IDS (Intrusion Detection System) - Snort 2.9 [Linux Deb/Ubuntu]


 
What is Snort?

    Snort is the foremost Open Source Intrusion Detection System (IDS) in the world. Snort IDS uses a series of rules that help define malicious network activity and uses those rules to find packets that match against them and generates alerts for users.

    Snort can be deployed inline to stop these packets, as well. Snort has three primary uses: As a packet sniffer like tcpdump, as a packet logger — which is useful for network traffic debugging, or it can be used as a full-blown network intrusion prevention system. Snort can be downloaded and configured for personal and business use alike.
(apud: https://www.snort.org/)


    After digging made this script to make life more easier, you may just

[ apt install snort -y ]

to verify if your REPO got everything before, if it doesn't work, just copy and run the first script out of three:

[1] Install from tarball file manually  [2] Makes Configuration  [3] Launch App


# if you good till here, lets go to CONFIGURATION

#

Here we got the post-install script:
# if you noticed this config is also included in step 2: the second script =D # nano /etc/snort/snort.conf :: Download Link


Check the Output from last Code:


Sample of Output after PING with loaded Community Rules:

 

At the Image below you can check the plugins from Snort, OS_RULES .

###################################################
# Step #9: Customize your Shared Object Snort Rules
# For more information, see http://vrt-blog.snort.org/2009/01/using-vrt-certified-shared-object-rules.h$
###################################################


 

 

 I've made a script to run SNORT and make sure that  snort.config , folder and Aplication USER:GROUP  under /ETC/SNORT enforces its owner:


 

 #################################################

You can skip this config, but is valid to dig into it:

#################################################

At line 45 in /etc/snort/snort.conf should seen like it >:

ipvar HOME_NET  any
ipvar EXTERNAL_NET  any


Note from web-page(link): 

    Change the declaration for EXTERNAL_NET to !$HOME_NET – this expression means the external network will be defined as any IP address that is not part of the home network. Important! If you leave HOME_NET declared as “any” you cannot use !$HOME_NET, as the expression will translate to “not any” and throw an error when you try to start Snort.

Line 104 should look like this:

var  RULE_PATH  /etc/snort/rules
var  SO_RULE_PATH  /etc/snort/so_rules

var PREPROC_RULE_PATH  /etc/snort/preproc_rules
var WHITE_LIST_PATH        /etc/snort/rules/iplists
var BLACK_LIST_PATH        /etc/snort/rules/iplists

#tip: my Snort got some stuff while configuring these paths, depending on your System you may have to change if it ask!  Since on Ubuntu 18.04 is working as so, not reporting any issue as up code.


KEEP READING:

securityarchitecture: https://www.securityarchitecture.com/learning/intrusion-detection-systems-learning-with-snort/configuring-snort/

Comments

Post a Comment

Popular posts from this blog

Get Info From DNS Servers and Active Hosts

Image
      Get the Authority Dns Reverse Servers with a nice tool called Whois ; so then you can start a passive gathering from Multiples Hosts in a file caught by your IDS or IPS blacklist or from some secure source database on web , either if it has 80.000 hosts file , turning it into a powerful tool with pv and grep to your toolkit.   pv is a monitor to progress of data through a pipe or source, same as a more common tool DD, but pv offers some more options to Show Progress and Monitor  data transfer. Here, I'm using grep followed with -H to bring the Source File Name and -f option to insert a match list  in a file named Matchfile. apt-cache search whois # also check other tools as dmitry # Check WHOIS Flags Enabled :                     '-a' = All mirrored databases.                    '-d' = Return the Reverse DNS delegati...
Read more

Nmap Scan Your Home Network [Linux]

Image
       To those that are new in Security Information, here is one of most popular tool which you can't left out of your toolbox.       I made this script to introduce you  Acknowledgment  scan, which grap FLAG status  from target host in the first defaults ports (1-1024) which are some of most important ports.      The OSI Protocol was made to have from 0-65535 ports (tcp/udp), you can have the additional in yout amazing SCAN ports with same script just add "-p": eg: nmap --scripts=default -p 1-65535      The "scripts=default means the  nmap is going  to activate the options "-O" and "-A" for OS (Operation System), what ever it is! And  grap  banner fingerprint from deductions or most its acctual OS running at the target and activating Advanced Scan that also makes injection of scripts to probe the data from Firawall / IDS / IPS scope. # I've also brought graphical map of som...
Read more

[IPS/IDS ] Snort 3 Plus - Installation - 32x - 64x bits

Image
          Snort 3 is a intrusion detection and prevention tool made by Cisco Talos, free and open source, one of my favorite to work with, got a simple installation and configuration compared to some others.    Here is a quick run and installation From GIT Repo to Debian / Ubuntu 32-64 Bits. ################################################## After everthing get done, type: nano /etc/snort/snort.lua    Here the configuration must be set the same of older versions of Snort eg.: Note: Change the declaration for EXTERNAL_NET to !$HOME_NET – this expression means the external network will be defined as any IP address that is not part of the home network. Important! If you leave HOME_NET declared as “any” you cannot use !$HOME_NET, as the expression will translate to “not any” and throw an error when you try to start Snort.  Noticed: the new conf seens the same at inserting new RULES, so, lets start setting it at /etc/snort/ru...
Read more