General_Dark n00b
Joined: 03 Nov 2007 Posts: 10
Posted: Sun May 25, 2008 5:47 pm Post subject: Snort help, cant start it. |
Ok, so I just installed snort and I basically want it to check all traffic on ports 25, 80 and 443. So I went through the whole config file (thanks for all the comments!) and enabled what I thought was being used for that kind of sniffing. So far so good, but when I try to start the daemon I receive:
* Starting snort ... [ !! ]
* ERROR: snort failed to start
Ok, no big deal, I just check the logs; however, they don't contain any useful information. It just says how I've configured it, what types of attacks and such I'm looking out for.
Is my problem my syslog-ng, or is it something in Snort?
Running Gentoo 2007 with a 2.6.4 kernel.
Thanks in advance for the help
rada Apprentice
Joined: 21 Oct 2005 Posts: 202 Location: Ottawa, Canada
Posted: Sun May 25, 2008 6:02 pm Post subject:
Post /etc/conf.d/snort and /etc/snort/snort.conf.
Mine look like:
# cat /etc/conf.d/snort
Code:
# Config file for /etc/init.d/snort
# This tells snort which interface to listen on (any for every interface)
IFACE=eth1
# Make sure this matches your IFACE
PIDFILE=/var/run/snort_$IFACE.pid
# You probably don't want to change this, but in case you do
LOGDIR="/var/log/snort"
# Probably not this either
CONF=/etc/snort/snort.conf
# This pulls in the options above
SNORT_OPTS="-D -u snort -i $IFACE -c $CONF"
# cat /etc/snort/snort.conf
Code:
output database: log, mysql, user=snort dbname=snort_log password=snt host=localhost
AFAIK, snort will check all ports by default. It uses tcpdump.
General_Dark n00b
Joined: 03 Nov 2007 Posts: 10
Posted: Sun May 25, 2008 6:20 pm Post subject:
Sorry, should have done that directly. Didn't have more than one conf file though :/
Here it comes:
/etc/snort/snort.conf
Code:
var HOME_NET 192.168.1.0/24
var EXTERNAL_NET any
var SMTP_SERVERS $HOME_NET
var HTTP_SERVERS $HOME_NET
var HTTP_PORTS 80
var SMTP_PORTS 25
var HTTPS_PORTS 443
var SHELLCODE_PORTS !80
var RULE_PATH /etc/snort/rules
preprocessor flow: stats_interval 0 hash 2
preprocessor frag3_global: max_frags 65536 prealloc_frags 262144 memcap 512MB
preprocessor frag3_engine: policy linux \
detect_anomalies
preprocessor http_inspect: global \
iis_unicode_map unicode.map 1252
preprocessor http_inspect_server: server default \
profile all ports { 80 8080 8180 } oversize_dir_length 500
preprocessor bo
preprocessor smtp: \
ports { 25 } \
inspection_type stateful \
normalize cmds \
normalize_cmds { EXPN VRFY RCPT } \
alt_max_command_line_len 260 { MAIL } \
alt_max_command_line_len 300 { RCPT } \
alt_max_command_line_len 500 { HELP HELO ETRN } \
alt_max_command_line_len 255 { EXPN VRFY }
output alert_syslog: LOG_AUTH LOG_ALERT
output log_tcpdump: tcpdump.log
include classification.config
include reference.config
include $RULE_PATH/local.rules
include $RULE_PATH/bad-traffic.rules
include $RULE_PATH/exploit.rules
include $RULE_PATH/scan.rules
include $RULE_PATH/finger.rules
include $RULE_PATH/ftp.rules
include $RULE_PATH/telnet.rules
include $RULE_PATH/rpc.rules
include $RULE_PATH/rservices.rules
include $RULE_PATH/dos.rules
include $RULE_PATH/ddos.rules
include $RULE_PATH/dns.rules
include $RULE_PATH/tftp.rules
include $RULE_PATH/web-cgi.rules
include $RULE_PATH/web-coldfusion.rules
include $RULE_PATH/web-iis.rules
include $RULE_PATH/web-frontpage.rules
include $RULE_PATH/web-misc.rules
include $RULE_PATH/web-client.rules
include $RULE_PATH/web-php.rules
include $RULE_PATH/sql.rules
include $RULE_PATH/x11.rules
include $RULE_PATH/icmp.rules
include $RULE_PATH/netbios.rules
include $RULE_PATH/misc.rules
include $RULE_PATH/attack-responses.rules
include $RULE_PATH/oracle.rules
include $RULE_PATH/mysql.rules
include $RULE_PATH/snmp.rules
include $RULE_PATH/smtp.rules
include $RULE_PATH/imap.rules
include $RULE_PATH/pop2.rules
include $RULE_PATH/pop3.rules
include $RULE_PATH/nntp.rules
include $RULE_PATH/other-ids.rules
include $RULE_PATH/experimental.rules
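A preflight check for a snort.conf like the one above, added here as an example and not code from the thread: it expands the `var` definitions and prints every `include` target that does not exist on disk, since a missing rules file makes snort exit before the log says anything useful. The demo config is constructed, and the script assumes snort resolves relative include paths against the directory holding snort.conf.

```shell
#!/bin/sh
# Added preflight check for a Snort 2.x snort.conf (not code from this thread).
# It expands the "var NAME value" definitions and prints every "include" target
# that does not exist on disk, so a missing rules file is caught before
# starting the daemon. Relative include paths are resolved against the
# directory holding snort.conf (an assumption about how snort resolves them).

snort_missing_includes() {
    conf="$1"
    confdir=$(dirname "$conf")
    for inc in $(grep -E '^[[:space:]]*include[[:space:]]' "$conf" | awk '{print $2}'); do
        path="$inc"
        case "$path" in
            \$*)
                # "$RULE_PATH/foo.rules": look up RULE_PATH among the var lines
                name=${path#\$}; name=${name%%/*}
                value=$(awk -v n="$name" '$1 == "var" && $2 == n { print $3 }' "$conf" | tail -n 1)
                rest=${path#\$}; rest=${rest#$name}
                path="$value$rest"
                ;;
        esac
        case "$path" in
            /*) ;;                       # already absolute
            *)  path="$confdir/$path" ;; # relative: next to snort.conf
        esac
        [ -f "$path" ] || printf '%s\n' "$path"
    done
}

# Constructed demo: a temporary config dir with some include targets present and
# some deliberately absent; prints the absent ones.
demo_preflight() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/rules"
    : > "$tmp/rules/local.rules"
    : > "$tmp/classification.config"
    cat > "$tmp/snort.conf" <<EOF
var HOME_NET 192.168.1.0/24
var RULE_PATH $tmp/rules
include classification.config
include reference.config
include \$RULE_PATH/local.rules
include \$RULE_PATH/web-php.rules
EOF
    snort_missing_includes "$tmp/snort.conf"
    rm -rf "$tmp"
}

demo_preflight
```

Snort's own `-T` switch does this and more (`snort -T -c /etc/snort/snort.conf -i eth1`), and running it without `-D` prints the reason for a failed start to the terminal instead of to syslog.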