You can also use the tcpdump program to read files generated by Snort when logging in this mode. The following command reads the Snort files and displays captured packets in the file:

    [<user>@<host> snort]# tcpdump -r /tmp/snort.log.1037840514
    20:01:54.984286 192.168.1.100.2474 > 192.168.1.2.ssh: . ack 4119588794 win 16960 (DF)
    20:01:54.984407 192.168.1.2.ssh > 192.168.1.100.2474: P 81:161(80) ack 0 win 32016 (DF) [tos 0x10]
    20:01:54.985428 192.168.1.2.ssh > 192.168.1.100.2474: P 161:241(80) ack 0 win 32016 (DF) [tos 0x10]
    20:01:54.986325 192.168.1.2.ssh > 192.168.1.100.2474: P 241:321(80) ack 0 win 32016 (DF) [tos 0x10]
    20:01:54.988508 192.168.1.100.2474 > 192.168.1.2.ssh: . ack 161 win 16800 (DF)
    20:01:54.988627 192.168.1.2.ssh > 192.168.1.100.2474: P 321:465(144) ack 0 win 32016 (DF) [tos 0x10]
    20:01:54.990771 192.168.1.100.2474 > 192.168.1.2.ssh: . ack 321 win 16640 (DF)
    20:01:55.117890 192.168.1.100.2474 > 192.168.1.2.ssh: . ack 465 win 16496 (DF)
    20:01:55.746665 192.168.1.1.1901 > 239.255.255.250.1900: udp 269
    20:01:55.749466 192.168.1.1.1901 > 239.255.255.250.1900: udp 325
    20:01:55.751968 192.168.1.1.1901 > 239.255.255.250.1900: udp 253
    20:01:55.754145 192.168.1.1.1901 > 239.255.255.250.1900: udp 245
    20:01:55.756781 192.168.1.1.1901 > 239.255.255.250.1900: udp 289
    20:01:55.759258 192.168.1.1.1901 > 239.255.255.250.1900: udp 265
    20:01:55.761763 192.168.1.1.1901 > 239.255.255.250.1900: udp 319
    20:01:55.764365 192.168.1.1.1901 > 239.255.255.250.1900: udp 317
    20:01:55.767103 192.168.1.1.1901 > 239.255.255.250.1900: udp 321
    20:01:55.769557 192.168.1.1.1901 > 239.255.255.250.1900: udp 313
    20:01:56.336697 192.168.1.100.2474 > 192.168.1.2.ssh: P 0:80(80) ack 465 win 16496 (DF)
    [<user>@<host> snort]#

You can use different command line options with tcpdump to manipulate the display of data. For more information about tcpdump, use the "man tcpdump" command or see Appendix A.

2.7.2 Network Intrusion Detection Mode

In intrusion detection mode, Snort does not log each captured packet as it does in the network sniffer mode. Instead, it applies rules on all captured packets. If a packet matches a rule, only then is it logged or an alert is generated. If a packet does not match any rule, the packet is dropped silently and no log entry is created.

When you use Snort in intrusion detection mode, typically you provide a configuration file on the command line. This configuration file contains Snort rules or references to other files that contain Snort rules. In addition to rules, the configuration file also contains information about input and output plug-ins, which are discussed in Chapter 4. The typical name of the Snort configuration file is snort.conf. We have previously saved the snort.conf configuration file in the /opt/snort/etc directory along with other files. This was done during the installation procedure.
The following command starts Snort in the Network Intrusion Detection (NID) mode [5]:

    snort -c /opt/snort/etc/snort.conf

When you start this command, Snort will read the configuration file /opt/snort/etc/snort.conf and all other files included in this file. Typically these files contain Snort rules and configuration data. After reading these files, Snort will build its internal data structures and rule chains. All captured packets will then be matched against these rules and appropriate action will be taken, if configured to do so.

[5] If you used the RPM package to install Snort, the typical location of the Snort configuration file is /etc/snort/snort.conf.
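The two passages above describe the same capture seen two ways: in sniffer mode every packet is logged, while in intrusion detection mode only packets that match a rule produce an alert and everything else is dropped silently. The following script is an added example, not code from the book or from the Snort project: it parses a few tcpdump-style lines constructed from the capture shown earlier (the regular expression only covers the line shapes that appear there), summarizes them per conversation the way sniffer-mode logging would, and then applies a hypothetical rule list (plain dictionaries, a simplification that is not Snort rule syntax) so that only matching packets are reported.

```python
"""Added example: contrast sniffer-mode logging (every packet recorded) with
IDS-mode logging (only rule matches reported) over tcpdump-style output.
The sample lines are constructed from the capture in the text; the rule
format is a hypothetical simplification, not Snort rule syntax."""
import re
from collections import Counter

# Constructed sample in the format printed by `tcpdump -r <snort log>`.
SAMPLE = """\
20:01:54.984286 192.168.1.100.2474 > 192.168.1.2.ssh: . ack 4119588794 win 16960 (DF)
20:01:54.984407 192.168.1.2.ssh > 192.168.1.100.2474: P 81:161(80) ack 0 win 32016 (DF) [tos 0x10]
20:01:55.746665 192.168.1.1.1901 > 239.255.255.250.1900: udp 269
20:01:55.749466 192.168.1.1.1901 > 239.255.255.250.1900: udp 325
20:01:56.336697 192.168.1.100.2474 > 192.168.1.2.ssh: P 0:80(80) ack 465 win 16496 (DF)
"""

# "<time> <src>.<sport> > <dst>.<dport>: <rest>", as tcpdump prints it.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+)\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\S+)\s+>\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>[^:]+):\s+(?P<rest>.*)$"
)


def parse_line(line):
    """Return a dict for one tcpdump line, or None if it is not a packet line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    pkt = m.groupdict()
    # tcpdump prints "udp <len>" for UDP datagrams; the TCP lines in the
    # sample carry flag/sequence notation instead.
    pkt["proto"] = "udp" if pkt["rest"].startswith("udp") else "tcp"
    return pkt


def parse_capture(text):
    return [p for p in (parse_line(ln) for ln in text.splitlines()) if p]


def sniffer_mode(packets):
    """Sniffer mode: every packet counts. Returns packets per conversation."""
    return Counter((p["proto"], p["src"], p["dst"], p["dport"]) for p in packets)


def matches(rule, pkt):
    """A rule matches when every field it names equals the packet's field."""
    return all(pkt[k] == v for k, v in rule.items() if k != "msg")


def ids_mode(packets, rules):
    """IDS mode: only packets matching some rule are reported; the rest are
    dropped silently, so the returned list is usually much shorter."""
    alerts = []
    for p in packets:
        for r in rules:
            if matches(r, p):
                alerts.append((p["ts"], r["msg"], p["src"], p["dst"]))
                break  # first matching rule wins in this simplification
    return alerts


# Hypothetical rule: report UDP traffic to the SSDP multicast group and port
# seen in the capture. Field names are this script's own, not Snort's.
RULES = [
    {"proto": "udp", "dst": "239.255.255.250", "dport": "1900",
     "msg": "UDP to SSDP multicast group"},
]

if __name__ == "__main__":
    pkts = parse_capture(SAMPLE)
    print("sniffer mode: %d packets logged" % len(pkts))
    for conv, n in sniffer_mode(pkts).items():
        print("  %-4s %s -> %s/%s: %d" % (conv[0], conv[1], conv[2], conv[3], n))
    alerts = ids_mode(pkts, RULES)
    print("IDS mode: %d alerts, %d packets dropped silently"
          % (len(alerts), len(pkts) - len(alerts)))
    for ts, msg, src, dst in alerts:
        print("  %s %s %s -> %s" % (ts, msg, src, dst))
```

Run it as a script to see the two summaries side by side; with the sample above, sniffer mode records all five packets while the single rule yields two alerts and silently drops the three SSH packets, which is the behaviour the section attributes to Snort's NID mode.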
Chapter 2 Installing Snort and Getting Started

If you modify the snort.conf file, or any other file included in this file, you have to restart Snort for the changes to take effect.

Other command line options and switches can be used when Snort is working in IDS mode. For example, you can log data into files as well as display data on the command line. However, if Snort is being used for long-term monitoring, the more data you log, the more disk space you need. Logging data to the console also requires some pro-