Saturday, 14 December 2013

Lab exercise 14/12 - SNORT ON BACKTRACK 5

Snort: A Network-Based Intrusion Detection System (IDS)


Snort is an open source network-based intrusion detection system (NIDS). It can analyse traffic in real time and log packets on Internet Protocol (IP) networks. Snort can perform protocol analysis, content searching, and content matching. It can also be used to detect probes or attacks, including, but not limited to, operating system fingerprinting attempts, common gateway interface (CGI) attacks, buffer overflows, server message block (SMB) probes, and stealth port scans.

There are three modes in which Snort can be configured:
1)Sniffer
2)Packet logger
3)Network intrusion detection.

In sniffer mode, it reads the network packets and displays them on the console. In packet logger mode, the program logs packets to disk. In intrusion detection mode, the program monitors network traffic and analyses it against a rule set defined by the user. The program then performs a specific action based on what has been identified.

In this article, we will learn how to configure Snort on BackTrack.

Snort is installed in BackTrack by default, so you only need to configure it according to your infrastructure.
First of all, start the Snort service to test whether there is any problem with the installation.
Step 1
To accomplish this, click on the Applications menu, then the BackTrack menu, then Services, and then click on the Snort service.

Step 2
Now edit the configuration file named snort.conf, located in the /etc/snort directory, using vim or any other text editor, and change:
var HOME_NET any to var HOME_NET <target ip/nw add>
var EXTERNAL_NET any to var EXTERNAL_NET <attacker ip address>
Save the file and restart the Snort service with the /etc/init.d/snort restart command in a terminal.


Step 3
Now open a terminal and type the command below:

snort -q -A console -i eth0 -c /etc/snort/snort.conf
Where:
       -q is for quiet: do not show the banner and status report
       -A sets the alert mode; in this case it is console
       -i specifies the interface to listen on, and
       -c tells Snort the location of the configuration file



Step 4
Now, to test the functionality of Snort, perform a DoS attack using LOIC.

Your Snort alerts should fire.

Note: You can download LOIC from the link below
http://sourceforge.net/projects/loic/files/latest/download

Now perform an Nmap scan.
Snort should display alerts again.
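As an added example (not part of the original post), here is a small Python parser for the alert lines Snort prints with -A console; it groups the port-scan and Nmap alerts by source host, keeping only those aimed at the HOME_NET set in step 2. The alert lines, their signature names and the home network 192.168.72.129/32 are constructed sample values for this lab, not captured output.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample alert lines in the Snort 2 "-A console" (fast) format.
# IPs match the lab in this post: attacker 192.168.72.128, Snort box 192.168.72.129.
SAMPLE_ALERTS = """\
12/14-10:02:11.104233  [**] [122:1:1] (portscan) TCP Portscan [**] [Classification: Attempted Information Leak] [Priority: 2] {PROTO:255} 192.168.72.128 -> 192.168.72.129
12/14-10:05:40.551902  [**] [1:469:3] ICMP PING NMAP [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 192.168.72.128 -> 192.168.72.129
12/14-10:05:41.007315  [**] [122:1:1] (portscan) TCP Portscan [**] [Classification: Attempted Information Leak] [Priority: 2] {PROTO:255} 192.168.72.128 -> 192.168.72.129
not an alert line: snort also prints status text that must be skipped
"""

# One console alert line: timestamp, [gid:sid:rev], message, optional
# classification, priority, protocol, then "src[:port] -> dst[:port]".
ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s+(?P<cls>[^\]]+)\]\s+)?"
    r"\[Priority:\s+(?P<prio>\d+)\]\s+\{(?P<proto>[^}]+)\}\s+"
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?$"
)

def parse_alert(line):
    """Return the alert fields as a dict, or None if the line is not an alert."""
    m = ALERT_RE.match(line.strip())
    if m is None:
        return None
    fields = m.groupdict()
    for key in ("gid", "sid", "rev", "prio"):
        fields[key] = int(fields[key])
    return fields

def summarize(alert_text, home_net):
    """Group alerts aimed at HOME_NET by source IP: count, signatures, top priority."""
    net = ipaddress.ip_network(home_net)
    summary = defaultdict(lambda: {"count": 0, "signatures": set(), "top_priority": None})
    for line in alert_text.splitlines():
        alert = parse_alert(line)
        if alert is None or ipaddress.ip_address(alert["dst"]) not in net:
            continue
        entry = summary[alert["src"]]
        entry["count"] += 1
        entry["signatures"].add(f"{alert['gid']}:{alert['sid']} {alert['msg']}")
        # Snort priority 1 is the most severe, so keep the lowest number seen.
        if entry["top_priority"] is None or alert["prio"] < entry["top_priority"]:
            entry["top_priority"] = alert["prio"]
    return dict(summary)
```

Calling summarize(SAMPLE_ALERTS, "192.168.72.129/32") groups the three sample alerts under the attacker address 192.168.72.128 with two distinct signatures, which is the view a defender wants before deciding whether to block that host.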


Testing attacks from Kali and viewing the detection results in Snort

Here I use BackTrack 5 R3 as the Snort machine (IDS) and Kali Linux as the attacker machine.
Both are open source Linux distributions, so they are easy for you to download.
Now, without wasting time, let's see the examples.
USING DMITRY FROM KALI LINUX
  • Here I use the Deepmagic Information Gathering Tool, also known as 'Dmitry'.
  • I used this tool to scan for open TCP ports.

ATTACKER MACHINE
  • Here you can see Kali Linux using dmitry to perform a TCP scan of the Snort machine (192.168.72.129).
  • See the image below for more details:

[Image: Snort detection example 1]
IDS SNORT CAUGHT SOMETHING
  • Here you can see that Snort has caught something.
  • It shows that a TCP port scan was performed from the IP address 192.168.72.128.
  • That is very useful information.
  • See the image below for more details:

[Image: Snort detection example 1]
EXAMPLE 2: PERFORM AN OS DETECTION SCAN
  • Here I used nmap to perform an "OS detection scan".
  • Command I used: nmap -v -A 192.168.72.129
  • See the image below of the OS detection scan being run on Kali Linux.

[Image: Snort detection example 2]
SNORT DETECTION
  • Now the best part: you can see the behaviour of the scan performed by nmap.
  • See the red boxes I have added; they highlight many things.
  • See the image below for more help:

[Image: Snort detection example 2]
CONCLUSION
  • So this is how you can use Snort on BackTrack 5.
  • It is good from a security point of view.
  • You can use it to understand the behaviour of an attack.
  • There are lots of things you can do; use your ninja skills and sharpen your security.
  • That's it. Thank you for reading.
