# NOTE(review): this is a captured interactive `history` dump (the leading
# integers are history indices), not a runnable script. The comments below
# point out the steps that failed and the ones that weaken the resulting
# IDS deployment.
1 clear
2 ifconfig
3 mkdir snort
4 ls
5 cd snort/
6 ls
# Build libpcap from a tarball already present in ./snort (the download
# step is not part of this history).
7 tar -xzvf libpcap-1.8.1.tar.gz
8 cd libpcap-1.8.1
9 ./configure
# BUG: a single `&` backgrounds `make` and starts `make install` at once,
# before the build has finished; the explicit re-run on the next line is
# presumably the workaround. The intended form is `make && make install`.
10 make & make install
11 make install
12 cd ..
13 ls
# libdnet, pcre and daq are built from source the same way.
14 tar -xzvf libdnet-1.11.tar.gz
15 cd libdnet-1.11
16 ./configure
17 make
18 make install
19 cd ..
20 ls
21 tar -xzvf pcre-8.40.tar.gz
22 cd pcre-8.40
23 ./configure
24 make
25 make install
26 cd ..
27 ls
28 tar -xzvf daq-2.0.6.tar.gz
29 cd daq-2.0.6
30 ./configure
31 make
32 make install
33 cd ..
# Wrong archive name (no such file); corrected on the next line.
34 tar -xzvf snort
35 tar -xzvf snort-2.9.9.0.tar.gz
36 yum -y install libdnet-devel
37 cd snort-2.9.9.0
38 ls
# `./configure --enable-sourcefire` is attempted three times (39, 44, 46)
# with package installs in between, which suggests it kept failing on
# missing headers until zlib-devel was added. libdnet-devel is requested
# three times; the repeats after the first have no effect.
39 ./configure --enable-sourcefire
40 yum -y install libdnet-devel
# NOTE(review): this URL ends in `/` and points at the libnet project
# (a different library from libdnet); as written it likely fetches an HTML
# page rather than the tarball, and nothing later in the history uses it.
41 wget https://sourceforge.net/projects/libnet/files/libnet/0.10.11/libnet-0.10.11.tar.gz/
42 ls
43 yum -y install libdnet-devel
44 ./configure --enable-sourcefire
45 yum install zlib-devel -y
46 ./configure --enable-sourcefire
47 make
48 make install
# Populate /etc/snort from the source tree's etc/ directory and the
# rules snapshot tarball.
49 cd /etc/
50 mkdir snort
51 cd snort/
52 cp /root/snort/snort-2.9.9.0/etc/* .
53 ls
54 tar -zvxf /root/snort/snort-2.9.9.0/snortrules-snapshot-2990.tar.gz
55 ls
# Empty reputation lists, presumably so the references to them in
# snort.conf resolve — confirm against the shipped snort.conf.
56 touch /etc/snort/rules/white_list.rules /etc/snort/rules/black_list.rules
# Interactive edit of snort.conf; the changes made are not recorded here.
57 vi /etc/snort/snort.conf
# Install the init script and sysconfig file shipped in rpm/ and enable
# the service at boot.
58 cd /root/snort/snort-2.9.9.0
59 ls
60 cd rpm/
61 ls
62 cp snortd /etc/init.d/snort
63 cp snort.sysconfig /etc/sysconfig/snort
64 chkconfig --add /etc/init.d/snort
65 chkconfig snort on
# Symlink so `snort` resolves under /usr/sbin — presumably the path the
# init script expects; verify in snortd.
66 cd /usr/sbin/
67 ln -s /usr/local/bin/snort snort
# /var/log/snort does not exist yet at this point, so this chmod fails;
# the directory is created and chmod'ed again below.
68 cd /var/log/
69 chmod 777 snort
70 ls
71 mkdir snort
72 ls
# SECURITY: a world-writable log directory lets any local user delete or
# alter IDS output. Prefer owning it by the snort account once that exists,
# e.g. `chown snort:snort /var/log/snort && chmod 750 /var/log/snort`.
73 chmod 777 snort/
74 ls
75 cd /etc/
76 ls
# SECURITY: world-writable /etc/snort lets any local user rewrite
# snort.conf and the rules, i.e. silently blind or disable the sensor.
# Snort only needs read access; keep it root-owned, mode 755 (or 750 with
# group snort).
77 chmod 777 snort/
78 cd /usr/local/bin/
79 ls
# Configuration test (-T). The `-u snort -g snort` privilege drop is
# removed over the next two attempts — presumably because the snort
# user/group were never created — so the daemon ends up running as root.
# Create them (`groupadd snort; useradd -r -g snort -s /sbin/nologin snort`)
# and keep -u/-g. Also, `-T` takes no argument in Snort 2.9; the bare
# `eth0` here is probably not selecting the interface (that is `-i eth0`,
# as used at 88).
80 ./snort -T eth0 -u snort -g snort -c /etc/snort/snort.conf
81 ./snort -T eth0 -g snort -c /etc/snort/snort.conf
82 ./snort -T eth0 -c /etc/snort/snort.conf
# The dynamic-rules directory (presumably referenced by a
# `dynamicdetection directory` line in snort.conf) is missing; `mkdri` is
# a typo, corrected on the next line.
83 locate snort_dynamicrules
84 mkdri /usr/local/lib/snort_dynamicrules
85 mkdir /usr/local/lib/snort_dynamicrules
86 ./snort -T eth0 -c /etc/snort/snort.conf
# Local rules edited by hand (the ICMP test rule is shown after this dump).
87 vi /etc/snort/rules/local.rules
# Foreground run on eth0 with alerts printed to the console — as root,
# see the note at 80.
88 snort -c /etc/snort/snort.conf -i eth0 -A console
89 snort -v
90 ls /var/log/snort/
91 snort -c /etc/snort/snort.conf -i eth0 -A console
# Save the session history. `cat history` looks for a *file* named
# history in the current directory and fails; `history > file` (95) uses
# the shell builtin and works.
92 history
93 cat history > /home/boobal.txt
94 cat history > /root/boobal.txt
95 history > /home/boobal.txt
Working fine for a localhost ping test, using the following rule:
alert icmp any any -> $HOME_NET any (msg:"Ping Testing";sid:1000003; rev:1;)
Install ngrep:
# NOTE(review): the RPM is fetched over plain http from a third-party
# (rpmforge) mirror. Verify its signature with `rpm -K` (after importing the
# repository's GPG key) before installing, or install it from a
# GPG-checked repository instead.
wget http://ftp.tu-chemnitz.de/pub/linux/dag/redhat/el6/en/x86_64/rpmforge/RPMS/ngrep-1.45-1.el6.rf.x86_64.rpm
rpm -ivh ngrep-1.45-1.el6.rf.x86_64.rpm
In these examples, it is assumed that eth0 is the network interface in use.
Capture traffic entering or leaving the eth0 interface and show the parameters that follow HTTP (TCP/80) GET or POST methods:
ngrep -l -q -d eth0 -i "^GET |^POST " tcp and port 80
Capture traffic entering or leaving the eth0 interface and show the HTTP (TCP/80) User-Agent string:
ngrep -l -q -d eth0 -i "User-Agent: " tcp and port 80
Capture traffic entering or leaving the eth0 interface and show DNS (UDP/53) queries and responses:
ngrep -l -q -d eth0 -i "" udp and port 53
/32 is a network mask of 255.255.255.255
/24 is a network mask of 255.255.255.0
#ip addr
# NOTE(review): this is a captured interactive `history` dump (the leading
# integers are history indices), not a runnable script. The comments below
# point out the steps that failed and the ones that weaken the resulting
# IDS deployment.
2 ifconfig
3 mkdir snort
4 ls
5 cd snort/
6 ls
# Build libpcap from a tarball already present in ./snort (the download
# step is not part of this history).
7 tar -xzvf libpcap-1.8.1.tar.gz
8 cd libpcap-1.8.1
9 ./configure
# BUG: a single `&` backgrounds `make` and starts `make install` at once,
# before the build has finished; the explicit re-run on the next line is
# presumably the workaround. The intended form is `make && make install`.
10 make & make install
11 make install
12 cd ..
13 ls
# libdnet, pcre and daq are built from source the same way.
14 tar -xzvf libdnet-1.11.tar.gz
15 cd libdnet-1.11
16 ./configure
17 make
18 make install
19 cd ..
20 ls
21 tar -xzvf pcre-8.40.tar.gz
22 cd pcre-8.40
23 ./configure
24 make
25 make install
26 cd ..
27 ls
28 tar -xzvf daq-2.0.6.tar.gz
29 cd daq-2.0.6
30 ./configure
31 make
32 make install
33 cd ..
# Wrong archive name (no such file); corrected on the next line.
34 tar -xzvf snort
35 tar -xzvf snort-2.9.9.0.tar.gz
36 yum -y install libdnet-devel
37 cd snort-2.9.9.0
38 ls
# `./configure --enable-sourcefire` is attempted three times (39, 44, 46)
# with package installs in between, which suggests it kept failing on
# missing headers until zlib-devel was added. libdnet-devel is requested
# three times; the repeats after the first have no effect.
39 ./configure --enable-sourcefire
40 yum -y install libdnet-devel
# NOTE(review): this URL ends in `/` and points at the libnet project
# (a different library from libdnet); as written it likely fetches an HTML
# page rather than the tarball, and nothing later in the history uses it.
41 wget https://sourceforge.net/projects/libnet/files/libnet/0.10.11/libnet-0.10.11.tar.gz/
42 ls
43 yum -y install libdnet-devel
44 ./configure --enable-sourcefire
45 yum install zlib-devel -y
46 ./configure --enable-sourcefire
47 make
48 make install
# Populate /etc/snort from the source tree's etc/ directory and the
# rules snapshot tarball.
49 cd /etc/
50 mkdir snort
51 cd snort/
52 cp /root/snort/snort-2.9.9.0/etc/* .
53 ls
54 tar -zvxf /root/snort/snort-2.9.9.0/snortrules-snapshot-2990.tar.gz
55 ls
# Empty reputation lists, presumably so the references to them in
# snort.conf resolve — confirm against the shipped snort.conf.
56 touch /etc/snort/rules/white_list.rules /etc/snort/rules/black_list.rules
# Interactive edit of snort.conf; the changes made are not recorded here.
57 vi /etc/snort/snort.conf
# Install the init script and sysconfig file shipped in rpm/ and enable
# the service at boot.
58 cd /root/snort/snort-2.9.9.0
59 ls
60 cd rpm/
61 ls
62 cp snortd /etc/init.d/snort
63 cp snort.sysconfig /etc/sysconfig/snort
64 chkconfig --add /etc/init.d/snort
65 chkconfig snort on
# Symlink so `snort` resolves under /usr/sbin — presumably the path the
# init script expects; verify in snortd.
66 cd /usr/sbin/
67 ln -s /usr/local/bin/snort snort
# /var/log/snort does not exist yet at this point, so this chmod fails;
# the directory is created and chmod'ed again below.
68 cd /var/log/
69 chmod 777 snort
70 ls
71 mkdir snort
72 ls
# SECURITY: a world-writable log directory lets any local user delete or
# alter IDS output. Prefer owning it by the snort account once that exists,
# e.g. `chown snort:snort /var/log/snort && chmod 750 /var/log/snort`.
73 chmod 777 snort/
74 ls
75 cd /etc/
76 ls
# SECURITY: world-writable /etc/snort lets any local user rewrite
# snort.conf and the rules, i.e. silently blind or disable the sensor.
# Snort only needs read access; keep it root-owned, mode 755 (or 750 with
# group snort).
77 chmod 777 snort/
78 cd /usr/local/bin/
79 ls
# Configuration test (-T). The `-u snort -g snort` privilege drop is
# removed over the next two attempts — presumably because the snort
# user/group were never created — so the daemon ends up running as root.
# Create them (`groupadd snort; useradd -r -g snort -s /sbin/nologin snort`)
# and keep -u/-g. Also, `-T` takes no argument in Snort 2.9; the bare
# `eth0` here is probably not selecting the interface (that is `-i eth0`,
# as used at 88).
80 ./snort -T eth0 -u snort -g snort -c /etc/snort/snort.conf
81 ./snort -T eth0 -g snort -c /etc/snort/snort.conf
82 ./snort -T eth0 -c /etc/snort/snort.conf
# The dynamic-rules directory (presumably referenced by a
# `dynamicdetection directory` line in snort.conf) is missing; `mkdri` is
# a typo, corrected on the next line.
83 locate snort_dynamicrules
84 mkdri /usr/local/lib/snort_dynamicrules
85 mkdir /usr/local/lib/snort_dynamicrules
86 ./snort -T eth0 -c /etc/snort/snort.conf
# Local rules edited by hand (the ICMP test rule is shown after this dump).
87 vi /etc/snort/rules/local.rules
# Foreground run on eth0 with alerts printed to the console — as root,
# see the note at 80.
88 snort -c /etc/snort/snort.conf -i eth0 -A console
89 snort -v
90 ls /var/log/snort/
91 snort -c /etc/snort/snort.conf -i eth0 -A console
# Save the session history. `cat history` looks for a *file* named
# history in the current directory and fails; `history > file` (95) uses
# the shell builtin and works.
92 history
93 cat history > /home/boobal.txt
94 cat history > /root/boobal.txt
95 history > /home/boobal.txt
Working fine for a localhost ping test, using the following rule:
alert icmp any any -> $HOME_NET any (msg:"Ping Testing";sid:1000003; rev:1;)
Install ngrep:
# NOTE(review): the RPM is fetched over plain http from a third-party
# (rpmforge) mirror. Verify its signature with `rpm -K` (after importing the
# repository's GPG key) before installing, or install it from a
# GPG-checked repository instead.
wget http://ftp.tu-chemnitz.de/pub/linux/dag/redhat/el6/en/x86_64/rpmforge/RPMS/ngrep-1.45-1.el6.rf.x86_64.rpm
rpm -ivh ngrep-1.45-1.el6.rf.x86_64.rpm
In these examples, it is assumed that eth0 is the network interface in use.
Capture traffic entering or leaving the eth0 interface and show the parameters that follow HTTP (TCP/80) GET or POST methods:
ngrep -l -q -d eth0 -i "^GET |^POST " tcp and port 80
Capture traffic entering or leaving the eth0 interface and show the HTTP (TCP/80) User-Agent string:
ngrep -l -q -d eth0 -i "User-Agent: " tcp and port 80
Capture traffic entering or leaving the eth0 interface and show DNS (UDP/53) queries and responses:
ngrep -l -q -d eth0 -i "" udp and port 53
/32 is a network mask of 255.255.255.255
/24 is a network mask of 255.255.255.0
#ip addr