Recipe 9.20 Getting Started with Snort

9.20.1 Problem

You want to set up Snort, a network-intrusion detection system.

9.20.2 Solution

Snort is included with SuSE but not Red Hat. If you need it (or you want to upgrade), download the source distribution from http://www.snort.org and unpack it:

$ tar xvpzf snort-*.tar.gz

Then compile it:

$ cd `ls -d snort-* | head -1` $ ./configure $ make

and install the binary and manpage as root:

# make install

Next, create a logging directory. It should not be publicly readable, since it will contain potentially sensitive data:

# mkdir -p -m go-rwx /var/log/snort

Finally, install the configuration files and rules database:

# mkdir -p /usr/local/share/rules # cp etc/* rules/*.rules  /usr/local/share/rules

9.20.3 Discussion

Snort is a network intrusion detection system (NIDS), sort of an early-warning radar system for break-ins. It sniffs packets from the network and analyzes them according to a collection of well-known signatures characteristic of suspicious or hostile activities. This may remind you of an anti-virus tool, which looks for patterns in files to identify viruses.

By examining the protocol information and payload of each packet (or a sequence of packets) and applying its pattern-matching rules, Snort can identify the telltale fingerprints of attempted buffer overflows, denial of service attacks, port scans, and many other kinds of probes. When Snort detects a disturbing event, it can log network trace information for further investigation, and issue alerts so you can respond rapidly.

9.20.4 See Also

snort(8). The Snort home page is http://www.snort.org.



Linux Security Cookbook
Linux Security Cookbook
ISBN: 0596003919
EAN: 2147483647
Year: 2006
Pages: 247

flylib.com © 2008-2017.
If you may any questions please contact us: flylib@qtcs.net