Diffstat (limited to 'snort.asciidoci')
-rw-r--r-- | snort.asciidoci | 66
1 files changed, 66 insertions, 0 deletions
diff --git a/snort.asciidoci b/snort.asciidoci new file mode 100644 index 0000000..7592940 --- /dev/null +++ b/snort.asciidoci 
@@ -0,0 +1,66 @@ +== Snort Practical, Week 12 == + +The goal of this practical is to let us discover what intrusion detection +systems are and start to practice using the Snort implementation. + +At the end of the practical, we should be able to write and understand simple +rules to detect and react to abnormal behaviour on our network. + +=== Problem 1: Fresh install configuration issues === + +After installing Snort using our package manager, the configuration check fails +because a variable in the file '/etc/snort/snort.conf' appears not to be set to +a valid value. + +==== Resolution ==== + +The header of the so called file describes us the steps to create our +configuration. A 'README.variables' file is advised to be read. However, it is +not present on our machine. To get it, we have to install the package +'snort-doc' (we can use 'apt-get' to achieve that). + +We can fix the configuration issue by setting 'HOME_NET' to our IP address +given by 'ifconfig eth0'. + +=== Problem 2: Creating our own rules === + +The manpage 'snort (8)' tells us that we can use the '-c' option to use our own +rules. In our case, the command line to start 'snort' with our own rules is: + + $ sudo snort -c 'custom.rules' -l $HOME/logs -i eth0 + +All we have to do now is fill the file 'custom.rules' with our custom rules. + +==== Resolution ==== + +The file 'Snort.pdf' from 'www.seren.net' and linked in the practical provides +us the syntax of a rule, which is: + +---- + function protocol source_ip source_port -> dest_ip dest_port [options] +---- + +To create a rule which simply alerts whenever a TCP packet is transmitted to +our HTTP server, we don't need any option so we will leave the field blank. The +following rule does what we intend. + + alert tcp any any -> $HOME_NET 80 + +Doing the same for HTTPS is very similar. We will append the message 'secured +website' to the alert though. 
+ + alert tcp any any -> $HOME_NET 443 (msg:"secured website"; sid:1) + +Using the following rule, we can alert whenever a TCP packet is transmitted to +our web server using SSL or not. + + alert tcp any any -> $HOME_NET [80,443] + +Last but not least, if we want to alert only when packets are transmitted to +our port 443 and come from outside the university, we will use: + + alert tcp 129.12.0.0/16 any -> $HOME_net 443 + +Having '129.12.0.0/16' be an alternate notation of '129.12.0.0' with a mask of +'255.255.0.0'. + |
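Review bot: The final rule, `alert tcp 129.12.0.0/16 any -> $HOME_net 443`, does the opposite of what the text above it states: a source of `129.12.0.0/16` matches traffic coming from inside the university range, whereas "come from outside the university" calls for the negated source `!129.12.0.0/16`. The same line spells the variable `$HOME_net`; Snort variable names are case-sensitive, so it will not resolve to the `HOME_NET` defined in snort.conf and should read `$HOME_NET`. Three of the four rules (the port 80 rule, the `[80,443]` rule and the final one) carry no options section at all; Snort 2.9 and later reject a rule that has no `sid`, so each needs at least `(msg:"..."; sid:N;)`, and the sentence "we don't need any option so we will leave the field blank" should be corrected to match. The one rule that does have options uses `sid:1`; SIDs below 1000000 are reserved for the distributed rule sets, so locally written rules should start at 1000000 to avoid colliding with them. Minor: the syntax line `function protocol source_ip source_port -> dest_ip dest_port [options]` uses "function" for what Snort documentation calls the rule action (alert, log, pass, ...).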