Testing Snort 2.6.x

I downloaded the latest Snort tarball, then built Snort RPMs from it:

$ rpmbuild -tb snort-2.6.x.tar.gz --with mysql

Wrote: /home/tedi/rpms/RPMS/i586/snort-2.6.x-1.i586.rpm
Wrote: /home/tedi/rpms/RPMS/i586/snort-mysql-2.6.x-1.i586.rpm

Next, I registered with the Snort community so I could download the Snort rules.

Then I extracted the rules and moved all of the files in the rules/ directory to /etc/snort/rules:

# mv rules/* /etc/snort/rules/

# mv /etc/snort/rules/sid-msg.map /etc/snort/

I found out that there are two snort.conf files: one from the RPM package and the other from the rules tarball. I wanted to check the differences between them:

$ diff /etc/snort/snort.conf /etc/snort/rules/snort.conf

# http://www.snort.org Snort current Ruleset
# $Id: snort.conf,v 1.167 2006/06/09 15:14:08 mwatchinski Exp $
var RULE_PATH ../rules
dynamicpreprocessor directory /usr/local/lib/snort_dynamicpreprocessor/
dynamicengine /usr/local/lib/snort_dynamicengine/libsf_engine.so
# include $RULE_PATH/virus.rules
> # include $RULE_PATH/spyware-put.rules

Most of the differences are path-related. The last difference is the interesting one: the new snort.conf comments out virus.rules and spyware-put.rules, so dropping it in place without checking would silently disable those two rule sets.
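Because a rules update can quietly disable rule files this way, here is an added check (my own example, not from the original post) that compares two snort.conf files and lists every "include $RULE_PATH/<name>.rules" line that is active in the old config but commented out or absent in the new one. It assumes POSIX sh with grep, sed, sort, comm and mktemp; the two sample configs written by demo() are constructed for illustration and are not the real files from the post.

```shell
#!/bin/sh
# Added example: report Snort rule files that an updated snort.conf disables.
# Assumes POSIX sh, grep, sed, sort, comm, mktemp. Not part of the original post.
export LC_ALL=C   # identical collation for sort and comm

# Print the active (uncommented) rule-file includes in a snort.conf, one name per line.
active_rule_includes() {
    grep -E '^[[:space:]]*include[[:space:]]+\$RULE_PATH/[^[:space:]]+\.rules' "$1" \
        | sed -E -e 's/^[[:space:]]*include[[:space:]]+\$RULE_PATH\///' \
                 -e 's/[[:space:]]+$//' \
        | sort -u
}

# Print rule files active in OLD ($1) that are no longer active in NEW ($2).
disabled_rule_includes() {
    old_list=$(mktemp) || return 1
    new_list=$(mktemp) || { rm -f "$old_list"; return 1; }
    active_rule_includes "$1" > "$old_list"
    active_rule_includes "$2" > "$new_list"
    comm -23 "$old_list" "$new_list"   # lines only in the old list
    rm -f "$old_list" "$new_list"
}

# Self-contained demo on constructed sample configs.
demo() {
    dir=$(mktemp -d) || return 1
    # Constructed sample: packaged config with all three rule files enabled.
    cat > "$dir/old.conf" <<'EOF'
var RULE_PATH /etc/snort/rules
include $RULE_PATH/web-attacks.rules
include $RULE_PATH/virus.rules
include $RULE_PATH/spyware-put.rules
EOF
    # Constructed sample: config from a rules tarball that comments two of them out.
    cat > "$dir/new.conf" <<'EOF'
var RULE_PATH ../rules
include $RULE_PATH/web-attacks.rules
include $RULE_PATH/local.rules
# include $RULE_PATH/virus.rules
# include $RULE_PATH/spyware-put.rules
EOF
    disabled_rule_includes "$dir/old.conf" "$dir/new.conf"
    rm -rf "$dir"
}

# Usage: sh check_rule_includes.sh OLD_CONF NEW_CONF; with no arguments, run the demo.
if [ "$#" -eq 2 ]; then
    disabled_rule_includes "$1" "$2"
else
    demo
fi
```

Run it against the packaged config and the one from the rules tarball before replacing either; an empty result means no previously active rule file was switched off. Rule files that are new in the updated config (local.rules in the sample) are deliberately not reported, since only lost coverage is the concern here.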

Then I tested my Snort configuration:

# snort -T -c /etc/snort/snort.conf
Running in Test mode with config file: /etc/snort/snort.conf
Running in IDS mode

--== Initializing Snort ==--
Initializing Output Plugins!
Initializing Preprocessors!
Initializing Plug-ins!
Parsing Rules file /etc/snort/snort.conf

--== Initialization Complete ==--

,,_ -*> Snort!
Preprocessor Object: SF_SMTP Version 1.0
Preprocessor Object: SF_FTPTELNET Version 1.0

Snort sucessfully loaded all rules and checked all rule chains!
Frag3 statistics:
Total Fragments: 0
Frags Reassembled: 0
Discards: 0
Memory Faults: 0
Timeouts: 0
Overlaps: 0
Anomalies: 0
Alerts: 0
FragTrackers Added: 0
FragTrackers Dumped: 0
FragTrackers Auto Freed: 0
Frag Nodes Inserted: 0
Frag Nodes Deleted: 0
Final Flow Statistics
Memcap: 10485760 Overhead Bytes 16400 used(%0.156403)/blocks (16400/1)
Overhead blocks: 1 Could Hold: (0)
IPV4 count: 0 frees: 0
low_time: 0, high_time: 0, diff: 0h:00:00s
finds: 0 reversed: 0(%0.000000)
find_success: 0 find_fail: 0
percent_success: (%0.000000) new_flows: 0
Snort exiting
