Snort mailing list archives

Re: new install rules question - solaris


From: Erek Adams <erek () theadamsfamily net>
Date: Tue, 5 Nov 2002 14:39:14 -0800 (PST)

On Tue, 5 Nov 2002, Dan Gahlinger wrote:

> snort -h 192.168.1.0/24 -s blame_cmg net 192.168.1
>
> doesn't work, can't find .snortrc

Upon startup snort looks for a few files.

        $HOME/.snortrc
        $HOME/snort.conf
        /etc/snort.conf
        ./snort.conf
        ./.snortrc

If you want your command line to work, create a snort.conf or .snortrc in
one of those locations.  I would suggest copying the snort.conf from the
<snort_source_dir>/etc/ into /etc/ and editing it to reflect your local
net.  The file is well commented, and should be fairly self-explanatory.
Be sure to change your $HOME_NET and $EXTERNAL_NET, and check any listing
of IPs in the file.

Now, if you do _only_ that, it's going to fail.  :)  You also need rules
for it to alert off of.  I suggest the following:

        mkdir /etc/snort
        mkdir /etc/snort/rules
        cp <snort_dir>/etc/snort.conf /etc/snort/snort.conf
        ln -s /etc/snort/snort.conf /etc/snort.conf
        cp <snort_dir>/rules/* /etc/snort/rules/
        vi /etc/snort.conf (make whatever changes needed)

And then you should be good to go with something like:

        snort -s blame_cmg "net 192.168.1.0/24"

The -h is not really needed since it deals with the way packets are logged
to disk using text logging and not syslog.

And if you're clever, you can configure the syslog output plugin in the
.conf file so that your command line would drop to:

        snort "net 192.168.1.0/24"

Cheers!

-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net
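
As an added example, not part of Erek's reply and not Snort's own tooling: a POSIX shell script that performs the staging steps he lists against a scratch directory and models the startup search order for the config file. The source-tree layout, the scratch paths, and the contents of the sample snort.conf and rule file are constructed for the example; it never runs snort itself, and it assumes a POSIX sh with $(...) and mktemp (bash or ksh, not the old Solaris /bin/sh).

```shell
#!/bin/sh
# Added example (not from the original post): stage a Snort config tree the
# way the reply suggests, and resolve the config file the way the reply says
# snort searches for it. All paths and file contents below are constructed.

# first_existing: print the first argument that exists as a regular file.
first_existing() {
    for p in "$@"; do
        if [ -f "$p" ]; then
            printf '%s\n' "$p"
            return 0
        fi
    done
    return 1
}

# snort_config_path: the search order quoted in the reply
# ($HOME/.snortrc, $HOME/snort.conf, /etc/snort.conf, ./snort.conf, ./.snortrc),
# rooted at $1 so the example can run against a scratch tree instead of /etc.
snort_config_path() {
    root=$1; home=$2; cwd=$3
    first_existing "$home/.snortrc" "$home/snort.conf" "$root/etc/snort.conf" \
        "$cwd/snort.conf" "$cwd/.snortrc"
}

# make_sample_source: constructed stand-in for <snort_source_dir>/etc and /rules.
make_sample_source() {
    src=$1
    mkdir -p "$src/etc" "$src/rules"
    cat > "$src/etc/snort.conf" <<'EOF'
# constructed sample snort.conf (not the file shipped with snort)
var HOME_NET any
var EXTERNAL_NET any
var RULE_PATH ../rules
include $RULE_PATH/local.rules
# syslog output plugin, so -s is not needed on the command line
output alert_syslog: LOG_AUTH LOG_ALERT
EOF
    printf '%s\n' \
        'alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"constructed sample rule"; sid:1000001;)' \
        > "$src/rules/local.rules"
}

# stage_snort_tree: mkdir /etc/snort{,/rules}, copy snort.conf and rules,
# symlink /etc/snort.conf, then set HOME_NET and EXTERNAL_NET (the edit the
# reply tells you to make by hand in vi). $2 is the fake root, $3 the home net.
stage_snort_tree() {
    src=$1; root=$2; homenet=$3
    mkdir -p "$root/etc/snort/rules"
    cp "$src/etc/snort.conf" "$root/etc/snort/snort.conf"
    ln -sf "$root/etc/snort/snort.conf" "$root/etc/snort.conf"
    cp "$src/rules/"*.rules "$root/etc/snort/rules/"
    sed -e "s|^var HOME_NET .*|var HOME_NET $homenet|" \
        -e "s|^var EXTERNAL_NET .*|var EXTERNAL_NET !\$HOME_NET|" \
        "$root/etc/snort/snort.conf" > "$root/etc/snort/snort.conf.new" \
        && mv "$root/etc/snort/snort.conf.new" "$root/etc/snort/snort.conf"
}

# config_var: print the value of "var NAME value" from a snort.conf.
config_var() {
    sed -n "s/^var $2 //p" "$1"
}

# Run the whole procedure in a scratch directory and show what snort would read.
demo() {
    work=$(mktemp -d)
    make_sample_source "$work/snort-src"
    stage_snort_tree "$work/snort-src" "$work/root" 192.168.1.0/24
    cfg=$(snort_config_path "$work/root" "$work/home" "$work")
    echo "snort would read: $cfg"
    echo "HOME_NET=$(config_var "$cfg" HOME_NET) EXTERNAL_NET=$(config_var "$cfg" EXTERNAL_NET)"
    rm -rf "$work"
}
demo
```

Because test -f follows symlinks, /etc/snort.conf pointing into /etc/snort/ satisfies the search just as a real file would; and since a $HOME/.snortrc is checked first, a stray one in root's home directory will silently win over the /etc copy, which is worth remembering when the daemon seems to ignore your edits.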


