Snort Modes
65
20:01:55.749466 192.168.1.1.1901 > 239.255.255.250.1900:  udp 325
20:01:55.751968 192.168.1.1.1901 > 239.255.255.250.1900:  udp 253
20:01:55.754145 192.168.1.1.1901 > 239.255.255.250.1900:  udp 245
20:01:55.756781 192.168.1.1.1901 > 239.255.255.250.1900:  udp 289
20:01:55.759258 192.168.1.1.1901 > 239.255.255.250.1900:  udp 265
20:01:55.761763 192.168.1.1.1901 > 239.255.255.250.1900:  udp 319
20:01:55.764365 192.168.1.1.1901 > 239.255.255.250.1900:  udp 317
20:01:55.767103 192.168.1.1.1901 > 239.255.255.250.1900:  udp 321
20:01:55.769557 192.168.1.1.1901 > 239.255.255.250.1900:  udp 313
20:01:56.336697 192.168.1.100.2474 > 192.168.1.2.ssh: P 0:80(80) ack 465 win 16496 (DF)
[root@conformix snort]#
You can use different command line options with tcpdump to manipulate the display of data. For more information about tcpdump, use the man tcpdump command or see Appendix A.
2.7.2 Network Intrusion Detection Mode
In intrusion detection mode, Snort does not log each captured packet as it does in the network sniffer mode. Instead, it applies rules to all captured packets. Only if a packet matches a rule is it logged or an alert generated. If a packet does not match any rule, the packet is discarded silently and no log entry is created. Note that "discarded" here means not recorded: in this mode Snort is a passive observer and does not block traffic. When you use Snort in intrusion detection mode, you typically provide a configuration file on the command line. This configuration file contains Snort rules or references to other files that contain Snort rules. In addition to rules, the configuration file also contains information about input and output plug-ins, which are discussed in Chapter 4. The typical name of the Snort configuration file is snort.conf. We previously saved the snort.conf configuration file in the /opt/snort/etc directory along with other files during the installation procedure.[5] The following command starts Snort in the Network Intrusion Detection (NID) mode:
snort -c /opt/snort/etc/snort.conf
When you run this command, Snort reads the configuration file /opt/snort/etc/snort.conf and all other files included from it. Typically these files contain Snort rules and configuration data. After reading these files, Snort builds its internal data structures and rule chains. All captured packets are then matched against these rules, and on a match the action the rule specifies (for example, alert or log) is taken.
[5] If you used the RPM package to install Snort, the typical location of the Snort configuration file is /etc/snort/snort.conf.
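The matching loop described above, as an added example that is not part of the book and not Snort's own code: a small Python model of NID-mode processing. It parses a constructed rule set written in Snort rule syntax (the var names, sids and messages are hypothetical; address fields may be any, a CIDR block, a $variable or a !negation, and port fields any, a single port or a lo:hi range), then runs constructed packets, modelled on the tcpdump output earlier in this section, through every rule. Only a matching packet produces an event; a packet that matches nothing is discarded silently, which is the difference from sniffer mode. Two simplifications are assumed: only the rule header is evaluated (no payload options), and every matching rule fires, whereas the real engine's event queue decides how many events one packet generates.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed packets, patterned on the tcpdump output in this section:
# (protocol, source ip, source port, destination ip, destination port).
PACKETS = [
    ("udp", "192.168.1.1", 1901, "239.255.255.250", 1900),
    ("udp", "192.168.1.1", 1901, "239.255.255.250", 1900),
    ("tcp", "192.168.1.100", 2474, "192.168.1.2", 22),
    ("tcp", "203.0.113.9", 40000, "192.168.1.2", 22),
    ("tcp", "192.168.1.100", 2475, "192.168.1.2", 80),
]

# Constructed rule set in Snort rule syntax. Variable names, sids and
# messages are hypothetical, not taken from a real snort.conf.
RULES_TEXT = """
var HOME_NET 192.168.1.0/24
var EXTERNAL_NET !$HOME_NET
# header: action proto src_ip src_port -> dst_ip dst_port (options)
alert udp any any -> 239.255.255.250 1900 (msg:"SSDP discovery"; sid:1000001;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"SSH from outside"; sid:1000002;)
log tcp $HOME_NET any -> $HOME_NET 22 (msg:"internal SSH"; sid:1000003;)
"""

RULE_RE = re.compile(
    r"^(?P<action>alert|log|pass)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)"
    r"\s+->\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$"
)
OPT_RE = re.compile(r'(\w+):\s*("[^"]*"|[^;]*);')


@dataclass
class Rule:
    action: str
    proto: str
    src: str
    sport: str
    dst: str
    dport: str
    sid: int
    msg: str


def load_rules(text):
    """Parse 'var' lines and rule lines; returns (variables, rules)."""
    variables, rules = {}, []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("var "):
            _, name, value = line.split(None, 2)
            variables[name] = value
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"unparsable rule: {line}")
        opts = {k: v.strip('"') for k, v in OPT_RE.findall(m["opts"])}
        rules.append(Rule(m["action"], m["proto"], m["src"], m["sport"],
                          m["dst"], m["dport"], int(opts["sid"]), opts.get("msg", "")))
    return variables, rules


def match_addr(spec, ip, variables):
    """Match an IP against an address field: any, CIDR, $VAR or !negation."""
    negate = False
    while True:  # resolve "!$EXTERNAL_NET"-style chains down to a literal
        if spec.startswith("!"):
            negate, spec = not negate, spec[1:]
        elif spec.startswith("$"):
            spec = variables[spec[1:]]
        else:
            break
    hit = spec == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)
    return hit != negate


def match_port(spec, port):
    """Match a port against any, a single port, a lo:hi range or !negation."""
    negate = spec.startswith("!")
    spec = spec.lstrip("!")
    if spec == "any":
        hit = True
    elif ":" in spec:
        lo, hi = spec.split(":")
        hit = int(lo or 0) <= port <= int(hi or 65535)
    else:
        hit = port == int(spec)
    return hit != negate


def inspect(packets, variables, rules):
    """NID-mode loop: every packet is tested against every rule. Only a match
    produces an event; a packet matching nothing is discarded silently."""
    events = []
    for proto, sip, sport, dip, dport in packets:
        for r in rules:
            if (r.proto == proto
                    and match_addr(r.src, sip, variables) and match_port(r.sport, sport)
                    and match_addr(r.dst, dip, variables) and match_port(r.dport, dport)):
                events.append((r.action, r.sid, r.msg, f"{sip}:{sport} -> {dip}:{dport}"))
    return events


if __name__ == "__main__":
    variables, rules = load_rules(RULES_TEXT)
    for event in inspect(PACKETS, variables, rules):
        print(event)
```

Running it yields four events for five packets: the two SSDP datagrams and the outside SSH connection raise alerts, the internal SSH connection is only logged, and the HTTP packet to port 80 matches nothing and produces no output at all, exactly as the text says for non-matching traffic.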