SNORT

Made by: MAYOUF Dallal, BOUSSOUAR Anfal
Directed by: Mme Aliouat Z.
Table of contents

01 What is intrusion?
02 What does intrusion detection mean?
03 What is an IDS/IPS?
04 What is Snort?
05 How to install and configure it? How can we test it?

01
What is intrusion?
Intrusion

Unlawfully gaining access to systems and resources.

The access itself, or the methods used to obtain it, may be unlawful.
There need not be any "breaking in", but the result is the same:
someone is accessing something they are not allowed to.
02
What does intrusion detection mean?
Intrusion detection

Technically, any method that allows you to discover whether
someone has penetrated, or is attempting to penetrate,
your network, hosts or services.
03
What is an IDS?
IDS definition

An IDS is a device, or group of devices, that looks for
specific patterns in network traffic for the purpose of
detecting malicious intent. It only observes and reports;
unlike an IPS, it does not block anything.
03
What is an IPS?
IPS definition

An intrusion prevention system (IPS) is a network security
tool (a hardware device or software) that continuously
monitors a network for malicious activity and takes action
to prevent it when it occurs, including reporting, blocking
or dropping the traffic. To drop packets it has to sit inline
on the traffic path, whereas an IDS can work from a copy of
the traffic.
04
What is Snort?
Snort

Snort is the foremost open-source intrusion prevention system
(IPS/IDS) in the world. Snort uses a set of rules that define
malicious network activity, matches packets against those rules
and generates alerts for users. Run in sniffing mode on a normal
interface, as in this presentation, it acts as an IDS: it alerts
but does not block.
•It has hundreds of thousands of users.
•Active development of rules by the community keeps Snort up to date,
often more so than commercial alternatives.
•Snort is fast: it can run at Gbit/s rates with the right hardware and
proper tuning.
05
How to install and configure it?
Installation on Windows 10
1) Install WinPcap, from winpcap.org:
- Double-click the WinPcap installer
- Click Yes
- Click I Agree, then Install

2) Install Npcap, from nmap.org/npcap:
- Double-click the Npcap installer
- Click Yes
- Click I Agree
- Tick the last two boxes (make sure "Install Npcap in WinPcap API-compatible Mode" is
ticked, since the Windows build of Snort links against the WinPcap API) and click Install

3) Install Snort, from snort.org:
- Double-click the Snort installer
- Click Yes
- Click I Agree
- Tick all the boxes (Snort, Dynamic Modules, Documentation) and click Next
- Click Next, then Install

4) Download the Snort rules (the snortrules-snapshot archive) that match the version of
Snort you installed; the registered ruleset requires a free snort.org account.
Configuring Snort
1) Extract the files from the compressed rules archive ("rules.gz") you downloaded.
2) Copy the two folders "rules" and "preproc_rules" from the extracted folder and paste
them into the "Snort" folder.
3) Copy the snort.conf file from the extracted folder and paste it into the c:\Snort\etc folder
(replace the one that already exists).
4) Open the c:\Snort\rules folder, open the file "blacklist" with a text editor, change
the word BLACKLIST to WHITELIST and save it as "whitelist" (respect upper and
lower case). The reputation preprocessor configured in snort.conf expects both a blacklist
file and a whitelist file to exist, even if they are empty.
5) Check that everything is working by executing the following commands:
-> cd c:\snort\bin
-> snort -V (shows the version of Snort installed)
-> snort -W (lists the network interfaces on your machine with their index numbers)
-> snort -i 5 -c c:\snort\etc\snort.conf -T (5 is the interface index; choose any existing
interface on your machine. -T validates the configuration and exits without sniffing; if it
reports missing files or wrong paths, fix them in snort.conf before going on.)
Configuring Snort

6) Edit the file "c:\Snort\rules\local.rules" with Notepad++ and paste the following rules at
the bottom of the file:
alert icmp any any -> any any (msg:"Testing ICMP"; sid:1000001;)
alert tcp any any -> any any (msg:"Testing TCP"; sid:1000002;)
alert udp any any -> any any (msg:"Testing UDP"; sid:1000003;)
Then click Save. These three rules match every ICMP, TCP and UDP packet seen on the
interface, so they are only for checking that Snort is wired up correctly; they would be far
too noisy for real use.
7) To run Snort, execute the following command:
snort -i 5 -c c:\Snort\etc\snort.conf -A console
The alerts are displayed in the console. To write them to a file instead, redirect the console
output:
snort -i 5 -c c:\Snort\etc\snort.conf -A console > "path of the file"
or let Snort write its own alert file with -A fast -l c:\Snort\log (the alert file is created in
that log directory).
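To make the rule syntax used in step 6 concrete, here is an added Python example (written for this page, not code from the Snort project or from the original presentation) that parses the three test rules above plus one hypothetical tighter rule and evaluates them against constructed packets. The fourth rule, the 192.168.1.20 address, sid 1000004 and the packet samples are assumptions for illustration; the evaluator implements only the rule header (action, protocol, addresses, ports, direction) and the itype option, not Snort's full option language, and it shows why the catch-all "any any -> any any" rules fire on the Snort host's own traffic as well as on the attacker's.

```python
import re
from collections import namedtuple
from ipaddress import ip_address, ip_network

# Constructed rule set: the three catch-all test rules from local.rules above,
# plus one hypothetical tighter rule (the 192.168.1.20 address and sid 1000004
# are assumptions) that only fires on ICMP echo requests aimed at the Snort host.
RULES = """
alert icmp any any -> any any (msg:"Testing ICMP"; sid:1000001;)
alert tcp any any -> any any (msg:"Testing TCP"; sid:1000002;)
alert udp any any -> any any (msg:"Testing UDP"; sid:1000003;)
alert icmp any any -> 192.168.1.20 any (msg:"ICMP echo request to Snort host"; itype:8; sid:1000004; rev:1;)
"""

# Rule header layout: action proto src sport direction dst dport (options)
HEADER_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$"
)

Rule = namedtuple("Rule", "action proto src sport direction dst dport options")
# sport/dport are 0 for ICMP (no ports); itype is the ICMP type (8 = echo request, 0 = reply)
Packet = namedtuple("Packet", "proto src sport dst dport itype", defaults=(None,))


def parse_rule(line):
    """Split one rule into header fields and an options dict.
    Toy parser: it does not handle escaped ';' inside msg strings."""
    m = HEADER_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable rule: {line!r}")
    options = {}
    for item in m["opts"].split(";"):
        item = item.strip()
        if item:
            key, _, value = item.partition(":")
            options[key.strip()] = value.strip().strip('"')
    if "sid" not in options:
        raise ValueError("Snort requires a sid on every rule")
    return Rule(m["action"], m["proto"].lower(), m["src"], m["sport"],
                m["dir"], m["dst"], m["dport"], options)


def parse_rules(text):
    return [parse_rule(ln) for ln in text.splitlines()
            if ln.strip() and not ln.lstrip().startswith("#")]


def addr_matches(spec, addr):
    """'any', a host, a CIDR block, or any of those negated with '!'."""
    if spec == "any":
        return True
    negate = spec.startswith("!")
    hit = ip_address(addr) in ip_network(spec.lstrip("!"), strict=False)
    return hit != negate


def port_matches(spec, port):
    """'any', a single port, or a Snort range: 1:1024, :1024, 1024:."""
    if spec == "any":
        return True
    if ":" in spec:
        lo, _, hi = spec.partition(":")
        return (int(lo) if lo else 0) <= port <= (int(hi) if hi else 65535)
    return int(spec) == port


def _one_way(src, sport, dst, dport, pkt):
    return (addr_matches(src, pkt.src) and port_matches(sport, pkt.sport)
            and addr_matches(dst, pkt.dst) and port_matches(dport, pkt.dport))


def rule_matches(rule, pkt):
    if rule.proto not in ("ip", pkt.proto):
        return False
    hit = _one_way(rule.src, rule.sport, rule.dst, rule.dport, pkt)
    if rule.direction == "<>":     # bidirectional: also try the swapped header
        hit = hit or _one_way(rule.dst, rule.dport, rule.src, rule.sport, pkt)
    if not hit:
        return False
    # The only option this toy implements; real Snort has dozens (content,
    # flags, pcre, ...) and every option present must match for the rule to fire.
    if "itype" in rule.options and pkt.itype != int(rule.options["itype"]):
        return False
    return True


def evaluate(rules, pkt):
    # sids of every 'alert' rule that fires on pkt (Snort's event queue then
    # decides how many of them are actually logged)
    return sorted(int(r.options["sid"]) for r in rules
                  if r.action == "alert" and rule_matches(r, pkt))


if __name__ == "__main__":
    rules = parse_rules(RULES)
    # Constructed traffic for the ping test: echo request from the attacking
    # machine, the echo reply, then two unrelated flows from the Snort host.
    traffic = [
        Packet("icmp", "192.168.1.10", 0, "192.168.1.20", 0, itype=8),
        Packet("icmp", "192.168.1.20", 0, "192.168.1.10", 0, itype=0),
        Packet("tcp", "192.168.1.20", 51234, "203.0.113.5", 443),
        Packet("udp", "192.168.1.20", 61000, "192.168.1.1", 53),
    ]
    for pkt in traffic:
        print(pkt.proto, pkt.src, "->", pkt.dst, "fires sids", evaluate(rules, pkt))
```

Every packet in the sample trips one of the three catch-all rules, which is the point of step 6: on a real interface that means an alert for each packet of the Snort host's own DNS, web and update traffic. The fourth rule fires only on the attacker's echo request, not on the reply, which is the kind of scoping (specific destination, specific ICMP type, a rev number for change tracking) a production rule needs.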
Testing Snort

To test, connect two PCs to the same local network: one
PC is the target machine (where Snort is installed), the other
is the attacking machine. On the attacking machine, execute:
ping "IP address of the target machine"
Then check the packets received by Snort on the target
machine: you will see that Snort detects them and prints an
alert tagged "Testing ICMP" for each ICMP packet, both the echo
requests arriving and the replies leaving, because the ICMP test
rule matches any source and any destination.
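As an added example of the check at the end of this test (written for this page, not part of the original presentation or of Snort), the following Python script parses console-style alert lines and confirms that the ICMP test rule fired on packets actually sent by the attacking machine, rather than only on the target's own replies or background traffic. The alert lines, addresses and timestamps are constructed for illustration; the line layout follows Snort's fast alert format (timestamp, [gid:sid:rev], message, priority, protocol, source -> destination).

```python
import re
from collections import Counter

# Constructed alert lines in the style of Snort's fast/console alert output.
# Addresses are assumptions: 192.168.1.10 is the attacking machine and
# 192.168.1.20 the Snort host, which also generates TCP/UDP traffic of its own.
ALERTS = """\
01/23-14:05:12.123456  [**] [1:1000001:0] Testing ICMP [**] [Priority: 0] {ICMP} 192.168.1.10 -> 192.168.1.20
01/23-14:05:12.124001  [**] [1:1000001:0] Testing ICMP [**] [Priority: 0] {ICMP} 192.168.1.20 -> 192.168.1.10
01/23-14:05:13.130000  [**] [1:1000001:0] Testing ICMP [**] [Priority: 0] {ICMP} 192.168.1.10 -> 192.168.1.20
01/23-14:05:13.130400  [**] [1:1000001:0] Testing ICMP [**] [Priority: 0] {ICMP} 192.168.1.20 -> 192.168.1.10
01/23-14:05:14.000100  [**] [1:1000002:0] Testing TCP [**] [Priority: 0] {TCP} 192.168.1.20:51234 -> 203.0.113.5:443
01/23-14:05:14.200000  [**] [1:1000003:0] Testing UDP [**] [Priority: 0] {UDP} 192.168.1.20:61000 -> 192.168.1.1:53
"""

# One fast-format alert line; the optional [Classification: ...] block appears
# when a rule carries a classtype, which the test rules above do not.
ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\]\s+(?:\[Classification:[^\]]*\]\s+)?\[Priority:\s*(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s*$"
)


def parse_alerts(text):
    """Parse each alert line into a dict; lines that do not match are skipped
    (Snort also prints banner and statistics lines to the console)."""
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.match(line)
        if m:
            d = m.groupdict()
            for k in ("gid", "sid", "rev", "prio"):
                d[k] = int(d[k])
            d["sport"] = int(d["sport"]) if d["sport"] else None   # ICMP has no ports
            d["dport"] = int(d["dport"]) if d["dport"] else None
            alerts.append(d)
    return alerts


def count_by_sid(alerts):
    """How many times each rule fired; with the catch-all test rules this is
    dominated by the Snort host's own background traffic."""
    return Counter(a["sid"] for a in alerts)


def ping_detected(alerts, attacker, target, sid=1000001):
    """True if the ICMP test rule fired on at least one packet that the
    attacking machine sent to the target, i.e. the echo requests themselves
    and not just the target's replies."""
    return any(a["sid"] == sid and a["proto"] == "ICMP"
               and a["src"] == attacker and a["dst"] == target
               for a in alerts)


def talkers(alerts, sid=1000001):
    """Source addresses that triggered a given sid, most active first."""
    return Counter(a["src"] for a in alerts if a["sid"] == sid).most_common()


if __name__ == "__main__":
    alerts = parse_alerts(ALERTS)
    print("alerts per sid:", dict(count_by_sid(alerts)))
    print("ICMP sources:", talkers(alerts))
    print("ping from 192.168.1.10 detected:",
          ping_detected(alerts, "192.168.1.10", "192.168.1.20"))
```

Filtering on the attacker's source address is the part that matters: because the test rule is "any any -> any any", the target's own echo replies produce the same "Testing ICMP" message, so a raw count of alerts does not by itself prove that the attacking machine's packets were seen.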
Thank you for your attention

CREDITS: This presentation template was created by Slidesgo, including icons by
Flaticon, and infographics & images by Freepik
