Snort experiment
1、 Experimental environment
Operating system: Ubuntu 18.04, Kali
Experimental tools: snort, VMware Workstation
IP of machine 1: 192.168.204.131
IP of machine 2: 192.168.204.132
2、 Experimental content
The lab environment has to be set up before Snort is configured. The environment required for the experiment is shown in the following figure:
Part A
Run Snort on machine 1 to monitor the network interface eth0. Requirements:
1) Capture only ICMP echo request packets coming from machine 2.
2) Use verbose mode and display link-layer and application-layer data in the terminal.
3) Log the captured packets to the directory /var/log/snort.
Part B
Run Snort on machine 1 to monitor the network interface eth0. Requirements:
1) Capture only Telnet request packets coming from machine 2.
2) Store the captured packets in binary (tcpdump/pcap) form in the log file /var/log/snort/snort.log.
Part C
Create a new rule file new.rules in the Snort rules directory on machine 1 that alerts on request packets from an external host to TCP port 80 of the local host, with a custom alert message.
Edit the snort.conf configuration file on machine 1 so that it includes the new.rules rule file.
Start Snort in intrusion detection mode, access the web service of machine 1 from machine 2, and observe the alert.
3、 Experimental steps
Install snort:
https://www.snort.org/downloads/archive/snort/daq-2.0.6.tar.gz
https://www.snort.org/downloads/archive/snort/snort-2.9.9.0.tar.gz
Install the required libraries and headers (on Kali, as root or with sudo):
apt-get install gcc                  # compiler; if the build complains, also apt-get install g++
apt-get install flex bison           # lexer and parser generators needed to build DAQ
apt-get install zlib1g-dev           # compression library used by Snort
apt-get install libpcap-dev          # packet capture library and headers required by Snort
apt-get install libdnet-dev          # optional: a simplified, portable interface to several low-level network routines (libdumbnet-dev is the same library under its Debian name)
apt-get install liblua5.1-0-dev      # Lua headers; if this package is not available on your release, run apt-cache search lua to find the current name (the Lua 5.0 packages liblua50-dev liblualib50-dev also work)
apt-get install build-essential      # build tools for compiling software
apt-get install libpcre3-dev         # PCRE headers required by Snort
apt-get install openssl libssl-dev   # OpenSSL library and headers, used by Snort for SHA and MD5 hashing
# Install libpcap from source
tar -zxvf libpcap-1.9.0.tar.gz
cd libpcap-1.9.0
./configure && make && make install
cd ..
# Install nghttp2 from source
tar -zxvf nghttp2-1.35.1.tar.gz
cd nghttp2-1.35.1
./configure && make && make install
cd ..
# Install LuaJIT from source (LuaJIT has no ./configure step)
tar -zxvf LuaJIT-2.0.5.tar.gz
cd LuaJIT-2.0.5
make && make install
cd ..
# Install PCRE from source
tar -zxvf pcre-8.42.tar.gz
cd pcre-8.42
./configure && make && make install
cd ..
# Install DAQ from source
tar -zxvf daq-2.0.6.tar.gz
cd daq-2.0.6
./configure && make && make install
cd ..
# Install Snort from source (the tarball downloaded above is 2.9.9.0)
tar -xvzf snort-2.9.9.0.tar.gz
cd snort-2.9.9.0
./configure --enable-sourcefire
make
make install
cd ..
# Refresh the shared library cache and put snort on the path
ldconfig
ln -s /usr/local/bin/snort /usr/sbin/snort
snort -V
On Ubuntu the packaged version is enough:
sudo apt-get update
sudo apt-get upgrade
sudo apt-get install snort
# Check that the installation succeeded
snort -V
Part A:
Listen on interface ens37 (the interface name on the lab VM; the task text calls it eth0):
sudo snort -i ens37 -dev icmp and src 192.168.204.132 -l /var/log/snort
Here -d dumps the application-layer payload, -e prints the link-layer headers and -v prints every packet to the terminal; the trailing BPF expression limits the capture to ICMP from machine 2, and -l writes the packets to /var/log/snort (Snort 2.9 logs in pcap format unless -K ascii is given). Because machine 2 only sends echo requests during the ping, this filter satisfies requirement 1); to enforce it regardless of what machine 2 sends, tighten the expression to 'icmp[icmptype] == icmp-echo and src host 192.168.204.132'.
Machine 2 pings machine 1:
Output on machine 1:
Open the saved log in Wireshark:
Part B:
Start the Telnet service on machine 1:
Install OpenBSD inetd:
sudo apt-get install openbsd-inetd
Install telnetd:
sudo apt-get install telnetd
Restart OpenBSD inetd:
sudo /etc/init.d/openbsd-inetd restart
Check that Telnet is listening:
sudo netstat -a | grep telnet
Machine 1 starts capturing and logging. -b writes the packets in binary tcpdump/pcap format to Snort's default log directory /var/log/snort, in a file named snort.log.<timestamp>; since Telnet is cleartext, the login typed from machine 2 will be readable in that file:
sudo snort -i ens37 -b tcp and src 192.168.204.132 and dst port 23
Request from machine 2:
sudo telnet 192.168.204.131
Output on machine 1:
Open the log in Wireshark:
sudo wireshark /var/log/snort/snort.log.1605864340
Part C:
Create a new rule file in the Snort rules directory of machine 1 that alerts on request packets from an external host to TCP port 80 of the local host, with a custom alert message. The task asks for new.rules; the Ubuntu package already ships an empty local.rules for custom rules, so that file is used here:
sudo gedit /etc/snort/rules/local.rules
Add the rule:
alert tcp any any -> 192.168.204.131 80 (msg:"WARNING! There is http connect!"; flags:S; sid:1000001; rev:1;)
flags:S restricts the alert to connection requests (TCP SYN) instead of every packet of the session. Custom rules must use sid values of 1000000 and above; the range below that is reserved for the official rule sets, so the originally chosen sid:26287 could collide with one of them. rev should accompany sid so that later edits of the rule can be tracked.
Edit the snort.conf configuration file so that it includes the local.rules rule file:
sudo gedit /etc/snort/snort.conf
Add the following line, unless it is already present (check with grep -n local.rules /etc/snort/snort.conf, as the Ubuntu package's snort.conf normally includes it already):
include $RULE_PATH/local.rules
Install Apache:
sudo apt install apache2 -y
Start Apache:
sudo service apache2 start
Start Snort in intrusion detection mode with alerts printed to the console (adding -T to the same command first validates the configuration and rule syntax without capturing anything):
sudo snort -c /etc/snort/snort.conf -A console -i ens37
Machine 2 opens the web server of machine 1 in a browser:
Alert on machine 1:
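As an added example for Part C (not part of the lab report), the shell helper below lints a local rule file for the two problems discussed above (a sid in the reserved range below 1000000 and a missing rev) and summarizes the alert lines that snort -A console prints, per signature and source address. The rule file path, the sample rule file and the sample alert lines are constructed; the alert format assumed is Snort 2.9's fast-alert console format, and the linter assumes one rule per line.

```shell
#!/bin/sh
# Added example for Part C (not from the lab report): lint a local rule file
# and summarize the alerts Snort prints with -A console.
# Assumptions: one rule per line in the rule file, and Snort 2.9's fast-alert
# console format for the alert lines. Paths and sample data below are constructed.

# lint_rules FILE: report rules whose sid is below 1000000 (the range reserved
# for the official rule sets, so a local rule there can collide with them) or
# which carry no rev. Returns 0 when every rule is clean, 1 otherwise.
lint_rules() {
    awk '
        /^[[:space:]]*(#|$)/ { next }                 # skip comments and blank lines
        {
            sid = ""
            if (match($0, /sid:[[:space:]]*[0-9]+/)) {
                sid = substr($0, RSTART, RLENGTH)
                sub(/sid:[[:space:]]*/, "", sid)
            }
            if (sid == "") {
                printf "line %d: rule has no sid\n", NR; bad = 1
            } else if (sid + 0 < 1000000) {
                printf "line %d: sid %s is in the reserved range (<1000000)\n", NR, sid; bad = 1
            }
            if ($0 !~ /rev:[[:space:]]*[0-9]+/) {
                printf "line %d: rule has no rev\n", NR; bad = 1
            }
        }
        END { exit bad ? 1 : 0 }
    ' "$1"
}

# summarize_alerts FILE: count fast-alert lines per gid:sid:rev and source
# address, most frequent first. A console alert line looks like:
# 11/20-14:32:10.123456  [**] [1:1000001:1] WARNING! There is http connect! [**] [Priority: 0] {TCP} 192.168.204.132:45678 -> 192.168.204.131:80
summarize_alerts() {
    awk '
        /\[\*\*\] \[[0-9]+:[0-9]+:[0-9]+\]/ {
            match($0, /\[[0-9]+:[0-9]+:[0-9]+\]/)
            sig = substr($0, RSTART + 1, RLENGTH - 2)          # gid:sid:rev
            for (i = 1; i <= NF; i++) if ($i == "->") { src = $(i - 1); dst = $(i + 1) }
            sub(/:[0-9]+$/, "", src)                            # drop the ephemeral source port
            count[sig " " src " -> " dst]++
        }
        END { for (k in count) print count[k], k }
    ' "$1" | sort -rn
}

# Constructed sample rule file: the report's original rule beside a corrected one.
SAMPLE_RULES="${TMPDIR:-/tmp}/local.rules.sample"
cat > "$SAMPLE_RULES" <<'EOF'
# original: sid in the reserved range, no rev, fires on every packet of the session
alert tcp any any -> 192.168.204.131 80 (msg:"WARNING! There is http connect!"; sid:26287;)
# corrected: SYN only, sid in the local range, rev present
alert tcp any any -> 192.168.204.131 80 (msg:"WARNING! There is http connect!"; flags:S; sid:1000001; rev:1;)
EOF

# Constructed sample of what `snort -A console` prints for two clients.
SAMPLE_ALERTS="${TMPDIR:-/tmp}/snort_console.sample"
cat > "$SAMPLE_ALERTS" <<'EOF'
11/20-14:32:10.123456  [**] [1:1000001:1] WARNING! There is http connect! [**] [Priority: 0] {TCP} 192.168.204.132:45678 -> 192.168.204.131:80
11/20-14:32:10.223456  [**] [1:1000001:1] WARNING! There is http connect! [**] [Priority: 0] {TCP} 192.168.204.132:45679 -> 192.168.204.131:80
11/20-14:32:11.023456  [**] [1:1000001:1] WARNING! There is http connect! [**] [Priority: 0] {TCP} 192.168.204.150:51000 -> 192.168.204.131:80
EOF

lint_rules "$SAMPLE_RULES" || echo "rule file needs fixing (see above)"
summarize_alerts "$SAMPLE_ALERTS"
```

Run against the real files with lint_rules /etc/snort/rules/local.rules before starting Snort, and pipe the console output into a file (sudo snort -c /etc/snort/snort.conf -A console -i ens37 | tee alerts.txt) so summarize_alerts can be applied afterwards. The linter flags the original rule twice (reserved sid, no rev) and passes the corrected one; the summary shows two SYNs from machine 2 and one from the second constructed client.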
4、 Experimental summary
Through this experiment I learned how to deploy Snort and use the related commands, and saw how powerful Snort is. While using it I constantly ran into problems and solved them, and learned a lot from that process. I also learned Snort's three modes: sniffer mode, packet logger mode and network intrusion detection system mode. Sniffer mode only captures network packets and displays them on the terminal; packet logger mode stores the captured packets to disk; intrusion detection mode is the most complex, as it analyzes packets, detects according to rules and responds. However, Snort also has some disadvantages. Snort is built from various functional plug-ins and its installation is complicated; sometimes plug-in version problems affect the operation of the program. Snort matches all traffic against its rules and sometimes produces many false positives on legitimate programs.