Snort mailing list archives

newbie question


From: Alex Samad <alex () samad com au>
Date: Mon, 23 Nov 2015 08:17:54 +1100

Hi

I am testing out Snort, running it on CentOS 6.x. I have installed the
packages from https://forensics.cert.org/. Seems like snort.org
only has CentOS/RHEL 7 packages :(

I installed snort-openappid-2.9.7.6-1.el6.x86_64

So I have it installed and it seems to be running, as in I can run
snort -c /etc/snort/snort.conf -N -s -i eth1.207

I did register and downloaded the snort rules, placed them in
/usr/local/lib/snort

updated my /etc/snort/snort.conf file to point there
created empty white_list.rules and black_list.rules to satisfy

preprocessor reputation: \
   memcap 500, \
   priority whitelist, \
   nested_ip inner, \
   whitelist $WHITE_LIST_PATH/white_list.rules, \
   blacklist $BLACK_LIST_PATH/black_list.rules


My snort box is not in the path of all the traffic; it's a VM on a
VMWare host. I have 2 NICs: 1 is management with an IP that I can ssh
to.

The other nic is setup on VLAN 4095 (VMWare special vlan ID to get all
packets, with tagging).

I have created eth1.<vlanid> for all the interested vlans I want to
watch. For example users and guest network.

Currently I have screen running and I start 2 processes like this:
snort -c /etc/snort/snort.conf -N -s -i eth1.145

I don't really want to log any packets, just want to check out the
alerting. I believe this will send any alerts to syslog.


I have been keeping track of /var/log/message /var/log/secure

nothing as yet.

How can I set this up so I run it as a daemon, and can 1 process watch
2 or more interfaces?

Or am I going about this all wrong :)

Thanks
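An added example, not part of the original post or of the Snort project: a small POSIX shell wrapper that starts one Snort 2.9 daemon per VLAN sub-interface, using the same `-c`, `-N` and `-s` flags as the commands quoted above plus `-D` (daemonize), `-R` (tag the pid file name per instance) and `--pid-path`. Running one Snort instance per passive interface is an assumption about the simplest layout for this setup, not a statement of what the list recommends; `/var/run/snort` and the `DRY_RUN`/`START` variables are assumptions of this script only. It checks that each sub-interface actually exists before launching on it.

```shell
#!/bin/sh
# Added example (not from the original post). One Snort daemon per
# VLAN sub-interface. Assumes snort is on PATH, the snort.conf from the
# post, and that PID_DIR exists and is writable (assumed path).
SNORT_CONF=/etc/snort/snort.conf
PID_DIR=/var/run/snort          # assumed; any writable directory works
IFACES="eth1.145 eth1.207"      # the two sub-interfaces from the post

# Build the command line for one interface.
#   -D  run as a daemon          -N  do not log packets
#   -s  send alerts to syslog    -R  include the tag in the pid file name
snort_cmd() {
    printf 'snort -c %s -N -s -D -i %s -R %s --pid-path %s' \
        "$SNORT_CONF" "$1" "$1" "$PID_DIR"
}

# Confirm the sub-interface is present (e.g. eth1.145 was created)
# before trying to start a daemon on it.
iface_exists() {
    [ -d "/sys/class/net/$1" ]
}

# Launch one daemon per interface; with DRY_RUN set, only print the
# command lines so the script can be checked without root or snort.
start_sensors() {
    for ifc in $IFACES; do
        if ! iface_exists "$ifc"; then
            echo "skip $ifc: no such interface" >&2
            continue
        fi
        echo "starting: $(snort_cmd "$ifc")"
        if [ -z "${DRY_RUN:-}" ]; then
            eval "$(snort_cmd "$ifc")"   # actually starts snort
        fi
    done
}

# Only start when invoked with START=1, so the file can be sourced safely.
if [ "${START:-}" = "1" ]; then
    start_sensors
fi
```

Run it as `START=1 sh start-snort.sh` (as root, so Snort can open the interfaces), or `DRY_RUN=1 START=1 sh start-snort.sh` to see the exact command lines first. Each daemon writes its own pid file under `PID_DIR`, so the two instances can be stopped independently.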

------------------------------------------------------------------------------
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!