Snort mailing list archives

RE: SnortSnarf in Windows


From: "Michael Steele" <michaels () winsnort com>
Date: Fri, 3 Oct 2003 21:18:31 -0700

The alert.ids file is created in the log folder that you specified in your
config line for running Snort.

Snortsnarf relies on that file to do its thing, so you need to make sure you
have the 'output database log ...' in your snort.conf config file. The
alert.ids file should be created in the log folder when Snort is activated.
Snortsnarf reads that file.

Create a script (.bat) using that long run line and have your scheduler run
it every so often. 

Cheers...

-Michael Steele
-- 
 System Engineer / Security Support Technician     
 mailto:michaels () winsnort com    
 Website: http://www.winsnort.com
 Snort: Open Source Network IDS - http://www.snort.org
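An added example of the scheduled .bat approach described above (not code from the thread or from winsnort.com); the paths, log file and the SnortSnarf option set are assumptions to adapt to the local install:

```batch
@echo off
rem Added example (not from the thread): run SnortSnarf against Snort's own
rem alert.ids on a schedule so the HTML under wwwroot\log is refreshed
rem without copying the alert file around. All paths below are assumptions.
setlocal
set SNORTSNARF=d:\snortsnarf\snortsnarf.pl
set ALERTFILE=d:\snort\log\alert.ids
set OUTDIR=d:\inetpub\wwwroot\log
set LOGFILE=d:\snort\log\snortsnarf-run.log

rem Fail clearly if Snort has not written the alert file yet (the
rem "input file ... does not exist; skipping it" case from the thread).
if not exist "%ALERTFILE%" (
    echo %date% %time% alert file %ALERTFILE% missing; is Snort running? >> "%LOGFILE%"
    exit /b 1
)
if not exist "%OUTDIR%" mkdir "%OUTDIR%"

rem -win selects Windows path handling, -d sets the HTML output directory.
perl "%SNORTSNARF%" -win -d "%OUTDIR%" "%ALERTFILE%" >> "%LOGFILE%" 2>&1
if errorlevel 1 (
    echo %date% %time% snortsnarf failed, errorlevel %errorlevel% >> "%LOGFILE%"
    exit /b 1
)
echo %date% %time% snortsnarf refreshed %OUTDIR% >> "%LOGFILE%"
endlocal
```

Register the script in the Scheduled Tasks control panel at the refresh interval you want; since OUTDIR sits under the IIS web root, the generated alert pages are served by IIS, so restrict that directory to the accounts that should see IDS output.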

-----Original Message-----
From: snort-users-admin () lists sourceforge net
[mailto:snort-users-admin () lists sourceforge net] On Behalf Of snort-ml
Sent: Friday, October 03, 2003 9:46 AM
To: snort-users () lists sourceforge net
Subject: RE: [Snort-users] SnortSnarf in Windows


Ok I copied the alert.ids to wwwroot\log and it worked.
But as you mentioned in the paper, it's not real time and I have to set up a
script.
I have 2 questions:

1- Does this mean I have to keep copying the alert.ids to wwwroot\log 
   or the alert.ids in wwwroot\log would get updated automatically?
2- What kind of script would I be able to use?



-----Original Message-----
From: Michael Steele [mailto:michaels () winsnort com] 
Sent: Thursday, October 02, 2003 4:35 PM
To: 'snort-ml'
Subject: RE: [Snort-users] SnortSnarf in Windows


Is Snort running?

do you have an 'output database log ...' in your snort.conf?

Cheers...

-Michael Steele
-- 
 System Engineer / Security Support Technician     
 mailto:michaels () winsnort com    
 Website: http://www.winsnort.com
 Snort: Open Source Network IDS - http://www.snort.org

-----Original Message-----
From: snort-users-admin () lists sourceforge net
[mailto:snort-users-admin () lists sourceforge net] On Behalf Of snort-ml
Sent: Thursday, October 02, 2003 10:48 AM
To: snort-users () lists sourceforge net
Subject: RE: [Snort-users] SnortSnarf in Windows


Well I used to have alert.ids in snort\log folder, but not anymore. What
could've happened?

-----Original Message-----
From: snort-ml [mailto:snort-ml () faceit com] 
Sent: Thursday, October 02, 2003 10:50 AM
To: snort-users () lists sourceforge net
Subject: RE: [Snort-users] SnortSnarf in Windows


Yes but it was under "Installing and configuring ActivePerl" which I had
skipped because I had already installed ActivePerl.

Ok I got everything working ok, but when I got to "Starting the IDS
SnortSnarf alert console" and ran the command from the command prompt, it
gave me the following error:

"SnortFileInput: input file d:\inetpub\wwwroot\log\alert.ids does not exist;
skipping it"

Do I need to copy the alert.ids to this folder?


-----Original Message-----
From: Michael Steele [mailto:michaels () winsnort com] 
Sent: Wednesday, October 01, 2003 5:00 PM
To: 'snort-ml'
Subject: RE: [Snort-users] SnortSnarf in Windows


You need to create the folder. Does the guide tell you to?

Cheers...

-Michael Steele
-- 
 System Engineer / Security Support Technician     
 mailto:michaels () winsnort com    
 Website: http://www.winsnort.com
 Snort: Open Source Network IDS - http://www.snort.org

-----Original Message-----
From: snort-ml [mailto:snort-ml () faceit com] 
Sent: Wednesday, October 01, 2003 1:14 PM
To: 'Michael Steele'
Subject: RE: [Snort-users] SnortSnarf in Windows

Well not yet, but I'll try and let you know the result.
In the meantime I have to deal with another issue: 
When I tried to copy the Snortsnarf's cgi folder, I found out there's no
"cgi" folder under Inetpub\wwwroot. I'm running W2K server/IIS5. There's a
"cgi-bin" under www on our NT boxes, but no "cgi" folder on any of the W2K
machines. Any ideas?

-----Original Message-----
From: Michael Steele [mailto:michaels () winsnort com] 
Sent: Wednesday, October 01, 2003 2:53 PM
To: 'snort-ml'
Subject: RE: [Snort-users] SnortSnarf in Windows


I'm not sure as it's been about a year since my last install. I'm thinking
that I ran the lockdown tool and there were options back in IIS to enable
server side includes, but maybe not. There is however a file located
somewhere on the 2003 install that you can edit to remove that restriction.

Have you tried the lockdown tool?

You can reverse the lockdown procedure.

Let me know what you find. 

Cheers...

-Michael Steele
-- 
 System Engineer / Security Support Technician     
 mailto:michaels () winsnort com    
 Website: http://www.winsnort.com
 Snort: Open Source Network IDS - http://www.snort.org


-----Original Message-----
From: snort-ml [mailto:snort-ml () faceit com] 
Sent: Wednesday, October 01, 2003 10:30 AM
To: 'Michael Steele'
Subject: RE: [Snort-users] SnortSnarf in Windows

Ok in the document it is recommended to run IIS Lockdown, but this would
disable server side includes and scripts and install the URLscan filter.
Wouldn't these interfere with running Perl?


-----Original Message-----
From: Michael Steele [mailto:michaels () winsnort com] 
Sent: Saturday, September 27, 2003 4:58 AM
To: snort-users () lists sourceforge net
Subject: RE: [Snort-users] SnortSnarf in Windows


You can try:

http://www.winsnort.com

Cheers...

-Michael Steele
-- 
 System Engineer / Security Support Technician     
 mailto:michaels () winsnort com    
 Website: http://www.winsnort.com
 Snort: Open Source Network IDS - http://www.snort.org

-----Original Message-----
From: snort-users-admin () lists sourceforge net
[mailto:snort-users-admin () lists sourceforge net] On Behalf Of snort-ml
Sent: Friday, September 26, 2003 12:23 PM
To: snort-users () lists sourceforge net
Subject: [Snort-users] SnortSnarf in Windows

Does anyone know how to configure SnortSnarf in Windows?
I have a W2K server, with www & Perl installed. I have downloaded Snortsnarf
and ran the makefile.pl in Time-Modules directory. How do I configure
SnortSnarf to create html pages?




-------------------------------------------------------
This sf.net email is sponsored by:ThinkGeek
Welcome to geek heaven.
http://thinkgeek.com/sf _______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users