Intrusion Detection System Part 3: Snort

Download the libpcap headers and untar the archive with the same tar switches used above. Change into the extracted directory and carry out the following steps.

bash# ./configure

bash# make

Though we do not need any of the resulting binaries, building libpcap first is a precautionary measure. Now we'll compile Snort. Change into the directory containing the Snort source and issue the following commands.

bash# ./configure --with-libpcap-includes=/path/to/your/libpcap/headers

bash# make

bash# make install
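The build steps above leave one detail to the reader: the path that goes into --with-libpcap-includes. The following shell script is an added example, not part of the original article, that locates pcap.h among a few candidate directories, fails cleanly when the header is missing, and only then assembles the Snort configure command. The function names (find_pcap_includes, snort_configure_cmd, build_snort) and the candidate directory list are my own choices, not anything from Snort or libpcap.

```shell
#!/bin/sh
# Added example: derive the --with-libpcap-includes flag for Snort's configure
# instead of hard-coding a placeholder path. Not code from the original article.

# Print the first directory (from the arguments) that contains pcap.h.
# Returns 1 without printing anything if none of them does.
find_pcap_includes() {
    for dir in "$@"; do
        if [ -f "$dir/pcap.h" ]; then
            printf '%s\n' "$dir"
            return 0
        fi
    done
    return 1
}

# Print the configure invocation for Snort, or fail with a message on stderr
# when the libpcap headers cannot be found in the given directories.
snort_configure_cmd() {
    inc=$(find_pcap_includes "$@") || {
        echo "error: pcap.h not found in: $*" >&2
        return 1
    }
    printf './configure --with-libpcap-includes=%s\n' "$inc"
}

# Run the full Snort build from inside the Snort source directory.
# $1 is the libpcap source/header directory; the remaining candidates are
# common system locations (an assumption; adjust for your distribution).
build_snort() {
    cmd=$(snort_configure_cmd "$1" /usr/include /usr/local/include) || return 1
    echo "+ $cmd"
    eval "$cmd" && make && make install
}

# Usage (from the Snort source tree):
#   build_snort /path/to/libpcap-src
```

If configure cannot find the headers, the script stops before touching the build tree, which is easier to diagnose than a half-finished make.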

Using

Now Snort is installed on your system. Let's start using it. We'll begin with the basics of using Snort as a packet sniffer and packet analyzer. Apart from running in promiscuous mode, we will also look at rules that log alerts to the Snort log files or redirect them to syslog.

Using Snort as a packet sniffer and packet analyzer is a simple process, and the man page is a good reference for its options. Let's start with a simple command that makes Snort display all of its command-line switches and then exit.

bash# snort -?

The output of the command is as follows.

-*> Snort! <*-

Version 1.6.3

By Martin Roesch (roesch@clark.net, www.snort.org)

USAGE: snort [-options]

Options:

-A Set alert mode: fast, full, or none (alert file alerts only)

'unsock' enables UNIX socket logging (experimental).

-a Display ARP packets

-b Log packets in tcpdump format (much faster!)

-c Use Rules File

-C Print out payloads with character data only (no hex)

-d Dump the Application Layer

-D Run Snort in background (daemon) mode

-e Display the second layer header info

-F Read BPF filters from file

-g Run snort gid as 'gname' user or uid after initialization

-h Home network =

-i Listen on interface

-l Log to directory