Problem: you want to set up snort, a network intrusion detection system (NIDS).
Installation:
# tar -xvjf snort-*.tar.gz
# cd snort
# ./configure
# make
# make install
Next, create a logging directory. It should not be publicly readable, since it will contain potentially sensitive data:
# mkdir -p -m go-rwx /var/log/snort
Finally, install the configuration files and rules database:
# mkdir -p /usr/local/share/rules
# cp etc/* rules/*.rules /usr/local/share/rules
Packet sniffing with snort
To format and print network trace information:
# snort -v [-d|-X] [-C] [-e] [filter-expression]
To sniff packets from the network:
# snort [-i interface] [-P snap-length] [filter-expression]
To read network trace data you have saved previously:
# snort -r filename [filter-expression]
Detecting intrusions with snort
Problem: You want to notice if your system is under attack from the network.
Solution: To run as a network intrusion detection system, with binary logging, and alerts sent to the system logger:
# snort -c /usr/local/share/rules/snort.conf -b -s
To run snort in the background, as a daemon:
# snort -D [-u user] [-g group] [-m umask] -c /usr/local/share/rules/snort.conf
The configuration file includes a large number of pattern-matching rules that control logging and alerts.
Decoding snort alert messages
Consult the snort signature database at http://www.snort.org/snort-db, using the signature ID as an index, or search based on the text of the message. Another NIDS signature database is at http://www.whitehats.com
Logging with snort
Problem: you want to manage snort's output and log files in an efficient, effective manner.
To log network trace data for later analysis:
# snort -b [-l logging-directory] [-L basename]
To examine the network trace data:
# snort -r logfile
To manage the logs, don't use logrotate. Instead, periodically tell snort to close all of its files and restart by sending it a SIGHUP signal:
# kill -HUP `pidof snort`
Remove all files that are older than a week:
# find /var/log/snort -type f -mtime +7 -print0 | xargs -0 -r rm
Remove empty sub-directories:
# find /var/log/snort -mindepth 1 -depth -type d -print0 | xargs -0 -r rmdir -v --ignore-fail-on-non-empty
Put those in a cron script.
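The cron script the notes mention, as an added example (not code from the original notes): it wraps the SIGHUP and cleanup steps above in functions, using GNU find/xargs as the notes do. The log directory, retention period and the "run" argument are assumptions; adjust them to your installation.

```shell
#!/bin/sh
# Added example: snort log housekeeping, suitable for a daily cron entry.
# Assumed defaults (not from the notes): log directory and retention period.
SNORT_LOG_DIR="${SNORT_LOG_DIR:-/var/log/snort}"
RETAIN_DAYS="${RETAIN_DAYS:-7}"

# Ask every running snort to close its log files and restart (the SIGHUP step).
# pidof is not POSIX; return quietly when it is missing or no snort is running.
rotate_snort_logs() {
    pids=$(pidof snort 2>/dev/null) || return 0
    [ -n "$pids" ] && kill -HUP $pids
}

# Remove log files older than $2 days under $1, then remove subdirectories
# left empty. -print0 / xargs -0 keep unusual file names safe; -r stops
# xargs from running rm or rmdir at all when there is nothing to remove.
prune_snort_logs() {
    dir="$1"
    days="$2"
    find "$dir" -type f -mtime +"$days" -print0 | xargs -0 -r rm -f
    find "$dir" -mindepth 1 -depth -type d -print0 \
        | xargs -0 -r rmdir --ignore-fail-on-non-empty
}

# Run the full sequence only when invoked as "script run" (e.g. from cron),
# so the functions can also be sourced and used individually.
if [ "${1:-}" = "run" ] && [ -d "$SNORT_LOG_DIR" ]; then
    rotate_snort_logs
    prune_snort_logs "$SNORT_LOG_DIR" "$RETAIN_DAYS"
fi
```

A crontab line such as `30 3 * * * /usr/local/sbin/snort-housekeeping.sh run` (path assumed) runs it nightly.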