In this exercise, you will learn the basics of Snort.
- Go to Start > Run > Enter cmd.
- Right-click on the cmd icon and select Run as administrator.
- At the command prompt enter cd c:\snort\bin, which changes to the directory with the Snort executable.
- Enter snort -h to see the Snort help.
- Enter snort -W to see a list of interfaces to choose from.
- Choose the correct adapter based on the number in the Index column that corresponds with the NIC you’re going to be using Snort from.
- You can figure this out by looking at the IP Address column, and using the NIC that corresponds with the IP address you’re currently using.
- For example, if the Index is 3, continue with a “3” after the -i in the instructions below. If not, use the actual number you see.
- At the command prompt, enter snort -v -i3.
Snort is now running with verbose output (-v) from interface 3 (-i3) and listening to the network traffic.
- Keep the Snort window open and open another command line interface.
- In the new window enter ping -t 184.108.40.206.
220.127.116.11 is the Google Public DNS Server; -t is to make this ping continuous.
- Observe the captured packets at the Snort window.
- Press Ctrl+c in the Snort window to stop Snort and scroll up to analyze the results.
- Repeat the same exercise, but this time enter snort -vd -i3 (snort -v -d -i3 does the same thing) at the command prompt.
-d dumps the application-layer data, so the packet payload is now visible in the output.
- Repeat the same exercise, but enter snort -vde -i3 (snort -v -d -e -i3 does the same thing) at the command prompt.
-e displays the layer 2 (data link) header information in addition to the IP header and payload.
Run Snort in Packet Logger Mode
You can use Snort to record packets in a file by specifying a log directory using the -l option.
- Enter snort -dev -i2 -l c:\snort\log to log every packet into a single log file (replace 2 with the interface index you chose from snort -W earlier).
- Send a ping to 18.104.22.168.
- Stop Snort with Ctrl+c, and scroll up to analyze the results.
- Using Windows Explorer, browse to C:\snort\log.
You should see a log file in this folder.
- Open the log file in Wireshark.
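The file Snort writes under c:\snort\log is in tcpdump/pcap format, which is why Wireshark can open it. The following Python script is an added example, not part of the original exercise and not Snort's own code: it reads such a file without any third-party library and decodes the same three layers the console flags above expose (-e: Ethernet header, -v: IP header, -d: payload). The capture it parses by default is constructed inside the script; the addresses 192.168.1.10 and 203.0.113.9, the MAC addresses and the 32-byte ping pattern are assumed sample values, not taken from the exercise. Pass the path of a real snort.log file as the first argument to run it on your own capture.

```python
"""Minimal reader for the pcap file Snort writes under the -l log directory.

Added example for the exercise above; the sample capture is built in this file
and is NOT a real Snort log. Each decoded field is labelled with the Snort
console flag (-e, -v, -d) that prints it in the earlier steps.
"""
import struct
import sys

LINKTYPE_ETHERNET = 1
PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}


def read_pcap(data: bytes):
    """Yield (timestamp, frame_bytes) for every record in a pcap byte string."""
    magic = struct.unpack("<I", data[:4])[0]
    if magic == 0xA1B2C3D4:        # little-endian file (what Snort on x86 Windows writes)
        endian = "<"
    elif magic == 0xD4C3B2A1:      # big-endian file
        endian = ">"
    else:
        raise ValueError("not a pcap file: bad magic %#x" % magic)
    _vmaj, _vmin, _tz, _sig, _snaplen, linktype = struct.unpack(endian + "HHiIII", data[4:24])
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("expected Ethernet frames, got linktype %d" % linktype)
    off = 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        frame = data[off:off + incl_len]
        off += incl_len
        yield ts_sec + ts_usec / 1e6, frame


def decode_frame(frame: bytes) -> dict:
    """Extract the fields that -e (Ethernet), -v (IP) and -d (payload) print."""
    dst_mac, src_mac, ethertype = struct.unpack("!6s6sH", frame[:14])      # -e
    info = {"src_mac": ":".join("%02x" % b for b in src_mac),
            "dst_mac": ":".join("%02x" % b for b in dst_mac),
            "ethertype": ethertype}
    if ethertype != 0x0800:        # only IPv4 is decoded here
        return info
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    proto = ip[9]
    info.update({"src_ip": ".".join(str(b) for b in ip[12:16]),           # -v
                 "dst_ip": ".".join(str(b) for b in ip[16:20]),
                 "ttl": ip[8],
                 "proto": PROTO_NAMES.get(proto, str(proto))})
    payload = ip[ihl:total_len]                                             # -d
    if proto == 1:
        info["icmp_type"], info["icmp_code"] = payload[0], payload[1]
        payload = payload[8:]      # echo data follows the 8-byte ICMP header
    info["payload"] = payload
    return info


def summarize(pcap_bytes: bytes) -> list:
    """One dict per packet, roughly what Wireshark's packet list shows."""
    rows = []
    for ts, frame in read_pcap(pcap_bytes):
        row = decode_frame(frame)
        row["ts"] = ts
        rows.append(row)
    return rows


# ---- constructed sample capture (assumed values, not from the exercise) ----
def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum used by IP and ICMP headers."""
    if len(data) % 2:
        data += b"\x00"
    s = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return (~s) & 0xFFFF


def build_echo_request(src_ip: str, dst_ip: str, seq: int, data: bytes) -> bytes:
    """Ethernet + IPv4 + ICMP echo request, as the ping step would put on the wire."""
    icmp = struct.pack("!BBHHH", 8, 0, 0, 1, seq) + data
    icmp = icmp[:2] + struct.pack("!H", checksum(icmp)) + icmp[4:]
    iph = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0x1234, 0, 128, 1, 0,
                      bytes(map(int, src_ip.split("."))), bytes(map(int, dst_ip.split("."))))
    iph = iph[:10] + struct.pack("!H", checksum(iph)) + iph[12:]
    eth = bytes.fromhex("aabbccddeeff") + bytes.fromhex("001122334455") + b"\x08\x00"
    return eth + iph + icmp


def build_sample_pcap(frames) -> bytes:
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1700000000 + i, 0, len(frame), len(frame)) + frame
    return out


PING_DATA = b"abcdefghijklmnopqrstuvwabcdefghi"   # the 32-byte pattern Windows ping sends
SAMPLE_PCAP = build_sample_pcap([build_echo_request("192.168.1.10", "203.0.113.9", n, PING_DATA)
                                 for n in (1, 2)])

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_PCAP
    for r in summarize(data):
        print("%.6f %s -> %s | %s -> %s %s TTL:%s | %d payload bytes" % (
            r["ts"], r["src_mac"], r["dst_mac"], r.get("src_ip"), r.get("dst_ip"),
            r.get("proto"), r.get("ttl"), len(r.get("payload", b""))))
```

Run it with no arguments to see the constructed capture decoded, or with the path of the snort.log file from c:\snort\log (the exact file name is the timestamped one you see in that folder) to print one line per captured packet; comparing that output with the -v, -d and -e console output from the earlier steps shows which header each flag was revealing.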