Chapter 10. Intrusion Detection
02:05:53.702706 ns1.rdu.redhat.com.domain > pinky.exampledomain.com.55828: 6077 NXDomain* 0/1/0 (103) (DF)
02:05:53.886395 shadowman.exampledomain.com.netbios-ns > 172.16.59.255.netbios-ns: NBT UDP PACKET(137): QUERY; BROADCAST
02:05:54.103355 802.1d config c000.00:05:74:8c:a1:2b.8043 root 0001.00:d0:01:23:a5:2b pathcost 3004 age 1 max 20 hello 2 fdelay 15
02:05:54.636436 konsole.exampledomain.com.netbios-ns > 172.16.59.255.netbios-ns: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
02:05:56.323715 pinky.exampledomain.com.1013 > heavenly.exampledomain.com.860: udp 56 (DF)
02:05:56.323882 heavenly.exampledomain.com.860 > pinky.exampledomain.com.1013: udp 28 (DF)
Notice that packets not addressed to our machine (pinky.exampledomain.com), such as the NetBIOS name-service broadcasts to 172.16.59.255 and the 802.1d spanning-tree frames above, are still captured and logged by tcpdump. By default tcpdump places the interface in promiscuous mode (unless run with -p), so it records every frame the network delivers to that segment, not only frames destined for the host. On a switched network that is normally limited to broadcast, multicast and flooded traffic; on a hub or a mirror port it is everything on the wire.
10.3.1. snort
While tcpdump is a useful auditing tool, it is not considered a true IDS because it does not analyze packets for anomalies; it only dumps them to the output screen or to a log file. A proper IDS will analyze the packets and then tag and log suspicious activity.
Snort is an IDS designed to be comprehensive and accurate in logging malicious network activity and notifying administrators when potential breaches occur. Snort captures packets with the standard libpcap library, the same library tcpdump uses, and can log them in tcpdump's binary format.
The most prized feature of Snort is not its packet handling but its flexible attack signature subsystem. Snort has a constantly updated set of attack signatures (rules) that can be extended and updated via the Internet. Users can write signatures for new network attacks and submit them to the Snort signature mailing lists (located at http://www.snort.org/lists.html) so that all Snort users benefit. This community ethic of sharing has grown Snort into one of the most up-to-date and robust network-based IDSes available.
Note
Snort is not included with Red Hat Linux and is not supported. It has been included in this document as a reference for users who may be interested in evaluating it.
For more information about using Snort, refer to the official website at http://www.snort.org.