Posted by: jasonk2600 | January 18, 2010

Debian GNU/Linux Snort IDS Sensor

Synopsis

This post describes the steps necessary to configure a system running Debian GNU/Linux as a Snort Intrusion Detection System (IDS) sensor. It covers only the configuration of a Snort IDS sensor that connects to a PostgreSQL database backend; for setting up the PostgreSQL backend for Snort and/or a Snort IDS monitoring console, refer to the following posts:

Installation

Install the PostgreSQL DBMS and Snort IDS using the aptitude software package management utility. When prompted for the address range for the local network, replace 10.0.1.0/24 with your LAN’s IP address range.

# aptitude install postgresql-client snort snort-pgsql snort-rules

Address range for the local network:
10.0.1.0/24


Configuration

Configure Snort to report to your existing PostgreSQL database backend by adding the following to the /etc/snort/snort.conf configuration file. NOTE: Replace 10.0.1.1 with the IP address of your PostgreSQL DBMS server and replace Password with the password you chose for the snortuser database account.

output database: log, postgresql, user=snortuser \
   password=Password dbname=snort host=10.0.1.1 \
   sensor_name=Debian


Remove the /etc/snort/db-pending-config file and start the Snort IDS sensor for the first time. Be sure to check /var/log/daemon.log for any error messages.

# rm /etc/snort/db-pending-config
# /etc/init.d/snort start

Starting Network Intrusion Detection System: snort
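A pre-flight check for the directive added above, written as an added example that is not part of the original post: it parses the `output database` line of a snort.conf (joining backslash-continued lines), reports parameters that still hold the post's template values, and warns when the file holding the database password is world-readable. The function names, the error strings and the sample values used are assumptions of this example.

```python
import os
import re
import stat

REQUIRED = ("user", "password", "dbname", "host")
TEMPLATE_VALUES = {"password": "Password", "host": "10.0.1.1"}  # post's placeholders
DIRECTIVE = re.compile(r"^\s*output\s+database:\s*(\w+)\s*,\s*(\w+)\s*,(.*)$")

def logical_lines(text):
    """Yield config lines with trailing-backslash continuations joined."""
    buf = ""
    for line in text.splitlines():
        if line.rstrip().endswith("\\"):
            buf += line.rstrip()[:-1] + " "
        else:
            yield buf + line
            buf = ""
    if buf:
        yield buf

def parse_output_database(text):
    """Return the postgresql 'output database' parameters as a dict, else None."""
    for line in logical_lines(text):
        m = DIRECTIVE.match(line)
        if m and m.group(2).lower() == "postgresql":
            params = dict(re.findall(r"(\w+)=(\S+)", m.group(3)))
            params["_mode"] = m.group(1)  # 'log' or 'alert'
            return params
    return None

def check_directive(text):
    """Return a list of problems; an empty list means the directive looks sane."""
    params = parse_output_database(text)
    if params is None:
        return ["no 'output database: ..., postgresql, ...' directive found"]
    problems = []
    for key in REQUIRED:
        if key not in params:
            problems.append(f"missing {key}=")
        elif params[key] == TEMPLATE_VALUES.get(key):
            problems.append(f"{key}= still holds the template value {params[key]!r}")
    return problems

def check_file(path):
    """check_directive() on a file, plus a warning if any user can read the password."""
    with open(path) as fh:
        problems = check_directive(fh.read())
    if stat.S_IMODE(os.stat(path).st_mode) & stat.S_IROTH:
        problems.append(f"{path} is world-readable but holds the database password")
    return problems
```

Run `check_file("/etc/snort/snort.conf")` as root before the first start; a non-empty list names what still needs fixing.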


  [EoF]

Responses

  3. aptitude install postgresql-client snort snort-pgsql snort-rules
    shows result:
    No candidate version found for snort-pgsql
    No candidate version found for snort-pgsql
    No packages will be installed, upgraded, or removed.
    0 packages upgraded, 0 newly installed, 0 to remove and 11 not upgraded.
    Need to get 0B of archives. After unpacking 0B will be used.

    What to do now? I am stuck on this,
    please help….
