Snort mailing list archives
Re: Trouble with Snort --enable-inline
From: Oscar Mauricio Benavidez Suarez <obenavidez () gmail com>
Date: Wed, 10 Jun 2009 09:53:51 -0500
Thanks for your answers. Well, I want to do a normal Snort inline setup. Here is a summary of my installation.

First I installed Debian Lenny, then I installed all the prerequisites:

# apt-get install apache2
# apt-get install mysql-server
# apt-get install php5
# apt-get install php5-mysql
# apt-get install build-essential
# apt-get install libpcre3-dev
# apt-get install iptables-dev
# apt-get install libnet0-dev
# apt-get install libmysqlclient12-dev
# apt-get install checkinstall

I went to http://libdnet.sourceforge.net/ and downloaded the file libdnet-1.11.tar.gz (http://prdownloads.sourceforge.net/libdnet/libdnet-1.11.tar.gz?download):

# tar -xvf libdnet-1.11.tar.gz
# cd libdnet-1.11
# ./configure
# make
# checkinstall

Then I made the folders for Snort:

# mkdir /etc/snort
# mkdir /etc/snort/rules
# mkdir /var/log/snort

After that, building the database:

# mysqladmin -u root password new_root_password
# mysql -u root -p
> create database snort;
> grant all on snort.* to snort@localhost identified by 'password';
> flush privileges;
> exit;
# mysql -u root -p snort < snort-2.8.4.1/schemas/create_mysql

# vim /etc/snort/snort.conf
var RULE_PATH /etc/snort_inline/rules
var HOME_NET 192.168.0.0/24
var EXTERNAL_NET !$HOME_NET
output database: log, mysql, user=snort password=omb123456 dbname=snort host=localhost sensor_name=espec

Then I saved these changes.

# cd snort-2.8.4.1
# ./configure --enable-inline --with-mysql
# make
# checkinstall

Everything works fine and doesn't show any error.

iptables -A INPUT -j QUEUE
iptables -I INPUT -i lo -j ACCEPT    (loopback traffic)

Before I execute these two commands, my virtual machine's Ethernet interface doesn't answer. If I ping another machine, this is the response:

# ping 192.168.0.254
PING 192.168.0.254 (192.168.0.254) 56(84) bytes of data.
From 192.168.0.191 icmp_seq=2 Destination Host Unreachable
From 192.168.0.191 icmp_seq=3 Destination Host Unreachable
From 192.168.0.191 icmp_seq=4 Destination Host Unreachable
From 192.168.0.191 icmp_seq=5 Destination Host Unreachable
From 192.168.0.191 icmp_seq=6 Destination Host Unreachable
From 192.168.0.191 icmp_seq=7 Destination Host Unreachable
^C
--- 192.168.0.254 ping statistics ---
265 packets transmitted, 0 received, +6 errors, 100% packet loss, time 264708ms, pipe 3

iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
QUEUE      all  --  anywhere             anywhere

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

I have to restart the virtual machine to get access to the network or the Internet again. Anyway, I execute these two commands to add the rules to iptables and then:

# snort -Q -v -c /etc/snort/snort.conf -l /var/log/snort

For BASE, I downloaded base-1.3.9.tar.gz (http://sourceforge.net/project/downloading.php?group_id=103348&filename=base-1.3.9.tar.gz&a=83319268):

# tar -xvf base-1.3.9.tar.gz
# mv /home/user/Desktop/base-1.3.9 /var/www/base

I downloaded adodb5:

# tar -xvf adodb5.tgz
# mv /home/user/Desktop/adodb /var/www/base/
# chown -R www-data /var/www/base/

Then I configured base_config.php.dist:

$DBlib_path="/var/www/base//adodb";
$DBtype="mysql";
$alert_dbname = snort;
$alert_host = localhost;
$alert_port = "";
$alert_user = snort;
$alert_password = my_password;
$archive_dbname = snort;
$archive_host = localhost;
$archive_port = "";
$archive_user = snort;
$archive_password = my_password;

# mv /var/www/base/base_conf.php.dist /var/www/base/base_conf.php
# mysql -u root -p snort < /var/www/base/sql/create_base_tbls_mysql.sql

And after that I connect to http://localhost/base and it shows me the main page of BASE. Everything was OK, but the sensor doesn't send info to BASE, or the sensor is not working properly.

NOTE: if I run Snort before or after I put the rules in iptables, it doesn't look like it is sniffing anything. I want to run Snort in normal inline mode. Thanks for your time. I apologize for my English; I'm from Colombia and speak Spanish. Thanks.
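The post above adds `-j QUEUE` to INPUT and then starts `snort -Q` by hand, and reports that the host becomes unreachable until it is rebooted. The script below is an added example, not code from the poster or from the Snort project: it wraps the same two steps so that the QUEUE rule is only installed once the Snort configuration passes its own self-test (`snort -T`), and is deleted again however Snort exits, so a typo in snort.conf or a Ctrl-C cannot leave the queue without a consumer. The paths /usr/local/bin/snort, /etc/snort/snort.conf and /var/log/snort, the assumption that the ip_queue module is already loaded, and the IPTABLES/SNORT override variables are assumptions for this example, not facts from the thread.

```shell
#!/bin/sh
# Added example, not from the original post: bring an inline Snort sensor
# up and back down without leaving the host cut off from the network.
#
# Assumptions (not stated in the thread): snort is installed as
# /usr/local/bin/snort, the config is /etc/snort/snort.conf, logs go to
# /var/log/snort, and the ip_queue module is already loaded. Set
# IPTABLES=echo to dry-run the iptables calls as an unprivileged user.

IPTABLES="${IPTABLES:-iptables}"
SNORT="${SNORT:-/usr/local/bin/snort}"
SNORT_CONF="${SNORT_CONF:-/etc/snort/snort.conf}"
SNORT_LOG="${SNORT_LOG:-/var/log/snort}"

# Divert inbound traffic to the userspace QUEUE. Loopback is accepted
# ahead of the QUEUE rule so local services (MySQL for the database
# output plugin, Apache for BASE) keep working even if the queue stalls.
queue_rules_add() {
    "$IPTABLES" -I INPUT -i lo -j ACCEPT &&
    "$IPTABLES" -A INPUT -j QUEUE
}

# Exact inverse of queue_rules_add, so the chain ends up as it started.
queue_rules_del() {
    "$IPTABLES" -D INPUT -j QUEUE
    "$IPTABLES" -D INPUT -i lo -j ACCEPT
}

# Run Snort inline. The QUEUE target hands packets to whatever userspace
# process is listening on the ip_queue socket; with no consumer the kernel
# drops every packet that reaches the rule, which is what leaves a host
# unreachable until the rule is removed or the machine rebooted. So:
# refuse to touch iptables unless the Snort config passes its self-test,
# and remove the rules again however Snort exits.
inline_run() {
    if ! "$SNORT" -T -c "$SNORT_CONF"; then
        echo "snort -T failed; iptables left unchanged" >&2
        return 1
    fi
    trap 'queue_rules_del' INT TERM EXIT
    queue_rules_add || return 1
    "$SNORT" -Q -c "$SNORT_CONF" -l "$SNORT_LOG"
}

# Usage (as root):  ./snort-inline.sh --run
# Dry run:          IPTABLES=echo SNORT=true ./snort-inline.sh --run
case "${1:-}" in
    --run) inline_run ;;
esac
```

Snort is deliberately kept in the foreground rather than daemonized with `-D`, because the EXIT trap that removes the QUEUE rule only fires when the script itself ends; with a daemonized sensor the script would exit immediately and tear the rules down again. There is still a short window between `queue_rules_add` and Snort opening the queue in which matching packets are dropped; if that matters, start Snort first, wait for it to finish loading rules, then add the QUEUE rule from a second shell.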
Current thread:
- Trouble with Snort --enable-inline Oscar Mauricio Benavidez Suarez (Jun 09)
- Re: Trouble with Snort --enable-inline Ryan Jordan (Jun 09)
- Re: Trouble with Snort --enable-inline Will Metcalf (Jun 09)
- Re: Trouble with Snort --enable-inline Oscar Mauricio Benavidez Suarez (Jun 09)
- Re: Trouble with Snort --enable-inline Will Metcalf (Jun 09)
- Re: Trouble with Snort --enable-inline Oscar Mauricio Benavidez Suarez (Jun 09)
- Re: Trouble with Snort --enable-inline Oscar Mauricio Benavidez Suarez (Jun 10)
- Re: Trouble with Snort --enable-inline Will Metcalf (Jun 10)
- Re: Trouble with Snort --enable-inline Oscar Mauricio Benavidez Suarez (Jun 10)