>> In network intrusion detection system mode, Snort records only packets defined by a set of rules. Rules are stored in a configuration file, loaded by Snort with the -c option. Here's a file I just made. The first line declares the HOME_NET variable and assigns to it my subnet ID, 192.168.1.0/24, as a value. The second line is the rule itself. The rule header starts off with the word alert, which will alert and log when packets contain TCP segments from any source IP address and any source port sent to an IP address on my home network with a destination port of 4444. The rule option contains msg, message, logging the string "possible Metasploit attack", and the sid, Snort rule ID, to uniquely identify this rule. Remember in our Metasploit activities, a source port of 4444 was used for the reverse TCP Meterpreter shell. To simulate an IDS detecting this, we're going to use port 4444 as a destination port on the victim machine and not a source port on the attacker machine. And now we're ready to start Snort. We're going to be logging to C:\Snort\log, and we'll use the Jonathan.conf file which contains our rule. Now we're going to switch on over to the Kali box. First I'm going to send a ping to the Windows machine running Snort. Next I'll try to access a web server on port 4444 of the machine running Snort. I'm doing this to generate TCP traffic to a destination port of 4444 on the machine running Snort. Now let's stop Snort with Ctrl-C. Looking in C:\Snort\log, we see two files. When we open up alert.ids, we see the text entry generated: possible Metasploit attack. When we open up the log file in Wireshark, we see just the offending packet.
>> We're going to run Snort in network intrusion detection system mode again. Think back to our port scanning activities. I've got a configuration file that will be telling Snort to look for the FIN scan with the FIN flag; the Xmas scan with the FIN, URG, and PSH flags; and the Null scan with no flags. Let's start Snort with logging and the Scott.conf file that contains these three port scanning rules. Now let's head over to Kali. We'll scan port 80 of the Windows machine running Snort with the FIN scan, the Xmas scan, and the Null scan. Back on the Windows machine running Snort, in C:\Snort\log, there are two files. When we open up alert.ids, we see the text entries regarding the detected scans. And when we open up the log file in Wireshark, we see just the offending packets encapsulating the TCP segment headers.
>> We're going to run Snort in network intrusion detection system mode one final time. This time, however, we're going to use some files that come with Snort, starting with classification.conf, which can be found in C:\Snort\etc. The following includes information for prioritizing rules. Each classification includes a short name, a description, and a default priority for that classification. This allows alerts to be classified and prioritized. You can specify what priority each classification has. Any rule can override the default priority for that rule. The second file, preprocessor.rules, can be found in C:\Snort\preproc_rules. The third file, decoder.rules, can be found in the same location as preprocessor.rules, which is C:\Snort\preproc_rules. We're also going to be using sfPortscan to detect port scanning. Check out the README page on snort.org. Let's start Snort with logging and the weissman.conf file. Back in Kali, we're going to send some scans to the Windows machine running Snort: SYN, Connect, FIN, Xmas, and Null. A look at alert.ids is very revealing. Back on the README page: in order to get all the port scan information logged with the alert, Snort generates a pseudo-packet and uses the payload portion to store the additional port scan information. When I open up the log file in Wireshark, I see two such payloads, in addition to the scans.
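As an added example that is not part of the original transcript or the speaker's own files: one Snort 2 configuration reconstructing the rules and preprocessor settings the three segments describe. The HOME_NET value comes from the transcript; the sid numbers, msg strings, include paths and the minimal stream5 lines are assumptions.

```snort
# Added reconstruction (assumed contents; the speaker's actual Jonathan.conf,
# Scott.conf and weissman.conf files are not on the page).
var HOME_NET 192.168.1.0/24
var EXTERNAL_NET any
var PREPROC_RULE_PATH C:\Snort\preproc_rules

# Segment 1: any TCP traffic to destination port 4444 on the home network.
# sids below 1000000 are reserved for official rules, so local rules use
# 1000000 and up (assumed values).
alert tcp $EXTERNAL_NET any -> $HOME_NET 4444 (msg:"Possible Metasploit attack"; sid:1000001; rev:1;)

# Segment 2: the three scans differ only in their TCP flag bits. With no
# modifier, "flags:" matches the exact flag set, so these rules do not fire
# on ordinary FIN/ACK or PSH/ACK segments of a normal connection.
alert tcp $EXTERNAL_NET any -> $HOME_NET any (flags:F;   msg:"FIN scan detected";  sid:1000002; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (flags:FPU; msg:"Xmas scan detected"; sid:1000003; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (flags:0;   msg:"Null scan detected"; sid:1000004; rev:1;)

# Segment 3: classification/priority metadata, the decoder and preprocessor
# event rules, and the sfPortscan preprocessor. sfPortscan is placed after
# stream5 (assumed minimal stream5 settings). It reports each detected scan in
# the payload of a pseudo-packet, which is why the Wireshark log shows extra
# "packets" alongside the scan probes themselves.
include C:\Snort\etc\classification.config
include $PREPROC_RULE_PATH\preprocessor.rules
include $PREPROC_RULE_PATH\decoder.rules
preprocessor stream5_global: track_tcp yes
preprocessor stream5_tcp: policy windows
preprocessor sfportscan: proto { all } scan_type { all } sense_level { low }
```

Started the way the transcript does (snort -c <path to this file> -l C:\Snort\log), the text alerts land in C:\Snort\log\alert.ids and the matching packets in the binary log file next to it.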
Reposted from: https://www.cnblogs.com/sec875/articles/10028757.html
Related resources: Snort_2_8_6_Installer.exe