Post

Sws101_snort

Posted Updated
By Yonten kinley tenzin 1 min read

Snort is a leading open-source Intrusion Prevention System (IPS) worldwide. It uses rules to identify malicious network activity, generating alerts when it detects matching packets.

Interactive Material and VM

I deployed the machine and open split view.

text

After splitting the view I have opened the task exercise folder.

text

Then inside the folder I opened terminal.

text

Inside the terminal I ran this command

1

./.easy.sh

text

And found the ouput ‘ Too Easy! ‘

text

Intrusion Detection System (IDS)

IDS watches for bad stuff happening on the network and sends alerts when it finds something suspicious.

There are two tpes of IDS:

  1. Network Intrusion Detection System (NIDS): Watches network traffic across the whole subnet, aiming to spot threats. Alerts if it finds a signature.

  2. Host-based Intrusion Detection System (HIDS): Monitors traffic on a single device to catch threats. Alerts when it detects a signature.

Intrusion Prevention System (IPS)

It actively monitors and protects networks from malicious activities by blocking or preventing unauthorized access, abnormal behavior, and security threats in real-time.

There are four main types of IPS systems:

  • Network Intrusion Prevention System (NIPS)
  • Behaviour-based Intrusion Prevention System (Network Behaviour Analysis - NBA)
  • Wireless Intrusion Prevention System (WIPS)
  • Host-based Intrusion Prevention System (HIPS)

Detection/Prevention Techniques

alt text

First Interaction with SNORT

Use the following command to verify snort is installed or not

1

snort -V

we should ensure our configuration file is valid.for that we use “-T” for testing configuration, and “-c” for identifying the configuration file (snort.conf).

1

sudo snort -c /etc/snort/snort.conf -T

Following image is some common parameter used in snort

alt text

alt text

It runs Snort in verbose mode, providing detailed output.

1

sudo snort -v

It runs Snort in packet dump mode, displaying packet data.

1

sudo snort -d

It runs Snort in packet dump mode with extra data, providing additional information.

1

sudo snort -de

It runs Snort in packet dump mode with extra data and payloads, showing payload content.

1

sudo snort -X
SWS101, Defensive Security
SWS 101
This post is licensed under CC BY 4.0 by the author.

Trending Tags

101 SWS DBS INTERN JOURNAL