daily pastebin goal
82%
SHARE
TWEET

Untitled

a guest Dec 11th, 2018 49 Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
  1. Snort Lab
  2. Background
  3. The Snort program (www.snort.org) is an open source IDS and intrusion prevention system (IPS) that provides extensive rule sets that are frequently updated with new attack vectors. Any questionable activity can be sent to a logging host, and several open source log-processing tools are available to help make sense of the information gathered (for example, the Basic Analysis and Security Engine, or BASE). Running Snort on a Linux system that is located at a key entry/exit point in your network is a great way to track the activity without your having to set up a proxy for each protocol that you want to support.
  4.  
  5. 1.  Get and install Snort:
  6. From Source:
  7. wget https://snort.org/downloads/snort/daq-2.0.6.tar.gz                      
  8. wget https://snort.org/downloads/snort/snort-2.9.12.tar.gz
  9. tar xvzf daq-2.0.6.tar.gz
  10. sudo apt install bison
  11. sudo apt install flex
  12. cd daq-2.0.6
  13. ./configure && make && sudo make install
  14. cd ..
  15. tar xvzf snort-2.9.12.tar.gz                      
  16. cd snort-2.9.12
  17. ./configure --enable-sourcefire && make && sudo make install
  18.  
  19. Easy way:
  20. sudo apt install snort
  21. tab OK -> replace eth0 with enp0s3
  22. tab OK
  23.  
  24. 2.  Sniffer Mode
  25. a.  Run Snort and just show the IP and TCP/UDP/ICMP header:
  26.  
  27. ./snort -v
  28.  
  29. b.  Display the packet data as well as the headers.
  30.  
  31. ./snort -vde or ./snort -d -v -e
  32.  
  33. 3.  Packet Logger Mode
  34. a.  Create a directory named log in the current directory.
  35. b.  Print out the data link and TCP/IP headers as well as application data into the directory ./log, and you want to log the packets relative to the 192.168.1.0 class C network. All incoming packets will be recorded into subdirectories of the log directory, with the directory names being based on the address of the remote (non-192.168.1) host.
  36.  
  37. ./snort -dev -l ./log
  38.  
  39. c.  In order to log relative to the home network, you need to tell Snort which network is the home network:
  40.    
  41. ./snort -dev -l ./log -h 192.168.1.0/24
  42.        
  43. d.  Binary mode logs the packets in tcpdump format to a single binary file in the logging directory:
  44.  
  45. ./snort -l ./log -b
  46.  
  47. Note the command line changes here. We don’t need to specify a home network any longer because binary mode logs everything into a single file, which eliminates the need to tell it how to format the output directory structure.
  48. e.  Snort can read the packets back out of the file with the -r switch (playback mode).
  49.  
  50.     ./snort -dv -r packet.log
  51.  
  52. f.  You can manipulate the data in the file in a number of ways through Snort’s packet logging and intrusion detection modes, as well as with the BPF interface that’s available from the command line. Show the ICMP packets from the log file. Specify a BPF filter at the command line:
  53.  
  54. ./snort -dvr packet.log icmp
  55.  
  56. 4.  Network Intrusion Detection System (NIDS) mode, which performs detection and analysis on network traffic. This is the most complex and configurable mode.
  57. a.  Enable NIDS mode in its most basic NIDS form, logging packets that trigger rules specified in the snort.conf in plain ASCII to disk using a hierarchical directory structure:
  58.  
  59. ./snort -dev -l ./log -h 192.168.1.0/24 -c snort.conf
  60.  
  61. Six modes accessed with the -A command line switch are:
  62.  
  63. b.  Use the following command line to log to default (decoded ASCII) facility and send alerts to syslog:
  64.  
  65. ./snort -c snort.conf -l ./log -h 192.168.1.0/24 -s
  66.  
  67. c.  As another example, use the following command line to log to the default facility in /var/log/snort and send alerts to a fast alert file:
  68.  
  69. ./snort -c snort.conf -A fast -h 192.168.1.0/24
  70.  
  71. 5.  Running Snort as a Daemon Running Snort as a Daemon. Add the -D switch to any combination. If you want to be able to restart Snort by sending a SIGHUP signal to the daemon, you must specify the full path to the Snort binary when you start it  Relative paths are not supported due to security concerns. Try this:
  72.  
  73. /usr/local/bin/snort -d -h 192.168.1.0/24 \
  74. -l /var/log/snortlogs -c /usr/local/etc/snort.conf -s –D
  75.  
  76.  
  77. sudo apt update
  78. sudo apt install libpcap-dev
RAW Paste Data
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy. OK, I Understand
 
Top