[Snort-users] New user question(s)
Chris

2004-09-22, 10:25 pm

I've set up snort, modified the snort.conf, and have it running, but reading the
FAQ I've got a few questions.

1. What is the difference in running snortd vice snort w/cl parameters?
2. Reading the FAQ it states to start snort with snort -A full -c
snort.conf then in the next line it states:

Note that the default output mode (-A full) of snort should not be used
except in very controlled environments. It is the slowest way to run snort and
presents several hard to recover from problems with inode creation on
filesystems.

So, if this causes problems, how then should snort be started?

3. I run no servers on my box. I've set it up in the belief that it would
complement my firewall. If my firewall is working sufficiently in my
opinion, then do I even need to run an IDS?

I apologize in advance for the seemingly "dumb newbie questions"

--
Chris




-------------------------------------------------------
This SF.Net email is sponsored by: YOU BE THE JUDGE. Be one of 170
Project Admins to receive an Apple iPod Mini FREE for your judgement on
who ports your project to Linux PPC the best. Sponsored by IBM.
Deadline: Sept. 24. Go here: http://sf.net/ppc_contest.php
_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists...nfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf....ist=snort-users
Jason

2004-09-22, 10:25 pm



Chris wrote:
> I've setup snort, modified the snort.conf, have it running, but, reading the
> FAQ I've got a few questions.
>
> 1. What is the difference in running snortd vice snort w/cl parameters?
> 2. Reading the FAQ it states to start snort with snort -A full -c
> snort.conf then in the next line it states:
>
> Note that the default output mode (-A full) of snort should not be used
> except
> in very controlled environments. It is the slowest way to run snort and
> presents several hard to recover from problems with inode creation on
> filesystems.
>
> So, if this causes problems, how then should snort be started?


You should use unified or binary logging; unified output is preferred
these days, since you can get everything you need by post-processing the
files using barnyard. The documentation for barnyard is in the tarball
available at snort.org:

http://www.snort.org/dl/barnyard/


>
> 3. I run no servers on my box. I've set it up in the belief that if would
> compliment my firewall. If my firewall is working sufficiently in my
> opinion, then do I even need to run an IDS?


Absolutely needed. Your firewall does not protect from application-level
attacks and is subject to configuration issues; the IDS is a great
complement to the firewall, allowing you to audit what is really happening.

>
> I apologize in advance for the seemingly "dumb newbie questions"
>




Matt Kettler

2004-09-22, 10:25 pm

At 09:29 PM 9/21/2004, Chris wrote:
>1. What is the difference in running snortd vice snort w/cl parameters?


This I don't know. I've never heard of snortd before.

>2. Reading the FAQ it states to start snort with snort -A full -c
>snort.conf then in the next line it states:
>
>Note that the default output mode (-A full) of snort should not be used
>except
>in very controlled environments. It is the slowest way to run snort and
>presents several hard to recover from problems with inode creation on
>filesystems.
>
>So, if this causes problems, how then should snort be started?



snort -A full -c snort.conf is a good starting point, but the manual is
correct that you probably don't want to use this for long-term production.

Eventually you'll want to shift to something faster. I use the equivalent
of snort -A fast -b, but much of mine is specified in snort.conf.

In production, most people use SQL logging, to feed something like ACID or
BASE, or barnyard.

Some, like me, still use text logs, but log packet captures as binary pcap
to maintain speed.





>3. I run no servers on my box. I've set it up in the belief that if would
>compliment my firewall. If my firewall is working sufficiently in my
>opinion, then do I even need to run an IDS?


Does your firewall process the application layer, in detail, for attack
patterns?

Will your firewall recognize packets containing backdoor "phone home"
patterns? On outbound traffic?

Firewalls are *great* tools. However, they don't serve the same functions
as an IDS. An IDS helps you see anomalies in your traffic. It examines
packets in-depth to find suspect patterns in the actual packet payload, not
just the headers.

The only firewall product I know of that comes close to an IDS is a
netscreen with the deep-inspection feature. But even this is quite limited
by comparison to a true IDS.







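The "-A fast" mode recommended above writes one line per alert, which is what you end up post-processing instead of the per-alert files that "-A full" creates. Added example (not from the thread or the Snort project): a small parser and summariser for that one-line alert format, run over constructed sample lines; the sample addresses and signature names are made up for illustration.

```python
import re
from collections import Counter

# Constructed sample of Snort "-A fast" alert lines (not a real capture):
# timestamp [**] [gid:sid:rev] message [**] [Classification] [Priority] {proto} src -> dst
SAMPLE_FAST_LOG = """\
09/22-10:25:01.123456  [**] [1:2003:2] MS-SQL Worm propagation attempt [**] [Classification: Misc Attack] [Priority: 2] {UDP} 192.0.2.10:1434 -> 198.51.100.5:1434
09/22-10:25:03.000001  [**] [1:1256:7] WEB-IIS CodeRed v2 root.exe access [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 192.0.2.10:4921 -> 198.51.100.5:80
09/22-10:26:44.500000  [**] [1:469:1] ICMP PING NMAP [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 203.0.113.7 -> 198.51.100.5
this line is not an alert and should be skipped
"""

FAST_ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s+(?P<cls>[^\]]+)\]\s+)?"   # classification is optional
    r"\[Priority:\s+(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>\w+)\}\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)$"
)

def split_endpoint(ep):
    # TCP/UDP endpoints are ip:port; ICMP alerts carry a bare address.
    if ":" in ep:
        ip, port = ep.rsplit(":", 1)
        return ip, int(port)
    return ep, None

def parse_fast_alert(line):
    """Return a dict for one fast-mode alert line, or None if it is not one."""
    m = FAST_ALERT_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["prio"] = int(rec["prio"])
    rec["src_ip"], rec["src_port"] = split_endpoint(rec["src"])
    rec["dst_ip"], rec["dst_port"] = split_endpoint(rec["dst"])
    return rec

def summarize(text):
    """Counts by priority and source, plus the messages of priority-1 alerts."""
    alerts = [a for a in (parse_fast_alert(l) for l in text.splitlines()) if a]
    return {
        "total": len(alerts),
        "by_priority": Counter(a["prio"] for a in alerts),
        "by_src": Counter(a["src_ip"] for a in alerts),
        "high": [a["msg"] for a in alerts if a["prio"] == 1],
    }
```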
Harper, Patrick

2004-09-22, 10:25 pm

When you say snortd are you talking about the init script?
Chris

2004-09-22, 10:25 pm

On Wednesday 22 September 2004 01:25 pm, Harper, Patrick wrote:
> When you say snortd are you talking about the init script?
>

A snortd script was installed in my /etc/rc.d/init.d folder. When running
./snortd from the cli as root I get "snortd start|stop|restart|status";
below is a portion of the script that starts snort:

# See how we were called.
case "$1" in
start)
	if [ -x /usr/sbin/snort -a ! -e /var/lock/subsys/snort ]; then
		gprintf "Starting snort: "
		cd /var/log/snort
		# -u/-g: run as user and group "snort"; -s: also send alerts to syslog;
		# -d: dump application-layer data; -D: daemon mode; -i: interface to sniff;
		# -l: log directory; -c: configuration file
		daemon /usr/sbin/snort -u snort -g snort -s -d -D \
			 -i ${INTERFACE} -l /var/log/snort -c /etc/snort/snort.conf
		touch /var/lock/subsys/snort
		echo
	else
		gprintf "Snort already running.\n"
	fi
	;;
esac

I'm going to have to search to see what the -u -g -s -d -D mean.

I'm running Mandrake 9.0 with snort 1.8.7-3mdk.

--
Chris
Registered Linux User 283774 http://counter.li.org
5:07pm up 14 days, 21:47, 1 user, load average: 0.26, 0.10, 0.08
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~~~~~~~~~~~~~~
Please forgive me if, in the heat of battle, I sometimes forget which
side I'm on.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~~~~~~~~~~~~~~



Harper, Patrick

2004-09-22, 10:25 pm

That is the init script. It will tell snort to start with whatever
options you plug into it. Just a script.

Mine simply tells the system to use eth0 and to start snort -c
/etc/snort/snort.conf. My conf file tells snort (the binary) the
environment variables, where the rules are, and what to output to.
Hope that helps.

Copyright 2003 - 2010 webservertalk.com