Thursday, February 15, 2007

Using Snort as a simple IDS

In my previous blog post (Testing Snort 2.7.0 Beta 1), I described my endeavour to install Snort 2.7.0 Beta 1. After successfully installing Snort, I wanted to create a simple IDS rule and use Snort as a simple IDS.

To test Snort as an IDS, I first created a simple rule like the following:


Then I started Snort using the following command:



I opened another Konsole and pinged localhost:


In the Snort window, I pressed Ctrl-C. Snort appears not to respond to Ctrl-C, but in fact it is waiting for the first packet.

In the other Konsole, I pinged localhost again:


In the Snort window, the display looks like the following:


You can see that Snort actually responds to our Ctrl-C only after it has received the first packet matching its rules.

From the figure above, we can see that Snort received 10 packets and analyzed 2 (two) ICMP packets. Those packets generated 5 alerts and 5 log entries.

In the tests/ directory we can see that Snort created two files:


And here are the alert file contents:


Snort has analyzed the ICMP packets according to the rule we created.
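Once Snort has written its alert file, the next step for anyone running it as an IDS is to read that file back and tally what fired. The following is an added example, not code or output from this post: it parses Snort's classic "full" alert-file format (one record per alert, separated by blank lines) and summarises alerts by rule SID, source address and protocol. The three alert records embedded in it are constructed sample data in that format, not the alerts from the test above; the SIDs, addresses and timestamps are invented for illustration.

```python
import re
from collections import Counter

# Constructed sample in Snort's "full" alert-file format.
# These records are made up for this example; they are not the post's alert file.
SAMPLE_ALERT_FILE = """\
[**] [1:1000001:0] ICMP test alert [**]
[Priority: 0]
02/15-10:31:02.123456 127.0.0.1 -> 127.0.0.1
ICMP TTL:64 TOS:0x0 ID:0 IpLen:20 DgmLen:84 DF
Type:8  Code:0  ID:4660  Seq:1  ECHO

[**] [1:1000001:0] ICMP test alert [**]
[Priority: 0]
02/15-10:31:02.123999 127.0.0.1 -> 127.0.0.1
ICMP TTL:64 TOS:0x0 ID:0 IpLen:20 DgmLen:84
Type:0  Code:0  ID:4660  Seq:1  ECHO REPLY

[**] [1:1000002:0] ICMP from outside [**]
[Classification: Misc activity] [Priority: 3]
02/15-10:32:15.000001 192.0.2.10 -> 127.0.0.1
ICMP TTL:57 TOS:0x0 ID:11 IpLen:20 DgmLen:60
Type:8  Code:0  ID:2  Seq:7  ECHO
"""

# "[**] [gid:sid:rev] message [**]" opens every record
HEADER_RE = re.compile(r"^\[\*\*\] \[(\d+):(\d+):(\d+)\] (.*?) \[\*\*\]$")
# "MM/DD-HH:MM:SS.usec src -> dst" (src/dst carry ":port" for TCP/UDP, so \S+)
PACKET_RE = re.compile(r"^(\d\d/\d\d-\d\d:\d\d:\d\d\.\d+) (\S+) -> (\S+)$")
PRIORITY_RE = re.compile(r"\[Priority: (\d+)\]")
CLASS_RE = re.compile(r"\[Classification: ([^\]]+)\]")


def parse_alerts(text):
    """Return one dict per alert record found in a full-format alert file."""
    alerts = []
    # Records are separated by blank lines
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.splitlines()
        m = HEADER_RE.match(lines[0])
        if not m:
            continue  # not an alert record; skip it rather than crash
        gid, sid, rev, msg = m.groups()
        alert = {"gid": int(gid), "sid": int(sid), "rev": int(rev), "msg": msg,
                 "priority": None, "classification": None,
                 "timestamp": None, "src": None, "dst": None, "proto": None}
        for line in lines[1:]:
            pm = PACKET_RE.match(line)
            if pm:
                alert["timestamp"], alert["src"], alert["dst"] = pm.groups()
                continue
            pr = PRIORITY_RE.search(line)
            if pr:
                alert["priority"] = int(pr.group(1))
                cm = CLASS_RE.search(line)  # classification is optional
                if cm:
                    alert["classification"] = cm.group(1)
                continue
            if alert["proto"] is None and alert["src"] is not None:
                # The line right after the packet line starts with the protocol name
                alert["proto"] = line.split()[0]
        alerts.append(alert)
    return alerts


def summarize(alerts):
    """Tally alerts the way an analyst would eyeball them: per rule, per source, per protocol."""
    return {
        "total": len(alerts),
        "by_sid": dict(Counter(a["sid"] for a in alerts)),
        "by_src": dict(Counter(a["src"] for a in alerts)),
        "by_proto": dict(Counter(a["proto"] for a in alerts)),
    }


if __name__ == "__main__":
    # To read a real file instead: parse_alerts(open("tests/alert").read())
    print(summarize(parse_alerts(SAMPLE_ALERT_FILE)))
```

On the post's own test, where every alert came from the same ICMP rule, the by_sid tally would show a single SID, which is a quick way to confirm that the rule fired as expected and nothing else did.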
