Snort mailing list archives
newbie question
From: Alex Samad <alex () samad com au>
Date: Mon, 23 Nov 2015 08:17:54 +1100
Hi, I am testing out Snort, running it on CentOS 6.x. I have installed the packages from https://forensics.cert.org/. Seems like snort.org only has CentOS/RHEL 7 packages :( I installed snort-openappid-2.9.7.6-1.el6.x86_64.

So I have it installed and it seems to be running, as in I can run

    snort -c /etc/snort/snort.conf -N -s -i eth1.207

I did register and downloaded the Snort rules, placed them in /usr/local/lib/snort, updated my /etc/snort/snort.conf file to point there, and created empty white_list.rules and black_list.rules to satisfy

    preprocessor reputation: \
        memcap 500, \
        priority whitelist, \
        nested_ip inner, \
        whitelist $WHITE_LIST_PATH/white_list.rules, \
        blacklist $BLACK_LIST_PATH/black_list.rules

My Snort box is not in the path of all the traffic; it's a VM on a VMware host. I have 2 NICs: 1 is management, with an IP that I can ssh to. The other NIC is set up on VLAN 4095 (VMware special VLAN ID to get all packets, with tagging). I have created eth1.<vlanid> for all the interested VLANs I want to watch, for example the users and guest networks.

Currently I have screen running and I start 2 processes like this:

    snort -c /etc/snort/snort.conf -N -s -i eth1.145

I don't really want to log any packets, just want to check out the alerting. I believe this will send any alerts to syslog. I have been keeping track of /var/log/message and /var/log/secure; nothing as yet.

How can I set this up so I run it as a daemon, and can 1 process watch 2 or more interfaces? Or am I going about this all wrong :)

thanks
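An added example, not part of the original post and not code from the Snort project: a small POSIX shell helper that does the daemonising the question asks about. It uses only Snort 2.9 command-line options that exist (-T to test the configuration, -D to run in the background, -N to suppress packet logging, -s to send alerts to syslog, -i for the capture interface), creates the empty reputation list files, and checks that each VLAN sub-interface exists before launching a daemon for it, so a typo in a VLAN id fails loudly instead of producing a daemon that exits on startup. It assumes one passive Snort process per interface (the conservative setup), that snort is in PATH, and that the reputation lists live under /etc/snort/rules; adjust LIST_DIR to match the $WHITE_LIST_PATH/$BLACK_LIST_PATH values in your snort.conf.

```shell
#!/bin/sh
# Added example (not from the original post or the Snort project): start one
# passive Snort 2.9 daemon per VLAN sub-interface after validating the config.
# Assumptions: snort in PATH, config at /etc/snort/snort.conf, reputation list
# directory /etc/snort/rules (override via SNORT_CONF / LIST_DIR).

SNORT_CONF="${SNORT_CONF:-/etc/snort/snort.conf}"
LIST_DIR="${LIST_DIR:-/etc/snort/rules}"

# Create the empty white/black list files the reputation preprocessor expects.
# Prints both paths; returns non-zero if the directory cannot be written.
snort_reputation_lists() {
    dir="$1"
    mkdir -p "$dir" || return 1
    for f in white_list.rules black_list.rules; do
        [ -e "$dir/$f" ] || : > "$dir/$f" || return 1
    done
    printf '%s\n' "$dir/white_list.rules" "$dir/black_list.rules"
}

# Build the daemon command line for one interface.
# -D daemonise, -N no packet logging, -s alerts to syslog, -i capture interface.
# Refuses an interface that is not present in /sys/class/net.
snort_daemon_cmd() {
    iface="$1"
    if [ ! -d "/sys/class/net/$iface" ]; then
        echo "no such interface: $iface" >&2
        return 1
    fi
    printf 'snort -c %s -D -N -s -i %s\n' "$SNORT_CONF" "$iface"
}

# Validate the configuration once (-T) and then start one daemon per
# interface given on the command line. Stops at the first failure.
snort_start_all() {
    snort -c "$SNORT_CONF" -T -q || return 1
    for iface in "$@"; do
        cmd=$(snort_daemon_cmd "$iface") || return 1
        $cmd || return 1
    done
}

# Usage (commented out so the file can be sourced without root or snort):
# snort_reputation_lists "$LIST_DIR"
# snort_start_all eth1.145 eth1.207
```

With -s the alerts are written to syslog rather than to a file, so after starting the daemons the place to look is wherever the local rsyslog configuration sends Snort's messages (on a stock CentOS 6 this is usually /var/log/secure or /var/log/messages, an assumption about the local rsyslog setup). Running `snort -c /etc/snort/snort.conf -T` by hand before daemonising is the quickest way to see whether the reputation preprocessor accepts the list paths.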
Current thread:
- newbie question Alex Samad (Nov 22)
- Re: newbie question Al Lewis (allewi) (Nov 23)