A network-based IDS monitors the network, logs what it sees and alerts the admin when something catches its eye. Using a SPAN (mirror) port, you can run all the traffic through the IDS. Another way to analyse the network is to take a network capture (for example, a pcap file) and check it with an IDS offline.
- Snort
- Suricata
- Bro-IDS
- Network Captures
Endpoint protection:
- Browser protection
- Anti-virus
- Data loss prevention
- E-mail
tcpdump -s 0 -w file.pcap
- -s 0 - grab the entire packet (no snaplen truncation)
- -w file.pcap - write the raw packets to file.pcap
- host <IP> - only capture traffic to or from a particular IP address
- -nn - don't resolve hostnames or port names
- -E - decrypt IPsec traffic by providing an encryption key
- -tttt - give maximally human-readable timestamp output
- -X - print each packet's contents in hex and ASCII
- -e - display the Ethernet (link-layer) header as well
You can also use Wireshark for that, or a Python script, or any other programming language for that matter.
Common filters
Task: I want to see all TCP packets that have 1.1.1.1 as the source or destination IP address. Also, I would like to get only those packets that have destination port 80, assuming the web server is listening on port 80.
For tcpdump - tcpdump src 192.168.1.65 and dst port 80
For Wireshark - ip.src==192.168.1.65 and tcp.port==80
For Python:
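The Python variant below is an added example, not code from the original notes. It implements the same filter as `tcpdump src 192.168.1.65 and dst port 80` over a classic libpcap file using only the standard library; the pcap bytes are constructed inline (four IPv4/TCP frames) so it runs offline, and the function names are my own.

```python
import socket
import struct


def _ipv4_tcp_frame(src_ip: str, dst_ip: str, sport: int, dport: int) -> bytes:
    """Constructed Ethernet/IPv4/TCP frame (no payload) used as sample input."""
    eth = b"\x00" * 6 + b"\x11" * 6 + b"\x08\x00"  # dst MAC, src MAC, EtherType IPv4
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x02, 8192, 0, 0)
    return eth + ip + tcp


def build_pcap(frames) -> bytes:
    """Wrap frames in a little-endian libpcap file (link type 1 = Ethernet)."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]
    for ts, frame in enumerate(frames):  # constructed timestamps 0, 1, 2, ...
        out.append(struct.pack("<IIII", ts, 0, len(frame), len(frame)) + frame)
    return b"".join(out)


def iter_packets(pcap: bytes):
    """Yield (ts_sec, frame) from a little-endian libpcap blob (not pcapng)."""
    if struct.unpack_from("<I", pcap, 0)[0] != 0xA1B2C3D4:
        raise ValueError("unsupported capture format: expected little-endian pcap")
    off = 24
    while off + 16 <= len(pcap):
        ts_sec, _, incl_len, _ = struct.unpack_from("<IIII", pcap, off)
        off += 16
        yield ts_sec, pcap[off:off + incl_len]
        off += incl_len


def match_src_and_dst_port(frame: bytes, src_ip: str, dport: int) -> bool:
    """Equivalent of `tcpdump src <ip> and dst port <port>` for IPv4/TCP."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
        return False  # not IPv4, or not TCP
    if socket.inet_ntoa(frame[26:30]) != src_ip:
        return False  # wrong source address (replies are excluded, as with tcpdump)
    tcp = frame[14 + (frame[14] & 0x0F) * 4:]  # skip IP header, honouring IHL
    return len(tcp) >= 4 and struct.unpack("!H", tcp[2:4])[0] == dport


def filter_pcap(pcap: bytes, src_ip: str, dport: int) -> list:
    """Return timestamps of the frames that match the filter."""
    return [ts for ts, f in iter_packets(pcap) if match_src_and_dst_port(f, src_ip, dport)]


SAMPLE_PCAP = build_pcap([  # constructed sample capture
    _ipv4_tcp_frame("192.168.1.65", "10.0.0.5", 51000, 80),   # matches
    _ipv4_tcp_frame("192.168.1.65", "10.0.0.5", 51001, 443),  # wrong dst port
    _ipv4_tcp_frame("10.0.0.5", "192.168.1.65", 80, 51000),   # reply, wrong direction
    _ipv4_tcp_frame("192.168.1.65", "10.0.0.5", 51002, 80),   # matches
])

if __name__ == "__main__":
    print(filter_pcap(SAMPLE_PCAP, "192.168.1.65", 80))  # [0, 3]
```

To run it on a real capture, replace SAMPLE_PCAP with `open("file.pcap", "rb").read()`; note that pcapng and big-endian pcap files are rejected rather than silently misparsed.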
Snort
sudo apt-get install snort
cat /etc/snort/default
# or
cat /etc/init.d/snort