Snort mailing list archives

Re: Trouble with Snort --enable-inline


From: Oscar Mauricio Benavidez Suarez <obenavidez () gmail com>
Date: Wed, 10 Jun 2009 09:53:51 -0500

Thanks for your answers. Well, I want to do a normal Snort inline setup.

Here is a summary of my installation.

First I install Debian Lenny, then I install all the prerequisites:

#apt-get install apache2
#apt-get install mysql-server
#apt-get install php5
#apt-get install php5-mysql
#apt-get install build-essential
#apt-get install libpcre3-dev
#apt-get install iptables-dev
#apt-get install libnet0-dev
#apt-get install libmysqlclient12-dev
#apt-get install checkinstall

I go to http://libdnet.sourceforge.net/ and download the file libdnet-1.11.tar.gz (http://prdownloads.sourceforge.net/libdnet/libdnet-1.11.tar.gz?download)

#tar -xvf libdnet-1.11.tar.gz
#cd libdnet-1.11
#./configure
#make
#checkinstall

Then I make the folders for Snort:

#mkdir /etc/snort
#mkdir /etc/snort/rules
#mkdir /var/log/snort


After that, I build the database:

#mysqladmin -u root password new_root_password
#mysql -u root -p
>create database snort;
>grant all on snort.* to snort@localhost identified by 'password';
>flush privileges;
>exit;

#mysql -u root -p snort < snort-2.8.4.1/schemas/create_mysql

#vim /etc/snort/snort.conf

var RULE_PATH /etc/snort_inline/rules
var HOME_NET 192.168.0.0/24
var EXTERNAL_NET !$HOME_NET

output database: log, mysql, user=snort password=omb123456 dbname=snort host=localhost sensor_name=espec

Then I save these changes.

#cd snort-2.8.4.1
#./configure --enable-inline --with-mysql
#make
#checkinstall

And everything works fine, it doesn't show any error.

iptables -A INPUT -j QUEUE
iptables -I INPUT -i lo -j ACCEPT    (loopback traffic)

Before I execute these two commands, my VM's Ethernet interface doesn't answer; if I ping another machine this is the response:


#ping 192.168.0.254
PING 192.168.0.254 (192.168.0.254) 56(84) bytes of data.
From 192.168.0.191 icmp_seq=2 Destination Host Unreachable
From 192.168.0.191 icmp_seq=3 Destination Host Unreachable
From 192.168.0.191 icmp_seq=4 Destination Host Unreachable
From 192.168.0.191 icmp_seq=5 Destination Host Unreachable
From 192.168.0.191 icmp_seq=6 Destination Host Unreachable
From 192.168.0.191 icmp_seq=7 Destination Host Unreachable
^C
--- 192.168.0.254 ping statistics ---
265 packets transmitted, 0 received, +6 errors, 100% packet loss, time 264708ms, pipe 3

iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
QUEUE      all  --  anywhere             anywhere

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

I have to restart the VM to get access to the network or the Internet again. Anyway, I execute these two commands to add the rules to iptables and then:

#snort -Q -v -c /etc/snort/snort.conf -l /var/log/snort



For BASE, I download base-1.3.9.tar.gz (http://sourceforge.net/project/downloading.php?group_id=103348&filename=base-1.3.9.tar.gz&a=83319268)

#tar -xvf base-1.3.9.tar.gz
#mv /home/user/Desktop/base-1.3.9 /var/www/base

Download adodb5:
#tar -xvf adodb5.tgz
#mv /home/user/Desktop/adodb /var/www/base/

#chown -R www-data /var/www/base/

Then I configured base_conf.php.dist:

$DBlib_path = "/var/www/base//adodb";

$DBtype = "mysql";

$alert_dbname = "snort";
$alert_host = "localhost";
$alert_port = "";
$alert_user = "snort";
$alert_password = "my_password";

$archive_dbname = "snort";
$archive_host = "localhost";
$archive_port = "";
$archive_user = "snort";
$archive_password = "my_password";


#mv /var/www/base/base_conf.php.dist /var/www/base/base_conf.php
#mysql -u root -p snort < /var/www/base/sql/create_base_tbls_mysql.sql
*
And after that I connect to http://localhost/base and it shows me the main page of BASE. Everything was OK, but the sensor doesn't send info to BASE, or the sensor is not working properly.

NOTE: if I run Snort before or after I put the rules in iptables, it doesn't look like it is sniffing anything. I want to run Snort in normal inline mode. Thanks for your time.

I apologize for my English, I'm from Colombia and speak Spanish. Thanks.
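A start-up script for the sequence this post describes (modprobe ip_queue, snort -Q, then the iptables QUEUE rule), added here as an example and not part of the original message or of Snort. It assumes Linux ip_queue's /proc/net/ip_queue status file, uses placeholder values for the sniffing interface and admin host, and only installs the QUEUE rule once snort -Q is attached, removing it again when snort exits, so the host is never left unreachable the way the ping output above shows.

```shell
#!/bin/sh
# Added example, not from the original post: bring up an ip_queue-based Snort
# inline sensor without blackholing the host. With the QUEUE target installed
# and no userspace listener attached, ip_queue drops every queued packet; that
# matches the "Destination Host Unreachable" symptom in the post. Assumes Linux
# ip_queue (/proc/net/ip_queue) as used by "snort -Q" on 2.8.x; interface and
# admin host are placeholders. IPTABLES=echo gives a dry run.
set -e

IPTABLES="${IPTABLES:-iptables}"
IPQ_PROC="${IPQ_PROC:-/proc/net/ip_queue}"
SNIFF_IF="${SNIFF_IF:-eth0}"             # placeholder sniffing interface
MGMT_HOST="${MGMT_HOST:-192.168.0.10}"   # placeholder admin host, never queued

# Return 0 only when a userspace process (snort -Q) is attached to ip_queue.
queue_has_peer() {
    [ -r "$IPQ_PROC" ] || return 1
    pid=$(sed -n 's/^Peer PID[[:space:]]*:[[:space:]]*\([0-9]*\).*/\1/p' "$IPQ_PROC")
    [ -n "$pid" ] && [ "$pid" -ne 0 ]
}

# Poll for the listener for up to $1 seconds; return 1 if it never attaches.
wait_for_peer() {
    n="${1:-10}"
    while [ "$n" -gt 0 ]; do
        queue_has_peer && return 0
        n=$((n - 1)); sleep 1
    done
    return 1
}

# add: loopback and the admin host are accepted before anything is queued and
# only the sniffing interface goes to QUEUE. del: remove exactly those rules.
apply_rules() {
    if [ "$1" = add ]; then ins=-I; app=-A; else ins=-D; app=-D; fi
    "$IPTABLES" "$ins" INPUT -i lo -j ACCEPT
    "$IPTABLES" "$ins" INPUT -s "$MGMT_HOST" -j ACCEPT
    "$IPTABLES" "$app" INPUT -i "$SNIFF_IF" -j QUEUE
}

main() {
    modprobe ip_queue
    snort -Q -D -c /etc/snort/snort.conf -l /var/log/snort
    wait_for_peer 10 || { echo "snort never attached to ip_queue" >&2; exit 1; }
    trap 'apply_rules del' EXIT          # fail open: listener gone, QUEUE gone
    apply_rules add
    while queue_has_peer; do sleep 5; done
}
case "${1:-}" in run) main ;; esac
```

Run it as root with the argument `run`; without it the functions are only defined, which is what makes a dry run with IPTABLES=echo possible.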
