Wednesday, 4 September 2013

How to set up Snort in Linux

Problem: you want to set up Snort, a network intrusion detection system (NIDS).

Installation:
# tar -xvjf snort-*.tar.gz
# cd snort
# ./configure
# make
# make install

Next, create a logging directory. It should not be publicly readable, since it will contain potentially sensitive data:

# mkdir -p -m go-rwx /var/log/snort

Finally, install the configuration files and rules database:

# mkdir -p /usr/local/share/rules
# cp etc/* rules/*.rules /usr/local/share/rules



Packet sniffing with snort

To format and print network trace information:
# snort -v [-d|-X] [-C] [-e] [filter-expression]

To sniff packets from the network:
# snort [-i interface] [-P snap-length] [filter-expression]

To read network trace data you have saved previously:
# snort -r filename [filter-expression]


Detecting intrusions with snort

Problem: You want to notice if your system is under attack from the network

Solution: To run as a network intrusion detection system, with binary logging, and alerts sent to the system logger:

# snort -c /usr/local/share/rules/snort.conf -b -s
To run snort in the background, as a daemon:
# snort -D [-u user] [-g group] [-m umask] -c /usr/local/share/rules/snort.conf


The configuration file includes a large number of pattern-matching rules that control logging and alerts.


Decoding snort alert messages

Consult the Snort signature database at http://www.snort.org/snort-db, using the signature ID as an index or searching on the text of the message. Another NIDS signature database is at http://www.whitehats.com

Logging with snort

Problem: you want to manage Snort's output and log files in an efficient, effective manner.

To log network trace data for later analysis:
# snort -b [-l logging-directory] [-L basename]

To examine the network trace data:
# snort -r logfile

To manage the logs, don't use logrotate. Instead, periodically tell snort to close all of its files and restart by sending it a SIGHUP signal:
# kill -HUP `pidof snort`

Remove all files that are older than a week:
# find /var/log/snort -type f -mtime +7 -print0 | xargs -0 -r rm

Remove empty sub-directories:
# find /var/log/snort -mindepth 1 -depth -type d -print0 | xargs -0 -r rmdir -v --ignore-fail-on-non-empty

Put those in a cron script.
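As an added example (not from the original post), the three log-management steps above combined into one cron script, saved here as snort-logprune.sh; the log directory path, the 7-day retention and the script name are assumptions you can override through the environment:

```shell
#!/bin/sh
# Added example: rotate and prune Snort logs from cron. Steps follow the
# recipe above: SIGHUP snort so it reopens its files, delete files older
# than N days, then remove subdirectories left empty. Defaults are assumed.

SNORT_LOG_DIR="${SNORT_LOG_DIR:-/var/log/snort}"
RETENTION_DAYS="${RETENTION_DAYS:-7}"

# Ask a running snort to close and reopen its log files. If pidof is
# missing or snort is not running, there is nothing to signal; that is
# not an error for the pruning step, so return success.
snort_reopen_logs() {
    pid=$(pidof snort 2>/dev/null) || return 0
    # $pid is deliberately unquoted: pidof may return several PIDs.
    [ -n "$pid" ] && kill -HUP $pid
}

# Delete regular files under $1 whose mtime is older than $2 days, then
# remove empty subdirectories. -print0/-0 keeps paths with spaces or
# newlines safe, -r stops xargs running rm/rmdir with no arguments.
snort_prune_logs() {
    dir="$1"; days="$2"
    find "$dir" -type f -mtime +"$days" -print0 | xargs -0 -r rm -f
    find "$dir" -mindepth 1 -depth -type d -print0 \
        | xargs -0 -r rmdir --ignore-fail-on-non-empty
}

# Number of log files still present; handy for a sanity check or syslog line.
snort_log_file_count() {
    find "$1" -type f | wc -l | tr -d ' '
}

main() {
    snort_reopen_logs
    snort_prune_logs "$SNORT_LOG_DIR" "$RETENTION_DAYS"
    logger -t snort-logprune "kept $(snort_log_file_count "$SNORT_LOG_DIR") files" 2>/dev/null
}

# Run only when invoked as the script itself, not when sourced for testing.
case "$0" in *snort-logprune*) main ;; esac
```

Install it as a daily cron job (for example a file in /etc/cron.daily) running as root, since /var/log/snort was created mode go-rwx.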

