Snort setup

From PrgmrWiki
Revision as of 10:17, 2 December 2008 by Lsc (talk | contribs)

Please note... these are random notes, taken when I was halfway dead with insomnia. Scratch pad, if you will. I hope someday to make it decent, but for now, ignore this.

On dom0 ("lion"), eth1 is the monitor NIC. Add it to xenbr1, put both the NIC and the bridge into promiscuous mode, and set the bridge's ageing time to 0 so it never learns MAC addresses and floods every frame out every port, which is what lets the snort domU's vif on the bridge see traffic that is not addressed to it. setmaxage is an STP timer and only matters if STP is running on the bridge.

[root@lion ~]# /usr/sbin/brctl addif xenbr1 eth1
[root@lion ~]# /sbin/ifconfig eth1 promisc
[root@lion ~]# /sbin/ifconfig xenbr1 promisc
[root@lion ~]# /usr/sbin/brctl setageing xenbr1 0
[root@lion ~]# /usr/sbin/brctl setmaxage xenbr1 0
[root@lion ~]# /sbin/ifconfig xenbr1 up
[root@lion ~]# /sbin/ifconfig xenbr1 promisc

Start the snort domU, then let bridged frames arriving on eth1 through the FORWARD chain (with bridge-netfilter active they traverse iptables, so a restrictive FORWARD policy would otherwise drop them before they reach the domU's vif):

[root@lion ~]# /usr/sbin/xm create -c snort
[root@lion ~]# /sbin/iptables -A FORWARD -m physdev --physdev-in eth1 -j ACCEPT
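A check for the dom0 side, added here and not part of the wiki: it reads the bridge state back from sysfs so you can tell whether the commands above actually left xenbr1 as a flooding hub with eth1 as a promiscuous port. It assumes the standard Linux bridge sysfs layout (brif/<port>, bridge/ageing_time, and a hex flags file where IFF_UP is 0x1 and IFF_PROMISC is 0x100); the optional SYSROOT argument exists only so the check can be run against a constructed tree instead of the live /sys.

```shell
#!/bin/sh
# Added check, not from the wiki: verify the bridge is in the "sniffing hub"
# state the brctl/ifconfig commands are meant to produce, by reading sysfs.
# Assumed layout: /sys/class/net/<br>/brif/<port>, /sys/class/net/<br>/bridge/ageing_time,
# /sys/class/net/<dev>/flags (hex; IFF_UP=0x1, IFF_PROMISC=0x100).
# SYSROOT is only there so the check can be run against a constructed tree.

# Usage: check_sniff_bridge BRIDGE NIC [SYSROOT]   -> returns 0 when every check passes
check_sniff_bridge() {
    br=$1; nic=$2; sysroot=${3:-/sys}
    net=$sysroot/class/net
    rc=0

    # 1. The monitor NIC really is a port of the bridge.
    if [ ! -d "$net/$br/brif/$nic" ]; then
        echo "FAIL: $nic is not a port of $br (brctl addif $br $nic)"; rc=1
    fi

    # 2. Ageing time 0: the bridge learns no MAC addresses and floods every
    #    frame to every port, so the snort domU's vif sees all of it.
    ageing=$(cat "$net/$br/bridge/ageing_time" 2>/dev/null || echo missing)
    if [ "$ageing" != 0 ]; then
        echo "FAIL: $br ageing_time is $ageing, expected 0 (brctl setageing $br 0)"; rc=1
    fi

    # 3. Both the NIC and the bridge are up and promiscuous.
    for dev in "$nic" "$br"; do
        flags=$(cat "$net/$dev/flags" 2>/dev/null || echo 0)
        if [ $(( flags & 0x1 )) -eq 0 ]; then
            echo "FAIL: $dev is down (ifconfig $dev up)"; rc=1
        fi
        if [ $(( flags & 0x100 )) -eq 0 ]; then
            echo "FAIL: $dev is not promiscuous (ifconfig $dev promisc)"; rc=1
        fi
    done

    [ $rc -eq 0 ] && echo "OK: $br with port $nic is set up as a sniffing hub"
    return $rc
}

# On the real dom0:  check_sniff_bridge xenbr1 eth1
```

Run it after the brctl/ifconfig sequence (and again after a reboot, since nothing above persists); each FAIL line names the command that fixes it.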

For now this is run by hand on the snort domU. It tails the Snort alerts that syslog writes to /var/log/secure, prints each "src -> dst" pair, appends every alert to a per-destination file under the web root, and copies alerts from the three watched source prefixes into PRGMR:

bash-3.1# tail -f /var/log/secure | perl -n -e '
    next unless m/ (\d+\.\d+\.\d+\.\d+)(?::\d+)? -> (\d+\.\d+\.\d+\.\d+)/;   # skip lines without a "src -> dst" pair instead of reusing stale $1/$2
    my ($src, $dst) = ($1, $2);
    if ($src =~ m/^(216\.218\.223|64\.62\.205|216\.218\.210)\./) {          # anchored prefix match, dots escaped
        open(my $p, ">>", "/var/www/html/snort/PRGMR") or die "PRGMR: $!"; print $p $_;
    }
    print "$src  $dst: $_";
    open(my $l, ">>", "/var/www/html/snort/$dst.log") or die "$dst.log: $!"; print $l $_;   # open/print, never `echo "$_"` through a shell
'

This really needs to go into the startup scripts, though.
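The same job as the one-liner, as an added example that is not from the wiki, written so that it can be dropped into an init script and so that nothing read from the log is ever handed to a shell. A version that builds an `echo "$_" >> file` command in backticks runs every line of /var/log/secure through /bin/sh as root, and that file also receives sshd entries such as "Invalid user ... from ..." whose user name is chosen by whoever is knocking; a name containing $(...) or backquotes would be executed. awk writes with print > file and spawns nothing. Assumed: alerts reach the file in the shape Snort's syslog output uses ("... {TCP} 1.2.3.4:5678 -> 5.6.7.8:22"), the three watched prefixes are the ones from the one-liner, and the output directory is passed in (the wiki used /var/www/html/snort). The sample log lines are constructed, not real alerts.

```shell
#!/bin/sh
# Added example, not from the wiki: sort Snort alert lines by destination IP
# and copy alerts from the watched source prefixes into PRGMR, without ever
# passing log text to a shell.  Assumes syslog-style Snort alert lines
# ("... {TCP} src:port -> dst:port") and the prefixes from the wiki's one-liner.

# Usage: split_alerts LOGFILE OUTDIR [follow]
#   "follow" keeps reading like tail -f (for an init script); otherwise the
#   file is processed once and the function returns.
split_alerts() {
    logfile=$1; outdir=$2; mode=${3:-once}
    mkdir -p "$outdir" || return 1
    if [ "$mode" = follow ]; then
        tail -n 0 -f "$logfile"
    else
        cat "$logfile"
    fi | awk -v outdir="$outdir" '
    {
        # Only lines with an IPv4 "src[:port] -> dst" pair are alerts; everything
        # else in /var/log/secure (sshd, sudo, ...) is skipped rather than being
        # appended to whatever file the previous match selected.
        if (!match($0, /[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+(:[0-9]+)? -> [0-9]+\.[0-9]+\.[0-9]+\.[0-9]+/))
            next
        split(substr($0, RSTART, RLENGTH), p, " -> ")
        src = p[1]; dst = p[2]
        sub(/:[0-9]+$/, "", src)          # drop the source port, if any
        # dst is digits and dots only (the regex guarantees it), so it is safe as
        # a file name, and the redirection never goes through a shell.
        f = outdir "/" dst ".log"
        # Anchored prefix match with escaped dots (a bare "216.218.223" would
        # match anywhere in the address with "." as a wildcard).
        if (src ~ /^(216\.218\.223|64\.62\.205|216\.218\.210)\./) {
            print $0 >> (outdir "/PRGMR"); close(outdir "/PRGMR")
        }
        print src "  " dst ": " $0
        print $0 >> f; close(f)           # close() keeps the fd count bounded in follow mode
        fflush()
    }'
}

# Constructed sample log lines (not real alerts; sids are from the local range).
# The sshd line carries shell metacharacters to show they are skipped, not run.
sample_alerts() {
    cat <<'EOF'
Dec  2 10:17:01 snort snort[2231]: [1:1000001:1] LOCAL ssh probe [Priority: 2] {TCP} 216.218.223.9:40012 -> 10.0.0.5:22
Dec  2 10:17:02 snort snort[2231]: [1:1000002:1] LOCAL outbound ssh [Priority: 2] {TCP} 10.0.0.5:22 -> 198.51.100.7:40013
Dec  2 10:17:03 snort sshd[2240]: Invalid user `touch /tmp/pwned` from 203.0.113.4
Dec  2 10:17:04 snort snort[2231]: [1:1000003:1] LOCAL dns probe [Priority: 3] {UDP} 64.62.205.1:53 -> 10.0.0.5:1025
EOF
}

# One-shot run over the sample into a scratch directory.  From an init script
# the real call would be:  split_alerts /var/log/secure /var/www/html/snort follow &
demo_dir=$(mktemp -d)
sample_alerts > "$demo_dir/secure"
split_alerts "$demo_dir/secure" "$demo_dir/out"
```

With the sample above, 10.0.0.5.log gets two lines, 198.51.100.7.log one, PRGMR the two alerts from the watched prefixes, and the sshd line is never written anywhere. In follow mode the function does not return, so background it from the init script and make sure the account it runs as can write the output directory but does not need root.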