Я устанавливал с репозитория, запускал так:
# Snort 2.x invocation as used on the device (flags exactly as on the line below):
#   -A full  full-detail text alerts, written to an "alert" file inside the -l directory
#   -i ppp0  sniff the PPP (WAN-side) interface
#   -l DIR   log directory (here the directory itself is called ".../alert", which is easy
#            to confuse with the alert file that ends up inside it)
#   -c FILE  configuration file
#   -s       additionally send alerts to syslog
# NOTE(review): -s together with "output alert_syslog" in the config presumably delivers
# each alert to syslog twice — confirm, and keep only one of the two.
# NOTE(review): no -u/-g, so snort keeps the privileges of the shell that starts it
# (likely root on a router); drop to an unprivileged account if the device has one.
/opt/bin/snort -A full -i ppp0 -l /opt/var/log/snort/alert -c /opt/etc/snort.conf -s
Конфиг был такой:
# --- Address / port variables (referenced by the rule files included below) ---
# NOTE(review): snort is started on ppp0 (the PPP/WAN side, see the command line above).
# If the router NATs, packets on that interface carry the public address, so
# 192.168.1.0/24 would rarely appear on the wire and every $HOME_NET-scoped rule would
# stay silent — confirm which addresses actually show up on ppp0 before relying on this.
var HOME_NET 192.168.1.0/24
var EXTERNAL_NET !$HOME_NET
var DNS_SERVERS $HOME_NET
var SMTP_SERVERS $HOME_NET
var HTTP_SERVERS $HOME_NET
var SQL_SERVERS $HOME_NET
var TELNET_SERVERS $HOME_NET
var SNMP_SERVERS $HOME_NET
# Only port 80 here, while http_inspect_server below also inspects 8080 and 8081;
# rules that match on $HTTP_PORTS will therefore not cover those two ports.
var HTTP_PORTS 80
var SHELLCODE_PORTS !80
var ORACLE_PORTS 1521
var AIM_SERVERS [64.12.24.0/23,64.12.28.0/23,64.12.161.0/24,64.12.163.0/24,64.12.200.0/24,205.188.3.0/24,205.188.5.0/24,205.188.7.0/24,205.188.9.0/24,205.188.153.0/24,205.188.248.0/24]
var RULE_PATH /opt/etc/snort/rules
# Dynamic preprocessor/engine/detection libraries are disabled; the paths are the
# upstream defaults (/usr/local/lib), not /opt, so they probably do not exist here anyway.
#dynamicpreprocessor directory /
#dynamicengine /usr/local/lib/snort_dynamicengine/libsf_engine.so
#dynamicdetection directory /usr/local/lib/snort_dynamicrule/
#config disable_decode_alerts
config enable_decode_oversized_alerts
config detection: search-method ac-bnfa
config order: pass alert log activation
# --- Preprocessors ---
# The older flow/frag2/frag3/stream4 preprocessors are left commented out; stream5
# below replaces stream4. NOTE(review): with frag3 disabled, fragmented IP traffic is
# not reassembled before inspection — presumably a memory trade-off, verify it is intended.
#preprocessor flow: stats_interval 0 hash 2
#preprocessor frag2
#preprocessor frag3_global: max_frags 65536
#preprocessor frag3_engine: policy first detect_anomalies
#preprocessor stream4: disable_evasion_alerts detect_scans
# max_tcp 8192 sessions — a small table, presumably sized for the router's RAM.
preprocessor stream5_global: max_tcp 8192, track_tcp yes, track_udp yes
preprocessor stream5_tcp: policy first, use_static_footprint_sizes
# UDP tracking with default options (none given).
preprocessor stream5_udp:
preprocessor http_inspect: global \
iis_unicode_map /opt/etc/snort/unicode.map 1252
# Inspects 80, 8080 and 8081 — see the $HTTP_PORTS note above.
preprocessor http_inspect_server: server default \
profile all ports { 80 8080 8081 } oversize_dir_length 500
# Back Orifice detector.
preprocessor bo
# Portscan detection on all protocols, low sensitivity, 10 MB memcap.
preprocessor sfportscan: proto { all } \
memcap { 10000000 } \
sense_level { low }
# NOTE(review): ARP spoof detection is only meaningful on an Ethernet segment; there is
# no ARP on a PPP link, so on ppp0 this preprocessor will most likely never fire.
preprocessor arpspoof
#preprocessor xlink2state: ports { 25 691 }
# --- Output plugins ---
# NOTE(review): both the commented and the active database lines carry a cleartext
# MySQL user/password. Keep this file readable by root only, and replace the values
# before posting the config anywhere (and change them if this pair is real).
#output alert_fwsam: 127.0.0.1:888/snort
#output database: alert, mysql, user=snort password=snort dbname=snort_db host=localhost
# Alerts to syslog (facility LOG_AUTH, priority LOG_ALERT). The command line also passes
# -s, which presumably produces a second copy of each alert in syslog — confirm.
output alert_syslog: LOG_AUTH LOG_ALERT
# Packet logs to a local MySQL; needs the database plugin compiled in and a running
# MySQL on the device — if either is missing snort will likely refuse to start.
output database: log, mysql, user=snort password=snort dbname=snort_db host=localhost
# Unified output is Snort's *binary* format (read it with barnyard or a similar
# spooler), which is probably why the log files did not look like readable text.
output alert_unified: filename snort.alert, limit 128
output log_unified: filename snort.log, limit 128
# --- Classification, references and rule sets ---
include /opt/etc/snort/classification.config
include /opt/etc/snort/reference.config
include $RULE_PATH/local.rules
# NOTE(review): bad-traffic, exploit and scan are commented out although they are the
# sets most relevant on a WAN-facing sensor — presumably disabled for memory; confirm.
#include $RULE_PATH/bad-traffic.rules
#include $RULE_PATH/exploit.rules
#include $RULE_PATH/scan.rules
include $RULE_PATH/finger.rules
include $RULE_PATH/ftp.rules
include $RULE_PATH/telnet.rules
#include $RULE_PATH/rpc.rules
include $RULE_PATH/rservices.rules
#include $RULE_PATH/dos.rules
#include $RULE_PATH/ddos.rules
#include $RULE_PATH/dns.rules
#include $RULE_PATH/tftp.rules
include $RULE_PATH/web-cgi.rules
include $RULE_PATH/web-coldfusion.rules
include $RULE_PATH/web-iis.rules
include $RULE_PATH/web-frontpage.rules
include $RULE_PATH/web-misc.rules
include $RULE_PATH/web-client.rules
include $RULE_PATH/web-php.rules
#include $RULE_PATH/sql.rules
include $RULE_PATH/x11.rules
include $RULE_PATH/icmp.rules
include $RULE_PATH/netbios.rules
#include $RULE_PATH/misc.rules
include $RULE_PATH/attack-responses.rules
include $RULE_PATH/oracle.rules
include $RULE_PATH/mysql.rules
#include $RULE_PATH/snmp.rules
include $RULE_PATH/smtp.rules
include $RULE_PATH/imap.rules
include $RULE_PATH/pop2.rules
include $RULE_PATH/pop3.rules
include $RULE_PATH/nntp.rules
include $RULE_PATH/other-ids.rules
include $RULE_PATH/virus.rules
# experimental.rules is enabled; these signatures are typically noisier and less tested.
include $RULE_PATH/experimental.rules
# Per-signature thresholds and suppressions.
include /opt/etc/snort/threshold.conf
До конца я не разобрался, может, тут что-то и неправильно, но логи он писал — только я не понял, в каком формате и кодировке, а анализатор я так и не поставил. Посмотри, я выложил всё, что накопал: ftp://styxnout.homeip.net/Public/soft/snort/