Wednesday, July 15, 2009

Snort NIDS

Features:
1. Packet Capturing - libpcap (libpcap.a, from tcpdump.org)
2. Packet Logging - Captures are stored to disk (ASCII or TCPDump format)
3. Network Intrusion Detection Mode

Note: The Software Companion DVD includes Snort 2.0 (an older version)

Requirements:
1. libpcap
2. libpcre

###Configuring Snort###
./configure --with-libpcap-libraries=/opt/sfw/lib --with-libpcre-includes=/opt/sfw/include --with-libpcre-libraries=/opt/sfw/lib

Appended to PATH: /usr/sfw/bin:/usr/ccs/bin

make
make install

###Snort as a Sniffer###
snort -v - Prints packet headers (Layer 3 IP addresses and Layer 4 ports of the OSI model)
snort -v -i e1000g0 - Same, listening on the interface e1000g0
snort -vd -i e1000g0 - Also dumps the application-layer payload (Layer 7 of the OSI model)
snort -ve -i e1000g0 - Also dumps the data-link layer headers (Layer 2 of the OSI model)
snort -vde -i e1000g0 - Dumps Layers 2, 3, 4 and 7 of the OSI model

###Snort as a Packet Logger###
Note: Identical to the sniffer, except that the data is written to a file instead of the terminal, which reduces I/O overhead.
snort -L snortlog.1
Note: By default Snort stores the binary log and the alert file under '/var/log/snort'.

snort -L snortlog.1 -l ./log - Same, but writes to the ./log directory instead of the default

Note: Snort supports TCPDump's Boolean primitives and operators.
Additionally, Snort supports Berkeley Packet Filter (BPF) expressions, which are given after Snort's own options:
snort [options] [BPF expression]
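Added example (not from the original post): a small POSIX shell script that assembles the sniffer and packet-logger command lines from the sections above, placing any BPF expression after Snort's own options and checking that the log directory is writable before the logger is started. The interface name e1000g0, the log directory ./log and the filter 'not port 22' are constructed sample values; nothing is executed unless SNORT_RUN=1 is set.

```shell
#!/bin/sh
# Build Snort sniffer/logger command lines. The BPF expression must come last,
# after all Snort options, so each function appends its remaining arguments.

# snort_sniff_cmd IFACE LAYERS [BPF...]
#   LAYERS: extra verbosity letters, "d" (payload), "e" (link layer) or "de"
snort_sniff_cmd() {
    iface="$1"; layers="$2"; shift 2
    case "$layers" in
        ''|d|e|de|ed) ;;
        *) echo "unknown verbosity letters: $layers" >&2; return 1 ;;
    esac
    cmd="snort -v${layers} -i ${iface}"
    [ $# -gt 0 ] && cmd="${cmd} $*"      # BPF expression goes after the options
    printf '%s\n' "$cmd"
}

# snort_log_cmd IFACE LOGDIR LOGFILE [BPF...]
#   -l sets the log directory (Snort's default is /var/log/snort), -L the binary log file name
snort_log_cmd() {
    iface="$1"; logdir="$2"; logfile="$3"; shift 3
    cmd="snort -i ${iface} -l ${logdir} -L ${logfile}"
    [ $# -gt 0 ] && cmd="${cmd} $*"
    printf '%s\n' "$cmd"
}

# check_logdir DIR: the logger cannot write its binary log if DIR is missing or unwritable
check_logdir() {
    [ -d "$1" ] && [ -w "$1" ]
}

# Print the logger command line (constructed sample values); with SNORT_RUN=1 it is
# executed, which requires snort on PATH and the privileges to open the interface.
main() {
    cmd=$(snort_log_cmd e1000g0 ./log snortlog.1 'not port 22')
    if [ "${SNORT_RUN:-0}" = 1 ]; then
        check_logdir ./log || { echo "log dir ./log missing or unwritable" >&2; exit 1; }
        eval "$cmd"
    else
        printf '%s\n' "$cmd"
    fi
}

main "$@"
```

Running the script without SNORT_RUN prints `snort -i e1000g0 -l ./log -L snortlog.1 not port 22`, which shows the ordering rule: Snort's own options first, then the BPF expression that Snort passes on to libpcap.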

