Addon : Snort

Several tutorials

Addon : Snort

Mensagempor BrazilFW » Seg Dez 24, 2007 7:38 pm

Note: i have converted the document from other place to here,
read and understand before you installing, at your own risk


What it is SNORT? The SNORT is a tool NIDS (Network Intrusion Detection System)

developed originally for Martin sufficiently popular Roesch "open-source" for its flexibility in the

configurations of rules and constant update front to the new tools of invasion.

Another strong point of this tool is the fact to have the greater registers in cadastre of signatures,

to be light, small, to make escaneamento of the micron and to verify anomalies inside of all the net to

which its computer belongs. The code source is optimized, developed in modules using programming

language C and together with the documentation, they are of public domain.

The monitorial Snort the traffic of packages in nets IP, carrying through analyses in

real time on diverse protocols (level of net and application) and on the content

(hexa and American National Standard Code for Information Interchange).

Another positive point of this software is the great number of possibilities of treatment of alerts them generated.

The subsystem of alert register and is selected in time of execution through arguments in the command line,

is three options of register and five of alert.

The register can be configured to store packages decoded and legible in a structure of directory based on IP,

or the binary format of tcpdump in an only archive. For a performance increment,

the register can completely be off, remaining alerts them. Already you alert them can, to be sent to syslog,

registered in an archive of pure text in two different formats, or to be sent as WinPopup messages using smbclient.

http://www.clm.com.br/snort/snort.asp http://www.snort.org/

Sniffer Mode

* snort - v # only shows heading of package TCP/IP in the screen.

* snort - vd # only shows heading of the IP, TCP, UDP and ICMP.

* snort - vde # also shows to all heading and the data contained in them.

Packet Logger Mode

* snort - dev - l /dirdolog//log.txt # snort generates an archive called log.txt all the packages seen by it. Considering that the directory "dirdolog" already exists, in case that I oppose must creates it.

* snort - dev - l /log - h 192.168.1.0/24 # makes with that snort captures heading TCP/IP,

dates link and 192.168.1.0 data related to host (Classroom C) and stores the result in the subdiretório log. OBS.

the collected data will be stored in archives correspondente/nomeado with each captured address IP.

* snort - l /log - b # snort executed with the option (- b) makes the total capture of the packages

instead of only capturing heading or only given.

* snort - dv - r packet.log # a time bred the archive with the option (- b), can be used any to sniffer that it supports
binary format tcpdump such as, snort, tcpdump or Ethereal to manipulate the collected data.

* snort - dvr packet.log ICMP # of ownership of the binary archive generated by the option (- b), can then be created new
filterings of type BPF interface. In our example we are only making the filtering of the packages of ICMP contained in the
binary archive. \


Network Intrusion Detection Mode - (NIDS)

* snort - b - fast - c /etc/snort.conf * snort - dev - l /log - h 192.168.1.0/24 - c /etc/snort.conf # /partition/snort/etc/snort.conf is the name of the configuration archive.

This archive will count to the rules and action to be taken for each package collected and collated with it.

The result of the NIDS will be generated in the directory /partition/snort/log, or another directory previously stipulated.

the O archive snort.conf must be present in the current directory or must be typed the directory where it meets.

the A option - v above makes with that snort also shows the results in the monitor. This cause with that snort is a little

slow being able ties to lose some packages for cause of this.

the A option - and to capture heading of the date link to layer the times is so important being able to be emitted.

* snort - d - h 192.168.1.0/24 - l /log - c /etc/snort.conf # snort twirling with the basic options; or either,

without the options of - v = shows in the screen and - e = heading Link Date.

* snort - c /etc/snort.conf - l /log - s - h 192.168.1.0/24 # sends alerts for syslog option (- s).

* snort - c /etc/snort.conf - s - h 192.168.1.0/24 # creates archive log in the directory default and sends alerts.

* snort - c /etc/snort.conf - b - M WORKSTATIONS # generates archive of log in the binary format and sends alert for the
Windows Workstation.

* snort - c /etc/snort.conf - b - fast - l /log # creates binary archive and uses alert fast and creates archive log in
/partition/snort/log.

* snort - b - fast - c /etc/snort.conf # generates archive of log in the binary format and uses alert fast.

* snort - d - c /etc/snort.conf - l /log - h 192.168.1.0/24 - r snort.log # generates archives in format American National

Standard Code for Information Interchange from an archive in the binary format.

* snort - d - v - r snort.log - - h 192.168.1.0/24 # the option (-) simply occults its address IP. This option if becomes
very useful in the cases where we want to send archives of logs for newsgroup or any another public place.

* snort with the option - D plays the process for background, Deamon.

Code:

EXAMPLES:

/snort - v

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
08/03-15:36:08.156945 201.14.78.XXX:2228 - 199.107.65.XXX:80
TCP TTL:63 TOS:0X0 ID:16048 IPLEN:20 DGMLEN:40 DF
*** **** Seq: 0x7E860C06 Ack: 0xF0FF744B Win: 0x7540 TcpLen: 20 =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

/snort - vd

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

08/03-15:37:07.860654 201.14.78.XXX:4518 - 199.107.65.XXX:80
TCP TTL:63 TOS:0X0 ID:58151 IPLEN:20 DGMLEN:598 DF
*** AP *** Seq: 0x835703F3 Ack: 0xA296E99A Win: 0x1920 TcpLen: 20
47 45 54 20 2F 69 6D 61 67 65 73 2F 73 6E 6F 72 54 37 67 74 /IMAGES/SNOR
GET 5F 6F 72 5F 30 2E 67 69 66 20 48 54 50 T_ORG_07.GIF 77 74 48 31 31 HTT 2F 2E 0D 0A 6F 73 3A 20 77 77 P/1.1..HOST: www 2E 73 6E 6F 72 74 2E 6F 72 67 0D 0A 55 73 65 72 snort.org..User 2D 41 67 65 6E 74 3A 20 4D 6F 7A 69 6C 6C 61 2F - Agent: Mozilla/ 35 2E 30 20 28 58 31 31 3B 20 55 3B 20 4C 69 6E 5,0 (X11; U; Lin 75 78 20 69 36 38 36 3B 20 70 74 2D 42 52 3B 20 ux i686; pt-BR; 72 76 3A 31 2E 37 2E 31 30 29 20 47 65 63 6B 6F rv:1.7.10) Gecko 2F 32 30 30 36 30 35 30 35 20 46 69 72 65 66 6F /20060505 Firefo 78 2F 31 2E 30 2E 34 20 28 44 65 62 69 61 6E 20 x/1.0.4 (Debian 70 61 63 6B 61 67 65 20 31 2E 30 2E 34 2D 32 73 package 1.0.4-2s 61 72 67 65 37 29 0D 0A 41 63 63 65 70 74 3A 20 arge7)..Accept: 69 6D 61 67 65 2F 70 6E 67 2C 2A 2F 2A 3B 71 3D image/png, */*;q = 30 2E 35 0D 0A 41 63 63 65 70 74 2D 4C 61 6E 67 0.5..Accept-Lang 75 61 67 65 3A 20 70 74 2D 62 72 2C 70 74 3B 71 uage: pt-br, pt;q 3D 30 2E 35 0D 0A 41 63 63 65 70 74 2D 45 6E 63 = 0.5..Accept-Enc 6F 64 69 6E 67 3A 20 67 7A 69 70 2C 64 65 66 6C oding: gzip, defl 61 74 65 0D 0A 41 63 63 65 70 74 2D 43 68 61 72 to ate..Accept-Char 73 65 74 3A 20 49 53 4F 2D 38 38 35 39 2D 31 2C set: ISO-8859-1, 75 74 66 2D 38 3B 71 3D 30 2E 37 2C 2A 3B 71 3D utf-8;q=0.7, *;q = 30 2E 37 0D 0A 4B 65 65 70 2D 41 6C 69 76 65 3A 0.7..Keep-Alive: 20 33 30 30 0D 0A 43 6F 6E 6E 65 63 74 69 6F 6E 300..Connection 3A 20 6B 65 65 70 2D 61 6C 69 76 65 0D 0A 52 65: keep-alive..Re 66 65 72 65 72 3A 20 68 74 74 70 3A 2F 2F 77 77 to ferer: http://ww 77 2E 73 6E 6F 72 74 2E 6F 72 67 2F 64 6F 63 73 w.snort.org/docs 2F 73 6E 6F 72 74 5F 68 74 6D 61 6E 75 61 6C 73 /snort_htmanuals 2F 68 74 6D 61 6E 75 61 6C 5F 32 36 30 2F 6E 6F /htmanual_260/no 64 65 34 2E 68 74 6D 6C 0D 0A 49 66 2D 4D 6F 64 de4.html..If-Mod 69 66 69 65 64 2D 53 69 6E 63 65 3A 20 57 65 64 ified-Since: Wed 2C 20 31 36 20 4D 61 72 20 32 30 30 35 20 31 37, 16 Sea 2005 17 3A 33 37 3A 33 36 20 47 4D 54 0D 0A 49 66 2D 4E:37:36 GMT..If-N 6F 6E 65 2D 4D 61 74 63 68 3A 20 22 61 37 65 38 one-Match: "a7e8 63 32 2D 31 38 37 2D 39 39 64 31 37 38 30 30 22 c2-187-99d17800" 0D 0A 43 61 63 68 65 2D 43 6F 6E 74 72 6F 6C 3A..Cache-Control: 20 6D 61 78 2D 61 67 65 3D 30 0D 0A 0D 0A max-age=0.... =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+


Summary:

===============================================================================
Snort received 182 packets
Analyzed: 182(100.000%)
Dropped: 0(0.000%)
===============================================================================
Breakdown by protocol:
TCP: 162 (89.011%)
UDP: 6 (3.297%)
ICMP: 14 (7.692%)
ARP: 0 (0.000%)
EAPOL: 0 (0.000%)
IPv6: 0 (0.000%)
IPX: 0 (0.000%)
OTHER: 0 (0.000%)
DISCARD: 0 (0.000%)

===============================================================================
Action Stats:
ALERTS: 0
LOGGED: 0
PASSED: 0
===============================================================================
Snort exiting YOU ALERT:
# cat /partition/snort/log/alert
[ * * ] [ 1:2925:4 ] INFO web bug 1x1 GIF attempt [ * * ]
[ Classification: Misc activity ] [ Priority: 3]
08/04-13:17:36.646011 66.249.83.19:80 - 192.168.0.2:2443
TCP TTL:55 TOS:0x0 ID:43432 IpLen:20 DgmLen:310
*** AP *** Seq: 0x910385C Ack: 0xA214B69A Win: 0x1F10 TcpLen:
20 # cat /partition/snort/doc/signatures/2925.txt
* In this archive a detailed description of the detected imperfection exists, with affected systems, type of impact, and links with references you add.

IMPORTANT:

- the Snort works of passive form, then it does not have to influence in the performance of firewall.

- It has in mind that the memory consumption RAM is directly proportional to the amount of loaded rules in the Snort.
In my tests, using all the available rules, the Snort arrived to use 256MB more than. Adapte the rules to its necessities with caution. I disactivated almost all. To activate a set of rules, simply he edits the archive /snort/etc/snort.conf the set of rules is well in the end of the archive. # comments the line with one to disactivate and erases # to activate. It reads the manual! http://www.snort.org/docs/snort_htmanuals/htmanual_260/ the rules are in constant update. It sees http://www.snort.org/rules/

- the Snort is a powerful tool for net administrators. It does not waste its hardware if really it does not need it.

- to install the Snort, the BFW must be installed in the HD. It is necessary that the second partition is activated.
INSTALLATION: (EDITED)

- To copy snort.tgz for /mnt as of custom.

- BOOT

NOTES ON the INSTALLATION:

- its version of the BFW will be the 2,28 or previous, the package is necessary partition.tgz. If the installer to detect the second partition (/partition - standard of BFW 2,29 and above) mounted everything will be installed without intervention of the user.

- you have a version of the previous BFW WITH INSTALLED 2,29 SQUID and for some reason she does not want to change the point of assembly of its second partition for /partition, executes the installer after boot, typing in the console and follows the instructions.

- you do not have Squid nor partition, but she wants to use a partition in existing record, executes the installer after boot, typing in the console and follows the instructions.

- the Snort will not be initiated after boot automatically. If thus desiring, simply edits the archive /etc/rc.d/pkgs/rc.snort removing "#" commentary of the line. It makes the necessary adaptations. Backup does not forget it!
BrazilFW
 

Voltar para Several tutorials

Quem está online

Usuários navegando neste fórum: Nenhum usuário registrado e 0 visitantes