70 Chapter 2 • Installing Snort and Getting Started

2.8.7 Sending Alerts to Windows

Snort can send alerts to Microsoft Windows machines in the form of pop-up windows. These pop-up windows are controlled by Windows Messenger Service. Windows Messenger Service must be running on your Windows machine for pop-up windows to work. You can go to Control Panel and start the Services applet to find out if Windows Messenger Service is running. The Services applet is found in the Administrative Tools menu on your Windows system. Depending on your version of Microsoft Windows, it may be found in Control Panel or some other place. The SAMBA client package must be installed on your UNIX machine. SAMBA is an open source software suite that allows UNIX file and printer sharing with Microsoft Windows machines. SAMBA software runs on UNIX platforms. It can work with any other operating sys- tem that understands Common Internet File System CIFS or Server Message Block SMB protocol. More information about SAMBA is available from http:www.samba.org. The Snort alert mechanism uses smbclient program on the UNIX machine to connect to the Windows machines and send the alerts. Make sure that the SAMBA client is working prop- erly before trying to use this service. SAMBA operations are dependent upon its configuration file etcsambasmb.conf on a RedHat system. This file may be located at a different place on other UNIX systems. Although detailed discussion on SAMBA is beyond the scope of this book, a sample SAMBA configuration file is listed below. This file can be used to jump start SAMBA. The file creates a workgroup REHMAN which you can view from “Network Neighborhood” part of your Windows machines.

2.8.7.1 Sample Samba Configuration File

A sample etcsambasmb.conf file is as follows: [global] workgroup = REHMAN server string = REHMAN file server log file = varlogsambalog.m max log size = 50 security = user encrypt passwords = yes socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192 dns proxy = no domain logons = no unix password sync = no map to guest = never password level = 0 null passwords = no os level = 0 preferred master = yes domain master = yes wins support = yes dead time = 0 Running Snort in Stealth Mode 71 debug level = 0 load printers = yes [homes] comment = Home Directories browseable = yes writable = yes available = yes public = yes only user = no [htmldir] comment = html stuff path = homehttpdhtml public = yes writable = yes printable = no write list = rehman [virtualhosting] comment = html stuff path = usrvirt_web public = yes writable = yes printable = no write list = rehman [printers] [netlogon] available = no More information about SMB alerts will be presented in later chapters. Note that you should compile Snort with --with-smbalerts option in the configure script if you want to use this option. Without this option in the configure script, SAMBA ser- vices can’t be used with Snort.

2.9 Running Snort in Stealth Mode

Sometimes you may want to run Snort in stealth mode. In stealth mode, other hosts are not able to detect the presence of the Snort machine. In other words, the Snort machine is not visible to intruders or other people. There are multiple ways to run Snort in stealth mode. One of these methods is to run Snort on a network interface where no IP address is assigned. Running Snort on a network interface without an IP address is feasible in the following two cases: 1. A stand-alone Snort sensor with only one network adapter. 2. A Snort sensor with two network adapters: one to access the sensor from an isolated network and the other one connected to the public network and running