24 October, 2013

IDS SNORT


Configure /etc/snort/snort.conf

var HOME_NET 10.0.0.0/8

var EXTERNAL_NET any

Configure /etc/snort/snort.debian.conf or /etc/init.d/snort

DEBIAN_SNORT_HOME_NET="10.0.0.0/8"

Log directory (read the alert file)

cat /var/log/snort/alert

Check that Snort is running

ps axu | grep snort

Create Rules

Add the new rule file to snort.conf (/etc/snort/snort.conf)
 
include $RULE_PATH/www1.rules  (where www1.rules is the name of the rules file)

TCP alert example:

alert tcp !10.0.101.0/24 any -> 10.0.220.11 any (msg:"Acceso denegado a servidor web www1"; sid:501501;)

(!10.0.101.0/24 = any source except this network; only this network may reach the server without raising the alert)

To watch these alerts on the console, run this command
snort -q -A console -i eth0 -c /etc/snort/snort.conf

Configure the Cisco device to send traffic (SPAN and RSPAN)

http://ittsm.blogspot.com.es/2013/04/ccnp-t-shoot-configure-span-and-rspan.html

Now we receive the mirrored traffic and can analyze it.

Example

10/21-15:43:40.628199  [**] [1:501501:0] Accesso Denegado A Servidor Web www1 [**] [Priority: 0] {TCP} 10.0.10.111:1984 -> 10.0.220.11:80
Done!
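As an added example (not part of the original post), the script below parses console-format alert lines like the one above and re-implements the header of the www1 rule to show what the "!" negation actually selects. The sample log lines, the helper names and the sid filter are constructed for this example.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample in Snort's console/fast alert format, modelled on the alert
# on this page (not real log data); the third line is deliberately malformed.
SAMPLE_ALERTS = """\
10/21-15:43:40.628199  [**] [1:501501:0] Accesso Denegado A Servidor Web www1 [**] [Priority: 0] {TCP} 10.0.10.111:1984 -> 10.0.220.11:80
10/21-15:44:02.101337  [**] [1:501501:0] Accesso Denegado A Servidor Web www1 [**] [Priority: 0] {TCP} 10.0.10.111:1985 -> 10.0.220.11:443
not an alert line
10/21-15:45:10.000001  [**] [1:501501:0] Accesso Denegado A Servidor Web www1 [**] [Priority: 0] {TCP} 172.16.5.9:51022 -> 10.0.220.11:80
"""

# Header of the page's rule: alert tcp !10.0.101.0/24 any -> 10.0.220.11 any
ALLOWED_NET = ipaddress.ip_network("10.0.101.0/24")
SERVER = ipaddress.ip_address("10.0.220.11")

ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\]\s+(?:\[Classification:[^\]]*\]\s+)?"
    r"\[Priority:\s*(?P<prio>\d+)\]\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)$"
)

def parse_alert(line):
    """Return the alert's fields as a dict, or None if the line is not an alert."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    for key in ("gid", "sid", "rev", "prio", "sport", "dport"):
        d[key] = int(d[key])
    return d

def rule_matches(src, dst, proto="TCP"):
    """Header of the page's rule; '!' means every address except ALLOWED_NET."""
    return (proto == "TCP" and ipaddress.ip_address(src) not in ALLOWED_NET
            and ipaddress.ip_address(dst) == SERVER)

def summarize(text):
    """Count sid 501501 alerts per source; also return lines skipped as unparsable."""
    per_source, skipped = Counter(), 0
    for line in text.splitlines():
        a = parse_alert(line)
        if a is None:
            skipped += 1
        elif a["sid"] == 501501:
            per_source[a["src"]] += 1
    return per_source, skipped
```

Running summarize over /var/log/snort/alert output in this format gives a quick per-source count of hosts outside the allowed network that touched the server.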