Mastering Snort Modes: A Comprehensive Guide to Network Intrusion Detection

1. Experiment Content: Snort Modes

Network intrusion detection mode is one of Snort's three operating modes.

2. Experiment Objective

1) Learn how to use intrusion detection mode.

2) Understand and learn about syntax parameters.

3. Experiment Principle

1) Snort has three modes of operation: sniffer mode, packet logger mode, and network intrusion detection system mode. Sniffer mode simply captures network packets and displays them on the terminal, packet logger mode stores the captured packets to disk, and intrusion detection mode is the most complex, capable of analyzing packets, detecting according to rules, and responding.

4. Experiment Content and Screenshots

1.1 Open the host with the address 192.168.1.2 and enter the command “snort -vde -l /var/log/snort -h 192.168.1.0/24 -c /etc/snort/snort.conf”. This starts Snort and writes the captured packets to the /var/log/snort directory. Then use the ctrl+c combination to end the process.


1.2 The parameter “-h 192.168.1.0/24” sets the home network, so that Snort analyzes and logs traffic only for the local network.

1.3 The parameter “-c /etc/snort/snort.conf” is used to load the configuration file /etc/snort/snort.conf.

1.4 Use the cat command to view the snort.conf file. The command is “cat /etc/snort/snort.conf”. This file references (includes) many intrusion detection rule files.


1.5 The “-l” parameter specifies the directory in which log files are stored. If the “-l” parameter is not given, Snort saves the logs in the /var/log/snort directory by default. First, delete the existing log files in the /var/log/snort directory. From inside that directory, the command is “rm -rf snort.log.*”.

1.6 Execute the command “snort -c /etc/snort/snort.conf”.

1.7 Use the ctrl+c combination to end the process, enter the /var/log/snort directory, and use the “ls” command to view the files in this directory. You will find that log files starting with “snort.log.” have been regenerated.

1.8 Switch the directory to “/home” and view the files in this directory. There are no files starting with “snort.log.” in this directory.

1.9 Execute the command “snort -l /home -c /etc/snort/snort.conf”.

1.10 Use the ctrl+c combination to end the Snort process. Switch the directory to “/home”. Use the “ls -l” command to view the files in the “/home” directory. The log files have been successfully output to the home directory (Note: If you do not see the relevant log files, you can reopen a new terminal to view them).
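The following shell script is an added example and is not part of the original lab; it wraps the two things this experiment exercises, namely which rule files a snort.conf pulls in (step 1.4) and where the “snort.log.*” files land depending on the “-l” parameter (steps 1.5 to 1.10). It assumes Snort 2.x configuration syntax (“var RULE_PATH …” and “include $RULE_PATH/…” lines) and the “snort.log.<timestamp>” log file naming seen in the lab; the snort.conf it creates under a temporary directory is constructed for the demonstration and is not the real /etc/snort/snort.conf.

```shell
#!/bin/sh
# Added example (not from the lab): helpers around the Snort IDS-mode
# invocation used in this experiment. Assumes Snort 2.x config syntax.

# Print the rule files a snort.conf will load. Resolves "var RULE_PATH ..."
# and expands $RULE_PATH in "include ..." lines; other includes
# (classification.config etc.) are printed as written.
snort_rule_includes() {
    conf="$1"
    awk '
        /^[[:space:]]*var[[:space:]]+RULE_PATH[[:space:]]+/ { rp = $3 }
        /^[[:space:]]*include[[:space:]]+/ {
            path = $2
            gsub(/\$RULE_PATH/, rp, path)
            print path
        }
    ' "$conf"
}

# Count "snort.log.*" files in a directory (0 when the glob matches nothing).
# Run it before and after a capture to confirm where -l sent the logs.
snort_log_count() {
    dir="$1"
    n=0
    for f in "$dir"/snort.log.*; do
        [ -e "$f" ] && n=$((n + 1))
    done
    echo "$n"
}

# Build the IDS-mode command line from the lab (-h HOME_NET, -l LOGDIR,
# -c CONF). Refuses a log directory that does not exist or is not writable,
# which is the usual reason no log files appear after ctrl+c.
snort_ids_cmd() {
    home_net="$1"; log_dir="$2"; conf="$3"
    if [ ! -d "$log_dir" ] || [ ! -w "$log_dir" ]; then
        echo "log directory $log_dir is missing or not writable" >&2
        return 1
    fi
    if [ ! -r "$conf" ]; then
        echo "config $conf is not readable" >&2
        return 1
    fi
    echo "snort -vde -l $log_dir -h $home_net -c $conf"
}

# --- Demonstration on a constructed snort.conf (not the real one) ---
tmpdir=$(mktemp -d)
cat > "$tmpdir/snort.conf" <<'EOF'
var RULE_PATH ../rules
ipvar HOME_NET 192.168.1.0/24
include classification.config
include $RULE_PATH/local.rules
include $RULE_PATH/scan.rules
EOF
echo "rule files loaded by $tmpdir/snort.conf:"
snort_rule_includes "$tmpdir/snort.conf"
echo "snort.log.* files in $tmpdir before a run: $(snort_log_count "$tmpdir")"
echo "command that would be run:"
snort_ids_cmd 192.168.1.0/24 "$tmpdir" "$tmpdir/snort.conf"
rm -rf "$tmpdir"
```

Run “snort_log_count /var/log/snort” and “snort_log_count /home” before and after each capture to reproduce the observation in steps 1.7 to 1.10 without relying on eyeballing “ls” output; a count that stays at zero in the directory you passed to “-l” points at a permission problem on that directory rather than at Snort.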