https://lms.onnocenter.or.id/wiki/index.php?action=history&feed=atom&title=SNORT%3A_mode_IDS SNORT: mode IDS - Revision history 2026-04-20T07:11:21Z Revision history for this page on the wiki MediaWiki 1.45.1 https://lms.onnocenter.or.id/wiki/index.php?title=SNORT:_mode_IDS&diff=47423&oldid=prev Onnowpurbo: /* Cuplikan isi classification.config */ 2017-04-01T07:07:30Z <p><span class="autocomment">Cuplikan isi classification.config</span></p> <table style="background-color: #fff; color: #202122;" data-mw="interface"> <col class="diff-marker" /> <col class="diff-content" /> <col class="diff-marker" /> <col class="diff-content" /> <tr class="diff-title" lang="en"> <td colspan="2" style="background-color: #fff; color: #202122; text-align: center;">← Older revision</td> <td colspan="2" style="background-color: #fff; color: #202122; text-align: center;">Revision as of 07:07, 1 April 2017</td> </tr><tr><td colspan="2" class="diff-lineno" id="mw-diff-left-l55">Line 55:</td> <td colspan="2" class="diff-lineno">Line 55:</td></tr> <tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>  config classification: tcp-connection,A TCP connection was detected,4</div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>  config classification: tcp-connection,A TCP connection was detected,4</div></td></tr> <tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>  config classification: trojan-activity,A Network Trojan was detected, 1</div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>  config classification: trojan-activity,A Network Trojan was detected, 1</div></td></tr> <tr><td colspan="2" class="diff-side-deleted"></td><td class="diff-marker" data-marker="+"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div><ins style="font-weight: bold; text-decoration: none;"></ins></div></td></tr> <tr><td colspan="2" class="diff-side-deleted"></td><td class="diff-marker" data-marker="+"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div><ins style="font-weight: bold; text-decoration: none;"></ins></div></td></tr> <tr><td colspan="2" class="diff-side-deleted"></td><td class="diff-marker" data-marker="+"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div><ins style="font-weight: bold; text-decoration: none;">==Cuplikan berbagai file di /etc/snort/rules==</ins></div></td></tr> <tr><td colspan="2" class="diff-side-deleted"></td><td class="diff-marker" data-marker="+"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div><ins style="font-weight: bold; text-decoration: none;"></ins></div></td></tr> <tr><td colspan="2" class="diff-side-deleted"></td><td class="diff-marker" data-marker="+"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div><ins style="font-weight: bold; text-decoration: none;"> root@server1604:/etc/snort/rules# dir</ins></div></td></tr> <tr><td colspan="2" class="diff-side-deleted"></td><td class="diff-marker" data-marker="+"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div><ins style="font-weight: bold; text-decoration: none;"> attack-responses.rules       community-nntp.rules       deleted.rules   netbios.rules    sql.rules</ins></div></td></tr> <tr><td colspan="2" class="diff-side-deleted"></td><td class="diff-marker" data-marker="+"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div><ins style="font-weight: bold; text-decoration: none;"> backdoor.rules       community-oracle.rules       dns.rules   nntp.rules   telnet.rules</ins></div></td></tr> <tr><td colspan="2" class="diff-side-deleted"></td><td class="diff-marker" data-marker="+"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div><ins style="font-weight: bold; text-decoration: none;"> bad-traffic.rules       community-policy.rules       dos.rules   oracle.rules   tftp.rules</ins></div></td></tr> <tr><td colspan="2" class="diff-side-deleted"></td><td class="diff-marker" data-marker="+"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div><ins style="font-weight: bold; text-decoration: none;"> chat.rules       community-sip.rules       experimental.rules  other-ids.rules  virus.rules</ins></div></td></tr> <tr><td colspan="2" class="diff-side-deleted"></td><td class="diff-marker" data-marker="+"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div><ins style="font-weight: bold; text-decoration: none;"> community-bot.rules       community-smtp.rules       exploit.rules   p2p.rules   web-attacks.rules</ins></div></td></tr> <tr><td colspan="2" class="diff-side-deleted"></td><td class="diff-marker" data-marker="+"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div><ins style="font-weight: bold; text-decoration: none;"> community-deleted.rules        community-sql-injection.rules  finger.rules   policy.rules   web-cgi.rules</ins></div></td></tr> <tr><td colspan="2" class="diff-side-deleted"></td><td class="diff-marker" data-marker="+"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div><ins style="font-weight: bold; text-decoration: none;"> community-dos.rules       community-virus.rules       ftp.rules   pop2.rules   web-client.rules</ins></div></td></tr> <tr><td colspan="2" class="diff-side-deleted"></td><td class="diff-marker" data-marker="+"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div><ins style="font-weight: bold; text-decoration: none;"> community-exploit.rules        community-web-attacks.rules    icmp-info.rules   pop3.rules   web-coldfusion.rules</ins></div></td></tr> <tr><td colspan="2" class="diff-side-deleted"></td><td class="diff-marker" data-marker="+"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div><ins style="font-weight: bold; text-decoration: none;"> community-ftp.rules       community-web-cgi.rules       icmp.rules   porn.rules   web-frontpage.rules</ins></div></td></tr> <tr><td colspan="2" class="diff-side-deleted"></td><td class="diff-marker" data-marker="+"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div><ins style="font-weight: bold; text-decoration: none;"> community-game.rules       community-web-client.rules    imap.rules   rpc.rules   web-iis.rules</ins></div></td></tr> <tr><td colspan="2" class="diff-side-deleted"></td><td class="diff-marker" data-marker="+"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div><ins style="font-weight: bold; text-decoration: none;"> community-icmp.rules       community-web-dos.rules       info.rules   rservices.rules  web-misc.rules</ins></div></td></tr> <tr><td colspan="2" class="diff-side-deleted"></td><td class="diff-marker" data-marker="+"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div><ins style="font-weight: bold; text-decoration: none;"> community-imap.rules       community-web-iis.rules       local.rules   scan.rules   web-php.rules</ins></div></td></tr> <tr><td colspan="2" class="diff-side-deleted"></td><td class="diff-marker" data-marker="+"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div><ins style="font-weight: bold; text-decoration: none;"> community-inappropriate.rules  community-web-misc.rules      misc.rules   shellcode.rules  x11.rules</ins></div></td></tr> <tr><td colspan="2" class="diff-side-deleted"></td><td class="diff-marker" data-marker="+"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div><ins style="font-weight: bold; text-decoration: none;"> community-mail-client.rules    community-web-php.rules       multimedia.rules   smtp.rules</ins></div></td></tr> <tr><td colspan="2" class="diff-side-deleted"></td><td class="diff-marker" data-marker="+"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div><ins style="font-weight: bold; text-decoration: none;"> community-misc.rules       ddos.rules       mysql.rules   snmp.rules</ins></div></td></tr> </table> Onnowpurbo https://lms.onnocenter.or.id/wiki/index.php?title=SNORT:_mode_IDS&diff=47422&oldid=prev Onnowpurbo: Created page with "Pertahanan di dunia cyber akan sangat mengandalkan sensor pendeteksi penyusup yang biasa di kenal sebagai Intrusion Detection System (IDS) seperti di terangkan di artikel tent..." 2017-04-01T07:06:14Z <p>Created page with &quot;Pertahanan di dunia cyber akan sangat mengandalkan sensor pendeteksi penyusup yang biasa di kenal sebagai Intrusion Detection System (IDS) seperti di terangkan di artikel tent...&quot;</p> <p><b>New page</b></p><div>Pertahanan di dunia cyber akan sangat mengandalkan sensor pendeteksi penyusup yang biasa di kenal sebagai Intrusion Detection System (IDS) seperti di terangkan di artikel tentang IDS. Ada beberapa IDS open source yang bisa kita gunakan untuk mendeteksi penyusup, salah satu yang paling populer adalah snort. Teknik instalasi snort telah di jelaskan dengan detail di artikel instalasi snort .<br /> <br /> Kecanggihan snort yang berpenampilan sangat sederhana karena memang hanya CLI, akan tampak cemerlang pada saat kita operasikan sebagai pendeteksi penyusup atau dalam bahasa keren-nya Intrusion Detection System (IDS). Pada kesempatan ini, akan di jelaskan snort untuk mendeteksi penyusup.<br /> <br /> [[File:Snort.jpeg|center|300px|thumb]]<br /> <br /> Pada gambar di atas, di perlihatkan konfigurasi snort yang di operasikan untuk medeteksi penyusup. Snort bisa di operasikan sebagai sebuah mesin secara independen / berdiri sendiri, atau di pasang di titik-titik strategis di jaringan untuk menangkap paket yang berseliweran.<br /> <br /> Kira-kira cara berfikir snort seperti anti-virus di komputer menganalisa file, snort menganalisa paket yang lewat dan di bandingkan dengan referensi serangan yang ada. Semua konfigurasi snort ada di /etc/snort. Secara umum snort akan membaca minimal 2 file penting, yaitu, snort.conf yang berisi konfigurasi snort, dan classification.config, yang berisi klassifikasi pelanggaran yang terjadi. Snort.conf yang akan menentukan bagaimana pola pendeteksian penyusup / serangan dilakukan. Daftar catatan pola serangan ada di folder /etc/snort/rules.<br /> <br /> Berbasis pada snort.conf dan rules yang ada, maka snort akan mencatat alert yang ada di file alert dan juga akan merekam semua traffic yang dia dengar di snort.log yang nantinya bisa digunakan untuk kebutuhan forensik jaringan.<br /> <br /> Konfigurasi snort.conf default biasanya mencukup untuk operasi sederhana. Mungkin yang justru akan banyak di ubah adalah file di bawah rules. Khususnya<br /> <br /> /etc/snort/rules/local.rules<br /> <br /> yang akan mencerminkan trap untuk jenis serangan tertentu.<br /> <br /> Jika semua sudah di konfigurasi dengan benar maka untuk mengoperasikan snort sebagai IDS sebetulnya sangat mirip dengan snort untuk merekam / me-log traffic jaringan, hanya kita menambahkan switch -D untuk membuat snort sebagai daemon / server, misalnya menggunakan perintah<br /> <br /> snort -c /etc/snort/snort.conf -l /var/log/snort/ -D<br /> <br /> Untuk memastikan bahwa snort telah berjalan dengan baik, bisa ketik<br /> <br /> ps ax<br /> <br /> <br /> ==Cuplikan isi classification.config==<br /> <br /> #<br /> # config classification:shortname,short description,priority<br /> #<br /> <br /> config classification: not-suspicious,Not Suspicious Traffic,3<br /> config classification: unknown,Unknown Traffic,3<br /> config classification: bad-unknown,Potentially Bad Traffic, 2<br /> config classification: attempted-recon,Attempted Information Leak,2<br /> config classification: successful-recon-limited,Information Leak,2<br /> config classification: successful-recon-largescale,Large Scale Information Leak,2<br /> config classification: attempted-dos,Attempted Denial of Service,2<br /> config classification: successful-dos,Denial of Service,2<br /> config classification: attempted-user,Attempted User Privilege Gain,1<br /> config classification: unsuccessful-user,Unsuccessful User Privilege Gain,1<br /> config classification: successful-user,Successful User Privilege Gain,1<br /> config classification: attempted-admin,Attempted Administrator Privilege Gain,1<br /> config classification: successful-admin,Successful Administrator Privilege Gain,1<br /> <br /> # NEW CLASSIFICATIONS<br /> config classification: rpc-portmap-decode,Decode of an RPC Query,2<br /> config classification: shellcode-detect,Executable code was detected,1<br /> config classification: string-detect,A suspicious string was detected,3<br /> config classification: suspicious-filename-detect,A suspicious filename was detected,2<br /> config classification: suspicious-login,An attempted login using a suspicious username was detected,2<br /> config classification: system-call-detect,A system call was detected,2<br /> config classification: tcp-connection,A TCP connection was detected,4<br /> config classification: trojan-activity,A Network Trojan was detected, 1</div> Onnowpurbo