Snort mailing list archives
Re: Up and Running
From: Joel Esler <jesler () sourcefire com>
Date: Tue, 11 Sep 2012 15:34:27 -0400
On Sep 11, 2012, at 3:22 PM, PR <oly562 () gmail com> wrote:

> On Tue, 2012-09-11 at 13:37 -0400, Joel Esler wrote:
>> On Sep 11, 2012, at 1:20 PM, PR <oly562 () gmail com> wrote:
> <snip>
>>> 2. WARNING: flowbits key 'file.fli' is set but not ever checked. And 20 more like this...
>> Are you using PulledPork?
> Not at the moment, I did it manually, downloaded rules and Snort per the manual links.

Okay. PulledPork will correct the flowbits issues for you.

> <snip>
>>> 4. WARNING: ip4 normalizations disabled because not inline.
>>> WARNING: tcp normalizations disabled because not inline.
>>> WARNING: icmp4 normalizations disabled because not inline.
>> If you aren't inline, this is correct.
> I believe I am not; it says at the bottom of stdout what I am running, and that is included in my cut-and-pastes of stdout. Snort should say in stdout what I am running, correct? It said IDS mode.

Right. You should run Snort in daemon mode once you have it working.

>>> 5. Wondering about these few entries as well:
>>> 0 decoder rules
>>> 0 preprocessor rules
>>> Zero?
>> If you aren't using preprocessor or decoder rules, that's correct. These are commented out in the snort.conf by default.
> OK, that's a good topic. When does one use preprocessor or decoder rules? I hear "preproc" and I think iptables, or prior to inspection, something like that... I'll read about that in the manual next. Thanks.

Look for preprocessor.rules in the snort.conf.

>>> And... pcap DAQ configured to passive.
>> That's not a warning, that's informational.
> OK, what does that mean, passive, as in pcap is not sniffing? I think pcap and I think Wireshark or ettercap or sniffing software. I could configure that in the DAQ conf somewhere, I suspect. Correct? I'll try to find a doc or manual on DAQ next. I guess that is what you mean by "what I want to or am trying to do"... I said above what I'm trying to do :0)

Passive, meaning "not inline". You cannot block traffic.

>>> If you can see anything wrong, please let me know, I feel I'm getting close... lol. Thanks, Pete
>> I don't show any stoppers.
> OK, great, except now it's not logging $RULES. I just slammed it with audit software and nothing was logged... Yes, MySQL is right; it worked prior to turning on $RULES in snort.conf. Obviously I don't understand it all lol... and also preproc, SO rules, how PulledPork affects things when I install it, and the BUG noted for white/black list in snort.conf as well. I'll read the manual now and see if I can find some answers.

It should be logging, by default, in /var/log/snort.
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org
Please visit http://blog.snort.org for the latest news about Snort!
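The "set but not ever checked" warning discussed in this thread means some rule sets a flowbits key that no active rule ever tests with isset/isnotset; the usual cause is that the companion rule is disabled or missing, which is the kind of mismatch PulledPork's flowbits handling resolves. The script below is an added example, not part of the thread and not Snort's or PulledPork's own code: it scans a rules file for that condition (and the reverse one). The rules it runs on are constructed samples; only the key name 'file.fli' is taken from the quoted warning.

```python
import re

# Constructed sample rules (not from the thread); the key 'file.fli' is reused from the
# warning quoted above.  The rule that checks it is commented out, so it becomes an orphan.
SAMPLE_RULES = """
alert tcp any any -> any 80 (msg:"FLI header"; content:"FLI"; flowbits:set,file.fli; flowbits:noalert; sid:1000001; rev:1;)
alert tcp any any -> any 80 (msg:"PDF header"; content:"%PDF"; flowbits:set,file.pdf; flowbits:noalert; sid:1000002; rev:1;)
alert tcp any any -> any 80 (msg:"PDF with JS"; flowbits:isset,file.pdf; content:"/JS"; sid:1000003; rev:1;)
# alert tcp any any -> any 80 (msg:"FLI payload"; flowbits:isset,file.fli; content:"|00 00|"; sid:1000004; rev:1;)
alert tcp any any -> any 21 (msg:"FTP login"; content:"230"; flowbits:set,ftp.login,ftpgroup; flowbits:noalert; sid:1000005; rev:1;)
alert tcp any any -> any 21 (msg:"FTP combo"; flowbits:isset,ftp.login&ftp.pasv; sid:1000006; rev:1;)
"""
SETTERS = {"set", "setx", "unset", "toggle"}   # operators that write a key
CHECKERS = {"isset", "isnotset"}                 # operators that test a key
# flowbits:<op>[,<arg>];  <arg> is "key", "key,group" or "key1&key2" / "key1|key2"
FLOWBITS_RE = re.compile(r"flowbits\s*:\s*([a-z]+)\s*(?:,\s*([^;]*))?;")
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")

def _keys_from_arg(arg):
    """First comma-separated field holds the key(s); a second field is the group name."""
    keys_part = arg.split(",")[0]
    return [k.strip() for k in re.split(r"[&|]", keys_part) if k.strip()]

def audit_flowbits(rules_text):
    """Return {'set_not_checked': {key: [sids]}, 'checked_not_set': {key: [sids]}}
    over the active (uncommented) rules.  Group-wide 'isset,any,<group>' checks
    are not modelled here."""
    set_by, checked_by = {}, {}
    for line in rules_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # a disabled rule no longer sets or checks anything
        m = SID_RE.search(line)
        sid = int(m.group(1)) if m else None
        for op, arg in FLOWBITS_RE.findall(line):
            if op in SETTERS:
                target = set_by
            elif op in CHECKERS:
                target = checked_by
            else:
                continue  # noalert / reset take no key
            for key in _keys_from_arg(arg):
                target.setdefault(key, []).append(sid)
    return {
        "set_not_checked": {k: v for k, v in set_by.items() if k not in checked_by},
        "checked_not_set": {k: v for k, v in checked_by.items() if k not in set_by},
    }

if __name__ == "__main__":
    print(audit_flowbits(SAMPLE_RULES))
```

On the sample, 'file.fli' is reported as set but never checked because its only checker is commented out, and 'ftp.pasv' as checked but never set.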