Lab 4 - Using Snort for intrusion prevention

Goals

  1. To build a working inline intrusion prevention system using Snort_Inline.

  2. To learn the processes of building a complex system.

Overview

In this lab you will build an intrusion prevention system using Linux, Snort, and a PC. This will require a PC with two ethernet interfaces. You will work in groups of 2 (though each of you will turn in your own notes and results).

The system will look something like this (figure: Snort Inline, attachment Screen_shot_2012-03-29_at_12.17.02_PM.png).

You will need to do the following steps:

  1. Install a second ethernet card
  2. Install prerequisite components for Snort Inline
  3. Install Snort_inline
  4. Set up Snort rule set
  5. Set up system to bridge traffic
  6. Get things working
  7. Test the system

Useful Links

Steps

Step One

Take an ethernet card and install it in your system.

Power up your system to determine if you can use either interface.

Questions:

  1. What steps did you have to take?
  2. What commands were needed to get the second ethernet port to work?

Step Two

Go to this page to find a set of instructions for setting up prerequisite components: http://openmaniak.com/inline_pre.php

Note that some aspects are outdated. Following are notes on the required changes:

1. Before doing the commands do a "sudo su" to put the system into super user mode.

2. Instead of running "apt-get install libnet0-dev", download libdnet-1.11.tar.gz (attached at the bottom of this page) and build it from source:

$ tar xzvf libdnet-1.11.tar.gz
$ cd libdnet-1.11
$ ./configure --prefix=/usr
$ make
$ sudo make install

Questions:

  1. What problems did you encounter?

Step Three

Install Snort_inline.

Use the following instructions: http://dangertux.wordpress.com/2011/10/12/compiling-snort-2-9-1-1-daq-0-62/

You will probably need to remove and recreate the Snort database:

mysql -u root -p

drop database snort;

Question:

  1. What problems did you encounter?

Step four

Set up the Snort rules. See instructions here: http://openmaniak.com/inline_oink.php

Step five

Set up Linux to operate in Bridging mode: http://openmaniak.com/inline_final.php

Now check to see if the system passes traffic through itself as a bridge:

  1. Connect the interface that is set to DHCP to the internet (149.143.3.0 network).
  2. Connect the other interface to another computer (you will need either a special CPE to CPE cable, or a switch in the middle).
  3. Try it out. If it doesn't work, do some research and experiments until you get it working.

Questions:
  1. What did you have to do to get bridging to work? Show ALL steps.
  2. Is Snort intercepting the packets? How do you know?

That's all for this week's lab. Next week we continue with full integration of Snort, and testing.

Turn your answers in to Moodle under Lab 4. Next week will be Lab 5.

Part Two

Our goal in this second lab is to fully test the system with a variety of penetration attempts, and see the results.

Step six - Remote Login

Attempt to log in from a system OUTSIDE the IPS. Use the following:

  • Attempt to log in with Telnet. Report the results.
  • Attempt to log in with SSH on several different ports. Report the results.

Step seven - NMAP

Use NMAP to do the following scans against the system from the outside:

  1. Complete Port Scan
  2. TCP SYN scan
  3. TCP ACK scan
  4. TCP connect Scan
  5. UDP SCAN
  6. SCTP INIT scan
  7. TCP NULL Scan
  8. TCP FIN Scan
  9. TCP XMAS Scan

Review the options here: http://nmap.org/book/man-port-scanning-techniques.html

For each of the above, report the results, and explain the significance of the results.

Step eight - Create and test a rule

Create the following rules:

  1. A rule to prevent the uploading of .zip files
  2. A rule to prevent the viewing of the content of this page! (Not the address, the content)
  3. A rule to prevent logging in remotely with the username "root"

Turn in for this:

  • Carefully define and explain each rule.
  • Explain a test for the rule (both positively and negatively).
  • Show the results of your tests.
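As an added illustration of what Step eight asks for (these rules are constructed for this page; they are not part of the original lab or of the openmaniak instructions), here is one way the three rules could be written in snort_inline rule syntax. They assume $HOME_NET is the network behind the bridge, $EXTERNAL_NET is the internet side, and the stream preprocessor is enabled in snort_inline.conf:

```snort
# Constructed example rules for the three Step eight tasks (not from the lab page).
# Assumes $HOME_NET and $EXTERNAL_NET are defined in snort_inline.conf and that
# stream reassembly is enabled so "flow" works and content split across packets
# is still matched. Local rules use sid values of 1000000 and above so they do
# not collide with the downloaded rule set.

# 1. Block uploading of .zip files.
#    Every ZIP archive begins with the local file header signature "PK\x03\x04".
#    Matching it in the client-to-server direction catches the archive body as
#    it is uploaded (an HTTP POST, an FTP data stream), whatever the file was
#    named. Negative test: downloading a .zip from a server is to_client
#    traffic and must still pass.
drop tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"LAB4 zip upload blocked"; \
    flow:to_server,established; content:"PK|03 04|"; \
    classtype:policy-violation; sid:1000001; rev:1;)

# 2. Block viewing the content of this lab page (not its address).
#    Matching a string from the page body in server-to-client HTTP responses
#    stops the page regardless of the URL used to reach it. Negative test:
#    other pages served by the same web server must still load.
drop tcp $EXTERNAL_NET 80 -> $HOME_NET any (msg:"LAB4 lab page content blocked"; \
    flow:to_client,established; content:"Using Snort for intrusion prevention"; \
    nocase; classtype:policy-violation; sid:1000002; rev:1;)

# 3. Block remote logins as "root".
#    Telnet sends the username in clear text, so it can be matched as the client
#    types it (a Telnet client may send one character per packet, which is why
#    stream reassembly is needed). This simple rule also fires if "root" is typed
#    anywhere else in the session; note that as a limitation in the write-up.
#    SSH encrypts the username, so no content rule can see it; the only inline
#    option for SSH is to drop the whole session, which the lab should record
#    as a limitation rather than a solution.
drop tcp $EXTERNAL_NET any -> $HOME_NET 23 (msg:"LAB4 telnet root login blocked"; \
    flow:to_server,established; content:"root"; nocase; \
    classtype:attempted-admin; sid:1000003; rev:1;)
```

Each rule's "msg" shows up in the Snort alert log, which is how you can tell whether Snort (rather than some other part of the bridge) dropped the packet.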
-- JimSkon - 2012-03-29


Topic attachments

  • Screen_shot_2012-03-29_at_12.17.02_PM.png (46.9 K, 2012-03-29 16:19, JimSkon): Snort Inline
  • libdnet-1.11.tar.gz (435.8 K, 2012-03-29 02:01, JimSkon): libdnet-1.11.tar.gz
  • snortinline.pdf (71.8 K, 2012-03-29 16:16, JimSkon): Snort Inline
Topic revision: r3 - 2012-04-02 - JimSkon