Ubuntu Security :: Snort Maxing A CPU On Return From Suspend?
May 10, 2010
I am running Lucid on this machine, but I have had this problem on every machine with Snort. When I awaken the system from suspend or hibernation, snort pegs out one of the CPUs.
View 4 Replies
May 12, 2011
I need assistance with my Snort installation. I used Bodhi Zazen's Network Intrusion Detection System post and found it easier than the previous time I had done it. I am currently running Ubuntu 10.04 server and Snort 2.8.6.1 with BASE 1.4.5. I followed Bodhi Zazen's instructions, and when I tested snort it ended with a fatal error due to ERROR: /etc/snort/rules/exploit.rules(264) => 'fast_pattern' does not take an argument
Fatal Error, Quitting.. Here is the entire output once I ran the test command: snort -c /etc/snort/snort.con -T Running in Test mode
[Code]...
View 2 Replies
May 6, 2010
I upgraded to 4.4.3 from 4.4.2 this morning from AlienBob's packages (although I see they are now part of -current, but the mirrors are still behind) and I can no longer return from suspend on my laptop. I get a black screen with a mouse pointer that moves freely but it does not bring up my desktop. Ctrl-Alt-Backspace will bring me back to the console as it should, but this is a huge step backward. A few times I got a message about a new screen being detected after resuming but now it's just blank. I am running an intel onboard graphics card on an Asus laptop.
View 1 Replies
Feb 4, 2011
I am currently running snort as an IDS on the same machine that acts as our gateway. I installed it using sudo apt-get install snort. However, I'd like to make it run as an IPS. Is it possible to convert the currently running snort instance from running as an IDS to an IPS without having to download the snort tarballs and install it? I do not want the tarballs because during updates and upgrades, I'd like the whole OS and installed apps (such as snort) to be upgraded.
View 1 Replies
Sep 19, 2010
I'm using Ubuntu 8.04. Each time I return from suspend mode, the network icon in the upper right corner shows a "!" sign, which may mean there's limited network connection, as in Windows. How can I solve this problem?
View 1 Replies
Sep 1, 2011
How do I enable IPv6 in snort? I read that it must be compiled with --enable-ipv6 but still don't know how.
View 2 Replies
Jun 5, 2011
In 2.6.37rc and later, there began an issue with regard to resuming my bttv card after suspend. The problem is that the tuner device is no longer seen upon resume after suspend. Luckily, I have found that the issue appears only when both bttv and radeon are loaded prior to suspend. So I am able to resolve/avoid the issue if:
1) bttv loaded and radeon unloaded
2) bttv unloaded and radeon loaded
While I may revisit bisecting, I would like to have a pretty good idea of what to focus on. I have already tried to slim down the kernel to the key drivers during bisect, but I want to look more at how the interaction of the two drivers plays into it. What I need is some background on suspend, some hardware specs, or some type of suspend debugger/hints on where to look. Since the tuner is a dead simple device, it is hard to see where it could go wrong. So perhaps it is the PCI bus. The radeon card is PCI-X, and the tuner card is PCI. But it could also be I2C or SMBus? Also note that in the prior kernel, 2.6.36, it is perfectly fine.
View 1 Replies
Jan 8, 2010
I would like to disable the login screen when the computer returns from suspension and hibernation, so that it will automatically log me back in. I am using Ubuntu 9.10. When I come back from suspension, for some reason, my keyboard does not work in the login screen and I cannot type my password.
View 9 Replies
Dec 5, 2010
I want to set up snort on my F13 home computer. Is there a simple way to do it or do I have to do it the hard way (compiling and stuff)? I want to use snort for intrusion prevention and to detect possible threats from the internet.
View 3 Replies
Mar 3, 2010
I have installed snort + mysql + acid base. I added some rules into /etc/snort/rules/local.rules to test the alert:
Code:
# Rules as posted; the stray ";;" in the second rule and the missing ")" in the third are fixed
alert icmp 192.168.1.20 any -> 192.16.1.21 any (flags:A;ack:0;msg:"NMap icmp ping";)
alert icmp 192.168.1.20 any -> 192.16.1.21 any (content:"abcdefgh";msg:"ping de windows";)
alert icmp 192.168.1.20 any <> 192.16.1.21 any (flags:S; msg:"HOULA SYN Packet!";)
After I restarted snort and tied two PCs together by a crossover cable (192.168.1.20 for Windows and the victim is 192.168.1.21 for Linux, where snort is installed), my HOME_NET is 192.168.1.21 and the EXTERNAL_NET is !$HOME_NET. The problem is when I run:
snort -dvi eth0 -c /etc/snort/snort.conf
I see the packets transmitted and received (the received content "abcdefgh"), but when I stopped snort with CTRL+C I didn't find any alert in the result!!! Run time prior to being shutdown was 218.523030 seconds.
Packet Wire Totals:
Received: 1346
Analyzed: 1342 (99.703%)
Dropped: 0 (0.000%)
Outstanding: 4 (0.297%) .....
dcerpc2 Preprocessor Statistics
Total sessions: 0
database: Closing connection to database "snort"
database: Closing connection to database "snort"
Snort exiting
View 4 Replies
Dec 11, 2010
Does anyone know of a good tutorial on how to set up and configure snort 2.8.5.2 on an Ubuntu 10.10 system? I have been trying to set up snort and have run into a lot of problems setting up the config file and the rules. It works in sniff and packet log mode but I cannot seem to set up IDS mode correctly. There is a lot of different info on the net but not much help. There seems to be a lot of work involved in setting this up, which I do not mind provided I can find the proper documentation to configure the setup.
View 9 Replies
Feb 24, 2011
I work in a relatively small organisation of about 30 people (but with a complex network) and we've been looking to move our firewall to Microsoft's Threat Protection Manager on a mostly Windows network. I've been thinking we should have an IDS/IPS inside the firewall and I've been thinking about Snort in NIDS mode but have some basic questions:
1. Can anyone recommend a good web GUI for Snort?
2. Is it advisable to run both on the same machine? (Both from a POV of security and resources.)
3. Would Snort add any real benefit to using TPM?
View 2 Replies
Jan 24, 2010
I am running Karmic Koala with a recent install of snort 2.4.8.1 (build 3) and I am at a loss for useful commands in solving an internal problem (within the network). All I have is "sudo snort -v -i wlan0" on my very short list of useful commands regarding IDS. It is doing little to no good in resolving my problem with a network snoop besides showing that it is running; I need some more weight (knowledge) in order to rectify the problem.
View 4 Replies
Feb 23, 2011
I have just compiled Snort 2.9.0.4 under Ubuntu 10.10 x86_64 installed with the full LAMP package. The syntax I used to compile Snort is as follows below
[Code]...
View 2 Replies
Mar 4, 2009
I am trying to get snort running but I get this with service snortd status:
snort dead but subsys locked
service snortd restart
Stopping snort: [FAILED]
Starting snort: [ OK ]
[root@Fedora tylerm]# tail -f /var/log/messages
Mar 4 05:17:54 Fedora kernel: device eth0 entered promiscuous mode
Mar 4 05:17:54 Fedora kernel: device eth0 left promiscuous mode
Mar 4 05:17:54 Fedora snort[3280]: Initializing daemon mode
Mar 4 05:17:54 Fedora kernel: device eth0 entered promiscuous mode
Mar 4 05:17:54 Fedora snort[3282]: PID path stat checked out ok, PID path set to /var/run/
Mar 4 05:17:54 Fedora snort[3282]: Writing PID "3282" to file "/var/run//snort_eth0.pid"
Mar 4 05:17:54 Fedora snort[3282]: Daemon initialized, signaled parent pid: 3280
Mar 4 05:17:54 Fedora snort[3280]: Daemon parent exiting
Mar 4 05:17:54 Fedora snort[3282]: FATAL ERROR: OpenAlertFile() => fopen() alert file /var/log/snort/alert: Permission denied
Mar 4 05:17:54 Fedora kernel: device eth0 left promiscuous mode
Mar 4 05:18:42 Fedora ntpd[2300]: synchronized to 128.10.19.24, stratum 1
Mar 4 05:18:42 Fedora ntpd[2300]: time reset +0.906114 s
Mar 4 05:18:42 Fedora ntpd[2300]: kernel time sync status change 0001
View 2 Replies
Mar 25, 2010
I was wondering whether or not it is possible/advisable to install and run Snort on a single laptop behind a wireless router (firewall enabled)? Does Snort require root privileges, and are there any other issues one needs to be aware of when installing and running software like this?
View 6 Replies
Jul 26, 2010
I'm looking at possibly needing to make use of snort and its packet filtering/inspection abilities to help cover for PCI. I've searched Amazon, but nothing really stands out; there is a new one (2007 - Snort Intrusion Detection and Prevention Toolkit), or slightly older ones... Managing Security with Snort & IDS Tools - 2004, Snort Cookbook - 2005, Snort for Dummies - 2004.
Now I'm tempted to just go for the latest one, but I'm completely new to snort, so perhaps it needs another book like Snort for Dummies to get started ;-P
View 5 Replies
Dec 16, 2010
I recently bought an old desktop off eBay to give to my dad with Lubuntu installed on it. He doesn't do much - just the usual web browsing and storing photos - so I went with something reasonably old and cheap: a 2.6GHz Celeron (ugh, I know) eMachine (again ugh, but I thought it would do the job). I made the RAM up to 512MB and installed Lubuntu.
Unfortunately, when I installed Flash the video was all jumpy when watching anything online. So I looked into the onboard graphics and found that there are driver issues with some of that series. So I bought a graphics card (NVIDIA GeForce 5500 128MB - PCI because the lame motherboard doesn't have PCI-e or AGP).
Sadly the video is still jumpy and lame. I've tried it in Firefox as well, so this isn't a Chromium issue. The video is watchable if you download it and then play it through VLC (which it wasn't before the NVIDIA card). Xfce4 Taskmanager shows CPU usage maxing when I use Chromium to watch Flash but RAM staying around half used.
I know I've been a tool buying an eMachine - particularly with a Celery processor and no AGP or PCI-e (eBay is a cruel mistress at times) but I'm appealing for any help people might have to sort this out. I'm hoping there might be something I can do.
View 9 Replies
Mar 3, 2010
I'm using GNOME and I'd like to still have the ability to reboot/shutdown from one particular account as well as root. How would I modify the chmod command to add this ability? Also, I have a few users who will just hold the power button in to shut down the machine. How can I keep them from doing this?
// Pruned from the vintage 2007 "Prevent a non-root user from shutting down, rebooting or suspend the system" thread. Please create new threads instead of resurrecting ancient ones.
View 2 Replies
Oct 25, 2010
If I suspend this Toshiba Satellite, and the battery is or gets low, it will wake from suspend to tell me that it will need to suspend due to a critically low battery. Which is pretty dumb. I've experimented with this by plugging and unplugging the AC adapter.
View 1 Replies
May 23, 2011
3 questions I have about "pm-suspend-hybrid":
1. Is it possible to schedule this command in the same manner as shutdown? e.g. sudo shutdown -h 60
2. Is it possible to schedule the laptop to come out of suspend?
3. I have a USB sound card (X-Fi Go). When waking from suspend, the internal sound card is selected. I have to manually select the external sound card and, for whatever reason, also unmute it too.
View 1 Replies
Nov 28, 2010
How can I install snort in Ubuntu 10.10 and how can I use it?
View 1 Replies
Oct 31, 2010
I am running Debian 5 and I'm trying to install and configure Snort. My first stop is Snort.org, where I check out the directions. They tell me I need libpcap, PCRE, libnet and Barnyard. I've looked at the Debian Snort installation guide, and I've noticed that most of the documents are really old...
I've actually got libpcap and PCRE installed and now I'm trying to figure out how to get libnet installed. It seems more tricky. I think it's the oldest API I've seen.
I guess my main question is whether there is a better way of getting Snort up and running... I had a previous version of Linux where I installed just Snort and I had network packets streaming across the screen, but that's not very helpful as I need some kind of interface so I know what the hell I'm looking at.
So should I follow the instructions on Snort.org as well as the "Debian, Snort, Barnyard, BASE, & Oinkmaster Setup Guide"? Or does anyone know a more up-to-date guide for Debian users?
View 8 Replies
Feb 12, 2011
I normally install programs with yum, but I have to download Barnyard as a prerequisite for snort to detect intrusion attempts. I downloaded Barnyard and ran ./configure, make, make install, etc. Where does the program get installed? I was running this as root, so does it install into /root/barnyard?
View 5 Replies
Mar 9, 2010
I'm using the NuFW firewall and Snort on my PC. Snort sends alerts when it detects a pornographic website. I would like NuFW to create an ACL to drop this IP. Can Snort do this, or must I write a program which listens on Snort's port to catch the IP and write it into the ACL file of NuFW?
View 3 Replies
Oct 5, 2010
Code:
test@denial:~# ps -e | grep snort
18470 ? 00:00:00 snort
How do I disable the snort daemon at startup? I only want it to be running when I want it to be running.
View 7 Replies
Apr 26, 2011
When I set up snort, the default listen interface was eth0; now I want to change the default listen interface to eth1.
View 11 Replies
Jun 15, 2010
I am trying to install snort on Debian Linux. The following error appears: ERROR! Libpcre library not found. Get it from [URL].. I have installed the libpcre3-dev library but the error is still there. What could I be doing wrong?
View 5 Replies
Feb 23, 2011
According to a tutorial for installing snort in CentOS, downloaded from the CentOS or snort site, I installed snort using:
Code:
./configure --with-mysql-libraries=/usr/lib64/mysql/ --enable-dynamicplugin --enable-ipv6 --enable-zlib
make
make install
[Code].....
View 3 Replies
Jan 9, 2010
Trying to figure out which Intrusion Detection System would be best for me. I've got a CentOS 5 / Linux / Apache system. If you've got experience with either (or both), please let me know your thoughts. I'm looking for the one that's not as technical, and a bit more user friendly, I guess.
View 4 Replies