Difference between revisions of "Snort IDS installation"

(Created page with "Category:Linux Intrusion Detection System (IDS) – Snort =Requirements= * Database server (MySQL). See MySQL server Therefore, you should look to the according...")
 
 
(11 intermediate revisions by the same user not shown)
Line 1: Line 1:
 
[[Category:Linux]]
 
[[Category:Linux]]
  
Intrusion Detection System (IDS) – Snort
+
 
  
 
=Requirements=
 
=Requirements=
Line 8: Line 8:
  
  
 +
 +
=Sources=
 +
 +
* Ubuntu-FR Snort: http://doc.ubuntu-fr.org/snort
 +
* Ubuntu-FR Snort-inline [IPS]: http://doc.ubuntu-fr.org/snort_inline
  
  
Therefore, you should look to the according part of this document and come back when the Web server is install on your server.
 
  
 
=SNORT installation=
 
=SNORT installation=
Line 18: Line 22:
 
You need to add a '''new MySQL database and user for snort'''.
 
You need to add a '''new MySQL database and user for snort'''.
  
''hint'': you can use [[Web app PhpMyAdmin|PHPMyAdmin]] or [[MySQL Workbench]] to do so!
+
''hint'': you can use [[Web app PhpMyAdmin|PHPMyAdmin]] or [[MySQL workbench]] to do so!
  
  
Line 26: Line 30:
  
 
<syntaxhighlight lang="bash">
 
<syntaxhighlight lang="bash">
apt-get install snort-doc snort-mysql snort-rules-default snort-common snort-common-libraries oinkmaster
+
apt-get install snort snort-doc snort-rules-default snort-common snort-common-libraries oinkmaster
 +
apt-get install libcrypt-ssleay-perl liblwp-protocol-https-perl
 
</syntaxhighlight>
 
</syntaxhighlight>
 +
  
 
During the installation you will be ask for the $HOME_NET.
 
During the installation you will be ask for the $HOME_NET.
Line 34: Line 40:
  
  
===Populate database===
 
  
You have to use a MySQL script to init database schema and root content.
+
==Basic configuration==
 +
 
 +
'''Interactive way'''
  
 
<syntaxhighlight lang="bash">
 
<syntaxhighlight lang="bash">
cd /usr/share/doc/snort-mysql
+
dpkg-reconfigure snort
zcat create_mysql.gz | mysql -u snort -h localhost -p snort
 
 
</syntaxhighlight>
 
</syntaxhighlight>
  
...if ok, you will not see anything
+
* Boot
 +
* Interface: eth0
 +
* set the IP@ of your server
 +
* Do '''NOT''' enable promiscuous mode
 +
* No custom options
 +
* (optional) daily reports by email
  
  
Check that the database is OK.
+
'''Manual way'''
  
 +
Set attributes:
  
If so, remove the pending installation flag:
+
<syntaxhighlight lang="bash">
 +
vim /etc/snort/snort.debian.conf
 +
</syntaxhighlight>
 +
 
 +
!! Note that settings are set in ''Debian'' configuration, the ''.conf'' is SNORT global configuration !!
  
 
<syntaxhighlight lang="bash">
 
<syntaxhighlight lang="bash">
rm /etc/snort/db-pending-config
+
DEBIAN_SNORT_HOME_NET="IP@/submask"
 
</syntaxhighlight>
 
</syntaxhighlight>
  
  
==Initial Configuration==
 
  
Reconfigure Snort:
+
==Know your version of snort==
 +
 
 +
<syntaxhighlight lang="bash">
 +
snort -V
 +
</syntaxhighlight>
 +
 
 +
 
 +
you should see something like that:
  
 
<syntaxhighlight lang="bash">
 
<syntaxhighlight lang="bash">
dpkg-reconfigure snort-mysql
+
  ,,_    -*> Snort! <*-
 +
  o"  )~  Version 2.9.6.0 GRE (Build 47)
 +
  ''''    By Martin Roesch & The Snort Team: http://www.snort.org/snort/snort-team
 +
          Copyright (C) 2014 Cisco and/or its affiliates. All rights reserved.
 +
          Copyright (C) 1998-2013 Sourcefire, Inc., et al.
 +
          Using libpcap version 1.5.3
 +
          Using PCRE version: 8.31 2012-07-06
 +
          Using ZLIB version: 1.2.8
 
</syntaxhighlight>
 
</syntaxhighlight>
  
Caution: you need to carefully select theses options:
 
* Do NOT use the “promiscuous” mode if your server is not within your LAN ;
 
* Use the database log and put the required arguments.
 
  
Check the configuration!
 
# vim /etc/snort/snort.conf
 
→ line 46: var HOME_NET IP@/submask !! You need to specify something here !!
 
→ line 49: var EXTERNAL_NET !$HOME_NET
 
  
!! Do not do this on DEBIAN !!
 
Uncomment and complete:
 
output database: log, mysql, user=root password=test dbname=db host=localhost
 
  
 Caution: if you’re using custom ports configuration for some of your severs :
+
=Configure rules and update=
 You have to adjust the port number of each services in this config file !
 
  
You might encounter some errors, don't panic ! :-)
 
Adjust snort rules
 
Source: http://doc.ubuntu-fr.org/snort
 
  
Rules web-site: http://rules.emergingthreats.net/open-nogpl/
+
==SNORT account==
  
Get latest rules set
+
Get a SNORT account: https://www.snort.org
# vim /etc/oinkmaster.conf
 
  
just comment line 22 and use:
 
#url = http://www.snort.org/dl/rules/snortrules-snapshot-2_2.tar.gz
 
  
url = http://rules.emergingthreats.net/open-nogpl/snort-2.8.4/emerging.rules.tar.gz
+
Each SNORT account has an OINKCODE, that is required to get the updates.
  
Download and install rules
 
# oinkmaster -o /etc/snort/rules
 
  
Automatic rules update
 
# crontab -e
 
  
Add
+
==Oinkmaster==
55 13 * * 6 /usr/sbin/oinkmaster -o /etc/snort/rules
+
 
 +
Oinkmaster is THE reference tool to get the rules updates. However, that's a pain to configure. :'(
 +
 
 +
 
 +
Instead of that, the community as created [https://code.google.com/p/pulledpork/ Pulled Pork]: that's a script that does the configuration for you.
 +
 
 +
 
 +
 
 +
==Pulled Pork==
 +
 
 +
 
 +
===Preparation===
 +
 
 +
PulledPork required specifics files & folders:
 +
 
 +
<syntaxhighlight lang="bash">
 +
mkdir -p /etc/snort/rules/iplists
 +
touch /etc/snort/rules/iplists/default.blacklist
 +
chmod 777 /etc/snort/rules/iplists/default.blacklist
 +
</syntaxhighlight>
 +
 
 +
 
 +
===Get Pulled Pork===
 +
 
 +
Get the latest version of Pulled Pork: https://code.google.com/p/pulledpork/downloads/list
 +
 
 +
<syntaxhighlight lang="bash">
 +
cd /tmp && wget https://pulledpork.googlecode.com/files/pulledpork-0.7.0.tar.gz
 +
</syntaxhighlight>
 +
 
 +
 
 +
===Installation===
 +
 
 +
Unzip the archive and open it
 +
 
 +
<syntaxhighlight lang="bash">
 +
tar xvf pulledpork-0.7.0.tar.gz
 +
cd pulledpork-0.7.0
 +
</syntaxhighlight>
 +
 
 +
 
 +
Copy configuration files to the /etc/snort + start script (pulledpork.pl) to the /usr/local/bin/ directory.
 +
 
 +
<syntaxhighlight lang="bash">
 +
cp pulledpork.pl /usr/local/bin/pulledpork.pl
 +
chmod 755 /usr/local/bin/pulledpork.pl
 +
cp etc/* /etc/snort/
 +
</syntaxhighlight>
 +
 
 +
 
 +
 
 +
===Configuration===
 +
 
 +
Edit PulledPork configuration
 +
 
 +
<syntaxhighlight lang="bash">
 +
vim /etc/snort/pulledpork.conf
 +
</syntaxhighlight>
 +
 
 +
 
 +
Set / adjust the following settings:
 +
 
 +
<syntaxhighlight lang="bash">
 +
## Set your OinkCode
 +
## Lines 19,21,24,26 replace <oinkcode> by your own.
 +
rule_url=https://www.snort.org/reg-rules/|snortrules-snapshot.tar.gz|<oinkcode>
 +
rule_url=https://s3.amazonaws.com/snort-org/www/rules/community/|community-rules.tar.gz|Community
 +
rule_url=http://labs.snort.org/feeds/ip-filter.blf|IPBLACKLIST|open
 +
rule_url=https://www.snort.org/reg-rules/|opensource.gz|<oinkcode>
 +
 
 +
## Line 72 (default = /usr/local/etc/snort/rules/snort.rules)
 +
rule_path=/etc/snort/rules/snort.rules
 +
 
 +
## Line 87 (default = /usr/local/etc/snort/rules/local.rules)
 +
local_rules=/etc/snort/rules/local.rules
 +
 
 +
## Line 90 (default = /usr/local/etc/snort/sid-msg.map)
 +
sid_msg=/etc/snort/sid-msg.map
 +
 
 +
## Line 110 (default = /usr/local/lib/snort_dynamicrules/)
 +
sorule_path=/usr/lib/snort_dynamicrules/
 +
 
 +
## Line 113 (default = /usr/local/bin/snort)
 +
snort_path=/usr/sbin/snort
 +
 
 +
## Line 117 (default = /usr/local/etc/snort/snort.conf)
 +
config_path=/etc/snort/snort.conf
 +
 
 +
## Line 120 uncomment and adjust (default = /usr/local/etc/snort/rules/so_rules.rules)
 +
sostub_path=/etc/snort/rules/so_rules.rules
 +
 
 +
## Line 131
 +
distro=Ubuntu-14.04
 +
 
 +
## Line 139 (default = /usr/local/etc/snort/rules/iplists/default.blacklist)
 +
black_list=/etc/snort/rules/iplists/default.blacklist
 +
 
 +
## Line 148 (default = /usr/local/etc/snort/rules/iplists)
 +
IPRVersion=/etc/snort/rules/iplists
 +
 
 +
## Line 190 uncomment the snort_version line
 +
######
 +
# Put your right version like 2.9.6.0
 +
# You can check what are the available versions on https://www.snort.org/downloads/#rule-
 +
# Usually there is no 2.9.6.0 but 2.9.6.1, 2.9.6.2,... instead
 +
###
 +
snort_version=2.9.6.1
 +
</syntaxhighlight>
 +
 
 +
 
 +
 
 +
==Get rules==
 +
 
 +
Execute Pulled Pork
 +
 
 +
<syntaxhighlight lang="bash">
 +
pulledpork.pl -c /etc/snort/pulledpork.conf
 +
</syntaxhighlight>
 +
 
 +
 
 +
 
 +
You should see something like:
 +
 
 +
<syntaxhighlight lang="bash">
 +
 
 +
    http://code.google.com/p/pulledpork/
 +
      _____ ____
 +
    `----,\    )
 +
      `--==\\  /    PulledPork v0.7.0 - Swine Flu!
 +
      `--==\\/
 +
    .-~~~~-.Y|\\_  Copyright (C) 2009-2013 JJ Cummings
 +
  @_/        /  66\_  cummingsj@gmail.com
 +
    |    \  \  _(")
 +
    \  /-| ||'--'  Rules give me wings!
 +
      \_\  \_\\
 +
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 +
 
 +
...
 +
 
 +
Fly Piggy Fly!
  
Add rules to Snort
+
</syntaxhighlight>
# echo "#EmergingThreats.net Rules" >> /etc/snort/snort.conf
 
# cd /etc/snort/rules
 
# for i in `ls emerging*` ; do echo "include \$RULE_PATH/"$i >> /etc/snort/snort.conf ; done;
 
  
Check result
 
# vim /etc/snort/snort.conf
 
→ You should see lots of emerging rules
 
  
Advice: you should comment the following
 
#include $RULE_PATH/emerging-botcc-BLOCK.rules
 
  
#include $RULE_PATH/emerging-compromised-BLOCK.rules
+
==Test snort==
  
#include $RULE_PATH/emerging-drop-BLOCK.rules
+
You can check that SNORT is working with your rules by launching it. See [[#Run SNORT]]
  
#include $RULE_PATH/emerging-dshield-BLOCK.rules
 
  
#include $RULE_PATH/emerging-rbn-BLOCK.rules
 
  
#include $RULE_PATH/emerging-sid-msg.map
+
==Get rules periodically==
  
#include $RULE_PATH/emerging-sid-msg.map.txt
+
The best way to get rules periodically is to setup a cronjob.
  
Start snort
+
Create an entry in crontab to automate the process of keeping the Snort rules up to date.
To test your configuration:
 
# snort -c /etc/snort/snort.conf
 
You should see a little pig :) (Ctrl+C to stop it)
 
  
If there's some errors, then you can check the /var/log/syslog
 
> You might have to comment some rules, depending on your configuration.
 
  
Managing rules
+
Edit crontab
All the rules are not enable by default. According to your own policy, you might want to enable some specifics rules. Have a look to your configuration file
 
# vim /etc/snort/snort.conf
 
→ line 839: enable the required policies
 
• Policy.rules
 
• Community-policy.rules
 
  
Disable specific rules
+
<syntaxhighlight lang="bash">
 +
crontab -e
 +
</syntaxhighlight>
  
# vim /etc/snort/snort.conf
 
  
You might be spam by false alerts such as
+
Add
“COMMUNITY SIP TCP/IP message flooding directed to SIP proxy”
 
 To disable theses, you have to edit the corresponding ruleset 
 
community-sip.rules
 
*-voip.rules
 
*-sip.rules
 
  
 +
<syntaxhighlight lang="bash">
 +
0 2 * * * pulledpork.pl -c /etc/snort/pulledpork.conf -H -v >> /var/log/pulledpork 2>&1 #Update Snort Rules
 +
</syntaxhighlight>
  
Snort Graphical Front-End
 
Required programs
 
Add-ons, to display graphs and statistics
 
# pear upgrade
 
# pear install Image_Color
 
# pear install Image_Graph
 
# pear install Mail
 
# pear install Mail_Mime
 
  
Automatic installation
 
# apt-get install acidbase
 
→ Use the automatic configuration of the database with “dbconfig-common”
 
MySQL
 
UNIX Socket
 
  
Manual installation
 
  
Requirement
 
ADODB (Database abstraction layer for PHP)
 
Official website: http://adodb.sourceforge.net/
 
Downloads: http://sourceforge.net/projects/adodb/files/
 
  
# wget fileURL
+
=Run SNORT=
# tar -xzvf adodb-php.tar.gz
 
# mv adodb5 /etc/php5
 
→ ADODB is now in /etc/php5/adodb5
 
  
Download BASE
+
This is how you can start SNORT manually:
Official website: http://base.secureideas.net/
 
Download last version from the official website, even if it's a late one (since 2010)
 
  
Extract it to: /var/www/default/base
+
<syntaxhighlight lang="bash">
 +
snort -c /etc/snort/snort.conf
 +
</syntaxhighlight>
  
Create MySQL BASE tables into SNORT database.
 
# cd /var/www/default/base/sql
 
  
Run one of the following scripts (there are the same)
 
create_base_tbls_mysql.sql
 
acid2base_tbls_mysql.sql
 
  
 +
if OK you should see:
  
Installation
+
<syntaxhighlight lang="bash">
URL/base/setup/index.php
+
...
  
Step 1 of 5
+
4150 Snort rules read
• Language
+
    3476 detection rules
• Path to adodb: /etc/php5/adodb5 (manual)
+
    0 decoder rules
/usr/share/php/adodb
+
    0 preprocessor rules
 +
3476 Option Chains linked into 271 Chain Headers
 +
0 Dynamic rules
 +
+++++++++++++++++++++++++++++++++++++++++++++++++++
  
Step 2 of 5
+
...
MySQL configuration : please re-use the SNORT database
 
  
Step 3 of 5
+
        --== Initialization Complete ==--
It's not mandatory to create a new user
+
</syntaxhighlight>
  
Step 4 of 5
 
Create required tables
 
  
Configuration
+
'Ctrl + C' to exit.
  
Edit the specific acidbase database settings
 
# vim /var/www/website/webapps/acidbase/base_conf.php
 
  
$BASE_urlpath = '/webapps/acidbaseids';
 
  
$action_email_smtp_host = 'smtp.example.com';
+
If there's some errors, then you can check the /var/log/syslog
# smtp.gmail.com:587
 
$action_email_smtp_localhost = 'serverHostName';
 
# extranet.daxiongmao.eu
 
$action_email_smtp_auth = 1;
 
  
$action_email_smtp_user = 'username';
+
.. You might have to comment some rules, depending on your configuration...
  
$action_email_smtp_pw = 'password';
 
  
$action_email_from = 'snort@serverDomain.com';
 
# snort@extranet.daxiongmao.eu
 
$action_email_subject = 'BASE Incident Report';
 
  
$action_email_msg = '';
 
  
$action_email_mode = 0;
+
=Managing rules=
  
Create the tables.
+
All the rules are not enable by default. According to your own policy, you might want to enable / disable some specifics rules.  
https://server1.example.com/acidbase/base_db_setup.php
 
  
Adjust your php.ini settings
+
Have a look to your configuration file
# vim /etc/php5/cli/php.ini
 
  
You need to adjust the “error reporting” variable as follow
+
<syntaxhighlight lang="bash">
error_reporting = E_ALL & ~E_NOTICE & ~E_STRICT & ~E_DEPRECATED
+
vim /etc/snort/snort.conf
 +
</syntaxhighlight>
  
!! For cherokee you've to edit your PHP interpreter settings !!
+
Cf STEP 7 (~ line 555).
→ vServers → target server → Rule management
 
→ select PHP rule → handler tab
 
• Disable error Handler
 
 
  
Reload Apache 2
 
# /etc/init.d/apache2 reload
 
  
Setup ACID
+
Don't forget to restart SNORT !
https://server1.example.com/acidbase/setup/index.php
 
  
Delete acid bug
+
<syntaxhighlight lang="bash">
You might have to disable some settings in /usr/share/acidbase/includes/base_cache.inc.php, lines 556 && 562. It might triggers false alerts.
+
service snort restart
Important reminders
+
</syntaxhighlight>
You need to supervise your installation and check the log regularly!!
 
You need to adjust your configuration to avoid too many false positive, keeping only the real alerts
 

Latest revision as of 12:28, 10 August 2014



Requirements


Sources


SNORT installation

Requirements

You need to add a new MySQL database and user for snort.

hint: you can use PHPMyAdmin or MySQL workbench to do so!


Installation

Packages

apt-get install snort snort-doc snort-rules-default snort-common snort-common-libraries oinkmaster
apt-get install libcrypt-ssleay-perl liblwp-protocol-https-perl


During the installation you will be ask for the $HOME_NET.

  • If plan to protect a network, use the Network IP@/Submask
  • For a single computer put IP@/32. Do that for servers that are hosted somewhere on the cloud (OVH, TripNet, ...).


Basic configuration

Interactive way

dpkg-reconfigure snort
  • Boot
  • Interface: eth0
  • set the IP@ of your server
  • Do NOT enable promiscuous mode
  • No custom options
  • (optional) daily reports by email


Manual way

Set attributes:

vim /etc/snort/snort.debian.conf

!! Note that settings are set in Debian configuration, the .conf is SNORT global configuration !!

DEBIAN_SNORT_HOME_NET="IP@/submask"


Know your version of snort

snort -V


you should see something like that:

   ,,_     -*> Snort! <*-
  o"  )~   Version 2.9.6.0 GRE (Build 47)
   ''''    By Martin Roesch & The Snort Team: http://www.snort.org/snort/snort-team
           Copyright (C) 2014 Cisco and/or its affiliates. All rights reserved.
           Copyright (C) 1998-2013 Sourcefire, Inc., et al.
           Using libpcap version 1.5.3
           Using PCRE version: 8.31 2012-07-06
           Using ZLIB version: 1.2.8



Configure rules and update

SNORT account

Get a SNORT account: https://www.snort.org


Each SNORT account has an OINKCODE, that is required to get the updates.


Oinkmaster

Oinkmaster is THE reference tool to get the rules updates. However, that's a pain to configure. :'(


Instead of that, the community as created Pulled Pork: that's a script that does the configuration for you.


Pulled Pork

Preparation

PulledPork required specifics files & folders:

mkdir -p /etc/snort/rules/iplists
touch /etc/snort/rules/iplists/default.blacklist
chmod 777 /etc/snort/rules/iplists/default.blacklist


Get Pulled Pork

Get the latest version of Pulled Pork: https://code.google.com/p/pulledpork/downloads/list

cd /tmp && wget https://pulledpork.googlecode.com/files/pulledpork-0.7.0.tar.gz


Installation

Unzip the archive and open it

tar xvf pulledpork-0.7.0.tar.gz
cd pulledpork-0.7.0


Copy configuration files to the /etc/snort + start script (pulledpork.pl) to the /usr/local/bin/ directory.

cp pulledpork.pl /usr/local/bin/pulledpork.pl
chmod 755 /usr/local/bin/pulledpork.pl
cp etc/* /etc/snort/


Configuration

Edit PulledPork configuration

vim /etc/snort/pulledpork.conf


Set / adjust the following settings:

## Set your OinkCode
## Lines 19,21,24,26 replace <oinkcode> by your own.
rule_url=https://www.snort.org/reg-rules/|snortrules-snapshot.tar.gz|<oinkcode>
rule_url=https://s3.amazonaws.com/snort-org/www/rules/community/|community-rules.tar.gz|Community
rule_url=http://labs.snort.org/feeds/ip-filter.blf|IPBLACKLIST|open
rule_url=https://www.snort.org/reg-rules/|opensource.gz|<oinkcode>

## Line 72 (default = /usr/local/etc/snort/rules/snort.rules)
rule_path=/etc/snort/rules/snort.rules

## Line 87 (default = /usr/local/etc/snort/rules/local.rules)
local_rules=/etc/snort/rules/local.rules

## Line 90 (default = /usr/local/etc/snort/sid-msg.map)
sid_msg=/etc/snort/sid-msg.map

## Line 110 (default = /usr/local/lib/snort_dynamicrules/)
sorule_path=/usr/lib/snort_dynamicrules/

## Line 113 (default = /usr/local/bin/snort)
snort_path=/usr/sbin/snort

## Line 117 (default = /usr/local/etc/snort/snort.conf)
config_path=/etc/snort/snort.conf

## Line 120 uncomment and adjust (default = /usr/local/etc/snort/rules/so_rules.rules) 
sostub_path=/etc/snort/rules/so_rules.rules

## Line 131
distro=Ubuntu-14.04

## Line 139 (default = /usr/local/etc/snort/rules/iplists/default.blacklist)
black_list=/etc/snort/rules/iplists/default.blacklist

## Line 148 (default = /usr/local/etc/snort/rules/iplists)
IPRVersion=/etc/snort/rules/iplists

## Line 190 uncomment the snort_version line
######
# Put your right version like 2.9.6.0
# You can check what are the available versions on https://www.snort.org/downloads/#rule-
# Usually there is no 2.9.6.0 but 2.9.6.1, 2.9.6.2,... instead
###
snort_version=2.9.6.1


Get rules

Execute Pulled Pork

pulledpork.pl -c /etc/snort/pulledpork.conf


You should see something like:

    http://code.google.com/p/pulledpork/
      _____ ____
     `----,\    )
      `--==\\  /    PulledPork v0.7.0 - Swine Flu!
       `--==\\/
     .-~~~~-.Y|\\_  Copyright (C) 2009-2013 JJ Cummings
  @_/        /  66\_  cummingsj@gmail.com
    |    \   \   _(")
     \   /-| ||'--'  Rules give me wings!
      \_\  \_\\
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

...

Fly Piggy Fly!


Test snort

You can check that SNORT is working with your rules by launching it. See #Run SNORT


Get rules periodically

The best way to get rules periodically is to setup a cronjob.

Create an entry in crontab to automate the process of keeping the Snort rules up to date.


Edit crontab

crontab -e


Add

0 2 * * * pulledpork.pl -c /etc/snort/pulledpork.conf -H -v >> /var/log/pulledpork 2>&1 #Update Snort Rules



Run SNORT

This is how you can start SNORT manually:

snort -c /etc/snort/snort.conf


if OK you should see:

...

4150 Snort rules read
    3476 detection rules
    0 decoder rules
    0 preprocessor rules
3476 Option Chains linked into 271 Chain Headers
0 Dynamic rules
+++++++++++++++++++++++++++++++++++++++++++++++++++

...

        --== Initialization Complete ==--


'Ctrl + C' to exit.


If there's some errors, then you can check the /var/log/syslog

.. You might have to comment some rules, depending on your configuration...



Managing rules

All the rules are not enable by default. According to your own policy, you might want to enable / disable some specifics rules.

Have a look to your configuration file

vim /etc/snort/snort.conf

Cf STEP 7 (~ line 555).


Don't forget to restart SNORT !

service snort restart