Snort mailing list archives
Re: newbie question
From: "Al Lewis (allewi)" <allewi () cisco com>
Date: Mon, 23 Nov 2015 11:20:07 +0000
Hello,

See the manual on daemons: http://manual.snort.org/node11.html

You can use one process per NIC, or one process for two NICs in an inline set.

Albert Lewis
QA Software Engineer
SOURCEfire, Inc. now part of Cisco
9780 Patuxent Woods Drive
Columbia, MD 21046
Phone: (office) 443.430.7112
Email: allewi () cisco com

-----Original Message-----
From: Alex Samad [mailto:alex () samad com au]
Sent: Sunday, November 22, 2015 4:18 PM
To: Snort-users () lists sourceforge net
Subject: [Snort-users] newbie question

Hi

I am testing out snort, running it on CentOS 6.x. I have installed the packages from https://forensics.cert.org/. Seems like snort.org only has CentOS/RHEL 7 packages :(

I installed snort-openappid-2.9.7.6-1.el6.x86_64

So I have it installed and it seems to be running, as in I can run

snort -c /etc/snort/snort.conf -N -s -i eth1.207

I did register and downloaded the snort rules, placed them in /usr/local/lib/snort and updated my /etc/snort/snort.conf file to point there. I created empty white_list.rules and black_list.rules to satisfy

preprocessor reputation: \
    memcap 500, \
    priority whitelist, \
    nested_ip inner, \
    whitelist $WHITE_LIST_PATH/white_list.rules, \
    blacklist $BLACK_LIST_PATH/black_list.rules

My snort box is not in the path of all the traffic; it's a VM on a VMware host. I have 2 NICs: 1 is management, with an IP that I can ssh to. The other NIC is set up on VLAN 4095 (VMware special VLAN ID to get all packets, with tagging). I have created eth1.<vlanid> for all the interested VLANs I want to watch, for example users and guest network.

Currently I have screen running and I start 2 processes like this:

snort -c /etc/snort/snort.conf -N -s -i eth1.145

I don't really want to log any packets, just want to check out the alerting. I believe this will send any alerts to syslog. I have been keeping track of /var/log/message and /var/log/secure, nothing as yet.

How can I set this up so I run it as a daemon, and can 1 process watch 2 or more interfaces? Or am I going about this all wrong :)

thanks

------------------------------------------------------------------------------
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
Please visit http://blog.snort.org to stay current on all the latest Snort news!
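Added example (not from the thread or the Snort project): the "one process per NIC" setup from the reply as a small POSIX sh script that daemonises one Snort 2.9 instance per monitored VLAN sub-interface, keeps the alert-only flags from the question (-N -s), and gives each instance its own PID file so they can be checked and stopped independently. It assumes /etc/snort/snort.conf, a writable /var/run/snort, and, for the inline-set variant, an afpacket DAQ; the interface names are the ones from the question.

```shell
#!/bin/sh
# One Snort daemon per monitored VLAN sub-interface (assumed defaults below,
# override via environment). -D daemonises, -N disables packet logging,
# -s sends alerts to syslog, --pid-path keeps each instance's PID file apart.
SNORT_CONF=${SNORT_CONF:-/etc/snort/snort.conf}
PID_DIR=${PID_DIR:-/var/run/snort}
MONITOR_IFACES=${MONITOR_IFACES:-"eth1.145 eth1.207"}

# Command line for a passive (sniffing) instance on one interface.
snort_cmd() {
    printf 'snort -D -c %s -N -s -i %s --pid-path %s\n' "$SNORT_CONF" "$1" "$PID_DIR"
}

# Command line for the reply's other option: one process bridging two NICs
# as an inline set (-Q, interfaces joined with ':'; assumes the afpacket DAQ).
snort_inline_cmd() {
    printf 'snort -D -Q --daq afpacket -c %s -N -s -i %s:%s --pid-path %s\n' \
        "$SNORT_CONF" "$1" "$2" "$PID_DIR"
}

# Snort 2 writes snort_<iface>.pid inside the --pid-path directory.
pid_file() { printf '%s/snort_%s.pid\n' "$PID_DIR" "$1"; }

# 0 if the PID file for the interface names a live process, 1 otherwise.
iface_running() {
    f=$(pid_file "$1")
    [ -r "$f" ] && kill -0 "$(cat "$f")" 2>/dev/null
}

# Start a daemon for every interface that does not already have one.
start_all() {
    for i in $MONITOR_IFACES; do
        if iface_running "$i"; then
            echo "snort already running on $i ($(pid_file "$i"))"
        else
            eval "$(snort_cmd "$i")"
        fi
    done
}

# Only launch when invoked as: sh snort-per-iface.sh start
if [ "${1:-}" = "start" ]; then
    start_all
fi
```

Stop a single instance with `kill "$(cat /var/run/snort/snort_eth1.145.pid)"`; the other interfaces' daemons are unaffected.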
Current thread:
- newbie question Alex Samad (Nov 22)
- Re: newbie question Al Lewis (allewi) (Nov 23)