Snort
Using Snort
- at the command prompt, start in c:\snort\bin; all commands below are run from there (snort -? lists the available options)
- checking available interfaces: c:\snort\bin> snort -W (lists the interface numbers that are passed to -i in the commands below) example
- capturing and viewing packets on the console (sniffer mode): c:\snort\bin> snort -dev (-d dumps the application-layer data, -e shows the link-layer headers, -v prints each packet to the console; add -i <number> from the -W listing to choose the interface; press Control-C to stop the capture) example
- capturing and saving in a log file (packet-logger mode): c:\snort\bin> snort -de -K ascii -l c:\snort\log (-K ascii writes human-readable decoded logs into per-host directories under the -l directory, which must already exist) examples: tcp, arp
- running in IDS mode and logging the Snort alert messages to the Windows Event Viewer (Application log): c:\snort\bin> snort -E -l c:\snort\log -c c:\snort\etc\snort.conf (-c loads the configuration and the rules it includes, -E sends the alerts to the Windows event log) see example of running in IDS mode and of the events in Event Viewer.
Modifying and creating rules
- creating rules: experts only; download the rule updates and read them.
- modifying rules is not a problem: typically it is done to eliminate the many false positives. Example: I got many false positives as "MISC UPnP malformed advertisement [Classification: Misc Attack]". I looked for misc.rules and edited the rule as follows (only the start of the rule line is shown here):
  # alert udp $EXTERNAL_NET any -> $HOME_NET 1900 (msg:"MISC UPnP malformed advertisement"; content:"NOTIFY * "; nocase;
  In the example I just commented out the rule: I added # in front of the line. Snort reads its rules at startup, so restart it for the change to take effect, and note that the next rule update will overwrite the edited misc.rules file.
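The hand edit above works for one rule, but it is easy to miss a second rule with the same message or to break a rule that is continued over several lines (Snort continues a rule line with a trailing backslash, and a # on only the first physical line leaves the continuation as a syntax error). The following is an added Python example, not code from the page or from the Snort project, that comments out every active rule whose msg option contains a given string and reports which sids remain active. The rules text is constructed for the example; the sid, rev and classtype values and the second and later rules are made up and are not the real misc.rules entries.

```python
import re

# Constructed sample rules file for the example (NOT the real misc.rules).
# sid/rev/classtype values and every rule but the UPnP message from the page
# are made up for illustration.
SAMPLE_RULES = '''\
# constructed excerpt
alert udp $EXTERNAL_NET any -> $HOME_NET 1900 (msg:"MISC UPnP malformed advertisement"; content:"NOTIFY * "; nocase; classtype:misc-attack; sid:1000001; rev:1;)
alert udp $EXTERNAL_NET any -> $HOME_NET 1900 (msg:"MISC UPnP Location overflow"; \\
    content:"Location|3A|"; nocase; classtype:misc-attack; sid:1000002; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 27374 (msg:"MISC already disabled"; sid:1000003; rev:1;)
alert icmp any any -> $HOME_NET any (msg:"ICMP test"; sid:1000004; rev:1;)
'''

MSG_RE = re.compile(r'msg\s*:\s*"([^"]*)"')
SID_RE = re.compile(r'sid\s*:\s*(\d+)')


def logical_rules(lines):
    """Group physical lines into logical rules: a line ending in a backslash
    continues onto the next line (Snort rule syntax)."""
    groups, current = [], []
    for line in lines:
        current.append(line)
        if not line.rstrip().endswith('\\'):
            groups.append(current)
            current = []
    if current:  # dangling continuation at end of file
        groups.append(current)
    return groups


def rule_msg(group):
    """Return the msg option of a logical rule, or None if it has none."""
    joined = ' '.join(l.rstrip().rstrip('\\') for l in group)
    m = MSG_RE.search(joined)
    return m.group(1) if m else None


def is_active(group):
    """True if the logical rule is neither blank nor already commented out."""
    first = group[0].lstrip()
    return bool(first) and not first.startswith('#')


def disable_rules(text, msg_substring):
    """Comment out every active rule whose msg contains msg_substring
    (case-insensitive). Returns (new_text, number_of_rules_disabled)."""
    out, disabled = [], 0
    needle = msg_substring.lower()
    for group in logical_rules(text.splitlines(keepends=True)):
        msg = rule_msg(group)
        if is_active(group) and msg is not None and needle in msg.lower():
            # Prefix every physical line so a continued rule stays commented too.
            out.extend('# ' + line for line in group)
            disabled += 1
        else:
            out.extend(group)
    return ''.join(out), disabled


def active_sids(text):
    """List the sid values of the rules that are still active; a quick check
    that the edit hit the intended rules and nothing else."""
    sids = []
    for group in logical_rules(text.splitlines(keepends=True)):
        if is_active(group):
            m = SID_RE.search(' '.join(group))
            if m:
                sids.append(int(m.group(1)))
    return sids


if __name__ == '__main__':
    # Usage against a real file would be: open('c:/snort/rules/misc.rules').read()
    new_text, count = disable_rules(SAMPLE_RULES, 'UPnP')
    print(f'disabled {count} rule(s); active sids now: {active_sids(new_text)}')
    print(new_text)
```

Matching on the msg text rather than editing by eye catches every rule that raised the alert, and the function is idempotent: running it again over its own output disables nothing further, because rules already starting with # are skipped. As with the manual edit, Snort only sees the change after a restart, and a rules update will replace the file.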