Re: Up and Running

[Joel Esler <jesler () sourcefire com>]

On Sep 11, 2012, at 3:22 PM, PR <oly562 () gmail com> wrote:
> On Tue, 2012-09-11 at 13:37 -0400, Joel Esler wrote:
> > On Sep 11, 2012, at 1:20 PM, PR <oly562 () gmail com> wrote:
> > <snip>

> > > 2.  WARNING: flowbits key 'file.fli' is set but not ever checked. and 20 more like this...
> > Are you using pulled pork.
> not at the moment, i did it manually, downloaded rules and snort per the manual links

Okay.  Pulledpork will correct the flow bit issues for you.

<snip>


> > > 4. WARNING: ip4 normalizations disabled because not inline.
> > > WARNING: tcp normalizations disabled because not inline.
> > > WARNING: icmp4 normalizations disabled because not inline.
> >
> > If you aren't inline, this is correct.
> i believe i am not, it says at bottom of stdout, what i am running, that
> is included in my cut pastes of stdout. snort should say in stdout what
> i am running, correct, it said, ids mode 

Right.  You should run Snort in Daemon mode once you have it working.

> > > 5. wondering about these few entries as well:
> > >
> > > 0 decoder rules
> > >    0 preprocessor rules
> > > zero?
> >
> > If you aren't using preprocessor or decoder rules, that's correct.  These are commented out in the snort.conf by 
> > default.
> ok, thats a good topic. when does one use preporcessor or decoder rules. i hear preproc and i think iptables or prior 
> to inspection, 
> something like that,,,, ill read about that in the manual next. thanks

Look for preprocessor.rules in the snort.conf.

> > > and...
> > >
> > > pcap DAQ configured to passive.
> >
> > That's not a warning, that's informational.
> ok, what does that mean, passive, as in pcap is not sniffing? i think
> pcap and i think wireshark or ettercap or sniffing software. i could
> configure that in daq conf somewhere i suspect. correct? ill try to find
> a doc or manual on daq next, i guess that is what you mean by, what i
> want to or i am trying to do... i said above what im trying to do :0)

Passive, meaning, "not inline".  You cannot block traffic.

> > > if you can see anything wrong, please let me know, i feel im getting close... lol
> > > thanks, pete
>
> > I don't show any stoppers.
>
> ok, great, except now its not logging $RULES, i just slammed it with
> audit software and nothing was logged... yes mysql is right, it worked
> prior to turning on $RULES in snort.conf. obviously i dont understand it
> all lol... and also preproc, sorules, how pulledpork effects things when
> i install it, and the BUG noted for white/black list in snort.conf as
> well. ill read the manual now, and see if i can find some answers.

it should be logging, by default, in /var/log/snort.

------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and 
threat landscape has changed and how IT managers can respond. Discussions 
will include endpoint security, mobile security and the latest in malware 
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!