Monday, March 1, 2010

Integrate Emerging threats into Sguil


This is meant as a brief overview of getting ET (Emerging Threats) rules into your NIDS, not as a guide to configuring your system. If you are a first-time installer of Snort or Sguil, I would recommend using securixlive.com NSMnow with the CentOS 5 series, as this is pretty painless and should get you a quick setup for monitoring. The first step is to go over to emergingthreats.net and pull down the compressed rules to your Sguil server. After this is finished, untar the file and move the .rules files to the /etc/nsm/sensor1/rules folder if you did a default install. Make sure they have the correct permissions:
#chown sguil:sguil emerg*
Next you need to alter the snort.conf file and add the rules. You can simply cut and paste from the emerging.conf file and add it to the bottom of the snort.conf. Next, add the Emerging Threats entries to the sid-msg.map in /etc/nsm/sensor1:
#cat emerging-sid-msg.map >> sid-msg.map
Finally you need to copy the emerging rules over to the /nsm/server_data/server1/rules/sensor1 folder so that you can view the rules in the sguil client. Now just start up your nsm and you should have a little more help with alerts.
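The whole procedure above, scripted as one POSIX shell function so it can be re-run safely. This is an added example, not a script from the original post or from NSMnow; it assumes the ET tarball unpacks into a directory holding emerging-*.rules, emerging.conf (the include lines) and emerging-sid-msg.map (sid || msg lines), and the sample tarball it builds is constructed data with made-up sids, not a real ET release. Unlike the bare cat >> shown above, it checks for a marker in snort.conf and for existing sids in sid-msg.map so a second run does not double up the includes or map entries, and it only attempts the chown when run as root on a box that has the sguil user.

```shell
#!/bin/sh
# Added example: scripts the Emerging Threats integration steps from the post.
# Assumptions: the tarball contains emerging*.rules, emerging.conf and
# emerging-sid-msg.map; default NSMnow paths are only used in the usage note.
set -eu

# integrate_et_rules TARBALL SENSOR_RULES_DIR SNORT_CONF SID_MSG_MAP SERVER_RULES_DIR
integrate_et_rules() {
    tarball=$1; sensor_rules=$2; snort_conf=$3; sid_map=$4; server_rules=$5
    work=$(mktemp -d)
    tar -xzf "$tarball" -C "$work"
    src=$(find "$work" -name emerging.conf -exec dirname {} \; | head -n 1)
    [ -n "$src" ] || { echo "emerging.conf not found in $tarball" >&2; return 1; }

    # 1. Put the rule files where the sensor reads them.
    mkdir -p "$sensor_rules"
    cp "$src"/emerging*.rules "$sensor_rules"/

    # 2. Ownership only makes sense as root on a host that has the sguil account.
    if [ "$(id -u)" -eq 0 ] && id sguil >/dev/null 2>&1; then
        chown sguil:sguil "$sensor_rules"/emerging*.rules
    fi

    # 3. Append the include lines to snort.conf exactly once (marker guards re-runs).
    if ! grep -q '^# BEGIN emerging-threats' "$snort_conf" 2>/dev/null; then
        {
            echo '# BEGIN emerging-threats'
            cat "$src/emerging.conf"
            echo '# END emerging-threats'
        } >> "$snort_conf"
    fi

    # 4. Merge sid-msg.map entries, skipping sids already present so Sguil
    #    does not see duplicate message mappings.
    touch "$sid_map"
    while IFS= read -r line; do
        case "$line" in ''|'#'*) continue ;; esac
        sid=${line%% ||*}
        grep -q "^$sid ||" "$sid_map" || printf '%s\n' "$line" >> "$sid_map"
    done < "$src/emerging-sid-msg.map"

    # 5. Give the Sguil server its own copy so the client can show rule text.
    mkdir -p "$server_rules"
    cp "$sensor_rules"/emerging*.rules "$server_rules"/

    rm -rf "$work"
}

# make_sample_et_tarball OUTDIR: builds a constructed stand-in for the ET
# download (two dummy rules, their include line and sid map) and prints its path.
make_sample_et_tarball() {
    outdir=$1
    mkdir -p "$outdir/rules"
    cat > "$outdir/rules/emerging-sample.rules" <<'EOF'
alert tcp any any -> any 80 (msg:"ET SAMPLE constructed rule one"; sid:2000001; rev:1;)
alert tcp any any -> any 443 (msg:"ET SAMPLE constructed rule two"; sid:2000002; rev:1;)
EOF
    echo 'include $RULE_PATH/emerging-sample.rules' > "$outdir/rules/emerging.conf"
    cat > "$outdir/rules/emerging-sid-msg.map" <<'EOF'
2000001 || ET SAMPLE constructed rule one
2000002 || ET SAMPLE constructed rule two
EOF
    tar -czf "$outdir/emerging.rules.tar.gz" -C "$outdir" rules
    echo "$outdir/emerging.rules.tar.gz"
}

# Usage on a default NSMnow install (paths from the post):
# integrate_et_rules /tmp/emerging.rules.tar.gz /etc/nsm/sensor1/rules \
#     /etc/nsm/sensor1/snort.conf /etc/nsm/sensor1/sid-msg.map \
#     /nsm/server_data/server1/rules/sensor1
```

After running it, restart the NSM services as the post says; the marker comments in snort.conf also make it easy to spot and remove the ET block later.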
