FTLinuxCourse - Latest news you can't miss

Snort Installation, Config, and Rule Creation on Kali Linux 2.0

by admin
May 27, 2020
in Linux Programming


Description:

This video covers how to install Snort, edit its configuration file, write custom Snort rules, and run those rules against a PCAP containing Neutrino exploit kit traffic. The commands used in the video are listed below.

apt-get install snort (installs Snort. If you are not root, use sudo apt-get install snort. The Debian package asks for the interface to listen on and the "Address range for the local network", which becomes HOME_NET; answer with the CIDR of the network your machine is actually on, as shown by ifconfig, not a range from a different subnet.)

ifconfig (shows the configuration of your local network interface: the interface name, IP address and netmask you need for the HOME_NET setting)

touch /etc/snort/rules/custom.rules (creates an empty rule file; the rule below goes into it)

vi /etc/snort/snort.conf (opens the Snort configuration file in the Vi editor. Add the line include $RULE_PATH/custom.rules next to the existing include lines so Snort loads the new file, and confirm that HOME_NET matches your network. Reference the file through $RULE_PATH exactly like the stock include lines and do not add stray characters: if the named file cannot be found, Snort retries the name relative to the configuration directory, which is what a doubled-path error like "/etc/snort//etc/snort/rules/custom.rules:" means.)

mkdir log (creates a directory named log in the current directory for Snort's output; if it already exists, mkdir says so and you can simply skip this step)

snort -l ./log -b -c /etc/snort/snort.conf (runs Snort in NIDS mode on the live interface: -l sets the log directory, -b logs packets in binary tcpdump format, -c names the configuration file. Alerts are written to ./log/alert; press Ctrl-C to stop Snort. If Snort reports that it cannot open ./log/alert, check that you are running it from the directory that contains log and that you have write permission there.)

alert tcp any any -> any any (msg:"Possible Neutrino Exploit kit infection."; content:"vclphjybj.ioxbpjgtqvwqfzmwhn.ga"; classtype:trojan-activity; sid:999995; rev:1;) (the Snort rule from the video, reproduced here with the -> direction operator and straight ASCII quotes. The YouTube description could not show the angle bracket, and copied text often carries curly quotes; pasting curly quotes into the rule file makes Snort fail with "Content data needs to be enclosed in quotation marks", so retype the quotes if that error appears. Snort reserves sids of 1000000 and above for local rules, so for your own rules prefer a sid in that range.)

snort -l ./log -b -c /etc/snort/snort.conf -r (pcap name) (reads the named PCAP instead of the live interface and runs the rules against it. The PCAP must be a real capture file in the current directory, or given as a full path; otherwise Snort quits with "Error getting stat on pcap file". Without this step nothing from the PCAP is inspected, so the custom rule can only fire on live traffic.)
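The procedure above, from the rule file to the configuration check, as an added shell example that is not from the video or the original page. It assumes a Snort 2.x layout (snort.conf defining RULE_PATH, rules under the rules/ directory). SNORT_DIR, the function names lint_rule, write_custom_rules, ensure_include and test_config, and the use of sid 1000001 instead of the video's 999995 are this example's own choices. The linter flags the mistakes that recur in the comment thread (curly quotes pasted from a web page, a content value without quotes, a sid written without its colon, a missing direction operator), the include line is added through $RULE_PATH exactly once, and when snort is installed the script finishes with a snort -T dry run of the configuration.

```shell
#!/usr/bin/env bash
# Added example, not from the video: stage a custom Snort 2 rule, wire it into
# snort.conf, lint it for the mistakes seen in the comment thread, and dry-run
# the configuration with `snort -T` when snort is installed.
# Assumed layout: Snort 2.x with $SNORT_DIR/snort.conf defining RULE_PATH and
# rule files under $SNORT_DIR/rules. SNORT_DIR is overridable so the script can
# be exercised against a scratch directory before touching /etc/snort.
set -u

SNORT_DIR="${SNORT_DIR:-/etc/snort}"

# The rule from the video with straight ASCII quotes. The sid is moved into the
# local-rule range (1000000 and up); the video used 999995.
NEUTRINO_RULE='alert tcp any any -> any any (msg:"Possible Neutrino Exploit kit infection."; content:"vclphjybj.ioxbpjgtqvwqfzmwhn.ga"; classtype:trojan-activity; sid:1000001; rev:1;)'

# lint_rule RULE: return 0 if the rule passes, 1 with the reasons on stderr.
lint_rule() {
  rule="$1"
  rc=0
  case "$rule" in
    *“*|*”*|*‘*|*’*)
      echo "lint: curly quotes found; Snort needs straight ASCII quotes" >&2; rc=1 ;;
  esac
  case "$rule" in
    *" -> "*|*" <> "*) ;;
    *) echo "lint: missing direction operator (-> or <>) between the address pairs" >&2; rc=1 ;;
  esac
  case "$rule" in
    *"sid:"*) ;;
    *) echo "lint: sid must be written as sid:<number>; (the colon is required)" >&2; rc=1 ;;
  esac
  case "$rule" in
    *"content:"*)
      case "$rule" in
        *'content:"'*) ;;
        *) echo "lint: content value must be enclosed in double quotes" >&2; rc=1 ;;
      esac ;;
  esac
  case "$rule" in
    *";)") ;;
    *) echo "lint: rule options must end with ';)'" >&2; rc=1 ;;
  esac
  # Warn (but do not fail) when a local rule uses a sid from the reserved range.
  sid=$(printf '%s\n' "$rule" | sed -n 's/.*sid:[[:space:]]*\([0-9][0-9]*\).*/\1/p')
  if [ -n "$sid" ] && [ "$sid" -lt 1000000 ]; then
    echo "lint: sid $sid is below 1000000, the range reserved for local rules" >&2
  fi
  return $rc
}

# write_custom_rules FILE RULE...: lint every rule, then write them to FILE.
write_custom_rules() {
  file="$1"; shift
  for r in "$@"; do
    lint_rule "$r" || return 1
  done
  mkdir -p "$(dirname "$file")"
  : > "$file"
  for r in "$@"; do
    printf '%s\n' "$r" >> "$file"
  done
}

# ensure_include CONF: make snort.conf load rules/custom.rules, exactly once.
# The file is referenced through $RULE_PATH like the stock include lines; a
# mistyped name is retried relative to the config directory by Snort 2, which
# is how the doubled "/etc/snort//etc/snort/rules/custom.rules" error arises.
ensure_include() {
  conf="$1"
  line='include $RULE_PATH/custom.rules'
  grep -qF -- "$line" "$conf" 2>/dev/null || printf '%s\n' "$line" >> "$conf"
}

# test_config CONF: parse the whole configuration (snort -T) without sniffing.
test_config() {
  conf="$1"
  if command -v snort >/dev/null 2>&1; then
    snort -T -q -c "$conf"
  else
    echo "snort not installed; skipping the snort -T dry run" >&2
  fi
}

# Only touch $SNORT_DIR when invoked with --apply, so sourcing the file is harmless.
if [ "${1:-}" = "--apply" ]; then
  write_custom_rules "$SNORT_DIR/rules/custom.rules" "$NEUTRINO_RULE" || exit 1
  ensure_include "$SNORT_DIR/snort.conf"
  test_config "$SNORT_DIR/snort.conf"
fi
```

Try it first against a scratch copy of the configuration (SNORT_DIR=/tmp/snorttest bash snort_custom_rule.sh --apply), then as root against /etc/snort. A clean snort -T run means the include line and the rule parsed; it says nothing about whether the rule fires, so follow it with the -r run against a PCAP that actually contains the domain.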

Source: https://ftlinuxcourse.com

Tags: Youtube

Comments (35)

  1. islam tareq says:
    3 years ago

    http://www.malware-traffic-analysis.net/2015/08/31/page2.html

Here is a link that includes a PCAP file and IOCs.

    Reply
  2. aing dapa says:
    3 years ago

I have a problem: unable to locate package.

    Reply
  3. maroc sniper says:
    3 years ago

    ERROR: /etc/snort//etc/snort/rules/custom.rules:(0) Unable to open rules file "/etc/snort//etc/snort/rules/custom.rules:": No such file or directory.

    Reply
  4. Augustus Rodriguez says:
    3 years ago

    lol how'd you escape the prompt @ 4:10

I don't know if you're still responding to comments on this video, but I have to configure Snort for a project in my security class and would just like to know how you got out of the prompt.

    Reply
  5. Amirahmad Chapneviss says:
    3 years ago

Thanks for this video. You really helped me with my project.

    Reply
  6. Abdul R Farouk says:
    3 years ago

I downloaded the malicious.pcap but it is still not working. Is there any sample you would recommend? I saved the file using WordPad and it came out as gibberish, only characters like {} n & etc. I downloaded it and saved it on the desktop. Thank you, please help.

    Reply
  7. Hui Woo says:
    3 years ago

    Initializing Plug-ins!

    Parsing Rules file "/etc/snort/snort.conf"

    PortVar 'HTTP_PORTS' defined : [ 80:81 311 383 591 593 901 1220 1414 1741 1830 2301 2381 2809 3037 3128 3702 4343 4848 5250 6988 7000:7001 7144:7145 7510 7777 7779 8000 8008 8014 8028 8080 8085 8088 8090 8118 8123 8180:8181 8243 8280 8300 8800 8888 8899 9000 9060 9080 9090:9091 9443 9999 11371 34443:34444 41080 50002 55555 ]

    PortVar 'SHELLCODE_PORTS' defined : [ 0:79 81:65535 ]

    PortVar 'ORACLE_PORTS' defined : [ 1024:65535 ]

    PortVar 'SSH_PORTS' defined : [ 22 ]

    PortVar 'FTP_PORTS' defined : [ 21 2100 3535 ]

    PortVar 'SIP_PORTS' defined : [ 5060:5061 5600 ]

    PortVar 'FILE_DATA_PORTS' defined : [ 80:81 110 143 311 383 591 593 901 1220 1414 1741 1830 2301 2381 2809 3037 3128 3702 4343 4848 5250 6988 7000:7001 7144:7145 7510 7777 7779 8000 8008 8014 8028 8080 8085 8088 8090 8118 8123 8180:8181 8243 8280 8300 8800 8888 8899 9000 9060 9080 9090:9091 9443 9999 11371 34443:34444 41080 50002 55555 ]

    PortVar 'GTP_PORTS' defined : [ 2123 2152 3386 ]

    Detection:

    Search-Method = AC-Full-Q

    Split Any/Any group = enabled

    Search-Method-Optimizations = enabled

    Maximum pattern length = 20

    Tagged Packet Limit: 256

    Error getting stat on pcap file: malicious.pcap: No such file or directory

    ERROR: Error getting pcaps.

    Fatal Error, Quitting..

Doesn't work.

    Reply
  8. Hui Woo says:
    3 years ago

How do you change the CIDR if you want to test on a different network?

    Reply
  9. Hui Woo says:
    3 years ago

Can you install Snort on the 2018 and 2019 versions, plus new rules?

    Reply
  10. gokselkahraman says:
    3 years ago

Excellent explanation. Thank you very much.

    Reply
  11. Vishwas Kaup Vijayananda says:
    3 years ago

Good video! But I have a question:

The IP address of your system is 192.168.199.130/24. This means it is in the 192.168.199.* network.

But when you installed Snort IDS, you gave the "Address range for the local network" as 192.168.0.0/24. This means it is in the 192.168.0.* network.

So your system is on one network and Snort is on a completely different network. How does it work?

    Reply
  12. Allan NG says:
    3 years ago

    Hi,
Thanks for the video. I wish to know: if I want to get an alert for a download, how do I write the rule in Snort to detect that? Hope to hear from you. Thanks.

    Reply
  13. ah oo says:
    3 years ago

Hello, I just have a question. I'm new to writing Snort rules, so if you have a web address, can you put that in a rule, and how do you do that? How do you make a snd rule?

    Reply
  14. cap kapak says:
    3 years ago

Hello sir, may I ask: what happens if I do not do / skip the last step, "snort -l ./log -b -c /etc/snort/snort.conf -r (pcap name) (this reads a PCAP and compares it against Snort rules)"?

    Reply
  15. Lee Cottrell says:
    3 years ago

The custom rule in the video is great. However, it can be hard to test if your local firewall blocks the site. Here is a much simpler rule that checks for traffic from your PC to the Kali box.

alert tcp yourPCIP any -> yourKaliIP any (msg:"Traffic from PC"; sid:113020171; rev:1;)

Then start Snort using the command in the video.

From your PC, use a web browser to connect to the Kali IP. The connection will likely fail, but the message will be recorded in the log. Cat or more the log to find the msg you wrote in the rule.

    Reply
  16. Osman Palmier says:
    3 years ago

Please help: when I used the mkdir log command, this appeared: "mkdir: cannot create directory 'log': File exists". What happened here?

    Reply
  17. Randolph Stokes says:
    3 years ago

Great tutorial video! Getting it set up right and viewing alerts was killing me. Now I can complete my class assignments. Thank you!

    Reply
  18. hieubinhquoi says:
    3 years ago

That is so good.

    Reply
  19. Hey Dadddy says:
    3 years ago

Good day, what about Debian or Linux Mint, are any extra configurations needed?

    Reply
  20. Ikhsan Risalba says:
    3 years ago

Initializing Snort:
"Error getting stat on pcap file: malicious.pcap: No such file or directory"

What must I do?

    Reply
  21. World Maps says:
    3 years ago

May I ask you why? HOME_NET, the ping is my OS.

    Reply
  22. Too Late says:
    3 years ago

Great video, Jesse. Please keep them coming. What about a nice tutorial on pfSense or OPNsense?

    Reply
  23. Samir says:
    3 years ago

    cat | less? why not just less?

    Reply
  24. Jared Perez says:
    3 years ago

    Excellent instructor

    Reply
  25. islam tareq says:
    3 years ago

I receive this error, any help please: "Content data needs to be enclosed in quotation marks".

    Reply
  26. N says:
    3 years ago

    Hi Jesse,

Where can I get a copy of the exact pcap that you used? I downloaded a pcap from the website you mentioned in a previous comment and downloaded a pcap related to that rootkit. However, I am not able to obtain an alert as specified in the custom rules.

    Reply
  27. Derrick Gordon says:
    3 years ago

So what if you don't have Snort, how do you get these programs?

    Reply
  28. Mr_Chiller says:
    3 years ago

Hey Jesse, great video! I just have one error: when I run "snort l ./log -b -c /etc/snort/snort.conf", I get the error "ERROR: /etc/snort/snort.conf(1) Invalid configuration line: —————————————–". Any ideas?

    Reply
  29. Lu-Cha says:
    3 years ago

    Hi Jesse. Cool thing! Simple, easy, short. Are there any places you can recommend for pcap samples downloads?

    Reply
  30. Angel Perez says:
    3 years ago

I'm stuck with the log test. After running "snort -l ./log -b -c /etc/snort/snort.conf" it starts running but stops with "ERROR: OpenAlertFile()……/log/alert: no such file or directory….Fatal Error, Quitting…", and then I don't have any file inside /log, just an "alert" file. So I guess it is not working. Any idea? Thanks in advance.

    Reply
  31. Craig Watkins says:
    3 years ago

Would this method work on a Raspberry Pi 3? Thanks.

    Reply
  32. Hector95815 says:
    3 years ago

Very good video. I installed Snort but missed the configuration package, but the log showed that it is working. I don't have the pcap file yet, so the rule doesn't work. I presume I have to download a pcap file or change the conf file? Excuse this disabled old fart with some time to mess with stuff like this. Otherwise, keep up the good work!!!

    Reply
  33. Hannibal Anderson says:
    3 years ago

    Fantastic explanation of creating Snort rules. Keep them coming. Thank you!

    Reply
  34. akshay jain says:
    3 years ago

When I do apt-get install snort,
it's unable to find the package.

    Reply
  35. Jose Mijail Redkoborodiy Montoya says:
    3 years ago

Hello, thank you very much for the video, it helped me a lot.
But now I wonder, how could I send alerts to an email? Excuse the bother. Thanks for your time.

    Reply
