Snort mailing list archives
Re: snort on OSSIM
From: "Crook, Parker" <Parker_Crook () reyrey com>
Date: Tue, 16 Mar 2010 16:32:53 -0400
Exactly, OSSIM will start an instance of Snort for each interface you feed to OSSIM. I in no way wanted to lead people to believe that you can run snort -i eth1,eth2,eth3...ethX and go to town, because that would be wrong. Thanks for clearing that up.

-Parker

-----Original Message-----
From: Joel Esler [mailto:jesler () sourcefire com]
Sent: Tuesday, March 16, 2010 4:30 PM
To: Crook, Parker
Cc: Kaushal Shriyan; snort-users () lists sourceforge net
Subject: Re: [Snort-users] snort on OSSIM

Okay, so OSSIM will start two instances of Snort, one for each interface? Is that what you are saying? The reason I am asking is because I don't want people reading the list thinking "oh, I can just run (non-OSSIM) Snort with -i eth1,eth2 and it'll work!"

J
--
Joel Esler

On Mar 16, 2010, at 4:16 PM, Crook, Parker wrote:

Joel,

You are correct in that I made an error (no commas), it should look like:

DEBIAN_SNORT_INTERFACE="eth1 eth2"

Then you have to run ossim-reconfig, and ossim will run two instances of Snort (on OSSIM 2.1 this would create two binaries, snort_eth1 and snort_eth2, but I have not tested on OSSIM 2.2). I posted up my findings on this thread a while back:

https://www.alienvault.com/forum/index.php?t=msg&goto=5566&S=b8d60b94e6c1d460ebf808dfc78343a5#msg_5566

-Parker

-----Original Message-----
From: Joel Esler [mailto:jesler () sourcefire com]
Sent: Tuesday, March 16, 2010 4:01 PM
To: Crook, Parker
Cc: Kaushal Shriyan; snort-users () lists sourceforge net
Subject: Re: [Snort-users] snort on OSSIM

Have you tested to make sure that Snort is listening on all three interfaces that you describe below? Or does Snort only accept the first one in this list? I don't think you can do that "eth1,eth2,eth3" specification, I've never tested it, and have no way to do it right now...

J

On Mar 16, 2010, at 2:41 PM, Crook, Parker wrote:

Kaushal,

Ray is correct - I was using Snort on OSSIM for quite a while and the snort files are located in /etc/snort. As far as tuning snort, you would still need to define your variables in the snort.ethX.conf file, where ethX is the configuration file Snort will use for the respective interface. As far as configuring goes, there is a snort.debian.conf file that you can use to set some of your options (example contents below):

#this sets $HOME_NET in command-line call - leave empty if $HOME_NET is set
#in your config file, else, define here.
DEBIAN_SNORT_HOME_NET="192.168.0.0/16,1.2.3.0/24"
#listen on eth1, eth2, and eth3 - starts multiple instances of snort, using
#their respective config files
DEBIAN_SNORT_INTERFACE="eth1,eth2,eth3"
#use Berkeley Packet Filter file
DEBIAN_SNORT_OPTIONS="-F bpf.filt"
DEBIAN_SNORT_SEND_STATS="true"
DEBIAN_SNORT_STARTUP="boot"
DEBIAN_SNORT_STATS_RCPT="root"
DEBIAN_SNORT_STATS_THRESHOLD="1"

Now, stepping outside of talking about Snort, if you are using OSSIM in all-in-one mode, then your output module for Snort should already be configured and logging to your database out of the box (otherwise you will need to set up the sensor->server communication channel in the OSSIM configs). You can view alerts from Snort on the webpage under Events->Alerts I believe...

Hope this helps,
Parker Crook

-----Original Message-----
From: Ray Caparros [mailto:arcy24 () gmail com]
Sent: Tuesday, March 16, 2010 12:19 PM
To: Kaushal Shriyan
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] snort on OSSIM

Kaushal,

I believe the snort instance in OSSIM is located at /etc/snort. Here's the link on their forum https://www.alienvault.com/forum/

-Ray

On Tue, Mar 16, 2010 at 11:29 AM, Kaushal Shriyan <kaushalshriyan () gmail com> wrote:

Hi

I am a newbie to snort. On what parameters or basis do I need to configure ruleset in snort. I am using snort under OSSIM Application. Please suggest/guide.

Thanks and Regards,
Kaushal

------------------------------------------------------------------------------
Download Intel® Parallel Studio Eval
Try the new software tools for yourself. Speed compiling, find bugs proactively, and fine-tune applications for parallel performance. See why Intel Parallel Studio got high marks during beta.
http://p.sf.net/sfu/intel-sw-dev
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
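An added illustration of the point settled in the thread (this is example code, not from the thread, from OSSIM or from Debian's snort package): an init-style loop word-splits DEBIAN_SNORT_INTERFACE on whitespace, so "eth1 eth2" yields one Snort process per interface, each reading its own /etc/snort/snort.<iface>.conf, while the comma form collapses into a single bogus interface name. The -D, -i, -c and -S flags are real Snort options; the exact command shape and the bracketed HOME_NET value are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread, OSSIM or Debian's snort package.
# Mimics an init script that starts one Snort instance per interface named
# in DEBIAN_SNORT_INTERFACE. The value is deliberately expanded unquoted so
# the shell word-splits it on whitespace, which is why "eth1 eth2" works.

# Print the command that would be launched for each interface in $1.
# $2 (optional) is DEBIAN_SNORT_HOME_NET; when set it is passed with -S,
# Snort's "set rules variable" option (bracketed, since it may be a list).
snort_instance_cmds() {
    ifaces=$1
    home_net=$2
    for iface in $ifaces; do          # unquoted on purpose: word splitting
        cfg="/etc/snort/snort.${iface}.conf"
        if [ -n "$home_net" ]; then
            printf 'snort -D -i %s -c %s -S HOME_NET=[%s]\n' "$iface" "$cfg" "$home_net"
        else
            printf 'snort -D -i %s -c %s\n' "$iface" "$cfg"
        fi
    done
}

# How many Snort processes a given DEBIAN_SNORT_INTERFACE value produces.
snort_instance_count() {
    snort_instance_cmds "$1" | wc -l | tr -d ' '
}

# Flag a comma inside any single interface word: the shell did not split
# on it, so Snort would be handed "eth1,eth2,eth3" as one interface name.
check_interface_spec() {
    for iface in $1; do
        case $iface in
            *,*) printf 'bad interface name %s (use spaces, not commas)\n' "$iface"
                 return 1 ;;
        esac
    done
    return 0
}

# Demo run on the two values that appear in the thread.
snort_instance_cmds "eth1 eth2" "192.168.0.0/16,1.2.3.0/24"
check_interface_spec "eth1,eth2,eth3" || true
```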
Current thread:
- snort on OSSIM Kaushal Shriyan (Mar 16)
- Re: snort on OSSIM Ray Caparros (Mar 16)
- Re: snort on OSSIM Crook, Parker (Mar 16)
- Re: snort on OSSIM Joel Esler (Mar 16)
- Re: snort on OSSIM Crook, Parker (Mar 16)
- Re: snort on OSSIM Crook, Parker (Mar 16)
- Re: snort on OSSIM Joel Esler (Mar 16)
- Re: snort on OSSIM Crook, Parker (Mar 16)
- Re: snort on OSSIM Crook, Parker (Mar 16)
- Re: snort on OSSIM Ray Caparros (Mar 16)
- Re: snort on OSSIM Kaushal Shriyan (Mar 17)
- Re: snort on OSSIM Crook, Parker (Mar 17)
- Re: snort on OSSIM Kaushal Shriyan (Mar 17)
- Re: snort on OSSIM Crook, Parker (Mar 17)