Snort is one of the most popular intrusion detection systems (IDS).
It is free and open source software (FOSS).
snort.conf
snort.conf is a file located in Snort/etc/
ipvar HOME_NET any
Replace ‘any’ with the IP address you are protecting (for example, 10.10.10.12).
If you have a DNS Server, then make changes in the DNS_SERVERS line by replacing $HOME_NET with your DNS Server IP address; otherwise, leave this line as it is.
The same applies to SMTP_SERVERS, HTTP_SERVERS, SQL_SERVERS, TELNET_SERVERS, and SSH_SERVERS.
Remember that if you don’t have any servers running on your machine, leave the line as it is. DO NOT make any changes in that line.
If you are a Windows user, you are advised to modify these lines with the absolute path (C:\snort\etc):
var RULE_PATH ../rules
var SO_RULE_PATH ../rules
var PREPROC_RULE_PATH ../rules
var WHITE_LIST_PATH ../rules
var BLACK_LIST_PATH ../rules
Create two empty files white_list.rules and black_list.rules.
Windows users must also change these lines to use Windows paths instead of Linux paths, so substitute:
- /usr/local/… with C:\Snort\…
- / with \
- libsf_engine.so with sf_engine.dll
dynamicpreprocessor /usr/local/lib/snort_dynamicpreprocessor/
dynamicengine /usr/local/lib/snort_dynamicengine/libsf_engine.so
Comment out this line (add # at the beginning of the line), since the dynamic preprocessor libraries are already configured above:
dynamicdetection directory...
Comment (#) all lines starting with
preprocessor normalize_...
Remove the word “lzma” from this line:
decompress_swf { deflate_lzma }
Remove all \ from lines immediately after “preprocessor reputation”, and then comment them (#).
Add the full path (C:\Snort\etc\…) for the following lines:
include classification.config
include reference.config
Immediately after, add this line:
output alert_fast: alerts.ids
Replace “ipvar” with “var”, because ipvar is not recognized by Snort.
These are all the changes to make in snort.conf.
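As an added example (not part of the original walkthrough), here is a small Python script that applies the snort.conf edits listed above to the text of the file, so the changes can be reviewed as a diff instead of made by hand. It assumes Snort is installed under C:\Snort (so ../rules becomes C:\Snort\rules), that HOME_NET is the single host 10.10.10.12 as above, and it comments out the whole reputation block including its header line; the input below is a constructed excerpt of the stock Linux snort.conf, not the full file.

```python
# Constructed excerpt of the stock Linux snort.conf lines this walkthrough edits (not the whole file).
SAMPLE_CONF = """\
ipvar HOME_NET any
var RULE_PATH ../rules
var WHITE_LIST_PATH ../rules
dynamicpreprocessor /usr/local/lib/snort_dynamicpreprocessor/
dynamicengine /usr/local/lib/snort_dynamicengine/libsf_engine.so
dynamicdetection directory /usr/local/lib/snort_dynamicrules
preprocessor normalize_ip4
preprocessor http_inspect_server: server default \\
    decompress_swf { deflate_lzma }
preprocessor reputation: \\
   memcap 500, \\
   whitelist $WHITE_LIST_PATH/white_list.rules
include classification.config
include reference.config
"""

def patch_snort_conf(text, home_net="10.10.10.12", root=r"C:\Snort"):
    """Apply the walkthrough's Windows edits to snort.conf text and return the new text."""
    out, in_reputation = [], False
    for line in text.splitlines():
        s = line.strip()
        if in_reputation:  # continuation lines of the reputation block: drop '\' and comment out
            out.append("# " + s.rstrip("\\").rstrip())
            in_reputation = s.endswith("\\")
            continue
        if s.startswith("ipvar "):  # ipvar -> var, and protect one host instead of 'any'
            line = "var " + s[6:].replace("HOME_NET any", f"HOME_NET {home_net}")
        elif s.startswith("var ") and "_PATH " in s:  # absolute Windows rule paths (assumed C:\Snort)
            line = s.replace("../rules", root + r"\rules")
        elif s.startswith(("dynamicpreprocessor", "dynamicengine")):  # Linux -> Windows library paths
            line = s.replace("/usr/local", root).replace("libsf_engine.so", "sf_engine.dll").replace("/", "\\")
        elif s.startswith(("dynamicdetection", "preprocessor normalize_")):
            line = "# " + s  # comment out
        elif "decompress_swf" in s:  # drop lzma, keep the indentation of the continuation line
            line = line.replace("deflate_lzma", "deflate")
        elif s.startswith("preprocessor reputation"):
            line = "# " + s.rstrip("\\").rstrip()
            in_reputation = s.endswith("\\")
        elif s in ("include classification.config", "include reference.config"):
            line = f"include {root}\\etc\\{s.split()[1]}"
            if s.endswith("reference.config"):  # fast alert output goes right after this include
                out.append(line)
                line = "output alert_fast: alerts.ids"
        out.append(line)
    return "\n".join(out) + "\n"
```

Run it on the real file by passing the contents of C:\Snort\etc\snort.conf to patch_snort_conf and writing the result back (after reviewing the diff).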
Add this line to the file icmp-info.rules (the rule header is action, protocol, source IP, source port, destination IP, destination port; ICMP has no ports, so both port fields must be "any", and $HOME_NET already resolves to 10.10.10.12 from snort.conf):
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP-INFO PING"; icode:0; itype:8; reference:arachnids,135; reference:cve,1999-0265; classtype:bad-unknown; sid:472; rev:7;)