🛡️How to Protect the Server From Attacks By Detecting the Network Using Snort
Introduction
Snort is software that functions as an Intrusion Detection System (IDS) or Intrusion Prevention System (IPS). It works as a packet sniffer that monitors network traffic, examining each packet to detect dangerous payloads or suspicious anomalies. Snort has long been a leader among enterprise intrusion prevention and detection tools, and users can compile it on most Linux and Unix operating systems (OSes). A version is also available for Windows.
Snort Uses
Attack Detection: Snort can detect various types of security attacks, including network attacks that have the potential to damage systems or steal data.
Attack Prevention: With proper configuration, Snort can be set up to prevent attacks before they manage to damage or destroy a server.
Network Monitoring: Snort provides the ability to monitor network traffic in real-time, so administrators can spot suspicious or unwanted activity.
Information Collection: Snort provides reports and information about detected attacks, allowing administrators to perform analysis and respond to the attacks.
Data Protection: By detecting and preventing attacks, Snort helps protect sensitive data stored or processed by servers.
Security Investigation: Snort can be used as a tool to investigate security incidents that occur on a network or server, helping administrators to understand the source of the attack and the steps required to fix it.
Integration with Other Security Systems: Snort can be integrated with other security software, such as firewalls or other security management systems, to strengthen the overall layers of security defense.
Topology

Configuration
Debian 10 - Router
Install Package
apt install snort
Edit the Snort Configuration File
nano /etc/snort/snort.conf
ipvar HOME_NET
*becomes
ipvar HOME_NET 192.168.91.0/24
nano /etc/snort/rules/local.rules
alert icmp any any -> any any (msg:"PING DETECTED!"; sid:10000001; rev:0;)
alert tcp any any -> any 161 (msg:"NMAP SCAN DETECTED"; sid:10000002; rev:1;)
alert tcp any any -> any 22 (msg:"SSH login DETECTED"; sid:10000003; rev:1;)
Restart Snort Service
/etc/init.d/snort restart
Run Snort
snort -A console -q -c /etc/snort/snort.conf -i ens33
Kali Linux
nmap -sN (IP of the Debian 10 - Router)
nmap -sN 192.168.91.150
Make sure the Debian 10 - Router shows a notification when someone is doing port scanning.
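The NMAP rule in local.rules above matches only TCP packets sent to port 161, so a scan that does not probe that port raises no alert. The rules below are an added example, not part of the original page, that tighten all three rules; they assume HOME_NET is set as shown earlier, and the SIDs 10000011 to 10000013 and the message strings are constructed for illustration.

```snort
# /etc/snort/rules/local.rules -- added example, not the page's own rules.
# Assumes: ipvar HOME_NET 192.168.91.0/24 (set in snort.conf as above).
# SIDs 10000011-10000013 are constructed; any unused SID >= 1000000 works.

# ICMP: alert on echo requests (type 8) aimed at HOME_NET only,
# instead of on every ICMP packet in either direction.
alert icmp any any -> $HOME_NET any (msg:"ICMP echo request to HOME_NET"; itype:8; sid:10000011; rev:1;)

# nmap -sN sends TCP segments with no flags set. flags:0 matches exactly
# that, on any destination port; flow:stateless evaluates the rule even
# though the probe is not part of a tracked session.
alert tcp any any -> $HOME_NET any (msg:"TCP NULL scan probe"; flow:stateless; flags:0; sid:10000012; rev:1;)

# SSH: alert on the connection attempt (SYN only) rather than on every
# packet of an established session.
alert tcp any any -> $HOME_NET 22 (msg:"SSH connection attempt"; flags:S; sid:10000013; rev:1;)
```

Running `snort -T -c /etc/snort/snort.conf` checks that the configuration and rules parse before the service is restarted. The NULL scan rule raises an alert for each probe packet, so a full scan produces many lines on the console.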