1
00:00:00,05 --> 00:00:04,01
- [Instructor] Although Snort is an intrusion detection

2
00:00:04,01 --> 00:00:07,04
and prevention system solution,

3
00:00:07,04 --> 00:00:12,02
it can also be used as a basic packet sniffer.

4
00:00:12,02 --> 00:00:16,05
Let's start by first installing Snort.

5
00:00:16,05 --> 00:00:29,06
Type sudo, space, apt, get, install, space, snort.

6
00:00:29,06 --> 00:00:32,09
Press Enter.

7
00:00:32,09 --> 00:00:37,07
Type Y and press Enter.

8
00:00:37,07 --> 00:00:41,01
The address range for the local network is

9
00:00:41,01 --> 00:00:48,04
10 dot, zero dot, zero dot, zero, forward slash 24.

10
00:00:48,04 --> 00:00:53,06
Forward slash 24 indicates that 10 dot zero dot zero

11
00:00:53,06 --> 00:00:57,03
is the subnet ID for the network to monitor.

12
00:00:57,03 --> 00:01:05,05
Press Tab to select OK and press Enter.

13
00:01:05,05 --> 00:01:10,05
Now we have our Snort instance installed successfully.

14
00:01:10,05 --> 00:01:19,03
To start capturing packets, type sudo, space, snort,

15
00:01:19,03 --> 00:01:25,08
space, dash i, standing for interface.

16
00:01:25,08 --> 00:01:29,04
Which interface do we use to sniff the packets here?

17
00:01:29,04 --> 00:01:32,01
We'll be using eth zero,

18
00:01:32,01 --> 00:01:34,05
which is the first network interface

19
00:01:34,05 --> 00:01:37,02
of the Ubuntu router host.

20
00:01:37,02 --> 00:01:42,03
Space, E-T-H zero.

21
00:01:42,03 --> 00:01:47,03
Space, dash L, and then the location

22
00:01:47,03 --> 00:01:50,06
where the packets are going to be logged.

23
00:01:50,06 --> 00:01:54,03
Here, dash L stands for logging.

24
00:01:54,03 --> 00:01:57,08
We'll be logging the packets in a particular location,

25
00:01:57,08 --> 00:02:03,01
namely, var log snort.

26
00:02:03,01 --> 00:02:10,02
So type space, forward slash var, forward slash log,

27
00:02:10,02 --> 00:02:13,09
forward slash snort.

28
00:02:13,09 --> 00:02:17,03
We're going to be storing the results of packet sniffing

29
00:02:17,03 --> 00:02:18,05
in a binary format,

30
00:02:18,05 --> 00:02:22,09
which is why now we're typing dash B here.

31
00:02:22,09 --> 00:02:29,01
So space, dash B, press Enter.

32
00:02:29,01 --> 00:02:32,08
Now the Snort application is up and running.

33
00:02:32,08 --> 00:02:35,01
Let's give it a little bit of time

34
00:02:35,01 --> 00:02:38,04
so that we can capture some packets.

35
00:02:38,04 --> 00:02:43,09
To stop capturing, press Control + C together,

36
00:02:43,09 --> 00:02:45,09
and let's go to the directory

37
00:02:45,09 --> 00:02:48,04
where the packets are captured.

38
00:02:48,04 --> 00:02:56,04
Type C-D, space, var, log, snort.

39
00:02:56,04 --> 00:02:58,04
Press Enter.

40
00:02:58,04 --> 00:03:02,03
Type ls, press Enter.

41
00:03:02,03 --> 00:03:04,02
There are three log files here,

42
00:03:04,02 --> 00:03:06,08
and we're going to be opening up the last one.

43
00:03:06,08 --> 00:03:17,06
Type sudo, space, more, space, snort, dot log, dot one six,

44
00:03:17,06 --> 00:03:22,04
and here press Tab to complete the command.

45
00:03:22,04 --> 00:03:24,02
Press Enter.

46
00:03:24,02 --> 00:03:28,03
We're getting weird results here because it's a binary file

47
00:03:28,03 --> 00:03:31,07
and we cannot read it in a text viewer.

48
00:03:31,07 --> 00:03:35,06
What do we do to actually read the content properly?

49
00:03:35,06 --> 00:03:38,07
Type Q to get out of this,

50
00:03:38,07 --> 00:03:40,02
and we'll be using Wireshark

51
00:03:40,02 --> 00:03:43,05
to view the packets captured by Snort.

52
00:03:43,05 --> 00:03:49,05
Type sudo, space, Wireshark,

53
00:03:49,05 --> 00:04:00,09
and then the name of the file, snort, log, press Enter.

54
00:04:00,09 --> 00:04:04,08
Now you can read the individual entries of the results

55
00:04:04,08 --> 00:04:06,08
of our packet capturing.

56
00:04:06,08 --> 00:04:10,02
Packet capturing is the most basic Snort mode,

57
00:04:10,02 --> 00:04:13,01
and we tried it to get familiar with

58
00:04:13,01 --> 00:04:17,01
how to run Snort in general and to see what it looks like

59
00:04:17,01 --> 00:04:19,00
when Snort is running.