Snort is an Intrusion Detection System (IDS). We were given the problem statement
"Study, Install and Configure any Intrusion Detection System (IDS)" in our lab manual.
I have played with Snort for only about 4 hours, and I am now able to detect network traffic from the internet to my computer and raise an alert as specified in the rule file.
I won't talk much about anything else now; we will just begin with the tutorial for configuring Snort and writing a very basic 'rule file' for it.
1) I assume that all of you have Snort installed on your systems (if not, just type 'sudo apt-get install snort'). First of all, I will teach you how to write a rule file for detecting a specific type of intrusion from a certain host.
1.1 Create a plain text document named 'rule' at the path /home/your_username
1.2 Now I will explain the syntax of a rule file.
e.g. alert tcp any any -> 192.168.1.4 any (msg:"JaysComp anyTCP intrusion detected ...!!";sid:1000984;)
A. The rule header consists of the following fields:
(rule action) (protocol) (src address & port) -> (destination address & port)
rule action = what Snort does when the rule matches; 'alert' raises an alert when an intrusion occurs.
protocol = this may be tcp, udp, icmp, vlan, etc. I have used tcp for pinging GOOGLE.
src address & port = the address and port number of the intruder. You can take this value to be 'any any'.
dest address & port = this is usually your own address. I have used my LAN address (192.168.1.4). You can also take this value to be 'any any'.
B. The rule options follow the header inside parentheses, each written as
keyword:argument; keyword:argument; ...
The keywords that I have used in my rule file are msg and sid.
e.g. msg:"Hey Intrusion detected"
sid:1000983 (I think this can be anything, but I am not sure.)
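As an added example (not the author's code and not part of Snort), the following Python script parses rules written in the form above into their header fields and options, and flags the mistakes that are easy to make in a hand-written rule file: a missing msg or sid, a duplicate sid, or a sid below 1000000, the range Snort reserves for the rules it ships with (local rules use 1000000 and above). The three sample rules are constructed for this example.

```python
import re
# Constructed sample rule file in the tutorial's style, not the author's actual file.
SAMPLE_RULES = """\
# lines starting with '#' are comments
alert tcp any any -> 192.168.1.4 any (msg:"JaysComp anyTCP intrusion detected ...!!";sid:1000984;)
alert icmp any any -> 192.168.1.4 any (msg:"ICMP to my box"; sid:1000985; rev:1;)
alert udp any any -> 192.168.1.4 53 (msg:"DNS to my box"; sid:5;)
"""

# Header: action proto src sport direction dst dport, then the option block in ().
HEADER_RE = re.compile(
    r'^(?P<action>alert|log|pass|drop)\s+(?P<proto>tcp|udp|icmp|ip)\s+'
    r'(?P<src>\S+)\s+(?P<sport>\S+)\s+(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*'
    r'\((?P<opts>.*)\)\s*$')

def parse_options(opts):
    """Turn 'keyword:value; keyword:value;' into a dict; semicolons inside quotes are kept."""
    result = {}
    for chunk in re.split(r';(?=(?:[^"]*"[^"]*")*[^"]*$)', opts):
        chunk = chunk.strip()
        if chunk:
            key, sep, value = chunk.partition(':')
            result[key.strip()] = value.strip().strip('"') if sep else None
    return result

def parse_rule(line):
    m = HEADER_RE.match(line.strip())
    if not m:
        raise ValueError('not a valid rule header: %r' % line)
    rule = m.groupdict()
    rule['options'] = parse_options(rule.pop('opts'))
    return rule

def parse_rule_file(text):
    return [parse_rule(l) for l in text.splitlines() if l.strip() and not l.lstrip().startswith('#')]

def lint_rules(rules):
    """Flag a missing msg/sid, a sid below 1000000 (reserved for official rules) or a duplicate sid."""
    problems, seen = [], set()
    for r in rules:
        opts = r['options']
        sid = opts.get('sid')
        if 'msg' not in opts or sid is None or not sid.isdigit():
            problems.append((sid, 'missing msg or missing/non-numeric sid'))
            continue
        if int(sid) < 1000000:
            problems.append((sid, 'sid below 1000000 is reserved for official rules'))
        if sid in seen:
            problems.append((sid, 'duplicate sid'))
        seen.add(sid)
    return problems
```

Run it over your own rule file with parse_rule_file(open('/home/your_username/rule').read()) and check that lint_rules returns an empty list before starting Snort.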
2) Now we are ready to run Snort and detect TCP intrusions on any of our ports from the internet.
Open a terminal and type
'sudo snort -d -h 192.168.1.0/24 -N -c /home/jayz/rule -i eth0'
sudo = super user privileges.
snort = the command to run Snort
-d = dump the application layer
-h = home network address
-N = turn off packet logging (alerts still work)
-c = use the rules file at this location
-i = monitor the given network interface
For most wired connections the value for -i is eth0; for others it may differ.
When you run this command, you will see an output like this.
Now open up the web browser and just surf for a few seconds.
Now switch back to your terminal and press 'Ctrl+C'.
Now the terminal looks pretty much like this.
Now open the path /var/log/snort; here you will find an 'alert' file. All the alerts, as specified in the 'rule file', are logged to this alert file.
Now you can play with Snort to try out different protocols' and hosts' intrusions into your system.
Maybe there are some spelling mistakes here, but just ignore them.