Basic Configuration for Snort IDS on Windows OS
What wikipedia says about Snort (https://en.wikipedia.org/wiki/Snort_(software))
Snort's open source network-based intrusion detection system (NIDS) has the ability to perform real-time traffic analysis and packet logging on Internet Protocol (IP) networks. Snort performs protocol analysis, content searching and matching. These basic services have many purposes including application-aware triggered quality of service, to de-prioritize bulk traffic when latency-sensitive applications are in use. [1]
The program can also be used to detect probes or attacks, including, but not limited to, operating system fingerprinting attempts, common gateway interface, buffer overflows, server message block probes, and stealth port scans.[10]
Snort can be configured in three main modes: sniffer, packet logger, and network intrusion detection.[11] In sniffer mode, the program will read network packets and display them on the console. In packet logger mode, the program will log packets to the disk. In intrusion detection mode, the program will monitor network traffic and analyze it against a rule set defined by the user. The program will then perform a specific action based on what has been identified.[12]
Before we begin to configure snort let's see firstly what we need
- Register to snort website
- Download and Setup the program (Snort)
- Download rules (snort rules)
1)Move to this directory C:\Snort\etc and open with notepad++ or another text editor snort.conf file to make some changes
Line 45: You can change any with your network address or you can leave it as is.
Line 48: You can change any with your DNS server
Line 104,105,106: They should have Path of your rules files
Line 247,250: Configure your dynamic load libraries as the image above
Line 532,535,536: Don't modify these line and also create with a text editor alert.ids file into C:\Snort\log directory.Check the image below
2)Extract the snortrules which already have downloaded into Snort root directory.Replace files except snort.conf
3) Let's try to run snort and create a pcap file inside c:\snort\log directory which we will open in our next step
4)Open captrured file with wireshark and observe ICMP protocol
I hope to find this article helpful at least for your first step into Snort. Of course you can move forward beyond this and adjust it into your standar.Personally i use snort for pentesting reasons and nothing more
References:
- https://www.snort.org
- https://www.youtube.com/watch?v=7Pg_ZJV4cSY
Comments
Post a Comment