getting started with snort

[Figure: snort IPS]

Wireshark is great.  Personally, I prefer tcpdump from the command line with my own scripts to extract specific results I am looking for.  If you want to become dangerous with tcpdump, you should check out Daniel Miessler’s tutorial on the subject and start experimenting.  That being said, my ideas of how to see what is actually going on in networks that I manage are constrained to my limited knowledge base, experience and imagination, and I am sure it is not terribly hard to outsmart me:

  • is my LAMP server getting hit with SQL injection attacks?
  • is there some vulnerability in a package on my system that I am not aware of yet?
  • is a device on my network compromised by some type of malware?
  • is the NSA all up in my biz?
  • am I getting port-scanned?  If so, by whom? What are they looking for?
  • is someone trying really hard with nmap scripts or other penetration tools to hack me?
  • some kinds of attacks I can’t even fathom?

I’m pretty sure at this point, the answer to all of these questions is YES!  Well, I want to know what the heck is going on, and even with decent tcpdump skills, I am not sure how to tell if, for instance, I am being hit with an OS detection scan or something like that.  Snort is the perfect tool for problems like this.

Snort sniffer mode

Snort’s sniffer mode is pretty cool.

sudo snort -i enp1s0 -dev

This command will basically show every frame on the wire, whether IPv4, IPv6 or anything else, with the hex and ASCII output to the console.  Here is the output from this command:

[Figure: snort sniffer mode]

If I just want to see frames moving on my LAN in this manner, snort is definitely not my tool of choice; tcpdump is.  However, in sniffer mode, I can capture and log network traffic in binary (which is incredibly fast) and analyze it later.  But, I want to be alerted about intrusions…

Snort Network Intrusion Detection Mode

This is what I think makes snort special.  I installed snort as an NIDS on a few machines in my lab by following this awesome tutorial. I intend to attack my snort machines and post the results soon.
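As an added example (not code from this post or from the linked tutorial), the POSIX shell script below ties the three modes mentioned above together: the sniffer-mode command, the binary packet logging that can be analyzed later, and a first local rule for NIDS mode that flags a burst of TCP SYNs from one source, which is the "am I being port-scanned, and by whom" question from the list at the top. It assumes Snort 2.x command-line flags and rule syntax; the interface name enp1s0 comes from the post, while the config path, log directory and the rule itself are constructed placeholders for this example.

```shell
#!/bin/sh
# Added example, not from the original post: a small Snort 2.x workflow that
# goes from sniffer mode to binary packet logging to a first local NIDS rule.
# Assumptions: Snort 2.9-style command-line flags and rule syntax; the
# interface name enp1s0 comes from the post; the config and log paths are
# placeholders for wherever your install put them.

SNORT_IFACE="${SNORT_IFACE:-enp1s0}"
SNORT_LOGDIR="${SNORT_LOGDIR:-/var/log/snort}"
SNORT_CONF="${SNORT_CONF:-/etc/snort/snort.conf}"

# Sniffer mode, as in the post: -d dumps application-layer payload,
# -e prints link-layer headers, -v writes decoded packets to the console.
sniffer_cmd() {
    printf 'snort -i %s -dev\n' "$SNORT_IFACE"
}

# Packet-logger mode: -l picks the log directory and -b stores raw packets in
# tcpdump/pcap format instead of decoding them, which is what makes it fast.
log_binary_cmd() {
    printf 'snort -q -i %s -l %s -b\n' "$SNORT_IFACE" "$SNORT_LOGDIR"
}

# Offline analysis later: -r reads the saved pcap back in, -c loads the full
# NIDS configuration and rules, -A console prints any alerts as they match.
replay_cmd() {
    printf 'snort -r %s -c %s -A console\n' "$1" "$SNORT_CONF"
}

# A first local rule: alert when one external source sends 20 or more TCP
# SYNs into HOME_NET within 5 seconds, a crude "am I being port-scanned, and
# by whom" indicator. sid values from 1000000 up are reserved for local rules.
write_local_rules() {
    cat > "$1" <<'EOF'
# local.rules (constructed for this example)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"LOCAL burst of TCP SYNs from one source"; flags:S; detection_filter:track by_src, count 20, seconds 5; classtype:attempted-recon; sid:1000001; rev:1;)
EOF
}

# Sanity check before loading: every non-comment rule needs msg, sid and rev,
# or Snort refuses to start. Returns 0 when the file is clean.
check_rules_file() {
    [ -r "$1" ] || return 1
    bad=$(grep -Ev '^[[:space:]]*(#|$)' "$1" | grep -Evc 'msg:.*sid:.*rev:' || true)
    [ "$bad" -eq 0 ]
}

main() {
    echo "# 1. watch live frames:";     sniffer_cmd
    echo "# 2. log packets in binary:"; log_binary_cmd
    echo "# 3. replay a saved log through the rules:"
    replay_cmd "$SNORT_LOGDIR/snort.log.PLACEHOLDER"
    rules="${TMPDIR:-/tmp}/local.rules"
    write_local_rules "$rules" && check_rules_file "$rules" && echo "rules ok: $rules"
    # -T validates the configuration and exits; only try it if snort exists.
    if command -v snort >/dev/null 2>&1; then
        snort -T -c "$SNORT_CONF" || echo "snort -T reported a config problem" >&2
    fi
}

main "$@"
```

Run it once to see the three commands it would use, then include the generated local.rules from your snort.conf (the `include $RULE_PATH/local.rules` line) and run the `-T` configuration test before going live; a rule missing its sid or rev is the most common reason a fresh install refuses to start, which is what check_rules_file catches.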
