Snort

Hello Dear readers

Today my tutorial is about Snort. Snort is a Network Intrusion Detection System (NIDS); in addition to running as an IDS it can be configured as a sniffer or as a packet logger. This tutorial covers using Snort as an IDS.

Download Snort from its website http://www.snort.org/. I will be using the Snort that comes with BackTrack 5, so boot into BackTrack and let's get started.

To start snort Service, go to Application Menu -> Backtrack -> Services -> SNORT Services -> Snort Start

[screenshot: snort_start]

Alternatively you can use the command

#service snort start

Once Snort starts, you have to configure it for the networks you want to monitor. To do this, edit its configuration file by typing the command

#vi /etc/snort/snort.conf

and set the value of $HOME_NET from any to the range of IPs you want to monitor.

[screenshot: snort_conf]
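To show what the $HOME_NET change looks like, and why it should not be made blindly, here is an added example (my own code, not part of the original tutorial or of Snort) that rewrites a constructed snort.conf excerpt. It narrows HOME_NET from the weak default "any" to a validated CIDR list and sets EXTERNAL_NET to "!$HOME_NET", so that rules written as $EXTERNAL_NET -> $HOME_NET do not fire on traffic between your own hosts. The sample configuration text and the network ranges are assumptions for the demonstration.

```python
import ipaddress
import re

# Constructed excerpt in the shape of snort.conf's network section; it is not
# the file shipped with BackTrack 5, just enough to exercise the rewrite.
SAMPLE_CONF = """\
var HOME_NET any
var EXTERNAL_NET any
var DNS_SERVERS $HOME_NET
"""

# Matches the HOME_NET / EXTERNAL_NET definitions, whether the file uses the
# older "var" keyword or the Snort 2.9 "ipvar" keyword.
VAR_RE = re.compile(
    r"^(?P<kw>ipvar|var)[ \t]+(?P<name>HOME_NET|EXTERNAL_NET)[ \t]+(?P<val>.+?)[ \t]*$",
    re.MULTILINE,
)


def get_var(conf_text, name):
    """Return the current value of HOME_NET or EXTERNAL_NET, or None if absent."""
    for m in VAR_RE.finditer(conf_text):
        if m.group("name") == name:
            return m.group("val")
    return None


def set_home_net(conf_text, networks):
    """Rewrite HOME_NET to the given CIDR list and EXTERNAL_NET to !$HOME_NET.

    Each network is validated with strict=True, so a value with host bits set
    (e.g. 192.168.1.5/24) is rejected instead of being written into the config.
    """
    if not networks:
        raise ValueError("at least one network is required")
    for net in networks:
        ipaddress.ip_network(net, strict=True)  # raises ValueError on a bad CIDR
    # Snort list syntax is [a,b,c] with no spaces; a single network needs no brackets.
    home = networks[0] if len(networks) == 1 else "[" + ",".join(networks) + "]"
    new_values = {"HOME_NET": home, "EXTERNAL_NET": "!$HOME_NET"}
    seen = set()

    def replace(m):
        name = m.group("name")
        seen.add(name)
        return f"{m.group('kw')} {name} {new_values[name]}"

    updated = VAR_RE.sub(replace, conf_text)
    missing = set(new_values) - seen
    if missing:
        raise ValueError(f"config has no definition for: {sorted(missing)}")
    return updated


if __name__ == "__main__":
    print(set_home_net(SAMPLE_CONF, ["192.168.1.0/24", "10.0.0.0/8"]))
```

Leaving HOME_NET as "any" still produces alerts, but every rule that distinguishes inside from outside loses its meaning, and EXTERNAL_NET left as "any" overlaps HOME_NET, which is a common source of noise from internal traffic.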

Restart the snort service in order for changes to take place.

#service snort restart

Now Launch the Snort IDS using the Following command.

#snort -q -A console -i eth0 -c /etc/snort/snort.conf

where:

-q    quiet mode (suppresses the banner and startup output)

-A console    set the alert mode to console, so alerts are printed on the terminal

-i eth0    set the listening interface (eth0 here)

-c /etc/snort/snort.conf    use the rules and settings in this configuration file

Now let's launch a DoS attack against the system and see whether Snort detects it or not. For this I will use the utility called LOIC (Low Orbit Ion Cannon). To set up LOIC:

Type the victim's IP in the target section and click Lock on.

Then in Attack Options, select the Method as UDP.

Set the threads to a value such as 1000.

Then click the main massive button IMMA CHARGIN MAH LAZER to launch the attack.

[screenshot: snort_dos]

Now you will notice that the Snort IDS detects the attack and prints the alerts on the console.

[screenshot: snort_output_dos]

Now let's run an Nmap scan against the victim system and see whether Snort picks it up. I will use Zenmap, which is a graphical utility that runs nmap in the background. To set up Zenmap:

Type IP of victim in Target field

Set Profile as Intense

and Hit scan

Zenmap will generate the appropriate nmap command. Now let's check Snort in the background to see if it has detected the scan.

[screenshot: snort_mmap]

As you can see, Snort has detected the scan even though most of it was a stealth scan.

[screenshot: snort_output_mmap]
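Reading alerts off the console works for a demo, but with a UDP flood or a full port scan the screen fills faster than anyone can read it. The following is an added example (my own code, not from the tutorial or the Snort project) for both the DoS and the scan sections above: it parses lines in the layout Snort uses for -A console alerts and summarizes them by source address, signature and priority, so a burst of alerts from one host stands out. The alert lines are constructed to mirror that format and are not captured from the tutorial's session; the local SIDs 1000001 and 1000002 are assumed custom rules.

```python
import re
from collections import Counter

# Constructed alert lines in the shape of Snort's console/fast alert output:
# MM/DD-HH:MM:SS.usec  [**] [gid:sid:rev] msg [**] [Classification: ...] [Priority: N] {proto} src[:port] -> dst[:port]
# The last alert line has no Classification field, which happens for custom
# rules written without a classtype; the final line is deliberate junk.
SAMPLE_ALERTS = """\
05/12-14:02:11.103455  [**] [1:1000001:1] LOCAL UDP flood to HOME_NET [**] [Classification: Attempted Denial of Service] [Priority: 2] {UDP} 192.168.1.20:54121 -> 192.168.1.10:80
05/12-14:02:11.104902  [**] [1:1000001:1] LOCAL UDP flood to HOME_NET [**] [Classification: Attempted Denial of Service] [Priority: 2] {UDP} 192.168.1.20:54122 -> 192.168.1.10:80
05/12-14:02:11.106377  [**] [1:1000001:1] LOCAL UDP flood to HOME_NET [**] [Classification: Attempted Denial of Service] [Priority: 2] {UDP} 192.168.1.20:54123 -> 192.168.1.10:80
05/12-14:09:42.551200  [**] [122:1:0] (portscan) TCP Portscan [**] [Classification: Attempted Information Leak] [Priority: 3] {PROTO:255} 192.168.1.30 -> 192.168.1.10
05/12-14:09:43.002918  [**] [1:1000002:1] LOCAL ICMP echo request [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.168.1.30 -> 192.168.1.10
05/12-14:09:43.120044  [**] [1:1000001:1] LOCAL UDP flood to HOME_NET [**] [Priority: 2] {UDP} 192.168.1.20:54124 -> 192.168.1.10:80
this line is not an alert and must be ignored
"""

# IPv4 only; portscan alerts carry {PROTO:255} and no port numbers.
ALERT_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}-\d{2}:\d{2}:\d{2}\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.+?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s+(?P<cls>[^\]]+)\]\s+)?"
    r"\[Priority:\s+(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>[^}]+)\}\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<dport>\d+))?\s*$"
)


def parse_alert(line):
    """Return a dict of the alert's fields, or None if the line is not an alert."""
    m = ALERT_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    for k in ("gid", "sid", "rev", "prio"):
        d[k] = int(d[k])
    for k in ("sport", "dport"):
        d[k] = int(d[k]) if d[k] is not None else None
    return d


def parse_alerts(text):
    return [a for a in (parse_alert(line) for line in text.splitlines()) if a]


def summarize(text):
    """Count alerts by source IP and by signature; priority 1-2 counts as high."""
    alerts = parse_alerts(text)
    return {
        "total": len(alerts),
        "by_src": Counter(a["src"] for a in alerts),
        "by_sig": Counter((a["gid"], a["sid"], a["msg"]) for a in alerts),
        "high_priority": sum(1 for a in alerts if a["prio"] <= 2),
    }


def noisy_sources(text, threshold):
    """Source IPs that triggered at least `threshold` alerts, most active first."""
    by_src = summarize(text)["by_src"]
    return [ip for ip, n in by_src.most_common() if n >= threshold]


if __name__ == "__main__":
    s = summarize(SAMPLE_ALERTS)
    print(f"{s['total']} alerts, {s['high_priority']} high priority")
    for (gid, sid, msg), n in s["by_sig"].most_common():
        print(f"  [{gid}:{sid}] {msg}: {n}")
    print("noisy sources:", noisy_sources(SAMPLE_ALERTS, 3))
```

In practice you would feed this the file Snort writes with -A fast (the same line layout) rather than scraping the terminal; the point is that one source producing dozens of UDP alerts per second, or a portscan alert from GID 122 followed by probes to many ports, is what a flood or an Nmap scan looks like in the alert stream.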

I hope this was useful. Leave your questions and suggestions in the comment field.
