Snort is a free open-source network intrusion detection and prevention system. It has 5 modules: sniffer, preprocessor, detection engine, alert/log, and import/export. It uses rulesets in its detection engine to detect intrusions written in a rule language. The document demonstrates installing Snort on Ubuntu, downloading rulesets, and running Snort to detect ICMP ping traffic from a Windows machine in a basic topology. It proposes an advanced topology of running a vulnerable website on Kali and detecting attacks from a host machine.

2. Truong Van Rong
20521831
Luong Manh Tien
20522008
Phan Hoang Nam
20521635

3. BMO
FINN JAKE Princess
Bubblegum
1. Introduction
2. Implementation
3. Result & Conclusion

4. 1.
Introduction

5. 1.
Introduction
1.1 Overview
1.2
Component
1.3 Operation

6. 1. Introduction
1.1 Overview
Snort is a free open-source Network Intrusion Detection
System (NIDS) and Intrusion Prevention System (IPS)
made by Martin Roesch.
Snort can perform real-ime traffic analysis and packet
logging on IP networks, help the network manager or
user define malicious activity.

7. 1. Introduction
1.2 Component
- 5 Modules.
- Rulesets.

8. 1. Introduction
1.2 Component
Snort has 5 modules:
- Sniffer Module.
- Pre-processor Module.
- Detection Engine Module.
- Alert and Log Module.
- Import/Export data Module.

9. 1. Introduction
How Snort apply 5 modules
packet Sniffer
Pre-
Processo
r
Detectio
n
Engine
Alert/Log
Import/
Export
Data

10. 1. Introduction
Rulesets
Rule is a set of description languages, it
works with the detection engine to detect
the intrusion.
Rules can be written in
/etc/snort/rules/local.rules

11. 1. Introduction
Rulesets
Snort rules are divided into two logical
section: rule header and rule options
alert tcp any any -> 192.168.1.0/24 1337
(content:”hacked”; msg:”hack attempt”; sid:10000000;)

12. 1. Introduction
Rulesets
alert tcp any any ->
192.168.1.0/24 1337
(content:”hacked”; msg:”hack
attempt”; sid:10000000;)
Rule Header Rule Options

13. 1. Introduction
1.3 Operation
Severals modes:
- Sniffer Mode.
- Logging Mode.
- Network Intrusion Detection System
Mode.
- IPS Inline Mode.

14. 2.
Implementation

15. 2.Implementation
2.1 Topology
2.2 Installation
2.3
Configuration

16. Topology

17. Installation
Before install Snort:
sudo apt-get update
sudo apt-get upgrade
Use this command install Snort:
sudo apt-get install snort

18. Installation

19. Installation
Choose your interface

20. Installation
Type the network address range in CIDR(class inter domain routing) format

21. Installation
Use this command to check version
snort –version

22. Configuratio
nUse Window machine to ping to Ubuntu

23. Download the Snort
Rules
Community Rules
Download rule
wget https://www.snort.org/rules/snortrules-snapshot-2983.tar.gz?oinkcode= <your
link code goes here> -O snortrules-snapshot-2983.tar.gz

24. Basic
Level
Nice now we can run snort
 sudo snort -d -l /var/log/snort/ -h 192.168.1.0/24 -A console -c /etc/snort/snort.conf

25. Basic
Level
Use Window machine to ping to Ubuntu

26. 3. Result and
Conclusion

27. Basic model:
Kali: use ping command (ICMP) to Ubuntu
Ubuntu: use snort community rules to detect

28. Advanced model:
Kali: host a local website (contains many vuls)
Host: connect and attack website in kali
Ubuntu: detect and classify the attack

29. Video

30. Conclusion
- Snort: detect & prevent
- Demo