snort-1.0
Category: Network capture/analysis
Development tool: Unix_Linux
File size: 91KB
Downloads: 63
Upload date: 2009-05-01 11:57:40
Uploader: netydy
Description: the snort 1.0 source code, good material for learning snort. Today's snort is very large and not easy to understand, but the 1.0 code contains the most basic functionality; after reading the 1.0 code, readers can go on to understand some of the features of current snort, and I believe this will get twice the result with half the effort.
File list:
snort-1.0\acconfig.h (176, 1999-04-29)
snort-1.0\aclocal.m4 (4532, 1999-04-29)
snort-1.0\AUTHORS (261, 1999-04-06)
snort-1.0\ChangeLog (8051, 1999-04-29)
snort-1.0\config.guess (20370, 1999-04-06)
snort-1.0\config.h.in (544, 1999-04-06)
snort-1.0\config.sub (19236, 1999-04-06)
snort-1.0\configure (54387, 1999-04-29)
snort-1.0\configure.in (1635, 1999-04-29)
snort-1.0\COPYING (17989, 1999-04-06)
snort-1.0\CREDITS (568, 1999-04-29)
snort-1.0\decode.c (28897, 1999-04-29)
snort-1.0\decode.h (8156, 1999-04-29)
snort-1.0\INSTALL (8343, 1999-04-17)
snort-1.0\install-sh (5584, 1999-04-06)
snort-1.0\log.c (17945, 1999-04-29)
snort-1.0\log.h (3218, 1999-04-29)
snort-1.0\Makefile.am (165, 1999-04-07)
snort-1.0\Makefile.in (8838, 1999-04-29)
snort-1.0\missing (6274, 1999-04-06)
snort-1.0\mkinstalldirs (732, 1999-04-06)
snort-1.0\mstring.c (10431, 1999-04-29)
snort-1.0\mstring.h (1213, 1999-04-29)
snort-1.0\NEWS (5922, 1999-04-29)
snort-1.0\rules.c (31134, 1999-04-29)
snort-1.0\rules.h (3322, 1999-04-29)
snort-1.0\RULES.SAMPLE (4607, 1999-04-17)
snort-1.0\snort-lib (4348, 1999-04-29)
snort-1.0\snort.c (21526, 1999-04-29)
snort-1.0\snort.h (3226, 2008-10-13)
snort-1.0\stamp-h.in (10, 1999-04-29)
snort-1.0 (0, 2008-10-13)
Snort Version 1.0
by Martin Roesch (roesch@clark.net)
Distribution Site:
http://www.clark.net/~roesch/security.html
******************************************************************************
COPYRIGHT
Copyright (C)19***,1999 Martin Roesch
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 2 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program; if not, write to the Free Software
Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
Some of this code has been taken from tcpdump, which was developed
by the Network Research Group at Lawrence Berkeley National Lab,
and is copyrighted by the University of California Regents.
******************************************************************************
DESCRIPTION
This program reads and parses packets from the link layer through the
application layer, dumping the decoded packet data.
It can log these packets in their decoded form to directories which are
generated based upon the IP address of the remote peer. This can
be used as a sort of "poor man's intrusion detection system" if you
specify what traffic you want to record and what to let through. The
traffic to be recorded can be filtered at the command line or via a
flexible set of rules contained within a file.
For instance, I use it to record traffic of interest to the six computers in
my office at work while I'm away on travel or gone for the weekend. It's
also nice for debugging network code since it shows you most of the Important
Stuff(TM) about your packets (as I see it anyway). The code is pretty easy
to modify to provide more complete packet decoding, so feel free to make
suggestions.
******************************************************************************
[*][USAGE]
Command line:
snort -[options]
Options:
-a Display ARP packets (very basic decoding right now)
-c Use configuration file . This is the rules file
which tells the system what to log, alert on, or pass!
-d Dump the application layer data
-e Display/log the ethernet packet header data
-h Set the "home network" to , which is a class C IP
address something like 192.168.1.0 or whatever. If you
use this switch, traffic coming from external networks
will be formatted with the directional arrow of the
packet dump pointing right for incoming external
traffic, and left for outgoing internal traffic. Kind
of silly, but it looks nice.
-i Use interface . Defaults to eth0 on Linux, hme0 on
Solaris, and xl0 on FreeBSD.
-l Log packets to directory . Sets up a hierarchical
directory structure with the log directory as the base
starting directory, and the IP address of the remote
peer generating traffic as the directory in which packets
from that address are stored.
-n Exit after processing packets.
-o Change the order in which the rules are applied to
packets. Instead of being applied in the standard
Alert->Pass->Log order, this will apply them in
Pass->Alert->Log order, allowing people to avoid having
to make huge BPF command line arguments to filter their
alert rules. User requested.
-s Log alert messages to the syslog. On linux boxen, they
will appear in /var/log/secure.
-v Be verbose. Prints packets out to the console. There
is one big problem with verbose mode: it's still kind
of slow. If you are doing IDS work with Snort, don't
use the -v switch, you WILL drop packets (not many, but
some).
-V Show the version number and exit.
-? Show the usage summary and exit.
[*][FILTERS]:
The "filters" are standard BPF style filters as seen in TCPDump. Look
at the man page for TCPDump for docs on how to use it properly. In general,
you can give it a host, net or protocol to filter on and some logical statements
to tie it together and get the specific traffic you're interested in. For
example:
[zeus ~]# ./snort -h 192.168.1.0/24 -d -v host 192.168.1.1
records the traffic to and from host 192.168.1.1.
[zeus ~]# ./snort -h 192.168.1.0/24 -d -v net 192.168.1 and not host 192.168.1.1
records all traffic on the 192.168.1.0/24 class C subnet, but not traffic
to/from 192.168.1.1. Notice that the command line data specified after the
"-h" switch is formatted differently from the BPF commands provided at the end
of the command line. Sorry for the confusion, but I like the CIDR notation and
I'm not rewriting libpcap to make it consistent! Anyway, you get the picture.
Mail me if you have trouble with it.
[*][RULES]:
New as of version 0.*** is the concept of rules. Now you can start to use
Snort as a real live intrusion detection system, albeit not quite as good as
commercial systems. The rules formats are fairly simple for now and are
covered in the "RULES.SAMPLE" file included in the distribution. Please look
there for complete explanations of how the rules system works.
The Alerts which are generated by the system are logged to a file named
(surprisingly enough) "alert". You can use something like "rt" or just "tail -f"
it to give a running display of system alerts.
Note that the system requires the use of the "-l" flag to redirect rules
based logging to a specific directory. If you don't specify a place for it to
go, it goes into where ever Snort thinks "." is, probably either your current
working directory or wherever the Snort binary is located. I recommend using
the "-l" option. :)
Remember, if you specify a rules file, it doesn't log everything anymore,
just the things which match the current rules set. Rules are applied in the
order in which they're entered in their class. In other words, the Alert
rules are applied in the order they're read out of the rules file, and so on
for Log and Pass rules.
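The ordering point above matters for what actually gets alerted on. The following is an added model of the rule-class ordering (example code written for this page, not Snort's own rule engine); it assumes a packet is handled by the first rule that matches while the classes are scanned in the configured order, and that a matching Pass rule ends processing. With the default Alert->Pass->Log order a Pass rule can never suppress an Alert rule, which is why BPF filters were needed; with -o a Pass rule can whitelist traffic before the Alert rules see it, so an over-broad Pass rule silently hides alerts.

```python
# Constructed model of Snort 1.0 rule-class ordering, not the project's code.
# Assumption: first matching rule wins, classes are visited in `order`,
# rules keep their file order within a class, and "pass" stops processing.
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

Packet = Dict[str, object]  # constructed packets: {"src", "dst", "dport"}


@dataclass
class Rule:
    action: str                       # "alert", "pass" or "log"
    match: Callable[[Packet], bool]   # predicate standing in for a rule header
    msg: str


DEFAULT_ORDER = ("alert", "pass", "log")   # Snort's default order
O_FLAG_ORDER = ("pass", "alert", "log")    # order used with the -o switch


def apply_rules(rules: List[Rule], pkt: Packet,
                order: Tuple[str, ...] = DEFAULT_ORDER) -> Tuple[str, str]:
    """Return (action, msg) of the first rule that matches, or ("none", "")."""
    for action in order:
        for rule in rules:
            if rule.action == action and rule.match(pkt):
                return (rule.action, rule.msg)
    return ("none", "")


# Constructed rule set: alert on any telnet, but let one trusted host on the
# home net (192.168.1.0/24 as in the -h example) reach port 23 unalerted.
RULES = [
    Rule("alert", lambda p: p["dport"] == 23, "telnet connection"),
    Rule("pass", lambda p: p["src"] == "192.168.1.5" and p["dport"] == 23,
         "trusted scanner"),
    Rule("log", lambda p: p["dport"] == 80, "http"),
]

TRUSTED_TELNET = {"src": "192.168.1.5", "dst": "192.168.1.1", "dport": 23}
OTHER_TELNET = {"src": "10.0.0.7", "dst": "192.168.1.1", "dport": 23}


def compare_orders(pkt: Packet) -> Tuple[str, str]:
    """Action taken under the default order vs. under -o for the same packet."""
    return (apply_rules(RULES, pkt, DEFAULT_ORDER)[0],
            apply_rules(RULES, pkt, O_FLAG_ORDER)[0])


if __name__ == "__main__":
    print(compare_orders(TRUSTED_TELNET))  # ('alert', 'pass')
    print(compare_orders(OTHER_TELNET))    # ('alert', 'alert')
```

The trusted host is still alerted on under the default order because the Alert class is scanned first; only under -o does its Pass rule take effect, while the untrusted host is alerted on either way.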
******************************************************************************