Objectives

You will learn how to configure the Snort IDS on a network, in particular these skills:

  • Install Snort and verify Snort alerts
  • Configure and validate snort.conf file
  • Test that Snort works by carrying out an attack test
  • Perform Intrusion detection

Why you need to know

An IDS/IPS is an important network security measure; it is usually placed behind the firewall and works from inside the network. An IDS inspects the network traffic and looks for patterns that match known intrusions.

What is Snort

Snort is a free and open source network intrusion prevention system and network intrusion detection system.

Network Topology

Demo

1: Log in to the Domain Controller.

2: Install Snort.

3: Go to C:\Snort, Shift + right-click the bin folder and choose "Open command window here".

4: Type snort and press Enter. This command shows that Snort has been installed on your machine correctly. Press Ctrl + C to exit Snort and return to C:\Snort\bin.

5: Type snort -W. This command lists your machine's network interfaces with their index number, physical address and Ethernet driver; all are disabled by default. Note the index number of your Ethernet driver and write it down (here 3).

6: To enable the Ethernet driver, type snort -dev -i 3 (verbose packet-dump mode on interface 3).

7: Leave the Snort command prompt window open and launch another command prompt. In the new command prompt, type ping 10.0.0.200 (the Windows 10 IP address). You can see that the ping command triggers a Snort alert.

8: Configure the snort.conf file. Go to C:\Snort\etc, right-click the snort.conf file and choose Edit with Notepad++.

9: Scroll down to line 41 (Step #1: Set the network variables). On line 45 (the HOME_NET line), replace the value with the IP address of the machine on which Snort is running. Here, 10.0.0.101.

10: Scroll down to line 104 (RULE_PATH) and replace ../rules with C:\Snort\rules.

On line 105, replace ../so_rules with C:\Snort\so_rules.

On line 106, replace ../preproc_rules with C:\Snort\preproc_rules.

11: On lines 113 and 114, replace ../rules with C:\Snort\rules.

12: Go to C:\Snort\rules and create two text files; name them white_list and black_list and change their file extensions from .txt to .rules.

13: Back in snort.conf in Notepad++, scroll down to line 241 (the Step #4: Configure dynamic loaded libraries section) and change it as follows.

14: Go to the Step #5: Configure preprocessors section. Comment out all the preprocessors listed in this section by adding # at the start of each line.

15: Remove the backslash at the end of each of lines 507 to 511.

16: Add # at the start of lines 507 to 512.

17: In the Step #6: Configure output plugins section, change lines 533 to 536 as follows.

18: Save the file.

19: Before running Snort, you need to enable detection rules in a Snort rules file. Here we enable an ICMP rule so that Snort can detect any host-discovery ping probes against the system running Snort.

Go to C:\Snort\rules and open icmp-info.rules with Notepad++.

Add the following rule (the destination port field of an ICMP rule must be any; the rule keywords are itype:8 for an echo request and classtype:bad-unknown, and every option ends with a semicolon):

alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP-INFO PING"; icode:0; itype:8; reference:arachnids,135; reference:cve,1999-0265; classtype:bad-unknown; sid:472; rev:7;)
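To see how a rule like the one above is put together, here is an added Python example (it is not part of the original lab and not part of Snort) that splits a single-line Snort rule into its seven header fields and its option list, then flags the slips that make Snort reject a rule: an IP address in the port position, an option such as itype written without its colon, or a trailing colon instead of a semicolon. The two sample rules inside the script are constructed for this example, and the check list (required options, numeric values for sid, rev, itype and icode) is a minimal one chosen for illustration.

```python
"""Parse and sanity-check single-line Snort rules (added example; not part of Snort)."""
import re

# A Snort rule header always has exactly these seven fields, in this order.
HEADER_FIELDS = ("action", "proto", "src", "src_port", "direction", "dst", "dst_port")
VALID_ACTIONS = {"alert", "log", "pass", "drop", "reject", "sdrop"}
VALID_PROTOS = {"tcp", "udp", "icmp", "ip"}
# A port field may be 'any', a $VARIABLE, a port or port range, or a [list]; each optionally negated.
PORT_RE = re.compile(r"^!?(any|\$\w+|\d{1,5}(:\d{0,5})?|:\d{1,5}|\[.*\])$")

# Constructed sample: the lab's ICMP echo-request rule in its corrected form.
RULE_OK = ('alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP-INFO PING"; icode:0; itype:8; '
           'reference:arachnids,135; reference:cve,1999-0265; classtype:bad-unknown; sid:472; rev:7;)')
# Constructed sample with typical slips: an IP where the port goes, 'itype8' and 'rev:7:'.
RULE_BROKEN = 'alert icmp $EXTERNAL_NET any -> $HOME_NET 10.0.0.101 (msg:"ICMP-INFO PING"; itype8; sid:472; rev:7:)'


def _split_options(body: str) -> list:
    """Split the option body on ';' while ignoring semicolons inside double quotes."""
    options, current, in_quotes = [], [], False
    for ch in body:
        if ch == '"':
            in_quotes = not in_quotes
        if ch == ";" and not in_quotes:
            options.append("".join(current))
            current = []
        else:
            current.append(ch)
    options.append("".join(current))
    return [opt.strip() for opt in options if opt.strip()]


def parse_rule(rule: str) -> dict:
    """Return {'header': {...}, 'options': [(keyword, value or None), ...]} for one rule line."""
    rule = rule.strip()
    if "(" not in rule or not rule.endswith(")"):
        raise ValueError("rule body must be enclosed in parentheses")
    head, body = rule[:-1].split("(", 1)   # the header never contains '(' itself
    parts = head.split()
    if len(parts) != len(HEADER_FIELDS):
        raise ValueError(f"header has {len(parts)} fields, expected {len(HEADER_FIELDS)}")
    options = []
    for opt in _split_options(body):
        if ":" in opt:
            key, value = opt.split(":", 1)
            options.append((key.strip(), value.strip().strip('"')))
        else:
            options.append((opt, None))  # flag-style option such as 'nocase'
    return {"header": dict(zip(HEADER_FIELDS, parts)), "options": options}


def lint_rule(rule: str) -> list:
    """Return a list of problems found in the rule; an empty list means it looks well-formed."""
    try:
        parsed = parse_rule(rule)
    except ValueError as exc:
        return [str(exc)]
    h, problems = parsed["header"], []
    if h["action"] not in VALID_ACTIONS:
        problems.append(f"unknown action {h['action']!r}")
    if h["proto"] not in VALID_PROTOS:
        problems.append(f"unknown protocol {h['proto']!r}")
    if h["direction"] not in ("->", "<>"):
        problems.append(f"bad direction operator {h['direction']!r}")
    for field in ("src_port", "dst_port"):
        if not PORT_RE.match(h[field]):
            problems.append(f"{field} {h[field]!r} is not a port, port range, variable or 'any'")
    keys = [k for k, _ in parsed["options"]]
    for required in ("msg", "sid", "rev"):
        if required not in keys:
            problems.append(f"missing required option {required!r}")
    if h["proto"] == "icmp" and "itype" not in keys:
        problems.append("icmp rule without itype: it would match every ICMP type")
    for key, value in parsed["options"]:
        if key in ("sid", "rev", "itype", "icode") and not (value or "").isdigit():
            problems.append(f"option {key!r} needs a numeric value, got {value!r}")
    return problems


if __name__ == "__main__":
    for name, rule in (("RULE_OK", RULE_OK), ("RULE_BROKEN", RULE_BROKEN)):
        print(name, lint_rule(rule) or "no problems found")
```

Running the script reports no problems for the corrected rule and three for the broken one, which is a quick way to check a hand-typed rule before restarting Snort with the edited rules file.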

20: Go to C:\Snort, Shift + right-click the bin folder and choose "Open command window here".

21: Type the following command and press Enter (-i3 selects interface 3, -A console prints alerts to the console, -c loads the configuration file, -l sets the log directory and -K ascii writes the logs in ASCII format):

snort -i3 -A console -c C:\Snort\etc\snort.conf -l C:\Snort\log -K ascii

22: Log in to the Windows 10 client.

23: Open a command prompt and run ping 10.0.0.101 -t.

24: Switch back to the Domain Controller. You can see that the ICMP alert triggers for traffic from the Windows 10 client (10.0.0.200) to the Domain Controller (10.0.0.101).
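With -A console, Snort prints one alert per line, and on a busy link it is easier to read a summary than the raw stream. The Python script below is an added example (not from the lab and not part of Snort) that parses that console alert line format and counts alerts per rule and per source host, so a run of ICMP-INFO PING alerts from one client stands out. The alert lines embedded in it are constructed to resemble what step 24 shows; the Classification text and priority shown are what classification.config assigns to bad-unknown, and the regular expression treats the classification part as optional because Snort omits it for classtypes that file does not define.

```python
"""Parse Snort '-A console' alert lines and summarise them (added example; not part of Snort)."""
import re
from collections import Counter

# Console alert format, e.g. (constructed):
# 01/15-10:22:33.123456  [**] [1:472:7] ICMP-INFO PING [**] [Classification: ...] [Priority: 2] {ICMP} 10.0.0.200 -> 10.0.0.101
# The [Classification: ...] part only appears for classtypes defined in classification.config,
# and src/dst ports only appear for TCP and UDP.
ALERT_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}-\d{2}:\d{2}:\d{2}\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?"
    r"\[Priority:\s*(?P<prio>\d+)\]\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s*$"
)

# Constructed sample resembling step 24: five pings from the client, one alert from another host,
# one TCP alert from a made-up local rule, and a non-alert line that Snort prints at startup.
PING = "[**] [1:472:7] ICMP-INFO PING [**] [Classification: Potentially Bad Traffic] [Priority: 2] {ICMP}"
SAMPLE_LINES = [
    f"01/15-10:22:33.123456  {PING} 10.0.0.200 -> 10.0.0.101",
    f"01/15-10:22:34.125001  {PING} 10.0.0.200 -> 10.0.0.101",
    f"01/15-10:22:35.126530  {PING} 10.0.0.200 -> 10.0.0.101",
    f"01/15-10:22:36.128077  {PING} 10.0.0.200 -> 10.0.0.101",
    f"01/15-10:22:37.129612  {PING} 10.0.0.200 -> 10.0.0.101",
    f"01/15-10:22:40.000314  {PING} 10.0.0.50 -> 10.0.0.101",
    "01/15-10:22:41.441100  [**] [1:1000001:1] constructed test rule [**] [Priority: 3] {TCP} 10.0.0.50:51234 -> 10.0.0.101:80",
    "Commencing packet processing (pid=1234)",
]


def parse_alert(line: str):
    """Return a dict of alert fields, or None if the line is not a console alert."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    fields = m.groupdict()
    for key in ("gid", "sid", "rev", "prio"):
        fields[key] = int(fields[key])
    return fields


def summarize(lines) -> Counter:
    """Count alerts per (sid, msg, src, dst); lines that are not alerts are skipped."""
    counts = Counter()
    for line in lines:
        alert = parse_alert(line)
        if alert:
            counts[(alert["sid"], alert["msg"], alert["src"], alert["dst"])] += 1
    return counts


def noisy_sources(lines, threshold: int) -> list:
    """Source hosts that produced at least `threshold` alerts, busiest first."""
    per_source = Counter()
    for (_, _, src, _), n in summarize(lines).items():
        per_source[src] += n
    return [src for src, n in per_source.most_common() if n >= threshold]


if __name__ == "__main__":
    for (sid, msg, src, dst), n in summarize(SAMPLE_LINES).most_common():
        print(f"{n:4d}  sid {sid:<8} {msg:<24} {src} -> {dst}")
    print("sources at or above 5 alerts:", noisy_sources(SAMPLE_LINES, 5))
```

The same functions work on the console output redirected to a file, or on the alert file that -l C:\Snort\log writes, since both carry the same line format; the threshold in noisy_sources is the knob to tune for your network before treating a host as a scanner.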

Conclusion

You learned how to

  • verify Snort alerts
  • configure and validate the snort.conf file
  • test that Snort works by carrying out an attack test
  • perform intrusion detection