
Thursday, March 1, 2012

Snort is an open source network intrusion prevention and detection system.

Read More...
http://www.snort.org/

Notes from me, Don:

Without all of the Requirements.
I get this error on boot in Fedora 14 ("Starting snort: [FAILED]"). But when I looked in Services, Snort is running now, and I did not start it manually. I have all but Barnyard2 and DAQ, which are not in my Fedora 14 repos. I downloaded both and installed DAQ from the RPM file. But Barnyard2 is only available from the barnyard2-1.9.tar.gz (last updated on 27 Dec 10) right now. The rest were automatically installed with Snort and/or the other apps that I installed (see screenshot below). So, I will have to manually install Barnyard2. And according to the FAQ on their site (http://www.securixlive.com/barnyard2/faq.php), SQL is needed too. I have MySQL installed already, but I don't mess with setting up the database and such right now... Also, in the notes below (from the package manager), I may have to edit some config files too. But sometimes that is done automatically by the apps when they are installed. These notes can sometimes be outdated. I may try this later...

Don

Required Software

  • Libpcap
  • PCRE
  • Libdnet
  • Barnyard2
  • DAQ

Note to Windows users: If you're downloading Snort binaries, the only requirements are WinPcap and Barnyard.

Libpcap

In the field of computer network administration, pcap (packet capture) consists of an application programming interface (API) for capturing network traffic. Unix-like systems implement pcap in the libpcap library; Windows uses a port of libpcap known as WinPcap.

Monitoring software may use libpcap and/or WinPcap to capture packets traveling over a network. libpcap and WinPcap also support saving captured packets to a file and reading files containing saved packets. Snort uses these files to read network traffic and analyze it.

For more information and to download, please visit tcpdump.

PCRE

Perl Compatible Regular Expressions (PCRE) is a regular expression C library inspired by Perl’s external interface, written by Philip Hazel. The PCRE library is incorporated into a number of prominent open-source programs such as the Apache HTTP Server, the PHP and R scripting languages, and Snort.

For more information and to download, please visit PCRE.

Libdnet

Libdnet is a generic networking API that provides access to several protocols.

For more information and to download, please visit libdnet.

Barnyard2

Barnyard2 is an output system for Snort. Snort creates a special binary output format called "unified". Barnyard2 reads this file and then resends the data to a database back-end. Unlike the database output plugin, Barnyard2 manages the sending of events to the database and stores them when the database temporarily cannot accept connections.

For more information and to download, please visit barnyard2.
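To make the "unified" file format above concrete, here is a small reader for the unified2 record layout that Snort 2.9-era sensors write and Barnyard2 consumes. This is an added example, not Barnyard2's or Snort's own code; it assumes the record header (type, length) and the legacy IPv4 IDS-event record (type 7) layout, builds one constructed event in memory, and rejects a record whose declared length runs past the end of the data.

```python
import socket
import struct

# Record header and the legacy IPv4 IDS-event layout of unified2 as written by
# Snort 2.9-era sensors (assumed here; this is not Barnyard2's own code).
UNIFIED2_IDS_EVENT = 7
HEADER = struct.Struct("!II")          # record type, record length (big-endian)
IDS_EVENT = struct.Struct("!11I2H4B")  # Serial_Unified2IDSEvent_legacy, 52 bytes
EVENT_FIELDS = ("sensor_id", "event_id", "event_second", "event_microsecond",
                "sid", "gid", "rev", "classification_id", "priority",
                "src", "dst", "sport", "dport", "protocol",
                "impact_flag", "impact", "blocked")


def make_ids_event(sid, src, dst, sport, dport, protocol=6):
    """Build one constructed type-7 record (header + body) for testing."""
    body = IDS_EVENT.pack(
        0, 1, 1330560000, 0, sid, 1, 1, 3, 2,
        struct.unpack("!I", socket.inet_aton(src))[0],
        struct.unpack("!I", socket.inet_aton(dst))[0],
        sport, dport, protocol, 0, 0, 0)
    return HEADER.pack(UNIFIED2_IDS_EVENT, len(body)) + body


def parse_unified2(data):
    """Yield (record_type, payload) per record. Type-7 events are decoded
    into a dict; other record types are returned as raw bytes. A record
    whose declared length runs past the end of the data is rejected."""
    offset = 0
    while offset + HEADER.size <= len(data):
        rtype, rlen = HEADER.unpack_from(data, offset)
        offset += HEADER.size
        body = data[offset:offset + rlen]
        if len(body) < rlen:
            raise ValueError("truncated record at offset %d" % offset)
        offset += rlen
        if rtype == UNIFIED2_IDS_EVENT and rlen >= IDS_EVENT.size:
            fields = list(IDS_EVENT.unpack_from(body))
            fields[9] = socket.inet_ntoa(struct.pack("!I", fields[9]))
            fields[10] = socket.inet_ntoa(struct.pack("!I", fields[10]))
            yield rtype, dict(zip(EVENT_FIELDS, fields))
        else:
            yield rtype, body


# Constructed sample: one alert for a TCP connection to port 80.
SAMPLE = make_ids_event(1000001, "10.0.0.5", "192.168.1.10", 43210, 80)

if __name__ == "__main__":
    for rtype, rec in parse_unified2(SAMPLE):
        print(rtype, rec)
```

A real spool file from a sensor also carries type-2 packet records after each event; they come back here as raw bytes, which is where a database writer like Barnyard2 would decode the captured packet.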

DAQ

DAQ is the Data-Acquisition API that is necessary to use Snort version 2.9.0 and above.

For more information and to download, please visit DAQ.

Go there...
http://www.snort.org/start/requirements

Package Manager Notes, with More info and Apps that work with Snort:

Snort is a libpcap-based packet sniffer/logger which can be used as a lightweight network intrusion detection system. It features rules-based logging, can perform protocol analysis and content searching/matching, and can be used to detect a variety of attacks and probes, such as buffer overflows, stealth port scans, CGI attacks, SMB probes, OS fingerprinting attempts, and much more. Snort has a real-time alerting capability, with alerts being sent to syslog, a separate "alert" file, or as a WinPopup message via Samba's smbclient.
Edit /etc/snort.conf to configure snort and use snort.d to start snort.

This rpm is different from previous rpms and, while it will not clobber your current snortd file, you will need to modify it.
There are 9 different packages available. All of them require the base snort rpm. Additionally, you will need to choose a binary to install.

/usr/sbin/snort should end up being a symlink to a binary in one of the following configurations: plain, plain+flexresp, mysql, mysql+flexresp, postgresql, postgresql+flexresp, snmp, snmp+flexresp, or bloat (mysql+postgresql+flexresp+snmp).
Please see the documentation in /usr/share/doc/snort-2.8.5.1.
There are no rules in this package; the license they are released under forbids us from repackaging and redistributing them.

Port Scan Attack Detector (psad) is a collection of three lightweight system daemons written in Perl and in C that are designed to work with Linux iptables firewalling code to detect port scans and other suspect traffic.  It features a set of highly configurable danger thresholds (with sensible defaults provided), verbose alert messages that include the source, destination, scanned port range, begin and end times, tcp flags and corresponding nmap options, reverse DNS info, email and syslog alerting, automatic blocking of offending ip addresses via dynamic configuration of iptables rulesets, and passive operating system fingerprinting.  In addition, psad incorporates many of the tcp, udp, and icmp signatures included in the snort intrusion detection system (http://www.snort.org) to detect highly suspect scans for various backdoor programs (e.g. EvilFTP, GirlFriend, SubSeven), DDoS tools (mstream, shaft), and advanced port scans (syn, fin, xmas) which are easily leveraged against a machine via nmap.  psad can also alert on snort signatures that are logged via fwsnort (http://www.cipherdyne.org/fwsnort/), which makes use of the iptables string match module to detect application layer signatures.

From the AirSnort Homepage

This software is OLD

It is no longer maintained or supported. Besides, there are much better tools out there. You really should be trying something like aircrack-ng.

Package Manager Notes:

AirSnort is a wireless LAN (WLAN) tool which recovers encryption keys. AirSnort operates by passively monitoring transmissions, computing the encryption key when enough packets have been gathered. 802.11b, using the Wired Equivalent Protocol (WEP), is crippled with numerous security flaws. Most damning of these is the weakness described in "Weaknesses in the Key Scheduling Algorithm of RC4" by Scott Fluhrer, Itsik Mantin and Adi Shamir. Adam Stubblefield was the first to implement this attack, but he has not made his software public. AirSnort, along with WEPCrack, which was released about the same time as AirSnort, are the first publicly available implementations of this attack. AirSnort requires approximately 5-10 million encrypted packets to be gathered. Once enough packets have been gathered, AirSnort can guess the encryption password in under a second.

fwsnort translates Snort rules into equivalent iptables rules and generates a Bourne shell script that implements the resulting iptables commands. In addition, fwsnort (optionally) uses the IPTables::Parse module to parse the iptables ruleset on the machine to determine which Snort rules are applicable to the specific iptables policy. fwsnort is able to translate approximately 60% of all rules from the Snort-2.3.3 IDS into equivalent iptables rules.
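The translation fwsnort performs is easier to see on a concrete rule. The following is an added example, not fwsnort's code: it maps a simple Snort alert rule (protocol, direction, ports, one plain content: pattern, nocase) onto an iptables LOG rule using the string match, and returns None for rules it cannot express, mirroring the fact that fwsnort only translates a fraction of the ruleset. The Snort rules, the chain name and the $HOME_NET value are constructed assumptions.

```python
import re
import shlex

# Constructed Snort rules for the demo (not taken from any ruleset the page mentions).
RULES = [
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB-MISC example.cgi access"; '
    'content:"/example.cgi"; nocase; sid:1000002; rev:1;)',
    'alert udp any any -> $HOME_NET 161 (msg:"SNMP public community"; '
    'content:"public"; sid:1000003; rev:1;)',
    'alert tcp any any -> any any (msg:"no content keyword"; sid:1000004;)',
]

# Rule header: action proto src sport -> dst dport (options)
HEADER_RE = re.compile(
    r'^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+'
    r'->\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s+\((?P<opts>.*)\)\s*$')
# Options: "name;" or "name:value;" where value may be a quoted string
OPT_RE = re.compile(r'(\w+)(?::\s*("(?:[^"\\]|\\.)*"|[^;]*))?;')


def snort_to_iptables(rule, chain="INPUT", home_net="192.168.1.0/24"):
    """Return an iptables LOG rule equivalent to a simple Snort alert rule,
    or None when the rule cannot be expressed with the string match
    (fwsnort likewise skips the rules it cannot translate)."""
    m = HEADER_RE.match(rule)
    if not m or m["action"] != "alert" or m["proto"] not in ("tcp", "udp"):
        return None
    opts = {k: v.strip('"') for k, v in OPT_RE.findall(m["opts"])}
    content = opts.get("content")
    if not content or "|" in content:
        return None  # no payload pattern, or hex content not handled here
    cmd = ["iptables", "-A", chain, "-p", m["proto"]]
    for flag, addr in (("-s", m["src"]), ("-d", m["dst"])):
        addr = addr.replace("$HOME_NET", home_net)
        if addr not in ("any", "$EXTERNAL_NET"):  # EXTERNAL_NET treated as any
            cmd += [flag, addr]
    for flag, port in (("--sport", m["sport"]), ("--dport", m["dport"])):
        if port.isdigit():  # port lists and ranges are left untranslated
            cmd += [flag, port]
    cmd += ["-m", "string", "--algo", "bm", "--string", shlex.quote(content)]
    if "nocase" in opts:
        cmd.append("--icase")
    prefix = ("SID%s " % opts.get("sid", "0"))[:29]  # iptables LOG prefix limit
    cmd += ["-j", "LOG", "--log-prefix", shlex.quote(prefix)]
    return " ".join(cmd)


if __name__ == "__main__":
    for rule in RULES:
        print(snort_to_iptables(rule) or "# skipped: " + rule)
```

The generated rules only log; fwsnort's optional blocking and its handling of hex content, offsets and flow state are not reproduced here.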


Links: Snort is an open source network intrusion prevention and detection system

psad - Intrusion Detection with iptables, iptables Log Analysis, iptables Policy Analysis
securixlive.com :: barnyard2 :: download
Snort :: snort-downloads
AirSnort Homepage
fwsnort - iptables Intrusion Detection with String Matching and Snort Rules
Snort :: Home Page
Snort :: requirements
Use Profiling to Improve Snort Performance
securixlive.com :: barnyard2 :: faq
