Snort Install Windows
Zur Navigation springen
Zur Suche springen
Download
Install
Winpcap
Snort
Test
Interface Nummer herausfinden
- C:\Snort\bin>snort -W
,,_ -*> Snort! <*- o" )~ Version 2.9.8.3-WIN32 GRE (Build 383) '''' By Martin Roesch & The Snort Team: http://www.snort.org/contact#team Copyright (C) 2014-2015 Cisco and/or its affiliates. All rights reserved. Copyright (C) 1998-2013 Sourcefire, Inc., et al. Using PCRE version: 8.10 2010-06-25 Using ZLIB version: 1.2.3 Index Physical Address IP Address Device Name Description ----- ---------------- ---------- ----------- ----------- 1 08:00:27:5A:CD:4E 0000:0000:fe80:0000:0000:0000:0c88:4afd \Device\ NPF_{769A54CE-2839-4D39-A753-C36840BB3EB3} Intel(R) PRO/1000 MT-Desktopadap ter 2 00:FF:D2:11:5E:C4 0000:0000:fe80:0000:0000:0000:2df0:da06 \Device\ NPF_{D2115EC4-8770-4D98-83E9-AC63C3480AE6} Sophos SSL VPN Adapter
Modifzierte snort.conf zu Testzwecken
Version anzeigen
- C:\snort\bin\snort -V
local.rules anlegen
C:\snort\rules\local.rules
Alert icmp any any -> any any (msg:"Snort Test"; sid:1000000001;) #Alert udp any any -> any any (msg:"Snort Test UDP"; sid:1000000002;) #Alert tcp any any -> any any (msg:"Snort Test TCP"; sid:1000000003;)
Konfiguration testen
- C:\snort\bin\snort -i 1 -c c:\Snort\etc\snort.conf -T
Snort starten und ping vom 172.18.180.1 auf die 172.18.180.157
- cd c:\snort\bin
- snort -A console -i 1 -c c:\snort\etc\snort.conf -l c:\snort\log
.... Commencing packet processing (pid=2444) 08/24-11:33:15.535069 [**] [1:1000000001:0] Snort Test [**] [Priority: 0] {ICMP} 172.18.180.1 -> 172.18.180.157 08/24-11:33:15.535451 [**] [1:1000000001:0] Snort Test [**] [Priority: 0] {ICMP} 172.18.180.157 -> 172.18.180.1 08/24-11:33:16.536607 [**] [1:1000000001:0] Snort Test [**] [Priority: 0] {ICMP} 172.18.180.1 -> 172.18.180.157 08/24-11:33:16.536705 [**] [1:1000000001:0] Snort Test [**] [Priority: 0] {ICMP} 172.18.180.157 -> 172.18.180.1 08/24-11:33:17.535307 [**] [1:1000000001:0] Snort Test [**] [Priority: 0] {ICMP} 172.18.180.1 -> 172.18.180.157 08/24-11:33:17.535307 [**] [1:1000000001:0] Snort Test [**] [Priority: 0] {ICMP} 172.18.180.157 -> 172.18.180.1 *** Caught Int-Signal
Snort im Einsatz
Für den normalen Einsatz sollte man sich auf www.snort.org registieren und die dortigen rules runterladen und einsetzen. Es gibt 3 Varianten:
- Community
- Registered
- Subscription (kostenfplichtig)
Man muss dann in der snort.conf noch die entspechenden rules aktivieren:
#include $RULE_PATH/app-detect.rules #include $RULE_PATH/attack-responses.rules #include $RULE_PATH/backdoor.rules #include $RULE_PATH/bad-traffic.rules #include $RULE_PATH/blacklist.rules #include $RULE_PATH/botnet-cnc.rules #include $RULE_PATH/browser-chrome.rules #include $RULE_PATH/browser-firefox.rules #include $RULE_PATH/browser-ie.rules #include $RULE_PATH/browser-other.rules #include $RULE_PATH/browser-plugins.rules #include $RULE_PATH/browser-webkit.rules #include $RULE_PATH/chat.rules #include $RULE_PATH/content-replace.rules #include $RULE_PATH/ddos.rules #include $RULE_PATH/dns.rules #include $RULE_PATH/dos.rules #include $RULE_PATH/experimental.rules #include $RULE_PATH/exploit-kit.rules #include $RULE_PATH/exploit.rules #include $RULE_PATH/file-executable.rules #include $RULE_PATH/file-flash.rules #include $RULE_PATH/file-identify.rules #include $RULE_PATH/file-image.rules #include $RULE_PATH/file-java.rules #include $RULE_PATH/file-multimedia.rules #include $RULE_PATH/file-office.rules #include $RULE_PATH/file-other.rules #include $RULE_PATH/file-pdf.rules #include $RULE_PATH/finger.rules #include $RULE_PATH/ftp.rules #include $RULE_PATH/icmp-info.rules #include $RULE_PATH/icmp.rules #include $RULE_PATH/imap.rules #include $RULE_PATH/indicator-compromise.rules #include $RULE_PATH/indicator-obfuscation.rules #include $RULE_PATH/indicator-scan.rules #include $RULE_PATH/indicator-shellcode.rules #include $RULE_PATH/info.rules #include $RULE_PATH/malware-backdoor.rules #include $RULE_PATH/malware-cnc.rules #include $RULE_PATH/malware-other.rules #include $RULE_PATH/malware-tools.rules #include $RULE_PATH/misc.rules #include $RULE_PATH/multimedia.rules #include $RULE_PATH/mysql.rules #include $RULE_PATH/netbios.rules #include $RULE_PATH/nntp.rules #include $RULE_PATH/oracle.rules #include $RULE_PATH/os-linux.rules #include $RULE_PATH/os-mobile.rules #include $RULE_PATH/os-other.rules #include $RULE_PATH/os-solaris.rules #include $RULE_PATH/os-windows.rules #include $RULE_PATH/other-ids.rules #include $RULE_PATH/p2p.rules #include $RULE_PATH/phishing-spam.rules #include $RULE_PATH/policy-multimedia.rules #include $RULE_PATH/policy-other.rules #include $RULE_PATH/policy.rules #include $RULE_PATH/policy-social.rules #include $RULE_PATH/policy-spam.rules #include $RULE_PATH/pop2.rules #include $RULE_PATH/pop3.rules #include $RULE_PATH/protocol-dns.rules #include $RULE_PATH/protocol-finger.rules #include $RULE_PATH/protocol-ftp.rules #include $RULE_PATH/protocol-icmp.rules #include $RULE_PATH/protocol-imap.rules #include $RULE_PATH/protocol-nntp.rules #include $RULE_PATH/protocol-pop.rules #include $RULE_PATH/protocol-rpc.rules #include $RULE_PATH/protocol-scada.rules #include $RULE_PATH/protocol-services.rules #include $RULE_PATH/protocol-snmp.rules #include $RULE_PATH/protocol-telnet.rules #include $RULE_PATH/protocol-tftp.rules #include $RULE_PATH/protocol-voip.rules #include $RULE_PATH/pua-adware.rules #include $RULE_PATH/pua-other.rules #include $RULE_PATH/pua-p2p.rules #include $RULE_PATH/pua-toolbars.rules #include $RULE_PATH/rpc.rules #include $RULE_PATH/rservices.rules #include $RULE_PATH/scada.rules #include $RULE_PATH/scan.rules #include $RULE_PATH/server-apache.rules #include $RULE_PATH/server-iis.rules #include $RULE_PATH/server-mail.rules #include $RULE_PATH/server-mssql.rules #include $RULE_PATH/server-mysql.rules #include $RULE_PATH/server-oracle.rules #include $RULE_PATH/server-other.rules #include $RULE_PATH/server-samba.rules #include $RULE_PATH/server-webapp.rules #include $RULE_PATH/shellcode.rules #include $RULE_PATH/smtp.rules #include $RULE_PATH/snmp.rules #include $RULE_PATH/specific-threats.rules #include $RULE_PATH/spyware-put.rules #include $RULE_PATH/sql.rules #include $RULE_PATH/telnet.rules #include $RULE_PATH/tftp.rules #include $RULE_PATH/virus.rules #include $RULE_PATH/voip.rules #include $RULE_PATH/web-activex.rules #include $RULE_PATH/web-attacks.rules #include $RULE_PATH/web-cgi.rules #include $RULE_PATH/web-client.rules #include $RULE_PATH/web-coldfusion.rules #include $RULE_PATH/web-frontpage.rules #include $RULE_PATH/web-iis.rules #include $RULE_PATH/web-misc.rules #include $RULE_PATH/web-php.rules #include $RULE_PATH/x11.rules