Chapter 10. Intrusion Detection
93
02:05:53.702706 ns1.rdu.redhat.com.domain > pinky.exampledomain.com.55828: \
6077 NXDomain* 0/1/0 (103) (DF)
02:05:53.886395 shadowman.exampledomain.com.netbios ns > \
172.16.59.255.netbios ns: NBT UDP PACKET(137): QUERY; BROADCAST
02:05:54.103355 802.1d config c000.00:05:74:8c:a1:2b.8043 root \
0001.00:d0:01:23:a5:2b pathcost 3004 age 1 max 20 hello 2 fdelay 15
02:05:54.636436 konsole.exampledomain.com.netbios ns > 172.16.59.255.netbios ns:\
NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
02:05:56.323715 pinky.exampledomain.com.1013 > heavenly.exampledomain.com.860:\
udp 56 (DF)
02:05:56.323882 heavenly.exampledomain.com.860 > pinky.exampledomain.com.1013:\
udp 28 (DF)
Notice that packets that were not intended for our machine (pinky.exampledomain.com) are still being scanned and logged by tcpdump.
10.3.1. snort
While tcpdump is a useful auditing tool, it is not considered a true IDS because it does not analyze packets for anomalies; it only dumps them to the output screen or to a log file. A proper IDS will analyze the packets and then tag and log suspicious activity.
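As an added illustration (not part of the guide), the following Python script parses the tcpdump records shown above and sorts them into traffic addressed to the capturing host, broadcast traffic that is only seen because the interface is in promiscuous mode, and non-IP frames; it then runs two toy signatures over the parsed records to show the tag-and-log step that separates an IDS from a plain packet dumper. The host name pinky.exampledomain.com comes from the chapter; the sample records are reconstructed from the output above with the backslash continuations joined and the service name written netbios-ns as tcpdump prints it; the two rules are constructed for this example and are not Snort rules.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# Constructed sample input: the tcpdump records printed in the chapter, with the
# backslash continuations joined back into one record per line. The service
# name is written "netbios-ns" (hyphenated) as tcpdump's /etc/services lookup
# prints it.
SAMPLE_LOG = """\
02:05:53.702706 ns1.rdu.redhat.com.domain > pinky.exampledomain.com.55828: 6077 NXDomain* 0/1/0 (103) (DF)
02:05:53.886395 shadowman.exampledomain.com.netbios-ns > 172.16.59.255.netbios-ns: NBT UDP PACKET(137): QUERY; BROADCAST
02:05:54.103355 802.1d config c000.00:05:74:8c:a1:2b.8043 root 0001.00:d0:01:23:a5:2b pathcost 3004 age 1 max 20 hello 2 fdelay 15
02:05:54.636436 konsole.exampledomain.com.netbios-ns > 172.16.59.255.netbios-ns: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
02:05:56.323715 pinky.exampledomain.com.1013 > heavenly.exampledomain.com.860: udp 56 (DF)
02:05:56.323882 heavenly.exampledomain.com.860 > pinky.exampledomain.com.1013: udp 28 (DF)
"""

LOCAL_HOST = "pinky.exampledomain.com"  # the capturing machine named in the chapter


@dataclass
class Packet:
    time: str
    src_host: Optional[str]   # None for frames with no "src > dst" pair
    src_port: Optional[str]
    dst_host: Optional[str]
    dst_port: Optional[str]
    info: str                 # everything tcpdump printed after the addresses


# "<time> <src> > <dst>: <info>"; host and port are joined by the last dot.
LINE_RE = re.compile(r"^(\S+) (\S+) > (\S+): (.*)$")


def split_endpoint(endpoint: str) -> Tuple[str, str]:
    """'pinky.exampledomain.com.55828' -> ('pinky.exampledomain.com', '55828')."""
    host, _, port = endpoint.rpartition(".")
    return host, port


def parse_line(line: str) -> Optional[Packet]:
    line = line.strip()
    if not line:
        return None
    m = LINE_RE.match(line)
    if m is None:
        # Not an IP "src > dst" record (here: an 802.1d spanning-tree frame).
        # Keep it so the summary reflects everything the interface delivered.
        time, _, rest = line.partition(" ")
        return Packet(time, None, None, None, None, rest)
    time, src, dst, info = m.groups()
    src_host, src_port = split_endpoint(src)
    dst_host, dst_port = split_endpoint(dst)
    return Packet(time, src_host, src_port, dst_host, dst_port, info)


def parse_log(text: str) -> List[Packet]:
    return [p for p in (parse_line(l) for l in text.splitlines()) if p is not None]


def classify(pkt: Packet, local_host: str) -> str:
    """Was this packet addressed to us, or only seen because the NIC is promiscuous?"""
    if pkt.src_host is None:
        return "non-ip"
    if local_host in (pkt.src_host, pkt.dst_host):
        return "local"
    if pkt.dst_host.endswith(".255") or "BROADCAST" in pkt.info:
        return "broadcast"
    return "other"


def summarize(pkts: List[Packet], local_host: str) -> Dict[str, int]:
    return dict(Counter(classify(p, local_host) for p in pkts))


# Toy signatures: a name plus a predicate over a parsed packet. These are
# constructed for the example and are not Snort rules.
Rule = Tuple[str, Callable[[Packet], bool]]
RULES: List[Rule] = [
    ("nbt-name-query-broadcast",
     lambda p: p.dst_port == "netbios-ns" and "QUERY" in p.info),
    ("dns-nxdomain-reply",
     lambda p: p.src_port == "domain" and "NXDomain" in p.info),
]


def match_rules(pkts: List[Packet], rules: List[Rule] = RULES) -> List[Tuple[str, str]]:
    """Tag every IP record that matches a signature: (timestamp, rule name)."""
    alerts = []
    for p in pkts:
        if p.src_host is None:
            continue
        for name, pred in rules:
            if pred(p):
                alerts.append((p.time, name))
    return alerts


if __name__ == "__main__":
    pkts = parse_log(SAMPLE_LOG)
    print("captured:", summarize(pkts, LOCAL_HOST))
    for t, name in match_rules(pkts):
        print(f"{t} ALERT {name}")
```

Run against the six records, the summary shows only three were addressed to pinky.exampledomain.com; the two NetBIOS broadcasts and the spanning-tree frame were captured anyway, which is the point made above. The rule loop is the part tcpdump does not do: each record is checked against every signature and matches are emitted as alerts rather than as raw dumps.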
Snort is an IDS designed to be comprehensive and accurate in successfully logging malicious network activity and notifying administrators when potential breaches occur. Snort uses the standard libpcap library and tcpdump as a packet logging backend.
The most prized feature of Snort is not its functionality, but its flexible attack signature subsystem. Snort has a constantly updated database of attacks that can be added to and updated via the Internet. Users can create signatures based on new network attacks and submit them to the Snort signature mailing lists (located at http://www.snort.org/lists.html), so that all Snort users benefit. This community ethic of sharing has grown Snort into one of the most up-to-date and robust network-based IDSes available.
Note
Snort is not included with Red Hat Linux and is not supported. It has been included in this document as a reference for users who may be interested in evaluating it.
For more information about using Snort, refer to the official website at http://www.snort.org.