Unit 6: Snort 6.3 Activity and Discussion Activity: Running Snort in Network Intrusion Detection...

ACTIVITY: RUNNING SNORT IN NETWORK INTRUSION DETECTION SYSTEM MODE

This activity is ungraded.

Remember: Be sure to watch this Demo video from this unit before trying this activity. Watching me do it first will help you understand each of the steps.

You may also want to review these port scanning videos from Unit 3:

System: You can complete this activity on any system. These instructions are for Windows users.

  • Mac/Linux users should follow the same instructions, using syntax for those OSes instead.
  • You will also need access to a second computer (or a virtual machine on your computer) for part of this activity.

Downloads

Snort Download

Parts of this activity require the Kali VM downloaded in Unit 1, along with Wireshark. Instructions for installing Kali VM.

Time: This activity should take you 15 to 30 minutes to complete.

Goal
  • To use Snort for intrusion detection.
Instructions

Note: Hit Enter after each command.

In Intrusion Detection Mode, Snort records only packets defined by a set of rules. These rules are stored in a configuration file. In this exercise, you will create a basic Snort configuration file with various alerts, related to previous topics covered in this course.

  1. Open up a new Windows Command Line Interface and enter cd c:\snort\bin.
  2. At the command prompt, enter notepad c:\snort\etc\jonathan.conf.
  3. Click Yes to create a new file.
  4. In Notepad enter the following lines and save the file.

var HOME_NET 192.168.1.0/24
alert tcp any any -> $HOME_NET 4444 (msg:"Possible Metasploit attack"; sid:1;)

The first line declares a variable (HOME_NET), and assigns it a value (192.168.1.0/24).
Note: If your home network uses a different subnetting scheme, substitute yours instead.

The second line is the rule itself.

In the rule header, before the parenthesis, we’re using the word alert, which will alert and log when packets contain TCP segments from any source IP address and port sent to an IP address in the home network, with a destination port of 4444.

The rule options, inside the parenthesis, associate the string “Possible Metasploit attack” to any matches of this rule, and give this rule a unique Snort ID of 1.

Think back to our Metasploit activities: our Kali boxes used a source port of 4444 for the Reverse TCP Meterpreter shell. To simulate an IDS detecting this, we’re going to use port 4444 as a destination port on the victim machine, and not a source port on the attacker machine.

  1. At the command prompt, enter snort -i3 -l c:\snort\log -c c:\snort\etc\jonathan.conf. Keep Snort running.
    If you don’t have a mistake in the configuration file, Snort starts monitoring the network.
    If you have a mistake in the configuration file, edit the file and try again. The -c is to identify the location of the configuration file.
  2. Open a browser on a second machine and enter http://{IP Address of Snort Machine}:4444 in the URL bar. For example: http://192.168.1.107:4444
  3. Send a ping from the second machine to the machine running Snort.
  4. In the command prompt window where Snort is running, press Ctrl+C to stop Snort.
  5. Using Windows Explorer, go to the c:\snort\log folder, and find the alert.ids file.
  6. Right‐click alert.ids and open the file with a text editor or Microsoft Word.
    You’ll notice that just packets meeting the rule were logged, and not the pings.
  7. A log file has also been created. Open it with Wireshark, and notice that just the packets matching rules in the config file have been captured, mirroring the alert.ids file.

Think back to our port scanning activities. Now, we’re going to have Snort detect port scans.

  1. At the command prompt, enter notepad c:\snort\etc\scott.conf.
  2. Click Yes to create a new file.
  3. Type the following lines in Notepad and save the file:

alert tcp any any -> any any (msg:"FIN Scan"; flags:F; sid:2;)
alert tcp any any -> any any (msg:"Xmas Scan"; flags:FUP; sid:3;)
alert tcp any any -> any any (msg:"Null Scan"; flags:0; sid:4;)

Can you figure out what comes after flags: on each line?
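To make concrete how Snort evaluates a rule header and the flags: option, here is an added Python model (not Snort's code and not part of the course activity) that checks constructed packets against the four rules from jonathan.conf and scott.conf. The rule tuples, the HOME_NET constant and the packet dictionary layout are this example's own conventions.

```python
import ipaddress

# TCP flag bits named as in Snort's flags: option ("1" and "2" are the reserved bits)
FLAG_BITS = {"F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08,
             "A": 0x10, "U": 0x20, "2": 0x40, "1": 0x80}
HOME_NET = ipaddress.ip_network("192.168.1.0/24")  # var HOME_NET from the conf files

# The four rules from jonathan.conf and scott.conf, loaded together for illustration:
# (sid, msg, destination must be in $HOME_NET, destination port or None for any, flags option)
RULES = [(1, "Possible Metasploit attack", True, 4444, None),
         (2, "FIN Scan", False, None, "F"),
         (3, "Xmas Scan", False, None, "FUP"),
         (4, "Null Scan", False, None, "0")]


def flags_option_matches(option, tcp_flags):
    """Snort 'flags:' semantics: exact match of the flag byte by default, '0' means
    no flags set, a trailing '+' means 'at least these' and '*' 'any of these'.
    The '!' negation and the ',mask' form are not modelled here."""
    option = option.replace(" ", "")
    if option == "0":
        return tcp_flags == 0
    modifier = option[-1] if option[-1] in "+*" else ""
    want = 0
    for letter in option.rstrip("+*"):
        want |= FLAG_BITS[letter]
    if modifier == "+":
        return tcp_flags & want == want
    if modifier == "*":
        return tcp_flags & want != 0
    return tcp_flags == want


def evaluate(pkt):
    """Return '[1:sid:0] msg' for each rule a packet matches. pkt is a constructed dict
    with keys proto, dst, dport and flags (the TCP flag byte)."""
    hits = []
    if pkt["proto"] != "tcp":  # all four are 'tcp' rules, so the pings never match
        return hits
    for sid, msg, needs_home_net, dport, flags in RULES:
        if needs_home_net and ipaddress.ip_address(pkt["dst"]) not in HOME_NET:
            continue
        if dport is not None and pkt["dport"] != dport:
            continue
        if flags is not None and not flags_option_matches(flags, pkt["flags"]):
            continue
        hits.append(f"[1:{sid}:0] {msg}")
    return hits
```

A browser connecting to port 4444 sends a SYN, which trips sid 1 but none of the scan rules; a normal connection close (ACK+FIN) does not match flags:F because the match is exact.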

  1. At the command prompt, enter snort -i3 -l c:\snort\log -c c:\snort\etc\scott.conf. Keep Snort running.
  2. From your Kali box, send a FIN scan, a Null scan, and an Xmas scan to port 80 of the machine running Snort. (Instructions for this were included in Unit 1.)
  3. Open up the alert.ids file, and observe the results.
  4. A log file has also been created. Open it with Wireshark, and notice that just the packets matching rules in the config file have been captured, mirroring the alert.ids file.
  5. At the command prompt, enter notepad c:\snort\etc\weissman.conf.
  6. Click Yes to create a new file.
  7. Type the following lines in Notepad and save the file.

var HOME_NET 192.168.1.0/24
var PREPROC_RULE_PATH C:\Snort\preproc_rules
include classification.config
include $PREPROC_RULE_PATH\preprocessor.rules
include $PREPROC_RULE_PATH\decoder.rules
preprocessor sfportscan: proto  { all } \
                         scan_type { all } \
                         memcap { 10000000 } \
                         detect_ack_scans \
                         sense_level { high }

This ReadMe document has more information about the sfPortscan module we’re going to be using.

  1. At the command prompt, enter snort -i3 -l c:\snort\log -c c:\snort\etc\weissman.conf. Keep Snort running.
  2. From your Kali box, send a FIN scan, a Null scan, and an Xmas scan to the machine running Snort. Do not specify a port, but rather let Nmap scan the most common thousand ports.
  3. Take a look inside of alert.ids.
  4. Open up the log files generated in Wireshark. Examine the data portion of the packet simply labeled as IPv4. What else do you see in the capture file?

After you've finished, answer the Check Your Work questions.

Reprinted from: https://www.cnblogs.com/sec875/articles/10028772.html
