Snort mailing list archives

Re: Trouble with Snort --enable-inline


From: Will Metcalf <william.metcalf () gmail com>
Date: Wed, 10 Jun 2009 10:06:04 -0500

You actually need to send both sides of the connection to Snort, so you
need something like

iptables -I OUTPUT -j QUEUE

I can't help you with your VMware woes though; if you are having
VMware problems, try finding a VMware list.

Regards,

Will

On Wed, Jun 10, 2009 at 9:53 AM, Oscar Mauricio Benavidez
Suarez <obenavidez () gmail com> wrote:
Thanks for your answers. Well, I want to do a normal Snort inline setup.

Well, I'll make a summary of my installation.

First I install Debian Lenny, then
I install all the prerequisites:

#apt-get install apache2

#apt-get install mysql-server

#apt-get install php5

#apt-get install php5-mysql

#apt-get install build-essential

#apt-get install libpcre3-dev

#apt-get install iptables-dev

#apt-get install libnet0-dev

#apt-get install libmysqlclient12-dev

#apt-get install checkinstall

I go to http://libdnet.sourceforge.net/ and download the file
libdnet-1.11.tar.gz

#tar -xvf libdnet-1.11.tar.gz

#cd libdnet-1.11
#./configure
#make
#checkinstall

Then I make the folders for Snort:

#mkdir /etc/snort
#mkdir /etc/snort/rules
#mkdir /var/log/snort


After that I build the database:
#mysqladmin -u root password new_root_password

#mysql -u root -p
create database snort;

grant all on snort.* to snort@localhost identified by 'password';

flush privileges;
exit;

#mysql -u root -p snort < snort-2.8.4.1/schemas/create_mysql

#vim /etc/snort/snort.conf

var RULE_PATH /etc/snort_inline/rules
var HOME_NET 192.168.0.0/24
var EXTERNAL_NET !$HOME_NET

output database: log, mysql, user=snort password=omb123456 dbname=snort host=localhost sensor_name=espec

Then I save these changes.

#cd snort-2.8.4.1
#./configure --enable-inline --with-mysql
#make
#checkinstall

and everything works fine, it doesn't show any error.

iptables -A INPUT -j QUEUE

iptables -I INPUT -i lo -j ACCEPT   # loopback traffic

Before I execute these two commands, my virtual machine's ethernet interface doesn't
answer; if I ping another machine, this is the response:


#ping 192.168.0.254
PING 192.168.0.254 (192.168.0.254) 56(84) bytes of data.
From 192.168.0.191 icmp_seq=2 Destination Host Unreachable
From 192.168.0.191 icmp_seq=3 Destination Host Unreachable
From 192.168.0.191 icmp_seq=4 Destination Host Unreachable
From 192.168.0.191 icmp_seq=5 Destination Host Unreachable
From 192.168.0.191 icmp_seq=6 Destination Host Unreachable
From 192.168.0.191 icmp_seq=7 Destination Host Unreachable
^C
--- 192.168.0.254 ping statistics ---
265 packets transmitted, 0 received, +6 errors, 100% packet loss, time 264708ms
, pipe 3

iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
QUEUE      all  --  anywhere             anywhere

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

I have to restart the virtual machine to get access to the network or the
internet again. Anyway, I execute these two commands to add the rules to iptables,
and then:

#snort -Q -v -c /etc/snort/snort.conf -l /var/log/snort



For BASE, I download base-1.3.9.tar.gz:

#tar -xvf base-1.3.9.tar.gz
#mv /home/user/Desktop/base-1.3.9 /var/www/base

Download adodb5:
#tar -xvf adodb5.tgz
#mv /home/user/Desktop/adodb /var/www/base/

#chown -R www-data /var/www/base/

Then I configured base_config.php.dist:

$DBlib_path="/var/www/base//adodb";

$DBtype="mysql";

// the database settings must be quoted PHP strings, not bare words
$alert_dbname = "snort";
$alert_host = "localhost";
$alert_port = "";
$alert_user = "snort";
$alert_password = "my_password";

$archive_dbname = "snort";
$archive_host = "localhost";
$archive_port = "";
$archive_user = "snort";
$archive_password = "my_password";


#mv /var/www/base/base_conf.php.dist /var/www/base/base_conf.php

# mysql -u root -p snort < /var/www/base/sql/create_base_tbls_mysql.sql

And after that I connect to http://localhost/base and it shows me the main
page of BASE; everything was OK, but the sensor doesn't send info to BASE, or
the sensor is not working properly.

NOTE: if I run Snort before or after I put the rules in iptables, it doesn't
show that it is sniffing anything. I want to run Snort in normal inline
mode. Thanks for your time.

I apologize for my English; I'm from Colombia and speak Spanish. Thanks.

------------------------------------------------------------------------------
Crystal Reports - New Free Runtime and 30 Day Trial
Check out the new simplified licensing option that enables unlimited
royalty-free distribution of the report engine for externally facing
server and web deployment.
http://p.sf.net/sfu/businessobjects
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
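As an added example (not part of the thread), the shell functions below check an `iptables -L` listing like the one quoted above for the point Will makes: Snort in inline mode needs a QUEUE target in both the INPUT and OUTPUT chains, otherwise it sees only one direction of each connection. The function names and the sample listing are constructed for this example.

```shell
# Added example, not from the thread: check an `iptables -L` listing for the
# rule Snort --enable-inline needs in BOTH the INPUT and OUTPUT chains (a
# QUEUE target), since Snort must see both directions of every connection.
# Function names and the sample listing are constructed for this example.

# Print, space-separated, the chains that contain a QUEUE target.
chains_with_queue() {
    awk '/^Chain / { chain = $2 } $1 == "QUEUE" { print chain }' \
        | sort -u | tr '\n' ' ' | sed 's/ $//'
}

# Read a listing on stdin; return 0 if INPUT and OUTPUT both queue to
# userspace, otherwise report which side Snort would never see and return 1.
check_inline_rules() {
    chains=$(chains_with_queue)
    missing=""
    for c in INPUT OUTPUT; do
        case " $chains " in
            *" $c "*) ;;
            *) missing="$missing $c" ;;
        esac
    done
    if [ -n "$missing" ]; then
        echo "no QUEUE rule in:$missing (Snort sees only one direction)"
        return 1
    fi
    echo "both directions are queued to Snort"
}

# Rule set that passes the check: exempt loopback first (so local MySQL and
# BASE traffic is not queued), then hand every other packet to Snort.
print_inline_rules() {
    cat <<'EOF'
iptables -I INPUT  -i lo -j ACCEPT
iptables -I OUTPUT -o lo -j ACCEPT
iptables -A INPUT  -j QUEUE
iptables -A OUTPUT -j QUEUE
EOF
}

# Constructed sample: the listing posted in the thread, QUEUE in INPUT only.
SAMPLE_LISTING='Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
QUEUE      all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination'
```

Run it as `iptables -L | sh -c '. ./check.sh; check_inline_rules'` on the sensor, or feed it `$SAMPLE_LISTING` to see the one-directional case diagnosed.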

