Linux: Snort

From RHS Wiki
Revision as of 20:41, 19 April 2015 by Rafahsolis (talk | contribs)
Jump to navigation Jump to search

Snort

Intrusion detection system
https://www.youtube.com/watch?v=cQeeko9J_Yw

Instalation

https://www.youtube.com/watch?v=ptIzGv1b9GQ

  1. .- sudo apt-get install snort
  2. .- sudo dpkg-reconfigure snort
  3. .- sudo apt-get install mysql-server
  4. .- mysql -u root -localhost -p adminPassword
  5. .- create user 'snort'@'localhost' identified by 'snort';
  6. .- grant all privileges on *.* to 'snort'@'localhost' identified by 'snort';
  7. .- flush privileges;
  8. .- quit
  9. .- sudo apt-get install snort-mysql
  10. .- sudo dpkg-reconfigure -plow snort-mysql
  11. .- cd /usr/share/doc/snort/snort-mysql/
  12. .- zcat create_mysql.gz
  13. .- sudo apt-get install acidbase
  14. .- sudo gedit /etc/acidbase/database.php
  15. .- sudo su
  16. .- snort -v

Modes

  • Packet sniffer (snort -dev)
  • Log Mode (snort -de -l <log_dir> | to view log use: tcpdump -r <log_file>)
  • Intrusion detection sniffer (snort -c /etc/snort/snort.conf)

Intrusion detection mode

Config file

/etc/snort/snort.conf
snort -A full -d -c /etc/snort/snotr.conf -l <log_dir>
/etc/snort/reference.config --> display additional information on alerts.

Snort rules

https://www.youtube.com/watch?v=RUmYojxy3Xw

Retrieved from "https://wiki.herrerosolis.com/index.php?title=Linux:_Snort&oldid=489"