One of the Linux applications that can be used to improve computer security is Snort. Broadly speaking, Snort is a program with three functions, or three modes of operation. In packet sniffer mode, Snort works as a sniffer like Wireshark. Just like Wireshark, Snort can also save every captured packet to storage in packet logger mode. Unlike Wireshark, however, Snort can run in Network Intrusion Detection System (NIDS) mode. In this last mode Snort analyzes each packet against a set of rules in order to recognize attack attempts.
To start using Snort, download Snort's prerequisites as well as its source, then build and install it. Users of the Ubuntu distribution should note that the libdnet package in that distribution is a different library from the one Snort requires: Ubuntu's libdnet is a DECnet library, while the libdnet that Snort needs has been renamed libdumbnet there. In that case, download the libdnet source from Google Code and install it under /usr instead of /usr/local; the trick is to add the argument --prefix=/usr when calling its configure script.
root@server: wget 192.168.137.1/snort-18.104.22.168.tar.gz
tar zxf snort-22.214.171.124.tar.gz
Enter the extracted directory using the following command:
cd snort-22.214.171.124
Enter the following command:
./configure && make && make install
The above command configures the makefile, compiles the code, and installs the executable in the appropriate place.
When you run the commands above, you will see the following error if the required libpcap library is not installed:
ERROR! Libpcap library/headers (libpcap.a (or .so)/pcap.h) not found
In order to install the required library, use the following command:
yum install libpcap libpcap-devel
After the library is installed, repeat the configure, make, and make install steps above. Snort will then install successfully on your dedicated server.
Once the installation is done, copy the file snort-126.96.36.199/etc/snort.conf to /etc/snort/snort.conf on your server. Edit the settings according to your requirements.
Create the following snort.conf and icmp.rules files:
# cat /etc/snort/snort.conf
include /etc/snort/rules/icmp.rules
# cat /etc/snort/rules/icmp.rules
alert icmp any any -> any any (msg:"ICMP Packet"; sid:477; rev:3;)
The above basic rule generates an alert whenever an ICMP packet (for example, a ping) is seen.
Following is the structure of the alert rule:
<Rule Action> <Protocol> <Source IP Address> <Source Port> <Direction Operator> <Destination IP Address> <Destination Port> (rule options)
For the ICMP rule above, the fields are:
|Rule Action|alert|
|Protocol|icmp|
|Source IP Address|any|
|Source Port|any|
|Direction Operator|->|
|Destination IP Address|any|
|Destination Port|any|
|(rule options)|(msg:"ICMP Packet"; sid:477; rev:3;)|
Execute Snort from the command line as shown below.
# snort -c /etc/snort/snort.conf -l /var/log/snort/
Add the -D option to run Snort as a daemon.
# snort -D -c /etc/snort/snort.conf -l /var/log/snort/
The configuration file shown below causes Snort to write an entry to the file named alert each time TCP traffic from the IP address 192.168.137.223 is seen, with the message "Akses Dari Dia" ("Access is from Him"). This is of course a simple configuration that is not worth much by itself, but it is enough to show that the Snort configuration syntax is fairly involved. The example contains a variable named LOG_IP; writing $LOG_IP elsewhere in the file substitutes the variable's value.
Arguments that are usually given on the command line when calling Snort can also be written into the configuration file, so they do not need to be supplied manually each time Snort is run, as shown below:
# same as the -D argument
config daemon
# same as the -d argument
config dump_payload
# same as the -l argument
config logdir: /var/log/snort
var LOG_IP 192.168.137.223
alert tcp $LOG_IP any -> any any (msg: "Akses Dari Dia"; sid:1;)
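To make the rule anatomy from the table above and the $LOG_IP substitution in this configuration concrete, here is a small Python parser added for this page. It is not Snort's own code (Snort is written in C) and handles only the subset of syntax shown here: var lines, config directives, single-line rules with the -> direction operator, and the msg/sid/rev options. The sample configuration embedded in it is constructed from the fragments on this page, and the packet tuples are constructed test input. It also evaluates the parsed rule headers against those packets to show which rule would fire, which the page only describes in prose.

```python
"""Minimal parser for the Snort configuration and rule syntax shown on this page.

Handles 'var NAME VALUE', 'config directive[: value]' and rules of the form
'action proto src_ip src_port -> dst_ip dst_port (options)', expanding
$VARIABLE references in the rule header before parsing it.
"""
import re
from dataclasses import dataclass, field

# Constructed sample: the snort.conf fragment from the page plus the ICMP rule.
SAMPLE_CONF = """\
# same as the -D argument
config daemon
# same as the -l argument
config logdir: /var/log/snort
var LOG_IP 192.168.137.223
alert tcp $LOG_IP any -> any any (msg: "Akses Dari Dia"; sid:1;)
alert icmp any any -> any any (msg:"ICMP Packet"; sid:477; rev:3;)
"""

# Rule header: action proto src_ip src_port direction dst_ip dst_port (options)
HEADER_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src_ip>\S+)\s+(?P<src_port>\S+)\s+"
    r"(?P<direction>->)\s+(?P<dst_ip>\S+)\s+(?P<dst_port>\S+)\s*\((?P<options>.*)\)\s*$"
)


@dataclass
class Rule:
    action: str
    proto: str
    src_ip: str
    src_port: str
    direction: str
    dst_ip: str
    dst_port: str
    options: dict = field(default_factory=dict)


def expand_vars(text, variables):
    """Replace $NAME tokens with values from earlier 'var' lines; unknown names are an error."""
    def repl(m):
        name = m.group(1)
        if name not in variables:
            raise ValueError(f"undefined variable ${name}")
        return variables[name]
    return re.sub(r"\$(\w+)", repl, text)


def parse_options(text):
    """Split 'msg:"x"; sid:1; rev:3;' into a dict, honouring ';' only outside quotes."""
    opts = {}
    for part in re.findall(r'(?:[^;"]|"[^"]*")+', text):
        part = part.strip()
        if not part:
            continue
        key, _, val = part.partition(":")
        opts[key.strip()] = val.strip().strip('"')
    return opts


def parse_conf(text):
    """Return (variables, config directives, rules) from a snort.conf-style string."""
    variables, configs, rules = {}, {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or comment
        if line.startswith("var "):
            _, name, value = line.split(None, 2)
            variables[name] = value
        elif line.startswith("config "):
            key, _, val = line[len("config "):].partition(":")
            configs[key.strip()] = val.strip() or True  # bare 'config daemon' -> True
        else:
            m = HEADER_RE.match(expand_vars(line, variables))
            if not m:
                raise ValueError(f"unparseable rule: {line}")
            d = m.groupdict()
            options = parse_options(d.pop("options"))
            rules.append(Rule(options=options, **d))
    return variables, configs, rules


def matches(rule, proto, src_ip, src_port, dst_ip, dst_port):
    """Evaluate a rule header against one packet; header fields are 'any' or an exact value."""
    def ok(pattern, value):
        return pattern == "any" or pattern == str(value)
    return (rule.proto == proto and ok(rule.src_ip, src_ip) and ok(rule.src_port, src_port)
            and ok(rule.dst_ip, dst_ip) and ok(rule.dst_port, dst_port))


def alerts_for(rules, packets):
    """For each (proto, src_ip, src_port, dst_ip, dst_port) tuple, list the msg of every firing rule."""
    return [[r.options["msg"] for r in rules if matches(r, *pkt)] for pkt in packets]


if __name__ == "__main__":
    variables, configs, rules = parse_conf(SAMPLE_CONF)
    print("vars:", variables, "config:", configs)
    for r in rules:
        print(r)
    # Constructed packets: TCP from LOG_IP, an ICMP echo, and TCP from another host.
    packets = [("tcp", "192.168.137.223", 4444, "10.0.0.5", 80),
               ("icmp", "10.0.0.1", "any", "10.0.0.2", "any"),
               ("tcp", "10.0.0.9", 1, "10.0.0.5", 80)]
    print(alerts_for(rules, packets))
```

Run it directly to see the two parsed rules and which constructed packets fire them: the TCP rule fires only for the source address bound to $LOG_IP, while the ICMP rule fires for any ICMP packet, which is exactly why the page calls the ICMP rule a basic catch-all.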