
snort

Nmap -D (decoy scan) generates very noisy scanning that makes IDS source attribution unreliable: to the target it looks like a whole set of 'decoy' hosts are scanning, and the real source is masked among the fake ones. The IDS still sees and logs the scan; it just cannot tell which source address is real. The Ptacek-Newsham paper "Insertion, Evasion, and Denial of Service: Eluding Network Intrusion Detection" (1998) explains stealth and evasion attacks further; Dug Song's Fragroute implements many of the techniques it describes.

File integrity checkers: AIDE, Tripwire
Log-monitoring tools: logwatch, swatch

running snort as a packet sniffer

$ snort -dev

Note: -v puts Snort in verbose packet-sniffer mode, -d dumps the application-layer payload of each packet, and -e also displays the link-layer (Ethernet) headers.

$ snort -v

This runs Snort as a plain sniffer, printing only the IP/TCP/UDP/ICMP headers, so it is much less verbose than -dev.

To log packets to disk instead of just printing them, add -l with a log directory. If we wanted to save our logs under /home/snortlogs/kobayashi, and our home network was 10.1.1.0/24 (so -h makes Snort file the logs relative to our own hosts rather than the remote ones), we'd use:

$ snort -dev -l /home/snortlogs/kobayashi -h 10.1.1.0/24

What if you would rather log your packets in binary format? Not hard. Instead of -dev, use -b, which writes the raw packets in tcpdump (libpcap) format; this is much faster than decoding and the file can be read back later by Snort, tcpdump, or Wireshark. If you want to change the name of the default logfile from /var/log/snort/snort.log.[timestamp], use the -L option as well (Snort 2.x still appends a Unix timestamp to the name you give), like so:

$ snort -b -L /home/snortlogs/FunnyTrafficCapture-03112004

To read a binary log back and print it as -dev would have, use -r with the file name:

$ snort -devr /home/snortlogs/FunnyTrafficCapture-03112004

To read a binary file and narrow down which traffic is displayed, append a BPF filter expression (the same syntax tcpdump uses) after the options. Here everything to or from 66.100.167.2 is dropped from the output:

$ sudo snort -devr /home/kam/snort-logs/log.1147147245 not host 66.100.167.2
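The -b file format and the "not host" filter above, as an added example that is not part of the original notes and uses no Snort code: it builds a small libpcap file in memory from constructed Ethernet/IPv4 frames (the constructed addresses 10.1.1.5 and 10.1.1.9 are assumptions), reads it back, and applies the same `not host 66.100.167.2` selection by hand, so you can see what the binary log actually contains and what the BPF expression is doing.

```python
"""Minimal libpcap writer/reader with a hand-rolled `not host` filter.
Added example; the sample traffic below is constructed, not captured."""
import socket
import struct

PCAP_MAGIC = 0xA1B2C3D4       # native byte order, microsecond timestamps
LINKTYPE_ETHERNET = 1


def ipv4_frame(src, dst, payload=b""):
    """Build a minimal Ethernet + IPv4 (UDP) frame. Checksums are left zero
    because only the addressing matters for this demonstration."""
    eth = b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb" + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s",
                     0x45, 0, 20 + len(payload), 0, 0, 64, 17, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return eth + ip + payload


def write_pcap(frames):
    """Return the bytes of a pcap file: 24-byte global header, then
    a 16-byte record header before every frame (what `snort -b` writes)."""
    out = struct.pack("=IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for n, frame in enumerate(frames):
        out += struct.pack("=IIII", 1147147245 + n, 0, len(frame), len(frame))
        out += frame
    return out


def read_pcap(data):
    """Yield (timestamp, frame) after validating the global header."""
    magic, _vmaj, _vmin, _tz, _sig, _snap, linktype = struct.unpack("=IHHiIII", data[:24])
    if magic != PCAP_MAGIC or linktype != LINKTYPE_ETHERNET:
        raise ValueError("not an Ethernet pcap file")
    off = 24
    while off < len(data):
        ts_sec, _ts_usec, incl_len, _orig_len = struct.unpack("=IIII", data[off:off + 16])
        off += 16
        yield ts_sec, data[off:off + incl_len]
        off += incl_len


def ip_addrs(frame):
    """(src, dst) of an IPv4 frame as dotted quads, or None if not IPv4."""
    if frame[12:14] != b"\x08\x00":
        return None
    return socket.inet_ntoa(frame[26:30]), socket.inet_ntoa(frame[30:34])


def not_host(data, host):
    """Equivalent of the BPF expression `not host <host>`: keep every frame
    in which <host> is neither the source nor the destination."""
    kept = []
    for ts, frame in read_pcap(data):
        addrs = ip_addrs(frame)
        if addrs is None or host not in addrs:
            kept.append((ts, frame))
    return kept


# Constructed sample traffic: two frames involve 66.100.167.2, one does not.
SAMPLE = write_pcap([
    ipv4_frame("66.100.167.2", "10.1.1.5", b"noise"),
    ipv4_frame("10.1.1.5", "10.1.1.9", b"interesting"),
    ipv4_frame("10.1.1.9", "66.100.167.2", b"noise"),
])

if __name__ == "__main__":
    for ts, frame in not_host(SAMPLE, "66.100.167.2"):
        print(ts, ip_addrs(frame), frame[34:])
```

Because the -b output is ordinary libpcap, anything that understands pcap can post-process a Snort capture; the filter expression on the snort command line is just compiled to BPF and applied per record, exactly as the loop in `not_host` does.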


Anti snort tools

Snot: Tool that reads a Snort ruleset and generates forged packets matching those rules, flooding the IDS with false alerts so that real attacks are buried and the IDS is rendered useless

http://www.stolenshoes.net/sniph/index.html

Stick: Similar tool

http://www.eurocompton.net/stick/projects8.html

[Run Snort with '-z est' to blunt Snot/Stick attacks: Snort then alerts only on TCP packets belonging to an established session, which a blind packet forger cannot complete. For this the stream4 preprocessor must be configured, and you will be missing ICMP, UDP, and ARP based attacks, since those are never "established". Note this is a Snort 2.x-era option; stream4 was later replaced by stream5 and -z removed.]
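The trade-off behind '-z est', as an added example that is not part of the original notes and does not use Snort's own code: a stateless matcher alerts on any single packet whose payload matches a rule, so a Snot/Stick-style burst of forged packets produces a burst of alerts, while an established-only matcher tracks the TCP three-way handshake and reports hits only inside sessions that completed it, at the cost of ignoring UDP and ICMP entirely. The rules, addresses and traffic below are constructed stand-ins, not real Snort rules.

```python
"""Stateless vs established-only rule matching on constructed traffic.
Added example illustrating why `-z est` defeats blind alert floods."""

RULES = [
    # (name, protocol, byte pattern): stand-ins for content: rules
    ("WEB-MISC /etc/passwd access", "tcp", b"/etc/passwd"),
    ("ICMP large echo", "icmp", b"A" * 64),
]


def match_rules(pkt):
    """Stateless content match against one packet, like a bare signature check."""
    return [name for name, proto, pat in RULES
            if pkt["proto"] == proto and pat in pkt.get("payload", b"")]


def stateless_alerts(packets):
    """Default behaviour: every matching packet is an alert, handshake or not."""
    return [(pkt["src"], name) for pkt in packets for name in match_rules(pkt)]


class EstablishedOnly:
    """Model of `-z est`: follow SYN / SYN-ACK / ACK and only report rule hits
    on sessions that finished the handshake. Non-TCP is not inspected at all."""
    SYN, SYNACK, ACK = "S", "SA", "A"

    def __init__(self):
        self.state = {}          # (client, server) -> last handshake step seen
        self.established = set()  # both directions of completed sessions

    def _track(self, pkt):
        flags = pkt.get("flags", "")
        fwd = (pkt["src"], pkt["dst"])
        rev = (pkt["dst"], pkt["src"])
        if flags == self.SYN:
            self.state[fwd] = self.SYN
        elif flags == self.SYNACK and self.state.get(rev) == self.SYN:
            self.state[rev] = self.SYNACK
        elif flags == self.ACK and self.state.get(fwd) == self.SYNACK:
            self.established.update((fwd, rev))

    def alerts(self, packets):
        hits = []
        for pkt in packets:
            if pkt["proto"] != "tcp":
                continue  # the blind spot: UDP/ICMP/ARP never become "established"
            self._track(pkt)
            if (pkt["src"], pkt["dst"]) in self.established:
                hits.extend((pkt["src"], name) for name in match_rules(pkt))
        return hits


def tcp(src, dst, flags, payload=b""):
    return {"proto": "tcp", "src": src, "dst": dst, "flags": flags, "payload": payload}


# Constructed traffic: one genuine session, a forged Snot/Stick-style burst
# from five random sources that never completed a handshake, and one ICMP attack.
TRAFFIC = [
    tcp("10.1.1.5", "10.1.1.80", "S"),
    tcp("10.1.1.80", "10.1.1.5", "SA"),
    tcp("10.1.1.5", "10.1.1.80", "A"),
    tcp("10.1.1.5", "10.1.1.80", "PA", b"GET /etc/passwd HTTP/1.0"),
    *[tcp(f"203.0.113.{i}", "10.1.1.80", "PA", b"GET /etc/passwd HTTP/1.0")
      for i in range(1, 6)],
    {"proto": "icmp", "src": "198.51.100.7", "dst": "10.1.1.80", "payload": b"A" * 64},
]


def compare():
    """Run both matchers over the same traffic and return their alert lists."""
    return {
        "stateless": stateless_alerts(TRAFFIC),
        "established_only": EstablishedOnly().alerts(TRAFFIC),
    }


if __name__ == "__main__":
    for mode, hits in compare().items():
        print(f"{mode}: {len(hits)} alert(s)")
        for src, name in hits:
            print("   ", src, name)
```

The stateless matcher raises seven alerts (one real, five forged, one ICMP); the established-only matcher raises exactly one, from the session that completed its handshake. That is the whole point of the trade-off: the forged burst disappears, but so does the ICMP alert, which is why the page warns that ICMP, UDP and ARP attacks go unseen in this mode.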
