Difference between revisions of "Install Snort Intrusion Detection System"

From BubbaWiki
Changes between the two revisions (the "Line 3" and "Line 16" regions of the page):

Line 3, one sentence added to the installation prompts:

When snort asks for special options, enter -X, that will save full packet dumps as well for later analysis.

Line 16, the worked rule example was replaced. The previous revision read:

Example: Change the chat.rules file to get the complete MSN Message:

nano /etc/snort/rules/chat.rules

Edit the actual rule:

alert tcp $HOME_NET any <> $EXTERNAL_NET 1863 (msg:"CHAT MSN message"; flow:established; content:"MSG "; depth:100; content:"Content-Type|3A|"; nocase; content:"text/plain"; distance:1; classtype:policy-violation; sid:540; rev:11;)

Here we change depth:1 to 100, which means: display the first 100 bytes from the match (depth is a modifier for the content option which sets the maximum search depth for a pattern match attempt).

The current revision replaces that with:

Example: Edit the rules file:

nano /etc/snort/rules/chat.rules

Install Bleeding Edge Rules:

The remaining lines of the two revisions are identical.
Revision as of 22:34, 24 December 2010

Installing Snort Intrusion Detection System.

Snort is an intrusion detection system that can monitor network traffic and alert on malicious traffic or just monitor what users are doing on the network, in case they breach the policy.

apt-get install snort

When snort asks for the interface, enter: br0
When snort asks for the network mask, enter: 192.168.0.0/16 (This includes the Bubba LAN network, and any additional networks you may create later for VPN, as long as they start on 192.168.*.*)
Do not select yes to disable promiscuous mode.
You may enter an email address to e-mail alerts to.
When snort asks for special options, enter -X, that will save full packet dumps as well for later analysis.
Enable missing rules (In this case we enable the porn, chat and p2p rules)

nano /etc/snort/snort.conf

Uncomment the lines below and save the file.

# Policy related rules:
# include $RULE_PATH/policy.rules
# include $RULE_PATH/community-policy.rules
include $RULE_PATH/porn.rules
# include $RULE_PATH/community-inappropriate.rules
include $RULE_PATH/chat.rules
# include $RULE_PATH/multimedia.rules
include $RULE_PATH/p2p.rules
# include $RULE_PATH/community-game.rules
# include $RULE_PATH/community-misc.rules

Example: Edit the rules file:

nano /etc/snort/rules/chat.rules

Install Bleeding Edge Rules:


Restart snort

service snort restart

To start snort

service snort start

To stop snort

service snort stop

To check snort status

service snort status

Change snort parameters later:

dpkg-reconfigure snort

Check snort alerts (for example, filter for all MSN alerts):

cat /var/log/snort/alert | grep -B5 MSN
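The grep above is fine for a quick look, but the alert file has a fixed record format that is easy to parse. As an added example (not from the wiki, and not part of the Snort package), here is a small Python parser for Snort's default "full" alert format that turns each record into a dict and filters by message text, the same selection the grep makes. The log content is constructed; the sid 1000001 rule is a placeholder, not a real signature.

```python
import re
from typing import Any, Dict, List

# Constructed sample in Snort's default "full" alert format (/var/log/snort/alert on Debian):
# two hits from the chat.rules MSN signature (sid 540) and one from a placeholder local rule.
SAMPLE_ALERT_LOG = """\
[**] [1:540:11] CHAT MSN message [**]
[Classification: Potential Corporate Privacy Violation] [Priority: 1]
12/24-22:10:05.123456 192.168.10.5:51234 -> 64.4.9.254:1863
TCP TTL:64 TOS:0x0 ID:12345 IpLen:20 DgmLen:200 DF

[**] [1:1000001:1] LOCAL POLICY example rule [**]
[Classification: Potential Corporate Privacy Violation] [Priority: 1]
12/24-22:11:40.000001 192.168.10.7:40001 -> 203.0.113.9:25
TCP TTL:64 TOS:0x0 ID:2 IpLen:20 DgmLen:60 DF

[**] [1:540:11] CHAT MSN message [**]
[Classification: Potential Corporate Privacy Violation] [Priority: 1]
12/24-22:12:17.654321 64.4.9.254:1863 -> 192.168.10.5:51234
TCP TTL:112 TOS:0x0 ID:777 IpLen:20 DgmLen:180
"""

HEADER_RE = re.compile(r"^\[\*\*\] \[(\d+):(\d+):(\d+)\] (.+?) \[\*\*\]$")
CLASS_RE = re.compile(r"^\[Classification: (.+?)\] \[Priority: (\d+)\]")
FLOW_RE = re.compile(r"^(\d\d/\d\d-\d\d:\d\d:\d\d\.\d+) (\S+) -> (\S+)$")

def _endpoint(ep: str) -> Dict[str, str]:
    # "ip:port" for TCP/UDP; ICMP alerts carry a bare address with no port.
    host, sep, port = ep.rpartition(":")
    return {"ip": host, "port": port} if sep else {"ip": ep, "port": ""}

def parse_alerts(text: str) -> List[Dict[str, Any]]:
    # One record per blank-line separated block; blocks without an alert header are skipped.
    alerts: List[Dict[str, Any]] = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.splitlines()
        head = HEADER_RE.match(lines[0])
        if not head:
            continue
        alert: Dict[str, Any] = {"gid": head[1], "sid": head[2], "rev": head[3], "msg": head[4]}
        for line in lines[1:]:
            if m := CLASS_RE.match(line):
                alert["classification"], alert["priority"] = m[1], int(m[2])
            elif m := FLOW_RE.match(line):
                alert["timestamp"], alert["src"], alert["dst"] = m[1], _endpoint(m[2]), _endpoint(m[3])
        alerts.append(alert)
    return alerts

def filter_by_msg(alerts: List[Dict[str, Any]], needle: str) -> List[Dict[str, Any]]:
    """Case-insensitive equivalent of `grep MSN`, but on parsed records instead of raw lines."""
    return [a for a in alerts if needle.lower() in a["msg"].lower()]
```

Point it at the real file with `parse_alerts(open("/var/log/snort/alert").read())` and you can group by sid or by source address instead of reading five lines of context per hit.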

Tutorial not finished yet and pending updating.