Snort mailing list archives
Problem snort 9.3.3 - SNORT REPORT show NO DATA
From: "Sans, Ruben" <rsans () simon es>
Date: Fri, 26 Oct 2012 14:05:48 +0200
Hi all,

I installed Snort with the following versions:

    sudo wget http://hem.bredband.net/jpgraph/jpgraph-1.27.1.tar.gz
    sudo wget http://www.symmetrixtech.com/ids/snortreport-1.3.3.tar.gz
    sudo wget http://www.snort.org/dl/snort-current/daq-1.1.1.tar.gz
    sudo wget http://libdnet.googlecode.com/files/libdnet-1.12.tgz
    sudo wget http://www.snort.org/dl/snort-current/snort-2.9.3.tar.gz
    FTP snortrules-snapshot-2930.tar.gz

I installed following the procedure of the Snort default Ubuntu 12.04 guide:
http://www.snort.org/assets/158/snortinstallguide293.pdf

The network configuration is as follows, with 2 network interfaces:

    eth0 --> IP LAN
    eth1 --> Snort

    auto eth0
    iface eth0 inet static
        address 192.168.252.62
        netmask 255.255.255.0
        network 192.168.252.0
        broadcast 192.168.252.255
        gateway 192.168.252.254
        # dns-* options are implemented by the resolvconf package, if installed
        dns-nameservers 172.16.14.30

    auto eth1
    iface eth1 inet manual
        up ifconfig eth1 0.0.0.0 up
        up ip link set eth1 promisc on

* I previously had the interface configured not in promiscuous mode.

Config in the Cisco Catalyst 3750:

    monitor session 1 source interface Gi0/1 , Gi0/11 , Gi0/24 , Gi0/27 , Gi0/41 , Gi0/43
    monitor session 1 destination interface Gi0/44

I tested with tcpdump and see traffic on eth1; I have also connected Wireshark and I see traffic.

I just installed Snort, and Snort Report works properly, but I get "NO DATA".

Can you help me, please?

Thanks in advance!
ANNEX WITH THE DETAIL/STEPS OF CONFIGURATION

Here I show all the Snort configuration:

    sudo apt-get install nmap
    sudo apt-get install nbtscan
    sudo apt-get install apache2
    sudo apt-get install php5
    sudo apt-get install php5-mysql
    sudo apt-get install php5-gd
    sudo apt-get install libpcap0.8-dev
    sudo apt-get install libpcre3-dev
    sudo apt-get install g++
    sudo apt-get install bison
    sudo apt-get install flex
    sudo apt-get install libpcap-ruby
    sudo apt-get install make
    sudo apt-get install autoconf
    sudo apt-get install libtool

(MySQL root pass = YOURPASSWORD)

    sudo apt-get install mysql-server
    sudo apt-get install libmysqlclient-dev
    sudo apt-get update
    sudo apt-get upgrade

SNORT REPORT

Download and install JpGraph (optional):

    sudo wget http://hem.bredband.net/jpgraph/jpgraph-1.27.1.tar.gz
    sudo mkdir /var/www/jpgraph
    sudo tar zxvf jpgraph-1.27.1.tar.gz
    sudo cp -r jpgraph-1.27.1/src /var/www/jpgraph/

Download and set up Snort Report:

    wget http://www.symmetrixtech.com/ids/snortreport-1.3.3.tar.gz
    sudo tar zxvf snortreport-1.3.3.tar.gz -C /var/www/
    sudo nano /var/www/snortreport-1.3.3/srconf.php

Change this:

    $pass = "YOURPASS";

For this:

    $pass = "YOURPASSWORD";

SNORT

Download and install the Data Acquisition API:

    sudo wget http://www.snort.org/dl/snort-current/daq-1.1.1.tar.gz
    sudo tar zxvf daq-1.1.1.tar.gz
    cd daq-1.1.1
    sudo ./configure
    sudo make
    sudo make install

Download and install libdnet:

    wget http://libdnet.googlecode.com/files/libdnet-1.12.tgz
    sudo tar zxvf libdnet-1.12.tgz
    cd libdnet-1.12/
    sudo ./configure
    sudo make
    sudo make install
    sudo ln -s /usr/local/lib/libdnet.1.0.1 /usr/lib/libdnet.1

Download and install Snort:

    sudo wget http://www.snort.org/dl/snort-current/snort-2.9.3.tar.gz
    sudo tar zxvf snort-2.9.3.tar.gz
    cd snort-2.9.3
    sudo ./configure --prefix=/usr/local/snort --enable-sourcefire
    sudo make
    sudo make install
    sudo mkdir /var/log/snort
    sudo mkdir /var/snort
    sudo groupadd snort
    sudo useradd -g snort snort
    sudo chown snort:snort /var/log/snort

Download Snort rules:

    FTP snortrules-snapshot-2930.tar.gz
    sudo tar zxvf snortrules-snapshot-2930.tar.gz -C /usr/local/snort
    sudo mkdir /usr/local/snort/lib/snort_dynamicrules
    sudo cp /usr/local/snort/so_rules/precompiled/Ubuntu-10-4/i386/2.9.3.0/* \
        /usr/local/snort/lib/snort_dynamicrules
    sudo touch /usr/local/snort/rules/white_list.rules
    sudo touch /usr/local/snort/rules/black_list.rules
    sudo ldconfig

Configure Snort:

    sudo nano /usr/local/snort/etc/snort.conf

Change this:

    var WHITE_LIST_PATH ../rules
    var BLACK_LIST_PATH ../rules

For this:

    var WHITE_LIST_PATH /usr/local/snort/rules
    var BLACK_LIST_PATH /usr/local/snort/rules

Change this:

    dynamicpreprocessor directory /usr/local/lib/snort_dynamicpreprocessor/
    dynamicengine /usr/local/lib/snort_dynamicengine/libsf_engine.so
    dynamicdetection directory /usr/local/lib/snort_dynamicrules

For this:

    dynamicpreprocessor directory /usr/local/snort/lib/snort_dynamicpreprocessor/
    dynamicengine /usr/local/snort/lib/snort_dynamicengine/libsf_engine.so
    dynamicdetection directory /usr/local/snort/lib/snort_dynamicrules

After this line:

    #output unified2: filename merged.log, limit 128, nostamp, \
        mpls_event_types, vlan_event_types

Put this line:

    output unified2: filename snort.u2, limit 128

Download and install Barnyard2:

    wget https://nodeload.github.com/firnsy/barnyard2/tarball/master \
        -O barnyard2-2.10.tar.gz
    sudo tar zxvf barnyard2-2.10.tar.gz
    cd firnsy-barnyard2*
    sudo autoreconf -fvi -I ./m4
    sudo ./configure --with-mysql --with-mysql-libraries=/usr/lib/i386-linux-gnu
    sudo make
    sudo make install
    sudo cp etc/barnyard2.conf /usr/local/snort/etc
    sudo mkdir /var/log/barnyard2
    sudo chmod 666 /var/log/barnyard2
    sudo touch /var/log/snort/barnyard2.waldo
    sudo chown snort.snort /var/log/snort/barnyard2.waldo
    echo "create database snort;" | mysql -u root -p
    mysql -u root -p -D snort < ./schemas/create_mysql
    echo "grant create, insert, select, delete, update on snort.* to snort@localhost \
        identified by 'YOURPASSWORD'" | mysql -u root -p
    sudo nano /usr/local/snort/etc/barnyard2.conf

Change these lines:

    config reference_file: /etc/snort/reference.config
    config classification_file: /etc/snort/classification.config
    config gen_file: /etc/snort/gen-msg.map
    config sid_file: /etc/snort/sid-msg.map
    #config hostname: thor
    #config interface: eth0
    #output database: log, mysql, user=root password=test dbname=db host=localhost

For this:

    config reference_file: /usr/local/snort/etc/reference.config
    config classification_file: /usr/local/snort/etc/classification.config
    config gen_file: /usr/local/snort/etc/gen-msg.map
    config sid_file: /usr/local/snort/etc/sid-msg.map
    config hostname: localhost
    config interface: eth1
    output database: log, mysql, user=snort password=YOURPASSWORD dbname=snort \
        host=localhost

Testing Snort:

    sudo /usr/local/snort/bin/snort -u snort -g snort \
        -c /usr/local/snort/etc/snort.conf -i eth1

Start Snort automatically:

    sudo nano /etc/rc.local

After exit 0:

    ifconfig eth1 up
    /usr/local/snort/bin/snort -D -u snort -g snort \
        -c /usr/local/snort/etc/snort.conf -i eth1
    /usr/local/bin/barnyard2 -c /usr/local/snort/etc/barnyard2.conf \
        -G /usr/local/snort/etc/gen-msg.map \
        -S /usr/local/snort/etc/sid-msg.map \
        -d /var/log/snort \
        -f snort.u2 \
        -w /var/log/snort/barnyard2.waldo \
        -D
    sudo /etc/init.d/rc.local start

http://192.168.252.62/snortreport-1.3.3/alerts.php

Rubén Sans
Information Systems Dept.
Diputación, 390-392
08013 Barcelona
Tel. 933 440 800, Ext. 408
e-mail: rsans () simon es
www.simon.es
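For the symptom in this thread (Snort Report shows NO DATA although tcpdump and Wireshark see traffic on eth1), a useful first check is whether Snort is writing any unified2 event records at all into the spool directory Barnyard2 reads (/var/log/snort/snort.u2.<timestamp> with the configuration above), before looking at Barnyard2 or MySQL. The script below is an added example, not part of the original post and not code from the Snort or Barnyard2 projects. It walks a unified2 file record by record using the unified2 record header (4-byte type, 4-byte length, network byte order) and the 52-byte legacy IPv4 event layout (record type 7) that Snort 2.9.x writes when vlan_event_types/mpls_event_types are not set, counts event and packet records, decodes gid:sid:rev and the address tuple of each event, and flags a truncated trailing record. The file name u2check.py and the function names are my own; build_sample_spool() constructs sample data (addresses, rule IDs and timestamps are all constructed) so the script runs offline.

```python
#!/usr/bin/env python3
"""u2check.py: summarize a Snort unified2 spool file (hypothetical tool name)."""
import struct
import sys
from collections import Counter
from ipaddress import IPv4Address

# Record type IDs from Snort's unified2 format.
UNIFIED2_PACKET = 2
UNIFIED2_IDS_EVENT = 7            # legacy IPv4 event, Snort 2.9.x default
UNIFIED2_IDS_EVENT_IPV6 = 72
UNIFIED2_IDS_EVENT_VLAN = 104     # written when vlan_event_types is set
UNIFIED2_IDS_EVENT_IPV6_VLAN = 105
UNIFIED2_EXTRA_DATA = 110

RECORD_HEADER = struct.Struct("!II")             # record type, record length
IDS_EVENT = struct.Struct("!IIIIIIIIIIIHHBBBB")  # Unified2IDSEvent_legacy, 52 bytes
PACKET_HEADER = struct.Struct("!IIIIIII")        # Serial_Unified2Packet fixed part, 28 bytes


def decode_event(payload):
    """Decode a type-7 event body into the fields an analyst wants to see."""
    f = IDS_EVENT.unpack_from(payload)
    return {
        "sensor_id": f[0], "event_id": f[1], "event_second": f[2],
        "sid": f[4], "gid": f[5], "rev": f[6], "priority": f[8],
        "src": str(IPv4Address(f[9])), "dst": str(IPv4Address(f[10])),
        "sport": f[11], "dport": f[12], "proto": f[13],
    }


def summarize(data):
    """Walk every complete record; a cut-off tail is reported, not raised.

    A truncated last record is normal while Snort is still writing the file,
    which is exactly the situation Barnyard2 tails in continuous mode.
    """
    summary = {"events": [], "packets": 0, "other": Counter(), "truncated": False}
    offset = 0
    while offset + RECORD_HEADER.size <= len(data):
        rtype, length = RECORD_HEADER.unpack_from(data, offset)
        start = offset + RECORD_HEADER.size
        end = start + length
        if end > len(data):
            summary["truncated"] = True
            break
        payload = data[start:end]
        if rtype == UNIFIED2_IDS_EVENT and length >= IDS_EVENT.size:
            summary["events"].append(decode_event(payload))
        elif rtype == UNIFIED2_PACKET:
            summary["packets"] += 1
        else:
            summary["other"][rtype] += 1   # IPv6/VLAN events, extra data, unknown
        offset = end
    if offset != len(data):
        summary["truncated"] = True        # leftover bytes shorter than a header
    return summary


def build_sample_spool(truncate=False):
    """Constructed unified2 bytes: two IPv4 events, one packet record, optional cut tail."""
    def event(event_id, sid, src, dst, dport):
        body = IDS_EVENT.pack(1, event_id, 1351253148, 0, sid, 1, 3, 0, 2,
                              int(IPv4Address(src)), int(IPv4Address(dst)),
                              40000, dport, 6, 0, 0, 0)
        return RECORD_HEADER.pack(UNIFIED2_IDS_EVENT, len(body)) + body

    def packet(event_id, pkt):
        body = PACKET_HEADER.pack(1, event_id, 1351253148, 1351253148, 0, 1, len(pkt)) + pkt
        return RECORD_HEADER.pack(UNIFIED2_PACKET, len(body)) + body

    # Constructed sample: sids in the local-rule range, addresses on the poster's subnet.
    data = event(1, 1000001, "192.168.252.10", "192.168.252.62", 80)
    data += packet(1, b"GET / HTTP/1.0\r\n\r\n")
    data += event(2, 1000002, "10.0.0.5", "192.168.252.20", 445)
    if truncate:  # header promising 52 bytes, only 20 present
        data += RECORD_HEADER.pack(UNIFIED2_IDS_EVENT, IDS_EVENT.size) + b"\x00" * 20
    return data


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            data = fh.read()
    else:
        data = build_sample_spool()
    s = summarize(data)
    print("events=%d packets=%d other=%s truncated=%s"
          % (len(s["events"]), s["packets"], dict(s["other"]), s["truncated"]))
    for e in s["events"]:
        print("  %d:%d:%d %s:%d -> %s:%d proto=%d"
              % (e["gid"], e["sid"], e["rev"], e["src"], e["sport"],
                 e["dst"], e["dport"], e["proto"]))
```

Run it on the sensor against the newest spool file, for example python3 u2check.py /var/log/snort/snort.u2.1351253148 (the timestamp suffix is illustrative). A spool file with zero events while tcpdump shows traffic means packets reach Snort but no rule fires, so the database stays empty for a reason unrelated to Barnyard2; no spool file at all means Snort is not running or not writing where Barnyard2 looks; events present in the file but none in MySQL moves the suspicion to Barnyard2, whose -d (spool directory) and -f (file name prefix) arguments must match the output unified2 line in snort.conf.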