Ben's notes

Linux, Unix, network, radio...

User Tools

Site Tools

Trace:
snort_2.9.6.1_centos_6.5

Link to this comparison view

Both sides previous revisionPrevious revision
Next revision		Previous revision
Last revisionBoth sides next revision
snort_2.9.6.1_centos_6.5 [2014/05/08 19:34] adminsnort_2.9.6.1_centos_6.5 [2014/06/10 12:04] admin
Line 1: Line 1:
 +{{tag>[security snort centos6.5]}}
 +=====Snort 2.9.6.1 on CentOS 6.5=====
 ====Install prerequisites==== ====Install prerequisites====
   * EPEL repo   * EPEL repo
Line 10: Line 12:
 ====Configure Snort==== ====Configure Snort====
   * Edit **/etc/sysconfig/snort**   * Edit **/etc/sysconfig/snort**
 +<code>
 +mkdir -p /usr/local/lib/snort_dynamicrules
 +chown -R snort:snort /usr/local/lib/snort_dynamicrules
 +chmod -R 700 /usr/local/lib/snort_dynamicrules
 +</code>
 +Copy any dynamic rulesets you have or are using to the above directory.
 +
 +====Test rule====
 +Put as last line in snort.conf
 +  alert icmp any any -> 1.2.3.4 any (msg: "Gateway ping"; sid:10000001;)
 +
 +Find the alerts in the log
 +<code>
 +05/09-09:00:07.648953  [**] [1:10000001:0] Gateway ping [**] [Priority: 0] {ICMP} 6.7.8.9 -> 1.2.3.4
 +05/09-09:00:07.654956  [**] [1:10000001:0] Gateway ping [**] [Priority: 0] {ICMP} 6.7.8.9 -> 1.2.3.4
 +05/09-09:00:07.660981  [**] [1:10000001:0] Gateway ping [**] [Priority: 0] {ICMP} 6.7.8.9 -> 1.2.3.4
 +05/09-09:00:07.666729  [**] [1:10000001:0] Gateway ping [**] [Priority: 0] {ICMP} 6.7.8.9 -> 1.2.3.4
 +</code>
 +
 +You can even show contents of the packets with tcpdump
 +  tcpdump -r snort.log.1399615922
  
  
snort_2.9.6.1_centos_6.5.txt · Last modified: 2021/10/09 15:14 by 127.0.0.1