Snort should run on a dedicated computer in your network. That computer’s logs should be reviewed often to spot malicious activity on your network.
Steps to install Snort on Windows:
1. Download Snort from the Snort.org website. (http://www.snort.org/snort-downloads)
2. Download Rules from here. You must register to get the rules. (You should download these often)
3. Double click on the .exe to install Snort. This will install Snort in the “C:\Snort” folder.
It is important to have WinPcap installed.
4. Extract the Rules file. You will need WinRAR for the .gz file.
5. Copy all files from the “rules” folder of the extracted folder. Now paste the rules into “C:\Snort\rules” folder.
6. Copy the “snort.conf” file from the “etc” folder of the extracted folder. You must paste it into the “C:\Snort\etc” folder. Overwrite any existing file. Remember: if you have modified your snort.conf file and later download a new one, you must apply your modifications again for Snort to work.
7. Open a command prompt (cmd.exe) and navigate to the “C:\Snort\bin” folder (at the prompt, type cd \snort\bin).
8. To start (execute) Snort in sniffer mode, use the following command:
snort -dev -i 3
-i indicates the interface number. You must pick the correct interface number. In my case, it is 3.
-dev runs Snort as a verbose packet sniffer, printing the link-layer headers (-e) and packet payloads (-d) of the traffic it captures on your network.
You can tell which interface to use by looking at the Index number and finding the Microsoft adapter. In the example above, the other interfaces are VMware adapters. My interface is 3.
9. To run snort in IDS mode, you will need to configure the file “snort.conf” according to your network environment.
10. To specify the network address that you want to protect, look for the following line in the snort.conf file:
var HOME_NET 192.168.1.0/24 (by default you will see any here)
11. You may also want to set the addresses of DNS_SERVERS, if you have some on your network.
13. Change the path of all library files to the name and path on your system, including the path of the snort_dynamicpreprocessor variable.
You need to do this for all library files in the “C:\Snort\lib” folder. The old path will be something like “/usr/local/lib/…”; replace it with your system path, C:\Snort\lib.
14. Change the path of the “dynamicengine” variable value in the “snort.conf” file.
15. Add the paths to the “include classification.config” and “include reference.config” lines.
16. Remove the comment character (#) from the line that enables the ICMP rules, if it is commented out.
17. You can also uncomment the ICMP-info rules line, if it is commented out.
18. To add log files to store the alerts generated by Snort, search for the “output log” text in snort.conf and add the following line:
output alert_fast: snort-alerts.ids
19. Comment out (add a #) the whitelist ($WHITE_LIST_PATH/white_list.rules) and the blacklist lines.
Change “nested_ip inner , \” to “nested_ip inner #, \”.
20. Comment out (#) the following line:
#preprocessor normalize_tcp: ips ecn stream
21. Save the “snort.conf” file.
22. To start snort in IDS mode, run the following command:
snort -c c:\snort\etc\snort.conf -l c:\snort\log -i 3
(Note: 3 is the number of my interface card.)
If a log is created, open it with an appropriate program; WordPad or Notepad++ can read the file.
To generate log files in ASCII mode, you can use the following command while running Snort in IDS mode:
snort -A console -i3 -c c:\Snort\etc\snort.conf -l c:\Snort\log -K ascii
23. Scan the computer that is running Snort from another computer by using PING or Nmap (Zenmap).
During or after the scan, check the snort-alerts.ids file in the log folder to ensure it is logging properly. You will see IP address folders appear.
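As an added example (not from the original post and not part of Snort) of the check in the last step, here is a small Python parser for the lines that “output alert_fast: snort-alerts.ids” writes. It tallies alerts by signature and by source address and flags any source that probed several distinct ports, which is what the ping and Nmap scan from the second computer look like in that file. The sample log lines and their SIDs are constructed for the demo, not real ruleset entries.

```python
import re
from collections import Counter, defaultdict

# Layout of a Snort 2 alert_fast line, as written by "output alert_fast: snort-alerts.ids":
# MM/DD-HH:MM:SS.usec  [**] [gid:sid:rev] msg [**] [Classification: ...] [Priority: N] {PROTO} src[:port] -> dst[:port]
ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s+(?P<cls>[^\]]+)\]\s+)?"
    r"\[Priority:\s+(?P<prio>\d+)\]\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s*$"
)

# Constructed sample of snort-alerts.ids after a ping and an Nmap-style port probe from
# 192.168.1.50 (assumed lab address); SIDs are in the local-rule range, not real ruleset SIDs.
SAMPLE_LOG = """\
01/27-10:15:01.123456  [**] [1:1000001:1] LAB ICMP PING [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.168.1.50 -> 192.168.1.10
01/27-10:15:02.223456  [**] [1:1000002:1] LAB TCP SYN probe [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.1.50:40001 -> 192.168.1.10:22
01/27-10:15:02.323456  [**] [1:1000002:1] LAB TCP SYN probe [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.1.50:40002 -> 192.168.1.10:80
01/27-10:15:02.423456  [**] [1:1000002:1] LAB TCP SYN probe [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.1.50:40003 -> 192.168.1.10:135
01/27-10:15:02.523456  [**] [1:1000002:1] LAB TCP SYN probe [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.1.50:40004 -> 192.168.1.10:139
01/27-10:15:02.623456  [**] [1:1000002:1] LAB TCP SYN probe [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.1.50:40005 -> 192.168.1.10:445
01/27-10:16:40.000001  [**] [1:1000002:1] LAB TCP SYN probe [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.1.77:51000 -> 192.168.1.10:80
this line is not an alert and must be skipped
"""

def parse_alert(line):
    """Parse one alert_fast line into a dict; return None for lines that are not alerts."""
    m = ALERT_RE.match(line.rstrip("\r\n"))
    if m is None:
        return None
    a = m.groupdict()
    a["prio"] = int(a["prio"])
    a["dport"] = int(a["dport"]) if a["dport"] else None   # ICMP alerts carry no ports
    return a

def summarize(lines, scan_threshold=5):
    """Count alerts per signature and per source; flag sources hitting >= scan_threshold ports."""
    by_sig, by_src, ports_by_src = Counter(), Counter(), defaultdict(set)
    for line in lines:
        a = parse_alert(line)
        if a is None:
            continue                      # tolerate non-alert noise in the file
        by_sig[a["msg"]] += 1
        by_src[a["src"]] += 1
        if a["dport"] is not None:
            ports_by_src[a["src"]].add(a["dport"])
    scanners = sorted(ip for ip, ports in ports_by_src.items() if len(ports) >= scan_threshold)
    return by_sig, by_src, scanners
```

Feed it the real file with summarize(open(r"C:\Snort\log\snort-alerts.ids").readlines()); the threshold is a demo value, so tune it to how noisy your network is.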
[Screenshots not reproduced: Snort monitoring traffic; Snort’s detailed report when scanning has stopped; log files]
Note: Read the setup and configuration documentation for Snort on Snort.org. While this is a demo, Snort can be configured in thousands of ways to detect and alert you in the event of malicious activity on your network. Downloading signatures often is extremely important.
100% credit goes to Bill Mullins for sharing this information. (BillMullins.wordpress.com).
SoftPerfect has some of the best freeware for Windows. With Network Scanner you can see the devices on your network and find information about them. With their “WiFi Guard” software, you can run a device on your network and find the devices that are attached to it.
While you should take precautions to secure your wireless network, is someone accessing your network without your knowledge?
Installation is fast and easy. Simply follow the wizard and make sure you run the software at startup.
Once you install the software, select the adapter and scan your network. Next double click on known devices and select “I know this device.” Let the software run and periodically scan your network. If you find a device connecting to it, locate the device and remove it from the network or take action to prevent unknown devices from connecting.
The software is designed to run on Apple, Windows or Linux.
Note: The above pic is from a lab environment and the addresses and macs do not represent real machines or a production environment.
This post is for educational purposes and any use of these tools against a network without explicit permission could be illegal. Metasploit is designed to identify weaknesses in networks and hardware/software on a network. Do NOT use Metasploit for other reasons.
Want to protect your network and the computers in your network? You can get updates for your operating systems (Linux, Mac, iOS, Android, Windows or whatever) along with updates for third-party programs, yet you can still be insecure. When updating these products, you also have to remember firmware and updates for wireless devices, access points, bridges, firewalls, routers, switches, SCADA devices, robots, mobile devices, printers and any other device on your network.
Metasploit Community is free and allows for a free scan of your network or server. Although limited (Try Pro for details and Brute Force), Metasploit Community is a first step in finding open services and ports on your operating system, hardware devices such as routers and other devices. The trick to installing Metasploit is to disable your antivirus or make exceptions to what your antivirus finds. You should truly install the software inside of a VM (Virtual Machine) so that your computer remains protected.
You can use Metasploit to protect your network by ‘seeing’ what a hacker or malicious person would see. Truly for network professionals and auditors, this software can help you identify services, ports and weaknesses in your network.
Metasploit comes in several editions: Community, Pro, Express and Framework (Compare Editions).
The above scan was in a controlled lab. Malicious scanning of networks may be illegal. Read Penetration Basics on Metasploit’s website.
So what happens when you install a firewall and make sure all operating systems on your home network are fresh installs?
You’ll probably see hits from foreign and U.S. IP addresses trying to make connections to your computers, phones and other devices on your network. You’ll also notice common port numbers in the above log. So what would happen if any of the services and ports were open? It could result in the loss of data.
What should you do? Install a hardware SOHO firewall and keep your OS firewall on. While there are tons of other precautions you also need to take, ultimately this is a form of protection most home users and business users fail to implement.
Credit: Chris Davis
ITX motherboards can often be found in older computers from garage sales or thrift stores. What is the practical use for these motherboards or older computers?
Here’s a small project that involves protecting your home.
After finding an ITX motherboard and gathering extra parts from broken laptops and computers, this project puts SmoothWall Express onto the computer to make a mini firewall. Total cost?
- $22 250-watt power supply
- $5 Gearhead mini keyboard
- CPU: Athlon 64 X2 (B) 5400+ 2.8 GHz (65W), 800 MHz front side bus
- Manufacturer: Pegatron
- Motherboard name: APX78-BN
- HP/Compaq motherboard name: Nutmeg-GL6E
- Memory: 240-pin DDR2 PC2-6400 (6400 MB/sec)
- Storage: 120 GB SATA 6G (6.0 Gb/sec)
- Graphics: integrated on motherboard (NVIDIA 9100)
- Audio: high definition 6-channel audio, ALC 888S chipset
- Networking: integrated 10/100 Base-T interface, plus an added Broadcom wireless card to create a wireless router
- External I/O port connections: 6 USB
- PCI Express mini card socket (used for the added Broadcom wireless card)
- PCI Express x16 slot
- PCI Express x1 slot
- 2″ fan for chipset
In the video below, Hak5 shows how to turn a motherboard like this into a nice home router/firewall.
According to the study, the most sought-after quality is a broad knowledge of security (more a strategic understanding than technical know-how), followed by certifications. Read More
Opinion: While certifications are an important part of IT, technical know-how is the most important. Getting a degree or a certification is a great advancement for your education, but can you configure a firewall? Run Linux, OS X or Windows? Support mobile, wireless and servers with Active Directory, and monitor and control an IT environment? That’s the difference between $12 an hour and a career.
FREE: how can you beat it? Once again, another excellent site has training that is free. Having already found Rackspace’s Cloud University, free Microsoft training and virtualization training, this site adds another form of training that can supplement your training programs.
“Security engineering training by SAFECode is an online community resource offering free software security training courses delivered via on-demand webcasts.
Covering issues from preventing SQL injection to avoiding cross site request forgery, the courses are designed to be used as building blocks for those looking to create an in-house training program for their product development teams, as well as individuals interested in enhancing their skills. All courses are free and published under a Creative Commons license and open, non-commercial usage of the content is encouraged.
SAFECode will be adding new courses to the site on an ongoing basis. Our goal is to create a diverse catalog of security engineering training courses for all expertise levels as a community resource.”
“While registration is not required to view the courses, registered users of the site will benefit from the ability to:
- Download courses for offline viewing
- Post comments to provide feedback on the courses and ideas for updates. Your feedback will be used to help keep the material up-to-date and ensure it best meets the needs of the community it aims to serve.
- Receive email updates when new courses and resources are available”
CryptoLocker and CryptoLocker2 are still alive. You can help prevent infections and encryption (losing your data) by downloading Foolish IT’s CryptoPrevent for home and commercial use.
Get the prevention software here: http://www.foolishit.com/vb6-projects/cryptoprevent/
Over 666,000 internal security breaches took place in US businesses in the last 12 months, an average of 2,560 per working day, new research has revealed. The findings, revealed by IS Decisions, also found that despite this regular occurrence, only 17.5% of IT managers consider insider threats to be in their top three security priorities.
What is one of the best vulnerability scanners on the market? Nessus® by Tenable Network Security. Nessus® provides an exceptional scanner that creates a server on your computer to scan your network or an individual device on your network. This software allows you to scan for patch, configuration and compliance details, malware, botnets and more. (Features) Nessus® has more than 60,000 plugins to detect vulnerabilities on your network.
Here are the basics behind the installation and operation of Nessus®:
Note: The detailed information and power of this program are not shown in these screenshots. Nessus® is much more complex than is shown in this brief.
Nessus® is a small download that installs a server on your local computer. The server, which is accessed through your web browser, allows you to scan all hosts on your network.
Installation of Tenable Nessus® is straightforward and easy. Nessus® does require a free registration, which allows scanning of up to 16 IPs on your network with the basic version.
Once the software is installed, your browser will open, requiring you to use an SSL connection and to create a username and password.
If you have not registered Nessus®, you will be required to do so. Once you register and enter your key, the software will download plugins needed to check your network and hosts.
Once the plugins are downloaded (This will take some time), the server will initialize. This can become resource intensive and may take a few minutes. Be patient.
Once the plugins are downloaded, you will be required to sign in. After signing in, you will need to set up a basic policy along with authentication settings (credentials for other computers in your network) in order to scan your network.
The policy wizard creates basic policies for host discovery, credentialed patch audits, basic scans, web application tests, malware scans or mobile device scans.
Once a policy is created, you can begin a scan of your network.
Vulnerabilities are shown after the scan. By clicking on an individual node, you can view the details about the node and its vulnerabilities.
Nessus® provides detailed reports that can be exported in different formats.
Differences between editions: Link
What is OPSWAT? OPSWAT is a San Francisco-based software company that provides solutions to secure and manage IT infrastructure. More info
OPSWAT has an excellent program you can download to check the overall score of your computer’s security rating.
Installation is easy and doesn’t require any special configuration.
Once the program is started, it will take several minutes to analyze your computer.
Your security score rates your computer’s security with a colorful graph and clickable links. While mine showed a 75, I back up offsite. This little program is accurate and gives any end user a look at their security standing. The program is very useful and should be run by any home or small business owner.