Wednesday, 4 September 2013

How to setup snort in linux

Problem: you want to set up snort, a network intrusion detection system (NIDS).

# tar -xvjf snort-*.tar.gz
# cd snort
# ./configure
# make
# make install

Next, create a logging directory. It should not be publicly readable, since it will contain potentially sensitive data:

# mkdir -p -m go-rwx /var/log/snort

Finally, install the configuration files and rules database:

# mkdir -p /usr/local/share/rules
# cp etc/* rules/*.rules /usr/local/share/rules

Packet sniffing with snort

To format and print network trace information
# snort -v [-d|-X] [-C] [-e] [filter-expression]

To sniff packets from the network:
# snort [-i interface] [-P snap-length] [filter-expression]

To read network trace data you have saved previously:
# snort -r filename [filter-expression]

Detecting intrusions with snort

Problem: You want to notice if your system is under attack from the network

Solution: To run as a network intrusion detection system, with binary logging, and alerts sent to the system logger:

# snort -c /usr/local/share/rules/snort.conf -b -s

To run snort in the background, as a daemon:
# snort -D [-u user] [-g group] [-m umask] -c /usr/local/share/rules/snort.conf

The configuration file includes a large number of pattern-matching rules that control logging and alerts.

Decoding snort alert messages

Consult the snort signature database, using the signature ID as an index or searching on the text of the message. NIDS database @

Logging with snort

Problem: You want to manage snort's output and log files in an efficient, effective manner.

To log network trace data for later analysis:
# snort -b [-l logging-directory] [-L basename]

To examine the network trace data:
# snort -r logfile

To manage the logs, don't use logrotate. Instead, periodically tell snort to close all of its files and restart by sending it a SIGHUP signal:
# kill -HUP `pidof snort`

Remove all files that are older than a week:
# find /var/log/snort -type f -mtime +7 -print0 | xargs -0 -r rm

Remove empty sub-directories:
# find /var/log/snort -mindepth 1 -depth -type d -print0 | xargs -0 -r rmdir -v --ignore-fail-on-non-empty

Put those in a cron script.
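The rotate-then-prune steps above gathered into one cron-ready script, as an added example that is not part of the original post: it sends SIGHUP to every running snort so the current log files are closed and reopened, then deletes files older than MAX_AGE_DAYS and removes the emptied sub-directories. The SNORT_LOG_DIR and MAX_AGE_DAYS variable names and the "run" argument guard are assumptions of this example.

```shell
#!/bin/sh
# Example cron script for snort log maintenance (constructed for this post).
# Usage from cron:  /usr/local/sbin/snort-logclean.sh run
set -eu

SNORT_LOG_DIR="${SNORT_LOG_DIR:-/var/log/snort}"   # assumed default, matches the post
MAX_AGE_DAYS="${MAX_AGE_DAYS:-7}"                  # assumed default: one week

# Ask every running snort to close and reopen its log files (same as
# "kill -HUP `pidof snort`" in the post). Returns 1 if snort is not running.
rotate_snort_logs() {
    pids=$(pidof snort 2>/dev/null || true)
    if [ -z "$pids" ]; then
        echo "rotate_snort_logs: no snort process found" >&2
        return 1
    fi
    # shellcheck disable=SC2086  # word-splitting on the PID list is intended
    kill -HUP $pids
}

# Delete regular files under $1 older than $2 days, then remove any
# sub-directories that are now empty. NUL-separated names survive spaces.
prune_snort_logs() {
    dir=$1
    days=$2
    find "$dir" -type f -mtime +"$days" -print0 | xargs -0 -r rm -f
    find "$dir" -mindepth 1 -depth -type d -print0 \
        | xargs -0 -r rmdir --ignore-fail-on-non-empty
}

# Count regular files below $1; handy for checking what a prune left behind.
count_files() {
    find "$1" -type f | wc -l | tr -d ' '
}

# Only act when explicitly asked, so sourcing the file defines the functions
# without touching the log directory. Rotate first so snort is writing to
# fresh files before old ones are removed.
if [ "${1:-}" = "run" ]; then
    rotate_snort_logs || true
    prune_snort_logs "$SNORT_LOG_DIR" "$MAX_AGE_DAYS"
fi
```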

