IDS-Snort-run.sh
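#!/usr/bin/env bash
# Prepare the Snort directory layout (rules, preprocessor rules, dynamic
# rules, logs), hand the tree to the snort user, and start Snort in
# console-alert mode on an interface chosen interactively.
# Must be run as root: it creates directories under /etc, /var/log and
# /usr/local/lib and chowns them to snort:snort.
# `read -p` is a bash feature, so the shebang is bash rather than /bin/sh.
set -euo pipefail

die() { printf '%s\n' "$*" >&2; exit 1; }

(( EUID == 0 )) || die "this script must be run as root"

# List interfaces before prompting. ifconfig is deprecated on modern Linux,
# so prefer iproute2 and fall back only when `ip` is unavailable.
ip -brief link 2>/dev/null || ifconfig -s

# -r keeps backslashes literal; an empty answer would otherwise make Snort
# listen on whatever interface it picks by default.
read -r -p 'SET Interface.: ' int_f
[[ -n "$int_f" ]] || die "no interface given"

#Config
# -p: re-running the script must not abort (under set -e) on directories
# that already exist.
mkdir -p /etc/snort/rules/iplists
mkdir -p /etc/snort/preproc_rules
mkdir -p /usr/local/lib/snort_dynamicrules
mkdir -p /etc/snort/so_rules
mkdir -p /var/log/snort
mkdir -p /var/log/snort/archived_logs

snort_dirs=(/etc/snort /var/log/snort /usr/local/lib/snort_dynamicrules)
for dir in "${snort_dirs[@]}"; do
  # The original `chmod -R 5775` also set the setuid and setgid bits on every
  # regular file in these trees; config, rule and log files need neither.
  # Keep the intended rwxrwxr-x layout (X only preserves existing execute
  # bits on files) and apply setgid to directories only, so new files inherit
  # the snort group.
  chmod -R u=rwX,g=rwX,o=rX -- "$dir"
  find "$dir" -type d -exec chmod g+s -- {} +
  # NOTE(review): making the snort user own its own config and rules lets a
  # compromised sensor process rewrite them; root-owned, group-readable config
  # would be stricter. Kept as in the original.
  chown -R snort:snort -- "$dir"
done

# Quoted so an interface name with unusual characters is passed as one word.
snort -A console -l /var/log/snort -u snort -g snort -c /etc/snort/snort.conf -i "$int_f"
#snort -A console -e --require-rule-sid -H -I -y -l /tmp -k all -u snort -g snort -c /etc/snort/snort.conf -i "$int_f"
# -k checksum-mode :: Tune the internal checksum verification functionality with alert-mode. Valid checksum modes include all, noip, notcp, noudp, noicmp, and none. (Author's note: "all virus are HASH from DB checksum of file" — this flag concerns protocol checksums, not file hashes.)
# -K logging-mode: ascii , pcap and none
# -x = --conf-error-out | exit if flowbits or problems occur such as flowbits without Stream5
# -y Include the year in Alert and log files
# -e Display/log the link layer packet headers (every GET POST from WWW are the datagram HEADER).
# -Q Enable inline mode operation.
# -s Send alert messages to syslog.
# -T Snort will start up in self-test mode
# -w Show management frames if running on an 802.11 (wireless) network.
# -p Turn off promiscuous mode sniffing.
# -N Turn off packet logging. The program still generates alerts normally.
# -M Log console messages to syslog when not running daemon mode. This switch has no impact on logging of alerts.
# --require-rule-sid IM TESTING THIS RULE
# -O Obfuscate the IP addresses when in ASCII packet dump mode. Get printed to screen/log if the homenet add is set (-h) only address on homenet will be obfuscated while IPs will be left visible which is perfect to posting security mailing list
# -H Force hash tables to be deterministic instead of using a random number generator for the seed & scale. Useful for testing and generating repeatable results with the same traffic.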