of performing packet logging and real-time traffic analysis on IP networks. Snort was written by Martin Roesch and is now
developed by Sourcefire, of which Roesch is the founder and CTO. Integrated enterprise versions with purpose built hardware
and commercial support services are sold by Sourcefire.
Snort performs protocol analysis, content searching/matching, and is commonly used to actively block or passively detect
a variety of attacks and probes, such as buffer overflows, stealth port scans, web application attacks, SMB probes, and OS
fingerprinting attempts, amongst other features. The software is mostly used for intrusion prevention purposes, by
dropping attacks as they are taking place. Snort can be combined with other software such as SnortSnarf, sguil, OSSIM,
and the Basic Analysis and Security Engine (BASE) to provide a visual representation of intrusion data. With patches for
the Snort source from Bleeding Edge Threats, support for packet stream antivirus scanning with ClamAV and network
abnormality with SPADE in network layers 3 and 4 is possible with historical observation. ( These patches seem to be no
longer maintained)
http://sguil.sourceforge.net/
http://base.secureideas.net/
http://www.sourcefire.com/
http://www.activeworx.org/
http://www.appliedwatch.com/
http://www.aanval.com/
http://www.skynet-solutions.net/easyids/
Gathering the Required Software
Snort www.snort.org
This paper is based on the most recent version of Snort, v2.8.2.1
Snort requires lipbcap for packet capturing. BSD derivatives typically include libpcap; Linux typically does not, so libpcap
should be installed before proceeding to install snort
Installation
# cd /usr/src
# wget http://www.snort.org/dl/current/snort-2.8.2.1.tar.gz
# tar zxvf snort-2.8.2.1.tar.gz
# cd snort-2.8.2.1/
# ./configure
# make
# make check --to run any self tests
# make install
Using Snort
To see how snort can be used to read packets off the wire try the following command:
Snort works in 3 Modes but i describe 2 modes and 3rd mode will be upload shorlty
1. Packet Sniffer Mode
- snort -v (TCP/UDP/ICMP/IP) Headers
- snort -vd (application layer)
- snort -vde (data-link layer (MAC))
- snort -vde -i interface src host ipaddress and dst host ipaddress # see the example on very next line
snort -vde -i eth0 src host 192.168.2.30 and dst host 192.168.2.31
- snort -vde -i interface src host ipaddress and dst port portno # see the exaple on very next line
snort -vde -i eth0 src host 192.168.2.31 and dst port 22
2. Packet Logger Mode
ASCII Logging
- mkdir /temp
- cd /temp
- snort -vde -l ./
- snort -vde -l ./ -i interface src host ipaddress and dst port portno
- snort -vde -l ./ -i interface src host ipaddress
Binary Logging
- snort -b -L snort_binary.log -l ./ -i interface src host ipaddress
- snort -dev -r snort_binary.log.no =Read Binary file
- snort -dev -r snort_binary.log.no src host ipaddress and dst port portno =Read Binary file
- snort -dev -r snort_binary.log.no src host ipaddress and dst port not portno =Read Binary file
- Tie Snort to multiple interfaces
- snort -b -L snort_eth0 -i eth0 <BPFs>
- snort -b -L snort_eth1 -i eth1 <BPFs>
Notice snort even generates a nice table of statistics. Unfortunately, snort cannot provide packet loss statistics under
Linux but is able to do so under both FreeBSD and Solaris.
NIDS and NIPS mode will be upload very shortly, be paitent
For any comments, feedback and correction, kindly mail me nafees29@gmail.com
Regards