Module-3

Configuring IDS

• Components
  – Sensor
  – Director
  – Post Office

Device Configuration

Configuring IDS

• Step 1. Initialization configuration
• Step 2. Logging or PostOffice configuration
• Step 3. Audit rule configuration and activation

Step 1: Initialization Configuration

  Router(config)# ip audit po max-events #_of_events
  Router(config)# ip audit smtp spam #_of_recipients
  Router(config)# exit

Configuring IDS

Step 1: Initialization Configuration
– The ip audit po max-events command limits the number of IDS events that the Cisco IOS queues up to send to a remote device (the Director).
– The ip audit smtp spam command is used to limit e-mail spamming that uses mass mailings: it sets the number of recipients in a single SMTP message above which the mail-spam signature triggers.

Step 2: Logging and PostOffice Configuration
– The Cisco IOS can use two methods when logging IDS events:
  1) log the information using syslog
  2) log the information using an IDS Director.
• Using syslog, the Cisco IOS can log information locally (the console or the internal buffer) or remotely (a syslog server).
• If you want to use the syslog method, you must configure the following IDS statement:

  Router(config)# ip audit notify log

• If you are using CiscoWorks VMS with Security Monitoring Center (MC), you can forward the router's syslog messages to Security MC, which is used to centralize the repository and reporting of alarm information.
• When logging informational signatures to the router's console, you also need to execute the following command so that informational-level messages are displayed on the console:

  Router(config)# logging console info

• The second logging option is to log information to an IDS Director.

Configuring IDS

Step 2: Logging and PostOffice Configuration (continued)
• The ip audit notify nr-director command enables the logging of IDS events to an IDS Director product.
• The ip audit po local command specifies the PostOffice configuration for the router; the ip audit po remote command specifies the configuration for the remote Director device.
• With PostOffice, each device needs a unique combination of a host ID and an organization ID.
• The organization ID is used to group sensors. In smaller companies, normally only a single organization ID is necessary. For enterprise companies, you might have different organization IDs for each division, allowing for easier management of your sensor products.
• Within each organization, a device needs a unique host ID. This concept is similar to IP addressing, in which you have network numbers and hosts within a network. Both of these IDs range from 1 to 65,535.
• For the ip audit po local command, you must specify the router's own host and organization ID values.
• Likewise, you must specify the Director's PostOffice ID information in the ip audit po remote command.
• However, unlike the router's PostOffice configuration, you have to tell your router many more things about the remote Director in the ip audit po remote command: after specifying the PostOffice ID of the Director, you specify the IP address of the Director and then the IP address that the router will use as its source address (an address on one of its physical or loopback interfaces).

Step 3: Audit Rule Configuration and Activation
– After logging, the next task is creating audit rules.
– Global Policies
  • Global policies define the action the router takes when a signature matches.
  • To create your global policies, use these two commands:

Step 1:
  Router(config)# ip audit info {action [alarm] [drop] [reset]}
  Router(config)# ip audit attack {action [alarm] [drop] [reset]}
  [Note: the first command applies to informational signatures, the second to attack signatures]

• Each command has three possible actions that the router can take (they can be combined, e.g. action alarm drop reset):
  – Alarm - Generate an alarm (log); this is the default action
  – Drop - Drop the packet
  – Reset - For TCP connections, tear down the connection

Specific Policies
– Besides globally changing the behavior of IDS, you can create specific IDS auditing policies: named audit rules, optionally restricted by an ACL, that are applied to an interface. Hosts denied by the list ACL are not audited, which is how known false-positive sources (scanners, load balancers) are excluded.

Step 2:
  Router(config)# ip audit name audit-name {info | attack} [list standard-acl] [action [alarm] [drop] [reset]]
Step 3:
  Router(config)# ip audit signature signature-id {disable | list acl-list}
Step 4:
  Router(config)# interface interface-name
Step 5:
  Router(config-if)# ip audit audit-name {in | out}
Step 6:
  Router(config-if)# exit
Step 7:
  Router(config)# ip audit po protected ip-addr [to ip-addr]
Step 8:
  Router(config)# exit
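The following is an added worked example that ties Steps 1 to 3 together in one Cisco IOS Firewall IDS configuration; it is not taken from the slides or from Cisco documentation. The interface name, IP addresses, host/organization IDs, ACL numbers, the audit-rule name OUTSIDE and the choice of signature 1000 are all assumed values chosen for illustration.

```cisco
! Step 1: initialization
ip audit po max-events 100
ip audit smtp spam 250
!
! Step 2a: log alarms to syslog (local buffer and a remote collector, assumed 10.1.1.50)
ip audit notify log
logging buffered 16384 informational
logging 10.1.1.50
!
! Step 2b: also send alarms to a Director over PostOffice.
! Router = host 10, Director = host 1, both in organization 100 (assumed IDs).
! PostOffice changes take effect only after the router is reloaded.
ip audit notify nr-director
ip audit po local hostid 10 orgid 100
ip audit po remote hostid 1 orgid 100 rmtaddress 10.1.1.60 localaddress 10.1.1.1
!
! Step 3, global policy: informational signatures only alarm,
! attack signatures alarm, drop the packet and reset the TCP session
ip audit info action alarm
ip audit attack action alarm drop reset
!
! Exclude the vulnerability scanner (assumed 10.1.1.70) from one noisy signature:
! hosts denied by the ACL are not audited for that signature
access-list 10 deny 10.1.1.70
access-list 10 permit any
ip audit signature 1000 list 10
!
! Named audit rule: the scanner is excluded from all auditing by ACL 11
access-list 11 deny 10.1.1.70
access-list 11 permit any
ip audit name OUTSIDE info list 11 action alarm
ip audit name OUTSIDE attack list 11 action alarm drop reset
!
! Activate the rule inbound on the untrusted interface so packets are
! audited before the interface ACL can discard them
interface Serial0
 ip audit OUTSIDE in
!
! Tell the Director which addresses are on the protected side
ip audit po protected 10.1.1.1 to 10.1.1.254
```

After applying the configuration, show ip audit configuration confirms the global settings and show ip audit interfaces confirms which rule is bound to which interface and direction.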
Packet auditing process with Cisco IOS Firewall IDS

Cisco IOS Firewall IDS feature
• supports intrusion detection technology.
• identifies 59 of the most common attacks using "signatures" to detect patterns of misuse in network traffic.
• acts as an in-line intrusion detection sensor.

To enable auditing:
• Create an audit rule.
• Apply the audit rule to an interface on the router, specifying a traffic direction (in or out).

Auditing process
• You apply the audit rule to an interface on the router, specifying a traffic direction (in or out).
  – If the audit rule is applied to the in direction of the interface, packets passing through the interface are audited before the inbound ACL has a chance to discard them.
  – If the audit rule is applied to the out direction on the interface, packets are audited after they enter the router through another interface, so the inbound ACL of that other interface may already have discarded some of them before they are audited.
• Packets going through the interface that match the audit rule are audited by a series of modules, starting with IP; then either ICMP, TCP, or UDP (as appropriate); and finally, the Application level.
• If a signature match is found in a module, then the following user-configured action(s) occur:
  – If the action is alarm, then the module completes its audit, sends an alarm, and passes the packet to the next module.
  – If the action is drop, then the packet is dropped from the module, discarded, and not sent to the next module.
  – If the action is reset, then the packets are forwarded to the next module, and packets with the reset flag set are sent to both participants of the session, if the session is TCP.
• Practical consequence: apply the rule inbound on the untrusted interface if you want the IDS to see everything, including traffic the ACL would drop; apply it where ACLs already filter if you want fewer alarms.

When to Use Firewall IDS
• Enterprises that are interested in a cost-effective method of extending their perimeter security across all network boundaries, specifically branch-office, intranet, and extranet perimeters.
• Small and medium-sized businesses that are looking for a cost-effective router that has an integrated firewall with intrusion-detection capabilities.
• Service providers that want to set up managed services, providing firewalling and intrusion detection to their customers, all housed within the necessary function of a router.
DEVICE CONFIGURATION
• Common issues in installing or configuring information security devices
• Methods to resolve these issues
• Methods of testing installed/configured information security devices

Troubleshoot Firewall Problems
1) Ping a PC near the device
2) Ping the device
3) Telnet and/or browse to the device
4) Confirm the port configuration of the device
5) Confirm that important IP addresses are not blocked
6) Trace the route to the device

1) Ping a PC near the device
• A simple ICMP ping to a PC near the device is a good initial test to determine connectivity status and network performance issues.
• ICMP ping is an IP-based signal (an ICMP echo request) sent from one device to another.
• If the target device receives the "ping" from the source device, it will (if configured to do so) respond with an echo reply to confirm that it is active and connected to the network.
• It's a simple way of confirming that a device is online.
• So, if your pings to the PC are not returned, try pinging the gateway.
• Continue working your way up the network with your pings to identify the point where they stop.
• Check for firewalls and firewall configurations, especially those that block UDP, SNMP, pings (ICMP), or ports 161 or 162 (SNMP queries and SNMP traps).
• Keep in mind that some networks block all ping traffic as a security measure, so a failed ping on its own does not prove that a host is down.

2) Ping the device
– Next, send another simple ICMP ping to the device to determine connectivity.
– If pings to the PC in Step 1 were successful, but pings sent to the device fail, the problem is almost certainly with the SNMP device itself or with a filter directly in front of it.

3) Telnet and/or browse to the device
– If the SNMP device you are testing supports Telnet connections or Web access, you should attempt to connect using one of these methods (prefer SSH and HTTPS where the device offers them; Telnet and HTTP send credentials in cleartext).
– If pings succeed but Telnet and/or browsing is blocked, this is a very good indication that you have a firewall issue.

4) Confirm the port configuration of the device
– For additional security, some SNMP devices may use non-standard ports to obstruct unauthorized SNMP traffic. If so, make sure that these ports are not blocked by a firewall and are accepted by the manager.
– Another potential solution is to reconfigure the device to use standard ports.

5) Confirm that important IP addresses are not blocked
– A firewall may simply be blocking the IP address of your device and/or manager.
– Confirm that these or any other needed IP addresses are not being blocked.

6) Trace the route to the device
– Tracing the "hops" that network traffic is following to reach the device can allow you to pinpoint a tricky firewall issue. A simple trace can be performed from the Command Prompt of Windows XP:
  • Open a Command Prompt in Windows XP.
  • Type "tracert", a single space, and the IP address of the device you are trying to reach (i.e. "tracert 192.168.230.143").
  • Press return to start the trace.
  • Show the output to your IT department to identify potential firewall problems.
– On Linux or macOS the equivalent is traceroute. Note that tracert sends ICMP echo probes while traceroute sends UDP probes by default, so a firewall may treat the two differently.
Troubleshooting Cisco IOS Firewall configurations
• Reverse (remove) an access list: put a "no" in front of the access-group command in interface configuration mode.
  Eg:
    int <interface>
    no ip access-group # in|out
• If too much traffic is denied, study the logic of your list or try to define an additional broader list, and then apply it instead.
  Eg:
    access-list # permit tcp any any
    access-list # permit udp any any
    access-list # permit icmp any any
    int <interface>
    ip access-group # in|out
  A permit-everything list like this is a diagnostic step only: it removes all filtering from the interface, so replace it with the corrected list as soon as the fault is found.
• Reference: https://www.cisco.com/c/en/us/support/docs/security/ios-firewall/13897-trouble-cbac.html

Contd.
• Command - show ip access-lists
  - Shows the access lists with the per-entry match counters, which tell you what traffic is being denied by them (show ip interface shows which list is applied to an interface and in which direction).
• Command - no ip route-cache (interface configuration mode)
  - Disables fast switching on the interface so that packets are process-switched and therefore visible to debug ip packet. If the router is not heavily loaded, debugging can then be done at a packet level on the extended or ip inspect access list. Always limit debug ip packet with an access list; unrestricted packet debugging on a busy router can exhaust the CPU.
  Then in enable (but not config) mode:
    term mon                    // terminal monitor: send debug and log output to the current vty session
    debug ip packet # detail    // display IP debug output for packets that match access list #
  Output:
    *Mar 1 04:38:28.078: IP: s=10.31.1.161 (Serial0), d=171.68.118.100 (Ethernet0), g=10.31.1.21, len 100, forward
    *Mar 1 04:38:28.086: IP: s=171.68.118.100 (Ethernet0), d=9.9.9.9 (Serial0), g=9.9.9.9, len 100, forward
• Extended access list with the log keyword
  - Instead of debugging, entries marked log generate a syslog message (with a packet count) each time they match, which is safer on a loaded router:
    access-list 101 deny ip host 171.68.118.100 host 10.31.1.161 log
    access-list 101 permit ip any any
  Output (sample messages; the list numbers differ from the ACL above because they were captured from another configuration):
    *Mar 1 04:44:19.446: %SEC-6-IPACCESSLOGDP: list 111 permitted icmp 171.68.118.100 -> 10.31.1.161 (0/0), 15 packets
    *Mar 1 03:27:13.295: %SEC-6-IPACCESSLOGP: list 118 denied tcp 171.68.118.100(0) -> 10.31.1.161(0), 1 packet
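The ACL log messages above are easier to act on when they are aggregated per flow and per source. The script below is an added example (not from the slides or from Cisco's troubleshooting document) that summarises %SEC-6-IPACCESSLOGP / %SEC-6-IPACCESSLOGDP messages from a router's syslog or show logging output. The sample log lines it runs on are constructed; the field positions it relies on are those of the message format shown above.

```shell
#!/bin/sh
# Added example: summarise IOS ACL "log" messages so that a burst of denies on
# one list, or from one source, stands out during triage.

# summarize_acl_log: reads syslog lines on stdin and prints
#   <list> <permitted|denied> <proto> <src> <dst> <packets>
# one line per flow, with packet counts summed, highest count first.
summarize_acl_log() {
  awk '
    /%SEC-6-IPACCESSLOG/ {
      # Locate the "list" keyword; the fields after it are fixed by the message
      # format: list <n> <verdict> <proto> <src>[(port)] -> <dst>[(port)][,] ... <N> packet(s)
      for (i = 1; i <= NF; i++) if ($i == "list") break
      list = $(i+1); verdict = $(i+2); proto = $(i+3)
      src = $(i+4); dst = $(i+6)
      sub(/\(.*$/, "", src)      # strip "(port)" or "(port)," from TCP/UDP endpoints
      sub(/\(.*$/, "", dst)
      sub(/,$/, "", dst)         # ICMP entries carry no port, only a trailing comma
      count[list " " verdict " " proto " " src " " dst] += $(NF-1)   # "..., N packets"
    }
    END { for (k in count) print k, count[k] }
  ' | sort -k6,6nr -k1,1
}

# denied_by_source: total denied packets per source address, highest first.
denied_by_source() {
  summarize_acl_log | awk '$2 == "denied" { t[$4] += $6 } END { for (s in t) print s, t[s] }' | sort -k2,2nr
}

# Constructed sample: three hits on list 118, one on list 111 and one
# unrelated syslog message that must be ignored.
SAMPLE_LOG='*Mar  1 04:44:19.446: %SEC-6-IPACCESSLOGDP: list 111 permitted icmp 171.68.118.100 -> 10.31.1.161 (0/0), 15 packets
*Mar  1 03:27:13.295: %SEC-6-IPACCESSLOGP: list 118 denied tcp 171.68.118.100(0) -> 10.31.1.161(0), 1 packet
*Mar  1 03:27:40.101: %SEC-6-IPACCESSLOGP: list 118 denied tcp 171.68.118.100(0) -> 10.31.1.161(0), 40 packets
*Mar  1 03:28:02.511: %SEC-6-IPACCESSLOGP: list 118 denied udp 192.0.2.7(53) -> 10.31.1.161(53), 3 packets
*Mar  1 03:28:09.000: %SYS-5-CONFIG_I: Configured from console by vty0 (10.31.1.21)'

# Stand-alone run on the constructed sample. Against a real router feed it the
# collector's syslog file or the output of "show logging" instead.
printf '%s\n' "$SAMPLE_LOG" | summarize_acl_log
printf '%s\n' "$SAMPLE_LOG" | denied_by_source
```

The first listing groups the two TCP denies from 171.68.118.100 into one flow with 41 packets; the second shows the same host as the top denied source, which is the view you want before deciding whether the ACL is too broad or the host is genuinely hostile.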

Common Router problems and solutions

Troubleshooting Routers
• Basic Faults
  - Physical Layer Stuff
  - Check the Interfaces
  - Ping
  - Check the Routing Table
  - Is there a Firewall on the Computer?
  - Any Access Lists?
  - Is the VPN Up?
  - Do the Protocols Match?
  - Check for Human Error
  - Verify Settings

• Physical Layer Stuff:
  – Check power issues. Look for power lights, check plugs, and circuit breakers.
• Check the Interfaces:
  – show ip interface brief or show ipv6 interface brief
• Ping:
  – Use the ping and trace commands to check for connectivity.
• Check the Routing Table:
  – show ip route or show ipv6 route
• Is there a Firewall on the Computer?
  – If the problem involves a computer, check to ensure that its firewall is not blocking packets.
• Any Access Lists?
  – Check for access-control lists that block traffic (show ip interface shows which list is applied; show ip access-lists shows the entries and their match counters).
• Is the VPN Up?
  – If a VPN is part of the connection, check to ensure that it is up.
• Do the Protocols Match?
  – If you are trying to gain remote access to a server, ensure that it supports the protocol you're attempting to use.
• Check for Human Error:
  – Check to ensure that correct usernames and passwords are being used, and that the same network addresses and matching subnet masks are configured on both sides.
• Verify Settings:
  – Do not make assumptions. Verify everything!

Common Router problems and solutions
1. Correct your Wi-Fi Security Settings
2. Update your Hardware or Firmware
3. Fix Overheating or Overloading
4. Remove MAC Address Restrictions
5. Check Wireless Signal Limitations

1. Correct your Wi-Fi Security Settings
– Network Mode: The router must be allowed to accommodate all Wi-Fi models used by network clients. For example, routers designed to run in 802.11g mode only will not support 802.11n or old 802.11b devices. Adjust the router to run in mixed mode to remedy this kind of network failure.
– Security mode: Most Wi-Fi devices support several network security protocols (typically different variations of WPA and WEP). All Wi-Fi devices, including routers belonging to the same local network, must use the same protection mode. Standardise on WPA2 or WPA3: WEP is cryptographically broken and the original WPA (TKIP) is deprecated, so "fixing" a compatibility problem by falling back to them trades the fault for an open network.
– Security key: Wi-Fi security keys are phrases or sequences of letters and digits. All devices that enter the network must be configured to use the Wi-Fi key recognized by the router (or wireless access point).

2. Update your Hardware or Firmware
– The reason for this step is twofold. You can take advantage of any additional features and improvements of the new version of the firmware. Also, your router will normally receive any critical security updates.
– Typically, you will have the choice of checking, evaluating, downloading, and installing the latest firmware on your router's administration tab. The exact steps depend on the make and model of your router, so check the specifics of the router manufacturer's support site.

3. Fix Overheating or Overloading
– You can set up a different Wi-Fi router or enable the "Guest Network" option for your router.
– You can also set up a separate SSID and password for your guest network to avoid issues with your main network.
– This segregation would also work with your smart appliances and secure your key devices from attacks on the Internet of Things.
– You can also use QoS (Quality of Service). QoS is a feature on some routers that lets you prioritize traffic according to the type of data being transmitted.

4. Remove MAC Address Restrictions
– A number of network routers support a function called MAC address filtering.
– While disabled by default, router administrators can turn this function on and limit connections to only those devices identified by their MAC address.
– Check the router to ensure that either MAC address filtering is off or the MAC address of the computer is included in the list of allowed connections.
– Note that MAC filtering is an administrative convenience rather than a security control: MAC addresses are transmitted in the clear and are trivially cloned, so turning the filter off loses little real protection.

5. Check Wireless Signal Limitations
– If you have a newer router, check if it supports the 5GHz band. Newer routers typically have dual-band capabilities.
– By allowing dual bands, you could keep older devices that only support the slower G specification on the 2.4GHz band and newer devices on the faster 5GHz band.
– Essentially, this is like having two routers in one.

Router Troubleshooting Tools
• Using Router Diagnostic Commands
  – Cisco routers provide numerous integrated commands to assist you in monitoring and troubleshooting your internetwork.

Using show Commands
– The show commands are powerful monitoring and troubleshooting tools. Use them to:
  • Monitor router behaviour during initial installation
  • Monitor normal network operation
  • Isolate problem interfaces, nodes, media, or applications
  • Determine when a network is congested
  • Determine the status of servers, clients, or other neighbours

Commonly used show commands
• show interfaces
  – show interfaces ethernet
  – show interfaces tokenring
  – show interfaces fddi
  – show interfaces atm
  – show interfaces serial
• show controllers
  – show controllers mci
  – show controllers token
  – show controllers fddi
  – show controllers lex
  – show controllers ethernet
  – show controllers e1
  – show controllers cxbus
• show running-config
• show startup-config
• show flash
• show buffers
• show memory
• show processes
• show stacks
• show version

Using debug Commands
– The debug privileged exec commands can provide a wealth of information about
  • the traffic being seen (or not seen) on an interface,
  • error messages generated by nodes on the network,
  • protocol-specific diagnostic packets, and
  • other useful troubleshooting data.
– Debug output is produced by the router CPU for every matching event, so enable only the specific debug you need (ideally restricted by an access list) and switch it off with undebug all when finished.

Router Diagnostic Commands
• Using the ping Command
  – To check host reachability and network connectivity, use the ping exec (user) or privileged exec command.
  – After you log in to the router or access server, you are automatically in user exec command mode. The exec commands available at the user level are a subset of those available at the privileged level.
  – In general, the user exec commands allow you to
    • connect to remote devices,
    • change terminal settings on a temporary basis,
    • perform basic tests, and list system information.
  – The ping command can be used to confirm basic network connectivity on AppleTalk, ISO Connectionless Network Service (CLNS), IP, Novell, Apollo, VINES, DECnet, or XNS networks.
• Using the trace Command
  – The trace user exec command discovers the routes that a router's packets follow when traveling to their destinations.
  – The trace privileged exec command permits the supported IP header options to be specified, allowing the router to perform a more extensive range of test options.
IPS DEPLOYMENT
IPS CONFIGURATION

IPS Network Sensing
• Network sensing is accomplished using Cisco IPS sensors and Cisco IOS IPS devices.
• Cisco IPS sensors and Cisco IOS IPS devices are referred to collectively as IPS devices or sensors.

Capturing Network Traffic
• A sensor can operate in either promiscuous or inline mode.
  – In promiscuous mode the sensor receives a copy of the traffic (for example from a SPAN port) and can only alert or respond out of band; in inline mode the traffic passes through the sensor, which can drop packets itself.
• When responding to attacks, the sensor can do the following:
  – Insert TCP resets via the sensing interface.
  – Make ACL changes on switches, routers, and firewalls that the sensor manages.
  – Generate IP session logs, session replay, and trigger packets display.
    • IP session logs are used to gather information about unauthorized use.
  – Implement multiple packet drop actions to stop worms and viruses (inline mode only).

Correctly Deploying the Sensor
• Before you deploy and configure the sensors, check:
  – The size and complexity of your network.
  – Connections between your network and other networks, including the Internet.
  – The amount and type of traffic on your network.
• Always position the IPS sensor behind a perimeter-filtering device.
• Correct placement significantly reduces the number of alerts, which increases the amount of actionable data you can use to investigate security violations.

Tuning the IPS
• Tuning ensures that the alerts you see reflect true, actionable information.
• Tips:
  – Place your sensor on your network behind a perimeter-filtering device.
  – Deploy the sensor with the default signatures in place.
  – Make sure that the event action override is set to drop packets with a risk rating greater than 90.
  – Filter out known false positives caused by specialized software, such as vulnerability scanners and load balancers.
  – Filter the informational alerts.
  – Analyse the remaining actionable alerts:
    • Research the alert.
    • Fix the attack source.
    • Fix the destination host.
    • Modify the IPS policy to provide more information.

IPS Configuration Procedure
Step 1: Install and connect the device to your network. Install the device software and perform basic device configuration. Install the licenses required for all of the services running on the device.
Step 2: Add the device to the Security Manager device inventory.
Step 3: Configure the interfaces as described in Configuring Interfaces.
Step 4: Use the Virtual Sensors policy to assign interfaces to the virtual sensors.
Step 5: Configure basic device access platform policies.
Step 6: Configure basic server access platform policies.
Step 7: Configure the Logging policy if you want non-default logging.

Procedure (continued)
Step 8: Configure IPS signatures and event actions.
Step 9: Configure blocking or rate limiting hosts.
Step 10: Configure other desired advanced IPS services.
Step 11: Maintain the device.
Step 12: Monitor the device.

Identifying Allowed Hosts
Step 1: Do one of the following to open the Allowed Hosts policy:
  - (Device view) Select Platform > Device Admin > Device Access > Allowed Hosts from the Policy selector.
  - (Policy view) Select IPS > Platform > Device Admin > Allowed Hosts, then select an existing policy or create a new one.
Step 2: Do one of the following:
  - To add an entry, click the Add Row button and fill in the Access List dialog box.
  - You can add up to 512 entries.
  - To edit an entry, select it and click the Edit Row button.
  - To delete an entry, select it and click the Delete Row button.
Step 3: When adding or editing an entry, specify the host or network address in the Add or Modify Access List dialog box, then click OK. You can enter addresses using the following formats:
  - Host address: A simple IP address, such as 10.100.10.10.
  - Network address: A network address and mask, such as 10.100.10.0/24 or 10.100.10.0/255.255.255.0.
  - A network/host policy object: Click Select to select an existing object or to create a new one. To use the object in this policy, it must have a single value, either a single network or a single host.
The allowed-hosts list is the sensor's own access control for its management interface, so keep it to the management stations and the Security Manager server rather than whole user networks.

Configuring SNMP
Step 1: Do one of the following to open the SNMP policy:
  - (Device view) Select Platform > Device Admin > Device Access > SNMP from the Policy selector.
  - (Policy view) Select IPS > Platform > Device Admin > Device Access > SNMP, then select an existing policy or create a new one.
Step 2: On the General Configuration tab, configure at least the following options:
  – Enable SNMP Gets/Sets
  – Read-Only Community String
  – Read-Write Community String
  (SNMPv1/v2c community strings travel in cleartext; treat them as passwords, do not reuse the defaults, and leave the read-write string unset unless sets are actually required.)
Step 3: If you want to configure SNMP traps, click the SNMP Trap Configuration tab and configure at least the following options:
  - Enable Notifications
  - Trap Destinations
Step 4: If you configure trap destinations, you must also ensure that the desired alerts include the Request SNMP Trap action. You have the following options for adding this action:
  - Easy way
  - Precise way
Step 5: Add the SNMP management stations to the Allowed Hosts policy. The management stations must be allowed hosts to access the sensor.

IPS user accounts, and Security Manager discovery and deployment considerations
• Understanding IPS User Roles
• Understanding Managed and Unmanaged IPS Passwords
• Understanding How IPS Passwords are Discovered and Deployed
• Configuring IPS User Accounts
• Configuring User Password Requirements
• Configuring AAA Access Control for IPS Devices

Understanding IPS User Roles
• Four User Roles:
  – Viewer
  – Operator
  – Administrator
  – Service (a maintenance role that gives a shell on the sensor's underlying operating system; only one service account can exist and it should be reserved for support use)

Understanding Managed and Unmanaged IPS Passwords
• The status of a password is indicated in the Is Password Managed? column of the Platform > Device Admin > Device Access > User Accounts policy:
  - No - the password for this account is not configured in Security Manager.
  - Yes - the password for this account was configured or updated in Security Manager.

Understanding How IPS Passwords are Discovered and Deployed
• Discovery - each discovered account is reported as one of:
  – Active
  – Expired
  – Locked
• Deployment
  – Cisco IOS IPS devices use the same user accounts that are defined for the router.

Configuring IPS User Accounts
• The user accounts policy should have at least these accounts:
  – cisco (the sensor's built-in account)
  – An administrator account

Configuring User Password Requirements
• To configure IPS password requirements, select one of the following policies:
  – Device view: Select Platform > Device Admin > Device Access > Password Requirements from the Policy selector.
  – Policy view: Select IPS > Platform > Device Admin > Password Requirements from the Policy Type selector, then select an existing policy or create a new one.

Configuring AAA Access Control for IPS Devices
• When you configure the AAA server object, you must adhere to the restrictions that apply to the following settings:
  – Host
  – Timeout
  – Protocol
  – Key
  – Port
Configuring Suricata

Suricata
• Open Source Next Generation Intrusion Detection and Prevention Engine.
• Rule-based ID/PS engine
• Multi-threading

Installing Suricata
1. Add the Suricata PPA
2. Install Suricata
3. Add a 'suricata' user
4. Edit the Suricata default mode and configure Suricata to run as the service user
5. Ensure that the Suricata log directory is owned by the 'suricata' user
6. Start Suricata
7. Verify that Suricata is running as the 'suricata' user

Add the Suricata PPA
  # apt-get install software-properties-common
  # add-apt-repository ppa:oisf/suricata-stable
  # apt-get update

Install Suricata
  # apt-get install suricata

Add a 'suricata' user
  # useradd -r -s /usr/sbin/nologin suricata
  (a system account with no login shell: the daemon only needs it to drop privileges into)

Edit the Suricata default mode and configure Suricata to run as the service user
  # editor /etc/default/suricata

Ensure that the Suricata log directory is owned by the 'suricata' user
  # chown -R suricata:suricata /var/log/suricata

Start Suricata
  # service suricata start

Verify that Suricata is running as the 'suricata' user
  # ps aux | grep suricata
  suricata 28296 107 59.9 366140 304160 ? Ssl 22:47 0:05 /usr/bin/suricata -c /etc/suricata/suricata.yaml --pidfile /var/run/suricata.pid -i eth0 -D -v --user=suricata
  The first column (the effective user) is the check that matters; the --user=suricata argument only shows what was requested.
Configuring Snort

Snort
• Open Source NIDS
• Packet sniffer
• Works through traffic analysis and packet logging on IP networks.
• Runs in 4 modes:
  – Sniffer mode
  – Packet logger mode
  – IDS mode
  – IPS (inline) mode

Configuring Snort
• Setting up Snort on Ubuntu from the source code consists of a couple of steps: downloading the code, configuring it, compiling the code, installing it to an appropriate directory, and lastly configuring the detection rules.

Configuring Snort to run in NIDS mode
• Editing some configuration files
• Downloading the rules that Snort will follow
• Taking Snort for a test run

After installing the compiled binary, refresh the shared-library cache and put snort on the path:
  sudo ldconfig
  sudo ln -s /usr/local/bin/snort /usr/sbin/snort

Setting up username and folder structure
- Create a new unprivileged user and a new user group
  sudo groupadd snort
  sudo useradd snort -r -s /sbin/nologin -c SNORT_IDS -g snort
- Create the folder structure
  sudo mkdir -p /etc/snort/rules
  sudo mkdir /var/log/snort
  sudo mkdir /usr/local/lib/snort_dynamicrules
• Set the permissions
  sudo chmod -R 5775 /etc/snort
  sudo chmod -R 5775 /var/log/snort
  sudo chmod -R 5775 /usr/local/lib/snort_dynamicrules
  sudo chown -R snort:snort /etc/snort
  sudo chown -R snort:snort /var/log/snort
  sudo chown -R snort:snort /usr/local/lib/snort_dynamicrules
  (5775 gives owner and group rwx and others r-x, plus the sticky bit so that only a file's owner can delete it; the setuid bit also encoded in the leading 5 has no effect on Linux directories)
• Create new files for the white and blacklists
  sudo touch /etc/snort/rules/white_list.rules
  sudo touch /etc/snort/rules/black_list.rules
  sudo touch /etc/snort/rules/local.rules
• Copy the configuration files
  sudo cp ~/snort_src/snort-2.9.16/etc/*.conf* /etc/snort
  sudo cp ~/snort_src/snort-2.9.16/etc/*.map /etc/snort

Download - detection rules
• Snort provides three tiers of rule sets:
  – Community
  – Registered
  – Subscriber rules

Configuring - network and rule sets
- Open the configuration file (/etc/snort/snort.conf) in a text editor
- Set up the network addresses to protect (the HOME_NET variable)
- Set up the external network addresses (EXTERNAL_NET)
- Set the path to the rule files (RULE_PATH and the related variables)
- Validate the settings: snort -T -c /etc/snort/snort.conf parses the configuration and rules and exits without sniffing, which catches typos before the daemon is started
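Both the Suricata procedure (steps 5 and 7) and the Snort setup above end with the same two checks: the daemon must be running under the unprivileged service account rather than root, and its log directory must be owned by that account. The script below is an added example (not part of the slides, the Suricata project or the Snort project) that performs both checks, for either engine. The ps lines it uses are constructed; on a real host feed it live ps output as shown in the comments.

```shell
#!/bin/sh
# Added example: verify an IDS daemon runs as its service user and owns its logs.

# check_service_user EXPECTED_USER PROCESS_NAME
# Reads "ps -eo user:16,pid,args" style output on stdin (user:16 avoids the
# truncation ps applies to long user names). Prints ok / wrong-user /
# not-running and exits 0 / 1 / 2. Only the effective-user column is trusted;
# a "--user=..." argument on the command line proves nothing by itself.
check_service_user() {
  awk -v want="$1" -v name="$2" '
    $3 ~ ("(^|/)" name "$") {      # match the executable path, e.g. /usr/bin/suricata
      seen++
      if ($1 != want) bad++
    }
    END {
      if (!seen) { print "not-running"; exit 2 }
      if (bad)   { print "wrong-user";  exit 1 }
      print "ok"
    }'
}

# check_dir_owner EXPECTED_USER DIRECTORY
# Prints ok / wrong-owner / missing and returns 0 / 1 / 2. Uses ls rather than
# stat -c so it works on both GNU and BSD userlands.
check_dir_owner() {
  [ -d "$2" ] || { echo "missing"; return 2; }
  owner=$(ls -ld "$2" | awk '{ print $3 }')
  if [ "$owner" = "$1" ]; then echo "ok"; return 0; fi
  echo "wrong-owner"
  return 1
}

# Constructed ps output: the healthy case from the Suricata slide, and a
# misconfigured host where the daemon never dropped privileges.
PS_GOOD='USER            PID COMMAND
root              1 /sbin/init
suricata      28296 /usr/bin/suricata -c /etc/suricata/suricata.yaml --pidfile /var/run/suricata.pid -i eth0 -D -v --user=suricata'
PS_BAD='USER            PID COMMAND
root          28296 /usr/bin/suricata -c /etc/suricata/suricata.yaml -i eth0 -D --user=suricata'

# Stand-alone run on the constructed samples. On a real host use, for example:
#   ps -eo user:16,pid,args | check_service_user suricata suricata
#   ps -eo user:16,pid,args | check_service_user snort snort
#   check_dir_owner suricata /var/log/suricata
printf '%s\n' "$PS_GOOD" | check_service_user suricata suricata
printf '%s\n' "$PS_BAD"  | check_service_user suricata suricata || echo "exit status $?"
check_dir_owner suricata /var/log/suricata || echo "exit status $?"
```

Wiring the two functions into the service's health check (or a post-deployment test) catches the two most common outcomes of a botched setup: a daemon that silently keeps running as root because the drop-privileges option was never applied, and a log directory still owned by root that the service user cannot write to.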
