Friday, October 28, 2011

Introduction of Snort~ The Best IDS


Tutorial of Snort to protect the network

Snort is best known as an Intrusion Detection System, but it has several other functions as well.
Snort really isn’t very hard to use, but there are a lot of command line options to play with, and it’s not always obvious
which ones go together well. This article aims to make using Snort easier for new users.
Before we proceed, there are a few basic concepts you should understand about Snort. Snort can be configured to run
in four modes:

1. Sniffer Mode: It captures the traffic travelling through the network.

2. Packet Logger mode: It logs the packets to disk.

3. Network Intrusion Detection System (NIDS) mode: It allows Snort to analyze network traffic for matches against a user-defined rule set and performs several actions based upon what it sees.

4. Inline mode: It obtains packets from iptables instead of from libpcap and then causes iptables to drop or
pass packets based on Snort rules that use inline-specific rule types.


Sniffer Mode:

Basic command for sniffing by Snort:

snort -v

If you want to see the application data in transit, try the following:

snort -v -d

If you want an even more descriptive display, showing the data link layer headers, do this:

snort -v -d -e


Packet Logger mode: 

If you want to record the packets to disk, you need to specify a logging directory and Snort will automatically know to go into packet logger mode:

snort -dev -l ./log

In this command, ./log is the logging directory.

In order to log relative to the home network, you need to tell Snort which network is the home network:

snort -dev -l ./log -h 192.168.1.0/24


If you’re on a high speed network or you want to log the packets into a more compact form for later analysis, you should consider logging in binary mode. Binary mode logs the packets in tcpdump format to a single binary file in the logging directory:

snort -l /log -b


Now you have created a packet.log file in the /log directory. If you want to run a binary log file back through Snort in sniffer mode to dump the packets to the screen, you can try something like this:

snort -dv -r packet.log
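The binary log above is written in tcpdump (pcap) format, so it can be inspected without Snort itself. The following is an added example, not code from the original post or from the Snort project: a minimal reader for that file which decodes Ethernet/IPv4 frames and counts packets by direction relative to the home network given with -h. The two-packet capture it parses is constructed inline; the timestamps, addresses and protocol numbers in it are made up for the sample.

```python
# Added example, not from the original post: a minimal reader for the tcpdump
# format file Snort writes in binary packet-logger mode (-l <dir> -b).
import ipaddress
import struct

PCAP_MAGIC = 0xA1B2C3D4      # microsecond-timestamp pcap magic number
LINKTYPE_ETHERNET = 1

def parse_pcap(data):
    """Return [(ts_sec, src_ip, dst_ip, ip_proto)] for every IPv4 packet."""
    magic, = struct.unpack_from("<I", data, 0)
    end = {PCAP_MAGIC: "<", 0xD4C3B2A1: ">"}.get(magic)   # writer's byte order
    if end is None:
        raise ValueError("not a tcpdump/pcap file")
    if struct.unpack_from(end + "I", data, 20)[0] != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet captures are handled here")
    records, off = [], 24                                # skip 24-byte global header
    while off + 16 <= len(data):
        ts_sec, _usec, incl_len, _orig = struct.unpack_from(end + "IIII", data, off)
        frame = data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) >= 34 and frame[12:14] == b"\x08\x00":   # IPv4 ethertype only
            ip = frame[14:]                               # IPv4 header follows Ethernet
            records.append((ts_sec, str(ipaddress.IPv4Address(ip[12:16])),
                            str(ipaddress.IPv4Address(ip[16:20])), ip[9]))
    return records

def classify(records, home_net):
    """Count packets by direction relative to the network given with -h."""
    net = ipaddress.ip_network(home_net)
    counts = {"inbound": 0, "outbound": 0, "internal": 0, "external": 0}
    for _ts, src, dst, _proto in records:
        s, d = ipaddress.ip_address(src) in net, ipaddress.ip_address(dst) in net
        counts["internal" if s and d else "outbound" if s else "inbound" if d else "external"] += 1
    return counts

def _frame(src, dst, proto):
    """Constructed Ethernet + minimal 20-byte IPv4 header, no payload."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, proto, 0,
                     ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return b"\x00" * 12 + b"\x08\x00" + ip

def sample_capture():
    """Constructed two-packet capture laid out the way snort -b writes it."""
    frames = [_frame("192.168.1.10", "8.8.8.8", 17), _frame("10.0.0.5", "192.168.1.10", 6)]
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1319760000 + i, 0, len(f), len(f)) + f
    return out
```

To read a real log, replace sample_capture() with the bytes of the file Snort produced in the logging directory; big-endian captures from other hosts are handled by the magic-number check.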


Network Intrusion Detection System Mode:

To enable Network Intrusion Detection System (NIDS) mode so that you don’t record every single packet sent down the wire, try this:

snort -dev -l ./log -h 192.168.1.0/24 -c snort.conf

where snort.conf is the name of your rules file. This will apply the rules configured in the snort.conf file to
each packet to decide if an action based upon the rule type in the file should be taken.


This is not a full Snort tutorial. If you want the full tutorial on how to use and configure Snort, mail me or comment here.

Download Snort here.

IMPORTANT:  DO NOT FORGET TO DOWNLOAD RULES OF SNORT.

The Hacker News