== Snort Practical, Week 12 ==

The goal of this practical is to discover what intrusion detection systems are and to start practising with the Snort implementation. By the end of it we should be able to write and understand simple rules that detect, and react to, abnormal behaviour on our network.

=== Problem 1: Fresh install configuration issues ===

After installing Snort with the package manager, the configuration check fails because a variable in '/etc/snort/snort.conf' is not set to a valid value.

==== Resolution ====

The header of that file describes the steps needed to build a working configuration and advises reading 'README.variables'. That file is not present on our machine: it ships in the 'snort-doc' package, which we install with 'apt-get'.

The variable in question is 'HOME_NET', the address space Snort treats as ours and the one that '$HOME_NET' expands to in the rules. We fix the check by setting it to the address reported by 'ifconfig eth0', written in CIDR notation ('a.b.c.d/32' for our single host, or the whole local subnet if the rules should cover every machine on it).

=== Problem 2: Creating our own rules ===

The manpage 'snort (8)' tells us that the '-c' option selects the rules file to load. The command line to start 'snort' with our own rules, logging to '$HOME/logs' and listening on 'eth0', is:

----
$ sudo snort -c custom.rules -l $HOME/logs -i eth0
----

One caveat: when 'custom.rules' is loaded on its own, nothing defines '$HOME_NET' for it. The variable must be declared in that file (an 'ipvar HOME_NET ...' line, as in 'snort.conf') or passed on the command line with '-S HOME_NET=...', otherwise Snort refuses to start with an undefined-variable error. Adding '-A console' prints the alerts to the terminal, and '-T' only checks that the configuration and rules parse, without starting a capture.

All we have to do now is fill 'custom.rules' with our custom rules.

==== Resolution ====

The file 'Snort.pdf' from 'www.seren.net', linked from the practical, gives the syntax of a rule:

----
action protocol source_ip source_port -> dest_ip dest_port [options]
----

'action' is what Snort does on a match ('alert', 'log', 'pass', ...), 'protocol' is 'tcp', 'udp', 'icmp' or 'ip', the addresses take 'any', a single address or a CIDR block (a list in brackets is allowed, and a leading '!' negates the match), and the ports take 'any', a number, a range or a bracketed list. The options, when present, are a parenthesised list of 'keyword:value;' pairs, each terminated by a semicolon.

To alert whenever a TCP packet is transmitted to our HTTP server we need no content matching, so the options only number the rule. Every rule should carry a unique 'sid' (and a 'rev') so that Snort can identify its alerts and later revisions of the rule, and recent Snort versions reject a rule without one; numbers from 1000000 upwards are the range left free for local rules.

----
alert tcp any any -> $HOME_NET 80 (sid:1000001; rev:1;)
----

Doing the same for HTTPS is very similar. We attach the message 'secured website' to the alert:

----
alert tcp any any -> $HOME_NET 443 (msg:"secured website"; sid:1000002; rev:1;)
----

Using a port list, one rule alerts whenever a TCP packet is transmitted to our web server, over SSL or not:

----
alert tcp any any -> $HOME_NET [80,443] (sid:1000003; rev:1;)
----

Last but not least, if we want to alert only on packets to port 443 that come from outside the university, we negate the university's address block in the source field. '129.12.0.0/16' is the CIDR form of '129.12.0.0' with a mask of '255.255.0.0', and the leading '!' turns it into "any source not in that block"; written without the '!', the rule would do the opposite and alert on campus traffic only.

----
alert tcp !129.12.0.0/16 any -> $HOME_NET 443 (sid:1000004; rev:1;)
----
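To check how a rule header is evaluated, field by field, here is a small Python evaluator written for this write-up. It is not Snort and is not code from the practical or from 'Snort.pdf': it models only the header (action, protocol, source and destination address and port) plus the 'msg' and 'sid' options, loads a constructed 'custom.rules' in which 'HOME_NET' is a made-up host '129.12.3.4/32' assumed to sit inside the university's '129.12.0.0/16', and reports which sids fire on constructed packets. The rule messages, sids and packets are all invented for the example; a second rules string carries the un-negated '129.12.0.0/16' source so the inversion mistake can be seen.

```python
import ipaddress
import re

# header: action proto src sport -> dst dport, optionally followed by "(options)"
HEADER_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+->\s+"
    r"(?P<dst>\S+)\s+(?P<dport>\S+)\s*(?:\((?P<opts>.*)\))?$"
)

def _items(spec):                       # '[a,b]' -> ['a', 'b']; bare token -> [token]
    if spec.startswith("[") and spec.endswith("]"):
        return [s.strip() for s in spec[1:-1].split(",") if s.strip()]
    return [spec]

def parse_ip_spec(spec, variables):
    """Address field -> (negated, list of networks, or None for 'any')."""
    for name, value in variables.items():   # textual $VAR substitution, as snort.conf does
        spec = spec.replace("$" + name, value)
    if "$" in spec:                         # Snort refuses to start on an undefined variable
        raise ValueError("undefined variable in %r" % spec)
    negated, spec = spec.startswith("!"), spec.lstrip("!")
    if spec == "any":
        return negated, None
    return negated, [ipaddress.ip_network(s, strict=False) for s in _items(spec)]

def parse_port_spec(spec):
    """Port field -> (negated, list of (lo, hi) ranges, or None for 'any')."""
    negated, spec = spec.startswith("!"), spec.lstrip("!")
    if spec == "any":
        return negated, None
    ranges = []
    for item in _items(spec):
        lo, sep, hi = item.partition(":")   # 'N', 'lo:hi', ':hi' or 'lo:'
        ranges.append((int(lo or 0), int(hi or 65535) if sep else int(lo)))
    return negated, ranges

def _ok(spec, value, contains):
    """Apply a parsed (negated, items) spec to one value: None means 'any', '!' inverts."""
    negated, items = spec
    return (items is None or any(contains(value, i) for i in items)) != negated

def _in_net(addr, net):
    return ipaddress.ip_address(addr) in net

def _in_range(port, r):
    return r[0] <= port <= r[1]

def parse_options(text):
    """'msg:"x"; sid:1; rev:1;' -> {'msg': 'x', 'sid': '1', 'rev': '1'} (no ';' inside quotes)."""
    opts = {}
    for item in (text or "").split(";"):
        key, _, value = item.strip().partition(":")
        if key:
            opts[key] = value.strip().strip('"')
    return opts

def load_rules(text):
    """Parse a rules file into {sid: rule}; 'ipvar'/'var' lines define $variables."""
    variables, rules = {}, {}
    for line in (l.strip() for l in text.splitlines()):
        if not line or line.startswith("#"):
            continue
        if line.split()[0] in ("ipvar", "var"):
            _, name, value = line.split(None, 2)
            variables[name] = value
            continue
        m = HEADER_RE.match(line)
        if not m:
            raise ValueError("cannot parse rule: " + line)
        opts = parse_options(m.group("opts"))
        if "sid" not in opts:               # every rule needs a unique sid to be identifiable
            raise ValueError("rule without sid: " + line)
        sid = int(opts["sid"])
        if sid in rules:
            raise ValueError("duplicate sid %d" % sid)
        rules[sid] = dict(
            action=m.group("action"), proto=m.group("proto").lower(), msg=opts.get("msg", ""),
            src=parse_ip_spec(m.group("src"), variables), sport=parse_port_spec(m.group("sport")),
            dst=parse_ip_spec(m.group("dst"), variables), dport=parse_port_spec(m.group("dport")))
    return rules

def evaluate(rules, proto, src, sport, dst, dport):
    """Sorted sids of the rules whose header matches this (constructed) packet."""
    return sorted(sid for sid, r in rules.items()
                  if r["proto"] in ("ip", proto.lower())
                  and _ok(r["src"], src, _in_net) and _ok(r["sport"], sport, _in_range)
                  and _ok(r["dst"], dst, _in_net) and _ok(r["dport"], dport, _in_range))

# Constructed custom.rules: HOME_NET is a made-up host inside the university's
# 129.12.0.0/16, declared in the file so that `snort -c custom.rules` can resolve it.
CUSTOM_RULES = """ipvar HOME_NET 129.12.3.4/32
alert tcp any any -> $HOME_NET 80 (msg:"website"; sid:1000001; rev:1;)
alert tcp any any -> $HOME_NET 443 (msg:"secured website"; sid:1000002; rev:1;)
alert tcp any any -> $HOME_NET [80,443] (msg:"website, SSL or not"; sid:1000003; rev:1;)
alert tcp !129.12.0.0/16 any -> $HOME_NET 443 (msg:"HTTPS from outside the university"; sid:1000004; rev:1;)
"""

# The last rule without its '!': the easy mistake, which alerts on campus traffic instead.
MISTAKEN_RULE = """ipvar HOME_NET 129.12.3.4/32
alert tcp 129.12.0.0/16 any -> $HOME_NET 443 (msg:"wrong way round"; sid:1000005; rev:1;)
"""
```

Calling 'evaluate(load_rules(CUSTOM_RULES), "tcp", "8.8.8.8", 51234, "129.12.3.4", 443)' returns the sids of the HTTPS rule, the port-list rule and the outside-the-university rule; the same packet from '129.12.7.7' fires only the first two, and under 'MISTAKEN_RULE' the campus address is the one that fires. Real Snort also applies the rule options (content matching, flow state, thresholds) after the header, which this toy does not model; the header check, however, is where the '!' and '$HOME_NET' mistakes are made.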