
This is the Title of the Book, eMatter Edition
Copyright © 2007 O’Reilly & Associates, Inc. All rights reserved.
476
|
Chapter 13: Simple Intrusion Detection Techniques
Note that in Example 13-9, I used a non-root account I’d created,
called snortsql. On a publicly accessible or multiuser system it’s essen-
tial that you not use root as your Snort database account. Refer to your
database’s documentation (and Chapter 8 in this book, if you’re using
MySQL) for instructions on setting up database users and using your
database securely.
Using Snort as a Packet Sniffer
Snort is extremely useful as a network diagnostic tool and, in fact, can be used as a
real-time packet sniffer with no prior configuration. Simply invoke the command
snort with its decode, verbose (display-to-screen), and interface flags:
-d, -v,and-i,
respectively (see Example 13-10). The name of the Ethernet interface on which you
wish to sniff—that is, the name reported by
ifconfig -a, not the full path to its
actual device file—should follow the
-i flag. (If your system has only one Ethernet
interface, you can omit this flag altogether.)
Example 13-9. Creating a MySQL database for Snort
bash-# echo "CREATE DATABASE snort;" | mysql -u snortsql -p
Enter password: mypassword
bash-# cd /usr/src/snort-2.2.0
bash-# mysql snort < ./contrib/create_mysql
Example 13-10. Invoking Snort as a sniffer
bash-# snort -dvi eth0
Running in packet dump mode
Log ...