TCPdump & Snort - Intrusion Detection Systems

More documents

Recommendations

Info

Output I Various output modules available for flexible logging and alerting Logging to syslog Allows specification of facility, priority, options (‘official’ syslog interface, see man 3 syslog for details) Example output alert_syslog: log_auth, log_warning Logging to remote syslog daemon output alert_syslog: 192.168.5.2:514, log_auth, log_warning Logging to files output alert_fast: filename logs one-liners to a file output alert_full: filename logs full packet headers TCPdump & Snort Thomas Fischer February 3, 2010 Page 26
Output II Logging to Unix socket output alert_unixsock logs to sock /var/log/snort/snort_alert Perl Example 1 #!/usr/bin/perl 2 use IO::Socket; 3 my $client = IO::Socket::UNIX->new(Type => SOCK_DGRAM, 4 Local => "/var/log/snort/snort_alert") Logging to TCPdump file output log_tcpdump: filename logs to TCPdump-like logfile can be opened with Wireshark More logging modules writing to SQL databases, csv files, compact binary formats (unified2) TCPdump & Snort Thomas Fischer February 3, 2010 Page 27
Page 1 and 2: TCPdump & Snort Intrusion Detection
Page 3 and 4: Starting with TCPdump TCPdump is a
Page 5 and 6: Wireshark Previously know as Ethere
Page 7 and 8: Writing TCPdump Filters II Bitmask
Page 9 and 10: About Snort Network Intrusion Detec
Page 11 and 12: Configuring Snort Central configura
Page 13 and 14: Preprocessors II Stream5 tracks ses
Page 15 and 16: Snort Rules I General syntax of rul
Page 17 and 18: Internal Rule Options msg: "some lo
Page 19 and 20: Rule Options for Payload II Modifie
Page 21 and 22: Rule Options for Non-Payload I frag
Page 23 and 24: Rule Options after Detection I logt
Page 25: Tips for Writing Rules Rules should
Page 29 and 30: Inline Mode with IPtables Inline Mo
Page 31 and 32: Visual Examples FTP security proble
Page 37 and 38: Visual Example: Byte Jump content:"
Page 47 and 48: Examples II alert tcp $EXTERNAL_NET
Page 49 and 50: Examples IV alert tcp $EXTERNAL_NET

TCPdump & Snort - Intrusion Detection Systems

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?