Basic Configuration for Snort IDS on Windows OS




What wikipedia says about Snort (https://en.wikipedia.org/wiki/Snort_(software))

Snort's open source network-based intrusion detection system (NIDS) has the ability to perform real-time traffic analysis and packet logging on Internet Protocol (IP) networks. Snort performs protocol analysis, content searching and matching. These basic services have many purposes including application-aware triggered quality of service, to de-prioritize bulk traffic when latency-sensitive applications are in use. [1]

The program can also be used to detect probes or attacks, including, but not limited to, operating system fingerprinting attempts, common gateway interface, buffer overflows, server message block probes, and stealth port scans.[10]

Snort can be configured in three main modes: sniffer, packet logger, and network intrusion detection.[11] In sniffer mode, the program will read network packets and display them on the console. In packet logger mode, the program will log packets to the disk. In intrusion detection mode, the program will monitor network traffic and analyze it against a rule set defined by the user. The program will then perform a specific action based on what has been identified.[12]




Before we begin to configure snort let's see firstly what we need

  • Register to snort website
  • Download and Setup the program (Snort
  • Download rules (snort rules)


1)Move to this directory C:\Snort\etc and open with notepad++ or another text editor snort.conf file to make some changes



Line 45: You can change any with your network address or you can leave it as is.
Line 48: You can change any with your DNS server




Line 104,105,106: They should have Path of your rules files


Line 247,250: Configure your dynamic load libraries as the image above



Line 532,535,536: Don't modify these line and also create with a text editor alert.ids file into C:\Snort\log directory.Check the image below





2)Extract the snortrules which already have downloaded into Snort root directory.Replace files except snort.conf







3) Let's try to run snort and create a pcap file inside c:\snort\log directory which we will open in our next step







4)Open captrured file with wireshark and observe ICMP protocol




 




I hope to find this article helpful at least for your first step into Snort. Of course you can move forward beyond this and adjust it into your standar.Personally i use snort for pentesting reasons and nothing more


References:

Comments

Post a Comment

Popular posts from this blog

Unhide a Hidden GPO

Image
Lately, i read on a very good write-up regarding to GPO's abuse. The name of the article is "GPO abuse - You can't see me" and you can read it  here  . The first question that came to my mind was "Why i can't see you?". Many times GUI is more convenient than PowerShell but in that case i found PowerShell better for me as well as i didn't want to use PowerView. I wanted to create something from the scratch and the biggest motivation is education. So i started to ask myself "if you compromise a host during an assessment, how you can enumerate GPOs without PowerView?". Remember that you are a low privileged user, so may you are not be able to import modules and you can't import ActiveDirectory to Windows 10 and use Get-AD****. The correct answer is "ADSI" and luckily for me, doesn't need to be an expert to use it for simple requests as mine. On this post i will try enumerate domain's GPO using ADSI as well as to unhide h
Read more

Hiding Data Using White Space (Steganography)

Image
Steganography is a technique of hiding  a secret message within an ordinary message and extracting it at the destination to maintain confidentiality of data. An attacker can use steganography to hide messages such as  source code for hacking tools, usernames and passwords, plans for future attacks and many more. Below i will explain how could this achieved in practice using Snow tool. 1)Create a simple txt file and browse to snow directory with command prompt and write the command below.   2)After creating the encrypt txt file you can open it and observe the differences.Have they got the same size?No. What else you could see ? 3)Decrypt the file and extract the hidden message. References: https://en.wikipedia.org/wiki/Steganography
Read more

Basic Pivoting with Cobaltstrike and Metasploit

Image
Last week we participated in a virtual network pentest in order to test our skills and the security of the network as well. During the pentest we encountered various problems during the host pivoting, so we wrote down the difficulties that we faced and how to solve them. Among various problems that we have faced was the initial beacon from the DMZ zone. Since, the web delivery could not executed, we have moving into https://github.com/samratashok/nishang/blob/master/Shells/Invoke-PowerShellTcp.ps1 , a powershell script from nishang tool which is created from Nikhil Mittal. As the most real case scenarios so and this, the internal network seating behind a DMZ zone. So our first objective is to compromise somehow the external DMZ network and then we will use MSF and CobaltStrike to hope between hosts.   CobaltStrike Pivoting After enumerating the external network which we managed to upload a php file and execute system commands on the remote m
Read more