Snort mailing list archives

Problem snort 9.3.3 - SNORT REPORT show NO DATA


From: "Sans, Ruben" <rsans () simon es>
Date: Fri, 26 Oct 2012 14:05:48 +0200

Hi all,

I installed Snort with the following versions:
sudo wget http://hem.bredband.net/jpgraph/jpgraph-1.27.1.tar.gz
sudo wget http://www.symmetrixtech.com/ids/snortreport-1.3.3.tar.gz
sudo wget http://www.snort.org/dl/snort-current/daq-1.1.1.tar.gz
sudo wget http://libdnet.googlecode.com/files/libdnet-1.12.tgz
sudo wget http://www.snort.org/dl/snort-current/snort-2.9.3.tar.gz
FTP     snortrules-snapshot-2930.tar.gz

I installed it following the default Snort procedure for Ubuntu 12.04:
http://www.snort.org/assets/158/snortinstallguide293.pdf

The network configuration is as follows:
2 network interfaces:
Eth0 --> IP LAN
Eth1 --> Snort

auto eth0
iface eth0 inet static
        address 192.168.252.62
        netmask 255.255.255.0
        network 192.168.252.0
        broadcast 192.168.252.255
        gateway 192.168.252.254
        # dns-* options are implemented by the resolvconf package, if installed
        dns-nameservers 172.16.14.30

auto eth1
iface eth1 inet manual
        up ifconfig eth1 0.0.0.0 up
        up ip link set eth1 promisc on
* Previously I had configured the ethernet interface not in promiscuous mode.

Config in the Cisco Catalyst 3750:
monitor session 1 source interface Gi0/1 , Gi0/11 , Gi0/24 , Gi0/27 , Gi0/41 , Gi0/43
monitor session 1 destination interface Gi0/44

I tested with tcpdump and see traffic on eth1; I have also connected Wireshark and I see traffic.

Having just installed Snort, Snort Report works properly, but I get "NO DATA".

Can you help me, please?

Thanks in advance!!!!!!!!!!!



ANNEX WITH THE DETAILS/STEPS OF THE CONFIGURATION
Below I show the full Snort configuration:

sudo apt-get install nmap
sudo apt-get install nbtscan
sudo apt-get install apache2
sudo apt-get install php5
sudo apt-get install php5-mysql
sudo apt-get install php5-gd
sudo apt-get install libpcap0.8-dev
sudo apt-get install libpcre3-dev
sudo apt-get install g++
sudo apt-get install bison
sudo apt-get install flex
sudo apt-get install libpcap-ruby
sudo apt-get install make
sudo apt-get install autoconf
sudo apt-get install libtool

pass root mysql = YOURPASSWORD
sudo apt-get install mysql-server
sudo apt-get install libmysqlclient-dev

sudo apt-get update
sudo apt-get upgrade

SNORT REPORT

Download and install JpGraph (Optional)

sudo wget http://hem.bredband.net/jpgraph/jpgraph-1.27.1.tar.gz
sudo mkdir /var/www/jpgraph
sudo tar zxvf jpgraph-1.27.1.tar.gz
sudo cp -r jpgraph-1.27.1/src /var/www/jpgraph/

Download and Set up Snort Report

wget http://www.symmetrixtech.com/ids/snortreport-1.3.3.tar.gz
sudo tar zxvf snortreport-1.3.3.tar.gz -C /var/www/

sudo nano /var/www/snortreport-1.3.3/srconf.php

Change this:
$pass = "YOURPASS";

For this:
$pass = "YOURPASSWORD";

SNORT

Download and install the Data Acquisition API (DAQ)

sudo wget http://www.snort.org/dl/snort-current/daq-1.1.1.tar.gz
sudo tar zxvf daq-1.1.1.tar.gz
cd daq-1.1.1
sudo ./configure
sudo make
sudo make install

Download and install libdnet

wget http://libdnet.googlecode.com/files/libdnet-1.12.tgz
sudo tar zxvf libdnet-1.12.tgz
cd libdnet-1.12/
sudo ./configure
sudo make
sudo make install
sudo ln -s /usr/local/lib/libdnet.1.0.1 /usr/lib/libdnet.1

Download and install snort

sudo wget http://www.snort.org/dl/snort-current/snort-2.9.3.tar.gz
sudo tar zxvf snort-2.9.3.tar.gz
cd snort-2.9.3
sudo ./configure --prefix=/usr/local/snort --enable-sourcefire
sudo make
sudo make install
sudo mkdir /var/log/snort
sudo mkdir /var/snort
sudo groupadd snort
sudo useradd -g snort snort
sudo chown snort:snort /var/log/snort

Download snort Rules

FTP     snortrules-snapshot-2930.tar.gz
sudo tar zxvf snortrules-snapshot-2930.tar.gz -C /usr/local/snort
sudo mkdir /usr/local/snort/lib/snort_dynamicrules
sudo cp /usr/local/snort/so_rules/precompiled/Ubuntu-10-4/i386/2.9.3.0/* \
/usr/local/snort/lib/snort_dynamicrules
sudo touch /usr/local/snort/rules/white_list.rules
sudo touch /usr/local/snort/rules/black_list.rules
sudo ldconfig

Configure Snort

sudo nano /usr/local/snort/etc/snort.conf

Change this:
var WHITE_LIST_PATH ../rules
var BLACK_LIST_PATH ../rules

For this:
var WHITE_LIST_PATH /usr/local/snort/rules
var BLACK_LIST_PATH /usr/local/snort/rules

Change this:
dynamicpreprocessor directory /usr/local/lib/snort_dynamicpreprocessor/
dynamicengine /usr/local/lib/snort_dynamicengine/libsf_engine.so
dynamicdetection directory /usr/local/lib/snort_dynamicrules

For this:
dynamicpreprocessor directory /usr/local/snort/lib/snort_dynamicpreprocessor/
dynamicengine /usr/local/snort/lib/snort_dynamicengine/libsf_engine.so
dynamicdetection directory /usr/local/snort/lib/snort_dynamicrules

After this line:
#output unified2: filename merged.log, limit 128, nostamp, \
mpls_event_types, vlan_event_types

Put this line:
output unified2: filename snort.u2, limit 128


Download and install Barnyard2

wget https://nodeload.github.com/firnsy/barnyard2/tarball/master \
-O barnyard2-2.10.tar.gz
sudo tar zxvf barnyard2-2.10.tar.gz
cd firnsy-barnyard2*
sudo autoreconf -fvi -I ./m4
sudo ./configure --with-mysql --with-mysql-libraries=/usr/lib/i386-linux-gnu
sudo make
sudo make install
sudo cp etc/barnyard2.conf /usr/local/snort/etc
sudo mkdir /var/log/barnyard2
sudo chmod 666 /var/log/barnyard2
sudo touch /var/log/snort/barnyard2.waldo
sudo chown snort.snort /var/log/snort/barnyard2.waldo

echo "create database snort;" | mysql -u root -p
mysql -u root -p -D snort < ./schemas/create_mysql

echo "grant create, insert, select, delete, update on snort.* to snort@localhost \
identified by 'YOURPASSWORD'" | mysql -u root -p

sudo nano /usr/local/snort/etc/barnyard2.conf

Change these lines:
config reference_file: /etc/snort/reference.config
config classification_file: /etc/snort/classification.config
config gen_file: /etc/snort/gen-msg.map
config sid_file: /etc/snort/sid-msg.map

#config hostname: thor
#config interface: eth0

#output database: log, mysql, user=root password=test dbname=db host=localhost

For this:
config reference_file: /usr/local/snort/etc/reference.config
config classification_file: /usr/local/snort/etc/classification.config
config gen_file: /usr/local/snort/etc/gen-msg.map
config sid_file: /usr/local/snort/etc/sid-msg.map

config hostname: localhost
config interface: eth1

output database: log, mysql, user=snort password=YOURPASSWORD dbname=snort \
host=localhost


Testing Snort

sudo /usr/local/snort/bin/snort -u snort -g snort \
-c /usr/local/snort/etc/snort.conf -i eth1

Start Snort automatically

sudo nano /etc/rc.local

After exit 0:
ifconfig eth1 up
/usr/local/snort/bin/snort -D -u snort -g snort \
-c /usr/local/snort/etc/snort.conf -i eth1
/usr/local/bin/barnyard2 -c /usr/local/snort/etc/barnyard2.conf \
-G /usr/local/snort/etc/gen-msg.map \
-S /usr/local/snort/etc/sid-msg.map \
-d /var/log/snort \
-f snort.u2 \
-w /var/log/snort/barnyard2.waldo \
-D

sudo /etc/init.d/rc.local start

http://192.168.252.62/snortreport-1.3.3/alerts.php



Rubén Sans
Information Systems Department

Diputación, 390-392
08013 Barcelona
Tel. 933 440 800, Ext. 408
e-mail: rsans () simon es
www.simon.es
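An added diagnostic, not part of Rubén's post or of the Snort and Barnyard2 projects: a POSIX shell script that checks each stage Snort Report depends on, in the order data flows through it: an uncommented `output unified2:` line in snort.conf, non-empty snort.u2.* spool files in /var/log/snort, a Barnyard2 waldo bookmark that has actually been written (the post creates it empty with `touch`; Barnyard2 only fills it once it has processed records), an uncommented `output database:` line in barnyard2.conf, and the snort/barnyard2 start lines in /etc/rc.local sitting before `exit 0`, since the shell never executes lines placed after it. Paths default to the ones used in the post and can be overridden as arguments; the script name `snort_pipeline_check.sh` is an assumption.

```shell
#!/bin/sh
# Added diagnostic script (not from the original post). Checks each stage of
# the pipeline Snort Report reads from:
#   snort.conf "output unified2" -> /var/log/snort/snort.u2.* spool files
#   -> barnyard2 (waldo bookmark) -> "output database" -> MySQL -> Snort Report
# Default paths are the ones used in the post; pass arguments to override.

# Count non-empty unified2 spool files (named <prefix>.<unix timestamp>).
# Zero means Snort is not writing alerts to disk, so Barnyard2 has nothing to load.
count_unified2() {
    dir="$1"; prefix="$2"; n=0
    for f in "$dir/$prefix".*; do
        [ -s "$f" ] && n=$((n + 1))
    done
    echo "$n"
}

# "yes" if an uncommented "output unified2:" line exists in snort.conf,
# "no" if every such line is still commented out, "missing" if the file is unreadable.
unified2_output_enabled() {
    [ -r "$1" ] || { echo missing; return; }
    grep -Eq '^[[:space:]]*output[[:space:]]+unified2:' "$1" && echo yes || echo no
}

# Same check for the "output database:" line in barnyard2.conf.
database_output_enabled() {
    [ -r "$1" ] || { echo missing; return; }
    grep -Eq '^[[:space:]]*output[[:space:]]+database:' "$1" && echo yes || echo no
}

# Barnyard2 bookmark state: "missing" (never started, or wrong -w path),
# "empty" (the touched file was never written, i.e. no records processed),
# or "ok" (Barnyard2 has bookmarked its position in the spool).
waldo_status() {
    if [ ! -e "$1" ]; then echo missing
    elif [ ! -s "$1" ]; then echo empty
    else echo ok
    fi
}

# "yes" if an uncommented line mentioning snort or barnyard2 appears before
# the first "exit 0" in rc.local; lines after "exit 0" never run.
rc_local_starts_before_exit() {
    [ -r "$1" ] || { echo missing; return; }
    awk '
        /^[[:space:]]*#/ { next }
        /^[[:space:]]*exit[[:space:]]+0/ { seen_exit = 1 }
        /snort|barnyard2/ && !seen_exit { found = 1 }
        END { print (found ? "yes" : "no") }
    ' "$1"
}

main() {
    log_dir="${1:-/var/log/snort}"
    snort_conf="${2:-/usr/local/snort/etc/snort.conf}"
    by2_conf="${3:-/usr/local/snort/etc/barnyard2.conf}"
    rc_local="${4:-/etc/rc.local}"
    echo "unified2 output enabled in snort.conf        : $(unified2_output_enabled "$snort_conf")"
    echo "non-empty snort.u2.* spool files             : $(count_unified2 "$log_dir" snort.u2)"
    echo "barnyard2 waldo bookmark                     : $(waldo_status "$log_dir/barnyard2.waldo")"
    echo "database output enabled in barnyard2.conf    : $(database_output_enabled "$by2_conf")"
    echo "rc.local starts snort/barnyard2 before exit 0: $(rc_local_starts_before_exit "$rc_local")"
}

# Runs only when invoked with at least one argument, e.g.:
#   sh snort_pipeline_check.sh /var/log/snort
[ $# -gt 0 ] && main "$@"
```

Read the output top to bottom: the first stage that reports "no", "0", "missing" or "empty" is where the alerts stop flowing, and everything below it (including Snort Report's "NO DATA") is a consequence of that stage rather than a separate fault.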
