Snort (Intrusion Detection System)



Snort is a rule based IDS. Snort works in three different modes which is as follows:
    1) Sniffer Mode
    2) Packet Logger Mode
    3) Network Intrusion Detection Mode

1)      Sniffer Mode :
Sniffer Mode allows you to dump data in the header and body of each packet to the screen when you are running Snort. To start the snort for displaying all application data, enter the command as follows:

./snort –d                   -> works in most of the version of snort

./snort –dv                 -> for getting an error message

2)      Packet Logger Mode :
Packet Logger Mode is different from Sniffer mode because the packet data and headers are written to the hard drive of host on which the snort is running. For writing to the directory named log write the following command:

./snort –dev –l ./log

For capturing the logging data on the local network, it is necessary to enter the ip address range of the network

./snort –dev –l ./log –h 192.168.1.0/24

For viewing only one type of data, you can use bpf to filter out the unwanted traffic by entering the following command

./snort –dvr packet.log tcp

3)      Network Intrusion Detection Mode :
Network Intrusion Detection Mode does not record the packets but it allows rules that you have selected to apply. Snort.conf is default file that contains all the rules. So Snort will inspect only the traffic which is defined in snort.conf file. For starting the snort in Intrusion Detection Mode enter the following command:

./snort –dev –l ./log –h 192.168.0/24 –c snort.conf

If you failed to enter the output directory will result in the output being written in /var/log/snort

  The rules Snort uses are heart of the IDS functionality. Anyone who uses snort can define their  
Rule in a custom manner. Each rule consists of two parts: the rule header and the rule option. The rule header contains the rule action (alert, log, pass, activate, or dynamic), type of protocol, source and destination addresses, masks, source and destination ports. The rule option has the content of the alert messages and information concerning the portion of each packet.

Alert udp any any -> 192.168.1.0/24 135 (content: “| 06 4a 05 42|”; msg: ”Windows messenger service message ”;)

Comments

Post a Comment

Popular posts from this blog

Web Security

Things which can protect your system from intruders          1.  Keep platform up-to-date : It is one of best things that you can do to protect your website from intruders, you just have to make sure that installed platforms scripts are up-to-date. It is found that many of these tools are created as open-source software programs, so their code is easily available to black hat hackers. This code can be used for both in good intention by developers as well as bad intention by hackers. Developers will resolve the bugs and hackers will look for any security loopholes which will allow them to exploit the platform or any script. For an example, if anyone is running a website on WordPress, then the WordPress installation and plugins which are installed may be potentially vulnerable to attacks. Just make sure that you are using the newest version of platform and scripts, which will help minimizing the risk.   ...
Read more

Wireshark(Network Protocol Analyzer)

Wireshark and components – what does it do and how? Wireshark is a network monitoring tool which also called as network protocol analyzer or sniffer. It is free and open source tool. It is used for network trouble shooting and analysis. Wireshark is a cross platform based, it runs on many operating systems like Linux, MacOS, BSD, Solaris, Microsoft Windows etc. There is also a terminal version of wireshark which is called as TShark. Wireshark uses pcap to capture packets form the network. It is used for examining the details of traffic in the network. The information of the packet which is captured can give its transmit time, source ip address, destination ip address, protocol type, header data etc. So this information can be use in security and troubleshooting issues. The wireshark will display the information in three types of panels which are Packet list panel, Packet details panel, Packet byte panel. The packet list panel are the colored lines which are displayed at the top. ...
Read more