Difference between revisions of "Install Snort Intrusion Detection System"
Revision as of 15:53, 24 December 2010
Installing Snort Intrusion Detection System.
Snort is an intrusion detection system that can monitor network traffic and alert on malicious traffic or just monitor what users are doing on the network.
apt-get install snort
When Snort asks for the interface to listen on, enter: br0
When Snort asks for the home network address range (HOME_NET), enter: 192.168.0.0/16 (this covers the Bubba LAN and any additional networks you may create later for VPN, as long as they are in 192.168.*.*)
When asked whether Snort should disable promiscuous mode, answer no: in promiscuous mode the interface passes all frames it sees to Snort, not just those addressed to the box.
You may enter an email address to e-mail alerts to.
Enable the rule sets that are missing (in this case we enable the porn, chat and p2p rules).
nano /etc/snort/snort.conf
Uncomment the lines below and save the file.
# Policy related rules:
# include $RULE_PATH/policy.rules
# include $RULE_PATH/community-policy.rules
include $RULE_PATH/porn.rules
# include $RULE_PATH/community-inappropriate.rules
include $RULE_PATH/chat.rules
# include $RULE_PATH/multimedia.rules
include $RULE_PATH/p2p.rules
# include $RULE_PATH/community-game.rules
# include $RULE_PATH/community-misc.rules
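Uncommenting include lines by hand works, but it is easy to miss one or to enable a line twice when the config is regenerated. The following shell function is an added example, not part of the original page or of the Snort project: it enables a list of rule files in a copy of snort.conf idempotently (already-enabled lines are left alone, nothing else is touched). The config path, the rule names and the sample fragment are assumptions constructed for the demo; GNU sed is assumed for `sed -i`.

```shell
#!/bin/sh
# Added example (not from the original page or from Snort itself).
# Enable rule files in a snort.conf by turning
#   "# include $RULE_PATH/<name>.rules"  into  "include $RULE_PATH/<name>.rules".
# Idempotent: a line that is already active is matched by nothing and left as is.
# Assumes GNU sed (for -i).

# enable_rules CONF NAME...  -> edits CONF in place
enable_rules() {
    conf=$1; shift
    for name in "$@"; do
        # Only lines that are exactly a commented-out include for this rule file
        # are rewritten; "\$" keeps the dollar sign literal inside the sed regex.
        sed -i 's|^#[[:space:]]*include[[:space:]]*\$RULE_PATH/'"$name"'\.rules[[:space:]]*$|include $RULE_PATH/'"$name"'.rules|' "$conf"
    done
}

# count_enabled CONF -> number of active "include $RULE_PATH/..." lines
count_enabled() {
    grep -c '^include[[:space:]]*\$RULE_PATH/' "$1"
}

# Demo on a constructed fragment of snort.conf (the real file is /etc/snort/snort.conf).
demo_conf=$(mktemp)
printf '%s\n' \
    '# Policy related rules:' \
    '# include $RULE_PATH/policy.rules' \
    '# include $RULE_PATH/porn.rules' \
    'include $RULE_PATH/chat.rules' \
    '# include $RULE_PATH/p2p.rules' \
    '# include $RULE_PATH/community-game.rules' > "$demo_conf"
enable_rules "$demo_conf" porn chat p2p
echo "active include lines: $(count_enabled "$demo_conf")"   # 3
cat "$demo_conf"
rm -f "$demo_conf"
```

After editing the real file, have Snort parse the configuration and every included rule file without sniffing, so a typo in a rule is caught before the restart: `snort -T -c /etc/snort/snort.conf -i br0`.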
Example: change the MSN message rule in chat.rules so that it matches "MSG " anywhere in the first 100 bytes of the payload instead of only at its very start:
nano /etc/snort/rules/chat.rules
Edit the actual rule:
alert tcp $HOME_NET any <> $EXTERNAL_NET 1863 (msg:"CHAT MSN message"; flow:established; content:"MSG "; depth:100; content:"Content-Type|3A|"; nocase; content:"text/plain"; distance:1; classtype:policy-violation; sid:540; rev:11;)
Here the rule's original depth value (depth:1 in this revision) is raised to 100. depth is a modifier for the preceding content option: it sets how many bytes from the start of the payload are searched for that pattern. With a small depth, "MSG " is only found when it sits at the beginning of the packet payload; with depth:100 it is also found when other data precedes it. Note that depth does not change how much of the packet Snort writes to the alert log, so this edit makes the rule fire on more MSN packets but does not by itself capture the complete message text.
Restart snort
service snort restart
To start snort
service snort start
To stop snort
service snort stop
To check snort status
service snort status
To change the interface, home network range or other installer settings later:
dpkg-reconfigure snort
Check Snort alerts (for example, show all MSN alerts). Each record in /var/log/snort/alert starts with the line carrying the rule message, followed by the classification, the timestamp with source and destination addresses, and the protocol details, so the context lines you want come after the match:
grep -A3 'CHAT MSN' /var/log/snort/alert
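Grepping the alert file answers "did it fire"; the next question is usually "which hosts triggered it and how often". The following shell functions are an added example, not part of the original page or of Snort: they walk the multi-line records of Snort's default full alert format, count alerts per signature and list the source addresses per signature. The sample alert file is constructed for the demo (addresses, timestamps and the second signature are invented), and IPv4 addresses are assumed when splitting "host:port".

```shell
#!/bin/sh
# Added example (not from the original page or from Snort itself).
# Works on Snort's default "full" alert format, where each alert is a record:
#   [**] [gid:sid:rev] message [**]
#   [Classification: ...] [Priority: n]
#   MM/DD-HH:MM:SS.micros SRC_IP:PORT -> DST_IP:PORT
#   <protocol details>
#   <blank line>

# alert_count FILE GID:SID -> number of alerts for that signature
alert_count() {
    grep -c "^\[\*\*\] \[$2:" "$1"
}

# alert_sources FILE GID:SID -> "count source_ip" per source, most frequent first
alert_sources() {
    awk -v sig="$2" '
        # header line of a record: remember whether it is the signature we want
        /^\[\*\*\] \[/ { hit = index($0, "[" sig ":") > 0; next }
        # address line of a wanted record: field 2 is SRC_IP:PORT (IPv4 assumed)
        hit && / -> /  { split($2, a, ":"); n[a[1]]++; hit = 0 }
        END { for (ip in n) print n[ip], ip }
    ' "$1" | sort -rn
}

# make_sample_alerts FILE -> writes a constructed alert file (demo data, not real traffic)
make_sample_alerts() {
    cat > "$1" <<'EOF'
[**] [1:540:11] CHAT MSN message [**]
[Classification: Potential Corporate Privacy Violation] [Priority: 1]
12/24-15:53:01.000000 192.168.1.20:49152 -> 64.4.34.101:1863
TCP TTL:64 TOS:0x0 ID:1001 IpLen:20 DgmLen:180 DF
***AP*** Seq: 0x1 Ack: 0x1 Win: 0x100 TcpLen: 20

[**] [1:2181:4] P2P BitTorrent transfer [**]
[Classification: Potential Corporate Privacy Violation] [Priority: 1]
12/24-15:53:05.000000 192.168.1.30:51000 -> 203.0.113.9:6881
TCP TTL:64 TOS:0x0 ID:1002 IpLen:20 DgmLen:120 DF
***AP*** Seq: 0x1 Ack: 0x1 Win: 0x100 TcpLen: 20

[**] [1:540:11] CHAT MSN message [**]
[Classification: Potential Corporate Privacy Violation] [Priority: 1]
12/24-15:54:10.000000 192.168.1.30:49200 -> 64.4.34.101:1863
TCP TTL:64 TOS:0x0 ID:1003 IpLen:20 DgmLen:160 DF
***AP*** Seq: 0x1 Ack: 0x1 Win: 0x100 TcpLen: 20

[**] [1:540:11] CHAT MSN message [**]
[Classification: Potential Corporate Privacy Violation] [Priority: 1]
12/24-15:55:42.000000 192.168.1.20:49153 -> 64.4.34.101:1863
TCP TTL:64 TOS:0x0 ID:1004 IpLen:20 DgmLen:210 DF
***AP*** Seq: 0x1 Ack: 0x1 Win: 0x100 TcpLen: 20

EOF
}

# Demo: on a live box use /var/log/snort/alert instead of the constructed file.
demo=$(mktemp)
make_sample_alerts "$demo"
echo "MSN alerts: $(alert_count "$demo" 1:540)"   # 3
alert_sources "$demo" 1:540                        # 2 192.168.1.20 / 1 192.168.1.30
rm -f "$demo"
```

Reading the file as records rather than single lines is what makes the source attribution reliable: a plain `grep MSN` with `-B`/`-A` context shows neighbouring lines, but they may belong to the previous or next alert when records are shorter or longer than expected.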
Tutorial not finished yet and is pending updating.