Friday, July 5, 2013

Installing SNORT IPS/IDS in Backtrack 6

Snort: A Network-Based Intrusion Detection System (IDS)
Snort is an open source network-based intrusion detection system (NIDS). It analyses traffic in real time and can log packets on Internet Protocol (IP) networks. Snort performs protocol analysis, content searching and content matching, and it can be used to detect probes and attacks including, but not limited to, operating system fingerprinting attempts, Common Gateway Interface (CGI) attacks, buffer overflows, Server Message Block (SMB) probes and stealth port scans.

There are three modes in which Snort can be run:
1) Sniffer
2) Packet logger
3) Network intrusion detection
In sniffer mode, it reads packets off the network and displays them on the console. In packet logger mode, it logs the packets to disk. In network intrusion detection mode, it monitors network traffic, analyses it against a rule set defined by the user, and then performs the configured action (for example alerting or logging) on whatever the rules identify.

In this article we will learn how to configure Snort on BackTrack.

Snort is installed in BackTrack by default, so you only need to configure it for your infrastructure.
First, start the Snort service to check whether there is any problem with the installation.
Step 1
To do this, click on the Applications menu => BackTrack => Services => Snort Service.

Step 2
Now edit the configuration file snort.conf in the /etc/snort directory using vim or any other text editor and change
var HOME_NET any to var HOME_NET <target ip/network address>
var EXTERNAL_NET any to var EXTERNAL_NET <attacker ip address>
HOME_NET is the network Snort protects and EXTERNAL_NET is where it expects attacks to come from. Pointing EXTERNAL_NET at a single attacker IP is fine for this lab test, but traffic from any other source will then no longer match rules that use $EXTERNAL_NET; the usual setting is !$HOME_NET (everything that is not the home network). Note that newer Snort 2.9 configurations declare these two variables with ipvar rather than var.
Save the file and restart the Snort service with the /etc/init.d/snort restart command in a terminal.


Step 3
Now open a terminal and type the command below

snort -q -A console -i eth0 -c /etc/snort/snort.conf
Where:
       -q is for quiet: do not print the banner and status report
       -A sets the alert mode, in this case console, so alerts are printed to the terminal
       -i specifies the interface to listen on
       -c tells Snort the location of the configuration file



Step 4
Now, to test that Snort is working, run a DoS attack against the target from the attacker machine using LOIC.

Your Snort alarm should ring: alerts appear on the console.

Note: you can download LOIC from the link below
http://sourceforge.net/projects/loic/files/latest/download

Now perform an Nmap scan of the target.
Snort should display alerts again.
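The following POSIX shell helper is an added example and is not part of the original post or of the Snort project. It automates Step 2 (rewriting HOME_NET and EXTERNAL_NET in snort.conf) on a file you hand it, handles both the var and the ipvar spelling, appends the variable if the file does not define it, and then prints the Step 3 commands to run next, including a parse-only check with snort -T so a typo in the config is caught before the service is restarted. The sample config it edits is constructed here; the interface name eth0 and the addresses are lab placeholders.

```shell
#!/bin/sh
# Added example (not from the original post): helpers for Step 2 and Step 3.
# Assumption: snort.conf defines the networks as "var HOME_NET any" and
# "var EXTERNAL_NET any" (Snort 2.8-era syntax); Snort 2.9 uses "ipvar",
# which the patterns below also accept.

# get_snort_net CONF NAME  -> prints the current value of NAME (first match)
get_snort_net() {
    sed -n -E "s/^[[:space:]]*(ip)?var[[:space:]]+$2[[:space:]]+//p" "$1" | head -n 1
}

# set_snort_net CONF NAME VALUE -> rewrites "var NAME ..." / "ipvar NAME ..."
# in place, or appends "var NAME VALUE" when the file does not define NAME.
# Pass values containing $ in single quotes, e.g. '!$HOME_NET'.
set_snort_net() {
    conf=$1; name=$2; value=$3
    if grep -E -q "^[[:space:]]*(ip)?var[[:space:]]+$name[[:space:]]" "$conf"; then
        # '|' as the sed delimiter so CIDR values like 192.168.1.0/24 are safe
        sed -E "s|^([[:space:]]*(ip)?var[[:space:]]+$name)[[:space:]]+.*|\1 $value|" \
            "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
    else
        printf 'var %s %s\n' "$name" "$value" >> "$conf"
    fi
}

# snort_run_cmd IFACE CONF -> the Step 3 command line for this interface/config
snort_run_cmd() {
    printf 'snort -q -A console -i %s -c %s\n' "$1" "$2"
}

# configure_snort CONF HOME_NET EXTERNAL_NET -> Step 2 end to end, then the
# commands to run next. "snort -T" only parses the config and rules and
# exits, so it is the cheap way to catch a typo before restarting the service.
configure_snort() {
    set_snort_net "$1" HOME_NET "$2"
    set_snort_net "$1" EXTERNAL_NET "$3"
    printf 'Next: snort -T -c %s   # parse-check the edited config\n' "$1"
    printf '      /etc/init.d/snort restart\n'
    printf '      %s' "$(snort_run_cmd eth0 "$1")"
    printf '\n'
}

# --- demo on a constructed three-line stand-in for /etc/snort/snort.conf ---
demo_conf=$(mktemp)
cat > "$demo_conf" <<'EOF'
# constructed sample; the real file is far longer
var HOME_NET any
var EXTERNAL_NET any
var RULE_PATH /etc/snort/rules
EOF
# Lab values: protect 192.168.1.0/24, treat everything else as external.
configure_snort "$demo_conf" 192.168.1.0/24 '!$HOME_NET'
grep -E '^(ip)?var (HOME|EXTERNAL)_NET' "$demo_conf"
rm -f "$demo_conf"
```

Run it against a copy of /etc/snort/snort.conf first (for example configure_snort /tmp/snort.conf 192.168.1.0/24 '!$HOME_NET'), compare with diff, and only then apply it to the real file; substitute the attacker's address for '!$HOME_NET' if you want to reproduce the post's narrower EXTERNAL_NET exactly.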
Source: http://security.koenig-solutions.com

For more information on configuring an Intrusion Prevention System (IPS) using Snort, please visit the link below:
http://www.aboutdebian.com/snort.htm
