Snort is designed to fill the gaps left by the expensive, heavyweight network intrusion detection systems. It is a free, cross-platform package that works as a lightweight TCP/IP sniffer, packet logger, and intrusion detector for small networks. It runs on Linux/UNIX and Win32 systems, installs in a few minutes, and can be put to use right away.
Some of what Snort does:
- Real-time traffic analysis and packet logging
- Packet payload inspection
- Protocol analysis and content pattern matching
- Detection of buffer overflows, stealth port scans, CGI attacks, SMB probes, and OS fingerprinting attempts
- Real-time alerts to syslog, a specified file, a Unix socket, or WinPopup messages via Samba
Snort has three main modes: packet sniffer, packet logger, or full-blown intrusion detection system. In the best tradition of Open Source/Free Software development, Snort supports plug-ins, extensions and customization of many kinds, including database or XML logging, small-fragment detection, and statistical anomaly detection. Packet payload inspection is one of Snort's most useful features, because it lets many additional kinds of hostile traffic be detected.
Snort.org provides both RPMs and tarballs. I usually recommend building from source, but I ran into a problem with the latest stable tarball. With the deadline approaching, I did not have time to work out whether the fault was mine or Snort's. The RPM installed without any problem.
Snort needs libpcap installed on your system. Use locate to check:
$ locate libpcap
This should output something like:
/usr/lib/libpcap.so.0
/usr/lib/libpcap.
/usr/lib/libpcap.so
/usr/lib/libpcap.so.0.6.2
If you do not have these, go to tcpdump.org or your Linux installation disk.
It is unwise to install security software without verifying its integrity. Compute the checksum of the file you downloaded and compare it with the one published on the download page:
# md5sum snort-1.8.6.tar.gz
or
# md5sum snort-1.8.6-1snort.i386.rpm
Unpack the tarball:
$ tar -xvzf snort-1.8.6.tar.gz
Then build and install as root:
# ./configure
# make
# make install
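The verify-then-build procedure above as a small script, added here as an example and not part of the original article. It assumes coreutils md5sum and GNU tar, and the expected hash is passed in by the caller (copy it from the Snort.org download page); a tarball whose checksum does not match is never extracted.

```shell
#!/bin/sh
# Added example (not from the article): verify a downloaded Snort tarball's MD5
# against the published checksum before extracting and building it.
# Assumes coreutils md5sum and GNU tar.

# Print only the MD5 hex digest of a file.
md5_of() {
    md5sum "$1" | awk '{print $1}'
}

# Return 0 if the file's MD5 matches the expected value, 1 otherwise.
# The comparison is case-insensitive so a pasted upper-case hash still works.
verify_md5() {
    file=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    actual=$(md5_of "$file")
    if [ "$actual" = "$expected" ]; then
        return 0
    fi
    echo "checksum mismatch for $file: got $actual, expected $expected" >&2
    return 1
}

# Verify, then unpack and build as in the article; refuse to touch a tarball
# whose checksum does not match the published one.
install_snort_tarball() {
    tarball=$1
    expected=$2
    verify_md5 "$tarball" "$expected" || return 1
    tar -xvzf "$tarball" || return 1
    dir=$(basename "$tarball" .tar.gz)
    ( cd "$dir" && ./configure && make && make install )
}

# Usage (the hash below is a placeholder; use the value from Snort.org):
# install_snort_tarball snort-1.8.6.tar.gz 0123456789abcdef0123456789abcdef
```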
That is the basic installation. The makefile offers a few more targets: one runs Snort's self-tests before installation, make clean removes the binaries and object files from the build directory, and there is also an uninstall target.
Other configure options, with what they require:
--with-snmp
Enable the SNMP alerting code
--with-mysql=DIR
Support for MySQL
--with-postgresql=DIR
Support for PostgreSQL databases
--with-openssl=DIR
Support for OpenSSL
See the documentation in your tarball for more options.
Installing the RPM is very simple:
# rpm -ivh snort-1.8.6-1snort.i386.rpm
On the Snort download page you will also find precompiled binaries packaged with support for other programs, such as MySQL and PostgreSQL.
# snort -?
prints the most common options.
Take it for a test drive to confirm the installation works. To listen on a single interface only, -i names the interface:
# snort -vde -i eth0
Use Ctrl+C to stop the test. Do not forget that your network card must be in promiscuous mode. Snort runs as a daemon and is managed as a start/stop service.
Packet Sniffer Mode
In this mode only the TCP/IP headers are printed:
# snort -v
To see the application-layer data as well:
# snort -vd
And the data link layer headers too:
# snort -vde
Packet Logger Mode
Unless you read hex fluently, you will want to write the packets to disk:
# snort -vde -l /var/log/snort
Here -l means "log". To tell Snort to log everything on the local network, -h names the home network:
# snort -vde -l /var/log/snort -h 192.168.1.0/24
This creates a separate directory for each host. If you would rather put all of the data into a single binary file, use the -b switch:
# snort -l /var/log/snort -b
No other options make sense with -b. To read the file back, either with Snort's own options or with tcpdump, use -r, which reads and processes a saved file:
# snort -vder /var/log/snort/snort-0629@1600.log
A Berkeley Packet Filter expression picks out specific traffic:
# snort -vder /var/log/snort/snort-0629@1600.log udp
# snort -vr /var/log/snort/snort-0629@1600.log tcp
# snort -ver /var/log/snort/snort-0629@1600.log icmp
See the snort and tcpdump man pages for the other Berkeley Packet Filter options.
Network Intrusion Detection Mode
Now we come to the real Snort. Look at the global configuration file /etc/snort.conf. The Snort rulesets are also stored in /etc/snort as plain text files. Finally, take a close look at this line:
var HOME_NET $eth0_ADDRESS
This initializes Snort with the network settings of the local NIC.
For the sake of speed, do not log every single packet and print it to the screen as well: packets will be dropped and the log file will become very large. Leave off the -v switch so that nothing is printed to the screen, and we do not need -e, the data link headers, either:
# snort -dl /var/log/snort -h 192.168.1.0/24 -c /etc/snort.conf
-h names the home network and -c tells Snort to use the ruleset. This is the most basic form: it logs in ASCII the packets that the installed rules define. Use the -b switch to log to a binary file instead. Note that CIDR notation is used to define the subnet range.
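A pre-flight helper for the NIDS-mode invocation above, added here as an example that is not part of the article. It assumes Linux (interface flags under /sys/class/net) and the paths the article uses; it checks that the -h argument really is CIDR notation, reports whether the interface is in promiscuous mode, and prints the command line without -v or -e, leaving the actual run to the caller.

```shell
#!/bin/sh
# Added example (not from the article): pre-flight checks before running Snort
# in NIDS mode. Assumes Linux /sys/class/net for interface flags.

# Return 0 if $1 looks like a.b.c.d/n with octets 0-255 and prefix 0-32.
valid_cidr() {
    case $1 in
        */*) ;;
        *) return 1 ;;
    esac
    ip=${1%/*}
    prefix=${1#*/}
    case $prefix in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$prefix" -le 32 ] || return 1
    old_ifs=$IFS; IFS=.
    set -- $ip
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case $octet in
            ''|*[!0-9]*) return 1 ;;
        esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Return 0 if the interface's IFF_PROMISC flag (0x100) is set, 1 otherwise.
iface_promisc() {
    flags=$(cat "/sys/class/net/$1/flags" 2>/dev/null) || return 1
    [ $(( flags & 0x100 )) -ne 0 ]
}

# Print the NIDS-mode command line from the article: -d payload, -l log dir,
# -h home network, -c ruleset config; no -v (screen output) and no -e.
nids_cmd() {
    iface=$1; homenet=$2; conf=$3; logdir=$4
    valid_cidr "$homenet" || { echo "bad HOME_NET: $homenet" >&2; return 1; }
    printf 'snort -d -i %s -l %s -h %s -c %s\n' "$iface" "$logdir" "$homenet" "$conf"
}

# Usage: nids_cmd eth0 192.168.1.0/24 /etc/snort.conf /var/log/snort
# Check the NIC first: iface_promisc eth0 || echo "eth0 is not promiscuous"
```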
Where do these mysterious rules come from? Two sources. The first is Snort.org: the rulesets ship with the RPM and the downloadable binaries. The second is Martin Roesch, Snort's author, who designed Snort to be fast in every respect: to install, to run, and to respond to attacks. If you are able to analyze an attack and identify a unique signature, you can write your own rule to detect and log it. See the Snort Users Manual (snortusersmanual.pdf) that came with your download; it is a good guide to writing custom rules. (These files are also available online.) Snort.org updates the rulesets daily, and you can download them as often as you like. In the Snort/contrib directory on Snort.org you will find snortpp, which merges new rules into your existing set.
Where should Snort go?
If you have the time and resources, the best place for Snort is on both sides of the firewall. Comparing what hits your firewall with what gets through it will surprise you with just how much malicious traffic there is on the Internet. Snort's footprint is small, so you can run a simple Snort behind the firewall as an extra layer of protection that is easier to manage,