Difference between revisions of "Install Snort Intrusion Detection System"
Revision as of 00:40, 25 December 2010
Installing Snort Intrusion Detection System.
Snort is an intrusion detection system that monitors network traffic and alerts on malicious traffic; it can also simply record what users do on the network, in case they breach policy.
apt-get install snort
When snort asks for the interface, enter: br0
When snort asks for the network mask, enter: 192.168.0.0/16 (This covers the Bubba LAN network and any additional networks you may create later for VPN, as long as they fall within 192.168.*.*)
Do not select yes to disable promiscuous mode.
You may enter an email address to e-mail alerts to.
When snort asks for special options, enter -X, which also logs full packet dumps for later analysis.
Enable missing rules (in this case we enable the porn, chat and p2p rules)
nano /etc/snort/snort.conf
Uncomment the lines below and save the file.
# Policy related rules:
# include $RULE_PATH/policy.rules
# include $RULE_PATH/community-policy.rules
include $RULE_PATH/porn.rules
# include $RULE_PATH/community-inappropriate.rules
include $RULE_PATH/chat.rules
# include $RULE_PATH/multimedia.rules
include $RULE_PATH/p2p.rules
# include $RULE_PATH/community-game.rules
# include $RULE_PATH/community-misc.rules
Example: Edit the rules file:
nano /etc/snort/rules/chat.rules
Install Bleeding Edge Rules:
Create the following file (Oinkmaster-bleedingsnort.conf, the name used in the oinkmaster command below) with nano:
url = http://www.bleedingsnort.com/downloads/bleeding.rules.tar.gz
path = /bin:/usr/bin:/usr/local/bin
tmpdir = /tmp
update_files = \.rules$|\.config$|\.conf$|\.txt$|\.map$
skipfile local.rules
Run oinkmaster, then add the new rules to snort.conf so that they are loaded:
oinkmaster -q -C Oinkmaster-bleedingsnort.conf -o ./rules
nano /etc/snort/snort.conf
include rules/bleeding-virus.rules
include rules/bleeding_attack-response.rules
include rules/bleeding-policy.rules
include rules/bleeding-dos.rules
include rules/bleeding-exploit.rules
include rules/bleeding-inappropriate.rules
include rules/bleeding-malware.rules
include rules/bleeding-p2p.rules
include rules/bleeding-scan.rules
include rules/bleeding-web.rules
Restart snort
service snort restart
To start snort
service snort start
To stop snort
service snort stop
To check snort status
service snort status
Change snort parameters later:
dpkg-reconfigure snort
Check snort alerts (for example, to show only the MSN-related alerts):
cat /var/log/snort/alert | grep -B5 MSN
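The grep above shows raw alert text; as an added example (not from this tutorial), the following Python parses the default "full" alert format that Snort writes to /var/log/snort/alert into records, so alerts can be filtered by rule message or counted per internal host. The sample log, its rule ids and addresses are constructed for the example.

```python
import re

# Constructed sample in the layout of Snort's default "full" alert log
# (/var/log/snort/alert). Rule ids, messages and addresses are made up.
SAMPLE_ALERT_LOG = """\
[**] [1:100001:1] CHAT MSN login attempt [**]
[Classification: Potential Corporate Privacy Violation] [Priority: 1]
12/25-00:40:12.123456 192.168.1.20:49152 -> 203.0.113.7:1863

[**] [1:100002:1] P2P BitTorrent announce request [**]
[Classification: Potential Corporate Privacy Violation] [Priority: 1]
12/25-00:41:03.000001 192.168.1.31:51000 -> 198.51.100.9:6969

[**] [1:100003:2] CHAT MSN file transfer request [**]
[Classification: Potential Corporate Privacy Violation] [Priority: 2]
12/25-00:42:10.500000 192.168.1.20:49160 -> 203.0.113.7:1863
"""

# One record = "[**] [gid:sid:rev] msg [**]" header, an optional classification
# line, then "MM/DD-HH:MM:SS.usec src -> dst"; records are blank-line separated.
HEADER_RE = re.compile(r"\[\*\*\] \[(\d+):(\d+):(\d+)\] (.+?) \[\*\*\]")
CLASS_RE = re.compile(r"\[Classification: (.+?)\] \[Priority: (\d+)\]")
FLOW_RE = re.compile(r"^(\d\d/\d\d-\d\d:\d\d:\d\d\.\d+) (\S+) -> (\S+)$", re.M)

def parse_alert_log(text):
    """Return one dict per alert record; blocks without a header are skipped."""
    alerts = []
    for block in re.split(r"\n\s*\n", text.strip()):
        head = HEADER_RE.search(block)
        if not head:
            continue
        cls = CLASS_RE.search(block)
        flow = FLOW_RE.search(block)
        alerts.append({
            "gid": int(head.group(1)), "sid": int(head.group(2)),
            "rev": int(head.group(3)), "msg": head.group(4),
            "classification": cls.group(1) if cls else None,
            "priority": int(cls.group(2)) if cls else None,
            "timestamp": flow.group(1) if flow else None,
            "src": flow.group(2) if flow else None,
            "dst": flow.group(3) if flow else None,
        })
    return alerts

def filter_alerts(alerts, keyword):
    """Like `grep MSN` on the log, but matching only the rule message field."""
    return [a for a in alerts if keyword.lower() in a["msg"].lower()]

def count_by_source(alerts):
    """Number of alerts per source address (port stripped)."""
    counts = {}
    for a in alerts:
        host = a["src"].rsplit(":", 1)[0] if a["src"] else "unknown"
        counts[host] = counts.get(host, 0) + 1
    return counts
```

Replace SAMPLE_ALERT_LOG with the contents of /var/log/snort/alert to run it against a real log.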
Tutorial not finished yet and is pending updating.