Install Snort Intrusion Detection System
Snort is an intrusion detection system that monitors network traffic and alerts on malicious traffic. It can also simply record what users are doing on the network, so that you can see when they breach the usage policy.
apt-get install snort
When snort asks for the interface, enter: br0
When snort asks for the network mask, enter: 192.168.0.0/16 (This includes the Bubba LAN network, and any additional networks you may create later for VPN, as long as they start on 192.168.*.*)
Do not select yes when asked whether to disable promiscuous mode.
You may enter an email address to e-mail alerts to.
When snort asks for special options, enter -X, that will save full packet dumps as well for later analysis.
Enable missing rules (in this case we enable the porn, chat and p2p rules):
nano /etc/snort/snort.conf
Uncomment the porn, chat and p2p include lines so that the policy block reads as below, then save the file.
# Policy related rules:
# include $RULE_PATH/policy.rules
# include $RULE_PATH/community-policy.rules
include $RULE_PATH/porn.rules
# include $RULE_PATH/community-inappropriate.rules
include $RULE_PATH/chat.rules
# include $RULE_PATH/multimedia.rules
include $RULE_PATH/p2p.rules
# include $RULE_PATH/community-game.rules
# include $RULE_PATH/community-misc.rules
Example: edit an individual rules file (here the chat rules) to enable or disable single rules:
nano /etc/snort/rules/chat.rules
Install Bleeding Edge Rules:
Create the following oinkmaster configuration file with nano (it is named Oinkmaster-bleedingsnort.conf in the command below):
url = http://www.bleedingsnort.com/downloads/bleeding.rules.tar.gz
path = /bin:/usr/bin:/usr/local/bin
tmpdir = /tmp
update_files = \.rules$|\.config$|\.conf$|\.txt$|\.map$
skipfile local.rules
Run oinkmaster to download the rules into ./rules, then add the new rule files to snort.conf so that snort loads them:
oinkmaster -q -C Oinkmaster-bleedingsnort.conf -o ./rules
nano /etc/snort/snort.conf
include rules/bleeding-virus.rules
include rules/bleeding_attack-response.rules
include rules/bleeding-policy.rules
include rules/bleeding-dos.rules
include rules/bleeding-exploit.rules
include rules/bleeding-inappropriate.rules
include rules/bleeding-malware.rules
include rules/bleeding-p2p.rules
include rules/bleeding-scan.rules
include rules/bleeding-web.rules
Restart snort
service snort restart
To start snort
service snort start
To stop snort
service snort stop
To check snort status
service snort status
Change snort parameters later:
dpkg-reconfigure snort
Check snort alerts (for example, show all MSN-related alerts together with the five lines of context that precede each match):
cat /var/log/snort/alert | grep -B5 MSN
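Grepping the alert file works, but it gets noisy once the chat and p2p rules are active. The script below is an added example (not part of this tutorial) that summarises a full-format /var/log/snort/alert file by signature and lists which LAN hosts triggered a given rule family; the alert records it writes are constructed sample data, and the function names and the ALERT_FILE variable are this example's own.

```shell
#!/bin/sh
# Added example: summarise Snort's full-format alert file by signature and
# list the source hosts behind a rule family (e.g. the MSN hits grepped above).
# ALERT_FILE defaults to a temp file holding constructed sample records;
# point it at /var/log/snort/alert to run on real data.
ALERT_FILE="${ALERT_FILE:-$(mktemp)}"

# Constructed sample records in Snort's "alert" full format (not real traffic).
write_sample_alerts() {
    cat > "$ALERT_FILE" <<'EOF'
[**] [1:1000001:1] CHAT MSN login attempt [**]
[Classification: Potential Corporate Privacy Violation] [Priority: 1]
12/25-01:59:54.555605 192.168.1.20:1234 -> 203.0.113.10:1863
TCP TTL:128 TOS:0x0 ID:62256 IpLen:20 DgmLen:536 DF

[**] [1:1000002:1] P2P BitTorrent announce [**]
[Classification: Potential Corporate Privacy Violation] [Priority: 2]
12/25-02:01:41.046608 192.168.1.21:4567 -> 203.0.113.11:6881
TCP TTL:128 TOS:0x0 ID:23951 IpLen:20 DgmLen:71 DF

[**] [1:1000001:1] CHAT MSN login attempt [**]
[Classification: Potential Corporate Privacy Violation] [Priority: 1]
12/25-02:05:10.000000 192.168.1.22:2222 -> 203.0.113.10:1863
TCP TTL:128 TOS:0x0 ID:23952 IpLen:20 DgmLen:536 DF
EOF
}

# Count records per signature name; prints "<count> <signature>", most frequent first.
# The "[**] [gid:sid:rev] name [**]" header line identifies each record.
alert_summary() {
    awk '/^\[\*\*\]/ { sub(/^\[\*\*\] \[[0-9:]+\] /, ""); sub(/ \[\*\*\]$/, ""); n[$0]++ }
         END { for (s in n) print n[s], s }' "$ALERT_FILE" | sort -rn
}

# Deduplicated source IPs of records whose signature name contains the keyword.
# The source address is field 2 of the "timestamp src:port -> dst:port" line.
alert_sources() {
    awk -v kw="$1" '
        /^\[\*\*\]/ { hit = index($0, kw) > 0; next }
        hit && $2 ~ /^[0-9.]+:[0-9]+$/ { split($2, a, ":"); print a[1]; hit = 0 }
    ' "$ALERT_FILE" | sort -u
}

write_sample_alerts
alert_summary
alert_sources MSN
```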
To read snort alerts in readable format:
snort -dvr /var/log/snort/tcpdump.log.1293238522
Example output (truncated; each packet is printed as a header followed by a hex and ASCII dump of its payload):
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
12/25-01:59:54.555605 195.68.245.131:6667 -> 192.168.206.250:3470
TCP TTL:51 TOS:0x0 ID:62256 IpLen:20 DgmLen:536 DF
***AP*** Seq: 0xCDD80D8E Ack: 0xFE98A508 Win: 0xB68 TcpLen: 20
[... hex/ASCII payload dump (an IRC NOTICE message of the day) omitted ...]
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
12/25-02:01:41.046608 192.168.63.246:3470 -> 195.68.10.68:6667
TCP TTL:128 TOS:0x0 ID:23951 IpLen:20 DgmLen:71 DF
***AP*** Seq: 0xFE981A0B Ack: 0xCDD8EF7A Win: 0xFFD0 TcpLen: 20
50 52 49 56 4D 53 47 20 77 61 65 65 6C 20 3A 68 PRIVMSG waeel :
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
Tutorial not finished yet and is pending updating.