path: root/snort.asciidoci
== Snort Practical, Week 12 ==

The goal of this practical is to let us discover what intrusion detection
systems are and start to practice using the Snort implementation.

At the end of the practical, we should be able to write and understand simple
rules to detect and react to abnormal behaviour on our network.

=== Problem 1: Fresh install configuration issues ===

After installing Snort using our package manager, the configuration check fails
because a variable in the file '/etc/snort/snort.conf' appears not to be set to
a valid value.

==== Resolution ====

The header of that file describes the steps for building a configuration and
advises reading 'README.variables'. That file is not present on our machine: it
ships with the 'snort-doc' package, which we can install with 'apt-get'.

We can fix the configuration issue by setting 'HOME_NET' (the 'ipvar HOME_NET'
line of 'snort.conf') to the address that 'ifconfig eth0' reports for our
machine. A single host address makes '$HOME_NET' match only traffic to or from
that host; to watch the whole network segment, give it the network in CIDR
notation instead. Snort refuses to start if a rule references a variable that
is not defined. Running 'snort -T -c /etc/snort/snort.conf' parses the
configuration, reports any error and exits without sniffing, which is the
quickest way to confirm the fix.

=== Problem 2: Creating our own rules ===

The manpage 'snort (8)' tells us that the '-c' option names the configuration
file to load. A rules file is a valid configuration file, so we can point '-c'
at our own rules. In our case, the command line to start 'snort' with our own
rules is:

    $ sudo snort -c 'custom.rules' -l $HOME/logs -i eth0

'-l' names the directory where logs and alerts are written and '-i' the
interface to sniff; adding '-A console' prints each alert to the terminal as it
fires, which is convenient while testing. Because '/etc/snort/snort.conf' is
not loaded here, every variable our rules use, 'HOME_NET' in particular, must
be defined in 'custom.rules' itself with an 'ipvar' line (or passed on the
command line with '-S HOME_NET=<address>'); otherwise Snort stops with an
undefined-variable error.

All we have to do now is fill the file 'custom.rules' with our custom rules.

==== Resolution ====

The file 'Snort.pdf' from 'www.seren.net', linked in the practical, gives us the
syntax of a rule. Its first field, called the function there, is what Snort
itself calls the rule action ('alert', 'log', 'pass', ...):

----
    action protocol source_ip source_port -> dest_ip dest_port [options]
----

An address field may be 'any', a single address, a CIDR block, a '$VARIABLE'
or a bracketed, comma-separated list of these; a port field may be 'any', a
number, a range such as '1024:' or a list. A leading '!' negates a field. The
options, when present, follow the header in parentheses as 'keyword:value;'
pairs.

To create a rule which simply alerts whenever a TCP packet is transmitted to
our HTTP server, we need no payload matching, but current Snort 2 releases
refuse a rule that carries no 'sid' ("Each rule must contain a Rule-sid"), and
local rules conventionally use sids from 1000000 upwards so they cannot collide
with the distributed rule sets. The following rule does what we intend.

    alert tcp any any -> $HOME_NET 80 (msg:"web server"; sid:1000001; rev:1;)

Doing the same for HTTPS is very similar. We will append the message 'secured
website' to the alert though; it is what Snort prints beside the sid when the
rule fires.

    alert tcp any any -> $HOME_NET 443 (msg:"secured website"; sid:1000002; rev:1;)

Using the following rule, with a port list in the destination field, we can
alert whenever a TCP packet is transmitted to our web server, over SSL or not.

    alert tcp any any -> $HOME_NET [80,443] (msg:"web server, any port"; sid:1000003; rev:1;)

Last but not least, if we want to alert only on packets that are transmitted to
our port 443 and come from outside the university, we negate the university's
address block, '129.12.0.0/16', in the source field. With '129.12.0.0/16' left
unnegated the rule would match the opposite: traffic from inside the
university. Variable names are also case-sensitive, so '$HOME_net' would be an
undefined variable, not '$HOME_NET'.

    alert tcp !129.12.0.0/16 any -> $HOME_NET 443 (msg:"https from outside"; sid:1000004; rev:1;)

'129.12.0.0/16' is CIDR notation for the network '129.12.0.0' with mask
'255.255.0.0', i.e. every address from '129.12.0.0' to '129.12.255.255'.
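As a worked example added here (it is not part of the practical and not Snort's
own code), the following Python program implements the header half of the rule
syntax above, resolving '$HOME_NET' the way the 'ipvar' line of Problem 1 does,
and runs the four rules of this problem, with their sids, against constructed
packets. The 'HOME_NET' address, the other addresses and the packets are
assumptions; only '129.12.0.0/16' is taken from the rules themselves.

```python
"""Header-level matcher for Snort's rule syntax (added example, not Snort code).

Handles $VARIABLE substitution, 'any', single IPs, CIDR blocks, [a,b] lists,
'lo:hi' port ranges and a leading '!' that negates a whole field.  Options are
read only far enough to get msg/sid; payload options are not evaluated.
"""
import ipaddress
import re
from collections import namedtuple

# Assumed variable table standing in for the 'ipvar HOME_NET ...' line of
# snort.conf (Problem 1).  The address is constructed, not the practical's.
VARS = {"HOME_NET": "129.12.5.7/32", "EXTERNAL_NET": "!$HOME_NET"}

# action proto src_ip src_port -> dst_ip dst_port [(options)]
RULE_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<sip>\S+)\s+(?P<sport>\S+)"
    r"\s*->\s*(?P<dip>\S+)\s+(?P<dport>\S+)\s*(?:\((?P<opts>.*)\))?$"
)

Rule = namedtuple("Rule", "action proto src_ip src_port dst_ip dst_port options")
Packet = namedtuple("Packet", "proto src_ip src_port dst_ip dst_port")

def parse_rule(text):
    """Split one rule line into header fields and a {keyword: value} dict."""
    m = RULE_RE.match(text.strip())
    if not m:
        raise ValueError(f"not a rule: {text!r}")
    options = {}
    for opt in (m["opts"] or "").split(";"):   # naive: breaks on ';' in content
        if opt.strip():
            key, _, val = opt.partition(":")
            options[key.strip()] = val.strip().strip('"')
    return Rule(m["action"], m["proto"].lower(), m["sip"], m["sport"],
                m["dip"], m["dport"], options)

def _expand(spec):
    """Substitute $VAR references; like Snort, refuse an undefined variable."""
    while (m := re.search(r"\$(\w+)", spec)):
        if m.group(1) not in VARS:
            raise KeyError(f"undefined variable ${m.group(1)}")
        spec = spec.replace("$" + m.group(1), VARS[m.group(1)])
    return spec

def _items(spec):
    """'[80,443]' -> ['80', '443']; anything else -> [spec]."""
    if spec.startswith("[") and spec.endswith("]"):
        return [p.strip() for p in spec[1:-1].split(",") if p.strip()]
    return [spec]

def ip_matches(spec, addr):
    """Is addr inside spec ('any', IP, CIDR, list, '$VAR' or '!'-negated)?"""
    spec = _expand(spec)
    if spec.startswith("!"):
        return not ip_matches(spec[1:], addr)
    ip = ipaddress.ip_address(addr)
    return any(item == "any" or ip in ipaddress.ip_network(item, strict=False)
               for item in _items(spec))

def port_matches(spec, port):
    """Is port inside spec ('any', number, 'lo:hi' range, list or '!'-negated)?"""
    spec = _expand(spec)
    if spec.startswith("!"):
        return not port_matches(spec[1:], port)
    for item in _items(spec):
        if item == "any":
            return True
        lo, is_range, hi = item.partition(":")
        if is_range and int(lo or 0) <= port <= int(hi or 65535):
            return True
        if not is_range and int(item) == port:
            return True
    return False

def rule_matches(rule, pkt):
    """Header match only: protocol, both addresses and both ports."""
    return (rule.proto in ("ip", pkt.proto)
            and ip_matches(rule.src_ip, pkt.src_ip)
            and port_matches(rule.src_port, pkt.src_port)
            and ip_matches(rule.dst_ip, pkt.dst_ip)
            and port_matches(rule.dst_port, pkt.dst_port))

# The four rules of this problem, each with the sid Snort insists on.
RULES = [parse_rule(r) for r in (
    'alert tcp any any -> $HOME_NET 80 (msg:"web server"; sid:1000001; rev:1;)',
    'alert tcp any any -> $HOME_NET 443 (msg:"secured website"; sid:1000002; rev:1;)',
    'alert tcp any any -> $HOME_NET [80,443] (msg:"web server, any port"; sid:1000003; rev:1;)',
    'alert tcp !129.12.0.0/16 any -> $HOME_NET 443 (msg:"https from outside"; sid:1000004; rev:1;)',
)]

def sids_fired(pkt):
    """Sorted sids of every alert rule in RULES whose header matches pkt."""
    return sorted(int(r.options["sid"]) for r in RULES
                  if r.action == "alert" and rule_matches(r, pkt))

if __name__ == "__main__":
    # Constructed packet: an outside host reaching our HTTPS port.
    print(sids_fired(Packet("tcp", "8.8.8.8", 40000, "129.12.5.7", 443)))
```

A packet from an outside address to our port 443 fires sids 1000002, 1000003
and 1000004, while the same packet from a '129.12.0.0/16' address fires only the
first two, which is exactly the difference the negated source field makes.
Changing 'VARS["HOME_NET"]' to a /24 shows why the CIDR form of 'HOME_NET' from
Problem 1 matters: packets to neighbouring hosts then start matching too. The
matcher stops at the header; payload options remain Snort's job.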