Nmap -D generates very noisy scanning, rendering IDSs useless: to the target it looks like a bunch of 'decoy' boxes are scanning, and the real source is masked among the fake ones.
The Newsham-Ptacek paper by the Fragroute author explains stealth attacks further.
File integrity checkers: AIDE, Tripwire
Log-monitoring tools: logwatcher, swatch
Running Snort as a packet sniffer
Note: -v tells Snort to run as a normal (verbose) sniffer, -d dumps the payload data in each packet, and -e displays the link-layer headers of the packets.
This just runs it as a normal sniffer, but not as verbose as -dev. If we wanted to save our log files to the directory /home/snortlogs/kobayashi, and our home network was 10.1.1.0/24, we'd use the command:
What if you would rather log your packets in binary format? Not hard. Instead of using -dev as the command-line options to Snort, use -b for binary format. If you want to change the name of the default log file from /var/log/snort/snort.log.[timestamp], use the -L option as well, like so:
To read a binary log:
To read a binary file and narrow down what traffic is displayed:
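Snort's -b log is written in tcpdump/libpcap binary format, so narrowing a replay (-r) to one host or protocol is just a filter over pcap records. The following Python is an added example, not part of the original notes: it builds a small constructed pcap of the kind -b writes (addresses and packets are made up) and filters it the way a host/proto expression on the snort -r command line would.

```python
import struct

def ip4(addr):  # dotted quad -> 4 raw bytes
    return bytes(int(x) for x in addr.split("."))

def eth_ipv4(src, dst, proto, payload):
    """Build an Ethernet/IPv4 frame (checksums left zero; fine for parsing)."""
    eth = b"\x00" * 6 + b"\x00" * 5 + b"\x01" + b"\x08\x00"   # dst MAC, src MAC, EtherType IPv4
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                     ip4(src), ip4(dst))
    return eth + ip + payload

def pcap(packets):
    """Wrap frames in a little-endian libpcap file (24-byte global header, 16-byte records)."""
    out = struct.pack("<IHHiIII", 0xa1b2c3d4, 2, 4, 0, 0, 65535, 1)   # linktype 1 = Ethernet
    for i, pkt in enumerate(packets):
        out += struct.pack("<IIII", 1700000000 + i, 0, len(pkt), len(pkt)) + pkt
    return out

# Constructed sample log with three packets; the addresses are made up for this example.
SAMPLE = pcap([
    eth_ipv4("10.1.1.5", "10.1.1.1", 6, struct.pack("!HH", 40000, 80) + b"\x00" * 16),  # TCP to :80
    eth_ipv4("192.0.2.9", "10.1.1.1", 17, struct.pack("!HH", 5353, 53) + b"\x00" * 4),  # UDP to :53
    eth_ipv4("10.1.1.5", "10.1.1.7", 1, b"\x08\x00" + b"\x00" * 6),                     # ICMP echo
])

def read_pcap(data):
    """Yield (ts_sec, frame) records; only the little-endian magic is handled here."""
    magic, = struct.unpack("<I", data[:4])
    if magic != 0xa1b2c3d4:
        raise ValueError("unsupported pcap magic/byte order")
    off = 24
    while off + 16 <= len(data):
        ts_sec, _, incl, _ = struct.unpack("<IIII", data[off:off + 16])
        off += 16
        yield ts_sec, data[off:off + incl]
        off += incl

PROTO = {1: "ICMP", 6: "TCP", 17: "UDP"}
def summarize(frame):
    """Decode Ethernet/IPv4 and return (src, dst, proto) or None for non-IPv4 frames."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    src = ".".join(str(b) for b in frame[26:30])
    dst = ".".join(str(b) for b in frame[30:34])
    return src, dst, PROTO.get(frame[23], str(frame[23]))

def narrow(data, host=None, proto=None):
    """Like 'snort -r log host X' or '... udp': keep only the matching packets."""
    seen = [s for _, f in read_pcap(data) if (s := summarize(f)) is not None]
    return [s for s in seen if (not host or host in s[:2]) and (not proto or s[2] == proto)]
```

Point narrow() at the bytes of a real snort.log.[timestamp] file to get the same host/protocol view that the -r filter gives on the command line.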
Snot: a tool that takes a Snort ruleset and generates traffic that triggers its rules, burying the IDS in alerts to render it useless http://www.stolenshoes.net/sniph/index.html Stick: a similar tool http://www.eurocompton.net/stick/projects8.html [Run Snort with '-z est' to prevent Snot/Stick attacks (for this the stream4 preprocessor must be configured, and you will then miss ICMP-, UDP- and ARP-based attacks)]