Snort Lab 11-21-18

In this exercise, you will learn the basics of Snort.

  1. Go to Start > Run > Enter cmd.
  2. Right-click on the cmd icon and select Run as administrator.
  3. At the command prompt enter cd c:\snort\bin, which changes to the directory with the Snort executable.
  4. Enter snort -h to see the Snort help.

C:\Snort\bin>snort -W

  1. Enter snort -W to see a list of interfaces to choose from.
  2. Choose the correct adapter based on the number in the Index column that corresponds with the NIC you’re going to be using Snort from.
  • You can figure this out by looking at the IP Address column, and using the NIC that corresponds with the IP address you’re currently using.
  • For example, if the Index is 3, continue with a “3” after the -i in the instructions below. If not, use the actual number you see.
  1. At the command prompt, enter snort -v -i3.
    Snort is now running with verbose output (-v) from interface 3 (-i3) and listening to the network traffic.
  2. Keep the Snort window open and open another command line interface.
  3. In the new window enter ping –t 8.8.8.8.
    8.8.8.8 is the Google Public DNS Server; -t is to make this ping continuous.
  4. Observe the captured packets at the Snort window.
  5. Press Ctrl+c in the Snort window to stop Snort and scroll up to analyze the results.
  6. Repeat the same exercise, but this time enter snort -vd -i3 (snort -v -d -i3 does the same thing) at the command prompt.
    -d dumps the “Application Layer.” Now we can see the payload.
  7. Repeat the same exercise, but enter snort -vde -i3 (snort -v -d -e -i3 does the same thing) at the command prompt.
    -e is used to display the second layer header info.

Run Snort in Packet Logger Mode

You can use Snort to record packets in a file by specifying a log directory using the –l option.

  1. Enter snort -dev -i2 -l c:\snort\log to log every packet into a single log file.
  2. Send a ping to 8.8.8.8.
  3. Stop Snort with Ctrl+c, and scroll up to analyze the results.
  4. Using Windows Explorer, browse to C:\snort\log.
    You should see a log file in this folder.
  5. Open the log file in Wireshark.

Author: McPeters Joseph

Joseph McPeters is a Security Researcher. He specializes in network and web application penetration testing. Contact: admin@incidentsecurity.com

Leave a Reply

Your email address will not be published. Required fields are marked *