How to detect DDOS, PING, etc using SNORT
How to detect DDOS, PING, etc using SNORT
Snort is a packet sniffer that monitors network traffic in real time, scrutinizing each packet closely to detect a dangerous payload or suspicious anomalies.
My OS :- ubuntu
Let my ip address be 192.168.1.103
🅢🅔🅣🅤🅟:- ( will be easy in future )
First you need to make some changes in configuration of snort.
𝚜𝚞𝚍𝚘 𝚐𝚎𝚍𝚒𝚝 /𝚎𝚝𝚌/𝚜𝚗𝚘𝚛𝚝/𝚜𝚗𝚘𝚛𝚝.𝚌𝚘𝚗𝚏
Now, change HOME_NET IP address to your ip range.
Like,
𝚒𝚙𝚟𝚊𝚛 𝙷𝙾𝙼𝙴_𝙽𝙴𝚃 𝟷𝟿𝟸.𝟷𝟼𝟾.𝟷.𝟶/𝟸𝟺
Now go to
/𝚎𝚝𝚌/𝚜𝚗𝚘𝚛𝚝/𝚛𝚞𝚕𝚎𝚜/𝚕𝚘𝚌𝚊𝚕.𝚛𝚞𝚕𝚎𝚜
and add the rules given below
( Watch rules writing in the image. )
🅓🅔🅣🅔🅒🅣 🅟🅘🅝🅖 🅢🅒🅐🅝
𝙍𝙪𝙡𝙚:-
𝚊𝚕𝚎𝚛𝚝 𝚒𝚌𝚖𝚙 𝚊𝚗𝚢 𝚊𝚗𝚢 -> $𝙷𝙾𝙼𝙴_𝙽𝙴𝚃 𝚊𝚗𝚢 (𝚖𝚜𝚐:"𝙿𝚒𝚗𝚐 𝚍𝚎𝚝𝚎𝚌𝚝𝚎𝚍"; 𝚜𝚒𝚍:𝟷𝟶𝟶𝟶𝟶𝟶𝟷; 𝚛𝚎𝚟:𝟷; 𝚌𝚕𝚊𝚜𝚜𝚝𝚢𝚙𝚎:𝚒𝚌𝚖𝚙-𝚎𝚟𝚎𝚗𝚝;)
alert ---> show alert
ICMP ---> It's a protocol used to report error in ipv4
-> :- to
$HOME_NET ---> destination ip
msg ---> shows message which you write
sid ---> keyword is used to uniquely identify Snort rules. This information allows output plugins to identify rules easily.
100 - 1,000,000 Rules already registered . So u need to use greater than this id like 1,000,123.
rev ---> keyword is used to uniquely identify revisions of Snort rules
classtype:icmp-event ---> Categorizes the rule as an “icmp-event”, one of the predefined Snort categories. This option helps with rule organization.
𝘿𝙚𝙩𝙚𝙘𝙩𝙞𝙣𝙜
𝚜𝚞𝚍𝚘 𝚜𝚗𝚘𝚛𝚝 -𝙰 𝚌𝚘𝚗𝚜𝚘𝚕𝚎 -𝚚 -𝚌 /𝚎𝚝𝚌/𝚜𝚗𝚘𝚛𝚝/𝚜𝚗𝚘𝚛𝚝.𝚌𝚘𝚗𝚏 -𝚒 𝚎𝚑𝚝𝟶
-A console ----> shows standard output alert
-q ----> quite mode
-i ----> interface
-c ----> config
🅓🅔🅣🅔🅒🅣 🅣🅒🅟 🅢🅒🅐🅝
𝙍𝙪𝙡𝙚:-
𝚊𝚕𝚎𝚛𝚝 𝚝𝚌𝚙 𝚊𝚗𝚢 𝚊𝚗𝚢 -> $𝙷𝙾𝙼𝙴_𝙽𝙴𝚃 𝚊𝚗𝚢 (𝚖𝚜𝚐: "𝚃𝙲𝙿 𝚂𝚌𝚊𝚗 𝙳𝚎𝚝𝚎𝚌𝚝𝚎𝚍"; 𝚜𝚒𝚍:𝟷𝟶𝟶𝟶𝟶𝟶𝟶𝟻; 𝚛𝚎𝚟:𝟸; )
🅓🅔🅣🅔🅒🅣 🅓🅞🅢 🅐🅣🅣🅐🅒🅚
𝙍𝙪𝙡𝙚:-
𝚊𝚕𝚎𝚛𝚝 𝚝𝚌𝚙 𝚊𝚗𝚢 𝚊𝚗𝚢 -> $𝙷𝙾𝙼𝙴_𝙽𝙴𝚃 𝟾𝟶 (𝚏𝚕𝚊𝚐𝚜: 𝚂; 𝚖𝚜𝚐:"𝙿𝚘𝚜𝚜𝚒𝚋𝚕𝚎 𝙳𝚘𝚂 𝙰𝚝𝚝𝚊𝚌𝚔 𝚃𝚢𝚙𝚎 : 𝚂𝚈𝙽 𝚏𝚕𝚘𝚘𝚍"; 𝚏𝚕𝚘𝚠:𝚜𝚝𝚊𝚝𝚎𝚕𝚎𝚜𝚜; 𝚜𝚒𝚍:𝟹; 𝚍𝚎𝚝𝚎𝚌𝚝𝚒𝚘𝚗_𝚏𝚒𝚕𝚝𝚎𝚛:𝚝𝚛𝚊𝚌𝚔 𝚋𝚢_𝚍𝚜𝚝, 𝚌𝚘𝚞𝚗𝚝 𝟸𝟶, 𝚜𝚎𝚌𝚘𝚗𝚍𝚜 𝟷𝟶;)
#reference__researchgate-website
𝙀𝙭𝙩𝙧𝙖
Ping scan :- nmap 192.168.1.103
Tcp scan :- nmap -sT 192.168.1.103
Dos :- Use any tools😐
Credit :- I am groot
Comments
Post a Comment