Snort Lab

The document provides a comprehensive guide for setting up and configuring SNORT, an Intrusion Detection System (IDS), within a specified lab environment. It includes instructions for installing necessary dependencies, configuring SNORT, and writing basic rules for detecting network threats. Additionally, it outlines exercises for users to practice creating custom SNORT rules for various security scenarios.


LAB: SNORT (IDS)

Objective: Understand the concept of Intrusion Detection System, particularly installation and setup of
SNORT.

In this example we are using apnictraining.net as the domain name.

# super user command
$ normal user command
X replace with the group number
Username: apnic, password: training

Topology

The following will be the topology used for this lab. Note that the IP addresses are examples only. When
working on the lab, use the actual IP addresses as indicated by the instructors. For the purpose of this
guide, the IP address of 192.168.30.X or 2001:db8:1::X will refer to your Virtual Machine (VM).

[group1.apnictraining.net] [192.168.30.1]
[group2.apnictraining.net] [192.168.30.2]
[group3.apnictraining.net] [192.168.30.3]
...................
[group30.apnictraining.net] [192.168.30.30]

Lab Notes

Confirm interface name:

On the VM, check the IP configuration to find the interface name:

ifconfig
OR
ip route show | grep " src " | cut -d " " -f 3,12

In this guide the interface name is eth0. Depending on the version of Ubuntu, the interface
name may be enp0s3 or something different. Wherever eth0 is used in this guide, replace it
with your interface name.

Virtual Machine (Container) details


Ubuntu 16.04 LTS/LXC
Hostname = groupXX.apnictraining.net
Domain name = apnictraining.net
IPv4 Address = 192.168.30.xx
IPv6 Address = 2001:db8:1::xx
xx = group ID as allocated by the instructor

Install SNORT
1. Update the list of Ubuntu repos to download resources from.

sudo apt-get update

2. Install the dependencies required for snort.

sudo apt-get install -y ethtool build-essential libpcap-dev libpcre3-dev
sudo apt-get install -y libdumbnet-dev
sudo apt-get install -y bison flex zlib1g-dev liblzma-dev openssl libssl-dev

3. Install snort.

sudo apt-get install -y snort

It will ask for your HOME_NET address. For this lab, define it as your host IP. For example, for group 11 it
will be 192.168.30.11/32. If required, it can be changed later by editing the snort.debian.conf file.

4. After installation check the installation location.

whereis snort

Important file locations


SNORT configuration: /etc/snort/snort.conf
SNORT debian configuration: /etc/snort/snort.debian.conf
SNORT rules: /etc/snort/rules
SNORT executables: /etc/sbin/snort

5. To view the SNORT help.

snort -? | more
-? display options and help

Configure SNORT
1. During the installation process you defined the HOME_NET. To confirm the HOME_NET and interface-related
configuration, read it from /etc/snort/snort.debian.conf:

sudo cat /etc/snort/snort.debian.conf | grep HOME_NET

2. Make a backup of the snort.conf file:

sudo cp /etc/snort/snort.conf /etc/snort/snort.conf.bak

3. For the purpose of this lab, disable all predefined rules (ruleset) except local.rules from the
snort.conf file:

sudo vi /etc/snort/snort.conf

This is a big configuration file. Disable (put # in front of) every line containing include $RULE_PATH (in Step 7
of the configuration file) except include $RULE_PATH/local.rules. We will put all our local rules
in the file referenced by include $RULE_PATH/local.rules.

To enable the alert log, comment out the following line (by adding # before the line; it is in Step 6 of the
configuration file):

output unified2: filename snort.log, limit 128, nostamp, mpls_event_types, vlan_event_types

4. Save and quit editing the snort.conf file by pressing ESC, then typing :wq and Enter.

5. Test that the snort.conf file has been edited correctly.

sudo snort -T -c /etc/snort/snort.conf | more

-T test a configuration file
-c configuration or ruleset file

6. Start SNORT.

sudo /etc/init.d/snort start

7. Confirm SNORT is running.

ps -ef | grep snort

or

sudo /etc/init.d/snort status

SNORT rules
Snort rules are divided into two logical sections:

1. Rule Header: The rule header contains the rule's action, protocol, source and destination IP
addresses and netmasks, and the source and destination ports information.
2. Rule Options: The rule option section contains alert messages and information on which parts of the
packet should be inspected to determine if the rule action should be taken.

Here is a good reference to learn about writing snort rules:

http://manual-snort-org.s3-website-us-east-1.amazonaws.com/node28.html

First bad rule

1. Add the following rule to /etc/snort/rules/local.rules:

sudo vi /etc/snort/rules/local.rules

alert ip any any -> any any (msg: "IP Packet detected"; sid: 10000;)

2. Save and exit.

3. Restart SNORT service.

sudo /etc/init.d/snort restart

This rule will generate an alert for every packet.

4. Try to ping any destination.

ping 127.0.0.1

5. Check the alert log file.

sudo su
tail -f /var/log/snort/alert

6. REMOVE (or comment out) the bad rule from local.rules once you have seen the alert!

SNORT Exercises
Exercise 1: Write a rule to detect an XMAS scan against your server from the external network.

Hint: using TCP flags in Snort rules

Exercise 2: Write a rule to detect any external network access to the web server's /admin pages.

Hint: content matching

Exercise 3: Write a rule to detect an SSH brute-force attack and log any IP that tries to connect more than 3 times in
60 seconds (the threshold option may be deprecated*).

Hint: detection filter

A useful tool for writing basic Snort rules: https://github.com/chrisjd20/Snorpy
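The following script is an added example and is not part of the lab or of Snort itself. It parses Snort 2 rule lines into the two sections described in the "SNORT rules" section (header fields and an option dictionary) and lints them for the mistakes this lab is designed to expose: a rule that matches every packet like the "first bad rule", a missing msg or sid, a sid in the range reserved for distributed rules, and two local rules sharing one sid. The sample local.rules content is constructed for illustration; the three exercise rules in it are one possible reading of the exercises above (flags:FPU, content with http_uri, detection_filter), not the lab's answer key, and the $HOME_NET / $EXTERNAL_NET variables are assumed to be defined in snort.conf as in a default install.

```python
"""Parser and linter for Snort 2 rule syntax (added example, not lab code)."""
import re
from dataclasses import dataclass

# Rule header: action protocol src_ip src_port direction dst_ip dst_port,
# followed by the option section in parentheses.
HEADER_RE = re.compile(
    r"^(?P<action>alert|log|pass|drop|reject|sdrop)\s+"
    r"(?P<proto>ip|tcp|udp|icmp)\s+"
    r"(?P<src_ip>\S+)\s+(?P<src_port>\S+)\s+"
    r"(?P<direction>->|<>)\s+"
    r"(?P<dst_ip>\S+)\s+(?P<dst_port>\S+)\s*"
    r"\((?P<options>.*)\)\s*$"
)

# Option keywords that narrow what a rule matches on. A rule with none of
# these and an any/any -> any/any header fires on every packet.
NARROWING_KEYWORDS = {
    "content", "pcre", "flags", "flow", "detection_filter", "dsize",
    "itype", "icode", "ttl", "byte_test", "uricontent",
}


@dataclass
class SnortRule:
    action: str
    proto: str
    src_ip: str
    src_port: str
    direction: str
    dst_ip: str
    dst_port: str
    options: dict  # keyword -> list of values; keywords such as content may repeat


def split_options(text):
    """Split the option section on ';' without splitting inside quoted strings."""
    parts, buf, in_quote, escaped = [], [], False, False
    for ch in text:
        if escaped:
            buf.append(ch)
            escaped = False
            continue
        if ch == "\\":
            buf.append(ch)
            escaped = True
            continue
        if ch == '"':
            in_quote = not in_quote
        if ch == ";" and not in_quote:
            parts.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    tail = "".join(buf).strip()
    if tail:
        parts.append(tail)
    return [p for p in parts if p]


def parse_rule(line):
    """Parse one rule line into its header fields and an options dictionary."""
    m = HEADER_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a valid Snort rule: {line!r}")
    options = {}
    for opt in split_options(m.group("options")):
        key, _, value = opt.partition(":")  # modifiers such as http_uri have no value
        options.setdefault(key.strip(), []).append(value.strip())
    fields = {k: m.group(k) for k in
              ("action", "proto", "src_ip", "src_port", "direction", "dst_ip", "dst_port")}
    return SnortRule(options=options, **fields)


def parse_rules(text):
    """Parse local.rules-style text, skipping blank lines and '#' comments."""
    return [parse_rule(ln) for ln in text.splitlines()
            if ln.strip() and not ln.lstrip().startswith("#")]


def lint(rule):
    """Return the problems a lab rule should not have (empty list means ok)."""
    problems = []
    if "msg" not in rule.options:
        problems.append("missing msg")
    if "sid" not in rule.options:
        problems.append("missing sid")
    elif int(rule.options["sid"][0]) < 1000000:
        problems.append("sid below 1000000 is reserved for distributed rules")
    unrestricted = {rule.src_ip, rule.src_port, rule.dst_ip, rule.dst_port} == {"any"}
    if unrestricted and not NARROWING_KEYWORDS & set(rule.options):
        problems.append("matches every packet")
    return problems


def duplicate_sids(rules):
    """Two rules with one sid collide in Snort; find them before restarting the service."""
    seen, dupes = set(), set()
    for r in rules:
        sid = r.options.get("sid", ["?"])[0]
        if sid in seen:
            dupes.add(sid)
        seen.add(sid)
    return sorted(dupes)


# Constructed sample local.rules content (illustration only, not the lab's answer key).
SAMPLE_LOCAL_RULES = """
# The lab's deliberately bad rule: alerts on every packet.
alert ip any any -> any any (msg: "IP Packet detected"; sid: 10000;)
# Exercise 1 (one reading): XMAS scan sets FIN, PSH and URG together.
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"XMAS scan"; flags:FPU; sid:1000001; rev:1;)
# Exercise 2 (one reading): external client requesting a URI under /admin.
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"Access to /admin"; flow:to_server,established; content:"/admin"; http_uri; nocase; sid:1000002; rev:1;)
# Exercise 3 (one reading): more than 3 SSH SYNs from one source within 60 seconds.
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"SSH brute force"; flow:to_server; flags:S; detection_filter:track by_src, count 3, seconds 60; sid:1000003; rev:1;)
"""

if __name__ == "__main__":
    loaded = parse_rules(SAMPLE_LOCAL_RULES)
    for rule in loaded:
        print(rule.options["sid"][0], rule.options["msg"][0], lint(rule) or "ok")
    print("duplicate sids:", duplicate_sids(loaded))
```

Run it before restarting the service with `sudo /etc/init.d/snort restart`: the lab's bad rule is reported as "matches every packet" and as using a reserved sid, while the three exercise-style rules pass because their headers are restricted to $EXTERNAL_NET -> $HOME_NET and each carries an option that narrows the match. The parser is deliberately limited to the rule shapes used in this lab; `snort -T -c /etc/snort/snort.conf` remains the authoritative syntax check.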

***END OF EXERCISE***

version: 20201105
