How to use Snort!
Create time: 2001-03-02
Article attribute: original
Article submission:
Xundi (xundi_at_xfocus.org)
By xundi
--------------------------------------------------------------------
Installation method:
If you already have libpcap installed, installing Snort is very simple. For instructions on installing libpcap,
see Blackfire's site, http://go.163.com/~bobdai/. For Windows and
WinPcap, see the installation instructions in the "Sniffer for NT" article on my site. Once libpcap is installed,
you can use the usual commands:
1.) ./configure
2.) make
3.) make install
When that is done, you can run make clean to remove the files generated during the build.
(Some systems, such as FreeBSD, already ship libpcap, so this step is easy: there is no need to install it.)
Windows is simpler still: just unpack the archive.
----------------------------------------------------------------------
Option summary:
The command line is: snort -[options]
Options:
-A <mode>
Alert mode. The standard (full) mode writes complete alerts to the alert file; fast mode writes only the timestamp, message,
IPs and ports to the file; none turns alerting off.
-a displays ARP packets.
-b logs packets in tcpdump (binary) format; every packet is written in binary to a file named like
snort-0612@1385.log. This option goes well with fast alert mode because the captured data does not have to be
converted to text. Use -b on 100 Mbps networks.
-c <rules file>
Use the given rules file; its rules decide whether a packet is logged, alerted on, or passed.
-C displays packet payloads as ASCII characters only, instead of a hexdump.
-d decodes (dumps) the application layer.
-D runs Snort as a daemon; by default alerts are written
to the /var/log/snort.alert file.
-e displays and logs the layer 2 (data link) packet headers.
-F <bpf file>
Read a BPF-format filter from a file; this is the same filter syntax as tcpdump, and the tcpdump
man page explains how to write such filters.
-h <home network>
Set the home network; the direction arrows in the output are drawn relative to it.
-i <interface> listens on the given network interface.
-l <log directory> logs to the given directory.
-M <workstation file>
Send WinPopup messages to the hosts listed in the file. This option requires Samba support. The file format is simple: one SMB host name per line (note: with no leading // slashes).
-n <count> exits after processing the given number of packets.
-N turns off packet logging, but alerting still works normally.
-o changes the order in which rules are applied. Normally the order is alert -> pass -> log;
with this option it becomes pass -> alert -> log. Pass rules
describe traffic that is allowed through, alert rules describe traffic that is not allowed, and
log rules describe what to record. Some people, casper and quack for instance, prefer it
the other way round, and this option does that.
-p turns off promiscuous-mode sniffing; generally used when debugging a network.
-r <tcpdump file>
Read a tcpdump-format (Shadow IDS) file, since such files cannot be
opened with an ordinary editor.
-s logs alerts to syslog. On a Linux machine these alerts
appear in /var/log/secure; on other platforms they appear in /var/log/messages.
-S <variable=value>
Set a variable used in the Snort rules file. For example, if the rules file uses the variable HOME_NET, you
can predefine it on the command line.
-v runs in verbose mode, printing packets to the console. This option
slows Snort down, so packets may be missed in the record.
-V displays the Snort version and exits.
-? displays the option list and exits.
----------------------------------------------------------------------
Here are some command combinations; of course you can try many more yourself.
Snort has many command options and parameters, so let us start with some basic commands. If you
want to display packet headers on the screen, use:
./snort -v
This runs Snort and displays the IP and TCP/UDP/ICMP header information.
I ran ping 192.168.0.1 and saw the following:
06/10-10:21:13.884925 192.168.0.2 -> 192.168.0.1
ICMP TTL:64 TOS:0x0 ID:4068
ID:20507 SEQ:0 ECHO
06/10-10:21:13.885081 192.168.0.1 -> 192.168.0.2
ICMP TTL:128 TOS:0x0 ID:15941
ID:20507 SEQ:0 ECHO REPLY
06/10-10:21:14.884874 192.168.0.2 -> 192.168.0.1
ICMP TTL:64 TOS:0x0 ID:4069
ID:20507 SEQ:256 ECHO
06/10-10:21:14.885027 192.168.0.1 -> 192.168.0.2
ICMP TTL:128 TOS:0x0 ID:15942
ID:20507 SEQ:256 ECHO REPLY
If you also want to decode the application layer, use:
./snort -vd
Running ping 192.168.0.1 again gives the following:
06/10-10:26:39.894493 192.168.0.2 -> 192.168.0.1
ICMP TTL:64 TOS:0x0 ID:4076
ID:20763 SEQ:0 ECHO
58 13 42 39 E0 BB 05 00 08 09 0A 0B 0C 0D 0E 0F  X.B9............
10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E 1F  ................
20 21 22 23 24 25 26 27 28 29 2A 2B 2C 2D 2E 2F   !"#$%&'()*+,-./
30 31 32 33 34 35 36 37                          01234567
06/10-10:26:39.894637 192.168.0.1 -> 192.168.0.2
ICMP TTL:128 TOS:0x0 ID:15966
ID:20763 SEQ:0 ECHO REPLY
58 13 42 39 E0 BB 05 00 08 09 0A 0B 0C 0D 0E 0F  X.B9............
10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E 1F  ................
20 21 22 23 24 25 26 27 28 29 2A 2B 2C 2D 2E 2F   !"#$%&'()*+,-./
30 31 32 33 34 35 36 37                          01234567
If you want to see the Ethernet header as well, use:
./snort -vde
Running ping 192.168.0.1 shows the following:
-*> Snort! <*-
Version 1.6-Win32
By Martin Roesch (roesch@clark.net, www.clark.net/~roesch)
Win32 port by Michael Davis (muker@eeye.com, www.dataasurge.net/~mike)
06/10-10:32:01.345962 0:50:94:F9:5E:17 -> 0:50:BA:BB:4A:54 type:0x800 len:0x62
192.168.0.2 -> 192.168.0.1 ICMP TTL:64 TOS:0x0 ID:4079
ID:21787 SEQ:0 ECHO
99 14 42 39 47 4C 0C 00 08 09 0A 0B 0C 0D 0E 0F  ..B9GL..........
10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E 1F  ................
20 21 22 23 24 25 26 27 28 29 2A 2B 2C 2D 2E 2F   !"#$%&'()*+,-./
30 31 32 33 34 35 36 37                          01234567
06/10-10:32:01.346164 0:50:BA:BB:4A:54 -> 0:60:94:F9:5E:17 type:0x800 len:0x62
192.168.0.1 -> 192.168.0.2 ICMP TTL:128 TOS:0x0 ID:16090
ID:21787 SEQ:0 ECHO REPLY
99 14 42 39 47 4C 0C 00 08 09 0A 0B 0C 0D 0E 0F  ..B9GL..........
10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E 1F  ................
20 21 22 23 24 25 26 27 28 29 2A 2B 2C 2D 2E 2F   !"#$%&'()*+,-./
30 31 32 33 34 35 36 37                          01234567
Of course, the commands above only show packets on the screen. If you want to record them to log files,
first create a log directory, then use:
./snort -dev -l ./log -h 192.168.0.1/24
This makes Snort record the Ethernet header information and application-layer data in the ./log directory, and
the recorded traffic is that of the class C network 192.168.0.1/24.
If you want to make use of a rules file (which records specific traffic, such as SYN attacks),
use:
./snort -dev -l ./log -h 192.168.1.0/24 -c snort-lib
Here snort-lib is the file name of your rules file; the rules in the snort-lib file
decide whether a packet is logged. Similarly,
./snort -d -h 192.168.1.0/24 -l ./log -c snort-lib does the same without recording the Ethernet header information.
For example, when I ran ./nmap -sS 192.168.0.1 -p 21, the following was recorded in /log/alert.ids:
[**] IDS246 - MISC - Large ICMP Packet [**]
06/12-13:48:31.992395 192.168.0.1 -> 192.168.0.2
ICMP TTL:128 TOS:0x0 ID:36579
ID:46802 SEQ:0 ECHO REPLY
I then deliberately triggered the php.cgi rule by requesting a URL such as 192.168.0.1/cgi-bin/php.cgi/?, which showed:
[**] IDS232 - WEB-CGI-PHP CGI Access Attempt [**]
06/12-13:53:35.106323 192.168.0.2:1789 -> 192.168.0.1:80
TCP TTL:64 TOS:0x0 ID:8945 DF
*****PA* Seq: 0xA070C880 Ack: 0xF113872 Win: 0x7D78
./snort -d -h 192.168.1.0/24 -l ./log -c snort-lib -s sends the alerts to syslog (see the -s option above)
rather than to the default alert.ids file.
./snort -d -h 192.168.1.0/24 -l ./log -c snort-lib -o changes the order in which the rules file is read:
some people prefer to apply the pass rules first, then the alert rules, and then the log rules, and
this command does exactly that.
If your network traffic is heavy, you can use:
./snort -b -A fast -c snort-lib
Then the alert for each rule is recorded in the brief fast format, so records are not lost when many probes and attacks happen at once.
Of course, the log file produced this way is binary, in tcpdump format; you can view
these logs with:
./snort -d -c snort-lib -l ./log -h 192.168.1.0/24 -r snort.log
----------------------------------------------------------------------
Finally, here are the options used in rules files. I have not translated their descriptions, because that would be tedious and some of them are not quite accurate:
# msg => message to output in the alert/log files
# flags => TCP flags, use 0 for no flags at all
# ttl => the ttl value you want to key on (nice for catching traceroutes)
# content => the packet application layer, look for buffer overflows here
# itype => the number of the icmp type
# icode => the number of the icmp code
# minfrag => minimum fragment payload size
# seq => TCP sequence number
# ack => TCP ack number
# id => ip header fragment id number
# logto => file to log specific alerts to
# dsize => match on the packet payload size
# offset => start a content search a given number of bytes into the packet
# depth => only search a given number of bytes into the packet
# session => record the session traffic from clear text protocols like
#            ftp or telnet
# ipopts => check for a specific IP option
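As an added example (written for this edit, not taken from the article or from the snort-lib file shipped with Snort), here is a small rules file in the Snort 1.x syntax that uses the options listed above together with the HOME_NET variable mentioned under -S. The network, thresholds and file names are assumptions, and the large-ICMP and php.cgi rules are rebuilt from these options rather than copied from snort-lib.

```snort
# Assumed file name: snort-lib. Run with: ./snort -dev -l ./log -h 192.168.0.0/24 -c snort-lib
# Assumed home network; -S HOME_NET=192.168.1.0/24 on the command line would override it
var HOME_NET 192.168.0.0/24

# pass: small echo requests between local hosts are ignored (itype 8 = echo, icode 0).
# Normally checked after the alert rules; -o makes Snort check pass rules first.
pass icmp $HOME_NET any -> $HOME_NET any (itype: 8; icode: 0; dsize: <100;)

# dsize matches on payload size; 800 bytes is an assumed threshold for a "large" ICMP packet
alert icmp any any -> $HOME_NET any (msg: "MISC - Large ICMP Packet"; dsize: >800;)

# content searches the application layer; offset/depth bound the search to bytes 4..67,
# flags requires PSH+ACK, and logto sends these alerts to their own file in the -l directory
alert tcp any any -> $HOME_NET 80 (msg: "WEB-CGI - PHP CGI Access Attempt"; flags: PA; content: "/php.cgi"; offset: 4; depth: 64; logto: "web-cgi.log";)

# ttl keys on the time-to-live value; ttl 1 on the usual traceroute UDP ports is typical of traceroute
alert udp any any -> $HOME_NET 33434:33523 (msg: "Traceroute probe"; ttl: 1;)

# ipopts checks for a specific IP option, here loose source routing
alert tcp any any -> $HOME_NET any (msg: "Source-routed TCP packet"; ipopts: lsrr;)

# minfrag alerts on fragments whose payload is smaller than the threshold (256 bytes assumed)
alert udp any any -> $HOME_NET any (msg: "Tiny UDP fragment"; minfrag: 256;)

# a log rule with session records the clear-text telnet conversation, printable characters only
log tcp any any -> $HOME_NET 23 (session: printable;)
```

With the default order the alert rules are tested before the pass rule, so the pass rule only matters once -o is given.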
---------------------------------------------------------------------------
Reference:
Main site:
www.snort.org
Rules file reference:
http://www.clark.net/~roesch/snort_rules.html
WinPcap:
http://netgroup-serv.polito.it/winpcap/install/default.htm
How to install WinPcap:
http://focus.silversand.net/newsite/skill/sniffitfornt.txt
Using Snort to gather forensic information after an attack:
http://focus.silversand.net/newsite/skill/foresic.txt
Xundi@xfocus.org 2000-06-12
http://focus.silversand.net