When you actually run a NIDS, Snort needs to run in daemon mode.

If you install the RPM, the package already contains a snortd init script and installs it under /etc/rc.d/init.d/. Once Snort's configuration file is set up, just use chkconfig to turn snortd on:

    chkconfig --add snortd
    chkconfig snortd on

or

    chkconfig --level 3 snortd on

Change the level to your machine's runlevel. You can see which runlevel you are running at with:

    cat /etc/inittab | grep id
    id:5:initdefault:

Here the machine is running at runlevel 5.

Set up the servers

We need to do some settings on the servers so that they send their logs to our logger server. First, we set /etc/syslog.conf to log to an IP that is valid on our network but does not exist. For example, our network is 192.168.1.0/24 and no machine has the address 192.168.1.123, which means that IP is actually empty. We point the logging there; you can point it at any valid but unused IP. Edit /etc/syslog.conf (vim /etc/syslog.conf) and add:

    *.info    @192.168.1.123

If your system uses syslog-ng, edit /etc/syslog-ng/syslog-ng.conf (vim /etc/syslog-ng/syslog-ng.conf) and add:

    destination d_loghost { udp(ip(192.168.1.123) port(514)); };
    filter f_info { level(info); };
    log { filter(f_info); destination(d_loghost); };

We also need to add a static ARP entry. If your network is on a hub, the MAC address for the unused IP can be a fake one. If you are connected to a switch, you must enter the real MAC address of the logger server. Here we add our logger server's real MAC address:

    arp -s 192.168.1.123 00:D0:B7:DB:BF:95

Set up the logger server

On the logger server, set /etc/snort/snort.conf:

    var EXTERNAL_NET any
    # equals snort -d
    config dump_payload
    # equals snort -C
    config dump_chars_only
    # set the directory the logs are kept in
    config logdir: /var/log/snort
    # frag2 does fragment re-assembly for us
    preprocessor frag2
    log udp 192.168.1.1/32 any -> 192.168.1.123/32 514 (logto: "logged-packets";)

The last line needs a little explanation. Here we use Snort as a packet logger; in other words, not everything is written to /var/log/snort/alert. Instead, it logs any packets that match the rule without writing an alert.

udp: we are using the UDP protocol; syslog usually uses UDP.
192.168.1.1/32: only our server, that is, the machine sending the logs. If you want to collect the logs of the whole network you can also use 192.168.1.0/24.
any: any source port.
->: this is the direction operator.
192.168.1.123/32 514: the empty IP, port 514.
logto: if it is not specified, the log is saved in separate files. Specifying logto puts all the logs in the file we name, which looks more convenient.

It is safer to save the logs on a more securely protected server. Snort is actually pretty powerful; this is only a simple presentation. If you are interested in these things, you can find very many useful documents at www.snort.org/docs/.
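Once the log rule is capturing the syslog datagrams, you still need to get the messages back out of the capture. As an added example (not from the original post), the Python below assumes the logged packets are in libpcap (tcpdump) format, as with Snort's binary (-b) logging, and builds a small constructed capture inline so it runs offline; it filters the same way the rule does (UDP to 192.168.1.123 port 514) and splits each RFC 3164 record into facility, severity and message.

```python
import struct

LOGGER_IP = "192.168.1.123"   # the unused address the servers send syslog to
LOGGER_MAC = bytes.fromhex("00d0b7dbbf95")   # MAC from the static ARP entry
SEVERITY = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

def parse_pri(payload: bytes):
    """Split an RFC 3164 datagram '<PRI>msg' into (facility, severity, msg)."""
    end = payload.find(b">", 1, 6)
    if not payload.startswith(b"<") or end < 2:
        return None, None, payload.decode("latin-1")
    pri = int(payload[1:end])
    return pri // 8, SEVERITY[pri % 8], payload[end + 1:].decode("latin-1")

def syslog_records(pcap: bytes):
    """Return (src_ip, facility, severity, msg) for every UDP/514 datagram to LOGGER_IP."""
    endian = "<" if pcap[:4] == b"\xd4\xc3\xb2\xa1" else ">"   # byte order from pcap magic
    offset, records = 24, []                                  # skip 24-byte global header
    while offset + 16 <= len(pcap):
        caplen, = struct.unpack_from(endian + "I", pcap, offset + 8)
        frame, offset = pcap[offset + 16:offset + 16 + caplen], offset + 16 + caplen
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":    # need an IPv4 header
            continue
        ihl = (frame[14] & 0x0F) * 4
        ip, udp = frame[14:14 + ihl], frame[14 + ihl:]
        if ip[9] != 17 or len(udp) < 8:                        # not UDP
            continue
        dst = ".".join(map(str, ip[16:20]))
        dport, ulen = struct.unpack_from(">HH", udp, 2)
        if dst == LOGGER_IP and dport == 514:                  # what the log rule matches
            records.append((".".join(map(str, ip[12:16])),) + parse_pri(udp[8:ulen]))
    return records

def udp_frame(src_ip: str, dst_ip: str, dport: int, payload: bytes) -> bytes:
    """Constructed Ethernet/IPv4/UDP frame (checksums left zero; test data only)."""
    addr = lambda s: bytes(int(o) for o in s.split("."))
    udp = struct.pack(">HHHH", 514, dport, 8 + len(payload), 0) + payload
    ip = struct.pack(">BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 1, 0, 64, 17, 0, addr(src_ip), addr(dst_ip))
    return LOGGER_MAC + bytes.fromhex("001122334455") + b"\x08\x00" + ip + udp

def sample_pcap() -> bytes:
    """Constructed capture: two syslog datagrams from 192.168.1.1 and one unrelated DNS query."""
    frames = [udp_frame("192.168.1.1", LOGGER_IP, 514, b"<38>Mar  1 10:00:00 www sshd[812]: Accepted publickey for root"),
              udp_frame("192.168.1.1", "192.168.1.2", 53, b"\x00" * 12),
              udp_frame("192.168.1.1", LOGGER_IP, 514, b"<13>Mar  1 10:00:01 www su: root login on tty1")]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)   # global header, linktype 1 = Ethernet
    for f in frames:
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out
```

To use it on a real capture, read the logged-packets file into bytes and pass it to syslog_records() in place of sample_pcap().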