Re: [SLUG] Snort!

From: Russell Hires (rhires@earthlink.net)
Date: Sun Jul 28 2002 - 09:21:53 EDT


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

These instructions are great! But I'm a debian fan, so that means apt-get. I
already have postgresql set up, I'm good there, too.

> Edit the snort.conf and set:
Now, the fun part...
>
> var HOME_NET $eth0_ADDRESS
>
> for whichever interface is the external interface on your firewall, or:
>
> var HOME_NET [192.168.1.0/24]
>
> where the CIDR is the address range of the network that you consider
> "yours".

I'm confused by these instructions. For me, my home network is eth1 (ip =
192.168.1.2), and the rest of the internet is on ppp0 (aka external
interface), which is what I get assigned because of my dsl connection (ip =
4.62.115.xx). So here I want to set the eth1 address, or the ppp0 address?

> $HOME_NET is frequently used as a "target" address for snort rules, so
> make sure that you set it to whatever range of addresses you'd like to
> get snort alerts on. i.e. if you just have one external address on RR,
> just use the $eth0_ADDRESS option - <snip> (And of course $eth1_ADDRESS is
> just as valid or $ppp_ADDRESS - whatever your external interface.)

So my HOME_NET _is_ my external address? I've got ppp0 as the external, and
eth1 as internal. I want to detect what's coming from the outside, which is
ppp0, right?

> Then set
>
> var EXTERNAL_NET !$HOME_NET
>
> $EXTERNAL_NET is used as the "source" for a lot of rules to match, so
> this should be anything NOT your $HOME_NET.
>
> A lot of rules wind up looking something like:
>
> "where source is $EXTERNAL_NET and dest is $HOME_NET ...."
>
> so those are two of the most important settings to tweak <snip>

> Then set
>
> var RULE_PATH /usr/local/etc/snort/rules

I've got debian (didn't I say that? :-) so I'm not sure how this applies. I
guess I'll check the docs for debian on this.

<snip>
>
> The hardest part of getting any useful information out of snort is
> getting any information at all out of snort. Logging to a database and
> using ACID is probably the most user-friendly and useful way, so
> you'll need to scan down the config file for output plugins and find the
> database methods. Configure it as appropriate for the database you've
> set up by the examples given.

<snip>
I'll play with this, too. Sounds like fun!

>
> Once you've got that all set up, start snort:
>
> /usr/local/bin/snort -c /usr/local/etc/snort/snort.conf -i eth0 -l
> /var/log/snort -u snort -D
>
<snip>
- ---debian again. When I installed snort through apt-get, I was asked a few
questions, such as what is my home network...

<snip>
> Do a "ps" and see if snort is running. If not, tail your
> /var/log/daemon.log and see if it spit out an error message. Generally
> the error messages are pretty self-explanatory, so you should be able to
> figure out what the problem was and fix it.

Good advice! I wouldn't have known where to look otherwise.

> Depending on how you have logging set up, you may start to see things
> appear in your database, in /var/log/auth.log and/or in files located in
> /var/log/snort/. I generally have a CRON job that runs nightly that
> just does a "stop/start" on the SNORT process (you can find the PID in
> /var/run/snort_$iface.pid) so the logs in /var/log/snort will roll
> over, otherwise they can get pretty big if you get a lot of traffic.

I have nothing in my logs yet. I've only been running for 24 hours or so.

<major snip>
>
> I will give you a hint though - the WORST thing you can see in your
> snort logs is an alert that says "Successful exploit."

This is the best tutorial I've seen :-) Thanks!

Russell
- --
Linux -- the OS for the Renaissance Man
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE9Q+/xAqKGrvVshJQRAmlrAKD5sEW9FLCQXtbDaSOn1VvMuzk1vQCg6/ra
XBqOZ0W1g9c+ZROxSitrylM=
=Y8qn
-----END PGP SIGNATURE-----
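An added example, not from Russell's mail or from the post he quotes: a small POSIX shell helper that ties together the snort.conf variables (HOME_NET, EXTERNAL_NET, RULE_PATH), the "ps and tail daemon.log" check, and the nightly stop/start log rollover discussed above. It assumes the paths the quoted post uses (/usr/local/bin/snort, /usr/local/etc/snort/snort.conf, /var/run/snort_$iface.pid, /var/log/daemon.log); the sample config picks the internal 192.168.1.0/24 range as HOME_NET, which is one of the two choices the quoted post offers, and the function names are my own.

```shell
#!/bin/sh
# Added example: helper functions for the snort.conf variables and the
# running/rollover checks from the thread. Paths are assumptions taken
# from the quoted post; adjust for a Debian package install.

# Constructed snort.conf fragment: LAN on eth1 (192.168.1.0/24) chosen as
# HOME_NET, EXTERNAL_NET as everything that is NOT HOME_NET, so rules of the
# form "source $EXTERNAL_NET -> dest $HOME_NET" fire on inbound traffic.
SAMPLE_CONF='var HOME_NET [192.168.1.0/24]
var EXTERNAL_NET !$HOME_NET
var RULE_PATH /usr/local/etc/snort/rules'

# Print the value of "var NAME value" read from stdin (single-token values).
snort_var() {
    awk -v name="$1" '$1 == "var" && $2 == name { print $3; exit }'
}

# Return 0 when HOME_NET is set and EXTERNAL_NET is its complement, the two
# settings the quoted post calls the most important to tweak. Leaving both
# at "any" makes the source/dest split in the rules meaningless.
check_net_vars() {
    conf="$1"
    home=$(printf '%s\n' "$conf" | snort_var HOME_NET)
    ext=$(printf '%s\n' "$conf" | snort_var EXTERNAL_NET)
    [ -n "$home" ] && [ "$ext" = '!$HOME_NET' ]
}

# PID file snort writes per interface, as named in the quoted post.
snort_pidfile() {
    printf '/var/run/snort_%s.pid\n' "$1"
}

# Return 0 if the PID in the given file belongs to a live process.
# kill -0 only reports processes you may signal, so run this as root.
snort_alive() {
    pidfile="$1"
    [ -r "$pidfile" ] || return 1
    pid=$(head -n 1 "$pidfile" | tr -dc '0-9')
    [ -n "$pid" ] && [ "$pid" -gt 1 ] && kill -0 "$pid" 2>/dev/null
}

# The "is it running?" step: if not, show the tail of daemon.log, which is
# where the (usually self-explanatory) startup error lands.
snort_status() {
    pidfile=$(snort_pidfile "$1")
    if snort_alive "$pidfile"; then
        echo "snort is running on $1 (pid $(cat "$pidfile"))"
    else
        echo "snort is not running on $1; last daemon.log lines:" >&2
        tail -n 20 /var/log/daemon.log >&2
        return 1
    fi
}

# Nightly stop/start so the files in /var/log/snort roll over; install as
# e.g. "0 3 * * * /usr/local/sbin/snort-helper.sh roll ppp0" in root's crontab.
snort_roll() {
    iface="$1"
    pidfile=$(snort_pidfile "$iface")
    if snort_alive "$pidfile"; then
        kill "$(cat "$pidfile")"
        sleep 2
    fi
    /usr/local/bin/snort -c /usr/local/etc/snort/snort.conf -i "$iface" \
        -l /var/log/snort -u snort -D
}

# Command dispatch; does nothing when sourced or run without arguments.
case "${1:-}" in
    check)  check_net_vars "$(cat "${2:-/usr/local/etc/snort/snort.conf}")" \
                && echo "HOME_NET/EXTERNAL_NET look sane" ;;
    status) snort_status "${2:-eth0}" ;;
    roll)   snort_roll "${2:-eth0}" ;;
esac
```

Usage: `snort-helper.sh check /etc/snort/snort.conf` before starting, `snort-helper.sh status ppp0` after, and the `roll` form from cron. The check only reads single-token `var` values; a HOME_NET list with spaces would need a fuller parser.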



This archive was generated by hypermail 2.1.3 : Fri Aug 01 2014 - 14:45:23 EDT