Posted by : Muhammad Haseeb Javed Wednesday, January 5, 2011
There are three main modes in which Snort can be configured: sniffer, packet logger, and network intrusion detection system.
- Sniffer mode simply reads the packets off of the network and displays them for you in a continuous stream on the console.
- Packet logger mode logs the packets to the disk.
- Network intrusion detection mode is the most complex and configurable configuration, allowing Snort to analyze network traffic for matches against a user defined rule set
The main distribution site for Snort is http://www.snort.org. Snort is distributed under the GNU GPL license by the author Martin Roesch. Snort is a lightweight network IDS, capable of performing real-time traffic analysis and packet logging on IP networks. It can perform protocol analysis, content searching/matching.
Snort logs packets in either tcpdump binary format or in Snort's decoded ASCII format to logging directories that are named based on the IP address of the foreign host. In our lab, we start using Snort as a packet sniffer and a packet analyzer. Apart from running in a promiscuous mode, we will also see how it will help us log interesting IPs. Using Snort as a packet sniffer and packet analyzer is an easy process. The man pages are very helpful.
From the command line prompt we set Snort to a verbose display of the packets sniffed and analyzed. e.g. - The command given below captures all the packets belonging to the class C internal IP's of the type 192.168.20.*.
C:\>snort -v -d -e -i etho -h 192.168.20.0/24 -1 log
The '-v' switch brings forth a verbose response.
The '-d' switch helps in dumping the decoded application layer data
While '-e' shows the decoded Ethernet headers.
The '-i' switch specifies the interface to be monitored for packet analysis.
The '-h' switch specifies which class of network packets has to be captured.
The -l option tells snort to dump the packets in the log file.
The packets are captured in hex format by default (this can be changed to binary -b) and sorted by IP address to facilitate easy mapping and decoding of data.
06/22-16:36:44.959860 0:C1:26:E:AF:10 -> 0:A0:C5:4B:52:FC type:0x800 len:0x4D
192.168.2.96:1629 -> 22.214.171.124:53 UDP TTL:128 TOS:oxo ID:38429 IpLen:20 DgmLen:63
00 02 0100 00 00 01 00 00 00 00 00 00 03 77 77 77 .............www
09 61 69 72 6C 69 6E 65 72 73 03 6E 65 74 00 00 .airliners.net..
01 00 01 ...