How to use Snort! --IDS

xiaoxiao2021-03-06  105

How to use Snort!

Create time: 2001-03-02

Article attribute: original

Article submission:

Xundi (xundi_at_xfocus.org)

How to use Snort!

By xundi

-------------------------------------------------- ------------------

installation method:

If you have LibPCAP installed, it will be very simple for Snort installations, about the installation instructions for libpcap.

You can see Blackfire.

Http://go.163.com/~bobdai/ Some articles about Windows

Winpcap, you can see the installation instructions on the Sniffer for NT on my station. After installing libpcap,

You can use the usual command:

1.) ./configure

2.) Make

3.) Make Install

After you are ready, you can use Make Clean to clear some files generated during installation.

(Some systems such as FreeBSD have supported libpcap, so it is easy, no need to install it).

And Windows is simpler, just unpacking it;

-------------------------------------------------- --------------------

Parameter introduction:

Command line is Snort - [Options]

Option:

-A Setting is Full, FAST, or None; Full mode is a record

Standard Alert mode into the Alert file; FAST mode is only written to timestamp, Messages,

In the IPS, Ports to file, NONE mode turns off alarm.

-a is a display ARP package;

-b is to record the log's packet into TCPDUMP format, and all packets are recorded as

Two-in-law, name, Snort-0612@1385.log, this option for FAST

The recording mode is better because it does not need to turn the information that is spended into the text.

Snort uses "-b" in the 100Mbps network.

-C Using the configuration file , this rule file is to tell the system what kind of information is to log,

Or to alarm, or pass.

-C The information package information uses the ASCII code to display instead of hexdump,

-d decoding application layer.

-D to run the Snort in a daemon method, by default alert record sends

Go to the /var/log/snort.alert file.

-e Displays and records data of 2 packet headers.

-F Read BPF Filter from file, Filters here is standard

BPF format filter, you can see in tcpdump, you can view TCPDUMP

How to use this filter in the Man page.

-H Setting up network address, such as a Class C IP address 192.168.0.1 or other, use this

Options, the direction of the way the arrow will be used.

-I Using Network Interface Parameters

-l log packet records to the directory.

-M Send WinPopup information to the list of workstations that contain files,

This option requires Samba support, the WKSTN file is simple, each line is added to the host name included in the SMB. (Note No // Two slashs).

-N is specified to exit after processing packet.

-N Turns the log record, but the alert function is still normal.

-O Change the record file used, such as using alert-> pass-> log order under normal conditions,

And this option is such a order: pass-> alert-> log order, where Pass

It is the rules that allow pass-by, and Alert is the rules that are not allowed.

Log refers to the log record, because some people like the strange blame, like casper, quack likes

In turn, it will be operated.

-p Turn off messy mode sniffings, generally used to debug networks.

-r Read the file generated by TCPDump mode, this method is used to handle

Get a shadow (shadow ids) file because these files cannot

Edit it with a general Edit.

-s log alarm record to syslog, on the Linux machine, these warning information

Will appear in / var / log / secure, will appear on / var / log / message on / var / log / message on other platforms.

-S This is setting a variable value, which can be used to define the Snort Rules file in the command line.

The variables in the Snort Rules file, you want to define the variable home_net, you

It can be predefined in the command line.

-v is used as Verbose mode, printing the packet in Console, after which this option is used

It will make the speed slow, so that the results will appear in the record.

-V Displays the SNORT version and exits;

-? Display list and exit;

-------------------------------------------------- --------------------

Here is a combination of some commands, of course, more combinations you can test themselves:

Snort has more command options and parameters, first introduce some basic commands, if you

If you want to display the header of the packet on the screen, you can use:

./snort -v

This command runs SNORT and displays IP and TCP / UDP / ICMP header information.

I used ping 192.168.0.1 as shown below:

06 / 10-10: 21: 13.884925 192.168.0.2 -> 192.168.0.1

ICMP TTL: 64 TOS: 0x0 ID: 4068

ID: 20507 SEQ: 0 echo

06 / 10-10: 21: 13.885081 192.168.0.1 -> 192.168.0.2

ICMP TTL: 128 TOS: 0x0 ID: 15941

ID: 20507 SEQ: 0 echo reply

06 / 10-10: 21: 14.884874 192.168.0.2 -> 192.168.0.1

ICMP TTL: 64 TOS: 0x0 ID: 4069

ID: 20507 SEQ: 256 Echo

06 / 10-10: 21: 14.885027 192.168.0.1 -> 192.168.0.2

ICMP TTL: 128 TOS: 0x0 ID: 15942

ID: 20507 SEQ: 256 echo reply

Use it if you want to decode the application layer:

Snort -VD

Use ping 192.168.0.1 again, as follows: 06/10-10: 26: 39.894493 192.168.0.2 -> 192.168.0.1

ICMP TTL: 64 TOS: 0x0 ID: 4076

ID: 20763 SEQ: 0 echo

58 13 42 39 E0 BB 05 00 08 09 0A 0B 0C 0D 0E 0F X.b9 .........

10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E 1F ..............

20 21 22 23 24 25 26 27 28 29 2A 2B 2C 2D 2E 2F! "# $% & '() * , -. /

30 31 32 33 34 35 36 37 01234567

06 / 10-10: 26: 39.894637 192.168.0.1 -> 192.168.0.2

ICMP TTL: 128 TOS: 0x0 ID: 15966

ID: 20763 SEQ: 0 echo reply

58 13 42 39 E0 BB 05 00 08 09 0A 0B 0C 0D 0E 0F X.b9 .........

10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E 1F ..............

20 21 22 23 24 25 26 27 28 29 2A 2B 2C 2D 2E 2F! "# $% & '() * , -. /

30 31 32 33 34 35 36 37 01234567

If you want to see more detailed information about the Ethernet header, you should use:

Snort -VDE

Use ping 192.168.0.1 to show the following information:

- *> Snort! <* -

Version 1.6-Win32

By Martin Roesch (Roesch@clark.net,

Www.clark.net/~roesch

Win32 port by michael davis (muker@eeye.com,

Www.dataasurge.net/~mike)

06 / 10-10: 32: 01.345962 0: 50: 94: F9: 5E: 17 -> 0: 50: BA: BB: 4A: 54 TYPE: 0X800 LEN: 0X62

192.168.0.2 -> 192.168.0.1 ICMP TTL: 64 TOS: 0x0 ID: 4079

ID: 21787 SEQ: 0 echo

99 14 42 39 47 4C 0C 00 08 09 0A 0B 0C 0D 0E 0F ..b9gl ........

10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E 1F ..............

20 21 22 23 24 25 26 27 28 29 2A 2B 2C 2D 2E 2F! "# $% & '() * , -. /

30 31 32 33 34 35 36 37 01234567

06 / 10-10: 32: 01.346164 0: 50: BA: BB: 4A: 54 -> 0: 60: 94: F9: 5E: 17 TYPE: 0X800 LEN: 0X62

192.168.0.1 -> 192.168.0.2 ICMP TTL: 128 TOS: 0x0 ID: 16090

ID: 21787 SEQ: 0 echo reply

99 14 42 39 47 4C 0C 00 08 09 0A 0B 0C 0D 0E 0F ..b9gl .......... 10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1e 1f ..... ...........

20 21 22 23 24 25 26 27 28 29 2A 2B 2C 2D 2E 2F! "# $% & '() * , -. /

30 31 32 33 34 35 36 37 01234567

Of course, some of the commands you just see on the screen, if you want to record on the log file, you can

Build a log directory first, use the following command:

./snort -dev -l./log -h 192.168.0.1/24

This command enables Snort to record the Ethernet header information and application layer data ./log directory is always, and

The record is about 192.168.0.1 Class C,

If you want to take advantage of some rule files (some records of specific data, such as Syn Attack, etc.)

Use:

./snort -dev -l ./log -h 192.168.1.0/24 -c Snort-lib

The Snort-Lib here is the file name of your rule file, which will be set in the snort-lib file.

Rules to decide whether to log a packet. and

./snort -d -h 192.168.1.0/24 -l ./log -c Snort-lib can not record some Ethernet header information

For example, I use ./nmap -ss 192.168.0.1 -p 21 is recorded in /log/alert.ids:

[**] IDS246 - MISC - Large ICMP Packet [**]

06 / 12-13: 48: 31.992395 192.168.0.1 -> 192.168.0.2

ICMP TTL: 128 TOS: 0x0 ID: 36579

ID: 46802 SEQ: 0 echo reply

I deliberately use Rules, PHP.CGI /?, Such as 192.168.0.1/cgi-bin/php.cgi/ ?, to show:

[**] IDS232 - WEB-CGI-PHP CGI Access Attempt [**]

06 / 12-13: 53: 35.106323 192.168.0.2:23 192.168.0.2:2:1789 -> 192.168.0.1:80

TCP TTL: 64 TOS: 0x0 ID: 8945 DF

***** pa * SEQ: 0xa070c880 Ack: 0xf113872 win: 0x7d78

./snort -d -h 192.168.1.0/24 -l ./log -c Snort-lib -s will record the log in you

The log file defined in the rule file, not the default alert.ids.

./snort -d -h 192.168.1.0/24 -l ./log -c Snort-lib -o This command is the order of reading rule files,

Some people are very strange, need to read the allowed rules, read the Alert rule file, and then log record, then

Operate according to the command above.

If your network request is quite, you can use:

./snort -b -a fast -c Snort-LIB

Thus, the warning message in each rule is recorded separately, and the record can be lost for multi-synchronous detection and attack.

Of course, the log file that is recorded is two-in-kind, similar to TCPDUMP format, you can use this way to view

These logs:

./snort -d -c snort-lib -l ./log -h 192.168.1.0/24 -r snort.log ----------------------- -------------------------------------------------- -------

Finally, the meaning of the options in the rules file is not translated, because it is dull, some things are incorrect:

# Msg => Message to Output in the alert / log files

# Flags => TCP Flags, Use 0 for no flags at all

# TTL => The Ttl value you want to key on (nice for catching traceroutes)

# Content => The Packet Application Layer, Look for Buffer Overflows Here

# Ieype => The number of the icmp type

# Icode => The number of the icmp code

# Minfrag => minimum fragment payload size

# SEQ => TCP Sequence Number

# Ack => TCP ACK NUMBER

# Id => ip Header fragment id Number

# Logto => file to log specific alerts to

# Dsize => match on the packet payload size

# Offset => Start a content search Bytes Into the payload

# Depth => Only search Bytes Into the payload for a pattern match

# Session => Record the session traffic from Clear Text Protocols Like

# Ftp or telnet

# Ipopts => Check for a specific IP option

-------------------------------------------------- -------------------------

reference:

Main site:

Www.snort.org

Rules file reference:

http://www.clark.net/~roesch/snort_rules.html

Winpcap:

Http://netgroup-serv.polito.it/winpcap/install/default.htm

How to install WinPCAP:

http://focus.silversand.net/newsite/skill/sniffitfornt.txt

Part of this use of Snort to find the information post-attacked information:

http://focus.silversand.net/newsite/skill/foresic.txt

Xundi@xfocus.org 2000-06-12

http://focus.silversand.net

转载请注明原文地址:https://www.9cbs.com/read-124655.html

New Post(0)