
Installing Snort


Aristotle


I unsuccessfully attempted to install Snort yesterday. I removed MySQL and PHP from my Linux box as instructed by the install instructions, yet I don't know where to get the latest version of PHP and SQL for Fedora. The different versions of Snort also confused me. There are three versions: Snort, Snort-MySQL, and Snort-PHP. I am guessing these are used for database management of the different IDs it recognizes. Any help on what I am supposed to do to get these things successfully installed would be a great help -_-

 

Now if only TCPdump would install.....


  • 3 months later...

Won't the RH RPMs work for FC without problems? (Haven't played with FC yet...)

 

Once I was able to track down the proper RPM for my distro, all was well. Either way, if you don't, you are looking at dependency hell for Snort, btw.

Edited by KraZy


  • 5 weeks later...

Just to add to an outdated discussion....

 

I have been playing around a lot with Snort lately, and have slowly started to discover the differences. Yes, snort and snort-mysql are basically the same thing, just that one is compiled with MySQL support (which in my case, where I have to sort through about 14k alerts (yes, about 14,000 valid alerts) daily, means the MySQL dump has been helping a lot). My sniffer runs 4 NICs now, and will be bumped up to 6 once I get the resources, and sorting the alerts by ID is also needed.

 

When I get back home, I will be assembling a similar system on my LAN. With Apache set up and running, I will be able to monitor any intrusions from any computer via HTTP (which would not be possible without snort-mysql and PHP with GD support).

 

So... that is an answer to the original question with some real-life application, in case anyone cares....

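The alert triage the post above describes (pulling thousands of Snort alerts into MySQL and sorting them by ID), as an added example that is not code from the original thread: it parses Snort's alert_fast log format instead of reading the MySQL dump, groups alerts by generator:signature ID and counts the distinct source hosts per signature. The sample lines are constructed (RFC 5737 addresses, SIDs from the local-rule range), not real traffic.

```python
import re
from collections import Counter, defaultdict

# Snort "alert_fast" line layout (one alert per line):
#   <time> [**] [gid:sid:rev] <msg> [**] [Classification: ...] [Priority: N] {proto} src[:port] -> dst[:port]
ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r"(?:\s+\[Classification:\s*(?P<cls>[^\]]*)\])?(?:\s+\[Priority:\s*(?P<prio>\d+)\])?"
    r"\s+\{(?P<proto>\w+)\}\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)$"
)

# Constructed sample alerts (RFC 5737 addresses, local-range SIDs); not captured from a real sensor.
SAMPLE_ALERTS = """\
01/15-09:12:01.100000  [**] [1:1000001:2] LOCAL SSH login burst [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 192.0.2.10:51234 -> 198.51.100.5:22
01/15-09:12:02.200000  [**] [1:1000001:2] LOCAL SSH login burst [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 192.0.2.10:51235 -> 198.51.100.5:22
01/15-09:12:03.300000  [**] [1:1000001:2] LOCAL SSH login burst [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 192.0.2.11:40001 -> 198.51.100.5:22
01/15-09:13:10.000000  [**] [1:1000002:1] LOCAL ICMP sweep [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.0.2.20 -> 198.51.100.7
this line is not an alert at all
"""

def parse_alert(line):
    """Parse one alert_fast line into a dict; return None for lines that do not match the layout."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    a = m.groupdict()
    a.update({k: int(a[k]) for k in ("gid", "sid", "rev")})
    a["prio"] = int(a["prio"]) if a["prio"] else None
    return a

def summarize(log_text):
    """Group alerts by generator:signature ID, the way the thread sorts its MySQL dump by ID.
    Returns (rows sorted by count descending, number of unparseable lines)."""
    counts, sources, meta, skipped = Counter(), defaultdict(set), {}, 0
    for line in filter(str.strip, log_text.splitlines()):
        a = parse_alert(line)
        if a is None:
            skipped += 1          # tally odd lines instead of silently dropping them
            continue
        key = (a["gid"], a["sid"])
        counts[key] += 1
        sources[key].add(a["src"].rsplit(":", 1)[0])   # drop the port; IPv4 endpoints assumed
        meta[key] = (a["msg"], a["prio"])
    rows = [{"id": f"{g}:{s}", "msg": meta[(g, s)][0], "priority": meta[(g, s)][1],
             "count": n, "sources": sorted(sources[(g, s)])}
            for (g, s), n in counts.most_common()]
    return rows, skipped
```

Calling summarize(SAMPLE_ALERTS) lists the 1:1000001 burst first (3 hits from two source hosts), then the single ICMP sweep, and reports one line it could not parse.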

Ok, I've had some experience with Linux-based distros and with AirSnort on my dad's laptop. Orinoco has the BEST wireless cards to pick up signals. But I'm sure you're not using Snort to get access to anything illegal, right?


Guys guys guys.. don't sort through thousands of alerts.. there is a much easier way. Download ACID: http://acidlab.sourceforge.net/

 

You can easily see reports of alerts via a web interface.

That is exactly what I use, actually... (PHP w/ GD might have been a giveaway) :) Even so, I am still pushing ACID to its limits, even with heavy rule-tweaking and FlexResp. It simply is starting to crack under the load.


We used to push hundreds of thousands of alerts through it daily and never had a problem with it "cracking" under the pressure. Maybe you should tweak Apache and MySQL?

 

MySQL 4.0 and query caching helps a lot.
