As I said in the original message, it is working. I did go into snortd and 
set the ethernet port to the one I want to monitor. 1.6.3 is what came with 
beta 3. snort.conf does not exist in /etc or /etc/snort.  The RPM that came 
with beta 3 uses a file that's called rules.something and calls an included
file called vision.rules.

Steve


On Friday 09 March 2001 15:18, you wrote:
> Snort 1.7 was put into contribs if I recall. I made the rpm for it. As for
> the config, I would look in /etc/snort/snort.conf. Also there are docs
> in /usr/share/doc/snort-1.7 if I recall. As for the network card
> you want it to listen on, go to
>
> /etc/rc.d/init.d/snortd and edit that file; there are a few lines like this:
>
> # Specify your network interface here
> INTERFACE=eth0
>
> edit to make it work on the interface you want...
>
> -John
>
> > OK, I've got Snort installed and I think it is running. It is generating
> > logs.
> > I have a few questions.
> >
> > 1. How can I test it? I've tried running a port scanner against it and
> > IDSwakeup but neither one of them generate any log entries.
> >
> > 2. How do I configure it? I did go in and change the Ethernet port that
> > it was watching. ETH1 is my external port and it installed as monitoring
> > eth0. I don't see any snort.conf file anywhere as is referenced in the
> > documentation.
> > Where do I configure the notification method etc?
> >
> > 3. I tried updating the rules set to the latest vision rules but I think it
> > bombs out when I use them. I noticed that Snort doesn't show up in the
> > "ps x" command but after installing the new rules the logs sit there with
> > nothing being added to them. Then when I do a "snortd restart" it says
> > "failed" when shutting snort down. I go back to the old vision rules and
> > it works fine.
> > Anyone have any ideas? Should I download the latest version of snort and
> > install it over the old one? Will the latest version be in the next firewall
> > beta?
