[Gloucs] Snort!
Jill Tovey
gloucs at mailman.lug.org.uk
Fri Apr 4 16:37:00 2003
On Fri, 2003-04-04 at 11:46, Gareth Bromley wrote:
> On 1 Apr 2003, Jill wrote:
>> I am at the stage where I am adding the sensor agent, the
>> information I am typing in is as follows:
>> enable sensor - ticked yes
>> sensor name - snort
>> sensor ip - 192.168.0.2
>> sensor port - 2525
>> username - admin
>> password - ******
>> Sensor Agent Type - snort centre agent v1 (ssl enabled)
>> Interface name to sniff - eth0
>> Snort command line - -U -o
> OK, what version of Snort are you running, what addons and what Linux
> platform?
snort 1.9.1 on Mandrake 9,
I have configured (or not) snort to run with the following:
Apache-1.3.26
MySQL-3.23.52-Max
mod_ssl-2.8.10
Openssl-0.9.6i
PHP-4.2.3
ACID-0.9.6
jpgraph-1.9.1
snortcenter-agent-v0.1.6
snortcenter-v0.9.6
Net_SSLeay.pm-1.20
gd-1.8.4
adodb250
(I think that's everything ;-) )
>> Now, when I go to view sensor it says this:
>> snort ->eth0 Can't Connect to 192.168.0.2:2525 Retry Connecting
> What package is this in?
>> Sensor Message sh: line 1: curl: command not found
> Looks like a PATH setting problem or lack of curl on your platform.
This morning I tried reinstalling curl again with the following
commands:
./configure --with-ssl --enable-ssl
make
make install
and nothing has changed.
I'm not sure how to check that it is installed on the management console
though, or whether it is in my path.
>> I have tried a few variations on the sensor - such as using jt.mandrake
>> (my hostname), 127.0.0.1, etc. I have also put an extra ethernet card in
>> and tried using that but it shouldn't and didn't make a difference.
> How many network cards do you have in your Snort sensor?
> Using only 1 leaves it open to direct network attack, and you should use a
> separate promisc card unaddressed to sniff the network.
I am using snort on my everyday PC, so it's not going in a DMZ or
anything (I don't have an extra PC), but I have another network card in
this PC. Using it doesn't seem to make a difference to the sensor;
I'll fiddle around with that though, as I am not entirely sure I've got
it right.
>> Now, when I go to https://localhost:2525/
>> I find this error:
>> Current config file error:
>> sh: line 1: /usr/sbinsnort: No such file or directory
> Again what tool are you using?
> Cheers
> Gareth
> _______________________________________________
> gloucs mailing list
> gloucs@mailman.lug.org.uk
> http://mailman.lug.org.uk/mailman/listinfo/gloucs
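The two sensor errors quoted in this message, "curl: command not found" and "/usr/sbinsnort: No such file or directory", are a PATH lookup failure and a directory value concatenated with a binary name without a separator. The POSIX shell script below is an added example, not code from the original thread or from SnortCenter: it reproduces both failures and the checks that diagnose them. The temporary directory, the fake curl and snort binaries, and the PATH strings it uses are all constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not code from the original thread or from SnortCenter.
# It reproduces the two sensor errors from the message above with
# constructed paths: "curl: command not found" (a PATH lookup failure)
# and "/usr/sbinsnort: No such file or directory" (a directory and a
# binary name joined without a slash). The temp directory, the fake
# curl/snort binaries and the PATH strings below are all constructed.

# Look a command up on an explicit PATH string (defaults to $PATH).
# Prints the resolved path and returns 0, or returns 1 if not found.
find_in_path() {
    _cmd=$1
    _path=${2:-$PATH}
    _saved_ifs=$IFS
    IFS=:
    for _dir in $_path; do
        if [ -f "$_dir/$_cmd" ] && [ -x "$_dir/$_cmd" ]; then
            IFS=$_saved_ifs
            printf '%s\n' "$_dir/$_cmd"
            return 0
        fi
    done
    IFS=$_saved_ifs
    return 1
}

# Join a directory and a file name with exactly one slash between them,
# whether or not the directory value already ends in "/".
join_path() {
    printf '%s/%s\n' "${1%/}" "$2"
}

# True if the path names an executable regular file.
check_exec() {
    [ -f "$1" ] && [ -x "$1" ]
}

demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/usr/local/bin" "$tmp/usr/sbin"
    # Fake binaries standing in for a source-built curl and for snort.
    printf '#!/bin/sh\necho fake curl\n' > "$tmp/usr/local/bin/curl"
    printf '#!/bin/sh\necho fake snort\n' > "$tmp/usr/sbin/snort"
    chmod 755 "$tmp/usr/local/bin/curl" "$tmp/usr/sbin/snort"

    # "make install" puts curl under /usr/local/bin by default; a daemon
    # started from an init script often runs with a PATH that omits it.
    daemon_path="$tmp/bin:$tmp/usr/bin:$tmp/usr/sbin"
    if find_in_path curl "$daemon_path" >/dev/null; then
        echo "curl found on the daemon PATH"
    else
        echo "sh: curl: command not found (PATH=$daemon_path)"
    fi
    # The same lookup succeeds once /usr/local/bin is on the PATH.
    find_in_path curl "$daemon_path:$tmp/usr/local/bin"

    # A snort directory setting without a trailing slash, concatenated
    # with the binary name, yields the "/usr/sbinsnort" in the error.
    bad="$tmp/usr/sbin"snort
    good=$(join_path "$tmp/usr/sbin" snort)
    check_exec "$bad"  || echo "sh: $bad: No such file or directory"
    check_exec "$good" && echo "snort binary resolves to $good"
    rm -rf "$tmp"
}

demo
```

On a real sensor, run `find_in_path curl` (or plain `command -v curl`) as the same user and from the same environment that starts the agent, not from an interactive login shell, since the two often have different PATH values; a curl built from source with `make install` lands in /usr/local/bin unless configured otherwise. The "/usr/sbinsnort" text points at a snort path setting in the agent's configuration that lacks its trailing slash or the binary name; the exact field is not shown in the thread, so check the value there. To follow Gareth's advice on a dedicated sniffing card, bring the second interface up with no address (`ifconfig eth1 0.0.0.0 up` on a 2003-era system) and point the "Interface name to sniff" field at it.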