Installing Snort on Windows and basic use

Snort manual

Download link: http://www.oschina.net/action/file/download?id=316&fn=964e9b719e4800c457e0d9d8f4032a451ee067ac

Environment preparation

Install Snort in a Windows 7 virtual machine

Prepare the software:
Installation is just clicking Next through each installer; there is nothing special to note.

  1. snort: https://www.snort.org/downloads
  2. npcap: https://nmap.org/npcap/

After finishing, you can see Snort installed under the C drive.

Configure environment variables

The purpose of this step is to avoid having to change into Snort's bin directory every time you want to run it; once the environment variable is configured, snort can be run from any location.
The bin directory of Snort is C:\Snort\bin; add it to the PATH environment variable.

Start snort

If this screen appears, the installation succeeded.

Configuring rules

Modify the Snort configuration file, located at C:\Snort\etc\snort.conf. This file consists of 9 parts; we only need to find the seventh part, comment out all of its contents, and then manually specify the path to our own rule file.

1) Set the network variables.
2) Configure the decoder
3) Configure the base detection engine
4) Configure dynamic loaded libraries
5) Configure preprocessors
6) Configure output plugins
7) Customize your rule set
8) Customize preprocessor and decoder rule set
9) Customize shared object rule set


Pitfalls

Set snort.conf as follows:
1: Comment out the two lines shown in the original post's screenshot (not reproduced here).
2: Change them to the content shown in the second screenshot.
3: Manually create a snort_dynamicrules folder under snort\lib, otherwise an error is still reported. My solution can be used as a reference here.
For more pitfalls, refer to https://blog.51cto.com/fupj1/1112013 or search online.

Trying it out

For example, here I wrote a rule for detecting DVWA command injection vulnerabilities (my rule is handwritten; you can also choose to download the official Snort rules).

Write rules

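The author's rule only survives as a screenshot, so the following is an added example written for this page, not the author's rule. It is a Snort 2 rule in the same spirit and assumes DVWA's default command-execution page at /vulnerabilities/exec/ (which posts the target host in a form field named "ip"), plus the $HOME_NET and $HTTP_PORTS variables defined in part 1 of snort.conf. It alerts when that field carries a shell metacharacter, raw or URL-encoded, which is the signature of a command-injection attempt against that page.

```snort
# Added example rule (not from the original post). Assumes DVWA is served
# on $HTTP_PORTS inside $HOME_NET at its default path /vulnerabilities/exec/.
# Source is "any any" so that a capture taken inside the same VM still matches;
# tighten it to $EXTERNAL_NET once the rule is deployed outside a lab.
alert tcp any any -> $HOME_NET $HTTP_PORTS ( \
    msg:"DVWA command injection attempt on /vulnerabilities/exec/"; \
    flow:to_server,established; \
    content:"POST"; http_method; \
    content:"/vulnerabilities/exec/"; http_uri; nocase; \
    content:"ip="; http_client_body; \
    pcre:"/ip=[^&\r\n]*?(?:;|%3B|\||%7C|&&|%26%26|`|%60)/iP"; \
    classtype:web-application-attack; \
    sid:1000001; rev:1; )
```

The pcre "P" modifier matches against the HTTP client body, and the encoded forms are listed because browsers URL-encode form data, so the body carries %3B rather than a literal semicolon. Save the rule in the file referenced from part 7 of snort.conf and replay the capture with the command in the "Analyze the capture" step to confirm it fires.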

Capture the traffic and filter out the command-injection packets


Analyze the capture

snort -de -c C:\Snort\etc\snort.conf -l C:\Snort\log -r C:\Users\用户名\Desktop\dvwa抓包\Command.pcapng

Here -d dumps the application-layer payload, -e prints the link-layer headers, -c selects the configuration file, -l sets the log directory, and -r reads packets from the saved capture instead of a live interface.


View the results


Origin blog.csdn.net/weixin_44288604/article/details/108597793