Snort IDS and omnia


#1

I am trying to run snort.
Found this wiki https://wiki.openwrt.org/doc/howto/snort
But when I try to run snort it ends with:

ERROR: Can’t find pcap DAQ!
Fatal Error, Quitting…

libpcap and libdaq is installed.
Anyone else try to run snort on omnia?


#2

http://seclists.org/snort/2012/q1/89


#3

No progress since? noumes?


#4

Finally got snort working!

In the config file snort.conf you need to set up:
config daq: pcap
config daq_dir: /usr/lib/daq
because this is set only in the init file, so when running snort via cmd it ends with an error without this.


#5

Nice, do you have some results? How good is SNORT?


#6

I have snort up and running on the Omnia with zero output or alerts. Would love to see configs if anyone has this working successfully!


#7

Same problem, got zero output from snort.
Sending the log to a remote syslog didn't work for me:
output alert_syslog: host=IP:port, LOG_AUTH LOG_ALERT

Running snort with -l creates a file but the file is still empty.

In syslog there is only a statistic when stopping snort, nothing else.


#8

I found some output… cat /var/log/messages |grep snort

2017-01-13T13:25:07-05:00 alert snort[]: [1:2006380:12] ET POLICY Outgoing Basic Auth Base64 HTTP Password detected unencrypted [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 192.168.XX.XXX:58396 -> 192.168…XX.XXX:80

These alerts, oddly, are not available for viewing with a simple "cat /var/log/messages", nor are they showing up in my graylog2 instance. I only found them with: cat /var/log/messages |grep snort

A note - I also updated the snort rules using pulledpork.pl on a different host and synced them over to the turris box. I also disabled DNP and MOD processors to reduce memory consumption.
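To make alerts like the one above easier to review (or to forward to something like the graylog2 instance mentioned), here is an added parser, not code from the thread or from the Snort project. It handles the syslog-style line shown in post #8 and also the alert_fast line shape that the later post #10 refers to (the alert_fast format with [**] separators is assumed from memory of Snort's output, not taken from this thread). The sample lines, IP addresses and the sid 1000001 rule are constructed for the example.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample lines: one syslog-style alert (the shape shown in post #8,
# with the masked addresses replaced by made-up ones), one alert_fast-style
# alert for a local test rule, and one non-alert statistics line.
SAMPLE_LINES = [
    "2017-01-13T13:25:07-05:00 alert snort[]: [1:2006380:12] ET POLICY Outgoing Basic "
    "Auth Base64 HTTP Password detected unencrypted [Classification: Potential Corporate "
    "Privacy Violation] [Priority: 1] {TCP} 192.168.1.50:58396 -> 203.0.113.10:80",
    "01/13-13:26:11.482911  [**] [1:1000001:1] LOCAL TEST ICMP ping (constructed) [**] "
    "[Classification: Misc activity] [Priority: 3] {ICMP} 192.168.1.50 -> 192.168.1.1",
    "2017-01-13T13:30:00-05:00 info snort[]: Packet I/O Totals: Received: 1234",
]

# The common tail of a Snort alert: [gid:sid:rev] message, optional classification,
# priority, protocol in braces, then "src[:port] -> dst[:port]" (no ports for ICMP).
ALERT_RE = re.compile(
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+"
    r"(?:\[\*\*\]\s+)?"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s*)?"
    r"\[Priority:\s*(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>[A-Za-z0-9]+)\}\s+"
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>[\d.]+)(?::(?P<dport>\d+))?"
)


@dataclass
class SnortAlert:
    gid: int
    sid: int
    rev: int
    msg: str
    classification: Optional[str]
    priority: int
    proto: str
    src: str
    sport: Optional[int]
    dst: str
    dport: Optional[int]


def severity(priority: int) -> str:
    """Map Snort's numeric priority (1 is most urgent) to a label for triage."""
    return {1: "high", 2: "medium", 3: "low"}.get(priority, "info")


def parse_alert(line: str) -> Optional[SnortAlert]:
    """Return a SnortAlert for an alert line, or None for any other line."""
    m = ALERT_RE.search(line)
    if not m:
        return None
    port = lambda v: int(v) if v is not None else None
    return SnortAlert(
        gid=int(m["gid"]), sid=int(m["sid"]), rev=int(m["rev"]),
        msg=m["msg"], classification=m["cls"], priority=int(m["prio"]),
        proto=m["proto"].upper(),
        src=m["src"], sport=port(m["sport"]),
        dst=m["dst"], dport=port(m["dport"]),
    )


def parse_alerts(lines: List[str]) -> List[SnortAlert]:
    """Parse every alert line, silently skipping statistics and other noise."""
    return [a for a in (parse_alert(l) for l in lines) if a is not None]


def count_by_sid(alerts: List[SnortAlert]) -> Counter:
    """How often each rule fired; useful for spotting noisy rules to tune."""
    return Counter(a.sid for a in alerts)


if __name__ == "__main__":
    for a in parse_alerts(SAMPLE_LINES):
        print(f"{severity(a.priority):6} sid={a.sid} {a.proto} "
              f"{a.src}:{a.sport} -> {a.dst}:{a.dport}  {a.msg}")
```

On the router itself you would feed it the output of `grep snort /var/log/messages` (or the alert.fast file) instead of SAMPLE_LINES; the priority-to-severity mapping follows Snort's convention that priority 1 is the most urgent.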


#9

I added those 2 lines in the config.
Libdaq is installed, I verified the path.
Did you do other changes?


#10

I got it to work, and I added output alert_fast: alert.fast to my snort.conf

It writes alerts in /var/log/snort/alert.fast

It doesn't work when it runs with the -s option, which is the default in /etc/init.d/snort
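Posts #4 and #10 between them name three snort.conf directives that this thread found necessary on the Omnia (the two daq lines and the alert_fast output). The following is an added helper, not code from the thread or from the Snort project, that checks a snort.conf for those directives, appends the ones that are missing, and reports a conflict rather than silently overriding a line that sets the same key to a different value (for example a daq other than pcap). The sample config text is constructed; the directive values themselves are the ones quoted in the thread.

```python
import re
from typing import Dict, List, Tuple

# Directive key (as it appears at the start of a line) -> full line to add if absent.
# Values are the ones reported as working in this thread.
REQUIRED: Dict[str, str] = {
    "config daq:": "config daq: pcap",
    "config daq_dir:": "config daq_dir: /usr/lib/daq",
    "output alert_fast:": "output alert_fast: alert.fast",
}

# Constructed sample: has the daq line already, sets a different output, lacks the rest.
SAMPLE_CONF = """\
# constructed snort.conf fragment
config daq: pcap
output unified2: filename snort.log, limit 128
"""


def _normalize(line: str) -> str:
    """Collapse whitespace so 'config  daq :pcap' style variants still match."""
    return re.sub(r"\s+", " ", line.strip())


def check_directives(conf_text: str) -> Tuple[List[str], List[str]]:
    """Return (missing_keys, conflicting_lines) for the REQUIRED directives."""
    present = {}
    for raw in conf_text.splitlines():
        line = _normalize(raw)
        if not line or line.startswith("#"):
            continue
        for key in REQUIRED:
            if line.startswith(key):
                present[key] = line
    missing = [k for k in REQUIRED if k not in present]
    conflicts = [present[k] for k in REQUIRED
                 if k in present and present[k] != _normalize(REQUIRED[k])]
    return missing, conflicts


def ensure_directives(conf_text: str) -> Tuple[str, List[str], List[str]]:
    """Append missing directives; never rewrite a conflicting existing line."""
    missing, conflicts = check_directives(conf_text)
    if not missing:
        return conf_text, [], conflicts
    block = "\n".join(REQUIRED[k] for k in missing)
    sep = "" if conf_text.endswith("\n") or not conf_text else "\n"
    new_text = f"{conf_text}{sep}# added: directives needed on Turris Omnia\n{block}\n"
    return new_text, [REQUIRED[k] for k in missing], conflicts


if __name__ == "__main__":
    text, added, conflicts = ensure_directives(SAMPLE_CONF)
    print("added:", added)
    print("conflicts:", conflicts)
    print(text)
```

Run it against a copy of /etc/snort/snort.conf and write the result back only after reviewing the reported conflicts; a conflicting daq line is the kind of thing that produces the "Can't find pcap DAQ!" error from post #1 without any hint in the config itself.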


#11

Awesome to see someone got it working. It would be nice if you summarised the experience, how to install it and how to get it going, as a community doc:

https://www.turris.cz/doc/en/public/start


#12