Snort for Windows IDS trial



Author: gnicky URL: http://blog.9cbs.net/loconfuse

While learning Snort I also looked at how it is put together. The user-facing part of Snort sits on top of a packet capture library: WinPcap on Windows and libpcap on Unix-like systems. That interaction layer is also where the differences between operating systems show up, including installation, deployment, and configuration.

Snort for Windows covers packet sniffing, packet logging, and intrusion analysis. Much like a vertical division of responsibilities in software engineering, intrusion analysis works on the packet log, and the packet log comes from listening on the wire; the traffic usually reaches the sensor through a switch mirror (bypass) port with the interface in promiscuous mode, or is captured elsewhere on the network.

Sniffer mode only reads packets from the network and displays them on the terminal as a continuous stream. In the folder where Snort is installed, run ./snort -v (on Windows the binary is snort.exe, run from its installation directory without the ./ prefix). With this switch Snort prints only the IP and TCP/UDP/ICMP headers. To see application-layer data as well, use ./snort -vd, which prints the packet payload along with the headers. To show data-link-layer information too, use ./snort -vde. The data link layer sits above the physical layer and below the network layer (IP), so -e adds the Ethernet header, that is, the source and destination MAC addresses; I am not yet very familiar with this layer.

The screenshot is shown below; I hope it gives other learners some guidance. (Images cannot be attached here; I will post them next time.)

Packet logger mode records packets to disk. To log every packet, you have to specify a log directory, and Snort then writes the packets there automatically: ./snort -dev -l ./log. The ./log directory must already exist; otherwise Snort prints an error message and exits. In this mode Snort writes each packet into a subdirectory named after the IP address of one end of the conversation, for example 192.168.10.1. If you give only the -l switch without naming a home network, Snort sometimes uses the remote host's IP address as the directory name and sometimes the local host's. To log relative to the local network, tell Snort which network is home: ./snort -dev -l ./log -h 192.168.1.0/24

In 192.168.1.0/24, the /24 is the subnet mask (prefix length), i.e. the Class C network 192.168.1.0. This command tells Snort to log the data-link, TCP/IP, and application-layer contents of packets relative to that network into ./log: with -h set, the subdirectory names are taken from the address of the non-home (remote) host, which removes the ambiguity mentioned above.

Under the log path Snort creates a separate folder for each IP address, each containing summary data files, and these repay analysis address by address. (Images cannot be attached; next time.)

Files such as ARP and PACKET are the raw material for network data analysis. Analysing this recorded data after the fact is still a form of intrusion detection, so it can be called IDS too :)

A basic ARP exchange, as recorded in the ARP file:

01/14-19:49:14.950403 ARP who-has 192.168.0.1 tell 192.168.0.88
01/14-19:49:15.947777 ARP who-has 192.168.0.1 tell 192.168.0.88
01/14-19:49:22.958050 ARP who-has 192.168.0.1 tell 192.168.0.88
01/14-19:50:08.935080 ARP who-has 192.168.0.23 tell 192.168.0.2
01/14-19:50:32.223852 ARP who-has 192.168.0.1 tell 192.168.0.88
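As an added example (my code, not part of the original post or of Snort), the following Python script parses ARP log lines in the form quoted above and runs two simple checks over them: which hosts ask for unusually many different addresses (an ARP sweep), and which requests are repeated without the target ever answering (a dead gateway, or probing of an unused address). The five quoted lines are reused as sample input and extended with constructed lines; the reply-line format "ARP reply <ip> is-at <mac>" and the thresholds are assumptions, not taken from the post.

```python
"""Added example: parse Snort's text ARP log (the ARP file in the packet-logger
output directory) and flag two patterns worth a second look: one host asking
for many different addresses (an ARP sweep) and one host repeatedly asking for
an address that never answers (a dead gateway, or probing of an unused address)."""
import re
from collections import Counter, defaultdict

# Request lines look exactly like the ones quoted in the post; the reply format
# "ARP reply <ip> is-at <mac>" is assumed here, it is not shown in the post.
_TS = r"(?P<ts>\d{2}/\d{2}-\d{2}:\d{2}:\d{2}\.\d{6})"
_IP = r"\d{1,3}(?:\.\d{1,3}){3}"
_MAC = r"[0-9a-f]{1,2}(?::[0-9a-f]{1,2}){5}"
REQUEST_RE = re.compile(
    rf"^{_TS}\s+ARP\s+who-has\s+(?P<target>{_IP})\s+tell\s+(?P<sender>{_IP})\s*$", re.I)
REPLY_RE = re.compile(
    rf"^{_TS}\s+ARP\s+reply\s+(?P<ip>{_IP})\s+is-at\s+(?P<mac>{_MAC})\s*$", re.I)


def parse_arp_log(text):
    """Return (requests, replies): requests as (ts, sender, target) tuples,
    replies as (ts, ip, mac). Lines matching neither form are skipped rather
    than raising, so one odd line does not stop the whole analysis."""
    requests, replies = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = REQUEST_RE.match(line)
        if m:
            requests.append((m["ts"], m["sender"], m["target"]))
            continue
        m = REPLY_RE.match(line)
        if m:
            replies.append((m["ts"], m["ip"], m["mac"].lower()))
    return requests, replies


def ip_key(addr):
    """Sort key so 192.168.0.10 comes after 192.168.0.9."""
    return tuple(int(o) for o in addr.split("."))


def arp_sweeps(requests, min_targets=5):
    """Senders that asked for at least min_targets distinct addresses.
    Returns {sender: sorted list of targets}: normal hosts talk to a handful
    of peers, a scanner walks the whole subnet."""
    seen = defaultdict(set)
    for _ts, sender, target in requests:
        seen[sender].add(target)
    return {s: sorted(t, key=ip_key) for s, t in seen.items() if len(t) >= min_targets}


def unanswered_repeats(requests, replies, min_count=3):
    """(sender, target) pairs asked at least min_count times for a target that
    never replied anywhere in the log. Returns {(sender, target): count}."""
    answered = {addr for _ts, addr, _mac in replies}
    counts = Counter((s, t) for _ts, s, t in requests if t not in answered)
    return {pair: n for pair, n in counts.items() if n >= min_count}


# Constructed sample: the five lines quoted in the post, plus an invented reply
# for 192.168.0.23 and an invented burst from 192.168.0.77 so that both
# detectors have something to report.
SAMPLE_ARP_LOG = """\
01/14-19:49:14.950403 ARP who-has 192.168.0.1 tell 192.168.0.88
01/14-19:49:15.947777 ARP who-has 192.168.0.1 tell 192.168.0.88
01/14-19:49:22.958050 ARP who-has 192.168.0.1 tell 192.168.0.88
01/14-19:50:08.935080 ARP who-has 192.168.0.23 tell 192.168.0.2
01/14-19:50:09.001200 ARP reply 192.168.0.23 is-at 00:0c:29:aa:bb:cc
01/14-19:50:32.223852 ARP who-has 192.168.0.1 tell 192.168.0.88
01/14-19:51:00.100000 ARP who-has 192.168.0.10 tell 192.168.0.77
01/14-19:51:00.110000 ARP who-has 192.168.0.11 tell 192.168.0.77
01/14-19:51:00.120000 ARP who-has 192.168.0.12 tell 192.168.0.77
01/14-19:51:00.130000 ARP who-has 192.168.0.13 tell 192.168.0.77
01/14-19:51:00.140000 ARP who-has 192.168.0.14 tell 192.168.0.77
"""


def analyze(text=SAMPLE_ARP_LOG):
    """Run both checks over one ARP file's contents and return the findings."""
    requests, replies = parse_arp_log(text)
    return {
        "requests": len(requests),
        "replies": len(replies),
        "sweeps": arp_sweeps(requests),
        "unanswered": unanswered_repeats(requests, replies),
    }


if __name__ == "__main__":
    for key, value in analyze().items():
        print(f"{key}: {value}")
```

On a real sensor, feed the contents of the ARP file to analyze(). The thresholds are deliberately parameters: what counts as a sweep on a small /24 with a few printers is different from a busy lab segment, and the gateway being asked for four times with no reply is only interesting if the gateway is normally up.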

Another way to use it: the tcpdump approach. tcpdump is closely tied to WinPcap/libpcap, and I had not realised that tcpdump is itself a sniffer too.

If your network is fast, or you want the log to be more compact, use the binary log file format, which is the format used by the tcpdump program (pcap). The following command logs all packets into a single binary file: ./snort -l ./log -b

Any sniffer that understands the binary tcpdump format, such as tcpdump or Ethereal, can read the packets back out of this file, and Snort reads it with the -r switch. Snort can process tcpdump-format files in every operating mode. For example, to print a tcpdump-format file to the screen in sniffer mode, enter: ./snort -dv -r packet.log
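To make the binary format concrete, here is an added example (my code, not from the post or the Snort project) that reads a pcap file of the kind ./snort -l ./log -b writes, decodes each frame, and prints it at the same three detail levels as -v, -vd and -vde. It builds its own two-frame capture in memory, so the frames, addresses and timestamps are constructed; the IP checksum flag shows the kind of sanity check a decoder should do rather than trusting the header.

```python
"""Added example: read a tcpdump/pcap file as written by `snort -l ./log -b` and
show each record at the -v (headers), -d (payload) and -e (Ethernet) detail levels."""
import struct
from datetime import datetime, timezone

PCAP_MAGIC, LINKTYPE_ETHERNET = 0xA1B2C3D4, 1
ETH_IP, ETH_ARP = 0x0800, 0x0806

def mac(b): return ":".join(f"{x:02x}" for x in b)

def ip(b): return ".".join(str(x) for x in b)

def ip_checksum(hdr):
    """RFC 1071 one's-complement sum; over a complete valid IPv4 header it folds to 0."""
    total = sum(struct.unpack(f"!{len(hdr) // 2}H", hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def read_pcap(data):
    """Yield (ts_sec, ts_usec, frame) for every record in a pcap byte string."""
    endian = {PCAP_MAGIC: "<", 0xD4C3B2A1: ">"}.get(struct.unpack("<I", data[:4])[0])
    if endian is None:
        raise ValueError("not a pcap file")
    if struct.unpack(endian + "IHHiIII", data[:24])[6] != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet captures are handled here")
    off = 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack(endian + "IIII", data[off:off + 16])
        frame = data[off + 16:off + 16 + incl_len]
        if len(frame) != incl_len:  # file cut short, e.g. Snort killed mid-write
            raise ValueError("truncated record")
        off += 16 + incl_len
        yield ts_sec, ts_usec, frame

def decode_frame(frame):
    """Split one Ethernet frame into the layers that -e, -v and -d print."""
    etype = struct.unpack("!H", frame[12:14])[0]
    rec = {"eth": {"dst": mac(frame[:6]), "src": mac(frame[6:12]), "type": etype}, "net": {}, "l4": {}, "data": b""}
    body = frame[14:]
    if etype == ETH_ARP:
        _hw, _pr, hlen, plen, op = struct.unpack("!HHBBH", body[:8])
        spa, tpa = body[8 + hlen:8 + hlen + plen], body[8 + 2 * hlen + plen:8 + 2 * hlen + 2 * plen]
        rec["net"] = {"proto": "ARP", "op": "who-has" if op == 1 else "reply", "sender": ip(spa), "target": ip(tpa)}
    elif etype == ETH_IP:
        ihl, total = (body[0] & 0x0F) * 4, struct.unpack("!H", body[2:4])[0]
        hdr, l4, proto = body[:ihl], body[ihl:total], body[9]
        rec["net"] = {"proto": "IP", "src": ip(hdr[12:16]), "dst": ip(hdr[16:20]), "ttl": hdr[8],
                      "cksum_ok": ip_checksum(hdr) == 0}  # a bad checksum is worth flagging, not hiding
        if proto == 17:
            sport, dport, ulen = struct.unpack("!HHH", l4[:6])
            rec["l4"], rec["data"] = {"proto": "UDP", "sport": sport, "dport": dport}, l4[8:ulen]
        elif proto == 6:
            sport, dport, seq, _ack, offlags = struct.unpack("!HHIIH", l4[:14])
            rec["l4"] = {"proto": "TCP", "sport": sport, "dport": dport, "seq": seq, "flags": offlags & 0x1FF}
            rec["data"] = l4[(offlags >> 12) * 4:]
        elif proto == 1:
            rec["l4"], rec["data"] = {"proto": "ICMP", "type": l4[0], "code": l4[1]}, l4[8:]
        else:
            rec["l4"], rec["data"] = {"proto": f"IPPROTO {proto}"}, l4
    else:
        rec["net"], rec["data"] = {"proto": f"ethertype {etype:#06x}"}, body
    return rec

def format_record(ts_sec, ts_usec, rec, show_data=False, show_eth=False):
    """Text lines roughly in the shape of snort -v, plus -d and/or -e when asked."""
    when = datetime.fromtimestamp(ts_sec, timezone.utc).strftime("%m/%d-%H:%M:%S") + f".{ts_usec:06d}"
    n, l4, e = rec["net"], rec["l4"], rec["eth"]
    lines = [f"{when} {e['src']} -> {e['dst']} type:{e['type']:#06x}"] if show_eth else []
    if n.get("proto") == "ARP":
        lines.append(f"{when} ARP who-has {n['target']} tell {n['sender']}" if n["op"] == "who-has"
                     else f"{when} ARP reply {n['sender']} is-at {e['src']}")
    elif n.get("proto") == "IP":
        src = f"{n['src']}:{l4['sport']}" if "sport" in l4 else n["src"]
        dst = f"{n['dst']}:{l4['dport']}" if "dport" in l4 else n["dst"]
        lines.append(f"{when} {src} -> {dst} {l4['proto']} TTL:{n['ttl']}" + ("" if n["cksum_ok"] else " [bad IP cksum]"))
    else:
        lines.append(f"{when} {n['proto']} {len(rec['data'])} bytes")
    if show_data and rec["data"]:
        lines.append("  " + rec["data"].hex(" ") + "  " + rec["data"].decode("ascii", "replace"))
    return lines

def build_sample_pcap():
    """Constructed two-frame capture (not a real Snort file): an ARP who-has for the gateway, then UDP to port 53."""
    mac88, mac1 = bytes.fromhex("000c29aabbcc"), bytes.fromhex("001122334455")
    host88, gw = bytes([192, 168, 0, 88]), bytes([192, 168, 0, 1])
    arp = struct.pack("!HHBBH", 1, ETH_IP, 6, 4, 1) + mac88 + host88 + bytes(6) + gw
    frame1 = b"\xff" * 6 + mac88 + struct.pack("!H", ETH_ARP) + arp
    udp = struct.pack("!HHHH", 40000, 53, 18, 0) + b"snort-test"
    iphdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0x1234, 0, 64, 17, 0, host88, gw)
    iphdr = iphdr[:10] + struct.pack("!H", ip_checksum(iphdr)) + iphdr[12:]
    frame2 = mac1 + mac88 + struct.pack("!H", ETH_IP) + iphdr + udp
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, frame in enumerate((frame1, frame2)):  # timestamp chosen to print as 01/14-19:49:14 UTC
        out += struct.pack("<IIII", 1105732154 + i, 950403, len(frame), len(frame)) + frame
    return out

if __name__ == "__main__":
    for ts_sec, ts_usec, frame in read_pcap(build_sample_pcap()):
        print("\n".join(format_record(ts_sec, ts_usec, decode_frame(frame), show_data=True, show_eth=True)))
```

Run it to see the -vde style output for the constructed capture; to look at a real Snort binary log, replace build_sample_pcap() with the bytes of the file under ./log. Two points differ from Snort's own printing: the timestamps here are UTC (Snort prints local time unless told otherwise), and a truncated final record raises instead of being silently dropped, which is the behaviour you want when deciding whether a log is complete.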

Network intrusion detection mode is the most complex and the most configurable. In it Snort analyses the network traffic, matches it against a set of defined rules, and takes an action based on the result of that check.

I'll stop here for now. Retreat!

When reposting, please cite the original: https://www.9cbs.com/read-68672.html
