Lab 5 - Building a Snort IPS

We are going to try again with the newest version of Snort. You MAY want to consider reinstalling Ubuntu to avoid problems with previous installs. CS are available.

Step One:

1. Download the two Manuals and Snort 2.9.22 below:

2. Open both files, but start with the one on Installing Snort 2.9 on Ubuntu.

3. Go to B-1 "Operating system" on page 4.

4. Work down through steps 1, 2, and 3 to install the prerequisites, and to install Snort. (I've done all these and they should work.)
You may skip the "Report" option. However, I will give you some extra credit if you get report working.

Use "root" for the MySQL root password to keep things simple for now.

Use 'snort' for the snort user password (again, to keep things simple for now).

5. Set up the Snort rules. I've attached the proper rule set here:

6. When configuring Snort, I suggest using gedit rather than vi.

Step two

Read the other (main) manual, and start up the system as an IPS (using the -Q option).

The system will need to be set up as a transparent bridge with BOTH interfaces set in promiscuous mode. Instructions can be found here:

http://vrt-blog.snort.org/2010/08/snort-29-essentials-daq.html

The basic steps:

Running inline Snort

sudo ifconfig eth0 promisc up
sudo ifconfig eth1 promisc up
sudo /usr/local/snort/bin/snort --daq afpacket -i eth0:eth1 -Q -c /usr/local/snort/etc/snort.conf

The first two commands above set up both interfaces to accept EVERY packet (promiscuous mode). The third runs Snort in a mode where it acts like a transparent (layer 2) bridge, passing everything EXCEPT what it decides to drop.

Step three - Remote Login

Attempt to log in from a system OUTSIDE the IPS. Use the following:

  • Attempt to log in with Telnet. Report the results.
  • Attempt to log in with SSH on several different ports. Report the results.

Step four - NMAP

Use NMAP to do the following scans against the system from the outside:

  1. Complete Port Scan
  2. TCP SYN scan
  3. TCP ACK scan
  4. TCP connect Scan
  5. UDP SCAN
  6. SCTP INIT scan
  7. TCP NULL Scan
  8. TCP FIN Scan
  9. TCP XMAS Scan
Review the options here: http://nmap.org/book/man-port-scanning-techniques.html

For each of the above, report the results, and explain the significance of the results.

Step five - Create and test a rule

Create the following rules:

  1. A rule to prevent the uploading of .zip files
  2. A rule to prevent the viewing of the content on this page! (Not the address, the content)
  3. A rule to prevent logging in remotely with the username of "root"
Turn in for this:
  • Carefully define and explain each rule.
  • Explain a test to test the rule (both positively and negatively)
  • Show the results of your tests
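When you write up the results for Steps three, four and five, it helps to cross-reference the rules you loaded against what Snort actually logged. The script below is an added example for this lab, not code from the Snort project or from the handout: it parses one-line Snort 2.9 rules and the alert_fast output format, counts hits per SID and the hosts that triggered them, and flags two things that are easy to miss in -Q mode. An alert whose SID is not in your rule file means you are reporting on someone else's rule, and a rule whose action is "alert" rather than "drop" only logs under -Q, so it cannot "prevent" anything. The rule lines, SIDs (1000001-1000003) and addresses in the sample data are constructed for the example and were not captured from a real run.

```python
"""Cross-reference Snort rules with an alert_fast log to report what fired.
Added example for this lab, not Snort project code. Assumes one-line Snort 2.9
rules and alert_fast output; all sample data below is constructed."""
import re
from collections import Counter

# Rule header: action proto src sport direction dst dport (options)
RULE_RE = re.compile(
    r"^(?P<action>alert|log|pass|drop|reject|sdrop)\s+"
    r"(?P<proto>tcp|udp|icmp|ip)\s+"
    r"(?P<src>\S+)\s+(?P<sport>\S+)\s+(?P<dir>->|<>)\s+"
    r"(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$")

# alert_fast line: time [**] [gid:sid:rev] msg [**] ... {PROTO} src -> dst
ALERT_RE = re.compile(
    r"^\S+\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\].*?\{(?P<proto>\w+)\}\s+"
    r"(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s*$")

SAMPLE_RULES = """\
# constructed local.rules for the lab (example data, SIDs chosen here)
drop tcp $EXTERNAL_NET any -> $HOME_NET 23 (msg:"LAB telnet from outside"; flow:to_server,established; sid:1000001; rev:1;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"LAB icmp echo request"; itype:8; sid:1000002; rev:1;)
drop tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"LAB ssh from outside"; flow:to_server,established; sid:1000003; rev:1;)
alert tcp any any -> any any (msg:"broken rule, no sid"; flags:S;)
"""

SAMPLE_ALERTS = """\
04/05-14:01:07.123456  [**] [1:1000001:1] LAB telnet from outside [**] [Priority: 0] {TCP} 192.0.2.10:51234 -> 198.51.100.5:23
04/05-14:01:09.654321  [**] [1:1000002:1] LAB icmp echo request [**] [Priority: 0] {ICMP} 192.0.2.10 -> 198.51.100.5
04/05-14:02:30.000001  [**] [1:1000001:1] LAB telnet from outside [**] [Priority: 0] {TCP} 192.0.2.11:40000 -> 198.51.100.5:23
04/05-14:03:00.000002  [**] [1:1000003:1] LAB ssh from outside [**] [Priority: 0] {TCP} 192.0.2.10:52000 -> 198.51.100.5:22
"""


def parse_rule(line):
    """One rule line -> dict; None for comments, blanks, bad headers, or no sid
    (Snort refuses to load a rule without a sid)."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    m = RULE_RE.match(line)
    if not m:
        return None
    opts = {}
    # Options are 'key:value;' pairs. Splitting on ';' is enough for the lab's
    # rules; a content pattern that itself contains ';' would need a real lexer.
    for opt in m.group("opts").split(";"):
        opt = opt.strip()
        if opt:
            key, _, val = opt.partition(":")
            opts[key.strip()] = val.strip().strip('"')
    if "sid" not in opts:
        return None
    rule = m.groupdict()
    rule["sid"], rule["msg"], rule["options"] = int(opts["sid"]), opts.get("msg", ""), opts
    return rule


def load_rules(text):
    """Map sid -> parsed rule for every loadable rule in the text."""
    rules = {}
    for line in text.splitlines():
        r = parse_rule(line)
        if r:
            rules[r["sid"]] = r
    return rules


def parse_alert(line):
    m = ALERT_RE.match(line.strip())
    return m.groupdict() if m else None


def summarise(rules_text, alerts_text):
    """Per-rule hit counts and source hosts, plus the alerts with no loaded
    rule and the rules that only 'alert' (logged but never dropped under -Q)."""
    rules = load_rules(rules_text)
    hits, sources, unknown = Counter(), {}, Counter()
    for line in alerts_text.splitlines():
        a = parse_alert(line)
        if a is None:
            continue
        sid = int(a["sid"])
        if sid not in rules:
            unknown[sid] += 1
            continue
        hits[sid] += 1
        src = a["src"]
        if a["proto"] in ("TCP", "UDP"):
            src = src.rsplit(":", 1)[0]  # strip the source port, keep the host
        sources.setdefault(sid, set()).add(src)
    report = {sid: {"action": r["action"], "msg": r["msg"], "hits": hits[sid],
                    "sources": sorted(sources.get(sid, ()))}
              for sid, r in rules.items()}
    return {"rules": report, "unknown_sids": dict(unknown),
            "alert_only": sorted(s for s, r in rules.items() if r["action"] == "alert")}


if __name__ == "__main__":
    rep = summarise(SAMPLE_RULES, SAMPLE_ALERTS)
    for sid, r in sorted(rep["rules"].items()):
        print(f"{sid}  {r['action']:5}  hits={r['hits']}  from={r['sources']}  {r['msg']}")
    print("alert-only rules (logged, not blocked under -Q):", rep["alert_only"])
    print("alerts with no loaded rule:", rep["unknown_sids"])
```

Run it with `python3 snort_report.py` against your own files by replacing the two sample strings with the contents of local.rules and the alert file Snort writes under its log directory. For the negative test the assignment asks for, a connection that should pass must produce no line at all for that SID; a "hits=0" row for the rule you expected to fire is the signal that the header (ports, $HOME_NET direction) or the content match is wrong, not the IPS bridge.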
Topic attachments

Attachment                        Size       Date               Who      Comment
014-snortinstallguide292.pdf      117.5 K    2012-04-05 13:52   JimSkon  Installing Snort 2.9 on Ubuntu
snort-2.9.2.2.tar.gz              6376.9 K   2012-04-05 15:54   JimSkon  Snort 2.9.2.2
snort_manual.pdf                  1163.9 K   2012-04-05 13:52   JimSkon  Snort 2.9 Manual
snortrules-snapshot-2920.tar.gz   17243.2 K  2012-04-05 16:34   JimSkon  Snort Rules for Lab (2920)
Topic revision: r2 - 2012-04-05 - JimSkon