automatically install and configure SNORT via script

http://autosnort.blogspot.in/


So... to start, what exactly is autosnort? To boil it down, autosnort is a shell script that will take a supported operating system and give you a fully updated, fully functional snort installation with minimal effort.

 

Hi there!

This is DA, the current maintainer for the autosnort script, project.... whatever-you-may-call-it.

I wanted to stop by and say thank you for linking the project on your forums. For anyone who is interested in the script, the blog post above gives you a rough idea of the goals and links to my github repo which currently houses 3 different variations of the script - one for CentOS, one for Ubuntu and another for Backtrack (with more planned in the near future).

The scripts are entirely free, open-source and being released under the MIT license, meaning you can do practically anything you'd like with them.

If you you are a user, and have questions, run into difficulties or would like to contribute, feel free to contact me. My contact information is plastered all over the script readme and the blog post.

Thanks!

da_667

 

Many thanks DA, am linking your work at the Ubuntu forums as well as the Chakra forums.

 

How do you install this? I saved it to a emty document file, renamed it but it wont run

 

Its a script, you need to give it execute permissions.

 

Out of curiosity, why would you want to do this if you face the problem of configuring the software? What added benefit will you have in such a scenario?

Mrk

 

Linux is all about curiosity and SNORT is a good start.

 

I asked him. Besides, I can think of at least 304 things before using Snort.
Mrk

 

And I ask you, why would you discourage one from trying out stuff in LINUX? One can only learn by trial and error and breakage, arent we all here to learn btw?

 

Sure, but you don't become a ninja by applying for brown belt first.
If someone does not know how to chmod a file, they are not ready for snort.

Besides, as an intrusion detection system, it's mostly a network tool. The fact it runs on Linux is less important here, and the implication is in understanding protocols, signatures, etc. Linux is secondary. And before going Snort, I would advise someone to learn about the OS architecture, startup scripts, reading logs, etc, before using a highly sophisticated tool for analyzing potentially tricky network patterns in a home environment, where these are quite unlikely to happen.

Mrk

 

Thank you da_667

For taking the time to work on and providing autosnort script/project it will be helpful to a lot of Users from beginner to expert users.

Can add the emergingthreats sigs

and do a FreeBSD script

Thanks

 

That is a good point but we can only learn how to drive by getting on the road as we learn how to swim by getting into the water. Sure we make mistakes but then they can be easily rectified, Linux is all about chances.

 

I'm going to have to agree with Mr.K on this one. If I would have started with snort I would have suffered endless frustration. I would advise starting with a firewall, learn to configure it & read the logs. Then maybe graduate to snort.

Incidentally, the auto snort script sounds quite intriguing. I'll have to give it a try.

 

Come on guys be nice

Just let me know how to install the script?!!

 

ComputerSaysNo, it looks like it downloads a tarball. Have you uncompressed it? Does it come with a readme or anything?

 

With Mrk we use to repeat the same thing since years about Snort...useless for desktops.
In the past an easy way to make a Centos based install wass EasyIDS liveCD
http://www.skynet-solutions.net/About-EasyIDS
If we take into consideration the technology, soft ids appears now obsolete.
Their management costs a lot of time (rules updates, falses positives etc) for an hypothetyical interest (low probability of DDOS, fast flux bot/worm etc) in a desktop/small lan environment.
For the rules for instance (blacklist cat and mouse game), paid subscribtions is often better, even if there is an active open source community
http://rules.emergingthreats.net/
UTM appliance ( http://www.watchguard.com/products/xtm-main.asp ) appears much more serious, as simple IDSs are not enough against the current arsenal offered to attackers (ip segmentation/fragmentation evasion methods etc).
What could do Snort against professional hacking? As IDS are deployed before the firewall, trust first your hardening checklist.
As pointed out by Mrk, what are the chances for a Linux desktop user to be victim of an DDOS for instance...if so (example of scenario:Russian nationalists hacktivisst DDOS attack against Mrk article about Georgia/Russia cyberwar)..then Snort will not help...unplug the modem/box and go walk with the dog...
A popular anti-IDS tool (for BackTrack users) is Inundator, designed to obfuscate a real attack by generating serial falses positives http://inundator.sourceforge.net/
Instead of a network based IDS, it is suited to use a host based IDS like OSSEC wich provides interesting antimalwares features (integrity checking)
http://ossec.net/

Anyway for those really interested in IDS, i suggest a focused network security distro, Security Onion
http://code.google.com/p/security-onion/wiki/Beta
http://securityonion.blogspot.fr/2012/09/security-onion-1204-beta-available-now.html

rgds