PeterHarding at 05:06, 25 April 2008

2008-04-25T05:06:59Z

← Older revision		Revision as of 15:06, 25 April 2008
Line 76:		Line 76:

	[[Category:Technet]]		[[Category:Technet]]
	[[Category:~~Whitepages~~]]		[[Category:Whitepapers]]

PeterHarding: New page: by Vincent Danen, TechRepublic Snort (http://www.snort.org/) is a Network Intrusion Detection System (NIDS), which can view and analyse packets on a network to determine whether ...

2008-04-25T05:06:39Z

New page: <i>by Vincent Danen, TechRepublic</i> Snort (http://www.snort.org/) is a Network Intrusion Detection System (NIDS), which can view and analyse packets on a network to determine whether ...

New page

<i>by Vincent Danen, TechRepublic</i>

Snort (http://www.snort.org/) is a Network Intrusion Detection System
(NIDS), which can view and analyse packets on a network to determine
whether or not a system is being attacked by remote. Most Linux
distributions come with Snort, so it's simply a matter of installing Snort
via urpmi, apt-get, or yum. Snort can write its collected information to a
variety of different sources for later analysis, be it flat files or a
database such as PostgreSQL or MySQL. As well, Snort can be used as a
simple packet logger, sniffer, or a full-blown NIDS.

Once Snort is installed, it can be used right away. Simply executing:

# snort -v

will put Snort into packet sniffing mode; traffic will be scrolled on the
screen showing what packets Snort is seeing. To exit, hit CTRL-C and you
will see a brief analysis of what Snort detected. To see even more
information -- like you might with tcpdump -- use the -vd option instead.

To have Snort log data, simply tell it where to log the information. In
the next example, Snort will log information to the /usr/local/log/snort
directory, so make sure it exists first.

# snort -l /usr/local/log/snort -d

Snort will log packets in a binary file, such as
/usr/local/log/snort/snort.log.1199665001. To view the log, use the -r
option with Snort in order to replay the captured data.

# snort -r /usr/local/log/snort/snort.log.1199665001

Using Snort as an NDIS takes a little more work; you must configure Snort
appropriately, using the configuration file /etc/snort/snort.conf. Be
warned, this configuration file can be quite hefty! Some of the rules
available on the Snort Web site may be packaged with Snort, depending on
the Linux distribution.

The Snort rules can be downloaded from
http://www.snort.org/pub-bin/downloads.cgi. The community rules are
available for anyone to use and are most likely to be bundled with any
prepackaged vendor-supplied copies of Snort. You can also subscribe to
receive updated rules from Sourcefire on a regular basis.

Once you have downloaded a rules package, such as the
Community-Rules-CURRENT.tar.gz file, unpack it on the system with Snort
installed in the directory where the Snort configuration is:

# cd /etc/snort
# tar xvzf Community-Rules-CURRENT.tar.gz

The new rules will now be in the rules/ directory.

To enable them, edit snort.conf and add:

var RULE_PATH rules
include $RULE_PATH/sql.rules
include $RULE_PATH/icmp.rules
...

Include whichever rules you like. Snort can now be started to load the
configuration file /etc/snort/snort.conf , which will, in turn, load the
downloaded rules:

# snort -c /etc/snort/snort.conf

Snort will then print information about its initialisation to the screen
and then start logging packets that match the defined rules. The rules
will determine what Snort will log and what it will ignore, so unlike
running Snort as a sniffer, the generated logs will be much smaller as
only packets "of consequence" will be logged. These logs will be stored,
by default, in /var/log/snort/ and can be analysed by Snort using the -r
option as noted previously.

[[Category:Technet]]
[[Category:Whitepages]]

Detect intruders on your network with Snort - Revision history

PeterHarding at 05:06, 25 April 2008

PeterHarding: New page: by Vincent Danen, TechRepublic Snort (http://www.snort.org/) is a Network Intrusion Detection System (NIDS), which can view and analyse packets on a network to determine whether ...