4/04/2011

Snort

Snort is also a very popular packet sniffer. It does not prevent attacks, but logs the traffic so that we can get information about what happened.


Snort can be run in 3 different ways:
  • as a daemon, constantly running as a background process monitoring the network for intrusion attempts
  • from the command line as a packet sniffer
  • as a kind of super packet sniffer that captures data, then compares it to known attack signatures on the fly
-d      displays the traffic
-dev    a lot more detailed info, such as headers, content etc.
-A      alert mode (can be used to give an alert, for example when an ICMP packet arrives from a source)

If you run snort -A and it gives you an error about a missing config file, do the following:
snort -A full -c /etc/snort/snort.conf
The -c flag tells snort where to find the config file; in the default installation that's where it goes.


Example of a Snort rule:

alert tcp any any -> 10.12.43.21 2123


The format is as follows:
alert - gives an alert
tcp   - packet type (if you want to sniff ICMP packets, then give alert icmp)
any   - source ip
any   - destination ip
then on the other side of -> give the destination ip and the destination port number


You can also give a network range like 10.23.23.12/24 as the IP.


Another way is to add the following after the alert statement:

(content:"|00 01 86 a5|"; msg: "Alert Hex";) 


Snort checks the packet for the content and, when it finds the given content in a packet, writes the msg into the log. So when we check the log file, if the specific content was in any packet, "Alert Hex" will be printed in the log file.

This is the rule option; it tells Snort exactly what to do with the packet once it
fits the rule header, which is all the IP stuff. The content keyword makes Snort
look for the following hex characters in the packet. That statement is ended by a
; which signals that a new statement begins after it, and it does: the next
statement is msg, which means to write the following alert into the file. The
words before the colon (i.e. content and msg) are called option keywords; they
always appear, sometimes more than once, and always have a colon after them, then
a space and the value in double quotes.
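As an added example that is not part of the original post, here is a small Python matcher for the two pieces of rule syntax described above: the header fields and the content/msg options. The rules and packets are constructed for illustration, the CIDR and hex-content handling follows the forms shown on the page, and in Snort's header syntax the two fields after the protocol are the source IP and source port, while the two after -> are the destination IP and port.

```python
import ipaddress
import re
# Constructed example rules (not from a real ruleset); the second uses the page's CIDR form and hex content
RULES = [
    'alert tcp any any -> 10.12.43.21 2123',
    'alert tcp any any -> 10.23.23.12/24 111 (content:"|00 01 86 a5|"; msg:"Alert Hex";)',
]

def parse_content(value):
    """Turn a content value into bytes: |..| spans are hex, the rest literal text."""
    out = b""
    for i, part in enumerate(value.split("|")):
        # odd-indexed parts sit between pipes and hold space-separated hex bytes
        out += bytes.fromhex(part) if i % 2 else part.encode()
    return out

def parse_rule(text):
    """Split 'action proto src sport -> dst dport (options)' into its parts."""
    m = re.match(r'(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+->\s+(\S+)\s+(\S+)\s*(?:\((.*)\))?\s*$', text)
    if not m:
        raise ValueError("unsupported rule syntax: " + text)
    action, proto, src, sport, dst, dport, opts = m.groups()
    options = {}
    for opt in (opts or "").split(";"):  # each 'keyword: "value"' ends with ;
        if ":" in opt:
            key, val = opt.split(":", 1)
            options[key.strip()] = val.strip().strip('"')
    return {"action": action, "proto": proto, "src": src, "sport": sport,
            "dst": dst, "dport": dport, "options": options}

def ip_matches(spec, ip):
    # 'any' matches everything; otherwise a host or a range such as 10.23.23.12/24
    return spec == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)

def port_matches(spec, port):
    return spec == "any" or int(spec) == port

def match(rule, pkt):
    """Return the msg to log if pkt (a constructed dict: proto, src, sport, dst,
    dport, payload bytes) fits the rule header and its options, else None."""
    r = parse_rule(rule)
    if r["proto"] != pkt["proto"]:
        return None
    if not (ip_matches(r["src"], pkt["src"]) and port_matches(r["sport"], pkt["sport"])
            and ip_matches(r["dst"], pkt["dst"]) and port_matches(r["dport"], pkt["dport"])):
        return None
    needle = r["options"].get("content")
    if needle is not None and parse_content(needle) not in pkt["payload"]:
        return None  # header fit, but the bytes are absent: no alert
    return r["options"].get("msg", "(no msg)")
```

A real Snort deployment evaluates far more than this (reassembly, modifiers on content, many more option keywords), but the header-then-options order of checks is the same.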

