Wireshark is great. Personally, I prefer tcpdump from the command line with my own scripts to extract specific results I am looking for. If you want to become dangerous with tcpdump, you should check out Daniel Miessler’s tutorial on the subject and start experimenting. That being said, my ideas of how to see what is actually going on in networks that I manage are constrained to my limited knowledge base, experience and imagination, and I am sure it is not terribly hard to outsmart me:
- is my LAMP server getting hit with SQL injection attacks?
- is there a vulnerability in a package on my system that I am not aware of yet?
- is a device on my network compromised by some type of malware?
- is the NSA all up in my biz?
- am I getting port-scanned? If so, by whom? What are they looking for?
- is someone trying really hard with nmap scripts or other penetration tools to hack me?
- some kinds of attacks I can’t even fathom?
I’m pretty sure at this point, the answer to all of these questions is YES! Well, I want to know what the heck is going on, and even with decent tcpdump skills, I am not sure how to tell if, for instance, I am being hit with an OS detection scan or something like that. Snort is the perfect tool for problems like this.
Snort sniffer mode
Snort’s sniffer mode is pretty cool.
sudo snort -i enp1s0 -dev
This command prints every frame the interface sees, IPv4, IPv6 and so on, to the console: -v prints the packet headers, -d adds the application-layer payload as hex and ASCII, and -e adds the link-layer (Ethernet) headers. Here is the output from this command:
If I just want to see frames moving on my LAN in this manner, snort is definitely not my tool of choice; tcpdump is. However, snort can also run as a packet logger (-l names the log directory and -b writes the packets in binary tcpdump format, which is far faster than decoding them to text) and read a saved capture back later with -r for analysis. But, I want to be alerted about intrusions.....
Snort Network Intrusion Detection Mode
This is what I think makes snort special. I installed snort as an NIDS on a few machines in my lab by following this awesome tutorial. I intend to attack my snort machines and post the results soon.
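Once snort is running as an NIDS, the alert file is what answers the questions at the top of this post: who is hitting me, with what, and what are they looking for. As an added example (not code from the original post or from the Snort project), here is a small Python script that parses Snort 2 fast-format alert lines (the one-line-per-alert output you get with -A fast) and summarises them per source host, flagging hosts that look like port scanners. The alert lines are constructed to look like that format; the local rule sids (1000001 and up) and their messages are hypothetical, the (portscan) line imitates the sfPortscan preprocessor's gid 122 alert, and the regex assumes IPv4 addresses.

```python
"""Summarise Snort fast-format alerts per source host.

Added example, not code from the original post or the Snort project.
The alert lines are constructed to follow Snort 2's fast alert format
(one line per alert); local rule sids/messages are hypothetical and the
(portscan) line imitates the sfPortscan preprocessor (gid 122).
The regex below handles IPv4 addresses only.
"""
import re
from collections import Counter

# Fields of a fast-format alert line:
#   timestamp  [**] [gid:sid:rev] msg [**] [Classification: ...] [Priority: n] {PROTO} src[:sport] -> dst[:dport]
# Classification is optional (preprocessor alerts omit it); ports are absent
# for ICMP and for sfPortscan alerts.
FAST_ALERT = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d{6})\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.+?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?"
    r"\[Priority:\s*(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>[^}]+)\}\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<dport>\d+))?\s*$"
)

# Constructed sample alerts (not real Snort output). 203.0.113.7 throws SQLi at
# the web server; 198.51.100.23 pings the host, then walks a list of ports.
SAMPLE_ALERTS = [
    "05/11-14:23:01.123456  [**] [1:1000001:1] LOCAL SQLi UNION SELECT in URI [**] "
    "[Classification: Web Application Attack] [Priority: 1] {TCP} 203.0.113.7:54321 -> 192.168.1.10:80",
    "05/11-14:23:02.000001  [**] [1:1000001:1] LOCAL SQLi UNION SELECT in URI [**] "
    "[Classification: Web Application Attack] [Priority: 1] {TCP} 203.0.113.7:54322 -> 192.168.1.10:80",
    "05/11-14:24:10.500000  [**] [1:1000002:1] LOCAL ICMP echo from outside [**] "
    "[Classification: Misc activity] [Priority: 3] {ICMP} 198.51.100.23 -> 192.168.1.10",
    "05/11-14:24:30.000000  [**] [122:1:0] (portscan) TCP Portscan [**] "
    "[Priority: 3] {PROTO:255} 198.51.100.23 -> 192.168.1.10",
    "not an alert line at all",
]
SAMPLE_ALERTS += [
    f"05/11-14:24:{12 + i:02d}.000000  [**] [1:1000003:1] LOCAL inbound SYN to unexpected port [**] "
    f"[Classification: Attempted Information Leak] [Priority: 2] {{TCP}} 198.51.100.23:{40000 + i} -> 192.168.1.10:{port}"
    for i, port in enumerate([21, 22, 23, 25, 80, 110, 143, 443])
]


def parse_alert(line):
    """Return a dict of alert fields, or None if the line is not a fast alert."""
    m = FAST_ALERT.match(line)
    if not m:
        return None
    a = m.groupdict()
    for key in ("gid", "sid", "rev", "prio"):
        a[key] = int(a[key])
    for key in ("sport", "dport"):
        a[key] = int(a[key]) if a[key] is not None else None
    return a


def summarize(lines):
    """Group alerts by source: count, rule hits, distinct target ports, most severe priority."""
    per_src = {}
    for line in lines:
        a = parse_alert(line)
        if a is None:
            continue  # blank lines, garbage, anything that is not a fast alert
        s = per_src.setdefault(a["src"], {"alerts": 0, "rules": Counter(), "dports": set(), "top_prio": None})
        s["alerts"] += 1
        s["rules"][(a["gid"], a["sid"], a["msg"])] += 1
        if a["dport"] is not None:
            s["dports"].add(a["dport"])
        # Snort priorities: 1 is the most severe, so keep the minimum seen
        if s["top_prio"] is None or a["prio"] < s["top_prio"]:
            s["top_prio"] = a["prio"]
    return per_src


def suspected_scanners(per_src, min_ports=5):
    """Sources that touched many distinct ports, or that sfPortscan (gid 122) already flagged."""
    hits = []
    for src, s in per_src.items():
        flagged = any(gid == 122 for gid, _sid, _msg in s["rules"])
        if flagged or len(s["dports"]) >= min_ports:
            hits.append(src)
    return sorted(hits)


if __name__ == "__main__":
    summary = summarize(SAMPLE_ALERTS)
    for src, s in sorted(summary.items(), key=lambda kv: kv[1]["top_prio"]):
        print(f"{src}: {s['alerts']} alerts, top priority {s['top_prio']}, ports {sorted(s['dports'])}")
        for (gid, sid, msg), n in s["rules"].most_common():
            print(f"    {n:3d}x [{gid}:{sid}] {msg}")
    print("suspected scanners:", suspected_scanners(summary))
```

Point it at a real alert file by replacing SAMPLE_ALERTS with the lines of the file snort writes under its log directory; the sfPortscan check is there because Snort's own preprocessor already correlates probes across ports, while the distinct-port count catches slow scans that only trip per-packet rules.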