Lightweight intrusion monitoring with the Snort package
Add Date : 2016-12-09
Snort fills the gap left by expensive, heavyweight network intrusion detection systems. It is a free, cross-platform package for monitoring small TCP/IP networks as a sniffer, packet logger and intrusion detector. It runs on Linux/UNIX and Win32 systems, and it takes only a few minutes to install before you can start using it.

Some of Snort's features:

- Real-time traffic analysis and packet logging

- Packet payload inspection

- Protocol analysis and content matching

- Detection of buffer overflows, stealth port scans, CGI attacks, SMB probes and operating system fingerprinting attempts

- Alerts to syslog, to a specified file, to a Unix socket, or in real time via Samba's WinPopup messages

Snort has three primary modes: packet sniffer, packet logger, and full network intrusion detection system. Following the best free-software convention, Snort supports plug-ins, extensions and customization in many forms, including XML or database logging, small-fragment detection and statistical anomaly detection. Packet payload inspection is Snort's most useful feature, since it allows many additional kinds of hostile behavior to be detected.

Snort.org offers both RPMs and tarballs. I usually recommend building from source to fit your own needs, but I ran into a problem with the latest stable tarball. With this article's deadline approaching, I had no time to work out whether the fault was mine or Snort's. The RPM installed without any problems.

Snort requires libpcap to be installed on your system. Use locate to check:

$ locate libpcap

The output should list the libpcap library and header files.

If they are not there, get libpcap from tcpdump.org or from your Linux installation disk.

Installing security software without verifying it is unwise. Check the checksum of your download:

# md5sum snort-1.8.6.tar.gz

# md5sum snort-1.8.6-1snort.i386.rpm

Unpack the tarball:

$ tar -xvzf snort-1.8.6.tar.gz

Install as root:

# ./configure

# make

# make install

The installation process is the standard, simple form. Among the options are a self-test that runs before installing, a target that removes the binary and object files from the build directory, and a clean uninstall target.

Other installation options that need to be given to configure:

Enable SNMP alert code

--with-mysql=DIR
MySQL support

--with-postgresql=DIR
PostgreSQL support

--with-openssl=DIR
OpenSSL support

Many more options are listed in the documentation inside the tarball.

The RPM installation itself is very simple:

# rpm -ivh snort-1.8.6-1snort.i386.rpm

As you can see on the Snort download page, the precompiled binaries are packaged to stay compatible with other programs such as MySQL and PostgreSQL.

# snort -?

This prints the most commonly used options.

Take a test drive to make sure the installation works. To monitor only the local machine, use -i interface:

# snort -vde -i eth0

Press Ctrl+C to stop the test. Don't forget that your network card must be in promiscuous mode. Snort runs in the terminal window, and closing the window stops it.

Packet sniffer mode

In this mode only the TCP/IP headers are printed:

# snort -v

To also see application-layer data:

# snort -vd

To include data-link-layer headers as well:

# snort -vde

Unless you are very comfortable reading hex as it scrolls past, you will want it written to disk:

# snort -vde -l /var/log/snort

Here -l means "log". To tell Snort which network is the home network, use -h:

# snort -vde -l /var/log/snort -h 192.168.1.0/24

This creates a separate directory for each host. If you would rather have everything in a single binary file, use the -b switch:

# snort -l /var/log/snort -b

With the binary log, specifying any other options is pointless, since everything is captured. To read the file back and process it with Snort or with tcpdump, use -r, which reads and processes a file.

Berkeley Packet Filter expressions can be added to pull out specific items.

See the snort and tcpdump man pages for the other Berkeley Packet Filter options.
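The binary file written with -b is in tcpdump (pcap) format, which is what -r reads back. The following is an added example, not code from the article or from the Snort project: a minimal reader for that format that honors the file's byte order, rejects a truncated record instead of silently stopping, and then applies the equivalent of a "tcp" filter. The two-packet sample file is constructed inline so it runs offline.

```python
import struct

PCAP_MAGIC = 0xA1B2C3D4  # tcpdump-format magic; its byte order reveals the file's endianness

def _packet(dst_port):
    """Constructed Ethernet/IPv4/TCP SYN from 10.0.0.5 to 192.168.1.10:dst_port."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    tcp = struct.pack("!HHIIBBHHH", 40000, dst_port, 1, 0, 5 << 4, 0x02, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     bytes([10, 0, 0, 5]), bytes([192, 168, 1, 10]))
    return eth + ip + tcp

def _pcap_bytes(packets):
    """Constructed little-endian pcap file: 24-byte global header, then 16-byte record headers."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)  # linktype 1 = Ethernet
    for n, pkt in enumerate(packets):
        out += struct.pack("<IIII", 1481270400 + n, 0, len(pkt), len(pkt)) + pkt
    return out

SAMPLE_PCAP = _pcap_bytes([_packet(80), _packet(22)])  # constructed sample, two packets

def read_pcap(data):
    """Yield (timestamp, packet_bytes) from pcap bytes, honoring the writer's byte order."""
    magic = struct.unpack("<I", data[:4])[0]
    if magic == PCAP_MAGIC:
        order = "<"
    elif magic == 0xD4C3B2A1:   # same magic read in the wrong order: big-endian file
        order = ">"
    else:
        raise ValueError("not a tcpdump-format file")
    off = 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, caplen, _origlen = struct.unpack(order + "IIII", data[off:off + 16])
        off += 16
        if off + caplen > len(data):
            raise ValueError("truncated record at offset %d" % off)  # partial/corrupt log
        yield ts_sec + ts_usec / 1e6, data[off:off + caplen]
        off += caplen

def tcp_dst_ports(data):
    """Rough equivalent of reading the log back with a 'tcp' filter: IPv4/TCP destination ports."""
    ports = []
    for _ts, pkt in read_pcap(data):
        if len(pkt) < 34 or pkt[12:14] != b"\x08\x00":  # need Ethernet + IPv4 header
            continue
        ihl = (pkt[14] & 0x0F) * 4
        if pkt[23] != 6 or len(pkt) < 14 + ihl + 4:      # protocol 6 = TCP
            continue
        ports.append(struct.unpack("!H", pkt[14 + ihl + 2:14 + ihl + 4])[0])
    return ports
```

Point read_pcap at the bytes of a real /var/log/snort binary log to walk it the same way.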

Network intrusion detection mode

Now we get to the real Snort. Look at /etc/snort/snort.conf, the global configuration file. The Snort rule sets are also plain text files, stored in /etc/snort. Finally, take a closer look at the line that defines your home network:

It must be set to match the network your interface is on before Snort is started.

For the sake of speed, logging every single packet and displaying it on the screen is not feasible: packets get dropped and the log files grow very large. So drop the -v switch so that nothing is printed to the screen, and leave out -e, the data-link headers:

# snort -dl /var/log/snort -h 192.168.1.0/24 -c /etc/snort/snort.conf

-h specifies the home network and -c the rule set. This is the most basic setup: packets matched by the rules are logged in ASCII. Use the -b switch to log in binary instead. Note that subnet ranges are given in CIDR notation.

Where do these mysterious rule sets come from? Two sources: from Snort.org, including the ones bundled with the RPM or binary download, and from Martin Roesch, Snort's creator, who designed Snort to be fast in every respect: installation, operation and response to attacks. If you are able to analyze a unique attack and confirm its signature, you can write a rule to detect and log it. See the Snort User's Manual (SnortUsersManual.pdf) that came with your download; it is a very good guide to writing custom rules. (These documents are also available online.) Snort.org updates the rule sets daily, so download them as often as you like. In the /contrib directory on Snort.org you can find snortpp, which can be used to merge in new rules.
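Because the rule sets are plain text under /etc/snort and you will be merging in downloaded and custom rules, it helps to be able to read and sanity-check them before Snort loads them. The following is an added example, not code from the article or from the Snort project: a small parser for the rule syntax (action, protocol, addresses, ports, direction, then key:value options in parentheses) that tolerates semicolons inside quoted msg text and reports, per line, rules that have no numeric sid. The sample rule file is constructed here.

```python
import re
# Constructed sample rule file, in the text format Snort keeps under /etc/snort.
SAMPLE_RULES = """
# comments and blank lines are ignored
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB-CGI probe; note the semicolon"; content:"/cgi-bin/"; nocase; classtype:web-application-activity; sid:1000001; rev:2;)
log udp any any -> 192.168.1.0/24 53 (msg:"DNS to home net"; sid:1000002; rev:1;)
alert tcp any any -> any 22 (msg:"no sid, so this one is rejected";)
"""
HEADER = re.compile(r"^(alert|log|pass)\s+(\w+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$")

def split_options(body):  # split on ';' outside double quotes, so msg text may contain ';'
    opts, cur, in_quote, i = [], [], False, 0
    while i < len(body):
        c = body[i]
        if c == "\\" and in_quote and i + 1 < len(body):   # keep escaped chars inside quotes
            cur.append(body[i:i + 2]); i += 2; continue
        if c == '"':
            in_quote = not in_quote
        if c == ";" and not in_quote:
            opts.append("".join(cur).strip()); cur = []
        else:
            cur.append(c)
        i += 1
    if in_quote: raise ValueError("unbalanced quote in options")
    if "".join(cur).strip(): raise ValueError("last option must end with ';'")
    return [o for o in opts if o]

def parse_rule(line):  # header fields plus an options dict; flag-style options map to True
    m = HEADER.match(line)
    if not m: raise ValueError("bad rule header")
    action, proto, src, sport, direction, dst, dport, body = m.groups()
    options = {}
    for opt in split_options(body):
        key, _, val = opt.partition(":")
        options[key.strip()] = val.strip().strip('"') if val else True
    if not str(options.get("sid", "")).isdigit(): raise ValueError("rule lacks a numeric sid")
    return {"action": action, "proto": proto, "src": src, "sport": sport,
            "dir": direction, "dst": dst, "dport": dport, "options": options}

def load_rules(text):
    """Return (rules, errors): one bad line is reported, not fatal for the whole file."""
    rules, errors = [], []
    for n, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        try:
            rules.append(parse_rule(line))
        except ValueError as e:
            errors.append((n, str(e)))
    return rules, errors
```

Run load_rules over the contents of each file in /etc/snort to list the rules that would be rejected and their line numbers.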

Where to put Snort?

If you have the time and resources, putting Snort on both sides of a firewall is best. Comparing what hits your firewall with what gets through it, you will be surprised at how many malicious attacks there are on the Internet. Snort has a small footprint, so you can simply run a single Snort behind the firewall to add a layer of protection that is easier to manage.
