ids:snort
Differences
ids:snort [2018/05/03 14:23] – created veera | ids:snort [2018/05/03 14:30] – veera | ||
Line 8: | Line 8: | ||
- Configure Oinkmaster for automatic updates | - Configure Oinkmaster for automatic updates | ||
- Start snort and view analytics in TrisulNSM | - Start snort and view analytics in TrisulNSM | ||
+ | |||
+ | |||
+ | ===== Install snort ===== | ||
+ | |||
+ | Snort has a package for Ubuntu. | ||
+ | |||
+ | <code bash> | ||
+ | apt-get update | ||
+ | apt-get install snort | ||
+ | </ | ||
+ | |||
+ | Also install oinkmaster , which also has an Ubuntu package | ||
+ | |||
+ | <code bash> | ||
+ | apt-get install oinkmaster | ||
+ | </ | ||
+ | |||
+ | |||
+ | ===== Replace with Emerging Threats rules ===== | ||
+ | |||
+ | We like the ET and ET Pro rulesets for a number of reasons. If you wish to remain with the Snort community rules or move to the excellent Talos ruleset, you can skip this step. | ||
+ | |||
+ | ==== Download ET Community rules ==== | ||
+ | |||
+ | |||
+ | < | ||
+ | cd /etc/snort | ||
+ | mv rules rules_old | ||
+ | wget https:// | ||
+ | tar xf emerging.rules.tar.gz -C / | ||
+ | </ | ||
+ | |||
+ | ==== Point to the new ET rules ==== | ||
+ | |||
+ | Open snort.conf and copy the lines from rules/ | ||
+ | |||
+ | Next specify a HOMENET, otherwise many ET rules wont load | ||
+ | |||
+ | Example: | ||
+ | |||
+ | < | ||
+ | ipvar HOME_NET 192.168.0.0/ | ||
+ | </ | ||
+ | |||
+ | |||
+ | |||
+ | |||
+ | |||
+ | |||
+ | |||
+ | |||
+ | |||
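Review bot: Several commands in this hunk are cut off, so the page as written cannot be followed: the `wget https://` line has no URL, `tar xf emerging.rules.tar.gz -C /` has no extraction directory after `/`, and `ipvar HOME_NET 192.168.0.0/` has no prefix length. Please complete all three; in particular make sure the `-C` target is the rules directory under `/etc/snort` and not the filesystem root, since the archive is extracted as root after `mv rules rules_old`. The code blocks also close with a bare `</` instead of `</code>`, and the sentence "copy the lines from rules/" ends mid-path. Two smaller points: the prose says "HOMENET" while the config line uses `HOME_NET` (the variable name Snort expects), so the text should match, and "wont" should read "won't". Finally, the ET download step replaces the whole ruleset with an archive fetched straight into the config tree; it would be worth adding a sentence on checking the archive's integrity (checksum or signature, if Emerging Threats publishes one) before extracting, and noting that `apt-get` and the `/etc/snort` steps need root.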
ids/snort.txt · Last modified: 2018/05/03 14:42 by veera