Difference between revisions of "Linux: Snort"
Rafahsolis (talk | contribs) |
Rafahsolis (talk | contribs) |
||
| Line 32: | Line 32: | ||
==== Snort rules ==== | ==== Snort rules ==== | ||
https://www.youtube.com/watch?v=RUmYojxy3Xw | https://www.youtube.com/watch?v=RUmYojxy3Xw | ||
| + | ==== output plugins examples ==== | ||
| + | <nowiki> | ||
| + | output alert_syslog: LOG_AUTH LOG_ALERT | ||
| + | output log_tcpdump: tcpdump.log | ||
| + | output database: log, mysql, user=root password=test dbname=db | ||
| + | host=localhost | ||
| + | output alert_unified: filename snort.alert, limit 128 | ||
| + | output log_unified: filename snort.log, limit 128 | ||
| + | |||
| + | output alert_fast /var/log/snort/fast_alert | ||
| + | output log_dump /var/log/snort/dump_output | ||
| + | output alert_csv: /var/log/snort/csv.out timestamp,msg,srcip, | ||
| + | sport,dstip,dport,protoname,itype,icode | ||
| + | output alert_syslog | ||
| + | output log_pcap /var/log/snort/pcap_log | ||
| + | |||
| + | # database: log to a variety of databases | ||
| + | # --------------------------------------- | ||
| + | # See the README.database file for more information about configuring | ||
| + | # and using this plugin. | ||
| + | # | ||
| + | # output database: log, mysql, user=root password=test dbname=db | ||
| + | # host=localhost | ||
| + | # output database: alert, postgresql, user=snort dbname=snort | ||
| + | # output database: log, odbc, user=snort dbname=snort | ||
| + | # output database: log, mssql, dbname=snort user=snort password=test | ||
| + | # output database: log, oracle, dbname=snort user=snort password=test<nowiki> | ||
Revision as of 21:20, 23 April 2015
Snort
Intrusion detection system
https://www.youtube.com/watch?v=cQeeko9J_Yw
Instalation
https://www.youtube.com/watch?v=ptIzGv1b9GQ
- .- sudo apt-get install snort
- .- sudo dpkg-reconfigure snort
- .- sudo apt-get install mysql-server
- .- mysql -u root -localhost -p adminPassword
- .- create user 'snort'@'localhost' identified by 'snort';
- .- grant all privileges on *.* to 'snort'@'localhost' identified by 'snort';
- .- flush privileges;
- .- quit
- .- sudo apt-get install snort-mysql
- .- sudo dpkg-reconfigure -plow snort-mysql
- .- cd /usr/share/doc/snort/snort-mysql/
- .- zcat create_mysql.gz
- .- sudo apt-get install acidbase
- .- sudo gedit /etc/acidbase/database.php
- .- sudo su
- .- snort -v
Modes
- Packet sniffer (snort -dev)
- Log Mode (snort -de -l <log_dir> | to view log use: tcpdump -r <log_file>)
- Intrusion detection sniffer (snort -c /etc/snort/snort.conf)
Intrusion detection mode
Config file
/etc/snort/snort.conf
snort -A full -d -c /etc/snort/snotr.conf -l <log_dir>
/etc/snort/reference.config --> display additional information on alerts.
Snort rules
https://www.youtube.com/watch?v=RUmYojxy3Xw
output plugins examples
<nowiki>
output alert_syslog: LOG_AUTH LOG_ALERT output log_tcpdump: tcpdump.log output database: log, mysql, user=root password=test dbname=db host=localhost output alert_unified: filename snort.alert, limit 128 output log_unified: filename snort.log, limit 128
output alert_fast /var/log/snort/fast_alert output log_dump /var/log/snort/dump_output output alert_csv: /var/log/snort/csv.out timestamp,msg,srcip, sport,dstip,dport,protoname,itype,icode output alert_syslog output log_pcap /var/log/snort/pcap_log
- database: log to a variety of databases
- ---------------------------------------
- See the README.database file for more information about configuring
- and using this plugin.
- output database: log, mysql, user=root password=test dbname=db
- host=localhost
- output database: alert, postgresql, user=snort dbname=snort
- output database: log, odbc, user=snort dbname=snort
- output database: log, mssql, dbname=snort user=snort password=test
- output database: log, oracle, dbname=snort user=snort password=test<nowiki>