Snort mailing list archives
Bleeding Edge Win32 Snort and Cerebus Win32
From: Dragos Ruiu <dr () dursec com>
Date: Sat, 14 Sep 2002 03:42:31 +0000
Well I finished porting the Cerebus Alert Analyzer and Correlator to a bare-metal Win32 API GUI application for browsing Snort IDS alerts much, much faster than SQL databases, without the need for installing a database... Cerebus Win32 V1.4L is now available at: http://dragos.com/cerebus

I also felt energetic (and it's cheaper to stay at home on a Friday and code instead of going out :-) so I packaged it up in a "Bleeding Edge Cerebus/Snort/WinPcap Installer" which is also available at that URL, as well as the standalone data viewer .EXE binary.

In the "Bleeding Edge" installer: I compiled up Snort CVS 1.9beta on Win32, loaded in WinPcap 3.0beta and bundled that all together with two shortcuts and some doc files in the installer. The Snort shortcuts are:

Snort Sniffer Mode: A shortcut that executes "Program Files\Cerebus\snort -evi 2" in the same dir.

Snort IDS Mode: A shortcut that executes "Program Files\Cerebus\snort -i 2 -c snort.conf" in the same dir, and I fudged up a snort.conf file with the appropriate output so that you can use Cerebus to read and analyse the alert files that will accumulate in Program Files\Cerebus\logs. There is a readme file that will tell you more.

If you have problems with the above defaults (you'll notice if the shortcuts flash and quit instead of staying open and giving you data), try using 1 or 3 or another number for the numeric interface parameter, as it may vary from system to system (but 2 seemed the most likely default). Find where the installer put the shortcuts on your system by using Find Files, and right click on their properties tab to adjust them.

Now please keep in mind this is the latest beta stuff and it may just (:-) have some bugs.... It seems to work just fine on Win2k and WinXP, but it looks like Pcap3.0 has some problems on my WinME systems.... Get rid of the System32\WinPcap.dll, System32\packet.dll, and System32\drivers\npf.sys files and reinstall an older pcap if you have problems.

I would appreciate knowing if anyone can get it to work on their ME or 98 with WinPcap3.0 (I'll poke more at it tomorrow). But overall this seems like a nice solution for a speedy Win32 IDS and data analysis system without installing or waiting for a web-gui and database queries.

More aardvark toys coming soon...

Enjoy,
--dr

As usual, I will answer e-mail queries, but preference _will_ be given to those who choose to pay for the commercial version of Cerebus.

--
dr () dursec com
pgp: http://dragos.com/dr-dursec.asc
Advance CanSecWest/03 registration available: http://cansecwest.com
"The question of whether computers can think is like the question of whether submarines can swim." --Edsger Wybe Dijkstra 1930-2002