
This is the Title of the Book, eMatter Edition
Copyright © 2007 O’Reilly & Associates, Inc. All rights reserved.
480
|
Chapter 13: Simple Intrusion Detection Techniques
As you can see, this is actually a use of Snort’s Sniffer Mode: you can decode the
packets with the
-d flag, display them to the screen with the -v flag, etc. You can also
filter the output using Tcpdump primitives, as described in the previous section.
Configuring and Using Snort as an IDS
Finally we arrive at Snort’s real purpose in life: intrusion detection. Unlike Sniffer
mode or Packet Logging mode, Snort’s IDS mode requires some preconfiguration. As
I suggested earlier in the section “Making Snort feel at home after compiling and
installing it,” you can keep Snort’s main configuration file, snort.conf,in/etc/snort
and its rules in /etc/snort/rules.
Or you can keep them elsewhere; Snort is not hardcoded to expect its configuration
in any set place. Furthermore, through support of the
include statement, Snort con-
figuration is modular: rules are include files that Snort merges into snort.conf at
runtime.
The snort.conf file typically contains these sections:
• Variable definitions
• Preprocessor plug-in statements
• Output (postprocessor) statements
• Rules (in practice, usually
include statements referring to rule files)
Let’s discuss these sections one at a time.
Variable definitions
Snort’s sample snort.conf file lists a number of