Snort mailing list archives
Re: Regarding the Snort 2.9.1 on CentOS 5.6 (Snort Setup Guide)
From: Nick Moore <nmoore () sourcefire com>
Date: Mon, 25 Jun 2012 20:48:04 -0500
Mike, I've put some answers inline below, but you'll generally have more success asking the snort-users list rather than just me directly. I haven't updated the guide in some time (mea culpa, mea maxima culpa).

On Mon, Jun 25, 2012 at 4:13 PM, Mike Henderson <mhenderson () fwforestry com> wrote:
> http://www.snort.org/assets/159/Snort_2.9.1_CentOS_5.pdf
>
> Do you have an updated version of this guide?
>
> I’m primarily a Windows user and only have a very limited “working” knowledge of Linux. I’ve tried using the guide above many times as a step-by-step install method but I just can’t get it to work. I get a little farther each time but.....
>
> My roadblocks so far have been:
>
> - No mention of development tools needing to be installed for some of the “make install” processes.
Actually the big yum statement on page 5 covers the dev tools you need. I tested that one over several earlier iterations of the paper and this list worked. It is important that you then run the yum -y update and reboot. If you are still having errors when compiling stuff, post the errors you are seeing to this list. Generally, you can see these in the bottom dozen or so lines of the output of your "./configure && make && make install" output.
> - Typos like this line on page 9: tar zxvf /home/bubba/nbtscan-1-3-1.tar.gz (if it’s not a typo I’m unable to locate that file....)
My apologies - it is a typo. In the paper, I referenced downloading version 1.0.35 of the code, but 1.5.1 is now available.
> - A great lack of understanding of what kind of entries and output I’m supposed to be looking at.
Can't really help much there, other than encouraging you to keep at it, use Google extensively and post questions to the list. A lack of understanding is a temporary condition if you just keep plugging away. If your company will spring for it, I'd recommend Snort training from Sourcefire or taking the Intrusion Analysis class from SANS. The latter will give you lots of other skills helpful in network analysis.
> Example of not knowing what I’m supposed to be looking at:
>
> Should this line:
>
> /usr/local/bin/barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort -f snort.log -w /var/log/snort/barnyard.waldo
>
> Look like this:
>
> /usr/local/bin/barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort/ -f snort.log -w /var/log/snort/barnyard.waldo
Nope, the trailing / is not necessary.
> Currently – I have Snort and Barnyard2 running but I’m unable to see any of the SID 100001 events in snortreport-1.3.1 on page 13.
There could be all sorts of reasons for this. First, try doing a tcpdump on your sensing interface and see if you are getting real traffic there. Is the traffic coming from a SPAN off a switch or a tap? I'm assuming that you are not inline. Make sure that you are seeing more than just broadcast traffic. On a normal network, you should see lots of web traffic and NetBIOS traffic (not just the broadcasts). If all you are seeing are broadcasts, you are not on a SPAN port, but a normal switchport. If you are doing this in VMware rather than a native OS, how are you getting packets to VMware? Are you sure you are on a bridged interface and not a NAT or internal-only interface? Again, tcpdump will tell you lots.
> When I stop barnyard – all the values for packets and protocols are 0. The alert file and the snort.log.(number string) files do contain data.
Chances are something is messed up with one of your configuration files. Reply all to the list and include your snort.conf and barnyard.conf files as attachments.
> If you do not have an updated version of the guide - would it be possible to walk through your guide step by step to see if any entries are missing or correct any that are mistyped?
I've started a new version, but haven't had time to work on it. I'll probably get to it sometime in July, as this is the last week of the quarter and I have some serious plane time in July - good time to get things done. Sorry it's not more immediate, but responding to the snort-users list as specified in some of the steps above will probably get you answers faster.
> Any help would be greatly appreciated.
>
> Thank you
>
> PS My apologies for the email. I know it is “noob” stuff that I’m asking about - but I am trying....
> Mike Henderson
> Network Administrator
> F&W Forestry Services, Inc.
> 1310 West Oakridge Drive
> Albany, GA 31707
> o: 229.883.0505 ext 142
> f: 229.883.0515
> MHenderson () fwforestry com
> www.fwforestry.com
--
Nick Moore, SFCE, CISSP, CISA
Sr. Systems Engineer
Voice 708-336-9041
Email nick.moore () sourcefire com
IM nickgmoore (Yahoo) nickgmoore38 (AIM)
Sourcefire - The Creators of Snort
www.sourcefire.com www.snort.org www.immunet.com
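The traffic check Nick describes above (run tcpdump on the sensing interface, then confirm you see more than just broadcasts) can be made repeatable with a small script. The following is an added example and is not part of the thread or of the setup guide; the interface name eth1, the sample capture lines and the majority-unicast threshold are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the thread or the setup guide): summarise a tcpdump
# sample from the sensing interface to tell a SPAN/tap feed from a plain
# switch port. Capture a sample first, e.g. (eth1 is an assumed interface name):
#   tcpdump -i eth1 -e -nn -c 1000 > sample.txt
# then: classify_capture sample.txt; looks_like_span sample.txt && echo "monitoring port"

# classify_capture FILE
# Reads `tcpdump -e -nn` link-level lines and prints frame counts by
# destination MAC class: broadcast, multicast, unicast.
classify_capture() {
    awk '
        NF < 4 { next }                       # skip blank or truncated lines
        {
            dst = $4; sub(/,$/, "", dst)      # field 4 is the destination MAC plus a trailing comma
            if (dst == "ff:ff:ff:ff:ff:ff") { b++ }
            else if (dst ~ /^(01:00:5e|33:33|01:80:c2)/) { m++ }   # IPv4, IPv6 and bridge multicast prefixes
            else { u++ }
        }
        END { printf "broadcast=%d multicast=%d unicast=%d\n", b + 0, m + 0, u + 0 }
    ' "$1"
}

# looks_like_span FILE
# Exit 0 when unicast frames form a strict majority of the sample. This is an
# assumed heuristic for a mirrored or tapped link: a normal access port only
# sees its own unicast plus the broadcast and multicast on the segment.
looks_like_span() {
    classify_capture "$1" | awk '
        { for (i = 1; i <= NF; i++) { split($i, kv, "="); c[kv[1]] = kv[2] } }
        END {
            total = c["broadcast"] + c["multicast"] + c["unicast"]
            exit !(total > 0 && c["unicast"] * 2 > total)
        }'
}

# write_constructed_sample FILE
# Writes a constructed seven-frame sample in `tcpdump -e -nn` format
# (all addresses are made up) so the functions above can be exercised offline.
write_constructed_sample() {
    cat > "$1" <<'EOF'
12:00:01.000001 00:11:22:33:44:55 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Request who-has 192.168.1.1 tell 192.168.1.10
12:00:01.050000 00:11:22:33:44:66 > ff:ff:ff:ff:ff:ff, ethertype IPv4 (0x0800), length 92: 192.168.1.20.137 > 192.168.1.255.137: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
12:00:01.100000 00:11:22:33:44:77 > 01:00:5e:00:00:fb, ethertype IPv4 (0x0800), length 90: 192.168.1.30.5353 > 224.0.0.251.5353: 0 PTR (QM)? _services._dns-sd._udp.local. (50)
12:00:01.150000 00:11:22:33:44:55 > 00:aa:bb:cc:dd:ee, ethertype IPv4 (0x0800), length 74: 192.168.1.10.51234 > 203.0.113.10.80: Flags [S], seq 1, win 29200, length 0
12:00:01.200000 00:aa:bb:cc:dd:ee > 00:11:22:33:44:55, ethertype IPv4 (0x0800), length 74: 203.0.113.10.80 > 192.168.1.10.51234: Flags [S.], seq 2, ack 2, win 65535, length 0
12:00:01.250000 00:11:22:33:44:66 > 00:11:22:33:44:88, ethertype IPv4 (0x0800), length 139: 192.168.1.20.49152 > 192.168.1.5.445: Flags [P.], seq 1:86, ack 1, win 256, length 85
12:00:01.300000 00:11:22:33:44:77 > 00:aa:bb:cc:dd:ee, ethertype IPv4 (0x0800), length 73: 192.168.1.30.40000 > 192.168.1.1.53: 1234+ A? www.example.com. (31)
EOF
}
```

On a real sensor, run the tcpdump line from the comment for a minute or so and feed the file to classify_capture; a capture that is almost entirely broadcast and multicast matches the "normal switchport, not a SPAN" case Nick describes, while a bridged VM interface or a working mirror port shows unicast web, DNS and SMB conversations between other hosts.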
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Please visit http://blog.snort.org to stay current on all the latest Snort news!