文件列表:

snort-1.0\acconfig.h (176, 1999-04-29)
snort-1.0\aclocal.m4 (4532, 1999-04-29)
snort-1.0\AUTHORS (261, 1999-04-06)
snort-1.0\ChangeLog (8051, 1999-04-29)
snort-1.0\config.guess (20370, 1999-04-06)
snort-1.0\config.h.in (544, 1999-04-06)
snort-1.0\config.sub (19236, 1999-04-06)
snort-1.0\configure (54387, 1999-04-29)
snort-1.0\configure.in (1635, 1999-04-29)
snort-1.0\COPYING (17989, 1999-04-06)
snort-1.0\CREDITS (568, 1999-04-29)
snort-1.0\decode.c (28897, 1999-04-29)
snort-1.0\decode.h (8156, 1999-04-29)
snort-1.0\INSTALL (8343, 1999-04-17)
snort-1.0\install-sh (5584, 1999-04-06)
snort-1.0\log.c (17945, 1999-04-29)
snort-1.0\log.h (3218, 1999-04-29)
snort-1.0\Makefile.am (165, 1999-04-07)
snort-1.0\Makefile.in (8838, 1999-04-29)
snort-1.0\missing (6274, 1999-04-06)
snort-1.0\mkinstalldirs (732, 1999-04-06)
snort-1.0\mstring.c (10431, 1999-04-29)
snort-1.0\mstring.h (1213, 1999-04-29)
snort-1.0\NEWS (5922, 1999-04-29)
snort-1.0\rules.c (31134, 1999-04-29)
snort-1.0\rules.h (3322, 1999-04-29)
snort-1.0\RULES.SAMPLE (4607, 1999-04-17)
snort-1.0\snort-lib (4348, 1999-04-29)
snort-1.0\snort.c (21526, 1999-04-29)
snort-1.0\snort.h (3226, 2008-10-13)
snort-1.0\stamp-h.in (10, 1999-04-29)
snort-1.0 (0, 2008-10-13)

Snort Version 1.0 by Martin Roesch (roesch@clark.net) Distribution Site: http://www.clark.net/~roesch/security.html ****************************************************************************** COPYRIGHT Copyright (C)19***,1999 Martin Roesch This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received a copy of the GNU General Public License along with this program; if not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. Some of this code has been taken from tcpdump, which was developed by the Network Research Group at Lawrence Berkeley National Lab, and is copyrighted by the University of California Regents. ****************************************************************************** DESCRIPTION This program reads and parses packets from the link layer through the application layer, dumping the decoded packet data. It can log these packets in their decoded form to directories which are generated based upon the IP address of the remote peer. This can be used as a sort of "poor man's intrusion detection system" if you specify what traffic you want to record and what to let through. The traffic to be recorded can be filtered at the command line or via a flexible set of rules contained within a file. For instance, I use it to record traffic of interest to the six computers in my office at work while I'm away on travel or gone for the weekend. It's also nice for debugging network code since it shows you most of the Important Stuff(TM) about your packets (as I see it anyway). The code is pretty easy to modify to provide more complete packet decoding, so feel free to make suggestions. ****************************************************************************** [*][USAGE] Command line: snort -[options] Options: -a Display ARP packets (very basic decoding right now) -c Use configuration file . This is the rules file which tells the system what to log, alert on, or pass! -d Dump the application layer data -e Display/log the ethernet packet header data -h Set the "home network" to , which is a class C IP address something like 192.168.1.0 or whatever. If you use this switch, traffic coming from external networks will be formatted with the directional arrow of the packet dump pointing right for incoming external traffic, and left for outgoing internal traffic. Kind of silly, but it looks nice. -i Use interface . Defaults to eth0 on Linux, hme0 on Solaris, and xl0 on FreeBSD. -l Log packets to directory . Sets up a hierarchical directory structure with the log directory as the base starting directory, and the IP address of the remote peer generating traffic as the directory which packets packets from that adress are stored in. -n Exit after processing packets. -o Change the order in which the rules are applied to packets. Instead of being applied in the standard Alert->Pass->Log order, this will apply them in Pass->Alert->Log order, allowing people to avoid having to make huge BPF command line arguments to filter their alert rules. User requested. -s Log alert messages to the syslog. On linux boxen, they will appear in /var/log/secure. -v Be verbose. Prints packets out to the console. There is one big problem with verbose mode: it's still kind of slow. If you are doing IDS work with Snort, don't use the -v switch, you WILL drop packets (not many, but some). -V Show the version number and exit. -? Show the usage summary and exit. [*][FILTERS]: The "filters" are standard BPF style filters as seen in TCPDump. Look at the man page for TCPDump for docs on how to use it properly. In general, you can give it a host, net or protocol to filter on and some logical statements to tie it together and get the specific traffic you're interested in. For example: [zeus ~]# ./snort -h 192.168.1.0/24 -d -v host 192.168.1.1 records the traffic to and from host 192.168.1.1. [zeus ~]# ./snort -h 192.168.1.0/24 -d -v net 192.168.1 and not host 192.168.1.1 records all traffic on the 192.168.1.0/24 class C subnet, but not traffic to/from 192.168.1.1. Notice that the command line data specified after the "-h" switch is formated differently from the BPF commands provided at the end of the command line. Sorry for the confusion, but I like the CIDER notation and I'm not rewriting libpcap to make it consistent! Anyway, you get the picture. Mail me if you have trouble with it. [*][RULES]: New as of version 0.*** is the concept of rules. Now you can start to use Snort as a real live intrusion detection system, albeit not quite as good as commercial systems. The rules formats are fairly simple for now and are covered in the "RULES.SAMPLE" file included in the distribution. Please look there for complete explainations of how the rules system works. The Alerts which are generated by the system are logged to a file named (suprisingly enough) "alert". You can use something like "rt" or just "tail -f" it to give a running display of system alerts. Note that the system requires the use of the "-l" flag to redirect rules based logging to a specific directory. If you don't specify a place for it to go, it goes into where ever Snort thinks "." is, probably either your current working directory or wherever the Snort binary is located. I recommend using the "-l" option. :) Remember, if you specify a rules file, it doesn't log everything anymore, just the things which match the current rules set. Rules are applied in the order in which they're entered in their class. In other words, the Alert rules are applied in the order they're read out of the rules file, and so on for Log and Pass rules. ******************************************************************************

近期下载者：

相关文件：

评论：[我要评论] [举报此文件]

收藏者：