TCPdump & Snort - Intrusion Detection Systems

More documents

Recommendations

Info

Redirecting Output Log messages can be redirected to different outputs Overrides general output statements ruletype panic { } type alert output alert_syslog: LOG_AUTH LOG_CRIT output log_tcpdump: panic.log panic ip any any -> any any (msg:"Land attack"; sameip;) TCPdump & Snort Thomas Fischer February 3, 2010 Page 28
Inline Mode with IPtables Inline Mode Snort uses IPtables to receive packets, injects new rules to IPtables to accept or drop packets Integration in Snort: New rule types drop like IPtables’ drop target reject like IPtables’ reject target sdrop like IPtables’ drop target, but silently Integration in IPtables Redirect packets to user space using QUEUE target Example iptables -A INPUT -p tcp --dport 25 -j QUEUE Start Snort with Queue flag: snort -Q System has to be configured/compiled accordingly TCPdump & Snort Thomas Fischer February 3, 2010 Page 29
Page 1 and 2: TCPdump & Snort Intrusion Detection
Page 3 and 4: Starting with TCPdump TCPdump is a
Page 5 and 6: Wireshark Previously know as Ethere
Page 7 and 8: Writing TCPdump Filters II Bitmask
Page 9 and 10: About Snort Network Intrusion Detec
Page 11 and 12: Configuring Snort Central configura
Page 13 and 14: Preprocessors II Stream5 tracks ses
Page 15 and 16: Snort Rules I General syntax of rul
Page 17 and 18: Internal Rule Options msg: "some lo
Page 19 and 20: Rule Options for Payload II Modifie
Page 21 and 22: Rule Options for Non-Payload I frag
Page 23 and 24: Rule Options after Detection I logt
Page 25 and 26: Tips for Writing Rules Rules should
Page 27: Output II Logging to Unix socket ou
Page 31 and 32: Visual Examples FTP security proble
Page 37 and 38: Visual Example: Byte Jump content:"
Page 47 and 48: Examples II alert tcp $EXTERNAL_NET
Page 49 and 50: Examples IV alert tcp $EXTERNAL_NET

TCPdump & Snort - Intrusion Detection Systems

Create successful ePaper yourself

Delete template?

Save as template?