![\"\"](\"http:\/\/linuxhint.com\/wp-content\/uploads\/2018\/03\/s-2.png\")
<\/a><\/p>\nAlternatively you can also define specific IP addresses to monitor separated with comma between [ ] as shown in this screen shot:<\/p>\n
Now let\u2019s get started and run this command on the command line:<\/p>\n # snort -d -l \/var\/log\/snort\/ -h 10.0.0.0\/24 -A console -c \/etc\/snort\/snort.conf<\/p>\n Where: Lets launch a fast scan from a different device using nmap:<\/p>\n And lets see what happens in the snort console:<\/p>\n Snort detected the scan, now, also from a different device lets attack with DoS using hping3<\/p>\n # hping3 -c 10000 -d 120 -S -w 64 -p 21 \u2013flood \u2013rand-source 10.0.0.3<\/p>\n The device displaying Snort is detecting bad traffic as shown here:<\/p>\n Since we instructed Snort to save logs, we can read them by running:<\/p>\n Snort\u2019s NIDS mode works based on rules specified in the \/etc\/snort\/snort.conf file.<\/p>\n Within the snort.conf file we can find commented and uncommented rules as you can see below:<\/p>\n The rules path normally is \/etc\/snort\/rules , there we can find the rules files:<\/p>\n Lets see the rules against backdoors: There are several rules to prevent backdoor attacks, surprisingly there is a rule against NetBus, a trojan horse which became popular a couple of decades ago, lets look at it and I will explain its parts and how it works:<\/p>\n alert tcp $HOME_NET 20034 \u2013> $EXTERNAL_NET any (msg:\u201cBACKDOOR NetBus Pro 2.0 connection This rule instructs snort to alert about TCP connections on port 20034 transmitting to any source in a external network.<\/p>\n -> = specifies the traffic direction, in this case from our protected network to an external one<\/p>\n msg = instructs the alert to include a specific message when displaying<\/p>\n content = search for specific content within the packet. It can include text if between \u201c \u201c or binary data if between | | sid:115 = rule identifier<\/p>\n Now we\u2019ll create a new rule to notify about incoming SSH connections. Open \/etc\/snort\/rules\/yourrule.rules, and inside paste the following text:<\/p>\n alert tcp $EXTERNAL_NET any \u2013> $HOME_NET 22 (msg:\u201cSSH incoming\u201d; We are telling Snort to alert about any tcp connection from any external source to our ssh port (in this case the default port) including the text message \u201cSSH INCOMING\u201d, where stateless instructs Snort to ignore the connection\u2019s state.<\/p>\n Now, we need to add the rule we created to our \/etc\/snort\/snort.conf file. Open the config file in an editor and search for #7, which is the section with rules. Add an uncommented rule like in the image above by adding:<\/p>\n include $RULE_PATH\/yourrule.rules<\/p>\n Instead of \u201cyourrule.rules\u201d, set your file name, in my case it was test3.rules.<\/p>\n Once it is done run Snort again and see what happens.<\/p>\n #snort -d -l \/var\/log\/snort\/ -h 10.0.0.0\/24 -A console -c \/etc\/snort\/snort.conf<\/p>\n ssh to your device from another device and see what happens:<\/p>\n You can see that SSH incoming was detected.<\/p>\n With this lesson I hope you know how to make basic rules and use them for detecting activity on a system.<\/p>\n Full article:<\/p>\n https:\/\/linuxhint.com\/configure-snort-ids-create-rules\/<\/a><\/p>\n<\/a><\/p>\n
\nd= tells snort to show data
\nl= determines the logs directory
\nh= specifies the network to monitor
\nA= instructs snort to print alerts in the console
\nc= specifies Snort the configuration file<\/p>\n<\/a> <\/a><\/p>\n<\/a><\/p>\n<\/a><\/p>\n<\/a><\/p>\n<\/a><\/p>\nIntroduction to Snort Rules<\/em><\/h3>\n
<\/a><\/p>\n<\/a><\/p>\n
\n<\/a><\/p>\n
\nestablished\u201d; flow:from_server,established;
\nflowbits:isset,backdoor.netbus_2.connect; content:\u201cBN|10 00 02 00|\u201d; depth:6; content:\u201c|
\n05 00|\u201d; depth:2; offset:8; classtype:misc-activity; sid:115; rev:9;)<\/p>\n
\ndepth = Analysis intensity, in the rule above we see two different parameters for two different contents
\noffset = tells Snort the starting byte of each packet to start searching for the content
\nclasstype = tells what kind of attack Snort is alerting about<\/p>\nCreating our own rule<\/em><\/h3>\n
\nflow:stateless; flags:S+; sid:100006927; rev:1;)<\/p>\n<\/a><\/p>\n<\/a><\/p>\n<\/a><\/p>\n