OK, I've got Snort installed and I think it is running. It is generating logs. 
I have a few questions.

1. How can I test it? I've tried running a port scanner against it and 
IDSwakeup but neither one of them generates any log entries. 

2. How do I configure it? I did go in and change the Ethernet port that it 
was watching. ETH1 is my external port and it installed as monitoring eth0. I 
don't see any snort.conf file anywhere as is referenced in the documentation. 
Where do I configure the notification method etc?

3. I tried updating the rules set to the latest vision rules but I think it 
bombs out when I use them. I noticed that Snort doesn't show up in the "ps x" 
command but after installing the new rules the logs sit there with nothing 
being added to them. Then when I do a "snortd restart" it says "failed" when 
shutting snort down. I go back to the old vision rules and it works fine. 
Anyone have any ideas? Should I download the latest version of snort and 
install it over the old one? Will the latest version be in the next firewall 
beta?

4. There is no documentation on using the utilities that come with snort. 
snort-stat, snortlog, etc. I looked in the files themselves and ran them 
using the comments, but nothing showed up in the reports.

5. Any instructions on how to set up realtime monitoring of the snort system 
once it's running would be helpful. It would be real nice if they were 
tailored for the Mandrake Firewall install.

Thanks,
Steve
