Diffstat (limited to 'snort.adoci')
-rw-r--r--  snort.adoci  66
1 files changed, 0 insertions, 66 deletions
diff --git a/snort.adoci b/snort.adoci
deleted file mode 100644
index 7592940..0000000
--- a/snort.adoci
+++ /dev/null
@@ -1,66 +0,0 @@
-== Snort Practical, Week 12 ==
-
-The goal of this practical is to let us discover what intrusion detection
-systems are and start to practice using the Snort implementation.
-
-At the end of the practical, we should be able to write and understand simple
-rules to detect and react to abnormal behaviour on our network.
-
-=== Problem 1: Fresh install configuration issues ===
-
-After installing Snort using our package manager, the configuration check fails
-because a variable in the file '/etc/snort/snort.conf' appears not to be set to
-a valid value.
-
-==== Resolution ====
-
-The header of the so called file describes us the steps to create our
-configuration. A 'README.variables' file is advised to be read. However, it is
-not present on our machine. To get it, we have to install the package
-'snort-doc' (we can use 'apt-get' to achieve that).
-
-We can fix the configuration issue by setting 'HOME_NET' to our IP address
-given by 'ifconfig eth0'.
-
-=== Problem 2: Creating our own rules ===
-
-The manpage 'snort (8)' tells us that we can use the '-c' option to use our own
-rules. In our case, the command line to start 'snort' with our own rules is:
-
- $ sudo snort -c 'custom.rules' -l $HOME/logs -i eth0
-
-All we have to do now is fill the file 'custom.rules' with our custom rules.
-
-==== Resolution ====
-
-The file 'Snort.pdf' from 'www.seren.net' and linked in the practical provides
-us the syntax of a rule, which is:
-
-----
- function protocol source_ip source_port -> dest_ip dest_port [options]
-----
-
-To create a rule which simply alerts whenever a TCP packet is transmitted to
-our HTTP server, we don't need any option so we will leave the field blank. The
-following rule does what we intend.
-
- alert tcp any any -> $HOME_NET 80
-
-Doing the same for HTTPS is very similar. We will append the message 'secured
-website' to the alert though.
-
- alert tcp any any -> $HOME_NET 443 (msg:"secured website"; sid:1)
-
-Using the following rule, we can alert whenever a TCP packet is transmitted to
-our web server using SSL or not.
-
- alert tcp any any -> $HOME_NET [80,443]
-
-Last but not least, if we want to alert only when packets are transmitted to
-our port 443 and come from outside the university, we will use:
-
- alert tcp 129.12.0.0/16 any -> $HOME_net 443
-
-Having '129.12.0.0/16' be an alternate notation of '129.12.0.0' with a mask of
-'255.255.0.0'.
-
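Review bot: since this hunk drops the whole of snort.adoci, please confirm that nothing else in the tree still references it, and if its text is being moved elsewhere, do not carry over the two defects visible in the removed lines. In `alert tcp 129.12.0.0/16 any -> $HOME_net 443` the variable is written `$HOME_net` instead of `$HOME_NET` (Snort variable names are case-sensitive, so the rule would not resolve), and the source field is the university range `129.12.0.0/16` itself while the surrounding prose says the rule should fire only for packets coming from outside the university, so the intended source is the negated range `!129.12.0.0/16`. The option-less rules (`alert tcp any any -> $HOME_NET 80` and the `[80,443]` variant) also carry no `sid`, which Snort 2.9 reports as an error at configuration check time; each rule needs its own unique sid, as the HTTPS rule with `sid:1` already does.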