Wednesday, January 5, 2011

Linux security log logging server

First, we need to edit /etc/snort/snort.conf so that it matches the specific needs of your own machine.

# Set log storage place
config logdir: /var/log/snort

# Set network variables
var HOME_NET 192.168.1.0/24
var EXTERNAL_NET any
var HTTP_SERVERS $HOME_NET
var SMTP $HOME_NET
var SQL_SERVERS $HOME_NET
var DNS_SERVERS 192.168.1.250/32
var RULE_PATH ./

# Set preprocessors
preprocessor frag2
preprocessor stream4: detect_scans
preprocessor stream4_reassemble
preprocessor portscan: $HOME_NET 4 3 portscan.log

# Set output
output database: log, mysql, user=root dbname=snort host=localhost

# Rules
alert tcp $HOME_NET 7161 -> $EXTERNAL_NET any (msg:"MISC Cisco Catalyst Remote Access"; flags:SA; reference:arachnids,129; reference:cve,CVE-1999-0430; classtype:bad-unknown; sid:513; rev:1;)

# Set the rule path; these are some additional rules files
include $RULE_PATH/bad-traffic.rules
include $RULE_PATH/exploit.rules
include $RULE_PATH/scan.rules
include $RULE_PATH/ftp.rules

There are a lot of these rules. You can write them yourself, or download good ones that other people have written. Now let's run Snort:

snort -c /etc/snort/snort.conf -D -i eth0

Snort now runs in NIDS mode. By default, alerts are placed in /var/log/snort/alert and port-scan records in /var/log/snort/portscan.log.
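To check that the variables and the rule header above actually resolve the way you intend before Snort loads them, here is an added example (not code from the original post or from the Snort project): a small Python parser for the `var`, `include` and rule lines in the configuration, with `$NAME` substitution. The configuration text embedded in it is constructed from the excerpt above; an undefined variable raises an error, which is the failure mode a mistyped variable name produces.

```python
"""Parse Snort 'var', 'include' and rule lines with $VAR substitution.

Added example, not part of the original post. The config text below is a
constructed excerpt mirroring the snort.conf shown on the page.
"""
import re

SNORT_CONF = """
# Set network variables (constructed sample)
var HOME_NET 192.168.1.0/24
var EXTERNAL_NET any
var HTTP_SERVERS $HOME_NET
var DNS_SERVERS 192.168.1.250/32
var RULE_PATH ./
# Rules
alert tcp $HOME_NET 7161 -> $EXTERNAL_NET any (msg:"MISC Cisco Catalyst Remote Access"; flags:SA; reference:arachnids,129; reference:cve,CVE-1999-0430; classtype:bad-unknown; sid:513; rev:1;)
include $RULE_PATH/bad-traffic.rules
"""

# Rule header: action proto src sport direction dst dport (options)
HEADER_RE = re.compile(
    r'^(?P<action>alert|log|pass)\s+(?P<proto>\w+)\s+'
    r'(?P<src>\S+)\s+(?P<sport>\S+)\s+(?P<dir>->|<>)\s+'
    r'(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$'
)
VAR_RE = re.compile(r'^\s*var\s+(\w+)\s+(\S+)')


def resolve(value, variables):
    """Replace every $NAME in value; an unknown name is an error."""
    def sub(match):
        name = match.group(1)
        if name not in variables:
            raise ValueError(f"undefined variable ${name}")
        return variables[name]
    return re.sub(r'\$(\w+)', sub, value)


def parse_vars(text):
    """Collect var definitions in file order so later vars may use earlier ones."""
    variables = {}
    for line in text.splitlines():
        m = VAR_RE.match(line)
        if m:
            variables[m.group(1)] = resolve(m.group(2), variables)
    return variables


def parse_options(opts):
    """Split 'key:value;' pairs; keys such as reference may repeat, so keep a list."""
    out = []
    for item in opts.split(';'):
        item = item.strip()
        if not item:
            continue
        key, _, val = item.partition(':')
        out.append((key.strip(), val.strip().strip('"')))
    return out


def parse_rule(line, variables):
    """Parse one rule line and resolve the $VARs in its header."""
    m = HEADER_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a rule line: {line!r}")
    rule = m.groupdict()
    rule['options'] = parse_options(rule.pop('opts'))
    for field in ('src', 'sport', 'dst', 'dport'):
        rule[field] = resolve(rule[field], variables)
    rule['sid'] = next((int(v) for k, v in rule['options'] if k == 'sid'), None)
    rule['msg'] = next((v for k, v in rule['options'] if k == 'msg'), None)
    return rule


def parse_config(text):
    """Return (variables, rules, resolved include paths) for a config text."""
    variables = parse_vars(text)
    rules, includes = [], []
    for line in text.splitlines():
        s = line.strip()
        if not s or s.startswith('#'):
            continue
        if HEADER_RE.match(s):
            rules.append(parse_rule(s, variables))
        elif s.startswith('include '):
            includes.append(resolve(s.split(None, 1)[1], variables))
    return variables, rules, includes


if __name__ == '__main__':
    variables, rules, includes = parse_config(SNORT_CONF)
    print(variables)
    for r in rules:
        print(r['sid'], r['msg'], r['src'], r['sport'], r['dir'], r['dst'], r['dport'])
    print(includes)
```

The option splitter is deliberately simple: it splits on `;`, so a `msg` or `content` value that itself contains a semicolon would need a quote-aware tokenizer. For the header checks this post is concerned with (does `$HOME_NET` expand to the network you meant, does the rule carry the expected sid) it is sufficient.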
