Snort is a free intrusion detection system that uses rules to find suspicious network traffic. Start your Nessus virtual machine and log in as root. Download the Snort source file from
http://www.snort.org/dl/current/snort-2.8.1.tar.gz
using wget or curl (whichever you prefer). Use the command
tar -xvzf snort-2.8.1.tar.gz
to unpack the source files. Then issue the commands
./configure
make
make install
to configure and install Snort. Depending on how fast your particular machine is, this may take a while.
Once Snort is installed, verify that the configuration files copied over by checking that the directory /etc/snort exists and contains the file snort.conf. If it does not, create the directory /etc/snort and copy etc/snort.conf (from the unpacked source tree) to /etc/snort.
Create the directory /etc/snort/rules if it does not exist. Change to that directory and edit a file called local.rules (or create it if it does not exist). In local.rules, we will define a simple custom rule that will issue an alert whenever the website www.google.com is visited. Read the Writing Snort Rules document on the Snort website for a complete overview of the rules syntax. For this rule, we are going to be looking for any outbound traffic to TCP port 80 on the remote machine that contains "www.google.com" in the URL. Add this rule to local.rules, then save your changes.
Now run Snort with the command
snort -c /etc/snort/snort.conf
Switch to another terminal using ALT+F2 (or any other F# key) and log in again. Try visiting Google using
lynx http://www.google.com
Go back to your original terminal and check the alerts file in /var/log/snort to see if it registered the alert.
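As an added illustration (not part of the original lab handout), the following Python script shows a rule of the kind described above and a small parser for the alert file you check afterwards. The rule text, the sid value 1000001 and the sample alert records are constructed for this example; $HOME_NET and $EXTERNAL_NET are the variables defined in snort.conf.

```python
import re
from collections import Counter

# Rule of the kind the lab asks for: alert on outbound TCP/80 traffic whose
# payload contains "www.google.com". The sid is a constructed local id
# (local rules conventionally use sids of 1000000 and above).
def google_rule(sid=1000001):
    return ('alert tcp $HOME_NET any -> $EXTERNAL_NET 80 '
            '(msg:"Outbound visit to www.google.com"; '
            f'content:"www.google.com"; nocase; sid:{sid}; rev:1;)')

# Every Snort alert record (full or fast output) begins with a header of the
# form  [**] [gid:sid:rev] message [**]  which is what we key on.
ALERT_HEADER = re.compile(r'\[\*\*\] \[(\d+):(\d+):(\d+)\] (.*?) \[\*\*\]')

def alerts_by_sid(alert_text):
    """Map each rule sid to the number of alert records it produced."""
    counts = Counter()
    for m in ALERT_HEADER.finditer(alert_text):
        counts[int(m.group(2))] += 1
    return dict(counts)

def count_alerts(alert_text, sid):
    """Number of alert records in alert_text that fired for the given sid."""
    return alerts_by_sid(alert_text).get(sid, 0)

# Constructed sample in Snort's full alert format (not real captured output).
SAMPLE_ALERT_FILE = """\
[**] [1:1000001:1] Outbound visit to www.google.com [**]
[Priority: 0]
10/25-13:42:01.123456 192.168.1.5:43210 -> 74.125.224.72:80
TCP TTL:64 TOS:0x0 ID:4321 IpLen:20 DgmLen:60 DF

[**] [1:1000001:1] Outbound visit to www.google.com [**]
[Priority: 0]
10/25-13:42:05.654321 192.168.1.5:43211 -> 74.125.224.72:80
TCP TTL:64 TOS:0x0 ID:4322 IpLen:20 DgmLen:60 DF

[**] [1:2000001:1] Some other local rule [**]
[Priority: 0]
10/25-13:43:00.000000 192.168.1.5:43212 -> 10.0.0.9:80
TCP TTL:64 TOS:0x0 ID:4323 IpLen:20 DgmLen:60 DF
"""

if __name__ == "__main__":
    print(google_rule())
    print("alerts per sid:", alerts_by_sid(SAMPLE_ALERT_FILE))
```

To check a real run, read /var/log/snort/alert into a string and pass it to count_alerts with the sid you used in local.rules.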
When you have a working local.rules file, scp that file to Helios using the command:
scp local.rules <username>@helios.cs.csubak.edu:<filename>
Then email the file to me.