Snort mailing list archives
Re: installation help
From: Sharif Uddin <Sharif.Uddin () spectrumasa com>
Date: Thu, 28 Aug 2014 14:59:36 +0000
Hello, I have managed to set up and install Snorby using the following guide: https://snorby.org/. Since CentOS 7 does not have the required Ruby, I had to use the following guides:

https://www.corelan.be/index.php/2011/02/27/cheat-sheet-installing-snorby-2-2-with-apache2-and-suricata-with-barnyard2-on-ubuntu-10-x/
https://www.digitalocean.com/community/tutorials/how-to-setup-a-rails-4-app-with-apache-and-passenger-on-centos-6

I want to know how to set up the Snort and Snorby configuration for alerts etc.

Internal network is 172.16.0.0/22
172.16.0.1 is the firewall
172.16.3.14 snort server

-----Original Message-----
From: Sharif Uddin [mailto:Sharif.Uddin () spectrumasa com]
Sent: 28 August 2014 10:30
To: waldo kitty; snort-users () lists sourceforge net
Subject: Re: [Snort-users] installation help

Thanks all for the advice, I guess it is running fine. I would like to know if it is receiving alerts. I left a tail running on /var/log/messages and below is what I see today:

Aug 27 19:01:01 snort systemd: Starting Session 5 of user root.
Aug 27 19:01:01 snort systemd: Started Session 5 of user root.
Aug 27 20:01:01 snort systemd: Starting Session 6 of user root.
Aug 27 20:01:01 snort systemd: Started Session 6 of user root.
Aug 27 21:01:01 snort systemd: Starting Session 7 of user root.
Aug 27 21:01:01 snort systemd: Started Session 7 of user root.
Aug 27 22:01:01 snort systemd: Starting Session 8 of user root.
Aug 27 22:01:01 snort systemd: Started Session 8 of user root.
Aug 27 22:11:22 snort dhclient[1061]: DHCPREQUEST on enp0s3 to 172.16.0.11 port 67 (xid=0x473f73dc)
Aug 27 22:11:22 snort NetworkManager: DHCPREQUEST on enp0s3 to 172.16.0.11 port 67 (xid=0x473f73dc)
Aug 27 22:11:22 snort dhclient[1061]: DHCPACK from 172.16.0.11 (xid=0x473f73dc)
Aug 27 22:11:22 snort NetworkManager: DHCPACK from 172.16.0.11 (xid=0x473f73dc)
Aug 27 22:11:22 snort NetworkManager[690]: <info> (enp0s3): DHCPv4 state changed reboot -> renew
Aug 27 22:11:22 snort NetworkManager[690]: <info> address 172.16.1.157
Aug 27 22:11:22 snort NetworkManager[690]: <info> plen 22 (255.255.252.0)
Aug 27 22:11:22 snort NetworkManager[690]: <info> gateway 172.16.0.1
Aug 27 22:11:22 snort NetworkManager[690]: <info> server identifier 172.16.0.11
Aug 27 22:11:22 snort NetworkManager[690]: <info> lease time 43200
Aug 27 22:11:22 snort NetworkManager[690]: <info> nameserver '172.16.0.11'
Aug 27 22:11:22 snort NetworkManager[690]: <info> nameserver '172.16.0.15'
Aug 27 22:11:22 snort NetworkManager[690]: <info> domain name 'uk.domain.com'
Aug 27 22:11:22 snort NetworkManager[690]: <info> domain search 'uk. domain.com.'
Aug 27 22:11:22 snort NetworkManager[690]: <info> domain search ' domain.com.'
Aug 27 22:11:22 snort NetworkManager[690]: <info> domain search 'usa. domain.com.'
Aug 27 22:11:22 snort NetworkManager[690]: <info> domain search 'houston.'
Aug 27 22:11:22 snort NetworkManager[690]: <info> domain search 'cairo.'
Aug 27 22:11:22 snort dbus[580]: [system] Activating via systemd: service name='org.freedesktop.nm_dispatcher' unit='dbus-org.freedesktop.nm-dispatcher.service'
Aug 27 22:11:22 snort dbus-daemon: dbus[580]: [system] Activating via systemd: service name='org.freedesktop.nm_dispatcher' unit='dbus-org.freedesktop.nm-dispatcher.service'
Aug 27 22:11:22 snort dhclient[1061]: bound to 172.16.1.157 -- renewal in 20986 seconds.
Aug 27 22:11:22 snort NetworkManager: bound to 172.16.1.157 -- renewal in 20986 seconds.
Aug 27 22:11:22 snort systemd: Starting Network Manager Script Dispatcher Service...
Aug 27 22:11:22 snort dbus-daemon: dbus[580]: [system] Successfully activated service 'org.freedesktop.nm_dispatcher'
Aug 27 22:11:22 snort dbus[580]: [system] Successfully activated service 'org.freedesktop.nm_dispatcher'
Aug 27 22:11:22 snort systemd: Started Network Manager Script Dispatcher Service.
Aug 27 23:01:01 snort systemd: Starting Session 9 of user root.
Aug 27 23:01:01 snort systemd: Started Session 9 of user root.
Aug 28 00:01:01 snort systemd: Starting Session 10 of user root.
Aug 28 00:01:01 snort systemd: Started Session 10 of user root.
Aug 28 01:01:01 snort systemd: Starting Session 11 of user root.
Aug 28 01:01:01 snort systemd: Started Session 11 of user root.
Aug 28 02:01:01 snort systemd: Starting Session 12 of user root.
Aug 28 02:01:01 snort systemd: Started Session 12 of user root.
Aug 28 03:01:01 snort systemd: Starting Session 13 of user root.
Aug 28 03:01:01 snort systemd: Started Session 13 of user root.
Aug 28 04:01:01 snort systemd: Starting Session 14 of user root.
Aug 28 04:01:01 snort systemd: Started Session 14 of user root.
Aug 28 04:01:08 snort dhclient[1061]: DHCPREQUEST on enp0s3 to 172.16.0.11 port 67 (xid=0x473f73dc)
Aug 28 04:01:08 snort NetworkManager: DHCPREQUEST on enp0s3 to 172.16.0.11 port 67 (xid=0x473f73dc)
Aug 28 04:01:08 snort dhclient[1061]: DHCPACK from 172.16.0.11 (xid=0x473f73dc)
Aug 28 04:01:08 snort NetworkManager: DHCPACK from 172.16.0.11 (xid=0x473f73dc)
Aug 28 04:01:08 snort dhclient[1061]: bound to 172.16.1.157 -- renewal in 20219 seconds.
Aug 28 04:01:08 snort NetworkManager: bound to 172.16.1.157 -- renewal in 20219 seconds.
Aug 28 04:01:08 snort NetworkManager[690]: <info> (enp0s3): DHCPv4 state changed renew -> renew
Aug 28 04:01:08 snort NetworkManager[690]: <info> address 172.16.1.157
Aug 28 04:01:08 snort NetworkManager[690]: <info> plen 22 (255.255.252.0)
Aug 28 04:01:08 snort NetworkManager[690]: <info> gateway 172.16.0.1
Aug 28 04:01:08 snort NetworkManager[690]: <info> server identifier 172.16.0.11
Aug 28 04:01:08 snort NetworkManager[690]: <info> lease time 43200
Aug 28 04:01:08 snort NetworkManager[690]: <info> nameserver '172.16.0.11'
Aug 28 04:01:08 snort NetworkManager[690]: <info> nameserver '172.16.0.15'
Aug 28 04:01:08 snort NetworkManager[690]: <info> domain name 'uk.spectrumasa.com'
Aug 28 04:01:08 snort NetworkManager[690]: <info> domain search 'uk.spectrumasa.com.'
Aug 28 04:01:08 snort NetworkManager[690]: <info> domain search 'spectrumasa.com.'
Aug 28 04:01:08 snort NetworkManager[690]: <info> domain search 'usa.spectrumasa.com.'
Aug 28 04:01:08 snort NetworkManager[690]: <info> domain search 'houston.'
Aug 28 04:01:08 snort NetworkManager[690]: <info> domain search 'cairo.'
Aug 28 04:01:08 snort dbus[580]: [system] Activating via systemd: service name='org.freedesktop.nm_dispatcher' unit='dbus-org.freedesktop.nm-dispatcher.service'
Aug 28 04:01:08 snort dbus-daemon: dbus[580]: [system] Activating via systemd: service name='org.freedesktop.nm_dispatcher' unit='dbus-org.freedesktop.nm-dispatcher.service'
Aug 28 04:01:08 snort systemd: Starting Network Manager Script Dispatcher Service...
Aug 28 04:01:08 snort dbus-daemon: dbus[580]: [system] Successfully activated service 'org.freedesktop.nm_dispatcher'
Aug 28 04:01:08 snort dbus[580]: [system] Successfully activated service 'org.freedesktop.nm_dispatcher'
Aug 28 04:01:08 snort systemd: Started Network Manager Script Dispatcher Service.
Aug 28 05:01:01 snort systemd: Starting Session 15 of user root.
Aug 28 05:01:01 snort systemd: Started Session 15 of user root.
Aug 28 06:01:01 snort systemd: Starting Session 16 of user root.
Aug 28 06:01:01 snort systemd: Started Session 16 of user root.
Aug 28 07:01:01 snort systemd: Starting Session 17 of user root.
Aug 28 07:01:01 snort systemd: Started Session 17 of user root.
Aug 28 08:01:01 snort systemd: Starting Session 18 of user root.
Aug 28 08:01:01 snort systemd: Started Session 18 of user root.
Aug 28 09:01:01 snort systemd: Starting Session 19 of user root.
Aug 28 09:01:01 snort systemd: Started Session 19 of user root.
Aug 28 09:38:07 snort dhclient[1061]: DHCPREQUEST on enp0s3 to 172.16.0.11 port 67 (xid=0x473f73dc)
Aug 28 09:38:07 snort NetworkManager: DHCPREQUEST on enp0s3 to 172.16.0.11 port 67 (xid=0x473f73dc)
Aug 28 09:38:07 snort dhclient[1061]: DHCPACK from 172.16.0.11 (xid=0x473f73dc)
Aug 28 09:38:07 snort NetworkManager: DHCPACK from 172.16.0.11 (xid=0x473f73dc)
Aug 28 09:38:07 snort dhclient[1061]: bound to 172.16.1.157 -- renewal in 21474 seconds.
Aug 28 09:38:07 snort NetworkManager[690]: <info> (enp0s3): DHCPv4 state changed renew -> renew
Aug 28 09:38:07 snort NetworkManager[690]: <info> address 172.16.1.157
Aug 28 09:38:07 snort NetworkManager[690]: <info> plen 22 (255.255.252.0)
Aug 28 09:38:07 snort NetworkManager[690]: <info> gateway 172.16.0.1
Aug 28 09:38:07 snort NetworkManager[690]: <info> server identifier 172.16.0.11
Aug 28 09:38:07 snort NetworkManager[690]: <info> lease time 43200
Aug 28 09:38:07 snort NetworkManager[690]: <info> nameserver '172.16.0.11'
Aug 28 09:38:07 snort NetworkManager[690]: <info> nameserver '172.16.0.15'
Aug 28 09:38:07 snort NetworkManager[690]: <info> domain name 'uk. domain.com'
Aug 28 09:38:07 snort NetworkManager[690]: <info> domain search 'uk. domain.com.'
Aug 28 09:38:07 snort NetworkManager: bound to 172.16.1.157 -- renewal in 21474 seconds.
Aug 28 09:38:07 snort NetworkManager[690]: <info> domain search ' domain.com.'
Aug 28 09:38:07 snort NetworkManager[690]: <info> domain search 'usa. domain.com.'
Aug 28 09:38:07 snort NetworkManager[690]: <info> domain search 'houston.'
Aug 28 09:38:07 snort NetworkManager[690]: <info> domain search 'cairo.'
Aug 28 09:38:07 snort dbus[580]: [system] Activating via systemd: service name='org.freedesktop.nm_dispatcher' unit='dbus-org.freedesktop.nm-dispatcher.service'
Aug 28 09:38:07 snort dbus-daemon: dbus[580]: [system] Activating via systemd: service name='org.freedesktop.nm_dispatcher' unit='dbus-org.freedesktop.nm-dispatcher.service'
Aug 28 09:38:07 snort systemd: Starting Network Manager Script Dispatcher Service...
Aug 28 09:38:07 snort dbus-daemon: dbus[580]: [system] Successfully activated service 'org.freedesktop.nm_dispatcher'
Aug 28 09:38:07 snort dbus[580]: [system] Successfully activated service 'org.freedesktop.nm_dispatcher'
Aug 28 09:38:07 snort systemd: Started Network Manager Script Dispatcher Service.
Aug 28 10:01:01 snort systemd: Starting Session 20 of user root.
Aug 28 10:01:01 snort systemd: Started Session 20 of user root.

/var/log/snort/alert is empty
/var/log/snort/snort.log.1409158229 is empty

How do I capture all network traffic?

-----Original Message-----
From: waldo kitty [mailto:wkitty42 () windstream net]
Sent: 28 August 2014 05:03
To: snort-users () lists sourceforge net
Subject: Re: [Snort-users] installation help

On 8/27/2014 12:52 PM, Sharif Uddin wrote:
> When I check status I get the following
> [root@snort bin]# ./snort status
"status" is not a valid snort option... it sounds like a startup script option for a script with the same name as the snort binary... I suggest "which snort" to find out what you are running and to see if it is actually what you think you are running ;)

--
NOTE: No off-list assistance is given without prior approval.
Please *keep mailing list traffic on the list* unless private contact is specifically requested and granted.

------------------------------------------------------------------------------
Slashdot TV. Video for Nerds. Stuff that matters. http://tv.slashdot.org/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
Please visit http://blog.snort.org to stay current on all the latest Snort news!

IMPORTANT - This message and any attached files contain information intended for the exclusive use of the party or parties to whom it is addressed and may contain information that is proprietary, privileged, confidential and/or exempt from disclosure under applicable law. If you are not an intended recipient, you are hereby notified that any viewing, copying, disclosure or distribution of this information may be subject to legal restriction or sanction. Please notify the sender immediately and delete the original message without making any copies. Copyright in this email and any attachments belong to Spectrum Geo Limited. We cannot guarantee the security or confidentiality of email communications. We do not accept any liability for losses or damages that you may suffer as a result of your receipt of this email. Email communication with Spectrum Geo Ltd., may be monitored as permitted by UK legislation. Spectrum Geo Limited, is a limited company registered in England and Wales. Registered number: 1979422.
Registered office: 95 Aldwych, London WC2B 4JF.
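The question in the thread is really two checks: is anything from Snort showing up in the place being watched, and once alerts do arrive, do they show the sensor seeing the network's traffic rather than just its own DHCP renewals? The script below is an added example written for this thread, not code from the Snort project or from anyone on the list. It parses classic syslog lines (the ones quoted above, where "snort" is the hostname, not the program) and tallies them by writing program, and it parses Snort's single-line alert_fast format and summarises alerts per rule and by direction relative to HOME_NET, which it assumes to be the 172.16.0.0/22 given in the thread. The alert lines embedded in it are constructed for the example; the syslog lines are copied from the excerpt above.

```python
"""Triage helper: which programs wrote to the syslog excerpt, and what an
alert_fast file says once it is no longer empty.

Added example for this thread, not Snort project code. Snort's default alert
output goes to its own log directory (the /var/log/snort/alert file named in
the thread), not to syslog unless `output alert_syslog` is configured, so a
tail on /var/log/messages that shows no 'snort' program lines says nothing
about whether alerts are being generated.
"""
import ipaddress
import re
from collections import Counter

# Classic syslog line: "Mon DD HH:MM:SS host program[pid]: message".
# In the thread the *hostname* is "snort"; the program field is what matters.
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<prog>[^\s:\[]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)

# Snort single-line alert_fast record (what `-A fast` writes), e.g.
# 08/28-10:05:12.345678  [**] [1:1000001:1] msg [**] [Classification: c] [Priority: 3] {ICMP} a.b.c.d -> e.f.g.h
FAST_ALERT_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}-\d{2}:\d{2}:\d{2}\.\d+)\s+\[\*\*\] "
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.*?) \[\*\*\] "
    r"(?:\[Classification: (?P<cls>[^\]]*)\] )?\[Priority: (?P<prio>\d+)\] "
    r"\{(?P<proto>[A-Z0-9]+)\} "
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))? -> (?P<dst>[\d.]+)(?::(?P<dport>\d+))?$"
)

# Lines copied from the thread's /var/log/messages excerpt.
SAMPLE_MESSAGES = """\
Aug 28 10:01:01 snort systemd: Starting Session 20 of user root.
Aug 28 10:01:01 snort systemd: Started Session 20 of user root.
Aug 28 09:38:07 snort dhclient[1061]: DHCPACK from 172.16.0.11 (xid=0x473f73dc)
Aug 28 09:38:07 snort NetworkManager[690]: <info> gateway 172.16.0.1
Aug 28 09:38:07 snort dbus[580]: [system] Successfully activated service 'org.freedesktop.nm_dispatcher'
""".splitlines()

# Constructed alert_fast lines (not from the thread); SIDs 1000001+ are local-rule range.
SAMPLE_ALERTS = """\
08/28-10:05:12.345678  [**] [1:1000001:1] LOCAL ICMP echo request [**] [Classification: Misc activity] [Priority: 3] {ICMP} 172.16.1.157 -> 172.16.0.1
08/28-10:05:13.000001  [**] [1:1000001:1] LOCAL ICMP echo request [**] [Classification: Misc activity] [Priority: 3] {ICMP} 172.16.1.157 -> 8.8.8.8
08/28-10:06:00.000002  [**] [1:1000002:1] LOCAL DNS query [**] [Priority: 3] {UDP} 172.16.1.157:53211 -> 172.16.0.11:53
08/28-10:06:01.000003  [**] [1:1000003:1] LOCAL inbound SSH [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 203.0.113.5:44121 -> 172.16.3.14:22
# a stray non-alert line, to show that unparsable lines are skipped
""".splitlines()


def programs_in_syslog(lines):
    """Count syslog lines per writing program; unparsable lines count as '<unparsed>'."""
    counts = Counter()
    for line in lines:
        m = SYSLOG_RE.match(line)
        counts[m.group("prog") if m else "<unparsed>"] += 1
    return counts


def snort_wrote_to_syslog(lines):
    """True only if some line was written by a program called snort (hostname does not count)."""
    return programs_in_syslog(lines)["snort"] > 0


def parse_fast_alerts(lines):
    """Parse alert_fast lines into dicts (unmatched groups are None); skip lines that don't match."""
    return [m.groupdict() for m in map(FAST_ALERT_RE.match, lines) if m]


def summarise_alerts(alerts, home_net="172.16.0.0/22"):
    """Alerts per rule ('gid:sid msg') and per direction relative to HOME_NET."""
    net = ipaddress.ip_network(home_net)
    per_rule, direction = Counter(), Counter()
    for a in alerts:
        per_rule[f"{a['gid']}:{a['sid']} {a['msg']}"] += 1
        src_in = ipaddress.ip_address(a["src"]) in net
        dst_in = ipaddress.ip_address(a["dst"]) in net
        if src_in and dst_in:
            direction["internal"] += 1
        elif src_in:
            direction["outbound"] += 1
        elif dst_in:
            direction["inbound"] += 1
        else:
            direction["external"] += 1
    return per_rule, direction


if __name__ == "__main__":
    print("syslog writers:", dict(programs_in_syslog(SAMPLE_MESSAGES)))
    print("any snort lines in syslog:", snort_wrote_to_syslog(SAMPLE_MESSAGES))
    per_rule, direction = summarise_alerts(parse_fast_alerts(SAMPLE_ALERTS))
    for rule, n in per_rule.most_common():
        print(f"{n:4d}  {rule}")
    print("direction vs HOME_NET:", dict(direction))
```

To run it against a real sensor, replace the embedded samples with `open("/var/log/messages")` and `open("/var/log/snort/alert")` (the latter must be written with alert_fast for the second parser to match). The direction tally is the useful part for the "capture all network traffic" question: if every alert is "internal" or "outbound" from the sensor's own address, the interface is only seeing the host's own traffic, and the sensor needs to be fed the network's traffic through a mirror/SPAN port or tap on an interface in promiscuous mode before any HOME_NET policy tuning will matter.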
Current thread:
- installation help Sharif Uddin (Aug 27)
- Re: installation help Robert Millott (Aug 27)
- Re: installation help Sharif Uddin (Aug 27)
- Re: installation help Robert Millott (Aug 27)
- Re: installation help Jeremy Hoel (Aug 27)
- Re: installation help Sharif Uddin (Aug 27)
- Re: installation help Joel Esler (jesler) (Aug 27)
- Re: installation help waldo kitty (Aug 27)
- Re: installation help Sharif Uddin (Aug 28)
- Re: installation help Sharif Uddin (Aug 28)
- Re: installation help Sharif Uddin (Aug 28)
- <Possible follow-ups>
- Re: installation help Scott Finlon (Aug 27)
- Re: installation help Robert Millott (Aug 27)