{ "id": "b3b68fdd-3eca-4ad6-9912-2afde6006d16", "name": "Using Snort IDS", "slug": "using-snort-ids", "status": "published", "lab_type": "pta", "is_sample": false, "duration_in_seconds": 1800, "metadata": { "courses": [ "cd60ce4a-1b83-48c4-8d38-7e6bfeab4a1e" ], "pta_sdn": "58", "pta_namespace": "my.ine", "learning_paths": [], "has_published_parent": true }, "session": null, "company": "a491bc32-c056-4946-9169-cc053387bada", "created": "2022-03-30T03:12:19.413295Z", "modified": "2024-04-30T14:39:01.750922Z", "is_beta": false, "lab_objectives": [], "main_learning_area": "3e1aa06f-2e9f-4789-b50d-aa027ad8dcfa", "learning_areas": [ { "id": "3e1aa06f-2e9f-4789-b50d-aa027ad8dcfa", "name": "Cyber Security", "slug": "cyber-security" } ], "categories": [], "tags": [], "difficulty": null, "is_web_access": false, "is_lab_experience": false, "is_featured": false, "cve": null, "severity": null, "year": null, "classification": null, "external_url": "", "solution_video": null, "explanation_video": null, "description": "# Scenario\n\nSnort is a powerful open source IDS which can be used to perform many tasks. This lab will go through the basic usages and functionalities that snort provides.\n\n# Goals\n\n- Understand the basics of snort.\n- Work with different modes of snort\n- Explore the different functionalities provided by snort\n\n# What you will learn\n\n- How to run Snort in different modes\n- Understand the most important Snort configuration directives\n- How to write Snort rules of your own for suspicious network traffic\n- How to craft packets to do basic network traffic testing\n\n# Recommended tools\n\n- **Snort**", "description_html": "

Scenario

\n

Snort is a powerful open source IDS which can be used to perform many tasks. This lab will go through the basic usages and functionalities that snort provides.

\n

Goals

\n\n

What you will learn

\n\n

Recommended tools

\n", "tasks": "# Tasks\n\n## Task 1: Examine The First 5 Packets Of The First PCAP File\n\nExamine the first five packets in the **example.com-7** PCAP file located in **/opt/samples/** and state the source and destination IP addresses for the first IP packet you encounter, using Snort.\n\n## Task 2: Get Quick Statistical Overview\n\nUse snort to get a quick statistical overview of the in-scope PCAP file. How many IP TCP UDP and ICMP packets are there?\n\n## Task 3: Trying The Sniffing Mode\n\nLet's briefly try sniffing mode; run snort on sniffing mode on the eth0 interface for a few moments and get the info from the first back at you capture.\n\n## Task 4: Run Snort In Logging Mode\n\nCreate a new directory on your machine and run snort in the logging mode to log and dump the running packets in an ASCII format.\n\n## Task 5: Extract The UDP Traffic\n\nDump the traffic from **example.com-7.pcap** into a new directory and open it using Wireshark.\n\n## Task 6: Locate Snort's Config File And Take A Backup Of It\n\nSnort's config file is of great importance. Locate it inside the > Security Onion machine and take a backup of it.\n\n## Task 7: Open The Configuration File For Examination\n\nWhat is ipvar and portvar? On which ports does snort expect web and > ftp servers to run on? Which ports should be checked for shellcodes?\n\n## Task 8: Adding A Snort Rule\n\nMake sure to check the config file before exiting. After that, create a new directory for snort rules and add a rule that detects icmp echo messages.\n\n## Task 9: Run Snort Again with the Rules You Added. Make Sure That Snort Is Giving The Proper Alert\n\nIt is now time to test the added rule. Make sure that Snort throws the proper alert.\n\n## Task 10: Create a telnet detection rule\n\nRepeat the same process you did earlier, only this time to create a rule to detect the usage of telnet communications.", "tasks_html": "

Tasks

\n

Task 1: Examine The First 5 Packets Of The First PCAP File

\n

Examine the first five packets in the example.com-7 PCAP file located in /opt/samples/ and state the source and destination IP addresses for the first IP packet you encounter, using Snort.

\n

Task 2: Get Quick Statistical Overview

\n

Use snort to get a quick statistical overview of the in-scope PCAP file. How many IP TCP UDP and ICMP packets are there?

\n

Task 3: Trying The Sniffing Mode

\n

Let's briefly try sniffing mode; run snort on sniffing mode on the eth0 interface for a few moments and get the info from the first back at you capture.

\n

Task 4: Run Snort In Logging Mode

\n

Create a new directory on your machine and run snort in the logging mode to log and dump the running packets in an ASCII format.

\n

Task 5: Extract The UDP Traffic

\n

Dump the traffic from example.com-7.pcap into a new directory and open it using Wireshark.

\n

Task 6: Locate Snort's Config File And Take A Backup Of It

\n

Snort's config file is of great importance. Locate it inside the > Security Onion machine and take a backup of it.

\n

Task 7: Open The Configuration File For Examination

\n

What is ipvar and portvar? On which ports does snort expect web and > ftp servers to run on? Which ports should be checked for shellcodes?

\n

Task 8: Adding A Snort Rule

\n

Make sure to check the config file before exiting. After that, create a new directory for snort rules and add a rule that detects icmp echo messages.

\n

Task 9: Run Snort Again with the Rules You Added. Make Sure That Snort Is Giving The Proper Alert

\n

It is now time to test the added rule. Make sure that Snort throws the proper alert.

\n

Task 10: Create a telnet detection rule

\n

Repeat the same process you did earlier, only this time to create a rule to detect the usage of telnet communications.

", "published_date": "2020-10-20T15:32:26Z", "solutions": "# Solutions\n\n## Task 1: Examine The First 5 Packets Of The First PCAP File\n\nWe can examine a pcap file in snort using this command:\n\n**snort -r file.cap**\n\nBut, since we need to read a specific number of packets, we need to add the --n option to specify the number of packets we want to display.\n\n```\n# snort -r example.com-7.pcap -n 5\n```\n\n![1](https://assets.ine.com/content/ptp/lab_23_sing_snort_ids_digital_forensics_system/1.png)\n\nAfter issuing the command, snort will start the initialization process and display the packets we specified.\n\n![2](https://assets.ine.com/content/ptp/lab_23_sing_snort_ids_digital_forensics_system/2.png)\n\nThe first packet originated from **192.168.10.125** and sent to **80.157.169.154** we only want the addresses for now; however, if we wanted to examine the payload of the packets, we could have added the **-d** option.\n\n```\n# snort -r example.com-7.pcap -n 5 -d\n```\n\n## Task 2: Get Quick Statistical Overview\n\nWhenever Snort is invoked on a file, it displays statistics on that file at the end of the result. However, we have to invoke the command again to get the result about the whole file.\n\n```\n# snort -r example.com-7.pcap\n```\n\n![3](https://assets.ine.com/content/ptp/lab_23_sing_snort_ids_digital_forensics_system/3.png)\n\nIt seems the file contains 1383 IPv4 packets where 1309 of them are TCP segments, and 74 of them are UDP datagrams.\n\n## Task 3: Trying The Sniffing Mode\n\nWe can run snort on sniffing mode using the following command\n\n```\n# sudo snort -vv -i eth0\n```\n\nThe result of running that command may vary depending on the protocols and services on the machine you're working at.\n\n![4](https://assets.ine.com/content/ptp/lab_23_sing_snort_ids_digital_forensics_system/4.png)\n\n## Task 4: Run Snort In Logging Mode\n\nLet's prepare the logging directory by issuing the command\n\n```\n# mkdir logdir\n```\n\nJust to avoid having permission issues, we'll change the ownership of the file to our current account using the following command\n\n```\n# sudo chown $(whoami) -R logdir\n```\n\nLet's then run snort in sniffing mode and pass the new directory as a parameter to it.\n\n```\n# sudo snort -v -i eth0 -l logdir -K ASCII\n```\n\nWhile the sniffing is in progress, you'll notice that snort creates a folder for every IP address that participates in the communication.\n\n![5](https://assets.ine.com/content/ptp/lab_23_sing_snort_ids_digital_forensics_system/5.png)\n\nInside each folder, snort will dump each connection's packet in a separate file\n\n![6](https://assets.ine.com/content/ptp/lab_23_sing_snort_ids_digital_forensics_system/6.png)\n\n## Task 5: Extract The UDP Traffic\n\nThe way snort organized the directory we used for logging can make the analysis process much easier.\n\nHowever, what if we wanted to dump specific packets from a previously captured file? In that case, we need to read the file and log it into the destination directory and provide the BPF to select which traffic we want to filter.\n\nFor example, we can filter UDP traffic using the following command (after creating another directory like we did earlier):\n\n```\n# sudo snort -r example.com-7.pcap udp -l logdir2\n```\n\nAccess the folder and examine the file inside using Wireshark\n\n```\n# sudo Wireshark snort.log.1517270987\n```\n\n![8](https://assets.ine.com/content/ptp/lab_23_sing_snort_ids_digital_forensics_system/8.png) \n\n![9](https://assets.ine.com/content/ptp/lab_23_sing_snort_ids_digital_forensics_system/9.png)\n\n## Task 6: Locate Snort's Config File And Take A Backup Of It\n\nThe file is located at: `/etc/snort/snort.conf`\n\nLet's copy it using the **cp** command to any other destination.\n\n```\n# cp /etc/snort/snort.conf /root/Desktop/\n```\n![10](https://assets.ine.com/content/ptp/lab_23_sing_snort_ids_digital_forensics_system/10.png)\n\n## Task 7: Open The Configuration File For Examination\n\nWe can open the config file\n\n![11](https://assets.ine.com/content/ptp/lab_23_sing_snort_ids_digital_forensics_system/11.png)\n\nIt seems that **IPVAR** is snort's way of declaring an IP address variable and **PORTVAR** is the type of port address variable.\n\n![12](https://assets.ine.com/content/ptp/lab_23_sing_snort_ids_digital_forensics_system/12.png)\n\nBelow, we can find the clear declaration of which ports does snort expect some of the network services or attacks.\n\n## Task 8: Adding A Snort Rule\n\nTo check the syntax of the config file, we can use this command:\n\n```\n# snort -T -c snort.conf\n```\n\nThis will parse the file looking for any improper configuration and display it on the screen.\n\nOnce we've verified that everything is OK, let's go ahead and create a directory and a rule file inside it.\n\nWe'll call the rule file **ICMP.rules,** and open it using featherpad.\n\n```\n# featherpad rules/ICMP.rules\n```\n\nWe want to detect any ICMP packet destined to our network; such a rule can be made like this:\n\n**alert icmp any any -> any any (msg:\"ICMP Packet Detected\"; sid:100001;)**\n\nJust a quick reminder that the general rule syntax is:\n\n****\n\n| **Rule Action** | alert |\n| ---------------- | ----------------------------------------- |\n| **Protocol** | icmp |\n| **Src IP** | any |\n| **Dest IP** | any |\n| **Direction** | -> |\n| **Dest IP** | any |\n| **Dest PORT** | any |\n| **Rule Options** | (msg:\"ICMP Packet Detected\"; sid:100001;) |\n\n## Task 9: Run Snort Again with the Rules You Added. Make Sure That Snort Is Giving The Proper Alert\n\nNow it's time to start Snort with the rule above, which can be done like this:\n\n```\n# sudo snort -c rules/icmp.rules -l logdir\n```\n\n![13](https://assets.ine.com/content/ptp/lab_23_sing_snort_ids_digital_forensics_system/13.png) \n\nNow from another terminal, try to ping any IP address on your network.\n\nAfter that, go to the logdir directory and open the **alerts** file to verify that snort has indeed logged alerts for the ICMP messages that went through eth0.\n\n```\n# featherpad alert\n```\n\n![15](https://assets.ine.com/content/ptp/lab_23_sing_snort_ids_digital_forensics_system/15.png)\n\n## Task 10: Create a telnet detection rule\n\nLet's create another rule to raise an alert if someone tries to use telnet.\n\nWill have to repeat the same steps we did in the last task, however, the rule this time will be like this\n\n**alert tcp any any -> any 23 (msg: \"Policy Violation: someone is using telnet in our network!\";sid:100005;)**\n\n```\n# sudo snort -c rules/telnet.rules -l logdir -K ascii\n```\n\n![16](https://assets.ine.com/content/ptp/lab_23_sing_snort_ids_digital_forensics_system/16.png) Finally, to test whether the new rule works or not, we can open port 23 on our machine using netcat\n\n```\n# nc -lvp 23\n```\n\nAnd try to connect to it from another terminal also using netcat or nmap\n\n```\n# nc -nv 172.16.81.101 23\n```\n\nAfter that, open the **Alerts** file and examine the messages.", "solutions_html": "

Solutions

\n

Task 1: Examine The First 5 Packets Of The First PCAP File

\n

We can examine a pcap file in snort using this command:

\n

snort -r file.cap

\n

But, since we need to read a specific number of packets, we need to add the --n option to specify the number of packets we want to display.

\n
# snort -r example.com-7.pcap -n 5
\n\n

\"1\"

\n

After issuing the command, snort will start the initialization process and display the packets we specified.

\n

\"2\"

\n

The first packet originated from 192.168.10.125 and sent to 80.157.169.154 we only want the addresses for now; however, if we wanted to examine the payload of the packets, we could have added the -d option.

\n
# snort -r example.com-7.pcap -n 5 -d
\n\n

Task 2: Get Quick Statistical Overview

\n

Whenever Snort is invoked on a file, it displays statistics on that file at the end of the result. However, we have to invoke the command again to get the result about the whole file.

\n
# snort -r example.com-7.pcap
\n\n

\"3\"

\n

It seems the file contains 1383 IPv4 packets where 1309 of them are TCP segments, and 74 of them are UDP datagrams.

\n

Task 3: Trying The Sniffing Mode

\n

We can run snort on sniffing mode using the following command

\n
# sudo snort -vv -i eth0
\n\n

The result of running that command may vary depending on the protocols and services on the machine you're working at.

\n

\"4\"

\n

Task 4: Run Snort In Logging Mode

\n

Let's prepare the logging directory by issuing the command

\n
# mkdir logdir
\n\n

Just to avoid having permission issues, we'll change the ownership of the file to our current account using the following command

\n
# sudo chown $(whoami) -R logdir
\n\n

Let's then run snort in sniffing mode and pass the new directory as a parameter to it.

\n
# sudo snort -v -i eth0 -l logdir -K ASCII
\n\n

While the sniffing is in progress, you'll notice that snort creates a folder for every IP address that participates in the communication.

\n

\"5\"

\n

Inside each folder, snort will dump each connection's packet in a separate file

\n

\"6\"

\n

Task 5: Extract The UDP Traffic

\n

The way snort organized the directory we used for logging can make the analysis process much easier.

\n

However, what if we wanted to dump specific packets from a previously captured file? In that case, we need to read the file and log it into the destination directory and provide the BPF to select which traffic we want to filter.

\n

For example, we can filter UDP traffic using the following command (after creating another directory like we did earlier):

\n
# sudo snort -r example.com-7.pcap udp -l logdir2
\n\n

Access the folder and examine the file inside using Wireshark

\n
# sudo Wireshark snort.log.1517270987
\n\n

\"8\"

\n

\"9\"

\n

Task 6: Locate Snort's Config File And Take A Backup Of It

\n

The file is located at: /etc/snort/snort.conf

\n

Let's copy it using the cp command to any other destination.

\n

# cp /etc/snort/snort.conf /root/Desktop/
\n\"10\"

\n

Task 7: Open The Configuration File For Examination

\n

We can open the config file

\n

\"11\"

\n

It seems that IPVAR is snort's way of declaring an IP address variable and PORTVAR is the type of port address variable.

\n

\"12\"

\n

Below, we can find the clear declaration of which ports does snort expect some of the network services or attacks.

\n

Task 8: Adding A Snort Rule

\n

To check the syntax of the config file, we can use this command:

\n
# snort -T -c snort.conf
\n\n

This will parse the file looking for any improper configuration and display it on the screen.

\n

Once we've verified that everything is OK, let's go ahead and create a directory and a rule file inside it.

\n

We'll call the rule file ICMP.rules, and open it using featherpad.

\n
# featherpad rules/ICMP.rules
\n\n

We want to detect any ICMP packet destined to our network; such a rule can be made like this:

\n

alert icmp any any -> any any (msg:\"ICMP Packet Detected\"; sid:100001;)

\n

Just a quick reminder that the general rule syntax is:

\n

\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n
Rule Actionalert
Protocolicmp
Src IPany
Dest IPany
Direction->
Dest IPany
Dest PORTany
Rule Options(msg:\"ICMP Packet Detected\"; sid:100001;)
\n

Task 9: Run Snort Again with the Rules You Added. Make Sure That Snort Is Giving The Proper Alert

\n

Now it's time to start Snort with the rule above, which can be done like this:

\n
# sudo snort -c rules/icmp.rules -l logdir
\n\n

\"13\"

\n

Now from another terminal, try to ping any IP address on your network.

\n

After that, go to the logdir directory and open the alerts file to verify that snort has indeed logged alerts for the ICMP messages that went through eth0.

\n
# featherpad alert
\n\n

\"15\"

\n

Task 10: Create a telnet detection rule

\n

Let's create another rule to raise an alert if someone tries to use telnet.

\n

Will have to repeat the same steps we did in the last task, however, the rule this time will be like this

\n

alert tcp any any -> any 23 (msg: \"Policy Violation: someone is using telnet in our network!\";sid:100005;)

\n
# sudo snort -c rules/telnet.rules -l logdir -K ascii
\n\n

\"16\" Finally, to test whether the new rule works or not, we can open port 23 on our machine using netcat

\n
# nc -lvp 23
\n\n

And try to connect to it from another terminal also using netcat or nmap

\n
# nc -nv 172.16.81.101 23
\n\n

After that, open the Alerts file and examine the messages.

", "flags": [], "min_points_to_pass": null, "access_type": "default", "user_status": "unstarted", "user_lab_status": null, "user_status_modified": null, "user_flags": [], "global_running_session": null }