More IDS sensors:

/opt/snort/bin/snort -c /opt/snort/etc/snort.conf -i eth0 -l /var/log/snort0
/opt/snort/bin/snort -c /opt/snort/etc/snort.conf -i eth1 -l /var/log/snort1

Snort Modes:
-----------
1) Network Sniffer Mode

[root@conformix snort]# /opt/snort/bin/snort -v      <- Network Sniffer Mode
[root@conformix snort]# /opt/snort/bin/snort -dv     <- Shows more data (application data payload)
[root@conformix snort]# /opt/snort/bin/snort -dev    <- Displays in "hexadecimal" and "ASCII" format

snort -dev -l /var/log/snort    <- Log data in *text* format
snort -l /tmp -b                <- Log data in *binary* format
   (We can read them afterwards with TCPDUMP: # tcpdump -r /tmp/snort.log.1037840514)

2) NIDS Mode

snort -c /opt/snort/etc/snort.conf
snort -dev -l /var/log/snort -c /etc/snort/snort.conf

Alert Modes:
-----------
1) Fast Mode (Timestamp, Alert message (configurable through rules), Source and destination IP addresses, Source and destination ports)
/opt/snort/bin/snort -c /opt/snort/etc/snort.conf -q -A fast

2) Full Mode *Default Mode*
/opt/snort/bin/snort -c /opt/snort/etc/snort.conf -q -A full

3) UNIX Socket Mode "-A unsock"

4) No Alert Mode "-A none"

5) Sending Alerts to Syslog
/opt/snort/bin/snort -c /opt/snort/etc/snort.conf -s

Testing Rules:
------------
alert ip any any -> any any (msg: "IP Packet detected";)
alert icmp any any -> any any (msg: "ICMP Packet found";)
alert icmp 192.168.1.4 any -> 192.168.1.1 any (msg: "HEARTBEAT";)
   [*] Snort_IP> 192.168.1.4 ... add to CRON every 10 min. "ping -n 1 192.168.1.1" so the alert log shows whether Snort is still active.

alert icmp any any -> 192.168.1.113/32 any \
   (msg: "Ping with TTL=100"; ttl:100;)

alert tcp 192.168.2.0/24 23 -> any any \
   (content: "confidential"; msg: "Detected confidential";)
alert tcp 192.168.2.0/24 23 <> any any \
   (content: "confidential"; msg: "Detected confidential";)   <- "<>" matches both directions

alert tcp 192.168.1.0/24 any -> ![192.168.1.0/24] any \
   (content: "GET"; msg: "GET matched";)
alert tcp 192.168.1.0/24 any -> ![192.168.1.0/24] any \
   (content: "|47 45 54|"; msg: "GET matched";)   <- same match, content given as hex bytes

alert icmp any any -> any any (logto:my_log3; ttl: 100;)   <- Log to file: my_log3

alert tcp 192.168.1.0/24 any -> any 80 (msg: "Outgoing \
   HTTP connection"; react: block;)
   <- Send TCP FIN to sending & receiving hosts (Needs: --enable-flexresp)
   <- *react:* should always be the last option.

alert tcp any any -> 192.168.1.0/24 8080 (resp: rst_snd;)
   <- Send TCP RST to the sender when it attempts to connect to port 8080 (Needs: --enable-flexresp)

Preprocessors:
-------------
preprocessor arpspoof: -unicast   <- will detect unicast anomalies
preprocessor arpspoof_detect_host: 192.168.1.13 \
   34:45:fd:3e:a2:01   <- adds an IP address and MAC address pair which can be used later on to detect ARP spoofing attempts.

==================== MySQL ====================
$ ls -lh /var/lib/mysql/snort   <- All DB files are here

mysql> optimize table data;
mysql> optimize table ...
mysql> optimize table ...

# mysql -h localhost -u snortuser -psnortpass snortDB < optimize.sql   <- no space between -p and the password, otherwise "snortpass" is taken as the database name

==================== SnortSnarf ====================
http://www.silicondefense.com/software/snortsnarf/index.htm

$ snortsnarf.pl /var/log/snort/alert -d /var/www/html/snortsnarf

MySQL:
$ snortsnarf.pl user:userpass@snort@localhost -d /var/www/html/snortsnarf
   [*] DB> snort ; [*] HOST> localhost.

Resources:
http://www.activeworx.org/   <- Snort IDS GUI policy manager for Windows
http://www.snortsam.net/     <- Snort integration with CheckPoint
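The rule syntax used in the Testing Rules section, as an added example that is not part of these notes and not Snort's own parser: a small Python matcher (hypothetical helper) that parses single-line rule headers and evaluates them against constructed packet records, covering the negated ![network] form, the <> bidirectional header and the |47 45 54| hex content notation.

```python
import ipaddress
import re

# Added example, not Snort's own code: a minimal matcher for the rule syntax in
# these notes (CIDR/negated networks, 'any', -> and <> directions, msg/content/ttl).
HEADER = re.compile(
    r'^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$')

def parse_rule(text):
    """Split a single-line rule into its header fields and an options dict."""
    m = HEADER.match(text.strip())
    if not m:
        raise ValueError("unrecognised rule: " + text)
    action, proto, sip, sport, direction, dip, dport, opts = m.groups()
    options = {}
    for opt in (o.strip() for o in opts.split(";")):
        if opt:
            key, _, val = opt.partition(":")
            options[key.strip()] = val.strip().strip('"')
    return {"action": action, "proto": proto, "src": (sip, sport),
            "dir": direction, "dst": (dip, dport), "opts": options}

def endpoint_matches(spec, ip, port):
    """spec = (address, port); address is 'any', a host/CIDR or ![network]."""
    addr, pspec = spec
    if addr != "any":
        net = ipaddress.ip_network(addr.lstrip("!").strip("[]"), strict=False)
        if (ipaddress.ip_address(ip) in net) == addr.startswith("!"):
            return False  # outside a plain network, or inside a negated one
    return pspec == "any" or int(pspec) == port

def content_bytes(spec):
    """Bytes between pipes are hex: "|47 45 54|" is the same as "GET"."""
    return bytes.fromhex(spec.strip("|")) if spec.startswith("|") else spec.encode()

def rule_matches(rule, pkt):
    """pkt: constructed dict with proto, src, sport, dst, dport, ttl, payload."""
    if rule["proto"] not in ("ip", pkt["proto"]):
        return False
    forward = (endpoint_matches(rule["src"], pkt["src"], pkt["sport"])
               and endpoint_matches(rule["dst"], pkt["dst"], pkt["dport"]))
    reverse = (rule["dir"] == "<>"  # bidirectional: also match the reply direction
               and endpoint_matches(rule["src"], pkt["dst"], pkt["dport"])
               and endpoint_matches(rule["dst"], pkt["src"], pkt["sport"]))
    opts = rule["opts"]
    ttl_ok = "ttl" not in opts or int(opts["ttl"]) == pkt["ttl"]
    content_ok = "content" not in opts or content_bytes(opts["content"]) in pkt["payload"]
    return (forward or reverse) and ttl_ok and content_ok
```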