Sniffing out malformed packets with Snort
Snort, the web's top-rated NIDS, checks incoming packets against a rule base and reports what it finds to a MySQL database as well as, as discussed previously, to OSSEC:
Snort – http://snort.org
That's handy, especially when fronted by Snorby, a powerful interface that makes analysis a snap and serves as a Snort-specific alternative to Splunk's GUI:
Snorby – http://snorby.org
The Splunk for Snort app – http://splunkbase.splunk.com/apps/All/4.x/App/app:Splunk+for+Snort+-+Splunk+4.x
We need to work in superuser mode, so become root:
sudo -i
Installing the packages
Install Snorby's Ruby on Rails prerequisites, Snort's MySQL version and the build dependencies:
aptitude install apache2-prefork-dev build-essential git-core libapr1-dev libaprutil1-dev libopenssl-ruby rake ruby rubygems ruby1.8-dev snort-mysql
Snort's installation options
During Snort's install you'll be prompted twice.
Specifying the network
Snort wants the IP address range of your local network...
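Before answering that prompt, it is worth sanity-checking the range you intend to give. The POSIX shell script below is an added example, not part of the original text: it validates a comma-separated IPv4 CIDR list in the form Snort's HOME_NET takes, flagging malformed entries, entries with host bits set (an interface address pasted instead of its network) and 'any', which would make every address count as local. Function names and sample values are constructed; it assumes the plain IPv4 CIDR list form and does not cover IPv6 or Snort's negated or bracketed ipvar syntax.

```shell
#!/bin/sh
# Added example (not from the original text): sanity-check a HOME_NET value, the
# comma-separated IPv4 CIDR list the installer asks for, before committing it to
# Snort's config. Function names and sample values are constructed.
set -f   # no pathname expansion while word-splitting user input

# ip_to_int 192.168.1.0 -> prints the address as a 32-bit integer; 1 if malformed
ip_to_int() {
  oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
  [ $# -eq 4 ] || return 1
  n=0
  for o in "$@"; do   # digits only, no leading zeros (octal), 0..255
    case $o in ''|*[!0-9]*|0[0-9]*) return 1;; esac
    [ "$o" -le 255 ] || return 1
    n=$(( (n << 8) | o ))
  done
  echo "$n"
}

# check_cidr 192.168.1.0/24 -> 0 for a well-formed network, 1 if malformed,
# 2 if host bits are set (an interface address was given instead of its network)
check_cidr() {
  case $1 in */*) ;; *) return 1;; esac
  ip=${1%/*}; plen=${1#*/}
  case $plen in ''|*[!0-9]*) return 1;; esac
  [ "$plen" -le 32 ] || return 1
  addr=$(ip_to_int "$ip") || return 1
  mask=$(( (4294967295 << (32 - plen)) & 4294967295 ))
  [ $(( addr & (mask ^ 4294967295) )) -eq 0 ] || return 2
}

# check_home_net "192.168.1.0/24,10.0.0.0/8" -> 0 if every entry is usable;
# otherwise prints one diagnostic per bad entry and returns 1
check_home_net() {
  bad=0
  oldifs=$IFS; IFS=,; set -- $1; IFS=$oldifs
  [ $# -gt 0 ] || { echo "HOME_NET is empty"; return 1; }
  for net in "$@"; do
    if [ "$net" = any ]; then
      # 'any' makes every address local: rules contrasting HOME_NET with EXTERNAL_NET lose meaning
      echo "'$net': declares the whole Internet as local"; bad=1; continue
    fi
    check_cidr "$net" && continue
    case $? in
      1) echo "'$net': not a valid IPv4 CIDR";;
      2) echo "'$net': host bits set; an interface address, not a network";;
    esac
    bad=1
  done
  return $bad
}
```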