Difference between revisions of "SNORT-RULES: DROP packet"

Sumber: http://sublimerobots.com/2016/02/snort-ips-inline-mode-on-ubuntu/

Edit /etc/snort/snort.conf

Pastikan

###################################################
# Step #5: Configure preprocessors
# Inline packet normalization. For more information, see README.normalize
preprocessor normalize_ip4
preprocessor normalize_tcp: ips ecn stream
preprocessor normalize_icmp4
preprocessor normalize_ip6
preprocessor normalize_icmp6

###################################################
# Step #2: Configure the decoder.  For more information, see README.decode
###################################################
config policy_mode:inline

## Configure DAQ variables for AFPacket 
config daq: afpacket 
config daq_mode: inline 
config daq_var: buffer_size_mb=1024

Download pullpork dari

https://github.com/shirkdog/pulledpork

Cek

/usr/local/src/pulledpork-master# ./pulledpork.pl -V

Jalankan snort

snort -c /etc/snort/snort.conf -l /var/log/snort/ -K ascii -D

Format aturan snort

action protocol address port direction address port (rule option)

Edit file, misalnya,

/etc/snort/rules/icmp-sementara.rules

Isi dengan

drop icmp any any <> 192.168.8.104 any

dari client

ping 192.168.8.104

Jalankan snort di server, pastikan ping mati

snort -c /etc/snort/rules/icmp-sementara.rules -l /var/log/snort/ -K ascii -D

Referensi

• http://sublimerobots.com/2016/02/snort-ips-inline-mode-on-ubuntu/