66
Chapter 2     Installing Snort and Getting Started
If you modify the snort.conf file, or any other file included in this file, you have to
restart Snort for the changes to take effect.
Other command line options and switches can be used when Snort is working in
IDS mode. For example, you can log data into files as well as display data on the
command line. However, if Snort is being used for long term monitoring, the more data
you log, the more disk space you need. Logging data to the console also requires some
processing power, so the processing power of the host where Snort is running becomes a
consideration. The following command will log data to the /var/log/snort directory
and will display it on the console screen in addition to acting as a NIDS:
snort -dev -l /var/log/snort -c /etc/snort/snort.conf
However, in most real life situations you will use the -D command line switch with
Snort so that it does not log on the console but runs as a daemon.
In a typical scenario, you will also want to log Snort data into a database. Logging
data into a MySQL database is discussed in Chapter 5.
2.8 Snort Alert Modes
When Snort is running in the Network Intrusion Detection (NID) mode, it generates
alerts when a captured packet matches a rule. Snort can send alerts in many modes.
These modes are configurable through the command line as well as through
snort.conf file. Common alert modes are explained in this section. To explain the
alert modes, I have used a rule that creates an alert when Snort detects an ICMP packet
with TTL 100. This rule is listed below.
alert icmp any any -> any any (msg: "Ping with TTL=100"; \
   ttl:100;)
Rules will be explained in detail in the next chapter. For this discussion, it is
sufficient to understand that this rule will create an alert with the text message "Ping with
TTL=100" whenever such an ICMP packet is captured. The rule does not care about the
source or destination address in the packet. I have used the following command on my
Windows PC to send one ICMP echo packet with TTL=100.
C:\rrehman>ping -n 1 -i 100 192.168.1.3
Pinging 192.168.1.3 with 32 bytes of data:
Reply from 192.168.1.3: bytes=32 time=3ms TTL=255
Ping statistics for 192.168.1.3:
    Packets: Sent = 1, Received = 1, Lost = 0 (0% loss),
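To show what the detection engine is checking when this rule fires, here is an added example (not code from the book or from Snort) that applies the protocol and ttl options of the rule above to constructed IPv4/ICMP packets. The packet builder, the sample addresses and the alert line format are assumptions; only the rule's fields come from the page.

```python
import socket
import struct

ICMP, TCP = 1, 6  # IP protocol numbers
# The rule from the text, reduced to the options this matcher evaluates.
RULE = {"proto": ICMP, "msg": "Ping with TTL=100", "ttl": 100}


def build_ipv4(src, dst, ttl, proto, payload=b""):
    # Bare IPv4 header (no options, checksum left zero) for constructing test packets.
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, ttl, proto, 0,
                         socket.inet_aton(src), socket.inet_aton(dst))
    return header + payload


def parse_ipv4(raw):
    # Decode only the fields the rule needs; reject anything that is not a sane IPv4 header.
    if len(raw) < 20:
        raise ValueError("truncated IPv4 header")
    version, ihl = raw[0] >> 4, (raw[0] & 0x0F) * 4
    if version != 4 or ihl < 20 or len(raw) < ihl:
        raise ValueError("not a valid IPv4 header")
    return {"src": socket.inet_ntoa(raw[12:16]), "dst": socket.inet_ntoa(raw[16:20]),
            "ttl": raw[8], "proto": raw[9]}


def match_rule(pkt, rule=RULE):
    # Both the protocol keyword and the ttl option must match before the msg is emitted.
    if pkt["proto"] != rule["proto"] or pkt["ttl"] != rule["ttl"]:
        return None
    return f'[**] {rule["msg"]} [**] {pkt["src"]} -> {pkt["dst"]}'


def scan(packets):
    # Run each packet through the rule and collect alerts; malformed packets are skipped.
    alerts = []
    for raw in packets:
        try:
            alert = match_rule(parse_ipv4(raw))
        except ValueError:
            continue
        if alert:
            alerts.append(alert)
    return alerts


# Constructed traffic: the echo request from "ping -n 1 -i 100", its reply (TTL 255, as in
# the ping output above), a TCP packet that also carries TTL 100, and a truncated packet.
SAMPLE = [
    build_ipv4("192.168.1.2", "192.168.1.3", 100, ICMP, b"\x08\x00"),  # echo request, TTL 100
    build_ipv4("192.168.1.3", "192.168.1.2", 255, ICMP, b"\x00\x00"),  # echo reply, TTL 255
    build_ipv4("192.168.1.2", "192.168.1.3", 100, TCP),                # TCP with TTL 100
    b"\x45\x00\x00",                                                   # truncated header
]
```

Only the echo request produces an alert; the reply fails the ttl check and the TCP packet fails the protocol check, which is why the rule stays quiet on ordinary ping replies.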