1
00:00:00,06 --> 00:00:03,07
- We just introduced a new Snort rule

2
00:00:03,07 --> 00:00:05,07
to detect ping packets,

3
00:00:05,07 --> 00:00:07,09
and it's time to check

4
00:00:07,09 --> 00:00:09,05
if it actually works.

5
00:00:09,05 --> 00:00:11,09
Let's start by running Snort

6
00:00:11,09 --> 00:00:14,00
in its IDS mode.

7
00:00:14,00 --> 00:00:15,03
Type sudo

8
00:00:15,03 --> 00:00:16,05
space

9
00:00:16,05 --> 00:00:18,05
snort

10
00:00:18,05 --> 00:00:19,09
space

11
00:00:19,09 --> 00:00:22,00
-c,

12
00:00:22,00 --> 00:00:23,08
which indicates the location

13
00:00:23,08 --> 00:00:26,08
of the Snort configuration file.

14
00:00:26,08 --> 00:00:29,00
We'll be using the default

15
00:00:29,00 --> 00:00:31,00
Snort configuration file,

16
00:00:31,00 --> 00:00:33,03
which is located at

17
00:00:33,03 --> 00:00:37,09
/etc/snort/snort

18
00:00:37,09 --> 00:00:40,04
.conf.

19
00:00:40,04 --> 00:00:42,04
The next option is

20
00:00:42,04 --> 00:00:44,03
-A

21
00:00:44,03 --> 00:00:46,00
console.

22
00:00:46,00 --> 00:00:49,03
Type dash, capital A,

23
00:00:49,03 --> 00:00:53,03
space, console,

24
00:00:53,03 --> 00:00:55,03
which indicates that we'll be displaying

25
00:00:55,03 --> 00:00:57,01
the Snort alert

26
00:00:57,01 --> 00:00:59,06
on our terminal window.

27
00:00:59,06 --> 00:01:02,06
The next option to specify is

28
00:01:02,06 --> 00:01:04,07
-l

29
00:01:04,07 --> 00:01:06,08
space

30
00:01:06,08 --> 00:01:12,04
/var/log/snort,

31
00:01:12,04 --> 00:01:17,03
which tells where the Snort log messages

32
00:01:17,03 --> 00:01:19,04
are going to be stored.

33
00:01:19,04 --> 00:01:20,06
And finally,

34
00:01:20,06 --> 00:01:23,08
we have to say which network interface card

35
00:01:23,08 --> 00:01:26,03
Snort is going to be listening to

36
00:01:26,03 --> 00:01:27,03
by typing

37
00:01:27,03 --> 00:01:30,00
-i

38
00:01:30,00 --> 00:01:31,03
space

39
00:01:31,03 --> 00:01:33,08
eth0.

40
00:01:33,08 --> 00:01:36,06
We'll be listening to the external network interface card

41
00:01:36,06 --> 00:01:38,05
of this Ubuntu router host,

42
00:01:38,05 --> 00:01:43,01
which has the IP of 10.0.0.6.

43
00:01:43,01 --> 00:01:50,03
Let's start Snort by pressing enter.

44
00:01:50,03 --> 00:01:53,09
Do you see our new rule working here?

45
00:01:53,09 --> 00:01:57,04
The Snort alert ID we created was

46
00:01:57,04 --> 00:01:59,05
1000001,

47
00:01:59,05 --> 00:02:01,03
and our message was

48
00:02:01,03 --> 00:02:03,09
ping detected.

49
00:02:03,09 --> 00:02:06,09
Our new Snort rule is working.

50
00:02:06,09 --> 00:02:08,08
Congratulations.

51
00:02:08,08 --> 00:02:10,00
You did it again.