How to detect DDOS, PING, etc using SNORT

Snort is an open-source network intrusion detection system (NIDS). In IDS mode it captures packets from a network interface in real time, runs each one through its preprocessors and rule set, and raises an alert whenever a packet matches a rule: a known payload, a suspicious header or flag combination, or a rate of matches that exceeds a threshold.



My OS :- Ubuntu

Let my IP address be 192.168.1.103 (on the 192.168.1.0/24 network)



SETUP:-



First you need to make a few changes to Snort's configuration. The paths below are the defaults for the snort package on Ubuntu.



sudo gedit /etc/snort/snort.conf



Now set HOME_NET to your own IP range, so that $HOME_NET in the rules below means "traffic to my network".

Like,

ipvar HOME_NET 192.168.1.0/24



Now go to

/etc/snort/rules/local.rules

and add the rules given below. Check that snort.conf still contains the line

include $RULE_PATH/local.rules

otherwise the rules in local.rules are never loaded.



( See the image for how the rules are written. )



DETECT PING SCAN



Rule:-

alert icmp any any -> $HOME_NET any (msg:"Ping detected"; sid:1000001; rev:1; classtype:icmp-event;)



alert ---> the rule action: generate an alert (and log the packet) when the rule matches



icmp ---> the protocol to match. ICMP is the control protocol of IPv4; it carries error reports (destination unreachable, TTL exceeded) and the echo request / echo reply pair that ping uses.



any any ---> source IP and source port. ICMP has no ports, so the port field is simply any.



-> ---> direction operator: traffic flowing from the left side (source) to the right side (destination)



$HOME_NET any ---> destination IP (the variable you set in snort.conf) and destination port



msg ---> the text shown in the alert



sid ---> Snort ID; uniquely identifies the rule so that output plugins can refer to it. SIDs below 100 are reserved for Snort itself and 100 to 999,999 are reserved for the official rule set, so local rules must use 1,000,000 or higher (for example 1000001). Never give two rules the same sid.



rev ---> revision number of the rule. Increase it every time you change the rule, so an alert can be matched to the version of the rule that produced it.



classtype:icmp-event ---> categorizes the rule as an "icmp-event", one of the predefined categories in classification.config. This helps with rule organization and also sets the alert's default priority.

Note that this rule matches every ICMP packet sent to HOME_NET (echo replies and error messages included), not only pings. To alert only on echo requests, add itype:8; to the options.



Detecting

Before running, test that the configuration and the new rules parse cleanly:

sudo snort -T -c /etc/snort/snort.conf

Then start Snort on the interface that carries the traffic (replace eth0 with your interface name from ip link):

sudo snort -A console -q -c /etc/snort/snort.conf -i eth0





-A console ----> print alerts to standard output in a compact one-line form

-q ----> quiet mode (no banner and statistics on startup)

-i ----> interface to listen on

-c ----> configuration file to load





DETECT TCP SCAN



Rule:-

alert tcp any any -> $HOME_NET any (msg:"TCP Scan Detected"; sid:1000005; rev:2;)

This rule has no flag, content or rate condition, so it fires on every TCP packet sent to HOME_NET, every segment of every normal connection included. It will certainly alert on nmap -sT, but it is very noisy on a real network. For a more meaningful scan signal, restrict it to connection attempts with flags:S; and add a detection_filter like the one in the DoS rule below, or enable the sfportscan preprocessor in snort.conf, which is built for this purpose.





DETECT DOS ATTACK



Rule:-

alert tcp any any -> $HOME_NET 80 (flags:S; msg:"Possible DoS Attack Type : SYN flood"; flow:stateless; sid:1000003; rev:1; detection_filter:track by_dst, count 20, seconds 10;)

flags:S ---> match only packets with just the SYN flag set, i.e. new connection attempts

flow:stateless ---> match regardless of whether Snort has tracked an established session; a SYN flood never completes the handshake

detection_filter:track by_dst, count 20, seconds 10 ---> keep a counter per destination host; the rule alerts only once more than 20 matching SYNs to the same host have been seen within 10 seconds, and then on every further match inside that window

sid:1000003 ---> the original rule used sid:3, which is inside the reserved range described above; local rules must use 1,000,000 or higher

Tune count and seconds to your environment: a busy web server legitimately receives more than 20 new connections in 10 seconds, and once the threshold is crossed every additional SYN produces an alert, so pair this rule with an event_filter in threshold.conf if you want to limit the alert volume.
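To see what detection_filter:track by_dst, count 20, seconds 10 actually does, the following model (added here as an example; it is not Snort's own code) applies the DoS rule's conditions to a constructed packet list: a few normal connection attempts, one SSH SYN that the port-80 header rules out, and a 30-packet SYN flood from spoofed sources. The counting follows Snort's documented behaviour as I understand it: the window opens at the first matching packet per destination, matches inside it are counted, alerts start once the count is exceeded, and a match arriving after the window has expired restarts the counter at 1. The Packet type and the sample traffic are constructed for this example.

```python
"""Model of Snort's detection_filter rate limiting for the SYN flood rule (example code for this page)."""
from collections import namedtuple

# Minimal packet representation constructed for this example: timestamp (seconds),
# source IP, destination IP, destination port, and whether only the SYN flag is set.
Packet = namedtuple("Packet", "ts src dst dport syn")


class DetectionFilter:
    """detection_filter:track <by_src|by_dst>, count <n>, seconds <s> (model, not Snort source)."""

    def __init__(self, count, seconds, track="by_dst"):
        self.count, self.seconds, self.track = count, seconds, track
        self.state = {}  # tracked address -> (window_start_ts, matches_in_window)

    def check(self, pkt):
        """Called for every packet that already matched the rule's header and flags.
        Returns True when the match should raise the alert."""
        key = pkt.dst if self.track == "by_dst" else pkt.src
        start, n = self.state.get(key, (None, 0))
        if start is None or pkt.ts - start > self.seconds:
            # first match, or the previous window has expired: restart the window here
            self.state[key] = (pkt.ts, 1)
            return 1 > self.count
        n += 1
        self.state[key] = (start, n)
        return n > self.count  # alert on every match once the count is exceeded


def syn_flood_alerts(packets, count=20, seconds=10, dport=80):
    """Apply the page's rule (tcp to $HOME_NET port 80, flags:S, detection_filter) to a packet list.
    Returns a list of (timestamp, destination) tuples, one per alert."""
    filt = DetectionFilter(count, seconds, track="by_dst")
    alerts = []
    for p in packets:
        if not (p.syn and p.dport == dport):  # header and flags:S must match before the filter counts it
            continue
        if filt.check(p):
            alerts.append((p.ts, p.dst))
    return alerts


def make_sample_traffic():
    """Constructed sample (not a real capture): five normal connection attempts spread over
    10 s, one SSH SYN, then a 30-packet SYN flood from spoofed 203.0.113.x sources in 7.5 s."""
    pkts = [Packet(t, "10.0.0.5", "192.168.1.103", 80, True) for t in (0, 2, 4, 6, 8)]
    pkts.append(Packet(9, "10.0.0.5", "192.168.1.103", 22, True))
    pkts += [Packet(20 + i * 0.25, f"203.0.113.{i}", "192.168.1.103", 80, True) for i in range(30)]
    return pkts


if __name__ == "__main__":
    alerts = syn_flood_alerts(make_sample_traffic())
    print(f"{len(alerts)} alerts; first at t={alerts[0][0]}s")
```

The normal traffic never reaches the count, the SSH packet is never counted because the rule header requires port 80, and the flood produces alerts from its 21st SYN onward, ten in total. Lowering count makes the rule fire sooner but also on legitimate bursts; that trade-off is why the numbers must be tuned per network.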



Reference :- researchgate website



Extra (run these from another machine against your own lab host only)

Ping :- ping -c 4 192.168.1.103 (or nmap -sn 192.168.1.103). Note that nmap on the same LAN discovers hosts with ARP rather than ICMP, so a bare nmap 192.168.1.103 will not necessarily trigger the ICMP rule, although its port scan will trigger the TCP rule.

Tcp scan :- nmap -sT 192.168.1.103 (a SYN scan, nmap -sS, matches the rule as well)

Dos :- Use any tools😐 (for example hping3 -S --flood -p 80 192.168.1.103, which sends SYNs to port 80 as fast as it can)



Credit :- I am groot 
