9.22. Detecting Intrusions with Snort
Problem
You want to notice if your system is under attack from the network.
Solution
To run as a network intrusion detection system, with binary logging, and alerts sent to the system logger:
# snort -c /usr/local/share/rules/snort.conf -b -s
To run Snort in the background, as a daemon:
# snort -D [-uuser] [-ggroup] [-mumask] -c ...
Discussion
Snort is most valuable when run as a full-fledged NIDS:
# snort -c /etc/snort/snort.conf ...                    SuSE installation
# snort -c /usr/local/share/rules/snort.conf ...        Manual installation
The configuration file includes a large number of pattern matching rules that control logging and alerts.
In this mode of operation, packets are recorded (logged) when they match known signatures indicating a possible intrusion. Use the -b option for efficient logging to binary libpcap-format files. [Recipe 9.24] The -N option disables logging if you want alerts only, but we don’t recommend this: the logs provide valuable context about the events that triggered the alerts.
Alerts can be directed to a wide range of destinations. We recommend the system logger [Recipe 9.27] because:
It’s efficient.
It’s convenient (and enlightening) to correlate Snort’s messages with those of other daemons, your firewall, and the kernel—these are all recorded in the system log.
Tools like logwatch [Recipe 9.36] can scan the log files effectively and provide notification by email, which works well with high-priority alerts.
Use the -s option to direct alerts ...
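The correlation the list above recommends, as an added example that is not part of the cookbook or of Snort itself: a small POSIX shell script that pulls Snort's -s alerts out of a syslog file, ranks them by priority, and checks which alerting source addresses also appear in the messages of sshd, the kernel (firewall) and other daemons in the same log. It assumes the Snort 2.x syslog alert line format; the log excerpt embedded in it is constructed for the example, and the function names are the example's own.

```shell
#!/bin/sh
# Added example, not from the Linux Security Cookbook or the Snort project:
# summarize Snort alerts that were sent to the system logger with -s and
# correlate them with other daemons' entries in the same log.
#
# Assumption: alert lines follow Snort 2.x's syslog format, i.e.
#   snort[PID]: [gid:sid:rev] msg [Classification: c] [Priority: n] {PROTO} src:port -> dst:port
# where priority 1 is the most severe.  The excerpt below is constructed for
# this example; rule IDs, messages and addresses are illustrative only.

SAMPLE_LOG='Mar  3 10:14:02 host sshd[2101]: Failed password for root from 203.0.113.7 port 41124 ssh2
Mar  3 10:14:03 host snort[1888]: [1:2001219:20] ET SCAN Potential SSH Scan [Classification: Attempted Information Leak] [Priority: 2] {TCP} 203.0.113.7:41130 -> 192.0.2.10:22
Mar  3 10:14:05 host kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=23
Mar  3 10:14:09 host snort[1888]: [1:1411:10] SNMP public access udp [Classification: Attempted Information Leak] [Priority: 2] {UDP} 198.51.100.4:1034 -> 192.0.2.10:161
Mar  3 10:15:10 host snort[1888]: [1:498:6] ATTACK-RESPONSES id check returned root [Classification: Potentially Bad Traffic] [Priority: 1] {TCP} 192.0.2.10:80 -> 203.0.113.7:41222'

# Pass through only the Snort alert lines from the log read on stdin.
snort_alerts() {
    grep 'snort\[[0-9]*\]: \[[0-9]*:[0-9]*:[0-9]*\]'
}

# One "priority count" line per priority seen, most severe (1) first.
alerts_by_priority() {
    snort_alerts \
        | sed -n 's/.*\[Priority: \([0-9]*\)\].*/\1/p' \
        | sort | uniq -c \
        | awk '{ print $2, $1 }'
}

# Priority-1 alerts only: the ones worth an immediate email or page.
high_priority_alerts() {
    snort_alerts | grep -F '[Priority: 1]'
}

# Distinct source addresses from the "{PROTO} src:port -> dst:port" field.
alert_sources() {
    snort_alerts \
        | sed -n 's/.*{[A-Z]*} \([0-9.]*\):[0-9]* -> .*/\1/p' \
        | sort -u
}

# For every alerting source, count how many non-Snort log lines (sshd,
# kernel/firewall, ...) mention the same address.  A non-zero count means
# the other daemons saw that host too and their entries give context.
correlate_sources() {
    log="$(cat)"
    printf '%s\n' "$log" | alert_sources | while read -r ip; do
        # grep -c exits 1 on zero matches; "|| true" keeps set -e happy.
        n=$(printf '%s\n' "$log" | grep -v 'snort\[' | grep -c -F "$ip" || true)
        printf '%s %s\n' "$ip" "$n"
    done
}

# Demonstration on the constructed excerpt.  On a real system feed the
# file your syslogd writes Snort's alerts to, e.g.
#   alerts_by_priority < /var/log/messages
printf '%s\n' "$SAMPLE_LOG" | alerts_by_priority
printf '%s\n' "$SAMPLE_LOG" | correlate_sources
```

The output of correlate_sources on the sample shows the point of the recipe's recommendation: 203.0.113.7 triggered a Snort alert and also produced an sshd failure and a firewall drop, so the three entries read as one event rather than three unrelated ones. The same pipeline can be dropped into a logwatch filter or a cron job that mails the high_priority_alerts output.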