Chapter 2     Installing Snort and Getting Started
    89  then
    90     echo "The log file does not exist."
    91     echo "Aborting ..."
    92     exit 1
    93  fi
    94
    95  tail -n18 /var/log/snort/alert
    96
    97  echo
    98  echo "Done"
    99  echo
This script generates alerts which you can see in the /var/log/snort/alert file
(if running in daemon mode) or on the screen where Snort is running. Alerts are
generated by sending ICMP echo packets with a predefined pattern in the data part.
The echo command is used for this purpose. This pattern triggers the following Snort
rule, generating an alert.
alert ip any any -> any any (msg:"ATTACK-RESPONSES id check
returned root"; content: "uid=0(root)"; classtype:bad-unknown;
sid:498; rev:3;)
After generating alerts, the script will display the last eighteen lines of the
/var/log/snort/alert file.
Now let us examine different parts of this script and how it works. Lines 52 to 55
prompt a user to enter an address to which ping packets should be sent. If no address is
entered, a broadcast address (255.255.255.255) is assumed and ping packets are sent as
broadcast packets.
Line 62 actually generates the ICMP packets that cause the rule to be triggered.
Note that pattern 7569643d3028726f6f74290a is equal to uid=0(root), which
is the pattern required to generate alerts.
The -c3 command line parameter causes three packets to be sent. Note that standard
input and standard error are redirected to /dev/null to make sure that no messages
are displayed on the screen. For details of all options used with the ping
command, see its man pages using the man ping command.
Lines 64 to 73 check the result of the ping command. A message is displayed
indicating the success or failure of the ping command. If the command fails, the
script aborts at this point and no further processing is done.
If alerts are to be generated successfully, they must be present in the
/var/log/snort/alert file. Lines 88 to 93 verify that the file exists. If the file
does not exist, the script is aborted.
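The following is an added example, not the book's script, that puts the steps described above (prompt for a target, send three ICMP echo requests carrying the uid=0(root) pattern, verify the alert file, show the tail of it) into one self-contained IDS self-test. It goes one step further than the text by counting sid 498 records before and after the probe, so the script reports whether Snort actually fired rather than only printing the last lines. The helper names, the ALERT_FILE and SNORT_SELFTEST_RUN variables and the five-second wait are assumptions; the hex pattern and the sid are the ones given in the text.

```shell
#!/bin/sh
# Added example (not the book's code): self-test for Snort rule sid 498.
# Assumed: Snort logs to $ALERT_FILE in a mode where alert records carry
# "[1:498:<rev>]"; the variable names and wait time are this example's own.

ALERT_FILE="${ALERT_FILE:-/var/log/snort/alert}"
PROBE_COUNT=3

# Convert a printf-style string into the hex form that ping -p expects.
# 'uid=0(root)\n' becomes 7569643d3028726f6f74290a, the value shown in the text.
pattern_hex() {
    printf '%b' "$1" | od -An -tx1 | tr -d ' \n'
}

# Count alert records for generator 1, sid 498 (any revision) in a file.
# Prints 0 and returns non-zero when the file is missing.
count_sid498() {
    file="$1"
    [ -f "$file" ] || { echo 0; return 1; }
    grep -c '\[1:498:[0-9]*\]' "$file" || :
}

# Send PROBE_COUNT echo requests with the pattern in the data part.
# Like the book's script, ping output is silenced; only the exit status matters.
send_probe() {
    target="$1"
    ping -c "$PROBE_COUNT" -p "$(pattern_hex 'uid=0(root)\n')" "$target" >/dev/null 2>&1
}

# Poll the alert file until the sid 498 count grows past $1, or $2 seconds pass.
wait_for_alert() {
    before="$1"; timeout="${2:-5}"
    while [ "$timeout" -gt 0 ]; do
        if [ "$(count_sid498 "$ALERT_FILE")" -gt "$before" ]; then
            return 0
        fi
        sleep 1; timeout=$((timeout - 1))
    done
    return 1
}

main() {
    printf 'Address to probe [255.255.255.255]: '
    read -r target
    [ -z "$target" ] && target=255.255.255.255

    # Same precondition as lines 88 to 93 of the book's script.
    if [ ! -f "$ALERT_FILE" ]; then
        echo "The log file $ALERT_FILE does not exist."
        echo "Aborting ..."
        exit 1
    fi

    before=$(count_sid498 "$ALERT_FILE")
    if send_probe "$target"; then
        echo "ping to $target succeeded"
    else
        echo "ping to $target failed. Aborting ..."
        exit 1
    fi

    if wait_for_alert "$before"; then
        echo "Snort raised sid 498; last alert records:"
        tail -n 18 "$ALERT_FILE"
    else
        echo "No new sid 498 alert within the wait time; check that Snort is running and the rule is enabled."
        exit 1
    fi
}

# Run the interactive self-test only when explicitly requested, so the file
# can also be sourced for its helper functions without side effects.
if [ -n "${SNORT_SELFTEST_RUN:-}" ]; then
    main "$@"
fi
```

Run it with SNORT_SELFTEST_RUN=1 sh snort_selftest.sh on the Snort host. The before/after count is the part worth keeping: it turns "tail the file and look" into a pass/fail check that can be scheduled after every rule or configuration change. On Linux, iputils ping refuses a broadcast target unless -b is also given, so a broadcast probe needs that flag added to send_probe.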