Ubuntu Security :: Install And Run Snort On A Single Laptop With A Wireless Router?

Mar 25, 2010

I was wondering whether or not it is possible/advisable to install and run Snort on a single laptop with a wireless router (firewall enabled)? Does Snort require root privileges and are there any other issues one needs to be aware of when installing and running software like this?

View 6 Replies


General :: Laptop As Router Between Wireless Router And Windows 7 Box

Aug 7, 2010

I'm using a cross-over ethernet cable to connect a Desktop Windows 7 box, and a laptop running on SUSE 11.2. I want Windows to connect to the internet via the laptop's wireless interface.

View 1 Replies View Related

Ubuntu Security :: Snort Not Starting - ERROR: "/etc/snort/rules/exploit.rules(264) => 'fast_pattern' Does Not Take An Argument"

May 12, 2011

I need assistance with my Snort Installation. I used Bodhi Zazen's Network Intrusion Detection System post and found it easier than the previous time I had done it. I am currently running Ubuntu 10.04 server and Snort 2.8.6.1 with BASE 1.4.5. I followed Bodhi Zazen's instructions and when I tested snort it ended with a Fatal Error due to:

ERROR: /etc/snort/rules/exploit.rules(264) => 'fast_pattern' does not take an argument
Fatal Error, Quitting..

Here is the entire output once I ran the test command:

snort -c /etc/snort/snort.con -T
Running in Test mode

[Code]...

View 2 Replies View Related

Fedora Security :: Top Shows 3 Users In A Single-user Laptop?

Jun 20, 2010

I am running Fedora 13 - 64-bit variety and using KDE as the GUI. No real issues aside from the machine not exactly flying, but then this is a mere Core 2 Duo 1.6 with 2 gigs of RAM, so not unexpected...

When I run top I see 3 users indicated - which worries me somewhat... I am the only user on this machine.

I come from a Debian / Ubuntu /Gentoo knowledge-base and this laptop is a fresh install, encrypted partitions, temp has own partition (encrypted too) and obviously the firewall is on, with ssh service turned off and ssh access removed in the firewall....

Is this 3 users in top normal, or have I managed to be hacked in the 3 - 4 days since I started the install? In all this time I have been sitting behind a router when on the net.

Am I looking at a fresh install, or are there valid reasons for the extra users?

I just ran "users" in terminal and I show up 3 times - I have only logged in once, through the GUI and no extra access routes

View 6 Replies View Related

OpenSUSE Network :: Setup A Wireless With Linksys Wireless Router And HP Laptop Dual Booting Vista & Suse 11.2

Jun 20, 2010

I'm trying to set up a wireless network with my Linksys wireless router and my HP laptop dual booting Vista & Suse 11.2. I have the Vista side networked just fine, where I can share files and the printer connected to my desktop. But I want to be able to use Suse in the same way, full time, and to stray away from Vista. My wife and kids like easy. So I'm trying to transform them and show them something new.

View 9 Replies View Related

Ubuntu Networking :: Use Laptop As Wireless Router

May 11, 2011

I wanted to know if I can use my laptop as a wifi router, with an encryption password and all security, so if another computer is in range it can detect the signal and then try to connect to it with the encryption password.

Also, I have one more doubt. Can a wireless router be used as a wifi ethernet card, to detect wifi signals nearby and connect to the internet? Suppose I have a wireless router and I connect it to my desktop (with LAN cables), which has Ubuntu installed, and there's a wifi connection nearby: can I connect the desktop to the internet?

View 5 Replies View Related

Ubuntu Networking :: Laptop Going To Sleep Disconnects Wireless At Router

Jan 21, 2011

Running Ubuntu 11.04 on a Gateway LT3103U netbook. It's running fine except for the fact that when it goes to sleep (timeout or lid closed), goes into suspend, or is otherwise restarted/shut down, my router restarts. It's a DLink DIR-655 that has been working fine until I changed this netbook to Ubuntu. After installing Ubuntu on the netbook, it found my SSID being broadcast and I added the connection by supplying the WPA2 password. I have full network access (local and internet).

It's just the router restarts and all my other machines lose connections. The router is using DHCP but supplying IPs based on MAC. Netbook is set to use DHCP.

View 3 Replies View Related

Ubuntu Security :: Snort: Convert From IDS To IPS

Feb 4, 2011

I am currently running snort as an IDS on the same machine that acts as our gateway. I installed it using sudo apt-get install snort. However, I'd like to make it run as an IPS. Is it possible to convert that currently running snort instance from running as an IDS to an IPS without having to download the snort tar balls and install it? I do not want the tar balls because during updates and upgrades, I'd like the whole OS and installed apps (such as snort) to be upgraded.

View 1 Replies View Related

Networking :: Cannot Connect Wireless Laptop/XP Hyper Terminal To Server On WRT54G Router

May 20, 2011

Environment
Linksys WRT54G Wireless
Laptop wireless Windows/XP
Windows/XP Hyper Terminal

Desktop Server Linux OEL 5 (not wireless) cable connected to the WRT54G router port. (I can go to the Internet with this server, but I am not able to communicate with other computers on the WRT54G Wireless Network, even though the Linux Server is connected to the WRT54G router port.) From the Hyper Terminal on the wireless Windows/XP laptop, I want to connect to my Linux Server.

View 1 Replies View Related

Ubuntu Security :: How To Enable Ipv6 In Snort

Sep 1, 2011

How do I enable IPv6 in snort? I read that it must be compiled with --enable-ipv6 but I still don't know how.

View 2 Replies View Related

Fedora Security :: How To Setup Snort On F13

Dec 5, 2010

I want to set up snort on my F13 home computer. Is there a simple way to do it or do I have to do it the hard way (compiling and stuff)? I want to use snort for intrusion prevention and to detect possible threats from the internet.

View 3 Replies View Related

Ubuntu Security :: No Alert Found In Result From Snort

Mar 3, 2010

I have installed snort + mysql + acid base, I add some rules into /etc/snort/rules/local.rules to test the alert:

alert icmp 192.168.1.20 any -> 192.16.1.21 any (flags:A;ack:0;msg:"NMap icmp ping")
alert icmp 192.168.1.20 any -> 192.16.1.21 any (content:"abcdefgh";;msg:"ping de windows")
alert icmp 192.168.1.20 any <> 192.16.1.21 any (flags: S; msg: "HOULA SYN Packet!"

After that I restarted snort and tied 2 PCs together by cross cable (192.168.1.20 for Windows, and the victim is 192.168.1.21 for Linux, where snort is installed). My HOME_NET is 192.168.1.21 and the EXTERNAL_NET is !$HOME_NET. The problem is when I run:
snort -dvi eth0 -c /etc/snort/snort.conf

I see the packet transmitted and received (the received content "abcdefgh"); when I stopped snort with CTRL+C I didn't find any alert in the result!!!

Run time prior to being shutdown was 218.523030 seconds.

Packet Wire Totals:
Received: 1346
Analyzed: 1342 (99.703%)
Dropped: 0 (0.000%)
Outstanding: 4 (0.297%) .....

dcerpc2 Preprocessor Statistics
Total sessions: 0
database: Closing connection to database "snort"
database: Closing connection to database "snort"
Snort exiting

View 4 Replies View Related

Ubuntu Security :: Snort Maxing A CPU On Return From Suspend?

May 10, 2010

I am running Lucid on this machine, but I have had this problem on every machine with Snort. When I awaken the system from suspend or hibernation, snort pegs out one of the CPUs.

View 4 Replies View Related

Ubuntu Security :: Setup And Configure Snort 2.8.5.2 On A 10.10 System?

Dec 11, 2010

Does anyone know of a good tutorial on how to set up and configure snort 2.8.5.2 on an Ubuntu 10.10 system? I have been trying to set up snort and have run into a lot of problems setting up the config file and the rules. It works in sniff and packet log mode but I cannot seem to set up IDS mode correctly. There is a lot of different info on the net but not much help. There seems to be a lot of work involved in setting this up, which I do not mind provided I can find the proper documentation to configure the setup.

View 9 Replies View Related

Security :: Snort And MS Threat Protection Manager?

Feb 24, 2011

I work in a relatively small organisation of about 30 people (but with a complex network) and we've been looking to move our firewall to Microsoft's Threat Protection Manager on a mostly Windows network. I've been thinking we should have an IDS/IPS inside the firewall and I've been thinking about Snort in NIDS mode but have some basic questions:

1. Can anyone recommend a good web GUI for Snort?

2. Is it advisable to run both on the same machine? (Both from a POV of security and resources.)

3. Would Snort add any real benefit to using TPM?

View 2 Replies View Related

Ubuntu Security :: Terminal Commands For Snort / Network Snoop?

Jan 24, 2010

I am running Karmic Koala with a recent install of snort 2.4.8.1 (build 3) and I am at a loss for useful commands in solving an internal problem (within the network). All I have is "sudo snort -v -i wlan0" on my very short list of useful commands regarding IDS. It is doing little to no good in resolving my problem with a network snoop besides showing that it is running; I need some more weight (knowledge) in order to rectify the problem.

View 4 Replies View Related

Ubuntu Security :: Snort Init Errors Mysql Logging?

Feb 23, 2011

I have just compiled Snort 2.9.0.4 under Ubuntu 10.10 x86_64 installed with all Lamp package. The syntax I used to compile Snort is as follows below:

[Code]...

View 2 Replies View Related

Fedora Security :: Snort Dead But Subsys Locked

Mar 4, 2009

I am trying to get snort running but I get this with service snortd status:

snort dead but subsys locked
service snortd restart
Stopping snort: [FAILED]
Starting snort: [ OK ]

[root@Fedora tylerm]# tail -f /var/log/messages
Mar 4 05:17:54 Fedora kernel: device eth0 entered promiscuous mode
Mar 4 05:17:54 Fedora kernel: device eth0 left promiscuous mode
Mar 4 05:17:54 Fedora snort[3280]: Initializing daemon mode
Mar 4 05:17:54 Fedora kernel: device eth0 entered promiscuous mode
Mar 4 05:17:54 Fedora snort[3282]: PID path stat checked out ok, PID path set to /var/run/
Mar 4 05:17:54 Fedora snort[3282]: Writing PID "3282" to file "/var/run//snort_eth0.pid"
Mar 4 05:17:54 Fedora snort[3282]: Daemon initialized, signaled parent pid: 3280
Mar 4 05:17:54 Fedora snort[3280]: Daemon parent exiting
Mar 4 05:17:54 Fedora snort[3282]: FATAL ERROR: OpenAlertFile() => fopen() alert file /var/log/snort/alert: Permission denied
Mar 4 05:17:54 Fedora kernel: device eth0 left promiscuous mode
Mar 4 05:18:42 Fedora ntpd[2300]: synchronized to 128.10.19.24, stratum 1
Mar 4 05:18:42 Fedora ntpd[2300]: time reset +0.906114 s
Mar 4 05:18:42 Fedora ntpd[2300]: kernel time sync status change 0001

View 2 Replies View Related

Security :: Make Use Of Snort And Its Packet Filtering/inspection Abilities

Jul 26, 2010

I'm looking to possibly need to make use of snort and its packet filtering/inspection abilities to help cover for PCI. I've searched Amazon, but nothing really stands out. There is a new one (2007 - Snort Intrusion Detection and Prevention Toolkit), or slightly older ones... Managing Security with Snort & IDS Tools - 2004, Snort Cookbook - 2005, Snort for Dummies - 2004.

Now I'm tempted to just go for the latest one, but I'm completely new to snort so perhaps it needs another book like Snort for Dummies to get started ;-P

View 5 Replies View Related

Ubuntu Networking :: Use One Wireless Router To Connect/detect To Another Wireless Router?

Aug 1, 2010

My son lost his USB Wireless stick for his computer. I had thought I heard that if you had a second wireless router, you could use it somehow to detect the wireless router you have already set up in your home (like using a wireless card)? Is this what Ad-Hoc is? Either way, can this be done and if so how? I use a WRT54Gx2 Linksys router and have a TRENDNET TEW-432BRP wireless router and also a spare D-link DI-514. I use Ubuntu 10.04, and also wanted to know, if I connected one of the routers to his on the LAN port, could he connect maybe through an Ad-Hoc on my local computer here? He uses XP on his. I'm a newbie to Linux and networking in general.

View 2 Replies View Related

Networking :: Set Up A Laptop As A Router To Connect Wirelessly To ADSL Router?

Nov 6, 2009

I have a desktop PC running Ubuntu 9.10 and Windows 7, and a Eee PC 701 laptop running EasyPeasy Ubuntu 9.04. I'd like to connect the desktop to the laptop with a wired connection (eth0), then the laptop to my ADSL router using wireless (ath0).

I have a crossover ethernet cable (I bought on ebay). I have set up my laptop with a static IP address on my LAN and it uses OpenDNS.

I have added this to /etc/sysctl.conf on the laptop:

net.ipv4.ip_forward=1

Then I tried this on the laptop:

sudo iptables --table nat --append POSTROUTING --out-interface ath0 -j MASQUERADE
sudo iptables --append FORWARD --in-interface eth0 -j ACCEPT

This is a variation on what I found on other sites describing how to set up a router. I don't understand iptables very well, but I gather that the above two lines should set up forwarding so that traffic from my router to the laptop will be forwarded to the desktop, and vice versa.

But this doesn't work. The connection doesn't even establish between the laptop and the desktop.

View 12 Replies View Related

Networking :: Cannot Ping Wireless Router Or Access Router Settings - Wireless ?

Jun 9, 2010

I moved my server and network equipment, and now the wireless works but I cannot get my server online. I host a website, so this is kind of urgent.

I have a wireless router and can access the internet fine on my laptop. My server is wired & connected to the router. It sets up the networking properly.. ifconfig has an ip address, the default gateway is present. But I cannot ping google, or even the router. It says destination host unreachable.

So I go back to the laptop to check the router settings.. sometimes it likes to assign the server the wrong internal ip. But, I can't access the router settings either! The page (192.168.1.1) times out. Same with trying to ping the router. How can the laptop be online if it can't reach the router?

Oddly, ifconfig on my laptop reports an ip address starting with 99.233. It's always given me an internal address starting with 192.168. What's going on here? Is the router not allocating an internal ip? I use wicd to connect, if it's relevant.

We have a windows laptop that can only get a "local connection". Now it does sound like the router is forwarding directly to my laptop, instead of allocating internal ips.

View 1 Replies View Related

Ubuntu Networking :: Install Snort In 10.10 And How To Use It

Nov 28, 2010

How can I install snort in Ubuntu 10.10 and how can I use it?

View 1 Replies View Related

Ubuntu Security :: Unable To Install Amanda On Any Computers Or Server And The Port Is Not Forwarded By Modem Or Router?

Nov 17, 2010

I did a port scan on my server from outside my network and saw that port 10080 AMANDA is open. Amanda isn't installed on any of my computers or my server and the port is not forwarded by my modem or router. So why is this port open and how can I close it?

View 6 Replies View Related

Networking :: Get The Wireless Router To Connect To The Other Wireless Router?

Feb 16, 2009

This is my basic setup:

[URL]

I don't know how to get the wireless router to connect to the other wireless router so I can use internet on my computer. How do I achieve this wireless connection?

View 1 Replies View Related

General :: Install Barnyard For Snort?

Feb 12, 2011

I normally install programs with yum but I have to download barnyard as a requisite for snort to detect intrusion attempts. I downloaded barnyard and ran ./configure, make, make install, etc. Where does the program get installed? I was running this as root so does it install it into /root/barnyard?

View 5 Replies View Related

Networking :: Setting Up Linux Box As IPv6 Router To Replace Netgear WNR1000 Wireless Router?

Jun 18, 2011

I want to set up a Linux box as a wireless router to replace our existing Netgear WNR1000 router, as I believe the Netgear does not support the coming IPv6 protocol. Unfortunately, it is not flashable with OpenWRT or DD-WRT presently.

As we have Comcast, our cable modem acts as a dumb modem according to the customer support guy I talked to, and our router is the one that asks for the IP address from DHCP. Thus, when Comcast switches over to IPv6, I don't believe my existing router would work, correct?

My idea is to take a Linux box and put two NICs and a wireless adapter in it, using IPCop or Smoothwall to set up a router. I could then enable IPv6 support for when we have IPv6 with Comcast. Is that possible? Would there be a way to get BIND to hand out private IP addresses in the same subnet on the both the LAN NIC and the wireless card?

View 1 Replies View Related

Networking :: Network Setup - Router - Wireless Router Card ?

Apr 24, 2010

I'm having trouble getting my network set up the way that I want it/had it. You see, when I first set up my network, I just had my cable modem going directly to my standard wired router (A D-Link DI-604), which had DHCP,and was connected to all of the computers on my network. I had one switch hooked up to one of the ports of the router, but this was a regular switch, and it would not try to assign IP addresses, it would just pass through the DHCP info as I wanted.

Now however, my network setup has changed. My room mate and I both got laptops, and we decided that we wanted to have wireless access so we didn't have to constantly plug in to the router.

Now my network is set up like this: The modem is hooked up to the router(DI-604), which is hooked up on the LAN side to our computers, our switch (which is hooked up to 3 more computers), and to a wireless router card (A Gigabyte GN-BC01).

The wireless router card has two jacks for ethernet. One for WAN, and one for LAN. The LAN side we have plugged only into the computer in which the card is installed.

Now the problem is this: The wireless router card comes with DHCP by default, and it's assigning addresses to the laptops and to the computer that it's in, and worse, the IP addresses are on a different subnet than that of the main dlink router. The Main (dlink) router assigns addresses from 192.168.0.1 (itself) to 192.168.0.254, while the wireless router card assigns addresses from 192.168.1.1 to 192.168.1.254 (itself).

Because of this, I cannot access services on the wireless network from my wired network or vice versa. The first thing I tried was setting the card to assign addresses from 192.168.0.12 to 192.168.0.253, however it just said "internal error" when I tried to do this. I decided that this may be because it sees that it was being assigned an address on its WAN side on the same subnet. So the next thing I tried was disabling DHCP and setting the "LAN IP Address" to 192.168.0.12, hoping that the DHCP would just go through the card, like a switch. I would have set the LAN IP address to be assigned by DHCP, but this was not an option, so I decided that'd be the best thing to set it to.

Once again however, setting the LAN IP address to an address on the same subnet as that of the IP assigned to its WAN side caused it to report an "internal error". I verified that this was the issue by setting the LAN address to several other private IP addresses to test (i.e. 10.0.0.1, 192.168.3.1, 192.168.5.12).

My question then really is: How do I set up both routers so that I can access services and computers from each network from the other network. Should I set them with different subnets and set the gateway on the wireless network to the main router? To the wireless router card? Should I put them on the same subnet? Will it know how to communicate?

Here is a link to (picture) my network diagram. Network Diagram

View 2 Replies View Related

Ubuntu Security :: Router - Port Forwarding And Network Security

Nov 11, 2010

As it stands I have a small home network operating behind my modem/router. Some of the ports on this are forwarded to my PS3 for gaming but I was looking at forward some for my file server.

At the moment I've forwarded port xxx22 to port 22 on my server for SSH, for instance. And similarly 21 for FTP (although it doesn't seem to want to connect for any more than a few seconds using that). What I was thinking of doing was placing a small website for a handful of ppl to use on the server too and port forward again - xxx80 to 80. It works just fine but I'm a little concerned on the security front.

As I've moved the port to something different from the outside world I'm presuming I will have already cut the potential for malicious folks to wander in, but is there anything else I should be doing? At the moment there's no firewall operating on the server, usually as it's hidden behind the modem/router. But if I open this thing up more permanently what should I be doing? I've read a few articles on it but I'm always left with the overwhelming thought of "That's if there's no firewall in my router" as they just seem to do the same.

View 5 Replies View Related

Networking :: Have 2 Internet Providers At Office And Want To Use A Single Router To Route Them Both?

Jul 8, 2011

I have a weird issue with source routing on a linux box. The plan goes like this: I have 2 internet providers at my office and I want to use a single router to route them both (I don't need load balancing or failover). I just want access to either provider based on the IP I use on my PC.

The first provider, let's call it RDS, is simple: I've got an RDS_IP, RDS_MASK and RDS_GW. The second provider is complicated; we'll call it INES. I have an INES_IP, INES_MASK, INES_GW and they also gave me a subnet of public IPs: ILAN_NET, which I have to route myself through INES_IP. I also have a third NIC with a local IP: LAN_NET, and an alias for the INES subnet: ILAN_NET. The router has DHCP enabled, giving by default IPs from LAN_NET and using the default gw, RDS. I have SNAT for the LAN_NET to go through RDS.

If I enter an IP from the ILAN_NET, instead of routing it through the INES_GW, it also goes through RDS_GW. The routing I've used for about 5 months has worked perfectly until one day, when it just stopped. This is my setup:

ip route add $RDS_MASK dev $RDS_IF src $RDS_IP table rds
ip route add default via $RDS_GW table rds
ip route add $INES_MASK dev $INES_IF src $INES_IP table ines
ip route add default via $INES_GW table ines
ip route add default via $RDS_GW
ip rule add from $RDS_IP table rds
ip rule add from $INES_IP table ines
ip route add $LAN_NET dev $LAN_IF table rds
ip route add 127.0.0.0/8 dev lo table rds
ip route add $ILAN_NET dev $ILAN_IF table ines
ip route add 127.0.0.0/8 dev lo table ines

What puzzles me the most is that this setup has worked, and now it doesn't .... without any changes on the router. I've tried everything save for a format/reinstall.

View 2 Replies View Related







Copyrights 2005-15 www.BigResource.com, All rights reserved