Aristotle

Installing Snort


I attempted unsuccessfully to install Snort yesterday. I removed MySQL and PHP from my Linux box as instructed by the install instructions, yet I don't know where to get the latest versions of PHP and MySQL for Fedora. The different versions of Snort also confused me. There are three versions: Snort, Snort-MySQL, and Snort-PHP. I am guessing these are used for database management of the different IDs it recognizes. Any help on what I am supposed to do to get these things successfully installed would be a great help -_-

Now if only TCPdump would install.....


um... www.php.net for the latest PHP package and www.mysql.com for the latest MySQL package... What do you want to do with Snort, as that is the one you will want to get?


Won't the RH RPMs work for FC without problems? (haven't played with FC yet...)

Once I was able to track down the proper RPM for my distro, all was well. Either way, if you don't, you are looking at dependency hell for Snort, btw.

Edited by KraZy


Just to add to an outdated discussion....

I have been playing around a lot with Snort lately, and have slowly started to discover the differences. Yes, snort and snort-mysql are basically the same thing, just that one is compiled with MySQL support. (In my case, I have to sort through about 14k alerts (yes, about 14,000 valid alerts) daily, in which case the MySQL dump has been helping a lot.) My sniffer runs 4 NICs now, and will be bumped up to 6 once I get the resources, and sorting the alerts by ID is also needed.

When I get back home, I will be assembling a similar system on my LAN. With Apache set up and running, I will be able to monitor any intrusions from any computer via HTTP. (Which would not be possible without snort-mysql and PHP (with GD support).)

So... that is an answer to the original question with some real-life application, in case anyone cares....

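KraZy's note about sorting 14,000 alerts a day by ID is the job a MySQL-backed console does at scale; as an added example (not code from this thread or from the Snort project), the following Python script does the same triage offline over Snort's fast-alert text format, tallying alerts per signature ID with the busiest source host for each, using constructed sample lines and assuming IPv4-only addresses.

```python
import re
from collections import Counter

# Constructed sample in Snort's "alert_fast" format (not real traffic); the last
# line is deliberately malformed to show unparseable input is counted, not lost.
SAMPLE_ALERTS = """\
03/14-10:02:11.123456 [**] [1:2003:8] MS-SQL Worm propagation attempt [**] [Classification: Misc Attack] [Priority: 2] {UDP} 203.0.113.5:1434 -> 192.0.2.10:1434
03/14-10:02:12.223456 [**] [1:2003:8] MS-SQL Worm propagation attempt [**] [Classification: Misc Attack] [Priority: 2] {UDP} 203.0.113.5:1434 -> 192.0.2.11:1434
03/14-10:05:44.500000 [**] [1:2003:8] MS-SQL Worm propagation attempt [**] [Classification: Misc Attack] [Priority: 2] {UDP} 203.0.113.9:1434 -> 192.0.2.12:1434
03/14-10:06:00.000000 [**] [122:1:0] (portscan) TCP Portscan [**] [Priority: 3] {PROTO:255} 198.51.100.7 -> 192.0.2.10
this line is not an alert and must be skipped
"""
# Fields: timestamp, gid:sid:rev, message, optional classification, priority,
# protocol, source -> destination (portscan alerts carry no classification).
ALERT_RE = re.compile(
    r"^(?P<ts>\S+) \[\*\*\] \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.*?) \[\*\*\]"
    r"(?: \[Classification: (?P<cls>[^\]]*)\])? \[Priority: (?P<prio>\d+)\]"
    r" \{(?P<proto>[^}]+)\} (?P<src>\S+) -> (?P<dst>\S+)$"
)

def parse_alert(line):
    """Return a dict for one fast-alert line, or None if it does not parse."""
    m = ALERT_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    return {"sig": f"{d['gid']}:{d['sid']}:{d['rev']}", "msg": d["msg"],
            "classification": d["cls"], "priority": int(d["prio"]),
            # IPv4 assumed: drop the trailing ":port" when one is present.
            "src_ip": d["src"].rsplit(":", 1)[0], "dst_ip": d["dst"].rsplit(":", 1)[0]}

def summarize(text):
    """Tally alerts per signature and per source host; count unparseable lines."""
    by_sig, msgs, srcs, skipped = Counter(), {}, {}, 0
    for line in (l for l in text.splitlines() if l.strip()):
        a = parse_alert(line)
        if a is None:
            skipped += 1
            continue
        by_sig[a["sig"]] += 1
        msgs[a["sig"]] = a["msg"]
        srcs.setdefault(a["sig"], Counter())[a["src_ip"]] += 1
    return {"by_sig": by_sig, "msgs": msgs, "srcs": srcs, "skipped": skipped}

def top_signatures(text, n=10):
    """(signature, count, message, busiest source) for the n noisiest signatures."""
    s = summarize(text)
    return [(sig, cnt, s["msgs"][sig], s["srcs"][sig].most_common(1)[0][0])
            for sig, cnt in s["by_sig"].most_common(n)]
```

Run it against a real alert file by reading the file into `top_signatures`; a non-zero `skipped` count is the first thing to check, since it usually means the log was written in a format other than alert_fast.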

Ok, I've had some experience with Linux-based distros and with AirSnort on my dad's laptop. Orinoco have the BEST wireless cards to pick up signals. But I'm sure you're not using Snort to get access to anything illegal, right?

Guys, guys, guys... don't sort through thousands of alerts... there is a much easier way. Download ACID: http://acidlab.sourceforge.net/

You can easily see reports of alerts via a web interface.

That is exactly what I use, actually... (PHP w/ GD might have been a giveaway) :) Even so, I am still pushing ACID to its limits, even with heavy rule tweaking and FlexResp. It simply is starting to crack under the load.


We used to push hundreds of thousands of alerts through it daily and never had a problem with it "cracking" under the pressure. Maybe you should tweak Apache and MySQL?

MySQL 4.0 and query caching help a lot.
