Linux: Snort

From RHS Wiki
Jump to navigation Jump to search

Snort[edit]

Intrusion detection system
https://www.youtube.com/watch?v=cQeeko9J_Yw

Instalation[edit]

https://www.youtube.com/watch?v=ptIzGv1b9GQ

  1. .- sudo apt-get install snort
  2. .- sudo dpkg-reconfigure snort
  3. .- sudo apt-get install mysql-server
  4. .- mysql -u root -localhost -p adminPassword
  5. .- create user 'snort'@'localhost' identified by 'snort';
  6. .- grant all privileges on *.* to 'snort'@'localhost' identified by 'snort';
  7. .- flush privileges;
  8. .- quit
  9. .- sudo apt-get install snort-mysql
  10. .- sudo dpkg-reconfigure -plow snort-mysql
  11. .- cd /usr/share/doc/snort/snort-mysql/
  12. .- zcat create_mysql.gz
  13. .- sudo apt-get install acidbase
  14. .- sudo gedit /etc/acidbase/database.php
  15. .- sudo su
  16. .- snort -v

Modes[edit]

  • Packet sniffer (snort -dev)
  • Log Mode (snort -de -l <log_dir> | to view log use: tcpdump -r <log_file>)
  • Intrusion detection sniffer (snort -c /etc/snort/snort.conf)

Intrusion detection mode[edit]

Config file[edit]

/etc/snort/snort.conf
snort -A full -d -c /etc/snort/snotr.conf -l <log_dir>
/etc/snort/reference.config --> display additional information on alerts.

Snort rules[edit]

https://www.youtube.com/watch?v=RUmYojxy3Xw

output plugins examples[edit]

<nowiki>

output alert_syslog: LOG_AUTH LOG_ALERT output log_tcpdump: tcpdump.log output database: log, mysql, user=root password=test dbname=db host=localhost output alert_unified: filename snort.alert, limit 128 output log_unified: filename snort.log, limit 128

output alert_fast /var/log/snort/fast_alert output log_dump /var/log/snort/dump_output output alert_csv: /var/log/snort/csv.out timestamp,msg,srcip, sport,dstip,dport,protoname,itype,icode output alert_syslog output log_pcap /var/log/snort/pcap_log

  1. database: log to a variety of databases
  2. ---------------------------------------
  3. See the README.database file for more information about configuring
  4. and using this plugin.
  6. output database: log, mysql, user=root password=test dbname=db
  7. host=localhost
  8. output database: alert, postgresql, user=snort dbname=snort
  9. output database: log, odbc, user=snort dbname=snort
  10. output database: log, mssql, dbname=snort user=snort password=test
  11. output database: log, oracle, dbname=snort user=snort password=test<nowiki>

view unified2 files[edit]

use: u2spewfoo

Retrieved from "https://wiki.herrerosolis.com/index.php?title=Linux:_Snort&oldid=523"