1
00:00:00,05 --> 00:00:02,05
- [Instructor] Let's run Snort

2
00:00:02,05 --> 00:00:04,08
as an intrusion detection system.

3
00:00:04,08 --> 00:00:08,06
Before we put Snort in its intrusion detection mode,

4
00:00:08,06 --> 00:00:11,04
we have to do some prep work.

5
00:00:11,04 --> 00:00:15,00
First, we'll introduce a new Snort rule

6
00:00:15,00 --> 00:00:16,06
by creating a file.

7
00:00:16,06 --> 00:00:20,08
Let's go to /etc/snort/rules

8
00:00:20,08 --> 00:00:30,08
by typing cd /etc/snort/rules/.

9
00:00:30,08 --> 00:00:33,02
Press Enter.

10
00:00:33,02 --> 00:00:38,06
We'll create our rule file called my.rules.

11
00:00:38,06 --> 00:00:45,04
Type sudo nano

12
00:00:45,04 --> 00:00:49,06
my.rules.

13
00:00:49,06 --> 00:00:51,09
Press Enter.

14
00:00:51,09 --> 00:00:54,03
The new rule we're creating

15
00:00:54,03 --> 00:00:56,02
will detect any ping attempts

16
00:00:56,02 --> 00:00:58,08
to the interface we want to monitor.

17
00:00:58,08 --> 00:01:01,06
Type alert.

18
00:01:01,06 --> 00:01:05,03
Meaning whenever there is a ping attempt,

19
00:01:05,03 --> 00:01:07,01
send an alert.

20
00:01:07,01 --> 00:01:10,01
Space, the next thing to type

21
00:01:10,01 --> 00:01:12,04
is a protocol to detect.

22
00:01:12,04 --> 00:01:19,05
Ping uses the Internet Control Message Protocol or ICMP.

23
00:01:19,05 --> 00:01:25,05
Therefore, type icmp space.

24
00:01:25,05 --> 00:01:29,00
We don't care where the ping message is coming from.

25
00:01:29,00 --> 00:01:33,00
It could be any IP address or any port number.

26
00:01:33,00 --> 00:01:37,08
That's why we type any space any

27
00:01:37,08 --> 00:01:41,05
in terms of where the packet is coming from.

28
00:01:41,05 --> 00:01:43,00
Any

29
00:01:43,00 --> 00:01:45,00
space

30
00:01:45,00 --> 00:01:47,08
any space.

31
00:01:47,08 --> 00:01:49,06
Type a dash

32
00:01:49,06 --> 00:01:52,02
and a greater than sign,

33
00:01:52,02 --> 00:01:57,00
space, to indicate the destination.

34
00:01:57,00 --> 00:02:00,05
We want to detect every ICMP message.

35
00:02:00,05 --> 00:02:03,03
Therefore, the destination IP

36
00:02:03,03 --> 00:02:09,08
and the destination port number are any and any too.

37
00:02:09,08 --> 00:02:13,02
Space any.

38
00:02:13,02 --> 00:02:16,05
Next, open a parenthesis.

39
00:02:16,05 --> 00:02:20,04
Type msg:

40
00:02:20,04 --> 00:02:26,01
space to indicate the start of the alert message.

41
00:02:26,01 --> 00:02:29,08
The message will say ping detected.

42
00:02:29,08 --> 00:02:34,05
Ping detected.

43
00:02:34,05 --> 00:02:37,06
And then exclamation

44
00:02:37,06 --> 00:02:41,01
and then type a semicolon.

45
00:02:41,01 --> 00:02:46,02
The last step is assigning an ID to the alert.

46
00:02:46,02 --> 00:02:52,03
It's 1,000,001, which is a number I picked arbitrarily.

47
00:02:52,03 --> 00:03:00,05
Type sid:1000001.

48
00:03:00,05 --> 00:03:03,09
Sid here stands for Snort Rule ID.

49
00:03:03,09 --> 00:03:08,02
Don't forget another semicolon here at the end

50
00:03:08,02 --> 00:03:12,01
because if you miss it, you'll get an error.

51
00:03:12,01 --> 00:03:14,06
Close parenthesis.

52
00:03:14,06 --> 00:03:17,07
Now that we're done creating our rule,

53
00:03:17,07 --> 00:03:24,03
let's save the file by pressing Control and X together.

54
00:03:24,03 --> 00:03:27,09
Type Y, press Enter.

55
00:03:27,09 --> 00:03:31,02
For Snort to be able to use this new rule file,

56
00:03:31,02 --> 00:03:34,00
we have to make the Snort configuration file refer

57
00:03:34,00 --> 00:03:36,07
to the new rule file.

58
00:03:36,07 --> 00:03:41,03
To do that, let's go to /etc/snort.

59
00:03:41,03 --> 00:03:48,07
Type cd .. to go up one level.

60
00:03:48,07 --> 00:03:50,08
Press Enter.

61
00:03:50,08 --> 00:03:55,01
Type ls, press Enter.

62
00:03:55,01 --> 00:03:58,07
Do you see the snort.conf file?

63
00:03:58,07 --> 00:04:00,02
Let's edit it.

64
00:04:00,02 --> 00:04:05,07
Type sudo nano

65
00:04:05,07 --> 00:04:11,01
snort.conf.

66
00:04:11,01 --> 00:04:13,05
Press Enter.

67
00:04:13,05 --> 00:04:15,03
Let's look for the area

68
00:04:15,03 --> 00:04:19,06
where the rule file locations are specified.

69
00:04:19,06 --> 00:04:25,00
Add a line to refer to the new rule right here.

70
00:04:25,00 --> 00:04:30,01
Type include space

71
00:04:30,01 --> 00:04:35,07
RULE_PATH/

72
00:04:35,07 --> 00:04:37,09
and then the name of the rule file,

73
00:04:37,09 --> 00:04:43,04
which is my.rules.

74
00:04:43,04 --> 00:04:48,01
Save the file by pressing Control and X together.

75
00:04:48,01 --> 00:04:50,00
Type Y.

76
00:04:50,00 --> 00:04:55,01
Press Enter to accept the current file name.

77
00:04:55,01 --> 00:04:58,01
Now we're ready to run Snort

78
00:04:58,01 --> 00:05:01,00
to use our newly created rule file.