Snort


Configuration:

Example invocation: snort -dev (the switches are explained below)

-v Be verbose. Prints packets out to the console. There is one big problem with verbose mode: it's slow. If you are doing IDS work with Snort, don't use the '-v' switch, or you WILL drop packets.
-d Dump the application layer data (Packet Payload) when displaying packets in verbose or packet logging mode.
-e Display/log the link layer packet headers.
-X Dump the raw packet data starting at the link layer (the entire packet). This switch overrides the '-d' switch. The whole frame is dumped, including any padding bytes.
-K logging-mode Select a packet logging mode. The default is pcap.
<logging-mode> Valid logging modes include pcap, ascii, and none. pcap logs packets through the pcap library into pcap (tcpdump) format. ascii logs packets in the old "directories and files" format with packet printouts in each file. none turns off packet logging.
-l log-dir. Set the output logging directory to log-dir. All plain text alerts and packet logs go into this directory. If this option is not specified, the default logging directory is set to /var/log/snort.
-A alert-mode. Alert using the specified alert-mode. Valid alert modes include fast, full, none, and unsock. fast writes alerts to the default "alert" file as a single-line, syslog-style alert message. full writes the alert to the "alert" file with the full decoded header as well as the alert message. none turns off alerting. unsock is an experimental mode that sends the alert information out over a UNIX socket to another process that attaches to that socket.

The default configuration for Snort is in /etc/snort/snort.conf.
You can test a newly created configuration with "snort -T -c new.conf", where -T means self-test mode: Snort parses the configuration and rules and exits without processing traffic.

Snort rules:

action protocol SIP SPT [-> | <>] DIP DPT (options)

Action: alert (alert and log packet), log (only log, no alert), pass (drop packet)

SIP / DIP: an IP address or CIDR block, e.g. 192.168.1.1/24

Direction: only two operators, -> (source to destination) or <> (either direction)

Options: the specific things we are looking for, written as semicolon-separated keyword:value pairs, e.g. (flags:SF; msg:"SYN-FIN scan"; sid:100001). sid is the Snort rule ID.

msg and sid are used for the notification when an alarm is triggered, while content is used when you want to search for specific payload content in a packet; binary bytes are written in hex between pipes, e.g. (content:"what's in your ass|hex bytes|"; msg:"ass found"; sid:100001)
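As an added example (not code from the original post or from the Snort project), the following Python parses rules of the shape shown above into their header fields and options, expands the |hex| segments inside a content value, and applies the offset, depth and nocase modifiers from the option list to a constructed payload. The sample rules and payloads are made up for illustration; only the three actions named on this page (alert, log, pass) are accepted, and the matcher is a teaching model of content matching, not Snort's detection engine.

```python
import re
from dataclasses import dataclass

# Constructed sample rules (not from the original post), in the shape
# action protocol SIP SPT [-> | <>] DIP DPT (options)
SAMPLE_RULES = [
    'alert tcp any any -> 192.168.1.0/24 any (flags:SF; msg:"SYN-FIN scan"; sid:100001;)',
    'alert tcp any any -> 192.168.1.0/24 21 (content:"USER |72 6F 6F 74|"; nocase; '
    'offset:0; depth:20; msg:"FTP root login"; sid:100002;)',
    'log udp any any <> 192.168.1.0/24 53 (msg:"DNS traffic"; sid:100003;)',
]

ACTIONS = {"alert", "log", "pass"}          # the actions listed on this page
HEADER_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<sip>\S+)\s+(?P<spt>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dip>\S+)\s+(?P<dpt>\S+)\s*\((?P<opts>.*)\)\s*$"
)


@dataclass
class Rule:
    action: str
    proto: str
    sip: str
    spt: str
    direction: str
    dip: str
    dpt: str
    options: list   # ordered (keyword, value-or-None) pairs


def split_options(body):
    """Split the option body on ';' while ignoring semicolons inside quotes."""
    items, cur, in_quote = [], [], False
    for ch in body:
        if ch == '"':
            in_quote = not in_quote
        if ch == ";" and not in_quote:
            items.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    items.append("".join(cur))
    return [i.strip() for i in items if i.strip()]


def parse_rule(text):
    """Parse one rule line into a Rule, rejecting unknown actions and bad headers."""
    m = HEADER_RE.match(text.strip())
    if not m:
        raise ValueError("malformed rule header: %r" % text)
    if m["action"] not in ACTIONS:
        raise ValueError("unknown action %r" % m["action"])
    opts = []
    for item in split_options(m["opts"]):
        key, _, val = item.partition(":")
        opts.append((key.strip(), val.strip() or None))
    return Rule(m["action"], m["proto"], m["sip"], m["spt"], m["dir"],
                m["dip"], m["dpt"], opts)


def decode_content(value):
    """Turn a quoted content value into bytes, expanding |hex bytes| segments."""
    s = value.strip()
    if len(s) >= 2 and s[0] == '"' and s[-1] == '"':
        s = s[1:-1]
    parts = s.split("|")
    if len(parts) % 2 == 0:
        raise ValueError("unbalanced pipes in content: %r" % value)
    out = bytearray()
    for i, part in enumerate(parts):
        # even indexes are literal text, odd indexes are hex byte runs
        out += part.encode("latin-1") if i % 2 == 0 else bytes.fromhex(part)
    return bytes(out)


def content_checks(rule):
    """Group each content option with the offset/depth/nocase modifiers that follow it."""
    checks, cur = [], None
    for key, val in rule.options:
        if key == "content":
            cur = {"pattern": decode_content(val), "offset": 0, "depth": None, "nocase": False}
            checks.append(cur)
        elif cur is not None and key in ("offset", "depth"):
            cur[key] = int(val)
        elif cur is not None and key == "nocase":
            cur["nocase"] = True
    return checks


def payload_matches(rule, payload):
    """True if every content check of the rule is found in its offset/depth window."""
    for c in content_checks(rule):           # a rule without content matches any payload
        start = c["offset"]
        end = len(payload) if c["depth"] is None else start + c["depth"]
        hay, needle = payload[start:end], c["pattern"]
        if c["nocase"]:
            hay, needle = hay.lower(), needle.lower()
        if needle not in hay:
            return False
    return True


def demo():
    rules = [parse_rule(r) for r in SAMPLE_RULES]
    ftp_rule = rules[1]
    # Constructed payloads: a plain hit, a case variant, one pushed past depth, a miss
    return {
        "sids": [dict(r.options)["sid"] for r in rules],
        "plain": payload_matches(ftp_rule, b"USER root\r\n"),
        "nocase": payload_matches(ftp_rule, b"user ROOT\r\n"),
        "past_depth": payload_matches(ftp_rule, b" " * 30 + b"USER root\r\n"),
        "other_user": payload_matches(ftp_rule, b"USER alice\r\n"),
    }


if __name__ == "__main__":
    print(demo())
```

Run it directly to see the parsed sids and the four match results; the depth case shows why offset and depth matter when tuning a content rule, since the same bytes stop matching once they sit outside the 20-byte window.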

1. msg – print a message in alerts and packet logs
2. logto – log the packet to a user-specified file instead of the standard output
3. ttl – check the TTL value of the IP header
4. tos – check the TOS field of the IP header
5. id – check the fragment ID value of the IP header
6. ipoption – check the option field of the IP header
7. fragbits – check the fragmentation flag bits of the IP header
8. dsize – check the size of the packet's payload
9. content – search the packet payload for a specified pattern
10. offset – modifier for the content option; sets the position where the search starts
11. depth – modifier for the content option; sets the maximum search depth
12. nocase – make the content string match case-insensitively
13. content-list – search the packet for any of several possible matches
14. flags – check the TCP flags value
15. seq – check the TCP sequence number value
16. ack – check the TCP acknowledgement value
17. itype – check the ICMP type value
18. icode – check the ICMP code value
19. session – record the application-layer content of the specified session
20. icmp_id – check the ICMP ECHO ID value
21. icmp_seq – check the ICMP ECHO sequence number value
22. ipoption – watch for specific IP option codes
23. rpc – watch for RPC services of a specific application/procedure call
24. resp – active response (tear down the connection, etc.)
25. reference – external reference ID
26. sid – Snort rule ID
27. rev – rule revision number
28. classtype – rule classification
29. priority – rule priority
30. uricontent – search the URI part of the packet for the specified match
31. tag – advanced logging action
32. ip_proto – protocol value of the IP header
33. sameip – source and destination addresses are the same
34. stateless – stateless connection
35. regex – wildcard pattern matching

By Ctrl | Alt | Del Posted in Linux
