2.4 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--
Q: Libpcap complains about permissions problems, what's going on?
A: You are either not running snort as root or your kernel is not configured correctly.

2.5 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--
Q: Why does snort complain about /var/log/snort?
A: It requires this directory to log alerts to it. Use: mkdir /var/log/snort

2.6 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--
Q: I've got RedHat and ....
A: Check your version of libpcap. :) If it's not >= 0.5, then you should update.

2.7 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--
Q: Where do I get the latest version of libpcap?
A: http://www.tcpdump.org/

2.8 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--
Q: Why does building snort complain about missing references?
A: You must make libpcap with the --install-incl option or install the libpcap-devel rpm.

2.9 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--
Q: Why does building snort fail with errors about yylex and lex_init?
A: You need the lex and yacc tools or their GNU equivalents flex and bison installed.

2.10 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--
Q: I want to build a snort box. Will this <Insert List> handle <this much> traffic?
A: That depends. ;-) Lowering the number of rules is a standard performance increase. Disable rules that you don't need or care about. Etc... There have been many discussions on 'tweaking performance' with lots of 'I handle XX mb with a ___ machine setup.' being said. Look at some of the discussions on snort-users.

2.11 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--
Q: What are CIDR netmasks?
A: Excerpted from url: http://public.pacbell.net/dedicated/cidr.html

CIDR is a new addressing scheme for the Internet which allows for more efficient allocation of IP addresses than the old Class A, B, and C address scheme.

CIDR Block Prefix   # Equivalent Class C   # of Host Addresses
/27                 1/8th of a Class C     32 hosts
/26                 1/4th of a Class C     64 hosts
/25                 1/2 of a Class C       128 hosts
/24                 1 Class C              256 hosts
/23                 2 Class C              512 hosts
/22                 4 Class C              1,024 hosts
/21                 8 Class C              2,048 hosts
/20                 16 Class C             4,096 hosts
/19                 32 Class C             8,192 hosts
/18                 64 Class C             16,384 hosts
/17                 128 Class C            32,768 hosts
/16                 256 Class C            65,536 hosts (= 1 Class B)
/15                 512 Class C            131,072 hosts
/14                 1,024 Class C          262,144 hosts
/13                 2,048 Class C          524,288 hosts

For more detailed technical information on CIDR, go to http://www.rfc-editor.org/rfcsearch.html and type in the number of the CIDR RFC you are interested in:

RFC 1517: Applicability Statement for the Implementation of CIDR
RFC 1518: An Architecture for IP Address Allocation with CIDR
RFC 1519: CIDR: An Address Assignment and Aggregation Strategy
RFC 1520: Exchanging Routing Information Across Provider Boundaries in the CIDR Environment

2.12 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--
Q: What is the use of the "-r" switch to read tcpdump files?
A: With -r, snort reads packets from a saved tcpdump (libpcap) capture file instead of a live interface. Used in conjunction with a snort rules file, the tcpdump data can be analyzed for hostile content, port scans, or anything else Snort can be used to detect. Snort can also just simply display the packets in their decoded format, which many people find is easier to read than native tcpdump output.
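The CIDR prefixes tabulated in 2.11 and the bracketed IP-list syntax that FAQ 3.3 and 3.6 below describe (`var HOME_NET [10.1.1.0/24,192.168.1.0/24]`) are easy to get wrong by hand. The following is an added example, not code from the Snort FAQ or from Snort itself: it parses `var` lines in that syntax, tests addresses against the resulting list the way a rule header would, exposes the "first entry only" behaviour the FAQ warns about for preprocessors that do not understand IP lists, and computes the address count for a prefix length. The configuration lines, the `EXTERNAL_NET` and `DNS_SERVER` variables, and all function names are constructed for this example.

```python
"""Added example (not part of the Snort FAQ or of Snort's own code): parse a
Snort 1.7-style IP list such as `var HOME_NET [10.1.1.0/24,192.168.1.0/24]`,
check addresses against it, and compute CIDR block sizes as in FAQ 2.11.
Standard library only."""
import ipaddress
import re

# Constructed configuration lines, shaped like the examples in FAQ 3.3 / 3.6.
# EXTERNAL_NET and DNS_SERVER are invented here for illustration.
SAMPLE_CONF = """\
var HOME_NET [10.1.1.0/24,192.168.1.0/24]
var EXTERNAL_NET 0.0.0.0/0
var DNS_SERVER 10.1.1.53
"""

_VAR_RE = re.compile(r"^\s*var\s+(\w+)\s+(\S+)\s*$")


def parse_ip_list(value):
    """Turn `[a,b,c]` or a bare `a` into a list of IPv4 networks.
    A bare address with no prefix is treated as a /32 host."""
    value = value.strip()
    if value.startswith("[") and value.endswith("]"):
        value = value[1:-1]
    nets = []
    for item in value.split(","):
        item = item.strip()
        if not item:
            continue
        if "/" not in item:
            item += "/32"
        # strict=False accepts host bits set, e.g. 10.1.1.5/24 -> 10.1.1.0/24
        nets.append(ipaddress.IPv4Network(item, strict=False))
    return nets


def parse_vars(conf_text):
    """Collect every `var NAME value` line into {NAME: [networks]}."""
    variables = {}
    for line in conf_text.splitlines():
        m = _VAR_RE.match(line)
        if m:
            variables[m.group(1)] = parse_ip_list(m.group(2))
    return variables


def in_list(addr, nets):
    """True if addr falls in any network of the list (what a rule header sees)."""
    ip = ipaddress.IPv4Address(addr)
    return any(ip in net for net in nets)


def first_net(nets):
    """FAQ 3.3: a preprocessor that does not understand IP lists (e.g. the
    portscan preprocessor) uses only the first entry. This returns that entry,
    so you can check what such a preprocessor will actually monitor."""
    return nets[0]


def cidr_host_count(prefix_len):
    """Total addresses in one IPv4 CIDR block (FAQ 2.11 table: /27 -> 32).
    This counts every address in the block, including the network and
    broadcast addresses, exactly as the table does."""
    if not 0 <= prefix_len <= 32:
        raise ValueError("prefix length must be 0..32")
    return 2 ** (32 - prefix_len)


if __name__ == "__main__":
    v = parse_vars(SAMPLE_CONF)
    print("HOME_NET:", [str(n) for n in v["HOME_NET"]])
    print("192.168.1.77 in HOME_NET:", in_list("192.168.1.77", v["HOME_NET"]))
    print("portscan preprocessor would see only:", first_net(v["HOME_NET"]))
    for p in (27, 24, 16):
        print("/%d: %d addresses" % (p, cidr_host_count(p)))
```

Note that the "# of Host Addresses" column in 2.11 counts every address in the block; on an ordinary subnet the network and broadcast addresses are not usable by hosts, so a /24 gives 254 assignable addresses, not 256. That does not matter for rule matching, where the whole block is what you want.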
--faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--
***************************************
Section 3: CONFIGURING SNORT
***************************************

3.1 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--
Q: How do I setup snort on a 'stealth' interface?
A: Bring up the interface without an IP address on it. See FAQ 3.2... http://www.geocrawler.com/archives/3/4890/2000/9/0/4399696/
A: Use an ethernet tap, or build your own 'receive-only' ethernet cable. http://personal.ie.cuhk.edu.hk/~msng0/sniffing_cable/index.htm
A: Anyway, here is the cable I use:

  LAN          Sniffer
   1 -----\     /-- 1
   2 ---\  |    \-- 2
   3 ---+--*------- 3
   4 -     |      - 4
   5 -     |      - 5
   6 ------*------- 6
   7 -            - 7
   8 -            - 8

Basically, 1 and 2 on the sniffer side are connected, 3 and 6 straight through to the LAN. 1 and 2 on the LAN side connect to 3 and 6 respectively. This fakes a link on both ends but only allows traffic from the LAN to the sniffer. It also causes the 'incoming' traffic to be sent back to the LAN, so this cable only works well on a hub. You can use it on a switch but you will get ...err... interesting results. Since the switch receives the packets back in on the port it sent them out, the MAC table gets confused and after a short while devices start to drop off the switch. Works like a charm on a hub though.

3.2 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--
Q: How do I run snort on an interface with no IP address?
A: ifconfig ethN up

3.3 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--
Q: My network spans multiple subnets. How do I define HOME_NET?
A: Snort 1.7 supports IP lists. You can assign a number of addresses to a single variable. For example:

var HOME_NET [10.1.1.0/24,192.168.1.0/24]

NOTE: Not all preprocessors support IP lists at this time. Unless otherwise stated, assume that any preprocessor using an IP list variable will use the first value as the HOME_NET. The portscan preprocessor is an example. To catch all detectable portscans, pass 0.0.0.0/0 in as the first parameter:

preprocessor portscan: 0.0.0.0/0 5 3 portscan.log

Use the portscan-ignorehosts preprocessor to fine tune and ignore traffic from noisy, trusted machines.

3.4 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--
Q: How can I run snort on multiple interfaces simultaneously?
A: Unless you are running snort on a Linux 2.1.x/2.2.x kernel (with LPF available), the only way is to run multiple instances of snort, one instance per interface. On Linux 2.1.x/2.2.x and higher, however, you can use a libpcap library built with S. Krahmer's patch, which allows you to specify 'any' as the interface name. In that case snort will process traffic arriving on all interfaces.

3.5 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--
Q: IP address is assigned dynamically to my interface, can I use snort with it?
A: Yes. With snort 1.7 and later, the <interface>_ADDRESS variable is available. Its value is always set to the IP address/netmask of the interface you run snort on. If the interface goes down and comes up again (and an IP address is reassigned) you will have to restart snort. For earlier versions of snort, numerous scripts to achieve the same result are available.

3.6 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--
Q: I have one network card and two aliases, how can I force snort to "listen" on both addresses?
A: If you're using at least version 1.7, you can specify an IP list like this:

var HOME_NET [192.168.<your-IP>/24,<Internet address>/32]

If you're using something older (version 1.6.3-patch2 or whatever) you can re-specify the HOME_NET variable multiple times like this (for example):

var HOME_NET 10.1.1.0/24
include scan-lib
etc.
var HOME_NET 192.168.1.0/24
include scan-lib
etc.

3.7 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--
Q: How do I ignore traffic coming from a particular host or hosts?
A: Write pass rules and add the host(s) to the portscan-ignorehosts list. Call Snort with the -o option so that the pass rules are applied before the alert rules: the default rule application order is Alert->Pass->Log, and -o changes it to Pass->Alert->Log, so without -o a matching alert rule fires before the pass rule is ever consulted. See http://www.snort.org/writing_snort_rules.htm for more information.

3.8 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--
Q: How do I get Snort to log the packet payload as well as the header?
A: Use the "-d" command line option.

3.9 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--
Q: Why are there no subdirectories under /var/log/snort for IP addresses?
A: It depends on how your snort configuration logs. If it logs in binary (tcpdump) format, everything goes into a single file and you'll have to process the binary log in order to get cleartext, for example by reading it back with the -r switch (see FAQ 2.12).

3.10 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--
Q: How do you get snort to ignore some traffic?
A1: Specify BPF filters on the command line; the tcpdump man page has a description of BPF filters.
A2: Use a pass rule (and run snort with -o, see FAQ 3.7).
A3: The portscan preprocessor has its own special exclusion list with the portscan-ignorehosts.rules file directive.

3.11 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--
Q: Why does the portscan plugin log "stealth" packets even though the host is in the portscan-ignorehosts list?
A: These types of TCP packets are inherently suspicious, no matter where they are coming from. The portscan detector was built with the assumption that "stealth" packets should be reported, even from hosts which are not monitored for portscanning. An option to ignore "stealth" packets may be added in the future.

3.12 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--
Q: Which takes precedence, command line or rule file?
A: The command line always gets precedence over the rules file.
If people want to try stuff out quickly without having to manually edit the rules file, they should be able to override many things from the command line.

3.13 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--
Q: How does rule ordering work?
A: Marty has answered this many times on the snort-users mailing list. Here is an excerpt from a post on Thu, 22 Feb 2001 00:31:53 -0500, titled "Re: [Snort-users] order of evaluation of rules":

Currently, the data structures that store Snort rule data are the RuleTreeNodes (RTN) and the OptTreeNodes (OTN). These data structs are stored in a two dimensional linked list structure with the RTNs forming the top row of the "Array" and the OTNs forming the columns under the RTNs. Here's an ASCII illustration from the infamous "lisapaper":

       RTN                 RTN                 RTN
  --------------      --------------      -----
  | Chain Header |    | Chain Header |    | Chai
  |              |    |              |    |
  | Src IP       |    | Src IP       |    | Src
  | Dst IP       |----->| Dst IP     |----->| Dst .....
  | Src Port     |    | Src Port     |    | Src
  | Dst Port     |    | Dst Port     |    | Dst
  |              |    |              |    |
  --------------      --------------      -----
        |                   |
        |                   |
    OTN \|/             OTN \|/
  -------V------      --------V-------
  | Chain Option |    | Chain Option |
  |              |    |      :       |
  | Content      |    |      :       |
  | TCP Flags    |    |      :       |
  | ICMP Data    |
  | Payload Size |
  | etc.         |
  |              |
  ---------------
        |
        |
    OTN \|/
  -------V------
  | Chain Option |
  |              |
  | Content      |
  | TCP Flags    |
  | ICMP data    |
  | Payload Size |
  | etc.         |
  |              |
  --------------
        |
        |

Rules with similar rule headers (i.e. all the CGI rules, the old stealth port scan detection rules, most of the rules that focus on any single service, etc) are grouped under a single RTN for the sake of efficiency and the applicable OTNs are hung below them. For instance, if you have three rules like this:

alert tcp any any -> $HOME 80 (content: "foo"; msg: "foo";)
alert tcp any any -> $HOME 80 (content: "bar"; msg: "bar";)
alert tcp any any -> $HOME 80 (content: "baz"; msg: "baz";)

They all get grouped under the same RTN and the OTNs are "hung" beneath them like this:

          RTN
  --------------------
  | SIP: any         |
  | SP: any          |
  | DIP: $HOME       |
  | DP: 80           |
  --------------------
           |
           |
      OTN \|/
  ---------v----------
  | content: foo     |
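To make the RTN/OTN layout from Marty's post concrete, and to show why the -o flag from FAQ 3.7 and 3.12 matters for pass rules, here is an added example that is not part of the FAQ or of Snort's source. It is a deliberately small model: it parses the three rules quoted above plus one constructed pass rule, groups rules with identical headers under one RTN (keyed by the header tuple) with their option sets hung beneath as OTNs, and matches a packet by testing each header once and only then walking that RTN's options. The `$HOME` variable table, the pass rule, the packet dictionaries, and the "first matching rule wins" simplification are assumptions of this example; real Snort decodes packets from libpcap and has more option keywords than `content` and `msg`.

```python
"""Added example (not part of the Snort FAQ or Snort's source): a toy model
of the RuleTreeNode (RTN) / OptTreeNode (OTN) grouping from FAQ 3.13, plus the
rule-type ordering that -o changes (Alert->Pass->Log becomes Pass->Alert->Log).
Packets are plain dicts here; rule text is the FAQ's three rules plus a
constructed pass rule."""
import ipaddress
import re
from collections import OrderedDict

# Constructed variable table: $HOME stands in for HOME_NET from the FAQ.
VARS = {"$HOME": [ipaddress.IPv4Network("10.1.1.0/24")]}

SAMPLE_RULES = """\
alert tcp any any -> $HOME 80 (content: "foo"; msg: "foo";)
alert tcp any any -> $HOME 80 (content: "bar"; msg: "bar";)
alert tcp any any -> $HOME 80 (content: "baz"; msg: "baz";)
pass tcp 10.1.1.5 any -> $HOME 80 (msg: "trusted scanner";)
"""

_RULE_RE = re.compile(
    r"^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+->\s+(\S+)\s+(\S+)\s+\((.*)\)\s*$"
)


def parse_rule(line):
    """Split one rule into (action, header tuple, {option: value})."""
    m = _RULE_RE.match(line)
    if not m:
        raise ValueError("unparsable rule: " + line)
    action, proto, sip, sp, dip, dp, opts = m.groups()
    options = {}
    for field in opts.split(";"):
        if ":" in field:
            k, v = field.split(":", 1)
            options[k.strip()] = v.strip().strip('"')
    return action, (proto, sip, sp, dip, dp), options


def build_tree(rules_text):
    """{action: OrderedDict{header: [options, ...]}}: one RTN per distinct
    header, OTNs hung beneath it in the order the rules were read."""
    tree = {}
    for line in rules_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        action, header, options = parse_rule(line)
        tree.setdefault(action, OrderedDict()).setdefault(header, []).append(options)
    return tree


def _ip_match(spec, addr):
    if spec == "any":
        return True
    ip = ipaddress.IPv4Address(addr)
    nets = VARS.get(spec) or [ipaddress.IPv4Network(spec if "/" in spec else spec + "/32")]
    return any(ip in n for n in nets)


def _port_match(spec, port):
    return spec == "any" or int(spec) == port


def header_matches(header, pkt):
    """The RTN test: done once per header, however many OTNs hang below."""
    proto, sip, sp, dip, dp = header
    return (proto == pkt["proto"] and _ip_match(sip, pkt["src"])
            and _port_match(sp, pkt["sport"]) and _ip_match(dip, pkt["dst"])
            and _port_match(dp, pkt["dport"]))


def options_match(options, pkt):
    """The OTN test; only `content` is modelled, absent content matches all."""
    content = options.get("content")
    return content is None or content.encode() in pkt["payload"]


def match_packet(tree, pkt, order=("alert", "pass", "log")):
    """Walk rule types in `order` (default Alert->Pass->Log; -o gives
    Pass->Alert->Log). First matching rule wins; returns (action, msg) or None."""
    for action in order:
        for header, otns in tree.get(action, {}).items():
            if not header_matches(header, pkt):
                continue  # whole column of OTNs skipped with one test
            for options in otns:
                if options_match(options, pkt):
                    return action, options.get("msg")
    return None


if __name__ == "__main__":
    tree = build_tree(SAMPLE_RULES)
    print("alert RTNs:", len(tree["alert"]),
          "OTNs under it:", len(next(iter(tree["alert"].values()))))
    pkt = {"proto": "tcp", "src": "10.1.1.5", "sport": 40000,
           "dst": "10.1.1.20", "dport": 80, "payload": b"GET /foo"}
    print("default order:", match_packet(tree, pkt))
    print("with -o      :", match_packet(tree, pkt, order=("pass", "alert", "log")))
```

Running it shows the point of both FAQ entries at once: the three alert rules collapse into a single RTN with three OTNs, and the packet from the trusted host 10.1.1.5 still produces the "foo" alert under the default order, because the alert RTN is walked before the pass rule is ever reached; only the -o order lets the pass rule win.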