Snort Forums Archive
Snort + SnortSam; Configuration Check
Posted by codyd on June 11, 2005 20:01:43
Hello, All.
I'm new to the list-- maybe I'm doing this correctly. ;)
I'm attempting to be thorough with my setup information; please excuse
the lengthy email.
I've downloaded the following binaries from the awesome SnortSam website:
snortsam-opsec-2.31.tar.gz
snort-2.3-mysql-sam.tar.gz
Both files have been extracted and the binaries have been placed in /usr/local/bin/ with execute permissions.
I'm running Slackware 10.1 with kernel 2.6.11.11.
In the rc.local file, I've placed the following commands:
/usr/local/bin/snortsam /etc/snortsam.conf &
/usr/local/bin/snort -c /etc/snort/snort.conf -i eth1 -g snort &
Obviously, the snortsam configuration file is located at
/etc/snortsam.conf and the snort configuration file is located at
/etc/snort/snort.conf. Snort rules are located at /etc/snort/rules/.
I've modified the snort.conf file and made the following changes:
var HOME_NET 192.168.1.0/24
var RULE_PATH /etc/snort/rules/
# preprocessor xlink2state: ports { 25 691 }
output database: log, mysql, user=snort password=snort dbname=snort host=localhost
output alert_fwsam: localhost
No other changes than those listed above have been made to the snort.conf file.
The snortsam.conf file contains the following:
accept 192.168.1.0/24
accept localhost
accept 127.0.0.1
iptables eth1 log
I'm using "BASIC" to display the alerts. Snort is successfully
logging the alerts; however, I can't seem to make SnortSam actually
block events (e.g., port scans) via IpTables.
If anyone could offer any assistance via suggestions/recommendations,
tutorials, links, etc., it would be greatly appreciated!
Thanks!
Cody
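Added example, not part of the thread and not SnortSam's own code: SnortSam only acts on alerts raised by rules that carry the fwsam rule option (fwsam: who[how], duration;), so one useful configuration check is to list which rules under /etc/snort/rules actually have it. The script below and the two sample rules embedded in it are constructed for illustration.

```python
"""Added example (not from the thread): report which Snort rules carry the
SnortSam ``fwsam`` option.  SnortSam only blocks on alerts raised by rules
that include ``fwsam: <who>[how], <duration>;``; a rules directory with none
of them produces alerts but never a block."""
import re
from pathlib import Path
from typing import Dict, List

# The fwsam rule option; the duration is free-form text such as "5 minutes".
FWSAM_OPT = re.compile(r"\bfwsam\s*:\s*([^;]+);", re.IGNORECASE)
SID_OPT = re.compile(r"\bsid\s*:\s*(\d+)\s*;")

def classify_rules(rule_text: str) -> Dict[str, List[str]]:
    """Split rule text into rules SnortSam will act on and rules that only alert."""
    result: Dict[str, List[str]] = {"blocking": [], "alert_only": []}
    buf = ""
    for raw in rule_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):  # rule continued on the next line
            buf += line[:-1] + " "
            continue
        rule, buf = buf + line, ""
        sid = SID_OPT.search(rule)
        label = f"sid:{sid.group(1)}" if sid else rule[:40]
        key = "blocking" if FWSAM_OPT.search(rule) else "alert_only"
        result[key].append(label)
    return result

def check_rules_dir(rules_dir: str) -> Dict[str, List[str]]:
    """Run classify_rules over every *.rules file under rules_dir (e.g. /etc/snort/rules)."""
    combined: Dict[str, List[str]] = {"blocking": [], "alert_only": []}
    for path in sorted(Path(rules_dir).glob("*.rules")):
        for key, labels in classify_rules(path.read_text(errors="replace")).items():
            combined[key].extend(labels)
    return combined

# Constructed sample: a stock-style alert rule and the same rule with fwsam added.
SAMPLE_RULES = """\
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"SSH probe (constructed)"; flags:S; sid:1000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"SSH probe, block (constructed)"; flags:S; \\
    fwsam: src, 5 minutes; sid:1000002; rev:1;)
"""

if __name__ == "__main__":
    print(classify_rules(SAMPLE_RULES))
```

Run check_rules_dir("/etc/snort/rules") on the sensor; an empty "blocking" list means no alert can ever reach SnortSam as a block request, whatever the output plugin and snortsam.conf say.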
Posted by roesch on June 29, 2005 18:20:09
I think this is a better question for Frank Knobbe, maintainer of SnortSAM...
-Marty