the Snort 2.9.1 on CentOS 5.6 (Snort Setup Guide)


From: Nick Moore <nmoore () sourcefire com>
Date: Mon, 25 Jun 2012 20:48:04 -0500

Mike,

I've put some answers inline below, but you'll generally have more success
asking the snort-users list rather than just me directly. I haven't updated
the guide in some time (mea culpa, mea maxima culpa).

On Mon, Jun 25, 2012 at 4:13 PM, Mike Henderson
<mhenderson () fwforestry com> wrote:

http://www.snort.org/assets/159/Snort_2.9.1_CentOS_5.pdf

Do you have an updated version of this guide?

I’m primarily a Windows user and only have a very limited “working”
knowledge of Linux.

I’ve tried using the guide above many times as a step-by-step install
method but I just can’t get it to work.

I get a little farther each time but…..

My roadblocks so far have been:

-No mention of development tools needing to be installed for some of the
“make install” processes.


Actually the big yum statement on page 5 covers the dev tools you need. I
tested that one over several earlier iterations of the paper and this list
worked. It is important that you then run the yum -y update and reboot. If
you are still having errors when compiling stuff, post the errors you are
seeing to this list. Generally, you can see these in the bottom dozen or so
lines of your "./configure && make && make install" output.



-Typos like this line on page 9: tar zxvf /home/bubba/nbtscan-1-3-1.tar.gz
(if it’s not a typo I’m unable to locate that file….)


My apologies - it is a typo. In the paper, I referenced downloading version
1.0.35 of the code, but 1.5.1 is now available.


-A great lack of understanding of what kind of entries and output I’m
supposed to be looking at.


Can't really help much there, other than encouraging you to keep at it, use
Google extensively and post questions to the list. A lack of understanding
is a temporary condition if you just keep plugging away. If your company
will spring for it, I'd recommend Snort training from Sourcefire or taking
the Intrusion Analysis class from SANS. The latter will give you lots of
other skills helpful in network analysis.


Example of not knowing what I’m supposed to be looking at:

Should this line:

/usr/local/bin/barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort -f snort.log -w /var/log/snort/barnyard.waldo

Look like this:

/usr/local/bin/barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort/ -f snort.log -w /var/log/snort/barnyard.waldo


Nope, the trailing / is not necessary.


Currently – I have Snort and Barnyard2 running but I’m unable to see any
of the SID 100001 events in snortreport-1.3.1 on page 13


There could be all sorts of reasons for this. First, try doing a tcpdump on
your sensing interface and see if you are getting real traffic there. Is
the traffic coming from a SPAN off a switch or a tap? I'm assuming that you
are not inline.

Make sure that you are seeing more than just broadcast traffic. On a normal
network, you should see lots of web traffic and NetBIOS traffic (not just
the broadcasts). If all you are seeing are broadcasts, you are not on SPAN
port, but a normal switchport.

If you are doing this in VMWare rather than a native OS, how are you
getting packets to VMWare? Are you sure you are on a bridged interface and
not a NAT or internal only interface? Again, tcpdump will tell you lots.



When I stop barnyard – all the values for packets and protocols are 0.
The alert file and the snort.log.(number string) files do contain data.


Chances are something is messed up with one of your configuration files.
Reply all to the list and include your snort.conf and barnyard.conf files
as attachments.

If you do not have an updated version of the guide -

Would it be possible to walk through your guide step by step to see if any
entries are missing or correct any that are mistyped?


I've started a new version, but haven't had time to work on it. I'll
probably get to it sometime in July, as this is the last week of the
quarter and I have some serious plane time in July - good time to get
things done. Sorry it's not more immediate, but responding to the
snort-users list as specified in some of the steps above will probably get
you answers faster.

Any help would be greatly appreciated.

Thank you

PS

My apologies for the email

I know it is “noob” stuff that I’m asking about - but I am trying….

Mike Henderson
Network Administrator
F&W Forestry Services, Inc.
1310 West Oakridge Drive
Albany, GA 31707
o: 229.883.0505 ext 142    f: 229.883.0515
MHenderson () fwforestry com
www.fwforestry.com




-- 
Nick Moore, SFCE, CISSP, CISA
Sr. Systems Engineer
Voice 708-336-9041
Email nick.moore () sourcefire com
IM    nickgmoore (Yahoo)
       nickgmoore38 (AIM)

    ,,_
   o"  )~   Sourcefire - The Creators of Snort
    ''''

www.sourcefire.com         www.snort.org     www.immunet.com
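As an added example, not code from Nick's reply or from the guide: a POSIX shell helper that carries out the tcpdump check he describes, classifying captured frames by destination MAC so you can tell a SPAN or tap feed (plenty of unicast) from a plain switchport (broadcasts only). The interface name eth1 and the sample capture lines are constructed assumptions.

```shell
#!/bin/sh
# Classify frames from tcpdump's link-layer output (-e) to check whether the
# sensing interface actually receives unicast traffic, not just broadcasts.
# Real use (interface name is an assumption):
#   sudo tcpdump -e -nn -i eth1 -c 200 2>/dev/null | frame_summary

# Constructed sample of "tcpdump -e -nn" output, not a real capture:
# two broadcasts (ARP, NetBIOS name query) and one unicast HTTP SYN.
SAMPLE_CAPTURE='12:00:01.000001 00:0c:29:aa:bb:cc > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Request who-has 192.168.1.10 tell 192.168.1.1, length 46
12:00:01.100002 00:0c:29:dd:ee:ff > ff:ff:ff:ff:ff:ff, ethertype IPv4 (0x0800), length 92: 192.168.1.20.137 > 192.168.1.255.137: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
12:00:01.200003 00:0c:29:aa:bb:cc > 00:50:56:11:22:33, ethertype IPv4 (0x0800), length 74: 192.168.1.10.51234 > 198.51.100.7.80: Flags [S], seq 1, win 65535, length 0'

# Read tcpdump -e lines on stdin; print "total=N broadcast=N multicast=N unicast=N".
# Field 4 is the destination MAC (with a trailing comma). ff:ff:ff:ff:ff:ff is
# broadcast; a first octet with its low bit set is multicast; the rest is unicast.
frame_summary() {
    awk '
        /^[0-9:.]+ [0-9a-f:]+ > [0-9a-f:]+,/ {
            total++
            dst = $4; sub(/,$/, "", dst)
            if (dst == "ff:ff:ff:ff:ff:ff") bcast++
            else if (substr(dst, 2, 1) ~ /[13579bdf]/) mcast++
            else ucast++
        }
        END { printf "total=%d broadcast=%d multicast=%d unicast=%d\n", total, bcast, mcast, ucast }
    '
}

# Succeed (exit 0) only if at least $1 unicast frames (default 1) were seen.
# Broadcast/multicast only means the port is most likely a plain switchport,
# not a SPAN session or tap, so Snort never sees the sessions it should alert on.
span_check() {
    min=${1:-1}
    ucast=$(frame_summary | sed 's/.*unicast=//')
    [ "$ucast" -ge "$min" ]
}

# Demo on the constructed sample.
printf '%s\n' "$SAMPLE_CAPTURE" | frame_summary
if printf '%s\n' "$SAMPLE_CAPTURE" | span_check; then
    echo "unicast traffic present: SPAN/tap looks OK"
else
    echo "no unicast traffic: check the SPAN/tap or VM bridged mode"
fi
```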
