Home PC Games Linux Windows Database Network Programming Server Mobile  
  Home \ Linux \ Packages with Snort intrusion monitoring light     - Ubuntu 14.10 / 14.04 / 12.04 installation GNOME Pie 0.5.6 (Linux)

- MySQL development common query summary (Database)

- Let CentOS6 yum upgrade to support more source rpm package (Linux)

- Bash How to read a file line by line (Programming)

- Python script file directory traversal examples (Programming)

- RHEL7 Apache MPM configuration (Server)

- Use Tmux and Vim to make IDE (Linux)

- High-performance Linux system firewall detailed analysis of double-effect (Linux)

- Mounting Windows shared directory system under the Linux (Linux)

- Eclipse-4.4 crash problem solving under Debian-7.6 (Linux)

- Write perfect printf (Programming)

- Linux System Tutorial: Fix ImportError: No module named wxversion error (Linux)

- Use Docker / LXC quickly launch a desktop system (Linux)

- Linux upgrade GCC 4.8.1 clear and concise tutorials (Ubuntu 12.04 64-bit version as an example) (Linux)

- Zabbix installation and configuration process (Server)

- Java Foundation - The relationship between abstract classes and interfaces (Programming)

- A brief description of Java 8 new features introduced syntax (Programming)

- CentOS 6.x and CentOS7 install MPlayer (Linux)

- Talk about Java in the collection (Programming)

- High-performance JavaScript DOM programming (Programming)

  Packages with Snort intrusion monitoring light
  Add Date : 2016-12-09      
  Snort is designed to fill the expensive, heavy network intrusion detection system case left vacant. Snort is a free, cross-platform software package used to monitor small TCP / IP network sniffer, logging, intrusion detectors. It can run on Linux / UNIX and Win32 systems, you only need a few minutes to install and ready to start using it.

Snort some of the features:

- Real-time traffic analysis and packet logging information

- Packaging payload inspection

- Protocol analysis and content match the query

- Detection of buffer overflows, stealth port scans, CGI attacks, SMB detection, operating system intrusion attempts

- A system log, specify a file, Unixsocket or real-time alerts via Samba's WinPopus

Snort has three primary modes: packet sniffer, packet logger or sophisticated intrusion detection system. Follow the development / the most important free software convention, Snort supports various forms of plug-ins, extensions and customization, including XML or database records, small frame detection and statistical anomaly detection and the like. Packet payload detection Snort is the most useful features, which means a lot of extra types of hostile behavior can be detected.

Snort.org some RPM and tarball. I usually recommend to establish based on the demand, but I have a problem in the latest stable version of the tarball. When this version of the end-use deadline was approaching, I have no time to describe what I was awkward or Snort problem. RPM installation without any problems.

To make Snort work, libpcap is required to install your system. Use locate to check:

$ Locatelibpcap

The output of some of the following elements:





Without these, the tcpdump.org or find your Linux installation disk.

Install a security software without verifying the signature is unwise. Test your download checksum:

# Md5snort-1.8.6.tar.gz


# Md5snort-1.8.6-1snort.i386.rpm

Decompress tarball:

$ Tar-xvzfsnort-1.8.6.tar.gz

Install as root

#. / Configure



This installation process is a simple form. Some of the options are selected to run Snort pre-installed self-test; binary and object files removed from the installation directory, there is a clear operation unloading plant option.

Other installation options and need to use configuration:


Allow SNMP Alarm Code

--with-mysql = DIR

Mysql support

--with-postgresql = DIR

Support Postgresql database

--with-openssl = DIR

Support openssl

There are many more options that can be found in your documents tarball

RPM installation itself is very simple:

# Rpm-ivhsnort-1.8.6-1snort.i386.rpm

You can see on the download page of Snort, precompiled binaries have been packaged, to maintain compatibility with other programs, such as mySQL and PostgreSQL

# Snort-?

The most commonly used print options

Test-drive is used to ensure proper installation. Only monitors the local machine, -I = interface:

# Snort-vdeieth0

Use CTRL + C to stop the test. Do not forget your network card is set to promiscuous mode. Snort daemon will run form, and will stop to open the form.

PacketSniffer mode

In this mode, only the TCP / IP header is printed out

# Snort-v

View application-layer data

# Snort-vd

Data link layer header

# Snort-vde


Unless you are very familiar with hex, you still have to be written to disk

# Snort-vdel / var / log / snort

Here the "-l" indicates "log", recorded. Tell Snort record anything local network, -h local representation:

# Snort-vdel / var / log / snort-h192.168.1.0 / 24

This creates a separate directory for each host. If you want everything into a binary file, use -b to switch

# Snort-l / var / log / snort-b

Specify any other option is meaningless if you need Snort installation option or use tcpdump, please parse out the file, -r for read and process the file.


BerkeleyPacketFilter parsed for specific projects




Check with the man on BerkeleyPacketFilter snort and tcpdump of other options.

Network intrusion detection mode

Now we enter the real Snort tool. Look /etc/snort/snort.conf, global profile. Snort rules also set up as a text file stored in the / etc / snort. Finally, a closer look at this line:


This is in accordance with the local network card set to initialize Snort.

In order to ensure the speed, recording each individual package and displayed on the screen it is not possible. Packets are dropped, and the log file can become very large. Use the -v switch, so it will not appear on the screen, we can not -e, data link header:

# Snort-dl / var / log / snort-h192.168.1.0 / 24-c / etc / snort / snort.conf

-h represents the local network, -c indication rule set. This is the most basic, using ASCII recording setup rules define the package. Use -b switch is recorded as a binary file. Note that the definition of subnet ranges in CIDR notation.

These mysterious set of rules come get it? Two sources: from Snort.org, including the RPM or download binary files; from MartinRoesch, Snort creator, he designed Snort very rapidly in all aspects: installation, operation and response to attacks. If you have the ability to analyze a unique attack and a confirmation signal, you can write a rule to detect and record it. See you download the Snort User's Manual (SnortUsersManual.pdf), this is a very good write custom rules guidelines. (These documents are available online) Snort.org daily update rule set, you can download to make you satisfied. You can Snort on Snort.org the / contrib directory to find snortpp, you can use it to incorporate new rules

Where to configure Snort?

If you have the time and resources to put Snort sides of a firewall it is the best. Compare what hit your firewall, which smoothly through your firewall, you will be very surprised there are so many malicious attacks on the Internet. Snort takes up little space, so that you can run a simple Snort is behind a firewall to add a layer of protection, easier to manage,





- iOS development -Launch Image and Launchscreen (Programming)
- Linux-- sub-volume compression and decompression (Linux)
- For the FreeBSD install Adobe Flash plug-in (Linux)
- CentOS 6.5 installation and simple configuration Nginx (Server)
- Getting Started Linux Shell Scripting (Programming)
- How to manage KVM virtual environments with command-line tools in Linux (Server)
- OpenNMS compile under Linux (Server)
- EChart simple and practical control on chart (Programming)
- PostgreSQL Source Customization: Online global read only (Database)
- The method of MySQL two kinds of incomplete recovery (Database)
- Docker deployment practices in Ubuntu (Server)
- Linux System Administrator common interview questions and answers 30 (Linux)
- Use OpenSSL for RSA encryption and decryption (Linux)
- JDK installation under CentOS (Linux)
- Ubuntu 14.04 forget solution root password (Linux)
- How to clear the DNS query cache under Linux / Unix / Mac (Linux)
- Fedora && Arch Linux - the most romantic thing to happen now (Linux)
- Configure shared library PCRE (Linux)
- Ubuntu Server security risk checks (Linux)
- DRBD + Heartbeat solve NFS single point of failure (Server)
  CopyRight 2002-2020 newfreesoft.com, All Rights Reserved.