Difference between revisions of "Linux: Snort"
Jump to navigation
Jump to search
Rafahsolis (talk | contribs) (→Snort) |
Rafahsolis (talk | contribs) |
||
| (2 intermediate revisions by the same user not shown) | |||
| Line 3: | Line 3: | ||
https://www.youtube.com/watch?v=cQeeko9J_Yw | https://www.youtube.com/watch?v=cQeeko9J_Yw | ||
=== Instalation === | === Instalation === | ||
| + | https://www.youtube.com/watch?v=ptIzGv1b9GQ<br /> | ||
| + | |||
#.- sudo apt-get install snort | #.- sudo apt-get install snort | ||
#.- sudo dpkg-reconfigure snort | #.- sudo dpkg-reconfigure snort | ||
| Line 19: | Line 21: | ||
#.- sudo su | #.- sudo su | ||
#.- snort -v | #.- snort -v | ||
| − | === | + | === Modes === |
| − | https:// | + | * Packet sniffer (snort -dev) |
| + | * Log Mode (snort -de -l <log_dir> | to view log use: tcpdump -r <log_file>) | ||
| + | * Intrusion detection sniffer (snort -c /etc/snort/snort.conf) | ||
| + | === Intrusion detection mode === | ||
| + | ==== Config file ==== | ||
| + | /etc/snort/snort.conf<br /> | ||
| + | snort -A full -d -c /etc/snort/snotr.conf -l <log_dir><br /> | ||
| + | /etc/snort/reference.config --> display additional information on alerts.<br /> | ||
| + | ==== Snort rules ==== | ||
| + | https://www.youtube.com/watch?v=RUmYojxy3Xw | ||
| + | ==== output plugins examples ==== | ||
| + | <nowiki> | ||
| + | output alert_syslog: LOG_AUTH LOG_ALERT | ||
| + | output log_tcpdump: tcpdump.log | ||
| + | output database: log, mysql, user=root password=test dbname=db | ||
| + | host=localhost | ||
| + | output alert_unified: filename snort.alert, limit 128 | ||
| + | output log_unified: filename snort.log, limit 128 | ||
| + | |||
| + | output alert_fast /var/log/snort/fast_alert | ||
| + | output log_dump /var/log/snort/dump_output | ||
| + | output alert_csv: /var/log/snort/csv.out timestamp,msg,srcip, | ||
| + | sport,dstip,dport,protoname,itype,icode | ||
| + | output alert_syslog | ||
| + | output log_pcap /var/log/snort/pcap_log | ||
| + | |||
| + | # database: log to a variety of databases | ||
| + | # --------------------------------------- | ||
| + | # See the README.database file for more information about configuring | ||
| + | # and using this plugin. | ||
| + | # | ||
| + | # output database: log, mysql, user=root password=test dbname=db | ||
| + | # host=localhost | ||
| + | # output database: alert, postgresql, user=snort dbname=snort | ||
| + | # output database: log, odbc, user=snort dbname=snort | ||
| + | # output database: log, mssql, dbname=snort user=snort password=test | ||
| + | # output database: log, oracle, dbname=snort user=snort password=test<nowiki> | ||
| + | === view unified2 files === | ||
| + | use: u2spewfoo | ||
Latest revision as of 03:51, 24 April 2015
Snort[edit]
Intrusion detection system
https://www.youtube.com/watch?v=cQeeko9J_Yw
Instalation[edit]
https://www.youtube.com/watch?v=ptIzGv1b9GQ
- .- sudo apt-get install snort
- .- sudo dpkg-reconfigure snort
- .- sudo apt-get install mysql-server
- .- mysql -u root -localhost -p adminPassword
- .- create user 'snort'@'localhost' identified by 'snort';
- .- grant all privileges on *.* to 'snort'@'localhost' identified by 'snort';
- .- flush privileges;
- .- quit
- .- sudo apt-get install snort-mysql
- .- sudo dpkg-reconfigure -plow snort-mysql
- .- cd /usr/share/doc/snort/snort-mysql/
- .- zcat create_mysql.gz
- .- sudo apt-get install acidbase
- .- sudo gedit /etc/acidbase/database.php
- .- sudo su
- .- snort -v
Modes[edit]
- Packet sniffer (snort -dev)
- Log Mode (snort -de -l <log_dir> | to view log use: tcpdump -r <log_file>)
- Intrusion detection sniffer (snort -c /etc/snort/snort.conf)
Intrusion detection mode[edit]
Config file[edit]
/etc/snort/snort.conf
snort -A full -d -c /etc/snort/snotr.conf -l <log_dir>
/etc/snort/reference.config --> display additional information on alerts.
Snort rules[edit]
https://www.youtube.com/watch?v=RUmYojxy3Xw
output plugins examples[edit]
<nowiki>
output alert_syslog: LOG_AUTH LOG_ALERT output log_tcpdump: tcpdump.log output database: log, mysql, user=root password=test dbname=db host=localhost output alert_unified: filename snort.alert, limit 128 output log_unified: filename snort.log, limit 128
output alert_fast /var/log/snort/fast_alert output log_dump /var/log/snort/dump_output output alert_csv: /var/log/snort/csv.out timestamp,msg,srcip, sport,dstip,dport,protoname,itype,icode output alert_syslog output log_pcap /var/log/snort/pcap_log
- database: log to a variety of databases
- ---------------------------------------
- See the README.database file for more information about configuring
- and using this plugin.
- output database: log, mysql, user=root password=test dbname=db
- host=localhost
- output database: alert, postgresql, user=snort dbname=snort
- output database: log, odbc, user=snort dbname=snort
- output database: log, mssql, dbname=snort user=snort password=test
- output database: log, oracle, dbname=snort user=snort password=test<nowiki>
view unified2 files[edit]
use: u2spewfoo