Snort mailing list archives

Re: Snort newbie


From: Joe McAlerney <joey () SiliconDefense com>
Date: Thu, 10 May 2001 09:35:47 -0700

Hello Matthew,

You need to define the SMTP variable used by the rule at line 20 of
exploit.rules.  You may want to set it to "any".

-Joe M.

-- 
|   Joe McAlerney     joey () silicondefense com   |
| Silicon Defense - Technical Support for Snort |
|       http://www.silicondefense.com/          |
+--                                           --+

"Bunter, Matthew" wrote:

Gurus,

Apologies for asking basics but I couldn't find these answers on snort.org,
the FAQs or any documentation that I have.

Very basic snort.conf file, smtp, web, dns all commented out (I'm on a small
testing segment) :

var HOME_NET $eth_ADDRESS
var EXTERNAL_NET any
preprocessor defrag
preprocessor http_decode: 80 8080
preprocessor portscan : $HOME_NET 4 3 /var/log/snort/portscan.log
output alert_syslog: LOG_AUTH LOG_ALERT
include exploit.rules
include etc (from latest snort rules on snort.org)

Snort is version 1.7 running on Suse 7.1 with 2.4 kernel
The rules files are in the same directory as the snort executable.

I get the following :
# snort -c /etc/Snort/snort.conf
Initializing Snort
Initializing Network Interface eth0
Kernel filter, protocol ALL, raw packet socket
Decoding Ethernet on interface eth0
Initializing Preprocessors!
Initializing Plug-ins!
Initializing Output Plug-ins!

+++++++++++++++++++++++
Initializing rule chains...
[!] ERROR exploit.rules(20) => Bad port number: "msg:"EXPLOIT"
#

All I basically want is to get snort running to produce text files under
var/log/snort which will then be put through snortsnarf for browsing. But I
can't even get it to start - any help would be greatly appreciated.

BTW I want to convince management how easy it is to set up Snort so help me
avoid the 'egg-on-face' scenario please !!!

Regards,

Matt Bunter

**********************************************************************
This message may contain information which is confidential or privileged.
If you are not the intended recipient, please advise the sender immediately
by reply e-mail and delete this message and any attachments
without retaining a copy.

**********************************************************************

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
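The failure in this thread is a rule file referencing a `$SMTP` variable that snort.conf never defines, and Snort's parser reports it as a bad port rather than as an undefined variable, so the message does not point at the cause. The script below is an added example (not from the list posters or the Snort project) that lints a Snort 1.x style snort.conf before starting the daemon: it collects every `var NAME value` line, follows each `include`, and reports any `$NAME` that is used but never set. It assumes includes resolve relative to the conf's own directory, that names ending in `_ADDRESS` are interface variables Snort supplies itself, and its sample conf and rule lines are constructed for the demo.

```python
"""Lint a Snort 1.x style snort.conf for $VARIABLES that rules reference but
the config never defines (the situation in this thread). Added example,
not Snort's own parser; assumptions are marked in comments."""
import re
import tempfile
from pathlib import Path

VAR_RE = re.compile(r'^\s*var\s+(\w+)\s+(\S.*)$')   # var NAME value
INCLUDE_RE = re.compile(r'^\s*include\s+(\S+)')     # include file
REF_RE = re.compile(r'\$(\w+)')                     # $NAME reference


def parse_conf(conf_path):
    """Return (defined_vars, included_files) from one snort.conf."""
    defined, includes = {}, []
    for line in Path(conf_path).read_text().splitlines():
        if line.lstrip().startswith('#'):           # Snort comment line
            continue
        m = VAR_RE.match(line)
        if m:
            defined[m.group(1)] = m.group(2).strip()
            continue
        m = INCLUDE_RE.match(line)
        if m:
            includes.append(m.group(1))
    return defined, includes


def find_undefined(conf_path):
    """Map each undefined $NAME to the 'file(line)' locations that use it.

    Assumption: includes resolve relative to the conf's directory, and
    names ending in _ADDRESS (e.g. $eth0_ADDRESS) are supplied by Snort
    for the sniffing interface, so they are not flagged."""
    conf_path = Path(conf_path)
    defined, includes = parse_conf(conf_path)
    files = [conf_path] + [conf_path.parent / inc for inc in includes]
    problems = {}
    for f in files:
        if not f.exists():
            problems.setdefault('<missing include>', []).append(str(f))
            continue
        for lineno, line in enumerate(f.read_text().splitlines(), 1):
            if line.lstrip().startswith('#'):
                continue
            for name in REF_RE.findall(line):
                if name in defined or name.endswith('_ADDRESS'):
                    continue
                problems.setdefault(name, []).append(f'{f.name}({lineno})')
    return problems


def suggested_definitions(problems):
    """One 'var NAME any' line per undefined variable (the fix Joe suggests)."""
    return [f'var {name} any' for name in sorted(problems)
            if name != '<missing include>']


def demo():
    """Constructed conf + rule file mirroring the thread: $SMTP is used but never set."""
    d = Path(tempfile.mkdtemp())
    (d / 'exploit.rules').write_text(
        '# constructed rule: references $SMTP, which snort.conf never defines\n'
        'alert tcp $EXTERNAL_NET any -> $SMTP 25 '
        '(msg:"EXPLOIT constructed test"; flags:A+;)\n'
        'alert tcp $EXTERNAL_NET any -> $HOME_NET 80 '
        '(msg:"WEB constructed test"; flags:A+;)\n')
    (d / 'snort.conf').write_text(
        'var HOME_NET $eth0_ADDRESS\n'
        'var EXTERNAL_NET any\n'
        'preprocessor portscan: $HOME_NET 4 3 /var/log/snort/portscan.log\n'
        'include exploit.rules\n')
    return find_undefined(d / 'snort.conf')


if __name__ == '__main__':
    found = demo()
    for name, where in found.items():
        print(f'undefined ${name} used at: {", ".join(where)}')
    for line in suggested_definitions(found):
        print('suggested:', line)
```

Run it against a real deployment as `find_undefined('/etc/snort/snort.conf')` before invoking `snort -c`; it walks only the `var`/`include`/`$NAME` syntax visible in the thread, so preprocessor-specific syntax from later Snort versions is not interpreted.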

