Snort mailing list archives

(no subject)


From: "Wells, Kenneth L" <kw151002 () exchange DAYTONOH NCR com>
Date: Tue, 6 Nov 2001 15:05:02 -0500

Thanks to whoever sent this to me... Can anyone tell me if I'm missing
anything?

How can I tell if I have libpcap already installed?

Kenny




1. Search the web and install libpcap 
- unpack it 
Then run: 
- ./configure 
- make 
- make install 
2. download snort (www.snort.org <http://www.snort.org> ) 
- unpack it (gzip -d <snortfile.tar.gz>, then tar -xvf <snortfile.tar>) 
Then run 
- ./configure 
- make 
- make install 
3. Make sure when you run snort it sets your NIC to promiscuous mode. If it
doesn't, then do the following manually before starting snort: ifconfig
<yournic> promisc 
4. In the installation directory find the snort.conf file and edit the
following values: 
- set $home_net to your lan 
- set external_net to !$home_net 
- set the logging to /var/snort/log 
- include your dns server addresses in the list of ignored hosts 
- at the bottom of the file (where you see a lot of 'include rules') provide
a path to the rules. You'll have to download the rules from snort.org) 
5. Create a 'snort' directory in the /var/log. Here IDS logs things. 
6. Download snort_stat.pl from snort.org. This perl script will parse alert
and portscan files and present it to you in nice html format. 
7. Connect the snort machine to the internet or to the internal LAN (depends on what you
want to sniff exactly) 
8. On the switch or hub, mirror the firewall port (or whatever you want to sniff)
to the port where the snort machine is connected. 
9. Start snort like: snort -c /snort.conf 
(it will automatically use the full logging feature and will use the default log
directory /var/log/snort) 
10. After a while run: 
cat /var/log/snort | /snort_stat.pl -f -h > /alert.html (this one will
create an alert.html file in /; you can open it later with a browser) 
That's what I remember off the top of my head. This is a very basic setup;
you can do much more complicated things, especially regarding representation
of alert files. 
hope this helps. 
P.S. Don't disregard reading the FAQ on snort.org, though I think it misses
quite a lot of things for newbies and can't be very useful for the beginner.
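An added example, written here for the archive and not part of Kenny's post or of the steps he forwarded: a small POSIX sh helper that does the checks the ten steps above describe. It answers the "is libpcap already installed?" question (step 1) by looking for the header and library under the usual prefixes and then in the dynamic-linker cache, tests whether the sniffing NIC is in promiscuous mode (step 3) by reading the IFF_PROMISC bit, and prints the snort.conf lines from step 4 in Snort 1.x syntax (var HOME_NET, var EXTERNAL_NET, the portscan-ignorehosts preprocessor for the DNS servers, and the rule includes). The prefixes, interface name, address ranges, paths and the list of rule files are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the original post: helper for the ten-step
# Snort setup.  All paths, interface names, networks and the rule-file
# list are assumptions; adjust to your box.

# Step 1: libpcap lives under a prefix if both the header and a library
# file are there.  Pure file check, so it can be tested on a fake tree.
libpcap_in_prefix() {
    [ -f "$1/include/pcap.h" ] && ls "$1"/lib/libpcap.* >/dev/null 2>&1
}

# Try the usual prefixes, then the dynamic-linker cache (glibc systems).
# A hit in ldconfig alone means the runtime library is present but the
# headers snort's ./configure needs may still be missing.
have_libpcap() {
    for p in ${1:-/usr /usr/local}; do
        if libpcap_in_prefix "$p"; then
            echo "libpcap found under $p"
            return 0
        fi
    done
    if command -v ldconfig >/dev/null 2>&1 &&
       ldconfig -p 2>/dev/null | grep -q 'libpcap\.so'; then
        echo "libpcap found via ldconfig -p (headers may still be missing)"
        return 0
    fi
    echo "libpcap not found: build and install it before building snort"
    return 1
}

# Step 3: IFF_PROMISC is bit 0x100 of the interface flags word.
# promisc_flag takes the hex word (e.g. 0x1103) so it is testable
# without a real interface.
promisc_flag() {
    [ $(( $1 & 0x100 )) -ne 0 ]
}

nic_is_promisc() {
    if [ -r "/sys/class/net/$1/flags" ]; then
        promisc_flag "$(cat "/sys/class/net/$1/flags")"
    else
        ifconfig "$1" 2>/dev/null | grep -q PROMISC
    fi
}

# Step 4: print the snort.conf lines the steps say to edit.
# Args: HOME_NET  RULE_PATH  "dns1 dns2 ..." (DNS servers to leave out
# of portscan alerts; may be empty).  Snort 1.x syntax.
gen_snort_conf() {
    printf 'var HOME_NET %s\n' "$1"
    printf 'var EXTERNAL_NET !$HOME_NET\n'
    printf 'var RULE_PATH %s\n' "$2"
    if [ -n "$3" ]; then
        printf 'preprocessor portscan-ignorehosts: %s\n' "$3"
    fi
    # Assumed rule set: a few of the stock rule files from snort.org.
    for f in bad-traffic exploit scan dns web-cgi; do
        printf 'include $RULE_PATH/%s.rules\n' "$f"
    done
}

# Usage (assumed values):
#   sh snort-setup.sh check eth0 192.168.1.0/24 /etc/snort/rules "192.168.1.2"
if [ "${1:-}" = "check" ]; then
    have_libpcap || exit 1
    if nic_is_promisc "$2"; then
        echo "$2 is in promiscuous mode"
    else
        echo "$2 is NOT promiscuous: run 'ifconfig $2 promisc' before starting snort"
    fi
    gen_snort_conf "$3" "$4" "$5" > snort.conf.generated
    echo "wrote snort.conf.generated; merge it into snort.conf"
fi
```

Run it as root with "check" and the NIC that is plugged into the mirrored switch port; if have_libpcap only reports a hit via ldconfig, install the libpcap headers (or build libpcap from source as in step 1) before running snort's ./configure, otherwise the build fails looking for pcap.h.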


