Snort is a free and open-source network intrusion detection system (NIDS) for Linux and Windows that inspects network traffic against a set of rules to detect emerging threats.
In this lab, you will evaluate how IDS commands, configuration, and rules can be designed to protect your system.
Part 1: Introduction to Snort
- Turn on the Windows VM.
- Open a browser and visit https://www.7-zip.org for an archive extractor. Download the Windows 64-bit x64 version. When prompted, click Run to download and install the package. If a Windows Defender SmartScreen warning appears, click More info and then Run anyway. When prompted by User Account Control, click Yes.
- Click Install in 7-Zip Setup. Once it is installed, click Close.
- Browse to https://www.microsoft.com/en-us/download/details.aspx?id=52685 for Microsoft Visual C++ 2015 Redistributable Update 3 RC, a runtime library the Snort Windows build needs. Click Download. Check vc_redist.x64.exe and click Next. Repeat the prompt handling from step 2 (Run, SmartScreen, User Account Control). Check I agree to the license terms and conditions and click Install. Once the installation is complete, click Close.
- Browse to https://npcap.com/#download for a Windows packet capture driver, which Snort uses to read packets from the network interface. Click on the Npcap 1.70 installer or a newer version. Repeat the prompt handling from step 2.
- In Npcap Setup, click I Agree. Click Install. Click Next. Then click Finish once the installation is complete.
- In the browser, browse to https://www.snort.org/downloads for the list of Snort installation packages. Under Snort and Binaries, click on Snort_2_9_16_1_Installerx64.exe or a newer version. Repeat the prompt handling from step 2.
- In Snort Setup, click I Agree. Click Next. Click Next again. Then click Close once the installation is complete. Click OK. This installs Snort in the C:\Snort\ directory.
- Now you need some intrusion detection rules. In the browser, still on the Snort downloads site, under Rules, Community, and Snort v2.9, click the link for community-rules.tar.gz to download the community-maintained open-source Snort rules. Click Save, then open the download folder.
- In the Windows Explorer window that opens, right-click the community-rules.tar.gz file. In the menu, hover over 7-Zip and click on Extract Here.
- Repeat step 10 for the newly-created community-rules.tar file. This extracts the Snort rules and licensing information into a community-rules\ folder. Open the file Downloads\community-rules\community.rules with Notepad and scroll to the bottom.
You can see the rules that the community has developed, what they alert on, and whether each one is enabled or disabled (disabled rules are commented out with “#”).
Each rule starts with a rule header: a rule action (“alert”), a protocol (“tcp”), a source address and source port (“any any”), a direction operator (“->”), and a destination address and destination port (“any any”). The header is followed by the rule options in parentheses, such as the alert message (msg) and the signature ID (sid), which describe the rule and narrow what it matches.
The rule action is what Snort does when a packet matches the rule (alert, log, or pass; drop and reject only take effect when Snort runs inline). The protocol is the one Snort looks for: tcp, udp, icmp, or ip, where ip matches any IP packet regardless of its transport protocol. The source address and source port are the IP address and port number the packet comes from; “any” matches everything, and the port field is ignored for protocols that have no ports, such as ICMP. The direction operator gives the flow direction (“->” is one-way from source to destination; “<>” matches both directions). The destination address and destination port are the IP address and port number the packet is sent to.
- Review the types of Snort NIDS rules. Close the browser.
- Open the file C:\Snort\etc\snort.conf with Notepad to edit the Snort configuration. Review the 9 numbered sections (Step #1 through Step #9) that the file uses to organize the configuration, from the network variables through to the rule sets. The line numbers below refer to the unmodified snort.conf that ships with Snort 2.9.16.1; they may shift slightly in newer versions, so search for the quoted text if a line does not match.
- Press Ctrl+G and enter 104 to skip to line 104. This is how you can quickly find lines in Notepad.
- The line is var RULE_PATH ../rules under Step #1. This is a relative path; because of a known issue with relative paths on Windows, Snort recommends using absolute paths instead. Press Ctrl+H. In Find what, enter “../” and in Replace with, enter “C:\Snort\”. Click Replace All. This changes all of the relative paths (RULE_PATH and the other *_PATH variables) to absolute paths, so the line becomes:
var RULE_PATH C:\Snort\rules
- Line 186 is # config logdir: under Step #2. Uncomment it and give it a directory so that Snort writes its output to a known location:
config logdir: C:\Snort\log
- Line 247 is dynamicpreprocessor directory /usr/local/lib/snort_dynamicpreprocessor/ under Step #4. Delete the line's trailing forward slash:
dynamicpreprocessor directory /usr/local/lib/snort_dynamicpreprocessor
- Snort was originally a Linux tool, so the config contains references to Linux paths. Press Ctrl+H and replace “/usr/local/lib/” with “C:\Snort\lib\”, then click Replace All.
- Line 250 is now dynamicengine C:\Snort\lib\snort_dynamicengine/libsf_engine.so. Two changes are needed here. First, change “/libsf” to “\sf”: the Windows build ships the engine as sf_engine rather than libsf_engine, and the separator should be a backslash. Second, Linux uses shared objects for dynamic libraries while Windows uses dynamic-link libraries, so change the line's ending from “.so” to “.dll”:
dynamicengine C:\Snort\lib\snort_dynamicengine\sf_engine.dll
- Line 253 is dynamicdetection directory C:\Snort\lib\snort_dynamicrules. Comment out the line; this lab uses plain-text rules only, not precompiled shared-object rules:
# dynamicdetection directory C:\Snort\lib\snort_dynamicrules
- Line 265 is preprocessor normalize_ip4 under Step #5. This and the other 4 packet normalization lines (normalize_tcp, normalize_icmp4, normalize_ip6, normalize_icmp6) generate errors at runtime, since normalization only applies when Snort runs inline. Comment each of the 5 lines out.
- Line 507 begins the Reputation preprocessor. Comment out this line and the following 5 lines (its continuation lines, each ending in a backslash) so that Snort does not look for the white_list.rules and black_list.rules files they reference, which this lab does not create.
- Line 534 is include classification.config under Step #6. Prefix it with the path “C:\Snort\etc\”:
include C:\Snort\etc\classification.config
- Add the same path to the following line, include reference.config, so that it reads include C:\Snort\etc\reference.config.
- On the next line, add an output entry so that Snort writes every alert as a single line, in the quick alert_fast format, to alert.ids in the log directory, as fast as the detection engine generates them:
output alert_fast: alert.ids
- Review the rules file entries under Step #7. The naming convention (one file per category) helps with maintaining the rules. However, for this exercise, comment out or delete all of those rules file entries and replace them with these 2 entries:
include $RULE_PATH\community.rules
include $RULE_PATH\user.rules
- Press Ctrl+H and replace “ipvar” with “var”, then click Replace All. The Windows build rejects the ipvar keyword, so the network variables (HOME_NET, EXTERNAL_NET and the server lists) must be declared with var.
- Press Ctrl+S to save the changes to the Snort configuration file.
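The configuration edits above are easy to get wrong by hand in Notepad, and you will want to redo them on a fresh snort.conf after an upgrade. The following script, added here as an example and not part of the lab or of Snort, applies the same edits (absolute paths, the log directory, the dynamic library lines, the disabled preprocessors, the two config includes, the alert_fast output, the two rules includes, and ipvar to var) as one transformation. SAMPLE_CONF is a constructed excerpt containing the kinds of lines the lab touches rather than the full shipped file, and C:\Snort\ is the lab's assumed install root. To use it on the real file, read C:\Snort\etc\snort.conf, pass its text to windowsize_snort_conf, and write the result back.

```python
"""Apply the lab's snort.conf edits for Windows as one repeatable transformation.

Added example; it is not part of the lab and not a Snort tool. It reproduces
the Notepad edits from the RULE_PATH line through the ipvar replacement as
text transformations so the result can be regenerated from a fresh
snort.conf and checked. SAMPLE_CONF is a constructed excerpt holding only
the kinds of lines the lab edits, not the full shipped file, and the
install root C:\\Snort\\ is the lab's assumption.
"""

SNORT_ROOT = r"C:\Snort"  # assumed default install location from the lab

# Constructed excerpt of snort.conf, in the order the lab visits the lines.
SAMPLE_CONF = r"""
ipvar HOME_NET any
ipvar EXTERNAL_NET any
var RULE_PATH ../rules
var SO_RULE_PATH ../so_rules
var WHITE_LIST_PATH ../rules
# config logdir:
dynamicpreprocessor directory /usr/local/lib/snort_dynamicpreprocessor/
dynamicengine /usr/local/lib/snort_dynamicengine/libsf_engine.so
dynamicdetection directory /usr/local/lib/snort_dynamicrules
preprocessor normalize_ip4
preprocessor normalize_tcp: ips ecn stream
preprocessor normalize_icmp4
preprocessor normalize_ip6
preprocessor normalize_icmp6
preprocessor reputation: \
   memcap 500, \
   priority whitelist, \
   nested_ip inner, \
   whitelist $WHITE_LIST_PATH/white_list.rules, \
   blacklist $BLACK_LIST_PATH/black_list.rules
include classification.config
include reference.config
include $RULE_PATH/local.rules
include $RULE_PATH/app-detect.rules
""".lstrip("\n")


def windowsize_snort_conf(text: str, root: str = SNORT_ROOT) -> str:
    """Return the configuration with the lab's Windows edits applied."""
    root = root.rstrip("\\") + "\\"
    out = []
    in_reputation = False
    for line in text.splitlines():
        # Relative "../" paths and the Linux library path become absolute.
        line = line.replace("../", root).replace("/usr/local/lib/", root + "lib\\")
        # Uncomment the log directory and point it at <root>\log.
        if line.strip() == "# config logdir:":
            line = f"config logdir: {root}log"
        # No trailing slash on the dynamic preprocessor directory.
        if line.startswith("dynamicpreprocessor directory"):
            line = line.rstrip("/")
        # The Windows engine is sf_engine.dll, behind a backslash.
        if line.startswith("dynamicengine"):
            line = line.replace("/libsf_engine.so", "\\sf_engine.dll")
        # Disable shared-object rule loading and the normalize preprocessors.
        if line.startswith(("dynamicdetection", "preprocessor normalize_")):
            line = "# " + line
        # Comment out the reputation block, continuation lines included.
        if line.startswith("preprocessor reputation:"):
            in_reputation = True
        if in_reputation:
            line = "# " + line
            in_reputation = line.rstrip().endswith("\\")
        # Absolute paths for the two config includes, then the alert_fast
        # output line directly after reference.config.
        if line in ("include classification.config", "include reference.config"):
            line = line.replace("include ", f"include {root}etc\\")
            if line.endswith("reference.config"):
                out.append(line)
                line = "output alert_fast: alert.ids"
        # Drop every shipped rules include; the lab's two go at the end.
        if line.startswith("include $RULE_PATH"):
            continue
        # The Windows build rejects ipvar.
        if line.startswith("ipvar "):
            line = "var " + line[len("ipvar "):]
        out.append(line)
    out += ["include $RULE_PATH\\community.rules", "include $RULE_PATH\\user.rules"]
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print(windowsize_snort_conf(SAMPLE_CONF), end="")
```

Running the transformation twice yields the same text, so it is safe to re-run on a file that was already converted.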
Part 2: Create NIDS Rules
- In Command Prompt, copy the community rules to the Snort rules directory. The relative path assumes the prompt opened in your user profile folder, which contains Downloads:
copy Downloads\community-rules\community.rules C:\Snort\rules\
- In Notepad, press Ctrl+N for a new document.
- In the document, add the following 3 header lines.
#---------------------
# USER-DEFINED RULES
#---------------------
- After those, create a rule entry with no narrowing criteria, so that it fires on any ICMP packet that passes the network interface. We provide a signature ID (sid), which is required; SIDs below 1000000 are reserved for the official rule sets, so when you write your own Snort rules you start at 1000000 or above. A revision number (rev) is conventional. Use straight ASCII quotes around the message and end each option with a semicolon, or Snort will refuse to load the rule.
alert icmp any any -> any any (msg:"ICMP packet found"; sid:1000001; rev:1;)
- Repeat step 32 to create a rule for TCP, using the next available signature ID (1000002).
- Repeat step 32 to create a rule for IP, using the next available signature ID (1000003). Note that an ip rule matches every IP packet, including the ICMP and TCP packets the first two rules already match.
- Press Ctrl+S to save the rules file. Change Save as type from Text Documents (*.txt) to All Files so that Notepad does not append a .txt extension. Browse to C:\Snort\rules\, name the new file “user.rules”, and click Save.
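To make the rule structure described after step 11 concrete, and to check the three rules written in steps 32 to 34, here is a small parser and linter, added as an example (it is not lab material and not Snort's own parser). It splits the rule header into the action, protocol, source, direction and destination fields, parses the options into a dictionary, and flags two things: a sid below 1000000, and a header of all any with no option that narrows the match, which is exactly what makes the lab's rules fire on every packet of their protocol. The tightened rules and the 192.168.56.0/24 addresses are assumptions illustrating narrower versions, not lab content.

```python
"""Parse Snort 2.9 rule lines and lint the lab's user-defined rules.

Added example; not part of the lab and not Snort's own parser. It splits a
rule into the header fields (action, protocol, source, direction,
destination) plus its options, then applies two checks: a local rule needs a
sid of 1000000 or higher, and a header that is all 'any' with no narrowing
option fires on every packet of its protocol. The "tightened" rules are
constructed examples (assumed lab subnet 192.168.56.0/24), not lab content.
"""
import re
from dataclasses import dataclass, field

LOCAL_SID_MIN = 1_000_000
# A representative set of options that constrain which packets can match.
NARROWING = {"content", "pcre", "itype", "icode", "flags", "flow",
             "dsize", "ttl", "ip_proto", "fragbits"}

HEADER_RE = re.compile(
    r"^(?P<action>alert|log|pass|drop|reject|sdrop)\s+"
    r"(?P<proto>tcp|udp|icmp|ip)\s+"
    r"(?P<src>\S+)\s+(?P<sport>\S+)\s+(?P<direction>->|<>)\s+"
    r"(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$"
)


@dataclass
class Rule:
    action: str
    proto: str
    src: str
    sport: str
    direction: str
    dst: str
    dport: str
    options: dict = field(default_factory=dict)

    @property
    def sid(self):
        return int(self.options["sid"]) if "sid" in self.options else None


def _store(opts: dict, token: str) -> None:
    token = token.strip()
    if token:
        key, sep, val = token.partition(":")
        # Flag-only options such as 'nocase' carry no value.
        opts[key.strip()] = val.strip().strip('"') if sep else True


def parse_options(text: str) -> dict:
    """Split 'msg:"a; b"; sid:1;' on the semicolons that are outside quotes."""
    opts, token, quoted = {}, "", False
    for ch in text:
        if ch == '"':
            quoted = not quoted
        if ch == ";" and not quoted:
            _store(opts, token)
            token = ""
        else:
            token += ch
    _store(opts, token)  # the last option may omit its trailing ';'
    return opts


def parse_rule(line: str) -> Rule:
    m = HEADER_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a Snort rule: {line!r}")
    g = m.groupdict()
    return Rule(g["action"], g["proto"], g["src"], g["sport"], g["direction"],
                g["dst"], g["dport"], parse_options(g["opts"]))


def lint_rule(rule: Rule) -> list:
    problems = []
    if rule.sid is None:
        problems.append("missing sid (required)")
    elif rule.sid < LOCAL_SID_MIN:
        problems.append(f"sid {rule.sid} is in the range reserved for official rule sets")
    if "msg" not in rule.options:
        problems.append("missing msg")
    all_any = all(f == "any" for f in (rule.src, rule.sport, rule.dst, rule.dport))
    if all_any and not NARROWING.intersection(rule.options):
        problems.append(f"matches every {rule.proto} packet; add addresses, ports or a narrowing option")
    return problems


def lint_file(text: str) -> dict:
    """Return {sid: [problems]} for the rules in a rules file that have any."""
    report = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):  # blank lines and disabled rules
            continue
        rule = parse_rule(line)
        problems = lint_rule(rule)
        if problems:
            report[rule.sid] = problems
    return report


# Constructed copy of the lab's user.rules (steps 31 to 34).
LAB_RULES = """\
#---------------------
# USER-DEFINED RULES
#---------------------
alert icmp any any -> any any (msg:"ICMP packet found"; sid:1000001; rev:1;)
alert tcp any any -> any any (msg:"TCP packet found"; sid:1000002; rev:1;)
alert ip any any -> any any (msg:"IP packet found"; sid:1000003; rev:1;)
"""

# Constructed narrower versions (assumed lab subnet 192.168.56.0/24): echo
# requests to the Windows VM, SSH connection attempts (SYN to port 22), and
# IP traffic reaching the VM from outside the lab subnet.
TIGHTENED_RULES = """\
alert icmp any any -> 192.168.56.101 any (msg:"ICMP echo request to host"; itype:8; sid:1000011; rev:1;)
alert tcp any any -> 192.168.56.101 22 (msg:"SSH connection attempt"; flags:S; sid:1000012; rev:1;)
alert ip !192.168.56.0/24 any -> 192.168.56.101 any (msg:"IP traffic from outside the lab subnet"; sid:1000013; rev:1;)
"""

if __name__ == "__main__":
    for name, text in (("lab", LAB_RULES), ("tightened", TIGHTENED_RULES)):
        print(name, lint_file(text) or "no problems")
```

The NARROWING set is deliberately small; the point is that a header of all any plus only msg, sid and rev gives Snort nothing to discriminate on, which is why the lab's three rules alert on every packet and why the ip rule duplicates the other two.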
- In Command Prompt, use the ipconfig /all command to find the MAC address (labeled as Physical Address) of the Ethernet adapter that holds the Windows VM's IP address, for example 192.168.56.101:
ipconfig /all
- Get a list of the network interfaces Snort can capture on:
C:\Snort\bin\snort -W
Take note of the Index number of the interface whose Physical Address matches the one from above. Let's assume it is 5.
- Run Snort with the correct index number in place of 5. To catch configuration mistakes first, you can run the same command with -T (test mode) added and -A console removed: Snort then parses snort.conf, loads the rules, reports any error, and exits. The command below stays in the foreground until you stop it. Leave it running for now.
C:\Snort\bin\snort -i 5 -A console -c C:\Snort\etc\snort.conf -l C:\Snort\log -K ascii
The -i option specifies which interface to listen on.
The -A option specifies the alert mode; console prints each alert to the screen in the one-line fast format.
The -c option specifies which configuration file to use.
The -l option specifies the directory to write logs to.
The -K option specifies the packet logging mode; ascii writes logged packets as readable text in per-host subdirectories of the log directory instead of a pcap file.
- Open the Kali VM. In Terminal, send 4 ICMP echo requests to the Windows VM:
ping -c 4 192.168.56.101
- Attempt to SSH into the Windows VM:
ssh user@192.168.56.101
It will fail, because no SSH server is listening on the Windows VM, so after a few seconds press Ctrl+C. The TCP SYN packets still reach the interface, so Snort sees them.
- In the browser in Kali, try browsing to http://192.168.56.101 or the appropriate Windows IP. As with SSH, the connection packets reach the interface and are seen by Snort whether or not a web server answers.
- Close the Kali VM.
- In the Windows VM, notice the alerts that have shown up in Command Prompt. Press Ctrl+C to end the process. In Windows Explorer, browse through the logs in C:\Snort\log\: alert.ids holds the one-line alerts, and the per-host directories hold the ASCII packet logs.
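To make sense of the alerts, here is a parser for the alert_fast format that alert.ids and the -A console output use, added as an example (not from the lab or from Snort). It counts alerts by rule, source host and protocol, and groups alerts that share a timestamp and endpoints, which shows the overlap between the ip rule and the icmp and tcp rules. The sample lines are constructed to resemble what the lab's three rules would produce for the Kali ping and SSH attempt, with Kali assumed to be 192.168.56.102; the last line, with a Classification field, shows what a rule that sets a classtype produces.

```python
"""Summarize Snort alert_fast output (C:\\Snort\\log\\alert.ids or -A console).

Added example, not part of the lab or of Snort. It parses the one-line
"fast" alert format that the output alert_fast line in snort.conf produces,
counts alerts per rule, source host and protocol, and shows which rules
fired on the same packet. SAMPLE_ALERTS is constructed to resemble what the
lab's three catch-all rules would log for the Kali ping and SSH attempt
(Kali assumed to be 192.168.56.102); it is not a real capture.
"""
import re
from collections import Counter, defaultdict

ALERT_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}-\d{2}:\d{2}:\d{2}\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?"  # only if the rule has a classtype
    r"\[Priority:\s*(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>\w+)\}\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s*$"
)

# Constructed sample: each ping and each SSH SYN triggers two of the lab's
# rules (the protocol rule and the catch-all ip rule); the last line is from
# a hypothetical tightened rule with classtype attempted-recon.
SAMPLE_ALERTS = """\
08/21-14:03:12.104211  [**] [1:1000001:1] ICMP packet found [**] [Priority: 0] {ICMP} 192.168.56.102 -> 192.168.56.101
08/21-14:03:12.104211  [**] [1:1000003:1] IP packet found [**] [Priority: 0] {ICMP} 192.168.56.102 -> 192.168.56.101
08/21-14:03:13.106530  [**] [1:1000001:1] ICMP packet found [**] [Priority: 0] {ICMP} 192.168.56.102 -> 192.168.56.101
08/21-14:03:13.106530  [**] [1:1000003:1] IP packet found [**] [Priority: 0] {ICMP} 192.168.56.102 -> 192.168.56.101
08/21-14:03:40.551902  [**] [1:1000002:1] TCP packet found [**] [Priority: 0] {TCP} 192.168.56.102:50122 -> 192.168.56.101:22
08/21-14:03:40.551902  [**] [1:1000003:1] IP packet found [**] [Priority: 0] {TCP} 192.168.56.102:50122 -> 192.168.56.101:22
08/21-14:03:41.553377  [**] [1:1000002:1] TCP packet found [**] [Priority: 0] {TCP} 192.168.56.102:50122 -> 192.168.56.101:22
08/21-14:03:41.553377  [**] [1:1000003:1] IP packet found [**] [Priority: 0] {TCP} 192.168.56.102:50122 -> 192.168.56.101:22
08/21-14:04:02.220004  [**] [1:1000012:1] SSH connection attempt [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.56.102:50130 -> 192.168.56.101:22
"""


def parse_alert(line: str):
    """Return the fields of one alert_fast line as a dict, or None if it is not one."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    a = m.groupdict()
    for key in ("gid", "sid", "rev", "prio"):
        a[key] = int(a[key])
    # TCP/UDP endpoints are host:port; ICMP and raw IP carry no port.
    # (IPv4 only: an IPv6 address would need bracket handling.)
    for end in ("src", "dst"):
        host, sep, port = a[end].rpartition(":")
        a[end + "_host"] = host if sep else a[end]
        a[end + "_port"] = int(port) if sep else None
    return a


def parse_alerts(text: str) -> list:
    return [a for a in map(parse_alert, text.splitlines()) if a]


def summarize(alerts: list) -> dict:
    return {
        "total": len(alerts),
        "by_sid": Counter((a["sid"], a["msg"]) for a in alerts),
        "by_src": Counter(a["src_host"] for a in alerts),
        "by_proto": Counter(a["proto"] for a in alerts),
    }


def overlapping_rules(alerts: list) -> dict:
    """Group alerts by (timestamp, src, dst). More than one SID in a group
    means one packet triggered several rules, which is what happens when the
    catch-all 'ip' rule sits beside the 'icmp' and 'tcp' rules."""
    packets = defaultdict(set)
    for a in alerts:
        packets[(a["ts"], a["src"], a["dst"])].add(a["sid"])
    return {k: v for k, v in packets.items() if len(v) > 1}


if __name__ == "__main__":
    alerts = parse_alerts(SAMPLE_ALERTS)
    summary = summarize(alerts)
    print(summary["total"], "alerts")
    for (sid, msg), n in summary["by_sid"].most_common():
        print(f"  sid {sid} ({msg}): {n}")
    for key, sids in overlapping_rules(alerts).items():
        print("  same packet, rules", sorted(sids), "at", key[0])
```

To run it over the real file, read C:\Snort\log\alert.ids and pass its contents to parse_alerts. The grouping by timestamp and endpoints is a heuristic; two different packets with identical microsecond timestamps and endpoints would be merged.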
- Write a paragraph answering the following questions.
- In step 12, how would you, as a network security administrator, use some of the different types of rules to protect your network? Be specific.
- What sort of traffic does each of the rules created in steps 32 to 34 capture? How could they be improved to capture only the most relevant ICMP, TCP, and IP traffic?