Snort is designed to fill the expensive, heavy network intrusion detection system case left vacant. Snort is a free, cross-platform software package used to monitor small TCP / IP network sniffer, logging, intrusion detectors. It can run on Linux / UNIX and Win32 systems, you only need a few minutes to install and ready to start using it.
Snort some of the features:
- Real-time traffic analysis and packet logging information
- Packaging payload inspection
- Protocol analysis and content match the query
- Detection of buffer overflows, stealth port scans, CGI attacks, SMB detection, operating system intrusion attempts
- A system log, specify a file, Unixsocket or real-time alerts via Samba's WinPopus
Snort has three primary modes: packet sniffer, packet logger or sophisticated intrusion detection system. Follow the development / the most important free software convention, Snort supports various forms of plug-ins, extensions and customization, including XML or database records, small frame detection and statistical anomaly detection and the like. Packet payload detection Snort is the most useful features, which means a lot of extra types of hostile behavior can be detected.
Snort.org some RPM and tarball. I usually recommend to establish based on the demand, but I have a problem in the latest stable version of the tarball. When this version of the end-use deadline was approaching, I have no time to describe what I was awkward or Snort problem. RPM installation without any problems.
To make Snort work, libpcap is required to install your system. Use locate to check:
The output of some of the following elements:
Without these, the tcpdump.org or find your Linux installation disk.
Install a security software without verifying the signature is unwise. Test your download checksum:
Install as root
#. / Configure
This installation process is a simple form. Some of the options are selected to run Snort pre-installed self-test; binary and object files removed from the installation directory, there is a clear operation unloading plant option.
Other installation options and need to use configuration:
Allow SNMP Alarm Code
--with-mysql = DIR
--with-postgresql = DIR
Support Postgresql database
--with-openssl = DIR
There are many more options that can be found in your documents tarball
RPM installation itself is very simple:
You can see on the download page of Snort, precompiled binaries have been packaged, to maintain compatibility with other programs, such as mySQL and PostgreSQL
The most commonly used print options
Test-drive is used to ensure proper installation. Only monitors the local machine, -I = interface:
Use CTRL + C to stop the test. Do not forget your network card is set to promiscuous mode. Snort daemon will run form, and will stop to open the form.
In this mode, only the TCP / IP header is printed out
View application-layer data
Data link layer header
Unless you are very familiar with hex, you still have to be written to disk
# Snort-vdel / var / log / snort
Here the "-l" indicates "log", recorded. Tell Snort record anything local network, -h local representation:
# Snort-vdel / var / log / snort-h192.168.1.0 / 24
This creates a separate directory for each host. If you want everything into a binary file, use -b to switch
# Snort-l / var / log / snort-b
Specify any other option is meaningless if you need Snort installation option or use tcpdump, please parse out the file, -r for read and process the file.
BerkeleyPacketFilter parsed for specific projects
Check with the man on BerkeleyPacketFilter snort and tcpdump of other options.
Network intrusion detection mode
Now we enter the real Snort tool. Look /etc/snort/snort.conf, global profile. Snort rules also set up as a text file stored in the / etc / snort. Finally, a closer look at this line:
varHOME_NET $ eth0_ADDRESS
This is in accordance with the local network card set to initialize Snort.
In order to ensure the speed, recording each individual package and displayed on the screen it is not possible. Packets are dropped, and the log file can become very large. Use the -v switch, so it will not appear on the screen, we can not -e, data link header:
# Snort-dl / var / log / snort-h192.168.1.0 / 24-c / etc / snort / snort.conf
-h represents the local network, -c indication rule set. This is the most basic, using ASCII recording setup rules define the package. Use -b switch is recorded as a binary file. Note that the definition of subnet ranges in CIDR notation.
These mysterious set of rules come get it? Two sources: from Snort.org, including the RPM or download binary files; from MartinRoesch, Snort creator, he designed Snort very rapidly in all aspects: installation, operation and response to attacks. If you have the ability to analyze a unique attack and a confirmation signal, you can write a rule to detect and record it. See you download the Snort User's Manual (SnortUsersManual.pdf), this is a very good write custom rules guidelines. (These documents are available online) Snort.org daily update rule set, you can download to make you satisfied. You can Snort on Snort.org the / contrib directory to find snortpp, you can use it to incorporate new rules
Where to configure Snort?
If you have the time and resources to put Snort sides of a firewall it is the best. Compare what hit your firewall, which smoothly through your firewall, you will be very surprised there are so many malicious attacks on the Internet. Snort takes up little space, so that you can run a simple Snort is behind a firewall to add a layer of protection, easier to manage,