Questions about this topic? Sign up to ask in the talk tab.

Difference between revisions of "NIDS"

From NetSec
Jump to: navigation, search
(Snort)
(Snort)
Line 14: Line 14:
 
snort -i wlan0
 
snort -i wlan0
 
}}
 
}}
 +
 +
By default, the packets will be displayed to STDOUT as packets are capture, which isn't particularly useful. In order to log to a tcpdump-syntax file, you can use the -l option, for example:
 +
 +
{{code|text=
 +
snort -l /var/log/sniff/
 +
}}
 +
 +
In order to read the logs, use a program capable of reading tcpdump-style logs - with tcpdump, use the -r option to read - you may wish to pipe it through less for readability:
 +
 +
{{code|text=
 +
tcpdump -r /var/log/sniff/snort.log.03229112 | less
 +
}}
 +
 +
 +
Some other useful options:
 +
 +
* -v: show only packet headers
 +
* -vd: show bothc packet headers and data
  
 
===Rules===
 
===Rules===

Revision as of 05:05, 29 November 2011

Network layer Intrusion Detection Systems

NIDS are an IDS that monitor all traffic to and from all network devices. It will read incoming packets looking for suspicious patterns. Popular NIDs such as snort and Cisco IDS are used often-times in conjunction with a firewall to form an IPS. Also commonly used to send information to a SIM or SIMS

Snort

Snort is a packet sniffer and intrusion detection system that can be used to add a layer of surveillance to your system. In this way, it is similar to tcpdump, but with some more advanced rule-setting capabilities for detecting certain forms of packets. Snort is one of the most widely used IDSes under Linux, and a port exists for the Windows Operating System.

Basic Packet Sniffing Utilities

Once installed, snort can be set up with basic packet sniffing functionality simply by typing "snort" into a terminal or command prompt. It will run in the default mode using the default interface - for me, this is eth0, the wired connection. A new interface can be specified with the -i option. For example, to run snort on the wireless interace:

snort -i wlan0

By default, the packets will be displayed to STDOUT as packets are capture, which isn't particularly useful. In order to log to a tcpdump-syntax file, you can use the -l option, for example:

snort -l /var/log/sniff/

In order to read the logs, use a program capable of reading tcpdump-style logs - with tcpdump, use the -r option to read - you may wish to pipe it through less for readability:

tcpdump -r /var/log/sniff/snort.log.03229112


Some other useful options:

  • -v: show only packet headers
  • -vd: show bothc packet headers and data

Rules