Diffstat (limited to 'snort.asciidoci')
-rw-r--r--  snort.asciidoci  66
1 files changed, 66 insertions, 0 deletions
diff --git a/snort.asciidoci b/snort.asciidoci
new file mode 100644
index 0000000..7592940
--- /dev/null
+++ b/snort.asciidoci
@@ -0,0 +1,66 @@
+== Snort Practical, Week 12 ==
+
+The goal of this practical is to let us discover what intrusion detection
+systems are and start to practice using the Snort implementation.
+
+At the end of the practical, we should be able to write and understand simple
+rules to detect and react to abnormal behaviour on our network.
+
+=== Problem 1: Fresh install configuration issues ===
+
+After installing Snort using our package manager, the configuration check fails
+because a variable in the file '/etc/snort/snort.conf' appears not to be set to
+a valid value.
+
+==== Resolution ====
+
+The header of the so called file describes us the steps to create our
+configuration. A 'README.variables' file is advised to be read. However, it is
+not present on our machine. To get it, we have to install the package
+'snort-doc' (we can use 'apt-get' to achieve that).
+
+We can fix the configuration issue by setting 'HOME_NET' to our IP address
+given by 'ifconfig eth0'.
+
+=== Problem 2: Creating our own rules ===
+
+The manpage 'snort (8)' tells us that we can use the '-c' option to use our own
+rules. In our case, the command line to start 'snort' with our own rules is:
+
+ $ sudo snort -c 'custom.rules' -l $HOME/logs -i eth0
+
+All we have to do now is fill the file 'custom.rules' with our custom rules.
+
+==== Resolution ====
+
+The file 'Snort.pdf' from 'www.seren.net' and linked in the practical provides
+us the syntax of a rule, which is:
+
+----
+ function protocol source_ip source_port -> dest_ip dest_port [options]
+----
+
+To create a rule which simply alerts whenever a TCP packet is transmitted to
+our HTTP server, we don't need any option so we will leave the field blank. The
+following rule does what we intend.
+
+ alert tcp any any -> $HOME_NET 80
+
+Doing the same for HTTPS is very similar. We will append the message 'secured
+website' to the alert though.
+
+ alert tcp any any -> $HOME_NET 443 (msg:"secured website"; sid:1)
+
+Using the following rule, we can alert whenever a TCP packet is transmitted to
+our web server using SSL or not.
+
+ alert tcp any any -> $HOME_NET [80,443]
+
+Last but not least, if we want to alert only when packets are transmitted to
+our port 443 and come from outside the university, we will use:
+
+ alert tcp 129.12.0.0/16 any -> $HOME_net 443
+
+Having '129.12.0.0/16' be an alternate notation of '129.12.0.0' with a mask of
+'255.255.0.0'.
+
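Review bot: the last rule (`alert tcp 129.12.0.0/16 any -> $HOME_net 443`) does the opposite of what the preceding sentence says and references a variable that does not exist. The text asks for packets that "come from outside the university", but the source field matches the university's own range; negate it with `!129.12.0.0/16` so the rule matches everything except that block. Separately, `$HOME_net` is not the `$HOME_NET` variable defined in snort.conf (variable names are case-sensitive), so Snort will reject the rule at startup. Two smaller points on the other rules: `alert tcp any any -> $HOME_NET 80` and `alert tcp any any -> $HOME_NET [80,443]` carry no `sid`, and current Snort 2.9 releases refuse to load a rule without a `sid` option, so a `(msg:"..."; sid:N;)` block is needed even when no other option is wanted; and local rules should use sids of 1000000 or higher, since `sid:1` falls in the range reserved for the official ruleset. The syntax line `function protocol source_ip ...` would also read better with Snort's own term, `action`, for the first field.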