Experiment-1
Aim: Using Snort to create a log file that records packet data.
About the tool:
SNORT is a powerful open-source intrusion detection system (IDS) and intrusion
prevention system (IPS) that provides real-time network traffic analysis and data
packet logging. SNORT uses a rule-based language that combines anomaly,
protocol, and signature inspection methods to detect potentially malicious activity.
Using SNORT, network admins can spot denial-of-service (DoS) attacks and
distributed DoS (DDoS) attacks, Common Gateway Interface (CGI) attacks, buffer
overflows, and stealth port scans. SNORT creates a series of rules that define
malicious network activity, identify malicious packets, and send alerts to users.
SNORT is a free-to-use open-source piece of software that can be deployed by
individuals and organizations. The SNORT rule language determines which network
traffic should be collected and what should happen when it detects malicious
packets. Snort can be used in the same way as sniffers and network intrusion
detection systems to discover malicious packets, or as a full network IPS solution
that monitors network activity and detects and blocks potential attack vectors.
SNORT can be used to monitor the traffic that goes in and out of a network. It will
monitor traffic in real time and issue alerts to users when it discovers potentially
malicious packets or threats on Internet Protocol (IP) networks.
SNORT enables packet logging through its packet logger mode, which means it logs
packets to the disk. In this mode, SNORT collects every packet and logs it in a
hierarchical directory based on the host network’s IP address.
SNORT can perform protocol analysis, which is a network sniffing process that
captures data in protocol layers for additional analysis. This enables the network
admin to further examine potentially malicious data packets, which is crucial in, for
example, Transmission Control Protocol/IP (TCP/IP) stack protocol specification.
Operating system (OS) fingerprinting uses the concept that all platforms have a
unique TCP/IP stack. Through this process, SNORT can be used to determine the
OS platform being used by a system that accesses a network.
Procedure:
Create a Path environment variable that points at the directory containing snort.exe:
variable name -> Path, variable value -> c:\snort\bin.
Click the OK button and then close all dialog boxes.
Open a command prompt and type the commands below.
SNORT can be configured to run in three modes:
1. Sniffer mode
2. Packet Logger mode
3. Network Intrusion Detection System mode
Sniffer mode:
snort -v
Prints the TCP/IP packet headers to the screen.
snort -vd
Shows the TCP/IP and ICMP headers together with the application-layer data in transit.
Packet Logger mode:
snort -dev -l C:\snort\log
Create the C:\snort\log directory on the C drive first. When the -l option is given,
Snort automatically goes into packet logger mode: it collects every packet it sees
and places it in the log directory.
snort -dev -l C:\snort\log -h ipaddress/24
This command tells Snort to write the data link and TCP/IP headers as well as the
application data into the log directory; -h names the home network, relative to
which the logged packets are organized.
snort -l C:\snort\log -b
This is binary mode, which logs everything into a single file (in tcpdump format).
Conclusion: Hence we can create a log file to record packet data using Snort.
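The single file written by `snort -b` is in tcpdump (pcap) format. As an added example, not part of the original lab manual, the script below builds a small constructed pcap (the MAC addresses, IPs, ports and timestamps are made-up sample data) and parses it the way an analyst would when reviewing such a log offline, reading the global header, each packet record, and the Ethernet/IPv4 layers.

```python
import struct

PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}
ETH_HDR = b"\x00\x11\x22\x33\x44\x55\x66\x77\x88\x99\xaa\xbb\x08\x00"  # dst MAC, src MAC, IPv4

def ipv4_frame(src, dst, proto, payload):
    """Build a constructed Ethernet+IPv4 frame (IP checksum left 0; sample data only)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 1, 0, 64, proto, 0,
                     bytes(int(o) for o in src.split(".")), bytes(int(o) for o in dst.split(".")))
    return ETH_HDR + ip + payload

def build_pcap(frames):
    """Wrap frames in a little-endian pcap file, the format `snort -b` writes."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # linktype 1 = Ethernet
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1700000000 + i, 0, len(f), len(f)) + f  # constructed timestamps
    return out

def parse_pcap(data):
    """Return (src, dst, protocol, detail) tuples for every IPv4 packet in a pcap blob."""
    magic = struct.unpack_from("<I", data, 0)[0]
    endian = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}.get(magic)   # magic number gives byte order
    if endian is None:
        raise ValueError("not a pcap file")
    if struct.unpack_from(endian + "I", data, 20)[0] != 1:
        raise ValueError("only Ethernet (linktype 1) is handled here")
    records, off = [], 24
    while off + 16 <= len(data):                               # 16-byte per-packet record header
        _sec, _usec, incl_len, _orig = struct.unpack_from(endian + "IIII", data, off)
        frame = data[off + 16: off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":     # skip non-IPv4 or truncated frames
            continue
        ihl, proto = (frame[14] & 0x0F) * 4, frame[23]
        src = ".".join(str(b) for b in frame[26:30])
        dst = ".".join(str(b) for b in frame[30:34])
        l4 = frame[14 + ihl:]
        if proto == 6 and len(l4) >= 4:        # TCP: source and destination ports
            detail = "%d->%d" % struct.unpack("!HH", l4[:4])
        elif proto == 1 and len(l4) >= 2:      # ICMP: type and code
            detail = "type=%d code=%d" % (l4[0], l4[1])
        else:
            detail = ""
        records.append((src, dst, PROTO_NAMES.get(proto, str(proto)), detail))
    return records

# Constructed sample log: one ICMP echo request and one TCP SYN to port 80.
SAMPLE_PCAP = build_pcap([
    ipv4_frame("192.168.1.10", "192.168.1.1", 1, b"\x08\x00\x00\x00\x00\x01\x00\x01abcd"),
    ipv4_frame("192.168.1.10", "10.0.0.5", 6,
               struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 0x50, 0x02, 8192, 0, 0)),
])
```

To review a real Snort binary log, pass the file's bytes to `parse_pcap` instead of `SAMPLE_PCAP`.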