Installation and application of Snort

Time:2020-11-30

Snort experiment

1、 Experimental environment

Operating system: Ubuntu 18.04, Kali

Experimental tools: snort, VMware Workstation

IP of unit 1: 192.168.204.131

IP of unit 2: 192.168.204.132

2、 Experimental content

The experimental environment must be built before Snort is configured. The topology required for the experiment (two VMware guests on the same network, unit 1 running Snort and unit 2 generating traffic) is shown in the following figure:

Part A

Run snort on unit 1 to monitor the network interface eth0. The requirements are as follows:

1) Capture only ICMP echo request packets from machine 2.

2) Use verbose mode to display link-layer and application-layer information in the terminal.

3) Log the captured packets to the directory /var/log/snort.

Part B

Run snort on unit 1 to monitor the network interface eth0. The requirements are as follows:

1) Capture only telnet request packets from machine 2.

2) Store the captured packets in binary form in the log file /var/log/snort/snort.log.

Part C

Create a new rule set file new.rules in the Snort rules directory (IDS/rules) of unit 1 that alerts on request packets from an external host whose destination is port 80/TCP of the current host, with a customized alert message.

On machine 1, edit the snort.conf configuration file so that it includes the new.rules rule set file.

Start Snort in intrusion detection mode, then access the web service of machine 1 and watch for the alert.

3、 Experimental steps

Install snort:

https://www.snort.org/downloads/archive/snort/daq-2.0.6.tar.gz

https://www.snort.org/downloads/archive/snort/snort-2.9.9.0.tar.gz

Install the required headers and libraries.

On Kali (run as root or prefix each command with sudo):

apt-get install gcc               # compiler; if the build still errors, also apt-get install g++
apt-get install flex              # lexer generator needed to build DAQ
apt-get install bison             # parser generator needed to build DAQ
apt-get install zlib1g-dev        # compression library used by Snort
apt-get install libpcap-dev       # packet-capture headers required by Snort
apt-get install libdnet-dev       # optional; gives Snort a simplified, portable interface to several network routines
apt-get install liblua5.1-0-dev   # Lua 5.1 headers (the original list named luakit here, but luakit is a WebKit browser, not a Lua development package)
apt-get install liblua50-dev liblualib50-dev   # older Lua 5.0 development packages; only needed if your Snort build asks for them
apt-get install build-essential   # the standard build toolchain
apt-get install libpcre3-dev      # PCRE headers required by Snort
apt-get install libdumbnet-dev    # Debian's name for libdnet; the same library as above
apt-get install openssl libssl-dev   # OpenSSL headers; Snort uses them for SHA and MD5 file signatures

apt-cache search lua              # lists the Lua packages available if any of the names above differ on your release

Build the remaining dependencies from source. Run each block from the directory holding the tarballs (cd back out between them), as root or with sudo for the make install steps.

# Install libpcap from source
tar -zxvf libpcap-1.9.0.tar.gz
cd libpcap-1.9.0
./configure && make && make install

# Install nghttp2 from source
tar -zxvf nghttp2-1.35.1.tar.gz
cd nghttp2-1.35.1
./configure && make && make install

# Install LuaJIT from source
tar -zxvf LuaJIT-2.0.5.tar.gz
cd LuaJIT-2.0.5
make && make install        # LuaJIT has no ./configure step

# Install PCRE from source
tar -zxvf pcre-8.42.tar.gz
cd pcre-8.42                # the extracted directory, not the .tar.gz
./configure && make && make install

# Install DAQ from source
tar -zxvf daq-2.0.6.tar.gz
cd daq-2.0.6
./configure && make && make install

# Install Snort from source (the archive downloaded above is snort-2.9.9.0; use the version you actually fetched)
tar -xvzf snort-2.9.9.0.tar.gz
cd snort-2.9.9.0
./configure --enable-sourcefire
make
make install

# Refresh the shared-library cache so the freshly installed libraries are found
ldconfig

ln -s /usr/local/bin/snort /usr/sbin/snort

snort -V

If it’s Ubuntu, it’s simple:

sudo apt-get update
sudo apt-get upgrade
sudo apt-get install snort
#Check whether the installation is successful
snort -V

Part A:

Listen on interface ens37 (this Ubuntu 18.04 VM names the interface ens37; the requirement above calls it eth0, so substitute whatever ip link shows on your machine):

sudo snort -i ens37 -dev -l /var/log/snort icmp and src 192.168.204.132

-v prints each packet to the terminal, -d adds the application-layer payload, -e adds the link-layer headers, and -l sets the log directory. Everything after the options is a BPF filter. Note that "icmp and src 192.168.204.132" accepts every ICMP packet sent by unit 2, including echo replies if unit 1 pings it back; to keep strictly to echo requests, as requirement 1) asks, test the ICMP type as well (quoted because of the brackets):

sudo snort -i ens37 -dev -l /var/log/snort 'icmp and src host 192.168.204.132 and icmp[icmptype] = icmp-echo'

Unit 2 pings unit 1:

Unit 1 shows the captured packets:

Open the saved log record in Wireshark:

Part B:

Start telnet of unit 1:

Install OpenBSD inetd:

sudo apt-get install openbsd-inetd

To install telnetd:
sudo apt-get install telnetd

Restart OpenBSD inetd
sudo /etc/init.d/openbsd-inetd restart

To view the running status of Telnet:
sudo netstat -a | grep telnet

Unit 1 starts monitoring and logging in packet logger mode:

sudo snort -i ens37 -b -l /var/log/snort tcp and src 192.168.204.132 and dst port 23

-b writes the packets in tcpdump (pcap) binary format instead of ASCII, which is why Wireshark can open the result directly; the file is named snort.log.<unix timestamp> in the log directory (/var/log/snort is also Snort's default, so -l is only there to make the location explicit).

Request from unit 2:

sudo telnet 192.168.204.131

Unit 1:

Wireshark open log:

sudo wireshark /var/log/snort/snort.log.1605864340
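Opening the log in Wireshark shows the packets, but it does not tell you whether the BPF filter you typed matches the requirement. The following script, an added example that is not part of the original report, reads a Snort -b log (libpcap format) with only the standard library and counts how many packets each of the Part A and Part B filters would keep. It assumes the log was written for an Ethernet interface (link type 1, which is what Snort 2 produces with -b on eth0/ens37); the six frames it reads are constructed in memory as a stand-in for a real /var/log/snort/snort.log.<timestamp>, and the file path in the comment is an illustration.

```python
# Added example, not from the original report: read a Snort "-b" log (libpcap
# format) and count the packets each of the Part A / Part B filters keeps.
# Assumptions: the log was written for an Ethernet interface (link type 1, as
# Snort 2 does with -b on eth0/ens37); the frames below are constructed in
# memory to stand in for a real /var/log/snort/snort.log.<timestamp>.
import struct

UNIT1 = "192.168.204.131"   # Snort host
UNIT2 = "192.168.204.132"   # the machine whose traffic Parts A/B capture

def ip2b(addr):
    return bytes(int(x) for x in addr.split("."))

def eth_ip(proto, src, dst, payload):
    """Ethernet + IPv4 header (checksums left 0; pcap readers do not verify them)."""
    eth = bytes.fromhex("000c29000001") + bytes.fromhex("000c29000002") + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 1, 0, 64,
                     proto, 0, ip2b(src), ip2b(dst))
    return eth + ip + payload

def icmp_frame(src, dst, icmp_type):
    # type, code, checksum, id, seq, then a short payload
    return eth_ip(1, src, dst, struct.pack("!BBHHH", icmp_type, 0, 0, 1, 1) + b"ping")

def tcp_frame(src, sport, dst, dport, flags=0x02):
    # sport, dport, seq, ack, data offset (5 words), flags, window, csum, urg
    hdr = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)
    return eth_ip(6, src, dst, hdr)

def build_pcap(frames):
    """Serialise frames as a libpcap file: magic a1b2c3d4, v2.4, DLT_EN10MB (1)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1605864340 + i, 0, len(f), len(f)) + f
    return out

def read_pcap(data):
    """Yield each captured frame from libpcap bytes, in either byte order."""
    magic = struct.unpack("<I", data[:4])[0]
    if magic == 0xA1B2C3D4:
        endian = "<"
    elif magic == 0xD4C3B2A1:
        endian = ">"
    else:
        raise ValueError("not a libpcap file; Snort -b logs are")
    if struct.unpack(endian + "I", data[20:24])[0] != 1:
        raise ValueError("expected Ethernet (DLT_EN10MB) link type")
    pos = 24
    while pos + 16 <= len(data):
        _, _, caplen, _ = struct.unpack(endian + "IIII", data[pos:pos + 16])
        pos += 16
        yield data[pos:pos + caplen]
        pos += caplen

def decode(frame):
    """Pull out just the fields the BPF filters in Parts A and B test."""
    if frame[12:14] != b"\x08\x00":          # not IPv4
        return None
    ihl = (frame[14] & 0x0F) * 4
    l4 = frame[14 + ihl:]
    pkt = {"proto": frame[23],
           "src": ".".join(str(b) for b in frame[26:30]),
           "dst": ".".join(str(b) for b in frame[30:34])}
    if pkt["proto"] == 1:
        pkt["icmp_type"] = l4[0]
    elif pkt["proto"] == 6:
        pkt["sport"], pkt["dport"] = struct.unpack("!HH", l4[:4])
    return pkt

# The filters from the report, written as predicates over a decoded packet.
def is_icmp_from(pkt, host):            # "icmp and src HOST" (the Part A command as typed)
    return bool(pkt) and pkt["proto"] == 1 and pkt["src"] == host

def is_echo_request_from(pkt, host):    # "... and icmp[icmptype] = icmp-echo" (requirement 1)
    return is_icmp_from(pkt, host) and pkt["icmp_type"] == 8

def is_telnet_request_from(pkt, host):  # Part B: "tcp and src HOST and dst port 23"
    return bool(pkt) and pkt["proto"] == 6 and pkt["src"] == host and pkt["dport"] == 23

def count_matches(pcap_bytes, predicate, host):
    return sum(1 for f in read_pcap(pcap_bytes) if predicate(decode(f), host))

# Constructed stand-in for a Snort -b log: what the wire carries during
# Part A (unit 2 pings unit 1, unit 1 pings back) and Part B (telnet).
SAMPLE_LOG = build_pcap([
    icmp_frame(UNIT2, UNIT1, 8),               # echo request from unit 2
    icmp_frame(UNIT1, UNIT2, 0),               # echo reply from unit 1
    icmp_frame(UNIT1, UNIT2, 8),               # unit 1 pings unit 2
    icmp_frame(UNIT2, UNIT1, 0),               # echo reply from unit 2: "icmp and src" keeps this too
    tcp_frame(UNIT2, 40000, UNIT1, 23),        # telnet SYN from unit 2
    tcp_frame(UNIT1, 23, UNIT2, 40000, 0x12),  # SYN/ACK back
])

if __name__ == "__main__":
    # To inspect a real log instead: SAMPLE_LOG = open("/var/log/snort/snort.log.1605864340", "rb").read()
    for name, pred in [("icmp from unit 2", is_icmp_from),
                       ("echo requests from unit 2", is_echo_request_from),
                       ("telnet requests from unit 2", is_telnet_request_from)]:
        print(name, count_matches(SAMPLE_LOG, pred, UNIT2))
```

On the constructed log the loose Part A filter keeps two packets (the echo request and the echo reply from unit 2) while the icmptype test keeps only the request; the Part B filter keeps the single SYN to port 23 and ignores the SYN/ACK. Pointing the script at a real snort.log file is the quickest way to confirm a filter did what the requirement asked before handing in the capture.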

Part C:

Create a new rule set file in the Snort rules directory of unit 1 (the requirement calls it new.rules; the packaged local.rules is used here and serves the same purpose) that alerts on request packets from an external host whose destination is port 80/TCP of the current host, with a user-defined alert message:

sudo gedit /etc/snort/rules/local.rules

Add:

alert tcp $EXTERNAL_NET any -> 192.168.204.131 80 (msg:"WARNING! There is http connect!"; sid:1000001; rev:1;)

Three details of the rule syntax matter here. Snort expects every option, including the last one, to be terminated with a semicolon, so the form (msg:"..." ;sid:26287) with no closing semicolon is rejected. SIDs below 1,000,000 are reserved for rules distributed with Snort, so a local rule should use 1,000,000 or higher, and a rev: lets you track later edits. A source of "any any" would also match unit 1 talking to itself; $EXTERNAL_NET (set in snort.conf, commonly to !$HOME_NET) restricts the rule to outside hosts as the requirement asks.

Edit the snort.conf configuration file so that it includes the local.rules rule set file (the file to edit is snort.conf, not local.rules):

sudo gedit /etc/snort/snort.conf

Add the following line if it is not already present (the Ubuntu package ships it):

include $RULE_PATH/local.rules
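Rule mistakes of this kind only surface when Snort refuses to start, so it is worth checking a local rule before loading it. The following linter is an added example, not part of the original report or of Snort itself: it splits a Snort 2 rule into header and options and flags the defects discussed above, namely an unterminated option block, a SID in the range reserved for distributed rules, a missing rev, and a source of any where an external host is required. The two rule strings embedded in it are the Part C rule in its uncorrected form and a corrected form; the regular expression covers the plain header shape used on this page and is not a full Snort parser.

```python
# Added example, not from the original report: a small linter for Snort 2
# rules, run over the Part C rule in its uncorrected and corrected forms.
# The checks encode Snort 2 rule-syntax facts (every option ends with ';',
# SIDs below 1,000,000 are reserved for distributed rules); the two rule
# strings are embedded here as the inputs.
import re

HEADER_RE = re.compile(
    r"^(?P<action>alert|log|pass|drop|reject|sdrop)\s+"
    r"(?P<proto>tcp|udp|icmp|ip)\s+"
    r"(?P<src>\S+)\s+(?P<sport>\S+)\s+(?P<dir>->|<>)\s+"
    r"(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$",
    re.DOTALL,
)

PAGE_RULE = ('alert tcp any any -> 192.168.204.131 80 '
             '(msg:"WARNING! There is http connect!" ;sid:26287)')
FIXED_RULE = ('alert tcp $EXTERNAL_NET any -> 192.168.204.131 80 '
              '(msg:"WARNING! There is http connect!"; sid:1000001; rev:1;)')

def split_options(opts_raw):
    """Split 'k:v; k:v;' into [(key, value)], ignoring ';' inside double quotes."""
    items, buf, in_quote = [], "", False
    for ch in opts_raw:
        if ch == '"':
            in_quote = not in_quote
        if ch == ";" and not in_quote:
            items.append(buf)
            buf = ""
        else:
            buf += ch
    if buf.strip():                  # text after the last ';' (or no ';' at all)
        items.append(buf)
    parsed = []
    for item in items:
        key, _, val = item.strip().partition(":")
        parsed.append((key.strip(), val.strip()))
    return parsed

def parse_rule(rule):
    """Return the header fields plus the option list and whether the block ends in ';'."""
    m = HEADER_RE.match(rule.strip())
    if not m:
        raise ValueError("rule header does not parse: %r" % rule)
    fields = m.groupdict()
    opts_raw = fields.pop("opts").strip()
    fields["opts_terminated"] = opts_raw.endswith(";")
    fields["options"] = split_options(opts_raw)
    return fields

def lint_rule(rule, expect_external=False):
    """Return a list of problems; an empty list means the rule passed every check."""
    r = parse_rule(rule)
    opts = dict(r["options"])
    findings = []
    if not r["opts_terminated"]:
        findings.append("every option, including the last, must end with ';'")
    if "msg" not in opts:
        findings.append("missing msg")
    if "sid" not in opts:
        findings.append("missing sid")
    elif int(opts["sid"]) < 1000000:
        findings.append("sid %s is in the range reserved for distributed rules; "
                        "local rules use 1000000 and above" % opts["sid"])
    if "rev" not in opts:
        findings.append("missing rev; add rev:1 so later edits can be tracked")
    if expect_external and r["src"] == "any":
        findings.append("source 'any' also matches the local host; use $EXTERNAL_NET")
    return findings

if __name__ == "__main__":
    for rule in (PAGE_RULE, FIXED_RULE):
        print(rule)
        for finding in lint_rule(rule, expect_external=True) or ["ok"]:
            print("  -", finding)
```

Run as a script it reports four findings for the uncorrected rule and none for the corrected one. Snort itself offers a config test that catches the syntax errors (but not the SID range or source choice): sudo snort -T -c /etc/snort/snort.conf parses the configuration and every included rule file and exits without sniffing.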

Install Apache:

sudo apt install apache2 -y

Open Apache:

sudo service apache2 start

Start Snort in intrusion detection mode, printing alerts to the terminal (-A console); -c loads snort.conf, which pulls in the rule files it includes:

sudo snort -c /etc/snort/snort.conf -A console -i ens37

Host 2 accesses the server of host 1 in the browser:

Engine 1 warning:

4、 Experimental summary

Through this experiment I learned how to deploy Snort and use the related commands, and saw how powerful Snort is. While using it I constantly ran into problems and solved them, and from that process I also learned a lot. I learned Snort's three modes: sniffer mode, packet logger mode, and network intrusion detection system mode. Sniffer mode only captures network packets and displays them on the terminal; packet logger mode stores the captured packets to disk; intrusion detection mode is the most complex, as it analyzes packets, detects according to rules, and responds. However, Snort also has some disadvantages. Snort is operated through various functional plug-ins, and its installation is complicated; sometimes a plug-in affects the program's operation because of version problems. Snort also matches all traffic against its rules, and sometimes produces many false positives for legitimate programs.