Using Snort
Page 2 of 3
The Basics
From now on, I am going to pretentiously refer to Snort as sn0rt. This is assuming that you have successfully installed it, and Ethereal, so you can start thinking of yourself as a l337 h4x0r. (By the way, this is irony. If this is incomprehensible to you, you are still a member of the human race. There is a reasonable explanation of l33tspeak on Wikipedia.) You are supposed to use it now that you have sn0rt. Get with the program.
It's also a good idea to have a network to detect intrusions on, if you are intending to do network intrusion detection. Otherwise you can do it on one PC, which is a good idea anyway if you want to run it on a network in the future with some confidence about what you are doing.
I am going to assume that you can read the manual, so I am going to shortcut everything here. Open a DOS window (from Run, type cmd). Navigate to the sn0rt\bin folder, then type something like:
snort -vde -i 2 -l ../log
This depends on which network card you are monitoring. (The 2 after -i refers to the card; try out a few numbers if it doesn't work. The ../log refers to the log directory, which you should have. If not, create it in the snort folder. The ../ goes one step up the path from the bin folder before looking for the log folder.)
If everything is working OK, sn0rt should charge into action and start identifying the packets going through it. When you have had enough, Ctrl+C will stop it. It's probably a good idea to do this after about ten minutes to half an hour, depending on the rate of traffic, so you can see what you're getting before the files get huge. Use the Up arrow key to call back the command that runs sn0rt and press Enter to start it off again.