ACTIVITY: USING SNORT TO SNIFF AND LOG PACKETS
This activity is ungraded.
Remember: Be sure to watch the Demo videos from this unit before trying this activity. Watching me do it first will help you understand each of the steps.
- Snort Sniffer Mode
- Snort Packet Logger Mode
- Because you will use Wireshark, you may want to review Welcome to Wireshark from Unit 1.
System: You can complete this activity on any system. These instructions are for Windows users.
- Mac/Linux users should follow the same instructions, using syntax for those OSes instead.
Downloads
- Pick the appropriate file in the Binaries section.
- Windows users should select Snort_2_9_9_0_Installer.exe.
Parts of this activity require the Kali VM downloaded in Unit 1, along with Wireshark. Instructions for installing Kali VM.
Time: This activity should take you 15 to 30 minutes to complete.
Goal
- To use Snort to capture and log network traffic
Instructions
Note: Hit Enter after each command.
Snort Overview
In this exercise, you will learn the basics of Snort.
- Go to Start > Run > Enter cmd.
- Right-click on the cmd icon and select Run as administrator.
- At the command prompt, enter cd c:\snort\bin, which changes to the directory containing the Snort executable.
- Enter snort -h to see the Snort help.
Run Snort in Sniffer Mode
In this exercise, you will use Snort to capture packets from the network and send output to the console.
Note: You can ignore the message No preprocessors configured for policy 0. We’ll deal with it later.
- Enter snort -W to see a list of interfaces to choose from.
- Choose the correct adapter by finding the number in the Index column that corresponds to the NIC you will be running Snort on.
- You can figure this out by looking at the IP Address column, and using the NIC that corresponds with the IP address you’re currently using.
- For example, if the Index is 3, continue with a “3” after the -i in the instructions below. If not, use the actual number you see.
- At the command prompt, enter snort -v -i3.
Snort is now running with verbose output (-v) on interface 3 (-i3) and listening to the network traffic.
- Keep the Snort window open and open another command line interface.
- In the new window, enter ping -t 8.8.8.8.
8.8.8.8 is the Google Public DNS server; -t makes this ping continuous.
- Observe the captured packets in the Snort window.
- Press Ctrl+c in the Snort window to stop Snort and scroll up to analyze the results.
- Repeat the same exercise, but this time enter snort -vd -i3 (snort -v -d -i3 does the same thing) at the command prompt.
-d dumps the application layer, so now we can see the packet payload.
- Repeat the same exercise, but enter snort -vde -i3 (snort -v -d -e -i3 does the same thing) at the command prompt.
-e displays the layer 2 (data link) header information as well.
Run Snort in Packet Logger Mode
You can use Snort to record packets to a file by specifying a log directory with the -l option.
- Enter snort -dev -i2 -l c:\snort\log to log every packet into a single log file (as before, the number after -i is the interface index you found with snort -W).
- Send a ping to 8.8.8.8.
- Stop Snort with Ctrl+c, and scroll up to analyze the results.
- Using Windows Explorer, browse to C:\snort\log.
You should see a log file in this folder.
- Open the log file in Wireshark.
You’ll notice Snort has captured all packets.
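To confirm what Snort wrote in packet logger mode without opening Wireshark, here is an added Python example (not part of the course materials or of Snort itself) that parses the libpcap format Snort uses for its log file and tallies ICMP packets by source, destination and type. It builds its own small sample capture inline, so the MAC and IP addresses and the frame bytes are constructed, not taken from a real capture; point summarize_icmp at the bytes of a real snort.log file to run it against your own log.

```python
import struct
from collections import Counter

def _csum(data):
    """RFC 1071 one's-complement checksum (data padded to an even length)."""
    if len(data) % 2:
        data += b"\0"
    s = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return (~s) & 0xFFFF

def build_frame(src_ip, dst_ip, icmp_type, payload=b"abcdefgh"):
    """Ethernet + IPv4 + ICMP frame, like the packets the ping exercise produces."""
    icmp = struct.pack("!BBHHH", icmp_type, 0, 0, 1, 1) + payload
    icmp = icmp[:2] + struct.pack("!H", _csum(icmp)) + icmp[4:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 1, 0, 64, 1, 0,
                     bytes(map(int, src_ip.split("."))), bytes(map(int, dst_ip.split("."))))
    ip = ip[:10] + struct.pack("!H", _csum(ip)) + ip[12:]
    eth = b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb" + b"\x08\x00"
    return eth + ip + icmp

def build_pcap(frames):
    """Wrap frames in a libpcap file: global header + a record header per packet."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # linktype 1 = Ethernet
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1_700_000_000 + i, 0, len(f), len(f)) + f
    return out

def summarize_icmp(pcap_bytes):
    """Parse a Snort pcap log and count ICMP packets by (src, dst, type)."""
    magic, = struct.unpack("<I", pcap_bytes[:4])
    endian = "<" if magic == 0xA1B2C3D4 else ">"
    counts = Counter()
    off = 24
    while off + 16 <= len(pcap_bytes):
        _, _, incl_len, _ = struct.unpack(endian + "IIII", pcap_bytes[off:off + 16])
        pkt = pcap_bytes[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if struct.unpack("!H", pkt[12:14])[0] != 0x0800 or pkt[14 + 9] != 1:
            continue  # not IPv4, or not ICMP
        ihl = (pkt[14] & 0x0F) * 4
        src = ".".join(map(str, pkt[26:30]))
        dst = ".".join(map(str, pkt[30:34]))
        counts[(src, dst, pkt[14 + ihl])] += 1
    return counts

# Constructed sample: one echo request to 8.8.8.8 and its reply (not a real capture).
SAMPLE_PCAP = build_pcap([build_frame("192.168.1.10", "8.8.8.8", 8),
                          build_frame("8.8.8.8", "192.168.1.10", 0)])
```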
After you've finished, answer the Check Your Work questions.
You will continue to work in Snort in the next activity.