
1 SNORT Tutorial Sreekanth Malladi (modifying original by N. Youngworth)

2 Installation
Install the WinPcap file. WinPcap lets you capture and examine packets as they flow across the network. It installs quickly, so don't assume something went wrong. It is found at http://winpcap.polito.it/
Next install the SNORT program. SNORT does many different things depending on the command line you type. Accept the default settings until you are asked where to install it; choose the correct location and click Install. It is found at http://www.snort.org/

3 Understanding Snort (config file)
Once you have installed everything you are ready to begin using SNORT.
(Optional) To understand better where everything comes from and why it happens, view the snort config file (snort.conf in the etc folder). Double-click it, choose "choose file from list", and pick a program such as Notepad, WordPad, ConTEXT... This is the configuration file that tells SNORT how you want it to run. Together with the rule sets, it is probably the most important file to read and/or change. Without this file configured correctly SNORT will not work properly.
For this lab we will not edit the file. We will use the standard setup so we can see what SNORT does.

4 Running command line
Now pull up a command prompt. This can be done many different ways; the easiest is to click START, choose RUN, type "cmd" in the Open line of the Run box and click OK. Change to the directory that you installed snort to.

5 Important point
Snort not displaying packets? It is probably listening on the wrong adapter. Do
  /> snort -W
which lists all the network adapters. Then choose an adapter:
  /> snort -v -i 2
(2 for the second adapter in the list, 3 for the third, ...). That should work; see the screen shots next.

6 Listing the adapters using the -W option.

7 Choosing the adapter to sniff:
  /> snort -v -i 3

8 Getting started using SNORT
Now is the fun part. We get to demonstrate some of the different ways that SNORT can be used. We might as well start with the basics. Running SNORT consists of starting it from the command line and attaching the correct flags to the command. A flag is simply a dash followed by the correct character or characters, for example -d or -v; flags can be combined, so -d -v means the same thing as -dv.

9 First command test
First let's check that there are packets flowing across the network you are on. There are 3 commands that do this well. They are also used in almost every other command, so understanding what they do is beneficial. The easiest way is to view the TCP/IP packet headers:
  ./snort -v

10 Example

11 Stopping snort and more options
To stop the process without closing the window, use Ctrl+C. This stops the process and brings you back to a command prompt. It also displays a summary of what SNORT did; I will discuss this later.
To show the IP and the TCP/UDP/ICMP headers:
  ./snort -dv

12 Example

13 Viewing the payload
To also show the packet payload use
  ./snort -dev
Any of these three letters can be combined to get whatever information you would like to view.

14 Logging your findings
Next we will talk about logging mode. In logging mode you can log the information you want, using the commands above combined with a new flag. The new flag is -l (a lower-case L), which must be followed by the directory you want to log the files into. The directory has to already exist or the command won't work. SNORT conveniently provides a log directory for you already, called log (who would have thought, huh?).

15 Logging continued
Start with the normal command saying which information you would like to log, followed by -l and the directory where the files should be logged:
  ./snort -dev -l ../log
I used "../" to denote moving back a folder, since I was in the bin folder where the SNORT executable is. Be sure to log into the proper directory, and make sure the directory exists or it won't work.

16 Logged where and how
When you execute it the console window will look the same, but the information will now be logged into the specified folder.

17 Logged where and how
There is an ARP file in here also that logs which IP talks to which IP and at what time. In each of these folders are the packet files.

18 Viewing Log
Finally, to view a packet file, open it with Notepad, WordPad, ConTEXT... and you will be able to view what is in it.

19 Using SNORT as an IDS
Host-based or network-based. Let's look at host-based use first. The command:
  > snort -v -i 2 -l ../log -c test.rules
test.rules should be a simple text file in the current folder. It could also be placed in the "rules" folder in C:\Snort. For this demonstration we use the following rules in test.rules:
  alert tcp any 80 -> any any (msg:"Attack!";)
  alert tcp any any -> any 80 (msg:"Attack!";)
It's a silly rule set: it logs every HTTP connection as an attack. Just for illustration.

20 Snort as IDS
The file alert.ids should then be created automatically by Snort in the C:\Snort\log folder.
Snort can also be used as a NIDS. This requires Snort sensors at various points in the network (behind the router, in front of network interfaces, etc.), a Snort server that centrally logs all alerts from the sensors, and a front-end processor to view the alerts on the server.
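To make the rule header in slide 19 concrete (action, protocol, source address and port, direction, destination address and port, then the options in parentheses), here is an added example in Python that parses rules in that form and matches them against a few constructed packet headers. It is not Snort's code and not part of the tutorial; the packet records and IP addresses are made up, and the sid/rev options are added to the slide's two rules because current Snort versions refuse a rule without a sid. Address patterns are limited to "any" or an exact address, and option values are split on ";" naively, which is enough for the rules on the slide but not for full Snort syntax.

```python
import re
from dataclasses import dataclass

# Header: action proto src sport dir dst dport (options)
RULE_RE = re.compile(
    r'^(?P<action>alert|log|pass)\s+(?P<proto>tcp|udp|icmp|ip)\s+'
    r'(?P<src>\S+)\s+(?P<sport>\S+)\s+(?P<dir>->|<>)\s+'
    r'(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$'
)


@dataclass
class Rule:
    action: str
    proto: str
    src: str
    sport: str
    direction: str
    dst: str
    dport: str
    options: dict


def parse_options(text):
    """Split 'msg:"Attack!"; sid:1000001; rev:1;' into a dict (naive: no quoted ';')."""
    opts = {}
    for item in text.split(';'):
        item = item.strip()
        if not item:
            continue
        key, _, value = item.partition(':')
        opts[key.strip()] = value.strip().strip('"')
    return opts


def parse_rule(line):
    m = RULE_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a rule header I understand: {line!r}")
    return Rule(m['action'], m['proto'], m['src'], m['sport'], m['dir'],
                m['dst'], m['dport'], parse_options(m['opts']))


def load_rules(text):
    """Parse a rules file, skipping blank lines and '#' comments."""
    return [parse_rule(l) for l in text.splitlines()
            if l.strip() and not l.lstrip().startswith('#')]


def _addr_match(pattern, addr):
    return pattern == 'any' or pattern == addr


def _port_match(pattern, port):
    return pattern == 'any' or pattern == str(port)


def _one_way(rule, pkt):
    return (_addr_match(rule.src, pkt['src']) and _port_match(rule.sport, pkt['sport'])
            and _addr_match(rule.dst, pkt['dst']) and _port_match(rule.dport, pkt['dport']))


def matches(rule, pkt):
    """True if the packet header fits the rule header; '<>' also tries the reverse direction."""
    if rule.proto != 'ip' and rule.proto != pkt['proto']:
        return False
    if _one_way(rule, pkt):
        return True
    if rule.direction == '<>':
        swapped = dict(pkt, src=pkt['dst'], sport=pkt['dport'], dst=pkt['src'], dport=pkt['sport'])
        return _one_way(rule, swapped)
    return False


def run_rules(rules, packets):
    """Return one alert line per (packet, matching alert rule), in the spirit of alert.ids."""
    alerts = []
    for pkt in packets:
        for rule in rules:
            if rule.action == 'alert' and matches(rule, pkt):
                alerts.append(f"[**] {rule.options.get('msg', '')} [**] {pkt['proto']} "
                              f"{pkt['src']}:{pkt['sport']} -> {pkt['dst']}:{pkt['dport']}")
    return alerts


# The two rules from the slide, with sid/rev added (required by current Snort).
TEST_RULES = """\
# silly rules: every HTTP connection is an "attack"
alert tcp any 80 -> any any (msg:"Attack!"; sid:1000001; rev:1;)
alert tcp any any -> any 80 (msg:"Attack!"; sid:1000002; rev:1;)
"""

# Constructed packet headers (documentation-range addresses), not captured traffic.
PACKETS = [
    {'proto': 'tcp', 'src': '192.0.2.10', 'sport': 51000, 'dst': '198.51.100.5', 'dport': 80},
    {'proto': 'tcp', 'src': '198.51.100.5', 'sport': 80, 'dst': '192.0.2.10', 'dport': 51000},
    {'proto': 'tcp', 'src': '192.0.2.10', 'sport': 51001, 'dst': '198.51.100.5', 'dport': 443},
    {'proto': 'udp', 'src': '192.0.2.10', 'sport': 53000, 'dst': '198.51.100.1', 'dport': 53},
]


def demo():
    return run_rules(load_rules(TEST_RULES), PACKETS)


if __name__ == '__main__':
    for line in demo():
        print(line)
```

Running it prints two alerts: the request to port 80 hits the second rule and the reply from port 80 hits the first, while the HTTPS and DNS packets match neither. Replacing the two one-directional rules with a single "alert tcp any any <> any 80 (...)" rule gives the same result, which is the point of the "<>" direction operator.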

21 ACID and BASE
ACID is a front-end analysis tool for analyzing Snort logs. BASE (Basic Analysis and Security Engine) is an extension of ACID: a set of PHP scripts that connects to a database such as MySQL, which was used to log Snort's output, and displays the results of the database analysis.
