
Saturday, January 2, 2010

SNORT NIDS IN REDHAT LINUX

SNORT NIDS

Features:

1. Network Intrusion Detection System (NIDS)

2. Packet Sniffer

3. Packet Logger - logs using TCPDump format

Tasks:

1. Download and install Snort NIDS

• Download the release from snort.org
• Confirm the MD5 sum: run 'md5sum snort-2.8.0.2.tar.gz' and compare the result with the published snort-2.8.0.2.tar.gz.md5
• Import the GPG key used to sign the current release of Snort
• Verify the detached signature: gpg --verify snort-2.8.0.2.tar.gz.sig snort-2.8.0.2.tar.gz

Requirements:

1. gcc - C compiler

2. make - creates binaries

3. libpcre - provides Perl Compatible Regular Expressions (PCRE)

4. mysql-devel* - provides the MySQL development headers and libraries

5. libpcap* - provides the TCPDump packet capture library

• Extract and install (compile) Snort NIDS
• tar -xzvf snort-2.8.0.2.tar.gz - creates the top-level source directory
• ./configure --with-mysql --enable-dynamicplugin - checks for prerequisites, including mysql-devel, libpcre, gcc, make, etc.
• make - creates the binaries
• su (to 'root') and execute 'make install' - places the binaries under /usr/local/, an accessible location
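The checksum and signature checks above, scripted as one pre-build gate. This is an added example, not code from the original post: the file names are the ones the post uses, the .md5 file is assumed to be in md5sum's "<hash>  <name>" format, and the Snort release key is assumed to have already been imported into the local GPG keyring.

```sh
#!/bin/sh
# Added example: verify a downloaded Snort tarball against its published
# .md5 file and its detached GPG signature before running ./configure.

# Print the MD5 of a file, using md5sum (coreutils) or openssl as a fallback.
md5_of() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | awk '{print $1}'
    else
        openssl dgst -md5 "$1" | awk '{print $NF}'
    fi
}

# verify_release_md5 TARBALL MD5FILE
# Reads the first field of the first line of MD5FILE (md5sum format, or a
# bare hash) and compares it with the tarball's actual sum.
# Returns 0 on a match, 1 on a mismatch, a missing file, or a malformed .md5.
verify_release_md5() {
    tarball=$1; md5file=$2
    [ -f "$tarball" ] && [ -f "$md5file" ] || return 1
    expected=$(awk 'NR==1 {print tolower($1)}' "$md5file")
    # Require a full 32-hex-digit sum so an empty or truncated .md5 never "matches".
    case "$expected" in
        *[!0-9a-f]*|"") return 1 ;;
    esac
    [ ${#expected} -eq 32 ] || return 1
    actual=$(md5_of "$tarball")
    [ "$expected" = "$actual" ]
}

# verify_release_sig TARBALL SIGFILE
# Checks the detached signature with gpg; the Snort release key must already
# be in the keyring (assumption), otherwise gpg reports "No public key".
verify_release_sig() {
    gpg --verify "$2" "$1"
}

# Usage on the files named in the post (only unpack once both checks pass):
#   verify_release_md5 snort-2.8.0.2.tar.gz snort-2.8.0.2.tar.gz.md5 &&
#   verify_release_sig snort-2.8.0.2.tar.gz snort-2.8.0.2.tar.gz.sig &&
#   tar -xzvf snort-2.8.0.2.tar.gz
```

The MD5 check only guards against a corrupted download; the GPG signature is what ties the tarball to the Snort release key.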

Usage - Packet Sniffer:

1. snort -v -i eth0 - reveals layers 3 & 4 of the OSI model

2. snort -vde -i eth0 - reveals layers 2-7

3. snort -vde -i eth0 tcp port 23 - same as above, but a BPF filter restricts the output to TCP port 23 (telnet)

Usage - Packet Logger:

1. snort -v -i eth0 -l ./ tcp port 23 - logs a binary file in the current directory, with a Unix Epoch suffix

2. snort -b -i eth0 - attempts to log to the default log directory, /var/log/snort

3. snort -b -L test.snort.log -i eth0 - creates /var/log/snort/test.snort.log.UnixEpochDate

Note: Snort drops fewer packets when run in binary logging mode than in verbose, dump-to-screen, mode