snort on ubuntu 8.04

I am following this guide on how to install snort on ubuntu and i am on the mysql part. It tells me to issue this command: mysql> grant all privileges on snort.* to 'snort'@'localhost' identified by 'snort_password'; Every time i do i get this error: ERROR 1290 (HY000): The MySQL server is running with the --skip-grant-tables option so it cannot execute this statement. How do i fix this?
scripttron75Asked:
louislietaerCommented:
go for

cd /etc/snort

and

snort -c ./snort.conf
0
 
louislietaerCommented:
grant command is not compatible with the option --skip-grant-tables

you may work around it by updating table user

mysql> USE mysql;

Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
mysql> UPDATE user SET Select_priv='Y',Insert_priv='Y',Update_priv='Y', Delete_priv='Y', Create_priv='Y', Drop_priv='Y', Reload_priv='Y',Shutdown_priv='Y',Process_priv='Y',File_priv='Y',Grant_priv='Y',References_priv='Y', Index_priv='Y', Alter_priv='Y', Show_db_priv='Y', Super_priv='Y' WHERE user='snort';

Query OK, 2 rows affected (0.02 sec)
Rows matched: 2  Changed: 2  Warnings: 0
mysql> flush privileges;
0
 
scripttron75Author Commented:
thank you for that but can you make it a little less difficult to understand what this means?
0
 
louislietaerCommented:
you have got two options

start mysql without the option "--skip-grant-tables" and "grant all privileges on snort.* to 'snort'@'localhost' identified by 'snort_password';" will work

or if you leave "--skip-grant-tables" you will have to use the work around described before
by passing these 3 commands
1) use mysql;
this will select the database
2) update user set ....bla bla ..... where user='snort';
this will grant all privileges to user snort;
3) flush privileges;
it is a good way to finish your session ;)

0
 
scripttron75Author Commented:
what is the command to start mysql without the option  --skip-grant-tables"
0
 
louislietaerCommented:
Just remove the option "--skip-grant-tables" in your start script
0
 
scripttron75Author Commented:
there is no start script YET! i am following these directions:

Configure mysql

Next we need to configure a mysql database for snort to use for alerts.

Code:

mysql -u root -p

Enter your mysql password for root (you did write it down didn't you ?)

You will get a mysql prompt "mysql>". I will use this prompt to indicate commands entered in mysql (as opposed to the command line) you do not need to enter the "mysql >".

Quote:
mysql> create database snort;
mysql> grant all privileges on snort.* to 'snort'@'localhost' identified by 'snort_password';
mysql> exit

    * Consider changing the name of the database to something other than "snort".
    * Consider changing the name of mysql user to something other then "snort" (in 'snort'@'localhost').
    * Change the password to something other then "snort_password".


Now, back at the command line, import the snort database scheme

Code:

mysql -D snort -u snort -p < /usr/src/snort-2.8.3/schemas/create_mysql

0
 
louislietaerCommented:
hello,

It seems that the creation of user snort has been omitted, so before the grant command type the command create user

see details following this link
http://dev.mysql.com/doc/refman/5.1/en/create-user.html
0
 
scripttron75Author Commented:
im sorry i am still having an issue: what is the exact syntax to create the user snort?
0
 
louislietaerCommented:

CREATE USER snort@'localhost' IDENTIFIED BY 'pass1';

0
 
scripttron75Author Commented:
i get this after i run that command:

ERROR 1290 (HY000): The MySQL server is running with the --skip-grant-tables option so it cannot execute this statement
0
 
louislietaerCommented:
Can you please start from scratch:

under linux log as root

type command : /etc/init.d/mysql restart

type command : mysql -p
you will be prompted for the mysql root password

then create user snort, grant etc
0
 
scripttron75Author Commented:
thank you louislietaer that worked but makes no sense though as i was already logged in as root. does MYsql have a gui for it or is it just command based.
0
 
scripttron75Author Commented:
i guess i spoke too soon:

mysql> CREATE USER snort@'localhost' IDENTIFIED BY 'linuxids';
Query OK, 0 rows affected (0.01 sec)

mysql> grant all privileges on snort. * to 'snort'@'localhost' identified by 'snort_linuxids';
Query OK, 0 rows affected (0.00 sec)

does this mean it worked?
0
 
scripttron75Author Commented:
given the document i am following after running the create and grant commands i have to run this command

mysql -D snort -u snort -p < /usr/src/snort-2.8.4/schemas/create_mysql

i get this:

ERROR 1045 (28000): Access denied for user 'snort'@'localhost' (using password: YES)  i used the right password:  snort_linuxids

0
 
scripttron75Author Commented:
after i put the password:  snort_linuxids

i get this:

ERROR 1049 (42000): Unknown database 'snort'
root@jeff-desktop:/usr/src#
0
 
scripttron75Author Commented:
i think i got it, there was not a snort db created when there should have been since i was following the guide, i created one and it looks like it worked now on to the next command.
0
 
scripttron75Author Commented:
ok now i am on this command:

Using any editor, open /etc/snort/snort.conf and make the following changes :

    * In nano you can search using ctrl-W
    * In vim you can search using /
    * Search for "HOME_NET" , "EXTERNAL_NET", then mysql (without quotes).


   1. Change "var HOME_NET any" to "var HOME_NET 192.168.0.0/16" (use your netmask here).

how do i know what my netmask is:  i am on a private network of 192.168.75.xxx  ?
0
 
louislietaerCommented:
Well Done Let's go further

You wrote :

1. Change "var HOME_NET any" to "var HOME_NET 192.168.0.0/16" (use your netmask here).
how do i know what my netmask is:  i am on a private network of 192.168.75.xxx  ?

Answer :
in shell Bash, type ifconfig, you should have

eth0      Link encap:Ethernet  HWaddr 00:0f:1f:56:ef:e3
          inet addr:192.168.0.1  Bcast:192.168.0.255  Mask:255.255.255.0
          inet6 addr: fe80::20f:1fff:fe56:efe3/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:39232499 errors:0 dropped:0 overruns:0 frame:0
          TX packets:42301781 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:3762547676 (3.5 GB)  TX bytes:1881975675 (1.7 GB)
          Interrupt:20

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:50433 errors:0 dropped:0 overruns:0 frame:0
          TX packets:50433 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:20548511 (19.5 MB)  TX bytes:20548511 (19.5 MB)
--------------------------------------------------------------------------------------

Look for eth0 (a few words further) mask 255.255.xxx.xxx

With your IP you should have the value 255.255.255.0 as your ip is class C

You wrote:
does MYsql have a gui ?
My answer :
yes, I use 2.
First is provided by mysql project : http://dev.mysql.com/downloads/gui-tools/5.0.html
Second : http://www.navicat.com/

But let's finish your installation first.
0
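The netmask answer above is worked through as an added example (not code from the thread): the function parses the old-style ifconfig output shown there and derives the `var HOME_NET` line for snort.conf from the address and mask of one interface. The ifconfig text is a constructed sample shaped like the thread's output, and the function names are my own.

```shell
#!/bin/sh
# Added example: turn "inet addr:A.B.C.D ... Mask:M.M.M.M" from ifconfig into
# "var HOME_NET <network>/<prefix>" for /etc/snort/snort.conf.

# Constructed sample, shaped like the ifconfig output pasted in the thread.
SAMPLE_IFCONFIG='eth0      Link encap:Ethernet  HWaddr 00:04:5a:7b:54:03
          UP BROADCAST MULTICAST  MTU:1500  Metric:1

eth1      Link encap:Ethernet  HWaddr 00:08:02:cc:d8:bf
          inet addr:192.168.75.10  Bcast:192.168.75.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0'

# Print "address mask" for one interface, or nothing if it has no IPv4 address.
# $1 = interface name, $2 = ifconfig text
iface_addr_mask() {
    printf '%s\n' "$2" | awk -v want="$1" '
        /^[^ \t]/ { cur = $1 }                # a line starting in column 1 opens a new interface stanza
        cur == want && /inet addr:/ {
            addr = $2; sub(/^addr:/, "", addr)
            for (i = 1; i <= NF; i++) if ($i ~ /^Mask:/) mask = substr($i, 6)
            print addr, mask; exit
        }'
}

# Count the one bits of a dotted mask: 255.255.255.0 -> 24
mask_to_prefix() {
    local IFS=. n=0 o
    for o in $1; do
        while [ "$o" -gt 0 ]; do n=$((n + (o & 1))); o=$((o >> 1)); done
    done
    echo "$n"
}

# AND each address octet with the matching mask octet: 192.168.75.10 / 255.255.255.0 -> 192.168.75.0
network_addr() {
    local IFS=. out="" a m
    set -- $1 $2              # eight octets: four of the address, then four of the mask
    while [ $# -gt 4 ]; do
        a=$1; m=$5
        out="$out${out:+.}$((a & m))"
        shift
    done
    echo "$out"
}

# Print the snort.conf line for an interface; fail if it has no IPv4 address.
# $1 = interface name, $2 = ifconfig text
home_net_line() {
    set -- $(iface_addr_mask "$1" "$2")
    [ $# -eq 2 ] || return 1
    echo "var HOME_NET $(network_addr "$1" "$2")/$(mask_to_prefix "$2")"
}

home_net_line eth1 "$SAMPLE_IFCONFIG"
```

On the real machine you would feed it `"$(ifconfig)"` instead of the sample; eth0 in the sample has no address, so the function fails for it rather than guessing.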
 
scripttron75Author Commented:
ok thank you this is a slow process i will keep this going.
0
 
louislietaerCommented:
Yes, it is not good for my rank in hall of fame ;)
0
 
scripttron75Author Commented:
ok thanks for your patience:

i am now on this part where i had to dl a script that bodhi.hahn provided with his guide:

root@jeff-desktop:/etc/init.d# cd /usr/src
root@jeff-desktop:/usr/src# chown root.root /etc/init.d/snort
root@jeff-desktop:/usr/src# chmod 500 /etc/init.d/snort
root@jeff-desktop:/usr/src# exec /etc/init.d/snort boot
/etc/init.d/snort: line 1: ÿ#!/bin/bash: No such file or directory
jeff@jeff-desktop:~$
jeff@jeff-desktop:~$

i downloaded the script and moved it to /etc/init.d/snort then opened the file with openoffice and then changed these settings:

The only "problem" with installing snort from source is that we now need a script to start snort. The other issue is that if there are no alerts, snort will lose it's connection with the mysql database.

To solve this, I wrote a script to start / restart snort.

The script is attached to this post and is called "ubuntu.snort.init.txt"

Copy this file to your computer and copy/move it to /etc/init.d/snort

Now lets look at the code. You need to look at two lines.

   1. The first is your interface. The default is eth0. If you wish to use snort on an alternate interface, such as eth1, you will need to edit the line IFACE="eth0" and change "eth0" to "eth1"
          * Note : Snort will not work with wireless interfaces, you need to use airsnort instead.
   2. The second option is to whitelist ip addresses. I advise you do this with caution, but you *may* wish to white IP addresses such as your router and your public ip address.

      To white list an IP , add it to the line WHITELIST='' (note that is two single quotes, ' ' and not a double quote " ) , one ip at a time, separated by a space, like this :

      Code:

      WHITELIST='127.0.0.1 192.168.1.1'

i changed the eth0 to eth1 and then i put these ip addresses as i do not want snort to monitor them:

127.0.0.1 192.168.75.1 192.168.75.2 up to 192.168.75.11 then i saved it and now i am on the part above
0
 
scripttron75Author Commented:
this part:

says there is no directory

root@jeff-desktop:/etc/init.d# cd /usr/src
root@jeff-desktop:/usr/src# chown root.root /etc/init.d/snort
root@jeff-desktop:/usr/src# chmod 500 /etc/init.d/snort
root@jeff-desktop:/usr/src# exec /etc/init.d/snort boot
/etc/init.d/snort: line 1: ÿ#!/bin/bash: No such file or directory
0
 
scripttron75Author Commented:
this is what he says about his startup script for snort:

Now that you are done editing the file, set ownership and permissions :

Code:

chown root.root /etc/init.d/snort
chmod 500 /etc/init.d/snort

Starting snort on boot

My script has a 20 second sleep built in (sometimes when you start snort it will fail after a 10-15 second delay). To avoid adding a 20 second longer boot time, use the "boot" option.

With this factoid in mind, edit /etc/rc.local and add :

Code:

exec /etc/init.d/snort boot

i did that code and get no directory
0
 
louislietaerCommented:
Can you provide the output of ifconfig on your computer and the famous script
0
 
louislietaerCommented:
Where are you living my time 9:26 PM
0
 
scripttron75Author Commented:
no i am in pacific time
0
 
scripttron75Author Commented:
here is ifconfig

root@jeff-desktop:/home/jeff# ifconfig
eth0      Link encap:Ethernet  HWaddr 00:04:5a:7b:54:03  
          UP BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:1 dropped:0 overruns:0 carrier:2
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)
          Interrupt:16 Base address:0x1000

eth1      Link encap:Ethernet  HWaddr 00:08:02:cc:d8:bf  
          inet addr:192.168.75.10  Bcast:192.168.75.255  Mask:255.255.255.0
          inet6 addr: fe80::208:2ff:fecc:d8bf/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:5960 errors:0 dropped:0 overruns:0 frame:0
          TX packets:5590 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:4089555 (3.9 MB)  TX bytes:1445379 (1.3 MB)

eth0:avahi Link encap:Ethernet  HWaddr 00:04:5a:7b:54:03  
          inet addr:169.254.3.137  Bcast:169.254.255.255  Mask:255.255.0.0
          UP BROADCAST MULTICAST  MTU:1500  Metric:1
          Interrupt:16 Base address:0x1000

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:1130 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1130 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:56804 (55.4 KB)  TX bytes:56804 (55.4 KB)
0
 
scripttron75Author Commented:
this is the script
ubuntu.snort.init.txt
0
 
louislietaerCommented:
Well

the script must be placed in /etc/init.d

run the command chmod +x /etc/init.d/snort

to run the script
/etc/init.d/snort start
to stop
/etc/init.d/snort stop
to view status
/etc/init.d/snort status
to restart
/etc/init.d/snort restart

The script needs this command to run properly
/usr/bin/zenity
/usr/bin/gksu
/usr/bin/id -u
/usr/local/bin/snort

you can check with the command 'whereis' example : 'whereis zenity' should printout '/usr/bin/zenity /usr/share/zenity' for example

and this file /etc/snort/snort.conf (can you provide me this file)
0
 
scripttron75Author Commented:
i tried to upload snort.conf but EE says its an unknown file type?
0
 
scripttron75Author Commented:
I forgot after following these commands for snort.conf it changed the permission level:

chown root.root /etc/init.d/snort
chmod 500 /etc/init.d/snort

i can open it with openoffice.org but editing has been denied. how can we change that?
0
 
louislietaerCommented:
chmod 770 /etc/init.d/snort
0
 
louislietaerCommented:
What about

/usr/bin/zenity
/usr/bin/gksu
/usr/bin/id -u
/usr/local/bin/snort
0
 
louislietaerCommented:
try this command :

find / -name snort.conf -print (you may find on your disk)
0
 
scripttron75Author Commented:
i have not run those yet:

What about

/usr/bin/zenity
/usr/bin/gksu
/usr/bin/id -u
/usr/local/bin/snor

when do i run those

0
 
scripttron75Author Commented:
I ran that command and here is the output:

root@jeff-desktop:/home/jeff# find / -name snort.conf -print
find: /home/jeff/.gvfs: Permission denied
/etc/snort/snort.conf
/usr/src/snort-2.8.4/etc/snort.conf
/usr/src/etc/snort.conf
0
 
louislietaerCommented:
provide /usr/src/snort-2.8.4/etc/snort.conf
0
 
scripttron75Author Commented:
root@jeff-desktop:/home/jeff# /usr/src/snort-2.8.4/etc/snort.conf
bash: /usr/src/snort-2.8.4/etc/snort.conf: Permission denied
0
 
louislietaerCommented:
What about

for /usr/bin/zenity type command "whereis zenity"
for /usr/bin/gksu type command "whereis gksu"
for /usr/bin/id -u type command "whereis id"
for /usr/local/bin/snort type command "whereis snort"

those are command used by the script, I want to be sure they are on your system
0
 
scripttron75Author Commented:
do i run where is zenity in the script or in the command line?  
0
 
scripttron75Author Commented:
root@jeff-desktop:/home/jeff# /usr/bin/zenity  where is zenity
You must specify a dialog type. See 'zenity --help' for details
0
 
louislietaerCommented:
no just
where is zenity

the result should be at least : /usr/bin/zenity  
0
 
scripttron75Author Commented:
root@jeff-desktop:/home/jeff# where is zenity
bash: where: command not found
0
 
louislietaerCommented:
can you provide this file

/usr/src/snort-2.8.4/etc/snort.conf
0
 
scripttron75Author Commented:
after that command:

root@jeff-desktop:/home/jeff# /usr/src/snort-2.8.4/etc/snort.conf
bash: /usr/src/snort-2.8.4/etc/snort.conf: Permission denied
0
 
louislietaerCommented:
I dont want you to execute, just upload it so I see what is in there ;)
0
 
louislietaerCommented:
you wrote
do i run where is zenity in the script or in the command line?

whereis is a linux command run it from the shell as user root

the result of this command is the paths where to can find the file you pass as parameter of the command whereis
0
 
scripttron75Author Commented:
EE says it's not an accepted extension, do you want me to copy and paste?
0
 
louislietaerCommented:
rename the file with the linux shell command

mv /usr/src/snort-2.8.4/etc/snort.conf /usr/src/snort-2.8.4/etc/snort.conf.txt

we will assume when i write a # at the beginning of a line it is a linux shell command, for example i will write

type
#mv /usr/src/snort-2.8.4/etc/snort.conf /usr/src/snort-2.8.4/etc/snort.conf.txt

ok ?


0
 
scripttron75Author Commented:
got it
0
 
scripttron75Author Commented:
snort.conf.txt
0
 
louislietaerCommented:
send me the results of

#whereis zenity
and
#whereis gksu
and
#whereis id
and
#whereis snort
0
 
scripttron75Author Commented:
zenity: /usr/bin/zenity /usr/share/zenity /usr/share/man/man1/zenity.1.gz

gksu: /usr/bin/gksu /usr/share/gksu /usr/share/man/man1/gksu.1.gz

gksu: /usr/bin/gksu /usr/share/gksu /usr/share/man/man1/gksu.1.gz

snort: /usr/src/snort-2.8.4/snort.8 /usr/src/etc/snort.conf /etc/snort /usr/local/bin/snort



0
 
louislietaerCommented:
So try
#/etc/init.d/snort start

0
 
scripttron75Author Commented:
root@jeff-desktop:/home/jeff# /etc/init.d/snort start
/etc/init.d/snort: line 1: ÿ#!/bin/bash: No such file or directory
0
 
louislietaerCommented:
why this char ÿ

#nano /etc/init.d/snort

try to clean strange chars
0
 
scripttron75Author Commented:
sorry that was wrong:

root@jeff-desktop:/home/jeff# /etc/init.d/snort start
/etc/init.d/snort: line 1: ÿ#!/bin/bash: No such file or directory
0
 
scripttron75Author Commented:
i opened snort and at the beginning of the file is:

#!/bin/bash

# This is a "simple" script written by bodhi.zazen to start snort.
# This script is released under the GPL V3.
# Feel free to make modifications.
# If you modify or redistribute this script please give the courtesy of credit.

# This script requires zenity if you wish to run it in X.

# Test root and display

############################################################
###                 Configuration options                ###
############################################################
############################################################
# The following sections are used to configure snort
# Change "eth0" to the interface you wish to use with snort
0
 
scripttron75Author Commented:
the y character is when i did a copy and paste
0
 
scripttron75Author Commented:
root@jeff-desktop:/home/jeff# /etc/init.d/snort start
/etc/init.d/snort: line 1: ÿ#!/bin/bash: No such file or directory

i ran it again and that is what i get above
0
 
scripttron75Author Commented:
replace the Y character with just #!/bin/bash
0
 
scripttron75Author Commented:

louislietaer:  please let me know if you are going to continue to help me with this?

0
 
louislietaerCommented:
Oh Yes, But rather try another approach.

I found a little tutorial installing snort on ubuntu from a package. As I am French the tutorial is French, but I will help you to go thru it. (if you agree)

http://doc.ubuntu-fr.org/snort 
0
 
scripttron75Author Commented:
I have been following this guide:

http://ubuntuforums.org/showthread.php?t=919472

this installs mysql and some other programs does your guide do this or is it just snort?
0
 
louislietaerCommented:
yes snort and oinkmaster that is an automatic rules updater for snort
0
 
scripttron75Author Commented:
ok what about mysql, base and ossec?  after your guide is done i can just continue with these installations
0
 
louislietaerCommented:
mysql is quite easy to install under ubuntu

#apt-get install mysql-server

plus eventually some my.conf modification

ossec I don't know
0
 
scripttron75Author Commented:
what i am saying is that with the guide i have been using i want to utilize all those things in that guide, i provided a link to the guide for you to see it.  i want to use mysql, OSSEC and BASE that is in that guide so what i am going to do is follow your snort install and then go from there but the thing is i am already ahead with the snort install so it does not make sense to start from scratch unless you feel it will benefit this installation. please let me know
0
 
scripttron75Author Commented:
ok lets do the guide that you have, its in french so i need to be guided on this. thank you
0
 
scripttron75Author Commented:
louislietaer:  please let me know when you want to do this?
0
 
louislietaerCommented:
Sorry, I had to work on the field for a big move of servers

Let me know when you will be awake
0
 
scripttron75Author Commented:
I am awake now.
0
 
scripttron75Author Commented:
please let me know when you want to do this.  I am ready to go.  give me the first step
0
 
louislietaerCommented:
Hello,

I am still tired, let's have an appointment tomorrow, call me as soon as you can.

regards
0
 
scripttron75Author Commented:
k let me know i am up from 7am to 12pm pacific time and sometimes up until 3 am
0
 
louislietaerCommented:
Hello,

Call me on your morning as soon as you are ready to work, I will be there
0
 
scripttron75Author Commented:
WIll do, it will be pacific time i guess you are hours ahead of me.
0
 
louislietaerCommented:
9 hours
0
 
scripttron75Author Commented:
ok whenever you are ready
0
 
louislietaerCommented:
Well Yes, I will have to do a little to prepare dinner for my children, but lets go

#sudo apt-get install snort oinkmaster snort-rules-default
0
 
scripttron75Author Commented:
ok i ran that command and i have this screen that says:

configuring snort looking for an IP address  with host bit:

my ip address scheme is 192.168.75.xxx  and i have 6 machines on my LAN network.  Quick Question will this monitor packets that are on the whole network or just this computer.  I have this desktop connected to a switch along with my other computers then that switch plus into my main router.
0
 
louislietaerCommented:
lets start with your computer
0
 
scripttron75Author Commented:
yes the computer i am on with ubuntu 8.04 so it is asking me for an ip address what should i put?
0
 
louislietaerCommented:
Put the Ip address of your computer
0
 
scripttron75Author Commented:
is it like this:  192.168.75.10/24
0
 
louislietaerCommented:
I decide to install on my ubuntu to see
0
 
louislietaerCommented:
go for 192.168.75.0/24, this will check your whole network
0
 
scripttron75Author Commented:
ok i am back at the prompt!  next step?
0
 
louislietaerCommented:
snort is running now ;)

#sudo gedit /etc/oinkmaster.conf

comment this line
    #url = http://www.snort.org/dl/rules/snortrules-snapshot-2_2.tar.gz 

add this one
    http://www.emergingthreats.net/rules/emerging.rules.tar.gz
0
 
scripttron75Author Commented:
this line:

#url = http://www.snort.org/dl/rules/snortrules-snapshot-2_2.tar.gz 

do you want me to add that to the .conf file?  what line?
0
 
louislietaerCommented:
No just comment (find it and put a # at the beginning)
0
 
scripttron75Author Commented:
find what?
0
 
louislietaerCommented:
sorry i make a mistake

add this one
    http://www.emergingthreats.net/rules/emerging.rules.tar.gz

is not good

add this one
   url = http://www.emergingthreats.net/rules/emerging.rules.tar.gz

is good
0
 
louislietaerCommented:
0
 
scripttron75Author Commented:
please clarify, this line:

url = http://www.snort.org/dl/rules/snortrules-snapshot-2_2.tar.gz  is already in the .conf
0
 
louislietaerCommented:
just add a # character at the beginning of this line, this will comment the whole line
0
 
scripttron75Author Commented:
what line number should i put this on?

 url = http://www.emergingthreats.net/rules/emerging.rules.tar.gz
0
 
louislietaerCommented:
Just after the line you just comment
0
 
scripttron75Author Commented:
let me know if this looks correct

# Location of rules archive
# -------------------------
# NOTE: this might need to be changed based on the Snort version
# you are running. This configuration files uses Snort 2.2.x
# url = http://www.snort.org/dl/rules/snortrules-snapshot-2_2.tar.gz
# url = http://www.emergingthreats.net/rules/emerging.rules.tar.gz
# For Snort 2.1
# url = http://www.snort.org/dl/rules/snortrules-snapshot-2_1.tar.gz

# For Snort 2.0
# url = http://www.snort.org/dl/rules/snortrules-snapshot-2_0.tar.gz
# To use CVS snapshots
# url = http://www.snort.org/dl/rules/snortrules-snapshot-CURRENT.tar.gz
0
 
louislietaerCommented:
no it should look like this

let me know if this looks correct

# Location of rules archive
# -------------------------
# NOTE: this might need to be changed based on the Snort version
# you are running. This configuration files uses Snort 2.2.x
# url = http://www.snort.org/dl/rules/snortrules-snapshot-2_2.tar.gz
url = http://www.emergingthreats.net/rules/emerging.rules.tar.gz
# For Snort 2.1
# url = http://www.snort.org/dl/rules/snortrules-snapshot-2_1.tar.gz

# For Snort 2.0
# url = http://www.snort.org/dl/rules/snortrules-snapshot-2_0.tar.gz
# To use CVS snapshots
# url = http://www.snort.org/dl/rules/snortrules-snapshot-CURRENT.tar.gz
0
 
scripttron75Author Commented:
ok looks good now, next step!!!  :>)
0
 
louislietaerCommented:
ok

#sudo oinkmaster -o /etc/snort/rules
0
 
scripttron75Author Commented:
ok ran i ran: #sudo oinkmaster -o /etc/snort/rules

no issues next step we can do this
0
 
louislietaerCommented:
yes as root

#crontab -e

add this line

55 13 * * 6 /usr/sbin/oinkmaster -o /etc/snort/rules

ctrl o and ctrl x to save and exit.

then insert a comment line at the end of  snort.conf ():

echo "#EmergingThreats.net Rules" >> /etc/snort/snort.conf
0
 
scripttron75Author Commented:
i ran the command crontab -e and this is in that file

# m h  dom mon dow   command

do i delete that and put the 55 13 * * 6 /usr/sbin/oinkmaster -o /etc/snort/rules
0
 
louislietaerCommented:
no leave it, it is a comment. You should know by now that the # character at the beginning of the line is a comment.
Here this comment works as a header for the columns

By the way crontab is the unix scheduler

just add the new line
0
 
scripttron75Author Commented:
so this 55 13 * * 6 /usr/sbin/oinkmaster -o /etc/snort/rules

is not a comment
0
 
louislietaerCommented:
true, this will update every monday at 13:55 the file /etc/snort/rules by running : /usr/sbin/oinkmaster -o /etc/snort/rules
0
 
scripttron75Author Commented:
louislietaer:  where is snort.conf i have it in numerous places which one do i need to edit?
0
 
louislietaerCommented:
/etc/snort/snort.conf
0
 
scripttron75Author Commented:
is this comment suppose to look like this:

#echo "#EmergingThreats.net Rules" >> /etc/snort/snort.conf
0
 
louislietaerCommented:
no this is confusing, it is a linux command syntax

try

echo "#EmergingThreats.net Rules"

this will display #EmergingThreats.net Rules on the screen

this one

echo "#EmergingThreats.net Rules" >> /etc/snort/snort.conf

will add the line
#EmergingThreats.net Rules

at the end of /etc/snort/snort.conf
0
 
scripttron75Author Commented:
ok got it next step, i just did this command:

echo "#EmergingThreats.net Rules" >> /etc/snort/snort.conf

and it added to the conf file
0
 
louislietaerCommented:
go for this two linux commands

cd /etc/snort/rules



for i in `ls -1 emerging*` ; do echo "include \$RULE_PATH/"$i ; done >> /etc/snort/snort.conf


every character is important so copy paste
0
 
scripttron75Author Commented:
root@jeff-desktop:/etc/snort/rules# for i in `ls -1 emerging*` ; do echo "include \$RULE_PATH/"$i ; done » /etc/snort/snort.conf
bash: syntax error near unexpected token `»'
root@jeff-desktop:/etc/snort/rules# for i in `ls -1 emerging*` ; do echo "include \$RULE_PATH/"$i ; done » /etc/snort/snort.conf
bash: syntax error near unexpected token `»'
root@jeff-desktop:/etc/snort/rules#
0
 
scripttron75Author Commented:
what time is where u are?
0
 
scripttron75Author Commented:
i will be back later, it is hot out here in California
0
 
louislietaerCommented:

there was a bug in the procedure, go for


cd /etc/snort/rules



for i in `ls -1 emerging*` ; do echo "include \$RULE_PATH/"$i >> /etc/snort/snort.conf ; done


every character is important so copy paste

this will add the rules downloaded by oinkmaster to /etc/snort.conf

0
 
louislietaerCommented:
Here in the south of France (Montpellier) it is 22 PM and the temperature is ok, 24 Celsius
0
 
louislietaerCommented:
edit this file

nano /etc/snort/snort.conf

at the end of the file after #EmergingThreats.net Rules you will see all rules add by last command

Comment #include $RULE_PATH/emerging-botcc-BLOCK.rules

Comment #include $RULE_PATH/emerging-compromised-BLOCK.rules

Comment #include $RULE_PATH/emerging-drop-BLOCK.rules

Comment #include $RULE_PATH/emerging-dshield-BLOCK.rules

Comment #include $RULE_PATH/emerging-rbn-BLOCK.rules

Comment #include $RULE_PATH/emerging-sid-msg.map

Comment #include $RULE_PATH/emerging-sid-msg.map.txt

snort is ready to run

type this command

/etc/init.d/snort restart
0
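The two steps above (append include lines for every emerging* file, then comment out the -BLOCK and sid-msg.map entries) as one added script; this is my example, not code from the thread or from the Ubuntu package. It uses `>>` rather than the `»` character that bash rejected earlier, writes the -BLOCK and .map entries already commented, and is idempotent so a second run does not duplicate lines. The rules directory and snort.conf path are parameters, and the fixture at the end is constructed for the example.

```shell
#!/bin/sh
# Added example: build the "#EmergingThreats.net Rules" section of snort.conf.

MARKER='#EmergingThreats.net Rules'

# Include line for one rules file. The -BLOCK lists and the sid-msg.map files
# are emitted commented out, as the thread advises; anything else is skipped.
include_line() {
    case "$1" in
        *-BLOCK.rules|*sid-msg.map*) printf '#include $RULE_PATH/%s\n' "$1" ;;
        *.rules)                     printf 'include $RULE_PATH/%s\n' "$1" ;;
    esac
}

# Append the section. $1 = rules directory, $2 = snort.conf path
add_emerging_includes() {
    rules_dir=$1; conf=$2
    [ -d "$rules_dir" ] && [ -f "$conf" ] || return 1
    # write the marker comment only once, however often the script runs
    grep -qxF "$MARKER" "$conf" || printf '%s\n' "$MARKER" >> "$conf"
    for f in "$rules_dir"/emerging*; do
        [ -f "$f" ] || continue
        name=${f##*/}
        line=$(include_line "$name")
        [ -n "$line" ] || continue
        # leave the file alone if the line is already there, active or commented
        if ! grep -qxF "$line" "$conf" && ! grep -qxF "#$line" "$conf"; then
            printf '%s\n' "$line" >> "$conf"
        fi
    done
}

# Number of active (uncommented) emerging includes in a conf file.
active_includes() {
    grep -c '^include \$RULE_PATH/emerging' "$1"
}

# Constructed fixture: a scratch rules directory plus a minimal snort.conf.
make_fixture() {
    d=$(mktemp -d)
    mkdir "$d/rules"
    for n in emerging-attack_response.rules emerging-botcc-BLOCK.rules \
             emerging-botcc.rules emerging-sid-msg.map emerging.conf; do
        : > "$d/rules/$n"
    done
    printf 'var RULE_PATH /etc/snort/rules\n' > "$d/snort.conf"
    echo "$d"
}

# Usage on the real system would be:
#   add_emerging_includes /etc/snort/rules /etc/snort/snort.conf
```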
 
louislietaerCommented:
I will be back in 1 hour

are you sure you want to install base? have a look at this windows client for snort

http://www.activeworx.org/Default.aspx?tabid=54
0
 
scripttron75Author Commented:
that client is fine, we can do that
0
 
scripttron75Author Commented:
louislietaer:  can you look at the conf file.  this comment should be changed as well too shouldnt it.

Step #1: Set the network variables:
#
# You must change the following variables to reflect your local network. The
# variable is currently setup for an RFC 1918 address space.
#
# You can specify it explicitly as:
#
# var HOME_NET 10.1.1.0/24
#
# or use global variable $<interfacename>_ADDRESS which will be always
# initialized to IP address and netmask of the network interface which you run
# snort at.  Under Windows, this must be specified as
# $(<interfacename>_ADDRESS), such as:
# $(\Device\Packet_{12345678-90AB-CDEF-1234567890AB}_ADDRESS)
#
# var HOME_NET $eth0_ADDRESS

#
# You can specify lists of IP addresses for HOME_NET
# by separating the IPs with commas like this:
#
# var HOME_NET [10.1.1.0/24,192.168.1.0/24]
#
# MAKE SURE YOU DON'T PLACE ANY SPACES IN YOUR LIST!
#
# or you can specify the variable to be any IP address
# like this:

var HOME_NET any

# Set up the external network addresses as well.  A good start may be "any"
var EXTERNAL_NET any
#var EXTERNAL_NET !$HOME_NET

shouldnt we change those to reflect my network?
0
 
scripttron75Author Commented:
this is getting confusing for both of us.  I have done the install now the conf needs to be configured can i send it to you and you can change the necessary things in it.
Tell me what configuration file you need?  
0
 
louislietaerCommented:
All you have to do is comment those lines at the end of the file

Comment #include $RULE_PATH/emerging-botcc-BLOCK.rules

Comment #include $RULE_PATH/emerging-compromised-BLOCK.rules

Comment #include $RULE_PATH/emerging-drop-BLOCK.rules

Comment #include $RULE_PATH/emerging-dshield-BLOCK.rules

Comment #include $RULE_PATH/emerging-rbn-BLOCK.rules

Comment #include $RULE_PATH/emerging-sid-msg.map

Comment #include $RULE_PATH/emerging-sid-msg.map.txt


even if it is not mandatory

snort is now working on your system, you have to express your needs, snort will report all network activity and you can configure it nearly to infinite.

Now you have to work on reporting depending on what you are looking for.
0
 
louislietaerCommented:
Collecting information that you don't need consumes server time and resources. And some new attacks can be found in the future by hackers. That is the reason Oinkmaster keeps snort up to date. You will sometimes need to change /etc/snort/snort.conf
0
 
scripttron75Author Commented:
ok i added those lines at the end of snort.conf without the COMMENT mark on them. only put this:

#include $RULE_PATH/emerging-botcc-BLOCK.rules

 #include $RULE_PATH/emerging-compromised-BLOCK.rules

#include $RULE_PATH/emerging-drop-BLOCK.rules

#include $RULE_PATH/emerging-dshield-BLOCK.rules

 
include $RULE_PATH/emerging-rbn-BLOCK.rules


 #include $RULE_PATH/emerging-sid-msg.map

 #include $RULE_PATH/emerging-sid-msg.map.txt


I do not see this part in the file though:

#EmergingThreats.net

0
 
louislietaerCommented:
Here is my snort.conf file.

you should have the same
snort.conf.txt
0
 
scripttron75Author Commented:
OK, I copied your emerging threats and put it at the bottom.


Where do we go from here?
0
 
louislietaerCommented:
Snort is ready to run.

Type this command:

/etc/init.d/snort restart
0
 
scripttron75Author Commented:
problem

root@jeff-desktop:/home/jeff# /etc/init.d/snort restart
 * Stopping Network Intrusion Detection System  snort                    [ OK ]
 * Starting Network Intrusion Detection System  snort                    [fail]
root@jeff-desktop:/home/jeff#
0
 
louislietaerCommented:
Can you type this command and send me back the result?

ls -l /etc/snort/rules/emer*
0
 
louislietaerCommented:
My result:

root@ubuntu:/etc/snort# ls -l rules/emer*
-rw-r----- 1 root root   43064 2009-05-08 21:54 rules/emerging-attack_response.rules
-rw-r----- 1 root root   27425 2009-05-08 21:54 rules/emerging-botcc-BLOCK.rules
-rw-r----- 1 root root   26681 2009-05-08 21:54 rules/emerging-botcc.rules
-rw-r----- 1 root root  106283 2009-05-08 21:54 rules/emerging-compromised-BLOCK.rules
-rw-r----- 1 root root  101597 2009-05-08 21:54 rules/emerging-compromised.rules
-rw-r----- 1 root root    2667 2009-05-08 21:54 rules/emerging.conf
-rw-r----- 1 root root   14275 2009-05-08 21:54 rules/emerging-dos.rules
-rw-r----- 1 root root    7197 2009-05-08 21:54 rules/emerging-drop-BLOCK.rules
-rw-r----- 1 root root    6846 2009-05-08 21:54 rules/emerging-drop.rules
-rw-r----- 1 root root    2468 2009-05-08 21:54 rules/emerging-dshield-BLOCK.rules
-rw-r----- 1 root root    2435 2009-05-08 21:54 rules/emerging-dshield.rules
-rw-r----- 1 root root  158997 2009-05-08 21:54 rules/emerging-exploit.rules
-rw-r----- 1 root root   17931 2009-05-08 21:54 rules/emerging-game.rules
-rw-r----- 1 root root    8761 2009-05-08 21:54 rules/emerging-inappropriate.rules
-rw-r----- 1 root root  486871 2009-05-08 21:54 rules/emerging-malware.rules
-rw-r----- 1 root root   33037 2009-05-08 21:54 rules/emerging-p2p.rules
-rw-r----- 1 root root  279979 2009-05-08 21:54 rules/emerging-policy.rules
-rw-r----- 1 root root  131879 2009-05-08 21:54 rules/emerging-rbn-BLOCK.rules
-rw-r----- 1 root root  122474 2009-05-08 21:54 rules/emerging-rbn.rules
-rw-r----- 1 root root   49352 2009-05-08 21:54 rules/emerging.rules
-rw-r----- 1 root root   46837 2009-05-08 21:54 rules/emerging-scan.rules
-rw-r----- 1 root root 2019605 2009-05-08 21:54 rules/emerging-sid-msg.map
-rw-r----- 1 root root 2019605 2009-05-08 21:54 rules/emerging-sid-msg.map.txt
-rw-r----- 1 root root   25560 2009-05-08 21:54 rules/emerging-tor-BLOCK.rules
-rw-r----- 1 root root   23636 2009-05-08 21:54 rules/emerging-tor.rules
-rw-r----- 1 root root  399223 2009-05-08 21:54 rules/emerging-virus.rules
-rw-r----- 1 root root    4518 2009-05-08 21:54 rules/emerging-voip.rules
-rw-r----- 1 root root  149162 2009-05-08 21:54 rules/emerging-web.rules
-rw-r----- 1 root root 2277470 2009-05-08 21:54 rules/emerging-web_sql_injection.rules

0
 
scripttron75Author Commented:
root@jeff-desktop:/home/jeff# ls -l /etc/snort/rules/emer*
ls: cannot access /etc/snort/rules/emer*: No such file or directory
0
 
scripttron75Author Commented:
I tried it while under /etc/snort

root@jeff-desktop:/etc/snort# ls -l /etc/snort/rules/emer*
ls: cannot access /etc/snort/rules/emer*: No such file or directory
root@jeff-desktop:/etc/snort#
0
 
scripttron75Author Commented:
It seems like this install is all messed up.
0
 
scripttron75Author Commented:
Louis, I went back and did everything you told me to; the output below is from the last command you gave me. Also, I am a semi-NEWB to Linux, but I do understand what we are doing; the syntax is foreign to me. I know basic commands. After I ran the command: ls -l /etc/snort/rules/emer*

root@jeff-desktop:/etc/snort/rules# /etc/init.d/snort restart
 * No snort instance found to be stopped!
root@jeff-desktop:/etc/snort/rules# /etc/init.d/snort restart
 * No snort instance found to be stopped!
root@jeff-desktop:/etc/snort/rules# ls -l /etc/snort/rules/emer*
-rw-r----- 1 root root   43064 2009-05-08 21:03 /etc/snort/rules/emerging-attack_response.rules
-rw-r----- 1 root root   27425 2009-05-08 21:03 /etc/snort/rules/emerging-botcc-BLOCK.rules
-rw-r----- 1 root root   26681 2009-05-08 21:03 /etc/snort/rules/emerging-botcc.rules
-rw-r----- 1 root root  106283 2009-05-08 21:03 /etc/snort/rules/emerging-compromised-BLOCK.rules
-rw-r----- 1 root root  101597 2009-05-08 21:03 /etc/snort/rules/emerging-compromised.rules
-rw-r----- 1 root root    2667 2009-05-08 21:03 /etc/snort/rules/emerging.conf
-rw-r----- 1 root root   14275 2009-05-08 21:03 /etc/snort/rules/emerging-dos.rules
-rw-r----- 1 root root    7197 2009-05-08 21:03 /etc/snort/rules/emerging-drop-BLOCK.rules
-rw-r----- 1 root root    6846 2009-05-08 21:03 /etc/snort/rules/emerging-drop.rules
-rw-r----- 1 root root    2468 2009-05-08 21:03 /etc/snort/rules/emerging-dshield-BLOCK.rules
-rw-r----- 1 root root    2435 2009-05-08 21:03 /etc/snort/rules/emerging-dshield.rules
-rw-r----- 1 root root  158997 2009-05-08 21:03 /etc/snort/rules/emerging-exploit.rules
-rw-r----- 1 root root   17931 2009-05-08 21:03 /etc/snort/rules/emerging-game.rules
-rw-r----- 1 root root    8761 2009-05-08 21:03 /etc/snort/rules/emerging-inappropriate.rules
-rw-r----- 1 root root  486871 2009-05-08 21:03 /etc/snort/rules/emerging-malware.rules
-rw-r----- 1 root root   33037 2009-05-08 21:03 /etc/snort/rules/emerging-p2p.rules
-rw-r----- 1 root root  279979 2009-05-08 21:03 /etc/snort/rules/emerging-policy.rules
-rw-r----- 1 root root  131879 2009-05-08 21:03 /etc/snort/rules/emerging-rbn-BLOCK.rules
-rw-r----- 1 root root  122474 2009-05-08 21:03 /etc/snort/rules/emerging-rbn.rules
-rw-r----- 1 root root   49352 2009-05-08 21:03 /etc/snort/rules/emerging.rules
-rw-r----- 1 root root   46837 2009-05-08 21:03 /etc/snort/rules/emerging-scan.rules
-rw-r----- 1 root root 2019605 2009-05-08 21:03 /etc/snort/rules/emerging-sid-msg.map
-rw-r----- 1 root root 2019605 2009-05-08 21:03 /etc/snort/rules/emerging-sid-msg.map.txt
-rw-r----- 1 root root   25560 2009-05-08 21:03 /etc/snort/rules/emerging-tor-BLOCK.rules
-rw-r----- 1 root root   23636 2009-05-08 21:03 /etc/snort/rules/emerging-tor.rules
-rw-r----- 1 root root  399223 2009-05-08 21:03 /etc/snort/rules/emerging-virus.rules
-rw-r----- 1 root root    4518 2009-05-08 21:03 /etc/snort/rules/emerging-voip.rules
-rw-r----- 1 root root  149162 2009-05-08 21:03 /etc/snort/rules/emerging-web.rules
-rw-r----- 1 root root 2277470 2009-05-08 21:03 /etc/snort/rules/emerging-web_sql_injection.rules
0
 
scripttron75Author Commented:
I ran this command:

/etc/init.d/snort start and I got this:

root@jeff-desktop:/etc/snort/rules# /etc/init.d/snort start
 * Starting Network Intrusion Detection System  snort                            {FAIL}
0
 
louislietaerCommented:
Copy my snort.conf file and erase yours.

Rerun

/etc/init.d/snort start
0
 
scripttron75Author Commented:
I replaced my snort.conf with yours and saved it; still failing???

root@jeff-desktop:/etc/snort# /etc/init.d/snort start
 * Starting Network Intrusion Detection System  snort                                                                 [fail]
root@jeff-desktop:/etc/snort#
0
 
scripttron75Author Commented:
What else can we try?
0
 
louislietaerCommented:
Is there a way I can access your host, by ssh for example?
0
 
scripttron75Author Commented:
Yes, we can.
0
 
scripttron75Author Commented:
No, maybe not! I have had problems with people from Europe before, sorry.
0
 
louislietaerCommented:
What I'm saying is, I have been doing the same process on my host, and Snort is working on my host.

Replay the scenario again, and try to find where the mistake was made.
0
 
scripttron75Author Commented:
That is what I did; I went back through it all over and started from scratch, still no go. Do you want to remote in?
0
 
scripttron75Author Commented:
I ran through the whole thing again on another machine using the VMware client. It installed all correctly; it is only when I get to this part:

/etc/init.d/snort restart that it stops the service, then tries to run it, and it fails?

What is the issue?
0
 
scripttron75Author Commented:
root@jeff-desktop:/etc/snort# snort -c ./snort.conf
Running in IDS mode

        --== Initializing Snort ==--
Initializing Output Plugins!
Initializing Preprocessors!
Initializing Plug-ins!
Parsing Rules file ./snort.conf
PortVar 'HTTP_PORTS' defined :  [ 80 ]
PortVar 'SHELLCODE_PORTS' defined :  [ 0:79 81:65535 ]
PortVar 'ORACLE_PORTS' defined :  [ 1521 ]
Frag3 global config:
    Max frags: 65536
    Fragment memory cap: 4194304 bytes
Frag3 engine config:
    Target-based policy: FIRST
    Fragment timeout: 60 seconds
    Fragment min_ttl:   1
    Fragment ttl_limit (not used): 5
    Fragment Problems: 1
Stream5 global config:
    Track TCP sessions: ACTIVE
    Max TCP sessions: 8192
    Memcap (for reassembly packet storage): 8388608
    Track UDP sessions: INACTIVE
    Track ICMP sessions: INACTIVE
    Log info if session memory consumption exceeds 1048576
Stream5 TCP Policy config:
    Reassembly Policy: FIRST
    Timeout: 30 seconds
    Min ttl:  1
    Maximum number of bytes to queue per session: 1048576
    Maximum number of segs to queue per session: 2621
    Options:
        Static Flushpoint Sizes: YES
    Reassembly Ports:
      21 client (Footprint)
      23 client (Footprint)
      25 client (Footprint)
      42 client (Footprint)
      53 client (Footprint)
      80 client (Footprint)
      110 client (Footprint)
      111 client (Footprint)
      135 client (Footprint)
      136 client (Footprint)
      137 client (Footprint)
      139 client (Footprint)
      143 client (Footprint)
      445 client (Footprint)
      513 client (Footprint)
      514 client (Footprint)
      1433 client (Footprint)
      1521 client (Footprint)
      2401 client (Footprint)
      3306 client (Footprint)
HttpInspect Config:
    GLOBAL CONFIG
      Max Pipeline Requests:    0
      Inspection Type:          STATELESS
      Detect Proxy Usage:       NO
      IIS Unicode Map Filename: ./unicode.map
      IIS Unicode Map Codepage: 1252
    DEFAULT SERVER CONFIG:
      Server profile: All
      Ports: 80 8080 8180
      Server Flow Depth: 300
      Client Flow Depth: 300
      Max Chunk Length: 500000
      Max Header Field Length: 0
      Max Number Header Fields: 0
      Inspect Pipeline Requests: YES
      URI Discovery Strict Mode: NO
      Allow Proxy Usage: NO
      Disable Alerting: NO
      Oversize Dir Length: 500
      Only inspect URI: NO
      Normalize HTTP Headers: NO
      Normalize HTTP Cookies: NO
      Ascii: YES alert: NO
      Double Decoding: YES alert: YES
      %U Encoding: YES alert: YES
      Bare Byte: YES alert: YES
      Base36: OFF
      UTF 8: OFF
      IIS Unicode: YES alert: YES
      Multiple Slash: YES alert: NO
      IIS Backslash: YES alert: NO
      Directory Traversal: YES alert: NO
      Web Root Traversal: YES alert: YES
      Apache WhiteSpace: YES alert: NO
      IIS Delimiter: YES alert: NO
      IIS Unicode Map: GLOBAL IIS UNICODE MAP CONFIG
      Non-RFC Compliant Characters: NONE
      Whitespace Characters: 0x09 0x0b 0x0c 0x0d
rpc_decode arguments:
    Ports to decode RPC on: 111 32771
    alert_fragments: INACTIVE
    alert_large_fragments: ACTIVE
    alert_incomplete: ACTIVE
    alert_multiple_requests: ACTIVE
Portscan Detection Config:
    Detect Protocols:  TCP UDP ICMP IP
    Detect Scan Type:  portscan portsweep decoy_portscan distributed_portscan
    Sensitivity Level: Low
    Memcap (in bytes): 10000000
    Number of Nodes:   36900

PortVar 'SSH_PORTS' defined :  [ 22 ]
ERROR: /etc/snort/rules/emerging-sid-msg.map(1) => Unknown rule type: 2000005
Fatal Error, Quitting..
root@jeff-desktop:/etc/snort#
0
 
louislietaerCommented:
hello,

comment this line in /etc/snort/snort.conf

rerun

snort -c ./snort.conf

if another error appears, comment the line

loop the process above until no more errors
0
 
scripttron75Author Commented:
Louis:

What do you mean, comment this line:

/etc/snort/snort.conf
Is that a command?
0
 
louislietaerCommented:
Edit the /etc/snort/snort.conf file

find the line containing "emerging-sid-msg.map" (the error shown above)

Insert a '#' at the beginning of the line (this will comment the line)

save the file

rerun snort -c ./snort.conf

if another error appears, loop the process


0
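The "comment the failing include, rerun snort, repeat" loop described above is easy to automate. The script below is an added example, not code from the thread or from the Snort project: it parses the `ERROR: <file>(<line>) => <message>` line that snort prints when a rules file fails to parse, comments out the matching `include` line in snort.conf, and retries. It assumes Snort 2.x's `-T` configuration-test mode (which exits after parsing instead of starting capture); the sample snort.conf tail it writes is constructed for the demonstration, and the function names are the example's own.

```shell
#!/bin/sh
# Added example (not from the thread): automate "comment the failing include,
# rerun snort, repeat". Assumes Snort 2.x "snort -T -c <conf>" test mode and
# the "ERROR: <file>(<line>) => <message>" error format seen in the thread.

# Print the basename of the rules file named in a snort parse-error line.
# e.g. "ERROR: /etc/snort/rules/emerging-sid-msg.map(1) => Unknown rule type: 2000005"
snort_error_file() {
    path=$(printf '%s\n' "$1" | sed -n 's/^ERROR: \(.*\)([0-9][0-9]*) => .*$/\1/p')
    [ -n "$path" ] || return 1
    basename "$path"
}

# Prefix every active "include ...<name>" line in CONF with '#', editing through
# a temp file (sed -i is not POSIX). Regex metacharacters in the name are escaped.
comment_include() {
    conf=$1
    esc=$(printf '%s' "$2" | sed 's/[].[\*^$]/\\&/g')
    tmp=$conf.tmp.$$
    sed "s|^\([[:space:]]*\)include\([[:space:]].*/$esc[[:space:]]*\)\$|\1#include\2|" "$conf" > "$tmp" \
        && mv "$tmp" "$conf"
}

# Count the include lines that are still active (not commented) in CONF.
active_includes() {
    grep -c '^[[:space:]]*include[[:space:]]' "$1"
}

# Test the config, comment the include named in the first ERROR, retry.
# Stops on success or after MAX passes, so an error that is not an include
# problem (e.g. a bad preprocessor path) cannot loop forever.
disable_failing_includes() {
    conf=$1; max=${2:-20}; n=0
    while [ "$n" -lt "$max" ]; do
        out=$(snort -T -c "$conf" 2>&1) && { echo "config OK after $n change(s)"; return 0; }
        err=$(printf '%s\n' "$out" | grep '^ERROR: ' | head -n 1)
        name=$(snort_error_file "$err") || { printf 'unhandled error: %s\n' "$err"; return 1; }
        echo "disabling include of $name"
        comment_include "$conf" "$name"
        n=$((n + 1))
    done
    return 1
}

# Constructed sample snort.conf tail, for trying the helpers without snort installed.
write_sample_conf() {
    cat > "$1" <<'EOF'
var RULE_PATH /etc/snort/rules
#EmergingThreats.net Rules
include $RULE_PATH/emerging-botcc.rules
include $RULE_PATH/emerging-sid-msg.map
#include $RULE_PATH/emerging-rbn-BLOCK.rules
EOF
}
```

On a real sensor, run `disable_failing_includes /etc/snort/snort.conf` after backing up the file, then review which includes were disabled: a `.map` file that was mistakenly listed as a rules file (the case in this thread) is harmless to drop, but a genuine rules file that fails to parse deserves a look at why before it is left disabled.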
 
scripttron75Author Commented:
root@jeff-desktop:/home/jeff# snort -c ./snort.conf
Running in IDS mode

        --== Initializing Snort ==--
Initializing Output Plugins!
Initializing Preprocessors!
Initializing Plug-ins!
Parsing Rules file ./snort.conf
ERROR: Unable to open rules file: ./snort.conf or ././snort.conf
Fatal Error, Quitting..
root@jeff-desktop:/home/jeff#
0
 
scripttron75Author Commented:
Louis, I looked in the /etc/snort directory and found 2 snort.conf files

root@jeff-desktop:/etc/snort# dir
classification.config  reference.config  snort.conf          threshold.conf
community-sid-msg.map  rules             snort.conf~          unicode.map
gen-msg.map             sid-msg.map       snort.debian.conf

is this a big deal?
0
 
scripttron75Author Commented:
After running snort -c ./snort.conf I got this:


DNS config:
    DNS Client rdata txt Overflow Alert: ACTIVE
    Obsolete DNS RR Types Alert: INACTIVE
    Experimental DNS RR Types Alert: INACTIVE
    Ports: 53
ERROR: Misconfigured dynamic preprocessor(s)
Fatal Error, Quitting..
root@jeff-desktop:/etc/snort#
0
 
louislietaerCommented:
hello,

this is due to multiple installations, a bad path in the snort.conf file

follow http://eatingsecurity.blogspot.com/2007/10/upgrading-to-snort-280.html

and try to fix it
0
 
scripttron75Author Commented:
Louis, that is probably the issue, because I was trying to install Snort before using NSMnow, which is an all-in-one program. I am going to reformat this machine, and then we can do it again after a clean install.
0
 
scripttron75Author Commented:
I am going to go through your install again.
0
 
scripttron75Author Commented:
Louis, going back through your install, I noticed that you are using snort rules 2.2; is this old?
0
 
scripttron75Author Commented:
Louis, this is a long output, but I ran: snort -c ./snort.conf and it started successfully



root@jeff-Ubuntudesktop:/home/jeff# snort -c ./snort.conf
Running in IDS mode

        --== Initializing Snort ==--
Initializing Output Plugins!
Var 'any_ADDRESS' defined, value len = 15 chars, value = 0.0.0.0/0.0.0.0
Var 'lo_ADDRESS' defined, value len = 19 chars, value = 127.0.0.0/255.0.0.0
Initializing Preprocessors!
Initializing Plug-ins!
Parsing Rules file ./snort.conf

+++++++++++++++++++++++++++++++++++++++++++++++++++
Initializing rule chains...
ERROR: Unable to open rules file: ./snort.conf or ././snort.conf
Fatal Error, Quitting..
root@jeff-Ubuntudesktop:/home/jeff# cd /etc/snort
root@jeff-Ubuntudesktop:/etc/snort# snort -c ./snort.conf
Running in IDS mode

        --== Initializing Snort ==--
Initializing Output Plugins!
Var 'any_ADDRESS' defined, value len = 15 chars, value = 0.0.0.0/0.0.0.0
Var 'lo_ADDRESS' defined, value len = 19 chars, value = 127.0.0.0/255.0.0.0
Initializing Preprocessors!
Initializing Plug-ins!
Parsing Rules file ./snort.conf

+++++++++++++++++++++++++++++++++++++++++++++++++++
Initializing rule chains...
Var 'HOME_NET' defined, value len = 3 chars, value = any
Var 'EXTERNAL_NET' defined, value len = 3 chars, value = any
Var 'DNS_SERVERS' defined, value len = 3 chars, value = any
Var 'SMTP_SERVERS' defined, value len = 3 chars, value = any
Var 'HTTP_SERVERS' defined, value len = 3 chars, value = any
Var 'SQL_SERVERS' defined, value len = 3 chars, value = any
Var 'TELNET_SERVERS' defined, value len = 3 chars, value = any
Var 'SNMP_SERVERS' defined, value len = 3 chars, value = any
Var 'HTTP_PORTS' defined, value len = 2 chars, value = 80
Var 'SHELLCODE_PORTS' defined, value len = 3 chars, value = !80
Var 'ORACLE_PORTS' defined, value len = 4 chars, value = 1521
Var 'AIM_SERVERS' defined, value len = 185 chars
   [64.12.24.0/23,64.12.28.0/23,64.12.161.0/24,64.12.163.0/24,64.12.200.0/24,205.188.3.0/24,205.188.5.0/24,205.188.7.0/24,205.188.9
   .0/24,205.188.153.0/24,205.188.179.0/24,205.188.248.0/24]
Var 'RULE_PATH' defined, value len = 16 chars, value = /etc/snort/rules
,-----------[Flow Config]----------------------
| Stats Interval:  0
| Hash Method:     2
| Memcap:          10485760
| Rows  :          4099
| Overhead Bytes:  16400(%0.16)
`----------------------------------------------
Frag3 global config:
    Max frags: 65536
    Fragment memory cap: 4194304 bytes
Frag3 engine config:
    Target-based policy: FIRST
    Fragment timeout: 60 seconds
    Fragment min_ttl:   1
    Fragment ttl_limit: 5
    Fragment Problems: 1
    Bound Addresses: 0.0.0.0/0.0.0.0
Stream5 global config:
    Track TCP sessions: ACTIVE
    Max TCP sessions: 8192
    Memcap (for reassembly packet storage): 8388608
    Track UDP sessions: INACTIVE
    Track ICMP sessions: INACTIVE
Stream5 TCP Policy config:
    Reassembly Policy: FIRST
    Timeout: 30 seconds
    Min ttl:  1
    Options:
        Static Flushpoint Sizes: YES
    Reassembly Ports:
      21 client (Footprint)
      23 client (Footprint)
      25 client (Footprint)
      42 client (Footprint)
      53 client (Footprint)
      80 client (Footprint)
      110 client (Footprint)
      111 client (Footprint)
      135 client (Footprint)
      136 client (Footprint)
      137 client (Footprint)
      139 client (Footprint)
      143 client (Footprint)
      445 client (Footprint)
      513 client (Footprint)
      1433 client (Footprint)
      1521 client (Footprint)
      3306 client (Footprint)
    Bound Addresses:0.0.0.0/0.0.0.0
HttpInspect Config:
    GLOBAL CONFIG
      Max Pipeline Requests:    0
      Inspection Type:          STATELESS
      Detect Proxy Usage:       NO
      IIS Unicode Map Filename: ./unicode.map
      IIS Unicode Map Codepage: 1252
    DEFAULT SERVER CONFIG:
      Server profile: All
      Ports: 80 8080 8180
      Flow Depth: 300
      Max Chunk Length: 500000
      Inspect Pipeline Requests: YES
      URI Discovery Strict Mode: NO
      Allow Proxy Usage: NO
      Disable Alerting: NO
      Oversize Dir Length: 500
      Only inspect URI: NO
      Ascii: YES alert: NO
      Double Decoding: YES alert: YES
      %U Encoding: YES alert: YES
      Bare Byte: YES alert: YES
      Base36: OFF
      UTF 8: OFF
      IIS Unicode: YES alert: YES
      Multiple Slash: YES alert: NO
      IIS Backslash: YES alert: NO
      Directory Traversal: YES alert: NO
      Web Root Traversal: YES alert: YES
      Apache WhiteSpace: YES alert: NO
      IIS Delimiter: YES alert: NO
      IIS Unicode Map: GLOBAL IIS UNICODE MAP CONFIG
      Non-RFC Compliant Characters: NONE
      Whitespace Characters: 0x09 0x0b 0x0c 0x0d
rpc_decode arguments:
    Ports to decode RPC on: 111 32771
    alert_fragments: INACTIVE
    alert_large_fragments: ACTIVE
    alert_incomplete: ACTIVE
    alert_multiple_requests: ACTIVE
Portscan Detection Config:
    Detect Protocols:  TCP UDP ICMP IP
    Detect Scan Type:  portscan portsweep decoy_portscan distributed_portscan
    Sensitivity Level: Low
    Memcap (in bytes): 10000000
    Number of Nodes:   36900

Tagged Packet Limit: 256

+-----------------------[thresholding-config]----------------------------------
| memory-cap : 1048576 bytes
+-----------------------[thresholding-global]----------------------------------
| none
+-----------------------[thresholding-local]-----------------------------------
| none
+-----------------------[suppression]------------------------------------------
| none
-------------------------------------------------------------------------------
Rule application order: activation->dynamic->pass->drop->alert->log
Log directory = /var/log/snort
Loading dynamic engine /usr/lib/snort_dynamicengine/libsf_engine.so... done
Loading all dynamic preprocessor libs from /usr/lib/snort_dynamicpreprocessor/...
  Loading dynamic preprocessor library /usr/lib/snort_dynamicpreprocessor//libsf_dns_preproc.so... done
  Loading dynamic preprocessor library /usr/lib/snort_dynamicpreprocessor//libsf_ftptelnet_preproc.so... done
  Loading dynamic preprocessor library /usr/lib/snort_dynamicpreprocessor//libsf_smtp_preproc.so... done
  Loading dynamic preprocessor library /usr/lib/snort_dynamicpreprocessor//libsf_dcerpc_preproc.so... done
  Loading dynamic preprocessor library /usr/lib/snort_dynamicpreprocessor//libsf_ssh_preproc.so... done
  Finished Loading all dynamic preprocessor libs from /usr/lib/snort_dynamicpreprocessor/
FTPTelnet Config:
    GLOBAL CONFIG
      Inspection Type: stateful
      Check for Encrypted Traffic: YES alert: YES
      Continue to check encrypted data: NO
    TELNET CONFIG:
      Ports: 23
      Are You There Threshold: 200
      Normalize: YES
      Detect Anomalies: NO
    FTP CONFIG:
      FTP Server: default
        Ports: 21
        Check for Telnet Cmds: YES alert: YES
        Identify open data channels: YES
      FTP Client: default
        Check for Bounce Attacks: YES alert: YES
        Check for Telnet Cmds: YES alert: YES
        Max Response Length: 256
SMTP Config:
      Ports: 25
      Inspection Type:            STATEFUL
      Normalize Spaces:           YES
      Ignore Data:                NO
      Ignore TLS Data:            NO
      Ignore Alerts:              NO
      Max Command Length:         0
      Max Header Line Length:     0
      Max Response Line Length:   0
      X-Link2State Alert:         YES
      Drop on X-Link2State Alert: NO

DCE/RPC Decoder config:
    Autodetect ports ENABLED
    SMB fragmentation ENABLED
    DCE/RPC fragmentation ENABLED
    Max Frag Size: 3000 bytes
    Memcap: 100000 KB
    Alert if memcap exceeded DISABLED

DNS config:
    DNS Client rdata txt Overflow Alert: ACTIVE
    Obsolete DNS RR Types Alert: INACTIVE
    Experimental DNS RR Types Alert: INACTIVE
    Ports: 53

+++++++++++++++++++++++++++++++++++++++++++++++++++
Initializing rule chains...
3382 Snort rules read
    3382 detection rules
    0 decoder rules
    0 preprocessor rules
3382 Option Chains linked into 263 Chain Headers
0 Dynamic rules
+++++++++++++++++++++++++++++++++++++++++++++++++++

Verifying Preprocessor Configurations!
Warning: flowbits key 'realplayer.playlist' is checked but not ever set.
Warning: flowbits key 'smb.tree.create.llsrpc' is set but not ever checked.
Warning: flowbits key 'ms_sql_seen_dns' is checked but not ever set.
Warning: flowbits key 'community_uri.size.1050' is set but not ever checked.
37 out of 512 flowbits in use.
***
*** interface device lookup found: eth0
***

Initializing Network Interface eth0
Decoding Ethernet on interface eth0
Preprocessor/Decoder Rule Count: 0
+--[Pattern Matcher:Aho-Corasick Summary]----------------------
| Alphabet Size    : 256 Chars
| Sizeof State     : 2 bytes
| Storage Format   : Full
| Num States       : 148353
| Num Transitions  : 4107188
| State Density    : 10.8%
| Finite Automatum : DFA
| Memory           : 120.96Mbytes
+-------------------------------------------------------------
+-[AC-BNFA Search Info Summary]------------------------------
| Instances        : 2
| Patterns         : 50
| Pattern Chars    : 245
| Num States       : 203
| Num Match States : 50
| Memory           :   6.87Kbytes
|   Patterns       :   1.21K
|   Match Lists    :   1.19K
|   Transitions    :   4.30K
+-------------------------------------------------

        --== Initialization Complete ==--

   ,,_     -*> Snort! <*-
  o"  )~   Version 2.7.0 (Build 35)  
   ''''    By Martin Roesch & The Snort Team: http://www.snort.org/team.html
           (C) Copyright 1998-2007 Sourcefire Inc., et al.

           Rules Engine: SF_SNORT_DETECTION_ENGINE  Version 1.6  <Build 11>
           Preprocessor Object: SF_SSH  Version 1.0  <Build 1>
           Preprocessor Object: SF_DCERPC  Version 1.0  <Build 4>
           Preprocessor Object: SF_SMTP  Version 1.0  <Build 7>
           Preprocessor Object: SF_FTPTELNET  Version 1.0  <Build 10>
           Preprocessor Object: SF_DNS  Version 1.0  <Build 2>
Not Using PCAP_FRAMES
0
 
scripttron75Author Commented:
Louis, good news: after reformatting it works now. I am on this part:

echo "#EmergingThreats.net Rules" >> /etc/snort/snort.conf
0
 
scripttron75Author Commented:
I know what the issue was: the Emerging Threats RULE_PATH lines at the end of the snort.conf file were not commented. All of them have to be commented.
0
 
scripttron75Author Commented:
I have gone through all of it and it is now working, no failure. Do we need to install the GUI for Snort?
0
 
scripttron75Author Commented:
Louis, please don't give up on me. We can do this.
0
 
louislietaerCommented:
Sorry, I was busy yesterday.

Well done. Which GUI do you want to go for?
0
 
scripttron75Author Commented:
The GUI that you said was better than BASE?
0
 
scripttron75Author Commented:
Also, install something to log incoming packets, like MySQL? Let's do the GUI first and get that going, and then I will post a screenshot.
0
 
scripttron75Author Commented:
You sent me a link for activeworx.org; can you help me get this installed and also log packets to a database? Also, if we are using a database, don't we have to worry about how large the database will become?
0
 
scripttron75Author Commented:
Louis, please let me know when you are available to help me finish this installation. Thank you.
0
 
louislietaerCommented:
Hello,

I am now available; what is going on?
0
 
scripttron75Author Commented:
Louis, I went with an easy solution to the install; it is called EasyIDS. It is CentOS with no GUI, and Snort is installed with everything. The only thing now is to figure out how it works.
0
 
scripttron75Author Commented:
Louis, I would love to give you the points, but do you know EasyIDS? If you do, great, give me some pointers.
0
 
scripttron75Author Commented:
did not complete installation
0
Question has a verified solution.