Newbies Playing with Snort Using EagleX

Problem

You want to use Snort, ACID, MySQL, Apache, etc., but you either don't have a *nix box or are more comfortable with the MS Windows platform. Can you run these applications without having to get a Unix guru to set it up for you?

Solution

A product called EagleX from Engage Security bundles all of these for a Windows machine, with every listener bound to the local machine only, so nothing is exposed to the network by default.

Discussion

This product is offered for free from Engage Security at the following site: http://www.engagesecurity.com/downloads/#eaglex. It is a single 16-MB file that includes the following:

As you can tell already, this is not kept up to date, so this should be used only as an educational tool. However, if you want to run the latest version of Snort, you can upgrade the Snort portion of EagleX once it is installed.

Installation is as simple as following the prompts. If you are lost during the installation, see the recipe Installing and Configuring IDScenter (Recipe 5.2), as this is the core of EagleX. If you have ACID questions, see the recipe Installing and Configuring ACID (Recipe 5.6).

To change EagleX to use a new version of Snort, download a copy of Snort for Windows from http://www.snort.org and follow these instructions:

  1. Run the new version of Snort's install program. It installs to C:\Snort by default, while the EagleX software was installed in C:\eaglex, unless you specified another location for either.
  2. If you want to keep the original Snort 2.0 configuration that shipped with EagleX, rename the C:\eaglex\snort directory to something else, such as C:\eaglex\snort_eaglex, rather than overwriting it.
  3. Copy your new Snort 2.2.x directory into the EagleX directory. A plain copy does not descend into subdirectories, so use xcopy with /E (copy subdirectories, including empty ones) and /I (treat the destination as a directory):

    xcopy C:\Snort C:\eaglex\snort /E /I

  4. Create a logs directory under the Snort directory:

    mkdir C:\eaglex\snort\logs

  5. Restart IDScenter and click Start Snort. Snort should now be running and capturing packets with the new version 2.2.x.
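The five steps above, collected into one batch file. This is an added example, not a script shipped with EagleX or Snort; it assumes EagleX lives in C:\eaglex and the new Snort installer put its files in C:\Snort (with snort.exe either in that directory or in a bin subdirectory), and it refuses to run if those paths are not what it expects, so a typo cannot overwrite a working install. The directory names are the ones the recipe uses; the snort.exe location and the -V version check are assumptions about the snort.org Windows build.

```batch
@echo off
REM upgrade-eaglex-snort.bat: replace the Snort bundled with EagleX by a newer Snort for Windows.
REM Added example, not part of EagleX. Assumed paths; change them if you installed elsewhere.
setlocal
set EAGLEX=C:\eaglex
set NEWSNORT=C:\Snort

REM Step 1 has already been done by hand: the snort.org installer has run.
REM Assumption: snort.exe sits either at the root of the install or under bin\.
set SNORTEXE=
if exist "%NEWSNORT%\snort.exe" set SNORTEXE=snort.exe
if exist "%NEWSNORT%\bin\snort.exe" set SNORTEXE=bin\snort.exe
if "%SNORTEXE%"=="" (
    echo New Snort install not found under %NEWSNORT% - run the snort.org installer first.
    exit /b 1
)

REM Step 2: keep the original EagleX Snort by renaming its directory, never by deleting it,
REM and never clobber an earlier backup.
if exist "%EAGLEX%\snort" (
    if exist "%EAGLEX%\snort_eaglex" (
        echo Backup %EAGLEX%\snort_eaglex already exists - refusing to overwrite it.
        exit /b 1
    )
    ren "%EAGLEX%\snort" snort_eaglex
)

REM Step 3: copy the whole new Snort tree into the EagleX directory.
REM /E copies subdirectories including empty ones, /I treats the target as a directory,
REM /Y suppresses overwrite prompts so the script can run unattended.
xcopy "%NEWSNORT%" "%EAGLEX%\snort" /E /I /Y
if errorlevel 1 (
    echo xcopy failed - the old install is still in %EAGLEX%\snort_eaglex.
    exit /b 1
)

REM Step 4: the logs directory Snort writes its output to.
if not exist "%EAGLEX%\snort\logs" mkdir "%EAGLEX%\snort\logs"

REM Sanity check before touching IDScenter: the copied binary must start and print its version.
REM If it fails here, the usual cause is a missing or mismatched WinPcap, not the copy itself.
"%EAGLEX%\snort\%SNORTEXE%" -V
if errorlevel 1 (
    echo The copied snort.exe did not run - check the copy and the WinPcap installation.
    exit /b 1
)

echo Done. Step 5: restart IDScenter and click Start Snort.
endlocal
```

Run it from a command prompt as a user that can write to C:\eaglex. If IDScenter was configured with explicit paths into C:\eaglex\snort (snort.exe, snort.conf, the rules directory), check them after the copy: the new tree may lay files out differently from the 2.0 build that EagleX shipped, and the old configuration is still available under C:\eaglex\snort_eaglex if you need to copy settings across.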

Other EagleX components can also be upgraded to newer versions.

See Also

http://www.engagesecurity.com

http://www.winsnort.com

http://www.snort.org mailing lists
