Snort Alerts

29/12/2020
Chưa phân loại
It was  previously explained on LinuxHint how to install Snort Intrusion Detection System and how to create Snort rules. Snort is an Intrusion Detection System designed to detect and alert on irregular activities within a network. Snort is integrated by sensors delivering information to the server according to rules instructions.

In this tutorial Snort alert modes will be explained to instruct Snort to report over incidents in 5 different ways (ignoring the “no alert” mode), fast, full, console, cmg and unsock.

If you didn’t read the articles mentioned above and you don’t have previous experience with snort please get started with the tutorial on Snort installation and usage and continue with the article on rules before continuing this lecture. This tutorial assumes you have Snort already running.

To being let’s state Snort has 6 alert modes:

Fast: in this mode Snort will report the timestamp, alert message, IP source address and port and destination IP address and port. (-A fast)

Full: additionally to the fast mode alert, the full mode includes: TTL, IP packet and IP header length, service, ICMP type and sequence number. (-A full)

Console: prints fast alerts in the console. (-A console)

Cmg: This format was developed by Snort for testing purposes, it prints a full alert on the console without saving reports on logs. (-A cmg)

Unsock: export report to other programs through Unix Socket. (-A unsock)

None: Snort won’t generate alerts. (-A none)

All alert modes are preceded by a -A which is the parameter for alerts. Alerts are saved in the log /var/log/snort/alert. Snort default rules are capable to detect irregular activity such as port scanning. Let’s test each alert mode:

Fast alert test:

snort -c /etc/snort/snort.conf -q -A fast

Where:

snort= calls the program

-c= path to config file, in this case the default one (/etc/snort/snort.conf)

-q= prevents snort from displaying initial information

-A= defines the alert mode, in this case fast.

While from a different computer I started an nmap scan against top 1000 ports alerts started to get logged to /var/log/snort/alert.

Full alert test:

snort -c /etc/snort/snort.conf -q -A full

Where:

snort= calls the program

-c= path to config file, in this case the default one (/etc/snort/snort.conf)

-q= prevents snort from displaying initial information

-A= defines the alert mode, in this case full.

As you see the report gives additional information to the fast one.

Console alert test:

With the console alert test we’ll get alerts printed in the console, for this run

snort -c /etc/snort/snort.conf -q -A console

Where:

snort= calls the program

-c= path to config file, in this case the default one (/etc/snort/snort.conf)

-q= prevents snort from displaying initial information

-A= defines the alert mode, in this case console.

As you see the printed information is closer to a fast alert than a full one.

Cmg alert test:

Now let’s get a report in the console with the information of a full report and more. This mode was developed for testing purposes and does not log results.

snort -c /etc/snort/snort.conf -q -A cmg

Where:

snort= calls the program

-c= path to config file, in this case the default one (/etc/snort/snort.conf)

-q= prevents snort from displaying initial information

-A= defines the alert mode, in this case cmg.

For the unsock alert to work, you’ll need to integrate it to a third party program or plugin.

Snort’s default alert mode is the full mode, if you don’t need the additional information of a fast, then a fast mode would increase the performance.

I hope this tutorial helped to understand Snort’s alert modes.

ONET IDC thành lập vào năm 2012, là công ty chuyên nghiệp tại Việt Nam trong lĩnh vực cung cấp dịch vụ Hosting, VPS, máy chủ vật lý, dịch vụ Firewall Anti DDoS, SSL… Với 10 năm xây dựng và phát triển, ứng dụng nhiều công nghệ hiện đại, ONET IDC đã giúp hàng ngàn khách hàng tin tưởng lựa chọn, mang lại sự ổn định tuyệt đối cho website của khách hàng để thúc đẩy việc kinh doanh đạt được hiệu quả và thành công.
Bài viết liên quan

How To Install Prometheus on Ubuntu 18.04

Overview Prometheus is an excellent open-source monitoring system which allows us to collect metrics from our applications...
28/12/2020

Install latest uGet – Download Manager for Linux

uGet is the number #1 download manager application for the Linux platform. In addition, The app is simple, lightweight and...
28/12/2020

Hướng dẫn cấu hình cảnh báo qua Gmail và Telegram trên Grafana

Ở bài trước, chúng tôi đã hướng dẫn các bạn cài đặt TIG stack và một số thao tác cơ bản....
30/12/2020
Bài Viết

Bài Viết Mới Cập Nhật

Mua Proxy V6 Nuôi Facebook Spam Hiệu Quả Tại Onetcomvn
03/06/2024

Hướng dẫn cách sử dụng ProxyDroid để duyệt web ẩn danh
03/06/2024

Mua proxy Onet uy tín tại Onet.com.vn
03/06/2024

Thuê mua IPv4 giá rẻ, tốc độ nhanh, uy tín #1
28/05/2024

Thuê địa chỉ IPv4 IPv6 trọn gói ở đâu chất lượng, giá RẺ nhất?
27/05/2024