Channel: THWACK: Message List - Security Event Manager (SEM) - Formerly Log & Event Manager

Re: snort output server setup


Yes, the promiscuous NIC is the device that should be listed in the .conf file. So for example our physical box has 3 NICs: our management interface, our internal LAN, and our DMZ network. We have two separate conf files, one for eth1 (LAN) and one for eth2 (DMZ).

 

snort.eth1.conf:

ipvar HOME_NET LAN ip range/21

 

snort.eth2.conf:

ipvar HOME_NET DMZ ip range/21

 

In Debian the package contains a snort.debian.conf which tells the snort daemon what flags to run.  This is where the promisc NICs are entered.

 

DEBIAN_SNORT_STARTUP=boot

DEBIAN_SNORT_HOME_NET="LAN ip range/21,DMZ ip range/21"

DEBIAN_SNORT_OPTIONS="-A fast -s"

DEBIAN_SNORT_INTERFACE="eth1 eth2"

DEBIAN_SNORT_STATS_RCPT="root"

DEBIAN_SNORT_STATS_THRESHOLD="1"

 

 

eth1      Link encap:Ethernet  HWaddr 00:c0:9f:40:3b:c4

          inet6 addr: fe80::2c0:9fff:fe40:3bc4/64 Scope:Link

          UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1

          RX packets:729425951 errors:10 dropped:764 overruns:0 frame:6

          TX packets:6312 errors:0 dropped:0 overruns:0 carrier:0

          collisions:0 txqueuelen:1000

          RX bytes:4096109712 (3.8 GiB)  TX bytes:265320 (259.1 KiB)

 

 

eth2      Link encap:Ethernet  HWaddr 00:c0:9f:40:3b:c5

          inet6 addr: fe80::2c0:9fff:fe40:3bc5/64 Scope:Link

          UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1

          RX packets:11512538 errors:0 dropped:149 overruns:0 frame:0

          TX packets:6 errors:0 dropped:0 overruns:0 carrier:0

          collisions:0 txqueuelen:1000

          RX bytes:824252137 (786.0 MiB)  TX bytes:468 (468.0 B)

 

snort    10888  8.4  8.5 775728 344632 ?       Ssl  06:25  15:12 /usr/sbin/snort -m 027 -D -d -l /var/log/snort -u snort -g snort -A fast -s -c /etc/snort/snort.eth1.conf -S HOME_NET=[LAN ip range/21,DMZ ip range/21] -i eth1

snort    10921  0.1  6.4 775744 259140 ?       Ssl  06:26   0:10 /usr/sbin/snort -m 027 -D -d -l /var/log/snort -u snort -g snort -A fast -s -c /etc/snort/snort.eth2.conf -S HOME_NET=[LAN ip range/21,DMZ ip range/21] -i eth2

 

I'm not sure if the .debian.conf exists in SUSE or not. I would imagine it doesn't. You may want to look at a tutorial on getting Snort set up first. Then attempt to integrate LEM. The LEM part is just a matter of outputting the logs and setting up your connector.

 

This will run it in daemon mode, use the snort.conf config file and log to /var/log/snort.

snort -D -c /etc/snort/snort.conf -l /var/log/snort/
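As an added example (not part of the original post or the Debian package), the script below rebuilds the per-interface snort command lines from a snort.debian.conf the way the ps output above shows them, so you can diff the expected daemons against what is actually running. It assumes the Debian init script's lookup order (snort.<iface>.conf first, then snort.conf) and the fixed flags seen in the ps lines; the sample config and IP ranges are constructed.

```shell
#!/bin/sh
# Added example: derive the expected snort daemon command line for each
# interface listed in snort.debian.conf. Assumed, not verified here: the
# Debian init script's conf lookup order and the fixed flag prefix below.
set -u

# $1 = path to snort.debian.conf, $2 = interface, $3 = conf dir (default /etc/snort)
snort_cmd_for_iface() {
    conf_file=$1; iface=$2; confdir=${3:-/etc/snort}
    . "$conf_file"                       # plain KEY="value" shell syntax
    # Per-interface file wins (snort.eth1.conf); otherwise shared snort.conf.
    if [ -f "$confdir/snort.$iface.conf" ]; then
        cfg="$confdir/snort.$iface.conf"
    else
        cfg="$confdir/snort.conf"
    fi
    printf '%s' "/usr/sbin/snort -m 027 -D -d -l /var/log/snort -u snort -g snort"
    printf ' %s -c %s' "${DEBIAN_SNORT_OPTIONS:-}" "$cfg"
    # DEBIAN_SNORT_HOME_NET overrides the ipvar HOME_NET in the conf file.
    if [ -n "${DEBIAN_SNORT_HOME_NET:-}" ]; then
        printf ' -S HOME_NET=[%s]' "$DEBIAN_SNORT_HOME_NET"
    fi
    printf ' -i %s\n' "$iface"
}

# One line per interface in DEBIAN_SNORT_INTERFACE; compare with `ps -ef | grep snort`.
snort_expected_cmds() {
    conf_file=$1; confdir=${2:-/etc/snort}
    . "$conf_file"
    for i in ${DEBIAN_SNORT_INTERFACE:-}; do
        snort_cmd_for_iface "$conf_file" "$i" "$confdir"
    done
}

# Constructed sample mirroring the post; uses a temp dir, never /etc/snort.
demo() {
    d=$(mktemp -d)
    cat > "$d/snort.debian.conf" <<'EOF'
DEBIAN_SNORT_STARTUP=boot
DEBIAN_SNORT_HOME_NET="10.0.0.0/21,10.0.8.0/21"
DEBIAN_SNORT_OPTIONS="-A fast -s"
DEBIAN_SNORT_INTERFACE="eth1 eth2"
EOF
    : > "$d/snort.eth1.conf"   # only eth1 has its own file
    : > "$d/snort.conf"        # eth2 falls back to this one
    snort_expected_cmds "$d/snort.debian.conf" "$d"
    rm -rf "$d"
}
demo
```

A daemon missing from the ps output for an interface the script lists is the first thing to check when LEM receives alerts from only one network segment.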

