Saturday, 14 February 2015

Snort


Snort is a Linux application that can be used to improve the security of computers. Generally speaking, Snort is a program with three functions, or modes of operation. Snort can be run in packet sniffer mode, where it works as a sniffer like Wireshark. Just like Wireshark, Snort can also save every captured packet to a storage medium, in packet logger mode. Unlike Wireshark, however, Snort can be used as a NIDS component by running it in Network Intrusion Detection System (NIDS) mode. In this last mode, Snort analyzes packets against the existing rules to recognize attack attempts by hackers.

To start using Snort, install Snort's requirements, then download the source, build and install it. For those using the Ubuntu distro, the libdnet shipped in the distribution is a different library from the one Snort requires. In Ubuntu, libdnet is the DECnet library, while the one Snort requires has been renamed to libdumbnet. We recommend downloading the source from Google Code and installing it under /usr instead of /usr/local. The trick is to add the argument --prefix=/usr when calling the configure script.

Here is a sample run of Snort as a packet sniffer:

$ sudo snort -v

Running in packet dump mode

        --== Initializing Snort ==--
Initializing Output Plugins!
pcap DAQ configured to passive.
Acquiring network traffic from "eth0".
Decoding Ethernet

        --== Initialization Complete ==--

   ,,_     -*> Snort! <*-
  o"  )~   Version 2.9.0.5 (Build 135)
   ''''    By Martin Roesch & The Snort Team: http://www.snort.org/snort/snort-team
           Copyright (C) 1998-2011 Sourcefire, Inc., et al.
           Using libpcap version 1.1.1
           Using PCRE version: 2011-01-15

Commencing packet processing (pid=31839)
06/05-12:07:03.524481 192.168.1.200:45263 -> 192.168.1.5:53
UDP TTL:64 TOS:0x0 ID:63753 IpLen:20 DgmLen:73 DF
Len: 45
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

06/05-12:07:03.582863 192.168.1.5:53 -> 192.168.1.200:45263
UDP TTL:255 TOS:0x0 ID:4887 IpLen:20 DgmLen:186 DF
Len: 158
...
===============================================================================
Run time for packet processing was 27.619079 seconds
Snort processed 19 packets.
Snort ran for 0 days 0 hours 0 minutes 27 seconds
   Pkts/sec:            0
===============================================================================
Packet I/O Totals:
   Received:           19
   Analyzed:           19 (100.000%)
    Dropped:            0 (  0.000%)
   Filtered:            0 (  0.000%)
Outstanding:            0 (  0.000%)
   Injected:            0
===============================================================================
...

To log the captured packets into text files, Snort can be run with a command like:

snort -dev -l ./log

The above command writes the captured packets into the log directory (this directory must have been created beforehand).
For NIDS mode, add the extra argument -c, which refers to the Snort configuration file, as follows:

snort -d -l ./log -c /etc/snort.conf

In the above command, the configuration file is named snort.conf.
To run Snort as a daemon (a background process that keeps running), add the -D argument, as in this example:

snort -d -l /var/log/snort.log -c /etc/snort.conf -D

Speaking of configuration files, here is a sample of configuration file content:

var LOG_IP 100.10.12.13

alert tcp any any -> $LOG_IP any (msg:"access from him"; sid:1;)

The above configuration makes Snort generate an alert in the alert file every time TCP traffic accesses the IP 100.10.12.13, with the message "access from him". Of course this is a simple example configuration that is not much use, but it is enough to show the Snort configuration file syntax, which is quite complicated. The example above contains a variable named LOG_IP. Such a variable is used by writing $LOG_IP, which will be substituted with the real value.

The arguments usually given when calling Snort can also be written into the configuration file, so they do not need to be typed manually each time Snort is run, as in the following example:

# same as the argument -D
config daemon

# same as the argument -d
config dump_payload

# same as the argument -l
config logdir: /var/log/snort

var LOG_IP 192.168.1.2
alert tcp any any -> $LOG_IP any (msg:"access from him"; sid:1;)

Use the preprocessor directive to enable the preprocessors already provided by Snort. For example, to detect port scanning, add the following configuration:

preprocessor stream5_global: \
    track_tcp yes, track_udp yes, track_icmp yes

preprocessor stream5_tcp: \
    policy first

preprocessor stream5_udp

preprocessor stream5_icmp

preprocessor sfportscan: \
    proto { all } \
    scan_type { all } \
    sense_level { high }

The above configuration uses the sfPortScan preprocessor from Sourcefire. sfPortScan requires the Stream5 preprocessor. Now, when someone performs a port scan (which is the initial stage of an attack), for example using the Nmap tool:

$ nmap -A -v 192.168.1.22

Snort will generate an alert like the following:

[**] [122:1:0] (portscan) TCP Portscan [**]
[Priority: 3]
06/06-03:34:13.052153 192.168.1.49 -> 192.168.1.22
PROTO:255 TTL:64 TOS:0x0 ID:0 IpLen:20 DgmLen:158 DF

This alert indicates that a host with IP 192.168.1.49 performed a port scan against the computer with IP address 192.168.1.22.
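The alert blocks Snort writes in this full format are what an analyst ends up reading, so here is a small parser for them, as an added example that is not part of the original post. It assumes the block layout shown above (header, priority, packet line, protocol line) and uses a constructed sample made of the portscan alert above plus one alert from the "access from him" rule; sfPortScan alerts are recognised by their generator id 122.

```python
"""Parse Snort 'full' alert blocks into records and summarise which
sources triggered sfPortScan alerts. Added example, not part of the post."""
import re
from collections import Counter

# Constructed sample: the portscan alert from the post plus one alert from the
# "access from him" rule (generator 1, sid 1), both in Snort's full alert format.
SAMPLE_ALERTS = """\
[**] [122:1:0] (portscan) TCP Portscan [**]
[Priority: 3]
06/06-03:34:13.052153 192.168.1.49 -> 192.168.1.22
PROTO:255 TTL:64 TOS:0x0 ID:0 IpLen:20 DgmLen:158 DF

[**] [1:1:0] access from him [**]
[Priority: 0]
06/06-03:35:02.100000 192.168.1.49:51234 -> 192.168.1.2:22
TCP TTL:64 TOS:0x0 ID:4321 IpLen:20 DgmLen:60 DF
"""

HEADER_RE = re.compile(r"^\[\*\*\] \[(\d+):(\d+):(\d+)\] (.*?) \[\*\*\]$")
PRIORITY_RE = re.compile(r"^\[Priority: (\d+)\]$")
IP = r"(\d+\.\d+\.\d+\.\d+)(?::(\d+))?"          # address with optional :port
PACKET_RE = re.compile(r"^(\S+) " + IP + r" -> " + IP + r"$")

def parse_alerts(text):
    """Return one dict per alert block; blocks are separated by a blank line."""
    alerts = []
    for block in text.strip().split("\n\n"):
        lines = block.splitlines()
        if len(lines) < 3:
            continue
        head = HEADER_RE.match(lines[0])
        prio = PRIORITY_RE.match(lines[1])
        pkt = PACKET_RE.match(lines[2])
        if not (head and prio and pkt):
            continue  # skip a block we do not understand instead of crashing
        gid, sid, rev, msg = head.groups()
        ts, src, sport, dst, dport = pkt.groups()
        alerts.append({
            "gid": int(gid), "sid": int(sid), "rev": int(rev), "msg": msg,
            "priority": int(prio.group(1)), "time": ts,
            "src": src, "sport": int(sport) if sport else None,
            "dst": dst, "dport": int(dport) if dport else None,
        })
    return alerts

def portscan_sources(alerts):
    """Count alerts from sfPortScan (generator id 122) per source address."""
    return Counter(a["src"] for a in alerts if a["gid"] == 122)
```

Pointing parse_alerts at the contents of the alert file in the -l log directory gives the same records for a real run.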

Thanks... hope this is helpful.
