CEH_Snort - yenbohuang/techNotes GitHub Wiki
Snort performs protocol analysis and content searching/matching, and is used to detect a variety of attacks and probes, such as buffer overflows, stealth port scans, CGI attacks, SMB probes, and OS fingerprinting attempts.
## Initialize

- Install Snort from `Z:\CEHv12 Module 12 Evading IDS, Firewalls, and Honeypots\Intrusion Detection Tools\Snort`.
- Copy the files under `Z:\CEHv12 Module 12 Evading IDS, Firewalls, and Honeypots\Intrusion Detection Tools\Snort\snortrules-snapshot-29150\` as follows:

| Source | Destination |
|---|---|
| `\etc\snort.conf` | `C:\Snort\etc\snort.conf` |
| `\so_rules\` | `C:\Snort\so_rules\` |
| `\preproc_rules\` | `C:\Snort\preproc_rules\` |
| `\rules\` | `C:\Snort\rules\` |

- Create the following files:
  - `C:\Snort\rules\white_list.rules`
  - `C:\Snort\rules\black_list.rules`
- Run Snort (exit with `Ctrl + C`):

```
cd C:\Snort\bin
snort
```
## Commands

| Command | Description |
|---|---|
| `snort -W` | Lists your machine's physical address, IP address, and Ethernet drivers; all are disabled by default. |
| `snort -dev -i 1` | Enables the Ethernet driver (e.g., device index number = 1). |
## Running in IDS Mode

Assume:

- The host IP address is `10.10.1.19` (Windows Server 2019).
- The device index number is `1`.

Make the configuration file changes described below, then run the following command with administrator permission:

```
snort -i1 -A console -c C:\Snort\etc\snort.conf -l C:\Snort\log -K ascii
```

Log files are collected under the folder given by `-l` (`C:\Snort\log`), in one sub-folder per source IP address. For example:

```
C:\Snort\log\10.10.1.11\ICMP_ECHO.ids
```
### C:\Snort\etc\snort.conf

Make the following changes:

- Replace every `ipvar` keyword with `var` (11 occurrences).
- Edit the sections shown below (`...` marks unchanged lines):

```
...
# Step #1: Set the network variables
...
var HOME_NET 10.10.1.19
...
var DNS_SERVERS 8.8.8.8
...
var RULE_PATH C:\Snort\rules
var SO_RULE_PATH C:\Snort\so_rules
var PREPROC_RULE_PATH C:\Snort\preproc_rules
...
var WHITE_LIST_PATH C:\Snort\rules
var BLACK_LIST_PATH C:\Snort\rules
...
# Step #4: Configure dynamic loaded libraries
...
dynamicpreprocessor directory C:\Snort\lib\snort_dynamicpreprocessor
dynamicengine C:\Snort\lib\snort_dynamicengine\sf_engine.dll
# Comment out this line:
# dynamicdetection ....
...
# Step #5: Configure preprocessors
# Comment out every line matching this pattern:
# preprocessor normalize_*
...
# Remove the "lzma" keyword:
decompress_swf { deflate } \
...
# Step #6: Configure output plugins
...
include C:\Snort\etc\classification.config
include C:\Snort\etc\reference.config
output alert_fast: alerts.ids
...
```
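The snort.conf edits above are easy to get half-done by hand, so here is an added example (not from the original page) that applies them to the configuration text and then checks that nothing was missed. The sample config excerpt is constructed and the function names are my own; `patch_snort_conf` rewrites the text and `check_snort_conf` lists the lab requirements still unmet.

```python
import re

# Constructed excerpt of a stock snort.conf, used as sample input (not the real file).
SAMPLE_CONF = """\
ipvar HOME_NET any
ipvar DNS_SERVERS $HOME_NET
var RULE_PATH ../rules
dynamicdetection directory /usr/local/lib/snort_dynamicrules
preprocessor normalize_ip4
preprocessor normalize_tcp: ips ecn stream
   decompress_swf { deflate lzma } \\
"""
# Variable values taken from the lab procedure above.
VARIABLES = {"HOME_NET": "10.10.1.19", "DNS_SERVERS": "8.8.8.8", "RULE_PATH": r"C:\Snort\rules",
             "SO_RULE_PATH": r"C:\Snort\so_rules", "PREPROC_RULE_PATH": r"C:\Snort\preproc_rules",
             "WHITE_LIST_PATH": r"C:\Snort\rules", "BLACK_LIST_PATH": r"C:\Snort\rules"}

def patch_snort_conf(text):
    """Apply the lab edits line by line and return the rewritten snort.conf text."""
    out = []
    for line in text.splitlines():
        if line.startswith("ipvar "):                 # ipvar -> var
            line = "var " + line[len("ipvar "):]
        m = re.match(r"var (\w+) ", line)             # set lab values for known variables
        if m and m.group(1) in VARIABLES:
            line = f"var {m.group(1)} {VARIABLES[m.group(1)]}"
        if line.startswith(("dynamicdetection", "preprocessor normalize_")):
            line = "# " + line                        # comment out, as in Steps #4 and #5
        elif "decompress_swf" in line:
            line = line.replace(" lzma", "")          # drop the lzma keyword
        out.append(line)
    if not any(l.startswith("output alert_fast:") for l in out):
        out.append("output alert_fast: alerts.ids")  # Step #6 output plugin
    return "\n".join(out) + "\n"

def check_snort_conf(text):
    """Return the lab requirements the text still violates (empty list = ready to run)."""
    problems = []
    if re.search(r"^ipvar ", text, re.M):
        problems.append("ipvar keyword still present")
    if "var HOME_NET 10.10.1.19" not in text:
        problems.append("HOME_NET is not the host IP")
    if re.search(r"^(dynamicdetection|preprocessor normalize_)", text, re.M):
        problems.append("dynamicdetection or normalize_* still enabled")
    if "lzma" in text:
        problems.append("lzma keyword still present")
    if "output alert_fast: alerts.ids" not in text:
        problems.append("alert_fast output not configured")
    return problems
```

Run `check_snort_conf` on the real file before starting Snort with `-c`; an empty list means the edits listed in this section are all in place.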
### C:\Snort\rules\icmp-info.rules

Add this rule:

```
alert icmp $EXTERNAL_NET any -> $HOME_NET 10.10.1.19 (msg:"ICMP-INFO PING"; icode:0; itype:8; reference:arachnids,135; reference:cve,1999-0265; classtype:bad-unknown; sid:472; rev:7;)
```