Snort can perform protocol analysis and content searching/matching. It can be used to detect a variety of attacks and probes, such as buffer overflows, stealth port scans, CGI attacks, SMB probes, OS fingerprinting attempts, and much more. It uses a flexible rules language to describe traffic that it should collect or pass, as well as a detection engine that utilizes a modular plug-in architecture. Snort has a real-time alerting capability as well, incorporating alerting mechanisms for syslog, a user specified file, a UNIX socket, or WinPopup messages to Windows clients. Snort has three primary uses: a straight packet sniffer like tcpdump, a packet logger (useful for network traffic debugging, etc), or a full-blown network intrusion prevention system.
Here's an example of its usage. If we just want to run it in sniffer mode, we use the following:
snort -v
This shows only the packet headers. To see the packet data as well, use this command:
snort -v -d
This displays the packet data. To also see the data link layer headers, add "-e", and to additionally log the packets to a directory, run the following:
mkdir slog
snort -d -e -v -l ./slog
Alternatively, use -L to log to a file rather than a directory.
This still runs Snort in sniffing mode. To use Snort as an IDS, you must set up a Snort configuration file; once it is written, it can be used as shown below:
snort -c snort.conf
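The steps above (sniff, log to a directory, then run with a configuration file) are tied together in this added example, which is not from the original post or from the Snort project. It writes a minimal Snort 2.x-style snort.conf and a local.rules file with two detection rules in the rules language mentioned at the top, then prints the IDS command line and, if the snort binary happens to be installed, validates the configuration with snort -T. The home network 192.168.1.0/24, the interface eth0, the demo directory ./snort-demo and the rule SIDs are constructed assumptions for the example.

```shell
#!/bin/sh
# Added example (not the original post's or Snort's own code): build a minimal
# Snort 2.x configuration and local rule file, then show the IDS invocation.
# Assumptions: Snort 2.9-style config syntax, HOME_NET 192.168.1.0/24 and
# interface eth0 are made-up example values, SIDs 1000001+ are local rules.
set -e

# Write snort.conf and local.rules into the directory given as $1.
write_minimal_config() {
    dir="$1"
    mkdir -p "$dir/slog"          # same log directory convention as "-l ./slog"
    cat > "$dir/snort.conf" <<'EOF'
# Minimal snort.conf (constructed for this example)
var HOME_NET 192.168.1.0/24
var EXTERNAL_NET !$HOME_NET
config logdir: ./slog
include local.rules
EOF
    cat > "$dir/local.rules" <<'EOF'
# Local rules (constructed): header is action proto src sport -> dst dport
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP echo request to home net"; itype:8; sid:1000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 23 (msg:"Telnet connection attempt (cleartext protocol)"; flags:S; sid:1000002; rev:1;)
EOF
}

# Count the alert rules in a rules file (comment lines are ignored).
count_rules() {
    grep -c '^alert' "$1"
}

# Print the IDS command line: -c config, -l log dir, -A console alerting,
# -i interface. Replace "-i eth0" with "-r capture.pcap" to analyse a
# saved capture offline instead of live traffic.
snort_ids_cmd() {
    echo "snort -c $1/snort.conf -l $1/slog -A console -i eth0"
}

# Validate the configuration with "snort -T" when the binary is available;
# otherwise report that the check was skipped and succeed.
check_config() {
    if command -v snort >/dev/null 2>&1; then
        snort -T -c "$1/snort.conf" -l "$1/slog" || echo "snort -T reported a problem" >&2
    else
        echo "snort not installed; skipping 'snort -T' syntax check" >&2
    fi
    return 0
}

# Usage when run directly: generate the files and print the command to run.
demo_dir="${SNORT_DEMO_DIR:-./snort-demo}"
write_minimal_config "$demo_dir"
echo "wrote $demo_dir/snort.conf and $demo_dir/local.rules ($(count_rules "$demo_dir/local.rules") rules)"
snort_ids_cmd "$demo_dir"
check_config "$demo_dir"
```

Running the script creates the two files and prints the command; run that command as a user permitted to capture on the interface, or swap in -r with a pcap file to replay captured traffic through the same rules. The first rule fires on ICMP echo requests reaching the home network, the second on TCP SYNs to port 23, which is a simple way to spot cleartext Telnet use on a segment that should not have any.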
And those are the very basics of Snort; the tool is highly configurable and extremely useful. To download it or read more, visit the Snort site. You can also install it with apt-get or yum.