Need help with Snort

zenlakin

Newbie

Posts: 13

Joined: Thu May 19, 2011 6:45 am

Post Sat Sep 03, 2011 7:46 pm

Need help with Snort

Hello everyone. I am trying to get Snort up and running, and from what I can tell it is running: I am able to start it and to show traffic in verbose mode, but I can't for the life of me get any data to show in BASE or get any "test" rules that I have set up to fire at all... My install environment is as follows:

Windows 7 Ultimate host running Debian 6 in VMware. My VMware instance has 2 NICs: eth0 is set to host-only and eth1 is bridged. I have set up a test rule in local.rules to fire an alert any time there is ICMP traffic within my HOME_NET, and I have tried to ping both IPs assigned to my NICs on the VM from my host, and from the VM back to my host. The pings are successful, however there is no alert that fires... Any thoughts?

Zen
Lubinski

Newbie

Posts: 26

Joined: Fri Dec 03, 2010 1:34 pm

Post Sat Sep 03, 2011 9:27 pm

Re: Need help with Snort

Are you using barnyard2 to output? What does your snort.conf output line read?
zenlakin

Newbie

Posts: 13

Joined: Thu May 19, 2011 6:45 am

Post Sat Sep 03, 2011 10:52 pm

Re: Need help with Snort

I am not using barnyard. Just BASE via the web URL (http://localhost/acidbase). I am not sure what you are asking for in regards to the snort.conf output line... I will have to take a look at the conf file and see what that is set to, but I didn't change anything in regards to output in that file, so it would be whatever was default...
zenlakin

Newbie

Posts: 13

Joined: Thu May 19, 2011 6:45 am

Post Sun Sep 04, 2011 9:37 am

Re: Need help with Snort

I have been doing some reading and I am thinking there is something wrong with the way eth1 is set up, because if I am understanding things correctly, eth1 should not have an IP address since it should be running in promiscuous mode and only listening for traffic on the wire. I do have that interface set up in VMware as a Bridged connection, but when I boot up my Debian install which is running Snort, I see that eth0 and eth1 both have IP addresses assigned...
pseud0

Recruiters

Posts: 210

Joined: Sat Nov 17, 2007 8:26 pm

Location: Detroit, Michigan

Post Sun Sep 04, 2011 2:44 pm

Re: Need help with Snort

Not assigning an IP is more an issue for remaining undetected than anything to do with functionality. Out of curiosity, is there any type of threshold set for the rule you're using? Does it need to see more than X packets per Y seconds? Does it need to hit more than X IPs or Y ports?
CISSP, CISM, CISA, GCIH, GREM, CEH, HMFIC, KTHXBIROFLCOPTER
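An added example, not from this thread or from the tutorial linked below, of the minimal ICMP test rule and the snort.conf lines the replies ask about (threshold, HOME_NET, output), with the shell commands to confirm alerts before BASE is involved; the file paths and database credentials are assumed placeholders.

```snort
# /etc/snort/rules/local.rules (path assumed; Debian's package uses /etc/snort)
# Minimal ICMP test rule: no threshold or detection_filter, so a single echo
# request must raise it. "<>" matches both the request and the reply.
alert icmp $HOME_NET any <> $HOME_NET any (msg:"LOCAL ICMP test"; sid:1000001; rev:1;)

# /etc/snort/snort.conf: the lines worth checking while debugging.
# HOME_NET must contain the address you are pinging; "any" is the simplest
# value for a test and can be narrowed once alerts arrive.
var HOME_NET any
var EXTERNAL_NET any
var RULE_PATH /etc/snort/rules
include $RULE_PATH/local.rules

# Output: BASE only shows alerts that reach its database. Without barnyard2
# that means a direct database output line (credentials are placeholders).
output database: alert, mysql, user=snort password=CHANGEME dbname=snort host=localhost

# Verify from a shell, before BASE is involved:
#   snort -T -c /etc/snort/snort.conf                      # parse the config, report errors
#   snort -q -A console -c /etc/snort/snort.conf -i eth0   # print alerts as they fire
# Sniff the interface whose address you ping: a ping from the host to the
# eth0 (host-only) address never crosses eth1 (bridged). If alerts print on
# the console but never appear in BASE, the rule and interface are fine and
# the output/database side is what needs attention.
```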
zenlakin

Newbie

Posts: 13

Joined: Thu May 19, 2011 6:45 am

Post Tue Sep 06, 2011 6:53 pm

Re: Need help with Snort

I still couldn't get it to work, so I am starting over with a fresh VM with Debian 6. Anybody know of a good tutorial for setting up and configuring Snort in a VM using Debian?
zenlakin

Newbie

Posts: 13

Joined: Thu May 19, 2011 6:45 am

Post Tue Sep 06, 2011 7:21 pm

Re: Need help with Snort

This is the site I am following, only I have Debian in a VM:

http://www.aboutdebian.com/snort.htm
