author Olivier Gayot <duskcoder@gmail.com> 2015-01-19 00:44:56 +0000
committer Olivier Gayot <duskcoder@gmail.com> 2015-01-19 00:44:56 +0000
commit f69eedf204399373c23690ad4220b5e44bc772be (patch)
tree f4a3b17b7f27519e1abaa45ec2baee5154d7d792
parent f5126a552ee564ed98a55baa2d2d4560f3ce7dcc (diff)
added content for the snort practical
Signed-off-by: Olivier Gayot <duskcoder@gmail.com>
-rw-r--r-- snort.adoci 54
1 file changed, 52 insertions, 2 deletions
diff --git a/snort.adoci b/snort.adoci
index 7b0be02..7592940 100644
--- a/snort.adoci
+++ b/snort.adoci
@@ -1,6 +1,12 @@
== Snort Practical, Week 12 ==
-=== Problem 3: Fresh install configuration issues ===
+The goal of this practical is to let us discover what intrusion detection
+systems are and start to practice using the Snort implementation.
+
+At the end of the practical, we should be able to write and understand simple
+rules to detect and react to abnormal behaviour on our network.
+
+=== Problem 1: Fresh install configuration issues ===
After installing Snort using our package manager, the configuration check fails
because a variable in the file '/etc/snort/snort.conf' appears not to be set to
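Review bot: the new introduction (lines "+At the end of the practical ... detect and react to abnormal behaviour") promises rules that "react", but every rule added later in this file uses the `alert` action and the run command only logs to `$HOME/logs`, so the practical exercises detection and logging, not a response. Consider "detect and log abnormal behaviour" so the stated goal matches what the rules do.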
@@ -13,4 +19,48 @@ configuration. A 'README.variables' file is advised to be read. However, it is
not present on our machine. To get it, we have to install the package
'snort-doc' (we can use 'apt-get' to achieve that).
-We can fix the configuration issue by setting 'HOME_NET' to '127.0.0.1'.
+We can fix the configuration issue by setting 'HOME_NET' to our IP address
+given by 'ifconfig eth0'.
+
+=== Problem 2: Creating our own rules ===
+
+The manpage 'snort (8)' tells us that we can use the '-c' option to use our own
+rules. In our case, the command line to start 'snort' with our own rules is:
+
+ $ sudo snort -c 'custom.rules' -l $HOME/logs -i eth0
+
+All we have to do now is fill the file 'custom.rules' with our custom rules.
+
+==== Resolution ====
+
+The file 'Snort.pdf' from 'www.seren.net' and linked in the practical provides
+us the syntax of a rule, which is:
+
+----
+ function protocol source_ip source_port -> dest_ip dest_port [options]
+----
+
+To create a rule which simply alerts whenever a TCP packet is transmitted to
+our HTTP server, we don't need any option so we will leave the field blank. The
+following rule does what we intend.
+
+ alert tcp any any -> $HOME_NET 80
+
+Doing the same for HTTPS is very similar. We will append the message 'secured
+website' to the alert though.
+
+ alert tcp any any -> $HOME_NET 443 (msg:"secured website"; sid:1)
+
+Using the following rule, we can alert whenever a TCP packet is transmitted to
+our web server using SSL or not.
+
+ alert tcp any any -> $HOME_NET [80,443]
+
+Last but not least, if we want to alert only when packets are transmitted to
+our port 443 and come from outside the university, we will use:
+
+ alert tcp 129.12.0.0/16 any -> $HOME_net 443
+
+Having '129.12.0.0/16' be an alternate notation of '129.12.0.0' with a mask of
+'255.255.0.0'.
+
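Review bot: the last rule does the opposite of what the sentence before it says. "come from outside the university" with the university range given as '129.12.0.0/16' needs the source negated, i.e. `alert tcp !129.12.0.0/16 any -> $HOME_NET 443 ...`; as written, `129.12.0.0/16 any` matches only traffic from inside that range. In the same line, `$HOME_net` should be `$HOME_NET` (Snort variable names are case-sensitive, so this is an undefined variable and Snort will refuse to load the file). Three of the four rules also have no options block; Snort requires a `sid` on every rule and the sids in one rules file must be unique, so each rule should at least carry `(msg:"..."; sid:N;)` with distinct N (sids below 1000000 are reserved for the official rule sets, so local rules conventionally start at 1000000). Finally, `sudo snort -c 'custom.rules' ...` loads 'custom.rules' in place of 'snort.conf', so `$HOME_NET` is not defined unless the file itself starts with `var HOME_NET <address>` or the variable is passed on the command line with `-S HOME_NET=<address>`; worth stating, since Problem 1 sets it only in '/etc/snort/snort.conf'.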