- Configuring your browser to work with Burp suite
First , on Burp suite make sure your configuration like the picture below, further you can edit port different 8080 default , example port 8081,…
Second, on your browser (in this case I using firefox) follow link :Preferences > Advanced > Network > Settting
Config proxy like picture below
When you’ve configured your browser, visit any HTTP URL, and confirm that request in intercepted in Burp
This basic configuraion will let your browser work with Burp for many purposes.To properly deal with websites that use HTTPS, you’ll need to carry out some further configuration.
Fore more details, see the tutorial on installing Burp’s SSL certificate in your browser follow link:
In this case I will do with firefox :
- Using Burp Suite Proxy
– Interceting requests and responses
Now , with Burp set up and running , visit any URL in your browser.The browser will wait for the response to complete
Here, we can see the HTTP service that the request is begin sent to, and full contents message.These tabs show different vies into the message , to help you analyze and mofiy its contents.These buttons let you forword the message , or carry our other actions.
Forward: request is sent on to the server ( hot key : Ctrl + F)If you want Itercept off, so that all messages forwarded automaticaly
– Using the proxy history
burpsuite proxy
Burp proxy maintains a history of all requests and responses pass through it
When you select an item the table , the full request and response for that item are show below
Above the history table is a filter bar . Click on the bar to open the filters options
– Driving your testing workflow
The proxy tool lies at the heart of Burp’s user-driven workflow.And you can choose the particular tasks .
– Key configuraiont options
You can add listeners on different ports and interfaces, redirect to different hosts, configure how the listener handles SSL certificates, and support invisible proxying for non-browsers clients
You can configure fine-grained rules to intercept just the request that you want to see.
The match and replace options let you define rules to automatically mofiy ports of request and response messages passing through the proxy
The miscellaneous options control some specific details of Bup’s behaviour -
![## What is snort ? Snort is an open source network intrusion prevention system(IDS), capable of performing real-time traffic analysis and packet logging on IP networks. It can perform protocol analysis, content searching/matching, and can be used to detect a variety of attacks and probes, such as buffer overflows, stealth port scans, CGI attacks, SMB probes, OS fingerprinting attempts, and much more. ## Installation **Install from source** Find the appropriate package for your operating system and install. ```sh wget https://www.snort.org/downloads/snort/daq-2.0.6.tar.gz tar xvfz daq-2.0.6.tar.gz cd daq-2.0.6 ./configure && make && sudo make install ``` On Ubuntu/Debinan: ```sh sudo apt-get install snort ``` ## Usage ```sh USAGE: snort [-options] Options: -A Set alert mode: fast, full, console, test or none (alert file alerts only) "unsock" enables UNIX socket logging (experimental). -b Log packets in tcpdump format (much faster!) -B Obfuscated IP addresses in alerts and packet dumps using CIDR mask -c Use Rules File -C Print out payloads with character data only (no hex) -d Dump the Application Layer -D Run Snort in background (daemon) mode -e Display the second layer header info -f Turn off fflush() calls after binary log writes -F Read BPF filters from file -g Run snort gid as group (or gid) after initialization -G Log Identifier (to uniquely id events for multiple snorts) -h Set home network = (for use with -l or -B, does NOT change $HOME_NET in IDS mode) -H Make hash tables deterministic. -i Listen on interface -I Add Interface name to alert output -k Checksum mode (all,noip,notcp,noudp,noicmp,none) -K Logging mode (pcap[default],ascii,none) -l Log to directory -L Log to this tcpdump file -M Log messages to syslog (not alerts) -m Set umask = -n Exit after receiving packets -N Turn off logging (alerts still work) -O Obfuscate the logged IP addresses -p Disable promiscuous mode sniffing -P Set explicit snaplen of packet (default: 1514) -q Quiet. Don't show banner and status report -Q Enable inline mode operation. -r Read and process tcpdump file -R Include 'id' in snort_intf.pid file name -s Log alert messages to syslog -S Set rules file variable n equal to value v -t Chroots process to after initialization -T Test and report on the current Snort configuration -u Run snort uid as user (or uid) after initialization -U Use UTC for timestamps -v Be verbose -V Show version number -X Dump the raw packet data starting at the link layer -x Exit if Snort configuration problems occur -y Include year in timestamp in the alert and log files -Z Set the performonitor preprocessor file path and name -? Show this information are standard BPF options, as seen in TCPDump Longname options and their corresponding single char version --logid Same as -G --perfmon-file Same as -Z --pid-path Specify the directory for the Snort PID file --snaplen Same as -P --help Same as -? --version Same as -V --alert-before-pass Process alert, drop, sdrop, or reject before pass, default is pass before alert, drop,... --treat-drop-as-alert Converts drop, sdrop, and reject rules into alert rules during startup --treat-drop-as-ignore Use drop, sdrop, and reject rules to ignore session traffic when not inline. --process-all-events Process all queued events (drop, alert,...), default stops after 1st action group --enable-inline-test Enable Inline-Test Mode Operation --dynamic-engine-lib Load a dynamic detection engine --dynamic-engine-lib-dir Load all dynamic engines from directory --dynamic-detection-lib Load a dynamic rules library --dynamic-detection-lib-dir Load all dynamic rules libraries from directory --dump-dynamic-rules Creates stub rule files of all loaded rules libraries --dynamic-preprocessor-lib Load a dynamic preprocessor library --dynamic-preprocessor-lib-dir Load all dynamic preprocessor libraries from directory --dynamic-output-lib Load a dynamic output library --dynamic-output-lib-dir Load all dynamic output libraries from directory --create-pidfile Create PID file, even when not in Daemon mode --nolock-pidfile Do not try to lock Snort PID file --no-interface-pidfile Do not include the interface name in Snort PID file --disable-attribute-reload-thread Do not create a thread to reload the attribute table --pcap-single Same as -r. --pcap-file file that contains a list of pcaps to read - read mode is implied. --pcap-list "" a space separated list of pcaps to read - read mode is implied. --pcap-dir a directory to recurse to look for pcaps - read mode is implied. --pcap-filter filter to apply when getting pcaps from file or directory. --pcap-no-filter reset to use no filter when getting pcaps from file or directory. --pcap-loop this option will read the pcaps specified on command line continuously. for times. A value of 0 will read until Snort is terminated. --pcap-reset if reading multiple pcaps, reset snort to post-configuration state before reading next pcap. --pcap-reload if reading multiple pcaps, reload snort config between pcaps. --pcap-show print a line saying what pcap is currently being read. --exit-check Signal termination after callbacks from DAQ_Acquire(), showing the time it takes from signaling until DAQ_Stop() is called. --conf-error-out Same as -x --enable-mpls-multicast Allow multicast MPLS --enable-mpls-overlapping-ip Handle overlapping IPs within MPLS clouds --max-mpls-labelchain-len Specify the max MPLS label chain --mpls-payload-type Specify the protocol (ipv4, ipv6, ethernet) that is encapsulated by MPLS --require-rule-sid Require that all snort rules have SID specified. --daq Select packet acquisition module (default is pcap). --daq-mode Select the DAQ operating mode. --daq-var Specify extra DAQ configuration variable. --daq-dir Tell snort where to find desired DAQ. --daq-list[=] List packet acquisition modules available in dir. Default is static modules only. --dirty-pig Don't flush packets and release memory on shutdown. --cs-dir Directory to use for control socket. --ha-peer Activate live high-availability state sharing with peer. --ha-out Write high-availability events to this file. --ha-in Read high-availability events from this file on startup (warm-start). --suppress-config-log Suppress configuration information output. ``` ## Features Snort can be configured to run in three modes: * **Sniffer mode**, which simply reads the packets off the network and displays them for you in a continous stream on the console(screen). An example, if you want to print out TCP/IP packet headers to the screen, try this: ```sh snort -v ``` ![]() If you want to see the application data in transit, try the following: ```sh snort -vd ``` * **Packet Logger mode**, wich logs the packets to disk. To record the packets to the disk, you need to specify a loggin directory and Snort will automatically know to go into packet logger mode: ```sh snort -dev -l ./log ``` **Others logging options:** ```sh snort -dev -l ./log -h 192.168.1.0/24 // Log relative to the home network snort -l ./log -b // Binary mode logs ``` * **Network Intrusion Detection System(NIDS) mode**, which performs detection and analysis on network traffic. This is the most complex and configurable mode. To enable Network Detection System(NIDS) mode so that your don't recorad every single packet sent down the wire, try this: ```sh snort -dev -l ./log -h 192.168.1.0/24 -c snort.conf ``` where **snort.conf** is the name of your configuration file( default at /etc/snort/). This will applay the rules configured in the **snort.conf** file to each packet to decide if an action based upon the rule type in the file should taken. If you don't specify an output directory for the program, it will default to **/var/log/snort**. Many options we can try, but just one for start. ## Snort rules - Snort's rule engine enables custom rules to meets the needs of the network - Snort rules help in differentiating between normal internet activities and malicious activities. - Snort rules must be contained on a single line, the Snort rule parser does not handle rules on multiple lines - Snort rules come with two logical parts: **Rule heaer:** Identifies rule's cations such as alerts, log, pass, activate, dynamic, etc. **Rule options:** Indentifies rule's alert messages. Example: ![]() A real example rule for ddos: ```sh alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"DOS Jolt attack"; dsize:408; fragbits:M; reference:cve,1999-0345; classtype:attempted-dos; sid:268; rev:4;) ``` ## Demo So, let try an example with ping detect Open file **local.rules** to add a new rule: ```sh sudo vim /etc/snort/rules/local.rules ``` Add a new rule to detect ping: ```sh alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"You're being pinged!"; GID:1; sid: 10000001; classtype: icmp-event;) ``` Run snort IDS mode: ```sh sudo snort -A console -d -l /var/log/snort -A console -q -u snort -g snort -c /etc/snort/snort.conf ``` 92.168.1.22 -> 192.168.1.152 Now, pring from another host: ```sh ping 192.168.1.22 ``` Here are results: ![]() Above, just is an example. Hope you can do more ! ## Conclusion Snort is the most open source IDS. In this artice, I'm trying to guide you litte bit to start with snort like: installation, snort's mode, snort's rule strucuture and an real example how we apply a new rule by your own. Cheers! ## References Snort manual: https://goo.gl/kE3HWG](https://hydrasky.com/wp-content/uploads/2017/09/snort-ids.jpg)
This site is really cool. I have bookmarked it.
Do you allow guest post on your blog ? I can write high quality posts for you. Let me know.
Which kind of post do you like? 🙂