Topic: Snort installation

[Paul]

How can I get snort to work on SME 6.0? Has anybody some experience?

I would be very interested having a solution...


Paul

[%sig%]

[jb]

Paul,

Did you ever get a solution for this?

JB

[Paul]

Unfortunately not ...

Would still be interested.


Paul

[Floyd]

Did you try the directions here?
http://marari.net/downloads/snort/acid-howto.htm

[RayG]

I did a fresh install of SME 6 final on my box at home yesterday and loaded snort this morning. I used these versions:

snort-2.0.4-1.i386.rpm
snort-mysql-2.0.4-1.i386.rpm
sme-acid-2.0.0-1ari.noarch.rpm

I had to edit /etc/snort/snort.conf to comment out the "preprocessor asn1_decode" line to prevent a fatal error during snort's startup.

Snort seems to be working as it has reported several attacks already.

I'm holding off a bit to install trevor-mitel-guardian as the firewall configuration in SME 6 final is quite a bit different from previous versions. The two may be compatible but I want to be sure first.

[jb]

Ray,

Where did you see that preprocessor error at.  I am not seeing that.  I am currently only running this with 1 nic, so I edited /etc/init.d/snortd and changed all eth1 to eth0.  I will reload with a 2nd nic later on and see if the results are different.

Currently when I do a service snortd start, my box seems to be hanging at starting snort:  But, if I do a service snortd status, I get snort-mysql (pid ...) is running...

And, looking in /var/log/messages doesn't show any preporcessor errors as well.

Thanks for taking the time to help.

JB

[jb]

Ray,

Did a re-install with 2 nics and got the same as you.  Thanks for your help and time.

JB

[RayG]

I'm at work and don't recall the exact error message in the "messages" log file but it was a snortd fatal error. If I recall correctly it listed the preprocessor name but did not contain the word "preprocessor". When I did "/etc/rc.d/init.d/snortd status" I would receive a responce saying snortd was not running. Even after issuing an "/etc/rc.d/init.d/snortd start".

[RayG]

I found another problem with snort. Or at least with the installation on my machine. The /etc/logrotate.d/snort file has a typo on line 4. Near the end of the line, the "r" in "var" is transposed with a "/". This causes the daily log rotate to fail.

[jb]

I can confirm that.  Good catch Ray.

[Drifting]

So did anyone get snort and acid working on 6?
I did an upgrade and it promptly killed Snort and Acid (Well I assume that is what has happened). Newbie to Linux, but it was somehow reassuring to see all those blocked Ip's <Grin>

I note the Marinara website does not mention version 6, so can only assume that it does not support it?

Drift.

[moj]

I am running 6 Final. I installed Snort and the Mitel Guardian package using: http://marari.net/downloads/snort/acid-howto.htm
along with absolutely everything I could find in the forums. It "sorta" works. I had Snort/Guardian installed w/ 5.6 and it worked great...no problems at all. But things are different enough in 6 that it (Snort) just does not work out of the box...you will have to tweak things a lot. I am still not happy with mine. I am considering uninstalling actually. I get alert reports and that...but it still does not work as it should. That's my experience with it. Guardian does not work at all.