Symantec Manhunt Smart Agent for Snort 2.0
Contents
1. MSA Configuration File

The configuration file is broken down into sections, with section headers enclosed in brackets. The first section is called MSA and contains most of the configuration parameters. The second section is called Flatfile and contains the EventSourceFile parameter. The following is a sample configuration file:

[MSA]
ManHuntHostIPAddr 10.0.0.34:1333
EDPSecret DokdYjNU732mnDuj
MSALogDir /usr/msasnort/logs
MSALogLevel 5
EventDefinitionFile /usr/msasnort/etc/snort2mh.evtdef
[Flatfile]
EventSourceFile /var/log/snort/alert

Table 1-1 lists all editable parameters. If you edit any of the configuration parameter values, you must restart the MSA application. See "Starting and stopping the MSA" on page 13.

Table 1-1 MSA Configuration File Parameters

AlertSenderAddr: This parameter is available only for ManHunt 3.0 and is not available for ManHunt 2.2. The value is the IP address of the MSA machine. If you define this variable, you will also need to define an interface for the MSA in the ManHunt console. It is critical that the IP address that you specify for the interface be the same as the IP address that you specify for the AlertSenderAddr parameter. The Interface Name field in the Event Detail window of the ManHunt console will appear as the machine that you just defined.

This is the value for E
2. Symantec ManHunt Smart Agent for Snort 2.0 Installation Guide

The software described in this book is furnished under a license agreement and may be used only in accordance with the terms of the agreement.

Copyright Notice: Copyright © 2003 Symantec Corporation. All Rights Reserved. Any technical documentation that is made available by Symantec Corporation is the copyrighted work of Symantec Corporation and is owned by Symantec Corporation.

NO WARRANTY. The technical documentation is being delivered to you AS-IS, and Symantec Corporation makes no warranty as to its accuracy or use. Any use of the technical documentation or the information contained therein is at the risk of the user. Documentation may include technical or other inaccuracies or typographical errors. Symantec reserves the right to make changes without prior notice. No part of this publication may be copied without the express written permission of Symantec Corporation, 20330 Stevens Creek Blvd., Cupertino, CA 95014.

Trademarks: Symantec and the Symantec logo are U.S. registered trademarks of Symantec Corporation. Other brands and product names mentioned in this manual may be trademarks or registered trademarks of their respective companies and are hereby acknowledged.

Printed in the United States of America. 10 9 8 7 6 5 4 3 2 1

SYMANTEC SOFTWARE LICENSE AGREEMENT SMART AGENT

E. use, if You received th
3. IN NO EVENT WILL SYMANTEC BE LIABLE TO YOU FOR ANY SPECIAL, CONSEQUENTIAL, INDIRECT, OR SIMILAR DAMAGES, INCLUDING ANY LOST PROFITS OR LOST DATA ARISING OUT OF THE USE OR INABILITY TO USE THE SOFTWARE, EVEN IF SYMANTEC HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. IN NO CASE SHALL SYMANTEC'S LIABILITY EXCEED THE PURCHASE PRICE FOR THE SOFTWARE. The disclaimers and

SYMANTEC CORPORATION AND/OR ITS SUBSIDIARIES ("SYMANTEC") IS WILLING TO LICENSE THE SOFTWARE TO YOU AS AN INDIVIDUAL, THE COMPANY, OR THE LEGAL ENTITY THAT WILL BE UTILIZING THE SOFTWARE (REFERENCED BELOW AS "YOU" OR "YOUR") ONLY ON THE CONDITION THAT YOU ACCEPT ALL OF THE TERMS OF THIS LICENSE AGREEMENT. READ THE TERMS AND CONDITIONS OF THIS LICENSE AGREEMENT CAREFULLY BEFORE USING THE SOFTWARE. THIS IS A LEGAL AND ENFORCEABLE CONTRACT BETWEEN YOU AND THE LICENSOR. BY OPENING THIS PACKAGE, BREAKING THE SEAL, CLICKING ON THE "AGREE" OR "YES" BUTTON OR OTHERWISE INDICATING ASSENT ELECTRONICALLY, OR LOADING THE SOFTWARE, YOU AGREE TO THE TERMS AND CONDITIONS OF THIS AGREEMENT. IF YOU DO NOT AGREE TO THESE TERMS AND CONDITIONS, CLICK ON THE "I DO NOT AGREE", "NO" BUTTON, OR OTHERWISE INDICATE REFUSAL AND MAKE NO FURTHER USE OF THE SOFTWARE.

1. LICENSE. The software and documentation that accompanies this license (collectively the "Software") is the proprietary property of Symantec or its licensors and is protected by copyright law. While Symantec continues to own the Software, You will have
4. decompile, disassemble, modify, translate, make any attempt to discover the source code of the Software, or create derivative works from the Software; C. use a previous version or copy of the Software after You have received a disk replacement set or an upgraded version. Upon upgrading the Software, all copies of the prior version must be destroyed; D. use a later version of the Software than is provided herewith unless You have purchased corresponding maintenance and/or upgrade insurance or have otherwise separately acquired the right to use such later version;

limitations set forth above will apply regardless of whether You accept the Software.

5. U.S. GOVERNMENT RESTRICTED RIGHTS. RESTRICTED RIGHTS LEGEND. All Symantec products and documentation are commercial in nature. The software and software documentation are "Commercial Items", as that term is defined in 48 C.F.R. section 2.101, consisting of "Commercial Computer Software" and "Commercial Computer Software Documentation", as such terms are defined in 48 C.F.R. section 252.227-7014(a)(5) and 48 C.F.R. section 252.227-7014(a)(1), and used in 48 C.F.R. section 12.212 and 48 C.F.R. section 227.7202, as applicable. Consistent with 48 C.F.R. section 12.212, 48 C.F.R. section 252.227-7015, 48 C.F.R. section 227.7202 through 227.7202-4, 48 C.F.R. section 52.227-14, and other relevant sections of the Code of Federal Regulations, as applicable, Symantec's computer software and computer software
5. -r, inclusive.
-g directory: Location of generators.h (optional; required if generators.h is stored in a directory different from its default location in your Snort distribution root). If you installed Snort from a package such as an RPM, then you may have to locate or download the source to obtain the file required for this option.
-c directory: Location of classification.config (optional; required if classification.config is stored in a directory different from its default location in your Snort distribution root).
-r directory: Location of Snort rules (optional; required if your rules are stored in a directory different from its default location in your Snort distribution root).
-V: Verbose output.
-h: Prints these arguments.

2. When the meta data file has regenerated, run install md sh in the same directory as the new meta data file.

Configuring Symantec ManHunt

To enable communication between ManHunt and the MSA for Snort, and to be able to set ManHunt response policies for Snort events, you must create an external sensor node in the ManHunt topology tree for the machine on which the MSA for Snort is installed.

To add an external sensor node
1. Open the ManHunt console.
2. Right-click External Sensors in the topology tree and click Add External Sensor in the pop-up menu. The Add External Sensor dialog appears.
3. In Add External Sensor, enter a name of up to 39 characters
6. and vice versa. This parameter is required.

This is an integer specifying the maximum number of events allowed in the cache before the oldest event is dropped. Valid values are 500 to 100,000. If this parameter is not specified in the configuration file, the default value is 3000. To change the default value for this parameter, you must add it to the MSA section.

EDPSecret, EventDefinitionFile, EventSendRate, EventSourceFile, ManHuntHostIPAddr, MaxEventsInCache

MSALogDir: This is the directory to which the MSA should write its log file. The default directory is <MSA_install_dir>/logs. If you delete this parameter from the configuration file, then the default log directory becomes /tmp.

MSALogLevel: This is an integer that specifies the level of logging that the MSA uses. Possible values are from 1 to 35, with 35 being the most verbose. The default value is 5. If you raise the log level above 5, the performance of the MSA for Snort may be negatively impacted.

SNMPListenIP: This is a valid IP address to which the MSA machine is bound.

SnmpTrapPort: This is an argument that allows SNMP traps to be collected on a port other than the default, which is port 162.

Changing the EDP passphrase

To change the EDP passphrase on the ManHunt node, edit the external sensor topology tree node. The EDP passphrase on the M
7. certain rights to use the Software after Your acceptance of this license. This license governs any releases, revisions, or enhancements to the Software that the Licensor may furnish to You. Except as may be modified by an applicable Symantec license certificate, license coupon, or license key (each a "License Module") that accompanies, precedes, or follows this license, Your rights and obligations with respect to the use of this Software are as follows:

YOU MAY: A. use that number of copies of the Software as have been licensed to You by Symantec under a License Module for Your internal business purposes. Your License Module shall constitute proof of Your right to make such copies. If no License Module accompanies, precedes, or follows this license, You may make one copy of the Software You are authorized to use on a single machine; B. make one copy of the Software for archival purposes, or copy the Software onto the hard disk of Your computer and retain the original for archival purposes; C. use each licensed copy of the Software on a single central processing unit; and D. after written consent from Symantec, transfer the Software on a permanent basis to another person or entity, provided that You retain no copies of the Software and the transferee agrees to the terms of this license.

YOU MAY NOT: A. copy the printed documentation which accompanies the Software; B. sublicense, rent, or lease any portion of the Software; reverse engineer
8. documentation are licensed to United States Government end users with only those rights as granted to all other end users, according to the terms and conditions contained in this license agreement. Manufacturer is Symantec Corporation, 20330 Stevens Creek Blvd., Cupertino, CA 95014, United States of America.

6. EXPORT REGULATION. Export, re-export of this Software is governed by the laws and regulations of the United States and import laws and regulations of certain other countries. Export or re-export of Software to any entity on the Denied Parties List and other lists promulgated by various agencies of the United States Federal Government is strictly prohibited.

7. GENERAL. If You are located in North America or Latin America, this Agreement will be governed by the laws of the State of California, United States of America. Otherwise, this Agreement will be governed by the laws of England. This Agreement and any related License Module is the entire agreement between You and Symantec relating to the Software and: (i) supersedes all prior or contemporaneous oral or written communications, proposals, and representations with respect to its subject matter; and (ii) prevails over any conflicting or additional terms of any quote, order, acknowledgment, or similar communications between the parties. This Agreement shall terminate upon Your breach of any term contained herein, and You shall cease use of and destroy all copies of the Software. The discla
9. DPSecret is the encrypted form of the EDP passphrase and is set during the MSA installation process. Do not attempt to edit this parameter from within the configuration file. This parameter is required.

EventDefinitionFile: This is the path to the event definition file. The MSA conversion engine uses instructions contained in the event definition file to convert Snort alerts into ManHunt events. The event definition file is installed in the <MSA_install_dir>/etc directory. This parameter is required.

EventSendRate: This is an integer specifying the maximum number of events per second that can be passed to the ManHunt node. Valid values for ManHunt 2.2 are 10 to 30, and valid values for ManHunt 3.0 are 10 to 250. If this parameter is not specified in the configuration file, the default value is 10 events per second. If you add this parameter, you must add it to the MSA section.

Note: The MSA cannot start properly if the log file approaches a certain size (2-3 Gigs, depending on the system). You can delete or rename the log file to correct the problem.

EventSourceFile: This is the file from which to read Snort alerts. This parameter is required.

ManHuntHostIPAddr: This is the IP address of the ManHunt node to which Snort events are sent. The format is IP address:port. The port must be the port on which ManHunt is configured to receive events. The default port is 1333. If you change the EDP Port Number parameter on the ManHunt node, be sure to change the value in the MSA configuration file to match
10. anHunt node must match the EDP passphrase on the MSA for Snort machine. Therefore, if you change the passphrase on the ManHunt node, you must also change the passphrase on the MSA for Snort machine by running the changesecret command located in the <MSA_install_directory>/bin directory.

To change the EDP passphrase on the ManHunt node
1. Log in to the ManHunt console.
2. Right-click the appropriate external sensor node and select Edit Device. The Edit External Sensor dialog appears.
3. In Edit External Sensor, click Set EDP Passphrase.
4. In EDP Passphrase, enter the new passphrase the ManHunt node will use to communicate with the MSA for Snort. This passphrase must be at least 8 characters long.
5. Re-enter the passphrase for confirmation.
6. Click OK.
7. Click OK in the Edit External Sensor dialog box.
8. Go to Topology and click Save Changes.

To change the EDP passphrase on the MSA for Snort machine
1. Go to the <msa_install_dir>/bin directory.
2. Enter the following command: changesecret <MSA_install_dir>/etc/snort2mh.conf
3. Enter the old passphrase.
4. Enter the new passphrase. The passphrase must be at least 8 characters long.
5. Re-enter the new passphrase.
6. Restart the MSA application with the stop and start commands. See "Starting and stopping the MSA" on page 13.

Note: If you have forgotten the old passphrase, you can delete the EDPSecret line from th
11. arc, or macos x ppc

install md sh

3. Ensure that the meta data file to be installed begins with snort and ends with the .md file extension. If you have old meta data files, you can choose to either delete or archive them. Do one of the following:
Type delete and press Enter to delete the old meta data files.
Type archive and press Enter to archive the old meta data files.
4. ManHunt must be restarted to incorporate the new meta data. Type and press Enter when prompted to restart ManHunt. If this is the ManHunt node used for administration, quit and restart any administration consoles connected to the node to enable the consoles to incorporate the new meta data.

Generating Snort meta data

If you run Snort with a set of rules that is different than the standard package for Snort 2.0, you must generate and install a new meta data file. Symantec provides a meta data extraction utility with the MSA for Snort that enables the generation of new meta data from Snort's latest signature updates.

Note: You must be logged in as root to generate the Snort meta data.

To generate Snort meta data
1. On any machine that has access to your Snort distribution root directory, run snortrules2mda.pl. The script accepts the following arguments:
-v version: Snort version number without dots
-d directory: Snort distribution root directory (required unless you enter values for -g, -c, and
12. e configuration file (<MSA_install_dir>/etc/snort2mh.conf) and then run changesecret again. The script will not prompt you for the old passphrase once the passphrase line is removed. See "Configuring the MSA for Snort" on page 9.

Starting and stopping the MSA

The MSA installer creates startup scripts in the system startup directories (/etc/init.d and /etc/rc2.d) to automatically start the MSA for Snort when the machine is rebooted. In addition, start and stop scripts are provided in the <MSA_install_dir>. You must be logged in as root to run these scripts, as they are installed in the root MSA install directory. Simply run the start or stop commands from <MSA_install_dir> to start or stop the MSA.

Viewing Snort events in the ManHunt console

You can view events from the MSA for Snort just as you would view any other events in the ManHunt console. For more information about viewing events in the ManHunt console, see the Symantec ManHunt Administration Guide.

To identify events as originating from Snort
1. From the ManHunt console Event View window, expand the Base Type field.
2. Snort events have a Base Type in the form of SNRT SNRT_<unique numerical identifier>.
3. The Type field in the ManHunt console contains a short description of the Snort event. To see more information, double-click on the event and click the Advanced tab.

Uninstalling t
13. e software distributed on media containing multiple Symantec products, any Symantec software on the media for which You have not received a permission in a License Module; nor F. use the Software in any manner not authorized by this license.

2. CONTENT UPDATES. Certain Software utilize content which is updated from time to time (including but not limited to the following Software: antivirus software utilize updated virus definitions; content filtering software utilize updated URL lists; some firewall software utilize updated firewall rules; and vulnerability assessment products utilize updated vulnerability data; these updates are collectively referred to as "Content Updates"). You shall have the right to obtain Content Updates for any period for which You have purchased maintenance, except for those Content Updates which Symantec elects to make available by separate paid subscription, or for any period for which You have otherwise separately acquired the right to obtain Content Updates. Symantec reserves the right to designate specified Content Updates as requiring purchase of a separate subscription at any time and without notice to You; provided, however, that if You purchase maintenance hereunder that includes particular Content Updates on the date of purchase, You will not have to pay an additional fee to continue receiving such Content Updates through the term of such maintenance even if Symantec designates such Content Updates as requi
14. fault port number of 1333 and press Enter. This port number must match the value for the EDP Port Number configuration parameter used by the ManHunt node that will receive the Snort event data.
7. Type the EDP passphrase and press Enter. The MSA for Snort communicates with the ManHunt node over EDP. In order to enable ManHunt to receive event data from the MSA for Snort, they must share an EDP passphrase. The passphrase must be 8 to 64 characters long, inclusive.
Note: This must be identical to the passphrase that you enter in the ManHunt console when you create the external sensor node for the MSA for Snort. See "Changing the EDP passphrase" on page 12.
8. Re-enter the EDP passphrase and press Enter.
9. Enter the path to the Snort alerts file or accept the default /var/log/snort/alert directory. Enter the complete path if you do not accept the default path. If the file does not already exist, the install script will create it.
10. Change to the installation directory and run the start command to start the MSA for Snort: <MSA_install_dir>/start

Upgrading to the MSA for Snort 2.0

During the upgrade process, you can choose to either retain your current MSA configuration or remove it completely and do a fresh install.

Note: You can view the ManHunt version number and third-party MSA product name and version number in the installation log, which is located i
15. for the device. This name will appear in the topology tree.
4. Enter an optional customer ID. This ID is a way of labeling the devices, for example, to describe the physical location of the device.
5. Enter the IP address for the machine on which you installed the MSA for Snort.
6. Click Snort from Smart Agent Type.
Note: The Snort Smart Agent type only appears if you have installed the Snort meta data.
7. Select the ManHunt node that will receive event data from the MSA for Snort.
Note: You must select the ManHunt node before setting the EDP passphrase, as ManHunt sets the EDP passphrase for the ManHunt node that is selected in the Event Receiver box at the time that you enter the EDP passphrase.
8. Set the EDP passphrase. This passphrase must be the same passphrase you entered during the MSA for Snort installation process.
9. Enter a description for the MSA for Snort. This description will be displayed on the main console screen when this external sensor node is selected in the topology tree.
10. Click OK, then click Save Changes to save your topology tree changes.

Configuring the MSA for Snort

The MSA installation process creates a configuration file called snort2mh.conf in the <MSA_install_dir>/etc directory. This file contains instructions and parameters for MSA operation and for connecting to the ManHunt node. These parameters are described in Table 1-1
16. g on the system). You can delete or rename the log file to correct the problem.
6. The existing MSA for Snort will now uninstall itself, then upgrade itself to the MSA for Snort 2.0. You will not be prompted for any more questions. The upgrade install directory for the MSA for Snort 2.0, as well as the snort2mh.conf, logs/snort2mh.log files, and the installation log, will be retained.
7. Change to the installation directory and run the start command to start the MSA for Snort: <MSA_install_dir>/start

Installing Snort meta data

You must install the Snort meta data on the ManHunt node that you log into from the administration console (typically the primary master node). This is done in order for you to be able to create the MSA for Snort external sensor node, create response policies for Snort events, and display Snort event data in the ManHunt console. In addition, you must install this meta data on the ManHunt node that will receive the Snort event data from the MSA for Snort, if different from the master node.

Note: You must be logged in as root to install the Snort meta data.

To install Snort meta data
1. Place the CD in the CD-ROM drive (mount the volume if necessary).
2. Change to the CD directory and enter the install command: cd Snort20MSA_MH<version>/install/<platform>, where <version> is 22 or 30 and <platform> is linux, solaris8 intel, solaris8 sp
17. he MSA for Snort

The MSA for Snort can be uninstalled. It is not necessary to uninstall the Snort meta data. However, if you require more space on the disk after uninstalling the MSA for Snort, you can remove the meta data manually by deleting the <ManHunt_install_directory>/md/snort.md file.

To uninstall the MSA for Snort
1. Run the following command: <MSA_install_dir>/install/uninstall.sh
2. The script will ask if you wish to continue uninstalling the MSA. Type y and press Enter to uninstall the MSA for Snort.
18. imers of warranties and damages and limitations on liability shall survive termination. Software and documentation is delivered Ex Works California, U.S.A. or Dublin, Ireland respectively (ICC INCOTERMS 2000). This Agreement may only be modified by a License Module which accompanies this license or by a written document which has been signed by both You and Symantec. Should You have any questions concerning this Agreement, or if You desire to contact Symantec for any reason, please write to: (i) Symantec Customer Service, 555 International Way, Springfield, OR 97477, USA, (ii) Symantec Customer Service Center, PO BOX 5689, Dublin 15, Ireland, or (iii) Symantec Customer Service, 1 Julius Ave, North Ryde, NSW 2113, Australia.

Contents

ManHunt Smart Agent for Snort 2.0
Configuring Snort 2
Installing the MSA for Snort 2.0 3
Upgrading to the MSA for Snort 2.0 4
Installing Snort meta data 6
Generating Snort meta data 6
Configuring Symantec ManHunt 7
Configuring the MSA for Snort 8
Changing the EDP passphrase 11
Starting and stopping the MSA 12
Viewing Snort events in the ManHunt console 12
Uninstalling the MSA for S
19. n the <MSA_install_dir>/install directory.

To upgrade to the MSA for Snort 2.0
1. Place the CD in the CD-ROM drive (mount the drive if necessary).
2. Change to the CD directory and enter the install command: cd Snort20MSA_MH<version>/install/<platform>, where <version> is 22 or 30 and <platform> is linux, solaris8 intel, solaris8 sparc, or macos x ppc. Then run install.sh.
3. The script will detect the existing MSA for Snort and ask if you would like to install the MSA for Snort 2.0 or upgrade to the MSA for Snort 2.0. If you wish to remove your existing MSA for Snort configuration and perform a fresh installation, press Enter to continue. If you wish to upgrade and retain your existing MSA for Snort configuration, type upgrade, then press Enter.
4. Type the complete path to the existing install directory for the MSA for Snort, then press Enter.
If you chose to perform a fresh installation in Step 3, the existing MSA for Snort will then uninstall itself. When it has finished uninstalling, the MSA for Snort 2.0 installation will begin. Proceed now to "Installing the MSA for Snort 2.0" on page 3.
If you chose to upgrade and maintain your existing MSA for Snort configuration in Step 3, please proceed to Step 5.
5. Type the complete path to the existing MSA for Snort log directory, then press Enter.
Note: The MSA cannot start properly if the log file approaches a certain size (2-3 Gigs, dependin
20. nort 13

ManHunt Smart Agent for Snort 2.0

The ManHunt Smart Agent (MSA) for Snort 2.0 enables Symantec ManHunt to receive events in real time from a Snort alert file, convert these events into the ManHunt event format, and then send the events to a ManHunt node for aggregation and correlation with all other ManHunt events. The MSA also enables you to set response policies for Snort events in the ManHunt Policy Configuration interface. Symantec provides a meta data extraction utility with the MSA for Snort that enables the generation of new meta data from Snort's latest signature updates. See the Symantec ManHunt Administration Guide for instructions on creating response policies.

System requirements

The MSA for Snort 2.0 requires the following:

Symantec ManHunt 2.2 patch 2 installed on Solaris 8 (SPARC or Intel), or Symantec ManHunt 3.0 installed on Solaris 8 (SPARC or Intel) or Red Hat Linux 8.0.

Note: Patch 2 is required for ManHunt 2.2 to enable you to properly view event information from MSAs. You can download the patch at http://www.symantec.com/techsupp/enterprise/products/manhunt/manhunt_2.2/files.html. You can ascertain which ManHunt patches have been installed by looking in the <ManHunt_inst_root>/patchlevel file. The content of the patchlevel file will consist of or include the file named 1 2 220 02 ManHunt patch 2 220 02 if you have patch 2 installed. If you do no
21. ollowing is a sample command to run Snort in this configuration: snort -A fast -D -c snort.conf

Note: The ManHunt console will receive any event data sent by Snort. Therefore, you may want to tune Snort policies and rules to avoid sending large amounts of duplicate data to ManHunt.

Note: By default, Snort logs alerts to the /var/log/snort/alert file. If you use the -l option when running Snort to change the default logging location, you must enter the correct path and file name of the Snort alerts file when you install the MSA.

Installing the MSA for Snort 2.0

The MSA for Snort must be installed on the host where the Snort alert file is located (typically the same host as the Snort sensor, unless you have configured your Snort application to send alerts to a file on a remote machine). The MSA for Snort receives the Snort event data, converts the data into the ManHunt event format, and sends the converted data to the ManHunt node.

During the MSA installation, you specify the IP address of the ManHunt node that will receive the event data from the MSA. The MSA and ManHunt node communicate over Event Dispatch Protocol (EDP). To do so, they must share an EDP passphrase to ensure secure and encrypted communication.

Note: The Event Dispatch Protocol for Symantec ManHunt 2.2 patch 2 has an event rate limitation of 30 events per second, and the Event Dispatch Protocol for Symantec ManH
22. ring separate purchase. This License does not otherwise permit Licensee to obtain and use Content Updates.

3. LIMITED WARRANTY. Symantec warrants that the media on which the Software is distributed will be free from defects for a period of sixty (60) days from the date of delivery of the Software to You. Your sole remedy in the event of a breach of this warranty will be that Symantec will, at its option, replace any defective media returned to Symantec within the warranty period or refund the money You paid for the Software. Symantec does not warrant that the Software will meet Your requirements or that operation of the Software will be uninterrupted or that the Software will be error-free. THE ABOVE WARRANTY IS EXCLUSIVE AND IN LIEU OF ALL OTHER WARRANTIES, WHETHER EXPRESS OR IMPLIED, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, AND NONINFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS. THIS WARRANTY GIVES YOU SPECIFIC LEGAL RIGHTS. YOU MAY HAVE OTHER RIGHTS, WHICH VARY FROM STATE TO STATE AND COUNTRY TO COUNTRY.

4. DISCLAIMER OF DAMAGES. SOME STATES AND COUNTRIES, INCLUDING MEMBER COUNTRIES OF THE EUROPEAN ECONOMIC AREA, DO NOT ALLOW THE LIMITATION OR EXCLUSION OF LIABILITY FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES, SO THE BELOW LIMITATION OR EXCLUSION MAY NOT APPLY TO YOU. TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW AND REGARDLESS OF WHETHER ANY REMEDY SET FORTH HEREIN FAILS OF ITS ESSENTIAL PURPOSE
23. t have patch 2 installed, you must download and install it, even if you have installed patch 3. Patch 1 will not affect patch 2. If you do not have a patchlevel file, no patches have been installed.

Snort 2.0 installed on any of the following operating systems:
Solaris 8 (SPARC or Intel)
Red Hat Linux 8.0 with kernel version 2.4.18-14
Mac OS X

Installation overview

The MSA for Snort can be set up in seven basic steps.

To set up the MSA for Snort
1. Ensure that you have installed Symantec ManHunt 2.2 patch 2 or Symantec ManHunt 3.0.
2. Configure Snort. See "Configuring Snort" on page 2.
3. Install or upgrade the MSA for Snort. See "Installing the MSA for Snort 2.0" on page 3 or "Upgrading to the MSA for Snort 2.0" on page 4.
4. Install the Snort meta data on the ManHunt node. See "Installing Snort meta data" on page 6.
5. Create an external sensor node for the MSA for Snort. See "Configuring Symantec ManHunt" on page 8.
6. Configure ManHunt to receive events from the MSA for Snort. See "Configuring the MSA for Snort" on page 9.
7. Start the MSA for Snort. See "Starting and stopping the MSA" on page 13.

Configuring Snort

Snort must be running in network intrusion detection mode with alert logging in Fast Alert mode. To enable alert logging to run in Fast Alert mode, use the -A fast command line option when running Snort. The f
24. unt 3.0 has an event rate limitation of 250 events per second. Please note the event rate limit when planning multiple MSA deployments.

Note: You must be logged in as root to run the install script. Also, you can view the ManHunt version number and third-party MSA product name and version number in the installation log, which is located in the <MSA_install_dir>/install directory.

To install the MSA for Snort
1. Place the CD in the CD-ROM drive (mount the volume if necessary).
2. Change to the CD directory and enter the install command: cd Snort20MSA_MH<version>/install/<platform>, where <version> is 22 or 30 and <platform> is linux, solaris8 intel, solaris8 sparc, or macos x ppc. Then run install.sh.
3. Type a directory where you want to install the MSA, or accept the default /usr/msasnort directory, and press Enter.
4. Type a directory to which the MSA will write the operational log files, or accept the default <MSA_install_dir>/logs directory, and press Enter.
Note: The MSA cannot start properly if the log file approaches a certain size (2-3 Gigs, depending on the system). You can delete or rename the log file to correct the problem.
5. Type the ManHunt host IP address and press Enter. This is the IP address of the ManHunt node that will accept the Snort event data.
6. Type the Event Dispatch Protocol (EDP) port number used by this ManHunt node, or accept the de