
Wireshark and Snort Tutorials



#1 dannyboy950


Posted 16 October 2015 - 12:00 PM

Tutorials on Wireshark and Snort

 

I was online the other day trying to find some tutorials for Dummies on Wireshark and Snort.

I found that most of them are written like people already know what they are talking about.

There also does not seem to be a lot of info on what one should see and not see [the good, bad or ugly].

 

Maybe I am just missing the unspoken message that people like me should not try to use those types of programs. LOL


HP 15-f009wm notebook AMD-E1-2100 APV 1Ghz Processor 8 GB memory 500 GB Hdd

Linux Mint 17.3 Rosa Cinnamon




#2 RolandJS


Posted 16 October 2015 - 12:09 PM

Many tutorials, certainly not all, are written in an I, II, III style, with the 1, 2, 3, etc. underneath each Roman numeral assumed, or explained in addendums. Because different programs are used for accomplishing the same final result -- it would be impossible to provide step by steps.

Example: Acronis True Image and Macrium Reflect both can produce OS and data images, clones, etc. However, the step by step would be very different in each program. The Roman numerals might be the same, but the 1, 2, 3s underneath would be very different.


"Take care of thy backups and thy restores shall take care of thee."  -- Ben Franklin revisited.

http://collegecafe.fr.yuku.com/forums/45/Computer-Technologies/

Backup, backup, backup! -- Lady Fitzgerald (w7forums)

Clone or Image often! Backup... -- RockE (WSL)


#3 dannyboy950


Posted 16 October 2015 - 12:55 PM

I could accept that rationale if these weren't specific products that do a specific thing. A list of what should be allowed and what should not be allowed should not be that hard to make. Yet few do. I mean they tell you how to block something or create a rule but not really what should be blocked or what a rule should be written for to deny or allow.

 

Like I said, maybe I am trying to find out information a common user should not know unless they are willing to spend the time and money to take the necessary training to learn. Just talking off the top of my head this morning. I spent about 4 hrs last night trying to learn how to set up and use Snort. I know even less now than when I started.




#4 RolandJS


Posted 16 October 2015 - 01:40 PM

I was posting about tutorials in general around the 'Net; BC tutorials usually are very specific, not too many generalities. Allowed, not allowed; block, don't block, etc. -- I wasn't aware such things sometimes are not written in.




#5 packetanalyzer


Posted 16 October 2015 - 01:46 PM

Please understand the purpose of the two tools you are discussing. What you are asking for is like asking for instructions for how to cook. It depends on what you are cooking, how you want it to taste, what cookware you have, and what ingredients you have on hand. There is not a single answer for "How do you use Wireshark?" or "How do you use Snort?".

 

Snort has various rules that are built in. You can download Snort rules HERE. Each Snort rule is assigned a category. You can view a list of Snort categories HERE. Snort is designed so you can write your own rules. To write your own rules, you need to understand IP and TCP/UDP. When packets that match a rule are received by Snort, it can alert, log, pass, activate, dynamic, drop, reject, or sdrop the packet. Additional information about actions Snort can take when a packet matches a rule can be obtained HERE.

 

Wireshark is meant to capture network packets. It shows you the packets so you can analyze them and view individual packets. An overview on how to complete basic tasks in Wireshark can be referenced HERE.

 

You can read the Wireshark User's Guide HERE.

 

I guess I'm not sure what your question is. There is a lot of information about how to use both tools on a significant number of websites. They are not easy tools and require patience to learn. If you do not understand IP and TCP/UDP you will struggle with learning how to use either program.

 

If you are serious about learning how to use Snort or Wireshark, I highly suggest you read the manuals. There is a lot of helpful information in the manuals for both programs.

 

If you have a specific question about how to create a Snort rule that does "Z", please feel free to ask. If you have a specific question about what a specific TCP or UDP transmission looks like in Wireshark, also ask.

 

I hope that addresses your questions. It may result in you having more questions when you start using the programs on your own which is good. One of the best ways to learn is by doing it yourself. :)



#6 dannyboy950


Posted 16 October 2015 - 02:29 PM

I think that has always been my biggest problem. Not enough patience, and my old brain just does not want to easily absorb new information. When I was a teenager I was a quick study, learned new stuff easily. Now nearing 70 I think I need a serious defrag.

 

A lot of that I already tried to read and understand.

 

Thank you for the links and info.




#7 packetanalyzer


Posted 16 October 2015 - 02:35 PM

dannyboy950,

 

Maybe we can come at this from a different direction. What do you want to do with Wireshark and Snort? Do you have a specific task you want to learn how to do?

 

If you want to learn how to write basic Wireshark filters I can certainly help with that. You can download Snort rules from several different companies. There are Snort rules from Cisco, and other companies develop and sell Snort rules.

 

 

Edit - For example, HTTP traffic uses TCP port 80 so if you want to create a display filter in Wireshark that captures all traffic but only shows you HTTP traffic, then your filter is the below.

http

If you want to create a capture filter in Wireshark so only port 80 traffic is captured, then your filter is the below.

port 80

Display filters use service names and capture filters use port numbers.

 

Does that give you enough information to start teaching yourself Wireshark?

 

Edit Edit - The usual disclaimer for using packet capture programs (e.g. Wireshark) applies. Only capture your packets on your system on your network. You are responsible for ensuring you know, understand, and follow all applicable policies, restrictions, and laws concerning using packet capture programs (e.g. Wireshark).


Edited by packetanalyzer, 16 October 2015 - 02:41 PM.
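As an added example (not from packetanalyzer's post or from the Wireshark project), the following Python script shows the practical difference between the two filter kinds on constructed packet records: a capture filter such as `port 80` keeps whatever uses port 80 regardless of content, while a display filter such as `http` keeps what the dissector decodes as HTTP on any port. The HTTP check here is a deliberate simplification of Wireshark's dissector, which uses its configured HTTP port list plus heuristics; the packets are constructed for the demo.

```python
# Constructed packet records for the demo (not real captures): constructed values only.
PACKETS = [
    {"id": 1, "proto": "tcp", "sport": 51000, "dport": 80,
     "payload": b"GET / HTTP/1.1\r\nHost: www.example.test\r\n\r\n"},
    {"id": 2, "proto": "tcp", "sport": 51001, "dport": 8080,     # HTTP, but not on port 80
     "payload": b"GET /status HTTP/1.1\r\nHost: proxy.example.test\r\n\r\n"},
    {"id": 3, "proto": "tcp", "sport": 51002, "dport": 80,       # TLS-looking bytes on port 80
     "payload": b"\x16\x03\x01\x00\x8f\x01"},
    {"id": 4, "proto": "udp", "sport": 51003, "dport": 53,       # DNS query header
     "payload": b"\x12\x34\x01\x00\x00\x01"},
]

# Payload prefixes this simplified "dissector" accepts as HTTP (requests and responses).
HTTP_PREFIXES = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ", b"HTTP/")


def capture_filter_port(port):
    """BPF-style capture filter 'port N': matches either TCP/UDP port, never looks at payload."""
    return lambda pkt: port in (pkt["sport"], pkt["dport"])


def display_filter_http(pkt):
    """Simplified 'http' display filter: TCP payload the dissector recognises as HTTP,
    whatever the port (Wireshark's real dissector also consults its HTTP port list)."""
    return pkt["proto"] == "tcp" and pkt["payload"].startswith(HTTP_PREFIXES)


def select(filter_fn, packets=PACKETS):
    """Return the ids of the packets the filter keeps, in capture order."""
    return [pkt["id"] for pkt in packets if filter_fn(pkt)]


if __name__ == "__main__":
    print("capture filter 'port 80':", select(capture_filter_port(80)))   # [1, 3]
    print("display filter 'http':   ", select(display_filter_http))       # [1, 2]
```

Neither result is a subset of the other: the port-based capture filter keeps the non-HTTP packet on port 80 and drops the HTTP packet on 8080, so a capture filter decides what is saved to disk at all, while a display filter only decides what is shown from what was saved.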


#8 dannyboy950


Posted 16 October 2015 - 02:57 PM

Sorry, I guess I was trying to find some that were a little easier to understand. I know this is a complex subject and needs many years of practice and experience to do well.

I am only trying to learn for my machine alone. Overkill possibly but I have been having a battle with one or more hackers for almost 20 years.

Sometimes I catch them in the act sometimes not in time.  I have lost the use of 9 systems out of 15 over the years.

 

Now you may think I am just a paranoid old man looking for hackers under every bush.  But I don't think I have been hacked I know.

I studied computer security for about 4 years over 25 years ago and I made a stupid challenge In one of the forums at that time.

Young and new to the trade, I thought that just because I was running every AV, anti-malware, anti-spyware, anti-Trojan and rootkit program available at that time I was pretty secure, so I told one member "Hack me if you can if you're so good."

 

Turns out he really was. It took him about 8 months, but one day I booted up and a big garish message popped up ("got you smart ass") and the game has been on ever since. LOL

 

So let that be a lesson: keep yer trap shut until you are sure you can back it up.




#9 packetanalyzer


Posted 16 October 2015 - 03:11 PM

Perhaps you want to post in the "Am I Infected? What do I do?" forum. They will be able to help you determine if someone has access to your system through malware.



#10 dannyboy950


Posted 16 October 2015 - 06:50 PM

First I do thank you for your time and information.  At this point in time I do not think anything has got in yet.

This time I am trying to get ahead of the curve so to speak.

Wireshark is different enough from Ethereal that I am having to learn all over. Snort has changed drastically from when I last used it.

 

We shall see as time progresses I guess.




#11 dannyboy950


Posted 17 October 2015 - 04:43 PM

Ok, I have stepped into it up to neck high and sinking fast. This is way over my head and way more than I need.

Snort doesn't even have an interface, not like Wireshark or Ethereal. I installed it and can't even find it to uninstall it.

I dl/installed the basic rule set, looks like several thousand rules, and I can not even tell where one rule ends and another begins. Just lines and lines of character strings and I can see no differentiation between them.

 

Think I need to go play somewhere else.


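The complaint just above, that a downloaded rule set reads as undifferentiated character strings, and the list of rule actions in post #5 can both be illustrated with an added example that is not from the thread or from the Snort project: a small Python parser that splits a Snort 2 rules file into one rule per line (joining backslash-continued lines and skipping the `#`-commented disabled rules that ship in most sets), then breaks each rule into its header (action, protocol, source, source port, direction, destination, destination port) and its options (`msg`, `sid`, `rev`, `content`, ...). The sample rules and their sids are constructed for the demo.

```python
import re
from dataclasses import dataclass, field

# Constructed sample rules in Snort 2 syntax; not taken from any real rule set.
RULES_TEXT = r'''
# alert tcp any any -> any 23 (msg:"disabled rule, stays commented out"; sid:1000002; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB sample GET to admin path"; flow:to_server,established; content:"GET"; content:"/admin"; sid:1000001; rev:1; classtype:web-application-attack;)
drop udp any any -> $HOME_NET 53 \
    (msg:"DNS sample query"; content:"|00 01 00 00|"; sid:1000003; rev:2;)
'''
ACTIONS = {"alert", "log", "pass", "activate", "dynamic", "drop", "reject", "sdrop"}

@dataclass
class SnortRule:
    action: str; proto: str; src: str; src_port: str      # rule header, in file order
    direction: str; dst: str; dst_port: str
    options: dict = field(default_factory=dict)          # option keyword -> list of values

def _split_options(body):
    """Split 'key:val; key2:val2;' on ';' outside double quotes, honouring backslash escapes."""
    opts, cur, in_quotes, escaped = {}, [], False, False
    for ch in body:
        if escaped:
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == '"':
            in_quotes = not in_quotes
        elif ch == ";" and not in_quotes:
            key, _, val = "".join(cur).strip().partition(":")
            if key:
                opts.setdefault(key, []).append(val.strip().strip('"'))
            cur = []
            continue
        cur.append(ch)
    return opts

def parse_rules(text):
    """One SnortRule per logical rule; comments, blank lines and disabled rules are skipped."""
    rules = []
    for line in re.sub(r"\\\n", "", text).splitlines():    # join '\'-continued lines first
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        head, _, tail = line.partition("(")                # header is everything before '('
        parts = head.split()
        if len(parts) != 7 or parts[0] not in ACTIONS or not tail.endswith(")"):
            raise ValueError("malformed rule: " + line[:60])
        rules.append(SnortRule(*parts, options=_split_options(tail[:-1])))
    return rules
```

Running `parse_rules(RULES_TEXT)` yields two rules (the commented-out one is skipped), and each rule's `options["sid"]` and `options["msg"]` are what a reviewer would grep a rule set by.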


#12 packetanalyzer


Posted 18 October 2015 - 03:25 PM

 

First I do thank you for your time and information.

 

Certainly!

 

I do have an idea you might want to consider. Rather than starting with Snort which might be more involved than you need, have you looked at Untangle?

 

You can use the free version of Untangle which for the most part is licensed under GPL 2.

 

Untangle includes an Intrusion Prevention System (based on Snort) that already has the rules that Untangle feels accurately identify malicious traffic enabled. Untangle also can obtain updates for its components. This might be a better product for you to start with just so you can learn about configuring an IDS/IPS and how to write rules with a web based interface instead of starting in a command line window and trying to teach yourself everything.


Edited by packetanalyzer, 18 October 2015 - 03:25 PM.


#13 dannyboy950


Posted 18 October 2015 - 04:46 PM

The IDS part looks interesting I will do a little reading up on it.

Do you really need to install it on another computer? I only have this one that is running.




#14 packetanalyzer


Posted 18 October 2015 - 06:37 PM

Short answer is no. You can install it on a VM.

 

Now the long explanation of why you should install Untangle on its own computer.

 

It often makes more sense to have your IDS/IPS physically located between your gateway device and your network. When you install an Untangle server between the gateway and your network and do not have it provide routing information to network traffic, then it is called transparent bridge mode. This is the least intrusive and allows you to insert an IDS/IPS in your network with existing router, DHCP, VLANs, DNS, etc. and passively monitor network traffic entering and exiting the network. To do this you need your Untangle server to have at least 2 network interface cards. One card connects to the internal network and the second card connects to the LAN side of your gateway device. All traffic entering or exiting your network physically must traverse the Untangle server which gives your IDS/IPS the best chance to detect and stop malicious traffic from entering your network (blocking malicious inbound network traffic) or an infected computer inside your network from exiting the network to communicate with an attacker controlled server (blocking malicious outbound network traffic).

 

You can do that in a VM, but if you do Untangle will take a performance hit because it has to share resources with your computer and Untangle will only monitor the traffic to and from your computer. If you feel there is a need for you to have an IDS/IPS I would recommend getting a computer with 2 network interface cards and setting up Untangle on a dedicated computer.


Edited by packetanalyzer, 18 October 2015 - 06:39 PM.




