Difference between revisions of "Linux: Snort"


Revision as of 20:41, 19 April 2015

Snort

Intrusion detection system
https://www.youtube.com/watch?v=cQeeko9J_Yw

Installation

https://www.youtube.com/watch?v=ptIzGv1b9GQ

  1. sudo apt-get install snort
  2. sudo dpkg-reconfigure snort
  3. sudo apt-get install mysql-server
  4. mysql -u root -h localhost -p   (enter the MySQL root password, adminPassword in these notes, at the prompt)
  5. create user 'snort'@'localhost' identified by 'snort';
  6. grant all privileges on *.* to 'snort'@'localhost' identified by 'snort';
  7. flush privileges;
  8. quit
  9. sudo apt-get install snort-mysql
  10. sudo dpkg-reconfigure -plow snort-mysql
  11. cd /usr/share/doc/snort/snort-mysql/
  12. zcat create_mysql.gz | mysql -u snort -p <snort_db>   (loads the Snort table schema into the database created in the previous step)
  13. sudo apt-get install acidbase
  14. sudo gedit /etc/acidbase/database.php   (point acidbase at the snort database and credentials from steps 5 and 6)
  15. sudo su
  16. snort -v

Modes

  • Packet sniffer mode: snort -dev (decode and print packet headers and payload to the console)
  • Packet logger mode: snort -de -l <log_dir>; read the captured log back with tcpdump -r <log_file>
  • Intrusion detection mode: snort -c /etc/snort/snort.conf (apply the rule set from the config file)

Intrusion detection mode

Config file

/etc/snort/snort.conf
snort -A full -d -c /etc/snort/snort.conf -l <log_dir>
/etc/snort/reference.config --> adds reference information (links to advisories and vulnerability databases) to alerts.
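With -A full, Snort writes one multi-line record per alert to the alert file under <log_dir>. The script below is an added example (not from this wiki page or the Snort project) that parses that record layout as produced by Snort 2.x and summarises the alerts per signature and per source host, which is the first triage step an analyst performs. The alert text, IP addresses and sids in it are constructed for the example.

```python
import re
from collections import Counter

# Constructed sample of a Snort 2.x "-A full" alert file (<log_dir>/alert).
# Hosts, sids and messages are placeholders made up for this example.
SAMPLE_ALERT_FILE = """\
[**] [1:1000001:1] SSH connection attempt [**]
[Classification: Attempted Information Leak] [Priority: 2]
04/19-20:41:00.123456 192.168.1.10:54321 -> 192.168.1.20:22
TCP TTL:64 TOS:0x0 ID:1234 IpLen:20 DgmLen:60 DF
******S* Seq: 0x1A2B3C4D  Ack: 0x0  Win: 0x7210  TcpLen: 40

[**] [1:1000001:1] SSH connection attempt [**]
[Classification: Attempted Information Leak] [Priority: 2]
04/19-20:41:03.654321 192.168.1.10:54322 -> 192.168.1.20:22
TCP TTL:64 TOS:0x0 ID:1235 IpLen:20 DgmLen:60 DF
******S* Seq: 0x5E6F7A8B  Ack: 0x0  Win: 0x7210  TcpLen: 40

[**] [1:1000002:1] ICMP echo request to gateway [**]
[Priority: 3]
04/19-20:42:10.000001 192.168.1.33 -> 192.168.1.1
ICMP TTL:64 TOS:0x0 ID:4321 IpLen:20 DgmLen:84
"""

# First line of a record: [**] [gid:sid:rev] message [**]
HEADER_RE = re.compile(r"^\[\*\*\] \[(\d+):(\d+):(\d+)\] (.*?) \[\*\*\]$")
# Priority appears on the classification line (or alone when no classtype is set)
PRIORITY_RE = re.compile(r"\[Priority: (\d+)\]")
# Timestamp line: MM/DD-HH:MM:SS.usec src[:port] -> dst[:port]
PACKET_RE = re.compile(r"^(\d\d/\d\d-\d\d:\d\d:\d\d\.\d+) (\S+) -> (\S+)$")


def parse_full_alerts(text):
    """Split a full-format alert file into records; returns one dict per alert."""
    alerts = []
    for block in text.strip().split("\n\n"):
        lines = block.splitlines()
        if not lines:
            continue
        m = HEADER_RE.match(lines[0])
        if not m:
            continue  # not an alert header; skip the block
        gid, sid, rev, msg = m.groups()
        rec = {"gid": int(gid), "sid": int(sid), "rev": int(rev), "msg": msg,
               "priority": None, "timestamp": None, "src": None, "dst": None,
               "proto": None}
        for line in lines[1:]:
            p = PRIORITY_RE.search(line)
            if p:
                rec["priority"] = int(p.group(1))
                continue
            pk = PACKET_RE.match(line)
            if pk:
                rec["timestamp"], rec["src"], rec["dst"] = pk.groups()
                continue
            # The layer-4 line starts with the protocol name (TCP / UDP / ICMP)
            if rec["proto"] is None and line[:1].isalpha():
                rec["proto"] = line.split()[0]
        alerts.append(rec)
    return alerts


def source_host(rec):
    """Strip the port from src for TCP/UDP so hosts aggregate across ports."""
    if rec["proto"] in ("TCP", "UDP") and ":" in rec["src"]:
        return rec["src"].rsplit(":", 1)[0]
    return rec["src"]


def summarize(alerts):
    """Count alerts per (sid, msg) and per source host."""
    by_sig = Counter((a["sid"], a["msg"]) for a in alerts)
    by_src = Counter(source_host(a) for a in alerts)
    return by_sig, by_src


if __name__ == "__main__":
    parsed = parse_full_alerts(SAMPLE_ALERT_FILE)
    sigs, srcs = summarize(parsed)
    for (sid, msg), n in sigs.most_common():
        print(f"sid {sid} ({msg}): {n}")
    for host, n in srcs.most_common():
        print(f"source {host}: {n}")
```

To run it against a real deployment, read <log_dir>/alert into the string instead of SAMPLE_ALERT_FILE; the two most_common() listings then show which signatures fire most and which hosts trigger them.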

Snort rules

https://www.youtube.com/watch?v=RUmYojxy3Xw
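A Snort rule is a header (action, protocol, source address and port, direction, destination address and port) followed by a parenthesised list of semicolon-separated options such as msg, content and sid. The script below is an added example (not from this wiki page or the Snort project) that parses that syntax into its parts and checks the points a rule loader complains about: an unknown action or protocol, a missing msg or sid, and a local sid below 1,000,000 (the range Snort reserves for distributed rules). The sample rules are constructed for the example.

```python
import re

ACTIONS = {"alert", "log", "pass", "drop", "reject", "sdrop"}
PROTOCOLS = {"tcp", "udp", "icmp", "ip"}

# action proto src sport (->|<>) dst dport (options)
HEADER_RE = re.compile(
    r"^(?P<action>\S+)\s+(?P<proto>\S+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$"
)

# Constructed sample rules; sids are in the local range and are placeholders.
RULES = [
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"SSH connection attempt"; '
    'flow:to_server,established; sid:1000001; rev:1;)',
    'alert icmp any any -> $HOME_NET any (msg:"ICMP echo request"; itype:8; sid:1000002; rev:1;)',
    'alert tcp any any -> any 80 (msg:"HTTP semicolon in URI"; content:"a;b"; nocase; '
    'sid:1000003; rev:1;)',
    'alert tcp any any -> any 443 (msg:"no sid given";)',
]


def split_options(opts):
    """Split the option body on ';' while honouring double quotes and backslash
    escapes, so that content:"a;b" stays a single option."""
    items, buf, in_quote, escaped = [], [], False, False
    for ch in opts:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            buf.append(ch)
            escaped = True
        elif ch == '"':
            buf.append(ch)
            in_quote = not in_quote
        elif ch == ";" and not in_quote:
            items.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    tail = "".join(buf).strip()
    if tail:
        items.append(tail)
    return [i for i in items if i]


def parse_rule(line):
    """Return a dict with the header fields and an ordered list of (key, value)
    options; flag options without a value (e.g. nocase) get value None."""
    m = HEADER_RE.match(line.strip())
    if not m:
        raise ValueError("not a Snort rule: %r" % line)
    rule = {k: m.group(k) for k in ("action", "proto", "src", "sport", "dir", "dst", "dport")}
    options = []
    for item in split_options(m.group("opts")):
        key, sep, value = item.partition(":")
        key, value = key.strip(), value.strip()
        if len(value) >= 2 and value.startswith('"') and value.endswith('"'):
            value = value[1:-1]  # drop the surrounding quotes of msg/content
        options.append((key, value if sep else None))
    rule["options"] = options
    return rule


def check_rule(rule):
    """Return the problems a rule loader would raise; an empty list means OK."""
    problems = []
    if rule["action"] not in ACTIONS:
        problems.append("unknown action %s" % rule["action"])
    if rule["proto"] not in PROTOCOLS:
        problems.append("unknown protocol %s" % rule["proto"])
    opts = dict(rule["options"])
    keys = [k for k, _ in rule["options"]]
    if "msg" not in opts:
        problems.append("missing msg")
    if "sid" not in opts:
        problems.append("missing sid")
    elif not opts["sid"].isdigit() or int(opts["sid"]) < 1000000:
        problems.append("local rules should use sid >= 1000000")
    if keys.count("sid") > 1:
        problems.append("duplicate sid option")
    return problems


if __name__ == "__main__":
    for text in RULES:
        parsed = parse_rule(text)
        status = check_rule(parsed) or ["ok"]
        print(parsed["action"], parsed["proto"], parsed["dst"], parsed["dport"], status)
```

Run over a local.rules file line by line (skipping comments and blank lines), this gives a quick pre-flight check before handing the rules to snort -c, and the parsed form is what a unit test for a new detection would assert on.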