Diffstat (limited to 'snort.adoci')
-rw-r--r--  snort.adoci  66
1 files changed, 0 insertions, 66 deletions
diff --git a/snort.adoci b/snort.adoci deleted file mode 100644 index 7592940..0000000 --- a/snort.adoci +++ /dev/null 
@@ -1,66 +0,0 @@ -== Snort Practical, Week 12 == - -The goal of this practical is to let us discover what intrusion detection -systems are and start to practice using the Snort implementation. - -At the end of the practical, we should be able to write and understand simple -rules to detect and react to abnormal behaviour on our network. - -=== Problem 1: Fresh install configuration issues === - -After installing Snort using our package manager, the configuration check fails -because a variable in the file '/etc/snort/snort.conf' appears not to be set to -a valid value. - -==== Resolution ==== - -The header of the so called file describes us the steps to create our -configuration. A 'README.variables' file is advised to be read. However, it is -not present on our machine. To get it, we have to install the package -'snort-doc' (we can use 'apt-get' to achieve that). - -We can fix the configuration issue by setting 'HOME_NET' to our IP address -given by 'ifconfig eth0'. - -=== Problem 2: Creating our own rules === - -The manpage 'snort (8)' tells us that we can use the '-c' option to use our own -rules. In our case, the command line to start 'snort' with our own rules is: - - $ sudo snort -c 'custom.rules' -l $HOME/logs -i eth0 - -All we have to do now is fill the file 'custom.rules' with our custom rules. - -==== Resolution ==== - -The file 'Snort.pdf' from 'www.seren.net' and linked in the practical provides -us the syntax of a rule, which is: - ----- - function protocol source_ip source_port -> dest_ip dest_port [options] ----- - -To create a rule which simply alerts whenever a TCP packet is transmitted to -our HTTP server, we don't need any option so we will leave the field blank. The -following rule does what we intend. - - alert tcp any any -> $HOME_NET 80 - -Doing the same for HTTPS is very similar. We will append the message 'secured -website' to the alert though. 
- - alert tcp any any -> $HOME_NET 443 (msg:"secured website"; sid:1) - -Using the following rule, we can alert whenever a TCP packet is transmitted to -our web server using SSL or not. - - alert tcp any any -> $HOME_NET [80,443] - -Last but not least, if we want to alert only when packets are transmitted to -our port 443 and come from outside the university, we will use: - - alert tcp 129.12.0.0/16 any -> $HOME_net 443 - -Having '129.12.0.0/16' be an alternate notation of '129.12.0.0' with a mask of -'255.255.0.0'. - |
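Review bot: the removed notes contain two defects that should be fixed wherever this content ends up rather than silently disappear with the file: the last rule reads `alert tcp 129.12.0.0/16 any -> $HOME_net 443`, where `$HOME_net` does not match the `HOME_NET` variable set in Problem 1, and the surrounding prose says the alert should fire only for packets that "come from outside the university" while the rule matches packets whose source is inside 129.12.0.0/16; the intended source field is the negated `!129.12.0.0/16`. Also, only the HTTPS rule carries a `sid`, the other three rules have no options at all. The visible diff gives no reason for the deletion; a commit message line stating whether the practical notes were superseded or moved would make the change reviewable.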