Friday, January 26, 2007

Testing Snort 2.6.x

First I download the latest Snort tarball and build Snort RPMs from it:

$ rpmbuild -tb snort-2.6.x.tar.gz --with mysql
...
Wrote: /home/tedi/rpms/RPMS/i586/snort-2.6.x-1.i586.rpm
Wrote: /home/tedi/rpms/RPMS/i586/snort-mysql-2.6.x-1.i586.rpm
...

Next, I registered with the Snort community so I could download the Snort rules.

Then I extract the rules tarball and move all the files in its rules/ directory to /etc/snort/rules:

# mv rules/* /etc/snort/rules/

# mv /etc/snort/rules/sid-msg.map /etc/snort/

I found out that there are now two snort.conf files: one from the RPM package and one from the rules tarball. I want to check the differences between them:

$ diff /etc/snort/snort.conf /etc/snort/rules/snort.conf

2c2
< # http://www.snort.org Snort 2.6.0 config file
---
> # http://www.snort.org Snort current Ruleset
5c5
< # $Id$
---
> # $Id: snort.conf,v 1.167 2006/06/09 15:14:08 mwatchinski Exp $
111c111
<> var RULE_PATH ../rules
182c182
<> dynamicpreprocessor directory /usr/local/lib/snort_dynamicpreprocessor/
192c192
<> dynamicengine /usr/local/lib/snort_dynamicengine/libsf_engine.so
852c852
<> # include $RULE_PATH/virus.rules
855a856
> # include $RULE_PATH/spyware-put.rules

Most of the differences are paths: RULE_PATH, the dynamicpreprocessor directory and the dynamicengine library. Whichever snort.conf is kept, those three lines have to point at where the RPM actually installed the rules and the shared objects, otherwise snort -T fails during initialization. The last two differences are the interesting ones: the ruleset's snort.conf keeps virus.rules commented out and adds a commented-out include for spyware-put.rules, so neither file is loaded unless the includes are uncommented by hand.
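A quick way to see which rule files a merged snort.conf will really load, as an added example that is not part of the original post: the script below reads RULE_PATH, expands it in every include, lists the includes that are commented out and flags active includes whose file is missing from the rules directory. The function names are mine, the directory tree and snort.conf excerpt it builds are constructed for the demo, and it assumes relative include paths are resolved against the directory passed as the second argument (defaulting to the directory of the snort.conf itself); check how your Snort version resolves relative includes before relying on that.

```shell
#!/bin/sh
# Added example, not from the original post: audit which rule files a
# snort.conf really loads. Function names are my own; the sample tree
# built by setup_sample is constructed for the demo.

# Print the value of "var RULE_PATH <dir>" (first occurrence).
rule_path() {
    sed -n 's/^[[:space:]]*var[[:space:]][[:space:]]*RULE_PATH[[:space:]][[:space:]]*\([^[:space:]]*\).*/\1/p' "$1" \
        | head -n 1
}

# Print every active (uncommented) include target with $RULE_PATH expanded.
active_includes() {
    rp=$(rule_path "$1")
    sed -n 's/^[[:space:]]*include[[:space:]][[:space:]]*\([^[:space:]]*\).*/\1/p' "$1" \
        | sed "s|[\$]RULE_PATH|$rp|"
}

# Print every include that is commented out ("# include" or "#include"),
# which is how virus.rules and spyware-put.rules ship in the 2.6 ruleset.
commented_includes() {
    rp=$(rule_path "$1")
    sed -n 's/^[[:space:]]*#[[:space:]]*include[[:space:]][[:space:]]*\([^[:space:]]*\).*/\1/p' "$1" \
        | sed "s|[\$]RULE_PATH|$rp|"
}

# Print active includes whose file does not exist. Relative paths are
# resolved against $2 (assumption: defaults to the conf's own directory;
# verify how your Snort version resolves relative includes).
missing_includes() {
    base="${2:-$(dirname "$1")}"
    active_includes "$1" | while IFS= read -r f; do
        case "$f" in
            /*) p="$f" ;;
            *)  p="$base/$f" ;;
        esac
        [ -f "$p" ] || printf '%s\n' "$f"
    done
}

# Constructed sample: etc/snort.conf with RULE_PATH ../rules, and a rules/
# directory holding web-misc.rules and virus.rules but no spyware-put.rules.
setup_sample() {
    d=$(mktemp -d)
    mkdir -p "$d/etc" "$d/rules"
    printf 'alert tcp any any -> any 80 (msg:"sample"; sid:1000001; rev:1;)\n' \
        > "$d/rules/web-misc.rules"
    : > "$d/rules/virus.rules"
    cat > "$d/etc/snort.conf" <<'EOF'
# constructed excerpt, not a real snort.conf
var RULE_PATH ../rules
include $RULE_PATH/web-misc.rules
include $RULE_PATH/spyware-put.rules
# include $RULE_PATH/virus.rules
#include $RULE_PATH/backdoor.rules
EOF
    printf '%s\n' "$d"
}

# Demo run against the constructed tree.
d=$(setup_sample)
conf="$d/etc/snort.conf"
echo "RULE_PATH = $(rule_path "$conf")"
echo "commented-out includes:"; commented_includes "$conf"
echo "active includes with missing files:"; missing_includes "$conf" "$d/etc"
rm -rf "$d"
```

Run it against the real file with `missing_includes /etc/snort/snort.conf /etc/snort` after merging the two configs; an active include whose file is missing is exactly what makes snort -T abort, and the commented-out list is the reminder that virus.rules and spyware-put.rules are silently off.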

Then I test my Snort configuration:

# snort -T -c /etc/snort/snort.conf
Running in Test mode with config file: /etc/snort/snort.conf
Running in IDS mode

--== Initializing Snort ==--
Initializing Output Plugins!
Initializing Preprocessors!
Initializing Plug-ins!
Parsing Rules file /etc/snort/snort.conf

...

--== Initialization Complete ==--

   ,,_     -*> Snort! <*-
  o"  )~   Version 2.6.0 (Build 59) i386
   ''''    By Martin Roesch & The Snort Team: http://www.snort.org/team.html
           (C) Copyright 1998-2006 Sourcefire Inc., et al.
           Rules Engine: SF_SNORT_DETECTION_ENGINE  Version 1.5
Preprocessor Object: SF_SMTP Version 1.0
Preprocessor Object: SF_FTPTELNET Version 1.0

Snort sucessfully loaded all rules and checked all rule chains!
Frag3 statistics:
Total Fragments: 0
Frags Reassembled: 0
Discards: 0
Memory Faults: 0
Timeouts: 0
Overlaps: 0
Anomalies: 0
Alerts: 0
FragTrackers Added: 0
FragTrackers Dumped: 0
FragTrackers Auto Freed: 0
Frag Nodes Inserted: 0
Frag Nodes Deleted: 0
===============================================================================
Final Flow Statistics
,----[ FLOWCACHE STATS ]----------
Memcap: 10485760 Overhead Bytes 16400 used(%0.156403)/blocks (16400/1)
Overhead blocks: 1 Could Hold: (0)
IPV4 count: 0 frees: 0
low_time: 0, high_time: 0, diff: 0h:00:00s
finds: 0 reversed: 0(%0.000000)
find_success: 0 find_fail: 0
percent_success: (%0.000000) new_flows: 0
Snort exiting
