Comprehensive Guide to Snort NIPS: Features, Installation, and Usage

I. Overview of Snort and NIPS

Snort is a powerful network intrusion detection/prevention system known as NIDS/NIPS, featuring cross-platform, real-time traffic analysis, and network IP packet logging.

1. Operating Modes

Snort operates in three modes: sniffer, packet logger, and network intrusion detection system.

1. Sniffer: The sniffer mode reads packets from the network and displays them continuously on the terminal. 2. Packet Logger: The packet logger mode writes packets to the hard drive. 3. Network Intrusion Detection: The network intrusion detection mode is the most complex and configurable. We can let Snort analyze network data streams to match user-defined rules and take appropriate actions based on the detection results.

When using Snort, the network card is automatically set to promiscuous mode

II. Snort Installation and Download

[The experiment was conducted on a Win7 virtual machine]

For 32-bit systems, WinPcap must be installed when using Snort.

Snort download link: https://www.snort.org/downloads#snort-downloadsNIPS WinPcap download link: https://www.winpcap.org/install/default.htmNIPSInsert image description here Install as instructed (strongly recommended to install in the root directory of the C drive for convenience in future experiments)Insert image description here

III. Sniffing and Data Logging

1. Sniffing

Open cmd in Snort’s bin directoryInsert image description here Enter snort -W to view the current network cardInsert image description here Sniffing network card 1: Snort -v -i1Insert image description here Use another machine to ping this hostInsert image description here Packets begin to displayInsert image description here Terminate with ctrl + c, then view packet analysisInsert image description here

2. Packet Logging

The default log folder in the Snort directory can directly save logs hereInsert image description here Use Snort -dve -i1 -h 192.168.88.0/24 -l c:\Snort\log -K ascii to log packets, where

-dve indicates verbose sniffing mode -h specifies the monitored host segment; if not specified, it indicates the local IP -l specifies the log storage location -K indicates character set storage in ASCII

Insert image description here Access any webpage, and capture results are availableInsert image description hereInsert image description here View file content, which is the data headerInsert image description hereLink:Snort Usage Part Two: Intrusion Detection