From f69eedf204399373c23690ad4220b5e44bc772be Mon Sep 17 00:00:00 2001 From: Olivier Gayot Date: Mon, 19 Jan 2015 00:44:56 +0000 Subject: added content for the snort practical Signed-off-by: Olivier Gayot --- snort.adoci | 54 ++++++++++++++++++++++++++++++++++++++++++++++++++++-- 1 file changed, 52 insertions(+), 2 deletions(-) diff --git a/snort.adoci b/snort.adoci index 7b0be02..7592940 100644 --- a/snort.adoci +++ b/snort.adoci @@ -1,6 +1,12 @@ == Snort Practical, Week 12 == -=== Problem 3: Fresh install configuration issues === +The goal of this practical is to let us discover what intrusion detection +systems are and start to practice using the Snort implementation. + +At the end of the practical, we should be able to write and understand simple +rules to detect and react to abnormal behaviour on our network. + +=== Problem 1: Fresh install configuration issues === After installing Snort using our package manager, the configuration check fails because a variable in the file '/etc/snort/snort.conf' appears not to be set to 
@@ -13,4 +19,48 @@ configuration. A 'README.variables' file is advised to be read. However, it is not present on our machine. To get it, we have to install the package 'snort-doc' (we can use 'apt-get' to achieve that). -We can fix the configuration issue by setting 'HOME_NET' to '127.0.0.1'. +We can fix the configuration issue by setting 'HOME_NET' to our IP address +given by 'ifconfig eth0'. + +=== Problem 2: Creating our own rules === + +The manpage 'snort (8)' tells us that we can use the '-c' option to use our own +rules. In our case, the command line to start 'snort' with our own rules is: + + $ sudo snort -c 'custom.rules' -l $HOME/logs -i eth0 + +All we have to do now is fill the file 'custom.rules' with our custom rules. + +==== Resolution ==== + +The file 'Snort.pdf' from 'www.seren.net' and linked in the practical provides +us the syntax of a rule, which is: + +---- + function protocol source_ip source_port -> dest_ip dest_port [options] +---- + +To create a rule which simply alerts whenever a TCP packet is transmitted to +our HTTP server, we don't need any option so we will leave the field blank. The +following rule does what we intend. + + alert tcp any any -> $HOME_NET 80 + +Doing the same for HTTPS is very similar. We will append the message 'secured +website' to the alert though. + + alert tcp any any -> $HOME_NET 443 (msg:"secured website"; sid:1) + +Using the following rule, we can alert whenever a TCP packet is transmitted to +our web server using SSL or not. + + alert tcp any any -> $HOME_NET [80,443] + +Last but not least, if we want to alert only when packets are transmitted to +our port 443 and come from outside the university, we will use: + + alert tcp 129.12.0.0/16 any -> $HOME_net 443 + +Having '129.12.0.0/16' be an alternate notation of '129.12.0.0' with a mask of +'255.255.0.0'. + -- cgit v1.2.3
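Review bot: the last rule in the second hunk does the opposite of what the surrounding text says. "alert only when packets ... come from outside the university" needs the source network negated, i.e. `alert tcp !129.12.0.0/16 any -> $HOME_NET 443 (msg:"external HTTPS"; sid:4;)`; as written, `129.12.0.0/16` as the source matches exactly the university traffic the rule is meant to ignore. The same line also spells the variable `$HOME_net`, which does not match the `HOME_NET` set in Problem 1 (variable names are case-sensitive), so Snort will reject it as undefined. Since this hunk starts Snort with `-c 'custom.rules'` instead of `/etc/snort/snort.conf`, `HOME_NET` must also be defined in `custom.rules` (for example `var HOME_NET 10.0.0.5/32`, with the address from `ifconfig eth0`) or the `$HOME_NET` references in the other three rules are undefined too. Finally, only the HTTPS rule carries `msg` and `sid`; give every rule a unique `sid` and a descriptive `msg`, otherwise the alerts in `$HOME/logs` cannot be told apart and Snort 2.x will complain about rules without a sid.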