
Snort Forums Archive


What systems are you using with Snort?


Posted by krolrules on November 04, 2005 04:05:56

Just joined snort.org, and will hopefully be using snort in our org soon!

For a great discussion, and a great basis, I thought it would be great to start a thread on what type of Linux brand/Server users have out there with snort running on.

1. What Brand and version of Linux OS.
2. How long you've been running snort.
3. What obstacles did you have to overcome (short list).
4. Best advice to give to someone new to snort.

I would just like to see what's out there in the real world. Thanks, and hopefully this discussion kicks off well!

-krolrules

Posted by gbobeck on November 07, 2005 21:20:38

Q1. I'm going to change your question a bit... I ran/run Snort on Win2k Server, WinXP Pro, FreeBSD 5.X, Gentoo 2005.1 Linux, Knoppix 3.9 / Loyoppix:S (shameless plug: http://webpages.cs.luc.edu/~loyoppix/) Linux. If I had a wee bit more time, I would try running it on Yellow Dog Linux 2.3 just for fun.

Q2. I've been running Snort since November 2004. I (we) had to install and run Snort as part of a project for our network security class at Loyola University Chicago.

Q3. The short list of obstacles:
1. use --with-mysql instead of --with-mysql= for my install.

2. some needed info (where snort.conf is left after install) not being present in documentation.

3. finding out that the passive ethernet tap as outlined on the docs page is NOT 1000Base-T compatible. I'm still looking into making a proper fix for this issue.

4. documentation for BASE is out of date.

Q4. My advice to Snort newbies:
1. **READ THE DOCUMENTATION AND HANDBOOK FIRST.** Sorry for the all caps, but they were necessary. Honestly, do this first and it will make everything easier for you.

2. If you aren't familiar with basic networking, please do a little reading and try to learn about CIDR and some basic networking information.

3. Always install from source and not from packages/portage. Most RPM's are created and compiled on a 386. This will hurt performance on your machine, especially under heavy load. Snort is very easy to install, and a custom compile will ensure better performance for your setup.

4. Learn and use good network security practices. Running Snort is good :-) but (for example) it won't protect you if your root password is 'password' and your box / network becomes 0wned.

5. Check your log files regularly. Running Snort is good :-) but never looking at its logs defeats the purpose of running Snort. There exists software which can aid in reading/processing/... your logs, such as BASE or (shameless plug!) my logger.py script ( http://www.cs.luc.edu/projects/comp412/dredd/downloads/ ) for example.

6. Update your rule files often.

7. Wear Sunscreen.
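
The log-review advice above is the kind of task a small script can take over. As an added example that is not part of gbobeck's post or his logger.py, the Python below parses Snort's one-line `alert_fast` output format and tallies alerts by signature, priority and source host; the sample lines, rule IDs and addresses are constructed placeholders.

```python
import re
from collections import Counter

# Constructed sample of Snort alert_fast lines (not real traffic); the last line
# is deliberately malformed to show that unparsable input is counted, not crashed on.
SAMPLE_ALERTS = """\
11/04-04:05:56.123456  [**] [1:1000001:1] LOCAL SSH brute-force attempt [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 10.0.0.5:44321 -> 192.168.1.10:22
11/04-04:05:57.223456  [**] [1:1000001:1] LOCAL SSH brute-force attempt [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 10.0.0.5:44322 -> 192.168.1.10:22
11/04-04:06:10.000001  [**] [1:1000002:2] LOCAL ICMP ping sweep [**] [Classification: Misc activity] [Priority: 3] {ICMP} 10.0.0.7 -> 192.168.1.10
11/04-04:07:00.500000  [**] [1:1000003:1] LOCAL HTTP directory traversal [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 10.0.0.5:50000 -> 192.168.1.20:80
garbage line that is not an alert
"""

# Field layout of alert_fast: timestamp, [gid:sid:rev], message, optional
# classification, priority, {protocol}, src[:port] -> dst[:port]. Ports are
# absent for ICMP, so they are optional groups.
ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?"
    r"\[Priority:\s*(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s*$"
)

def parse_alert(line):
    """Return the fields of one alert_fast line as a dict, or None if it does not match."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    fields = m.groupdict()
    fields["prio"] = int(fields["prio"])
    return fields

def summarize(text):
    """Count alerts per (sid, msg), per priority and per source; count lines that fail to parse."""
    by_sig, by_prio, by_src, skipped = Counter(), Counter(), Counter(), 0
    for line in text.splitlines():
        if not line.strip():
            continue
        alert = parse_alert(line)
        if alert is None:
            skipped += 1
            continue
        by_sig[(alert["sid"], alert["msg"])] += 1
        by_prio[alert["prio"]] += 1
        by_src[alert["src"]] += 1
    return {"by_sig": by_sig, "by_prio": by_prio, "by_src": by_src, "skipped": skipped}

if __name__ == "__main__":
    report = summarize(SAMPLE_ALERTS)
    for (sid, msg), n in report["by_sig"].most_common():
        print(f"{n:4d}  sid {sid}  {msg}")
    print("priority-1 alerts:", report["by_prio"][1], "| unparsed lines:", report["skipped"])
```

Point `summarize()` at the contents of Snort's `alert` file instead of the sample to get a daily digest; a jump in priority-1 counts or a new top source is the cue to open the full log.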

Posted by pratip on December 02, 2005 06:07:12

I am moving my company's IDS from ISS on Nokia IP330s to SNORT on OpenBSD on the same IP330s.
My current test box is a recycled workstation with 3 NICs.
- fxp0 is the primary interface that I used to reach the box
- fxp1 is a sniff interface
- fxp2 is another sniff interface.
The box is running BASE for the alert console.
In the first week, I have so far managed to get more useful information out of the test rig than the ISS system I inherited when I got here.

Next, I want to play with the new OpenBSD "trunk" interface to see if I can have one snort config listen to a trunk interface that is really 2 (or more) NICs.

My guide along the way has been the O'Reilly book, "Managing Security With SNORT and IDS Tools".

As for managing the IDS sensors, I intend to look at SNORT Center, as recommended in the book. Does the community have any other suggestions?

Cheers,

/pratip

Posted by dada on March 22, 2006 22:04:42

hi
I am Dadasaheb, I developed a small project using Winpcap and VC++.
The exe of that project is working on my com, but it is not working on the client's com without any error.
Can anybody help me with this problem?
Waiting for reply.
Dadasaheb

Posted by Sost on September 29, 2007 04:25:48

Sorry I entered your thread as an "intruder", as I see you have a lot of experience, gbobeck, see, I have the following problem (it's the same thing I've been posting in every forum):

What things does the Linux OS I will be running SNORT on need, to be able to, at least, run SNORT? I installed SuSE 9 from the beginning, this means it's a minimal installation, and I had to install PCRE's library already (a C compiler too...), what other things/modules will SNORT need, to START running on the SuSE (I am sure it's the same for SuSE 10)?

Thanks in advance!