Network Analysis

    Install Snort Open a terminal in your Kali, enter # snort Snort wil start to run in packet dump mode. If snort is not installed in your machine enter the folloiwng command snort will be installed . If you are using a old Kali you need to install from Wheezy database. After Snort installs, a blue screen appears asking for the "Address range for your local network". In MBV249, it's 192.168.1.0/24. If you are doing from home, check your subnet mask, if 255.255.255.0 then it is /24. Enter the range of your network set it to the IP address of the victim, your Kali machine), press Tab to highlight OK, and press Enter. (Later we will Check if snort is under /etc. If you find snort , change diretctory to snort ( cd snort ) Now do a ls so that you can see the all the files under snort directory. A few important locations: 1. SNORT configuration: /etc/snort/snort.conf 2. SNORT debian configuration: /etc/snort/snort.debian.conf 3. SNORT rules: /etc/snort/rules 4. SNORT exuecuble: /usr/sbin/snort Configure SNORT The main configuration file for SNORT is /etc/snort/snort.conf file. This is a big configuration file. (If required you can edit it, opening with an editor such as nano, vi, leafpad etc.) For this lab, we don’t need to touch the snort.conf now. To check what’s in it - use cat . Now cat it. Go over the config file, check it. Check the HOME_NET and Interface related configuration from /etc/snort/snort.debian.conf . During installation process if you have defined your HOME_NET properly; then you can leave it as it is and don’t need to edit it anymore. However, it is recommended that you must set the HOME_NET to the IP address of the victim machine, in your case the current ipAddress if your Kali VM. # nano snort.debian.conf and change the DEBIAN_SNORT_HOME_NET The default config file ( /etc/snort/snort.conf ) is quite self-explanatory, with helpful comments leading the user through the steps of customizing the configuration to its own needs. (In this lab we only set the network Variables, and customize the rule set. Also because we are using Kali, we edited snort.debin.conf. If you are using other Linux, you might need to open the snort.conf in order to edit. The network variables we modify are the HOME_NET and the EXTERNAL_NET, which can be configured by changing the following lines: ipvar HOME_NET 192.168.56.101 ( the internal network range, the subnet we are trying to protect. You can set it to the IP address of the victim machine) ipvar EXTERNAL_NET !$HOME_NET ( the external network range, in our case everything which is not in the internal network range) Again if you use a Debian distro like Kali, you need to open the snort.debian.conf Also In order to only alert to those packets you want, you may want to disable all predefined rules. To disable all the line having include $RULE_PATH, you can comment them out (put #). Include a new rules file Instead of changing the snort.conf in this lab we will create our own .conf file. Use and editor to create a file in snort-ITN266.conf under /etc/snort Then create a rule with your last name. In the terminal type # nano snort-ITN266.conf include /etc/snort/myName-icmp.rules ( for me it is include /etc/snort/sdas-icmp.rules) Save the file with Ctrl+X, Y, Enter. Now create the rule We will start with a very simple rule into our myName-icmp.rules file: alert icmp any any > any any (msg:"Ping detected";sid:1000477; rev:1;) (Please read how to crate snort rule https://blog.rapid7.com/2016/12/09/understanding-andconfiguring-snort-rules/ ) Note each rule you write should have a unique SID. The sid: 1000477; rev:1 ; in the rule are required to keep Snort happy. Run Snort, (check the alert/packets) snort -c /etc/snort/snort-ITN266.conf -l /var/log/snort -i eth0 Your interface name may be different from eth0. Also the last switch is a lowercase L, not the number 1. Soon your snort – will start to throw alert . But we only want to alert for ping! So we can include a new option in the rule. Open the myName.rules in an editor and modify it. # nano myName-icmp.rules alert icmp any any -> any any (msg:"Ping detected"; itype:8; sid:1000477; rev:1) The option itype stands for ICMP packet type. If we run Snort as below, (in packet sniffer mode ) you can see it in the packets. snort -dev -c /etc/snort/snort.conf -l /var/log/snort/ -i eth0 Now check if your rule is actually working, ping 8.8.8.8 from another terminal. Snort will catch the outgoing (ICMP Echo request) and incoming (ICMP Echo reply) packets. You can see that the ECHO packets have type 8 and the ECHO REPLY packets have type 0, so we chose type 8 correctly. You can stop Snort anytime by pressing Ctrl+C. Stop snort, and check the alert output file at /var/log/snort The snort.config file has several rules, very well defined. Let’s use some of them. In a Terminal window, run snort (use the –v switch) snort -v -i eth0 -l /var/log/snort -c /etc/snort/snort.conf Snort starts, showing a "Commencing packet processing" message. Meanwhile Open another Terminal on your other vm or in host machine, run a default Nmap scan of your Kali Linux machine, you will see snort will start throwing this. After we stop running Snort, it outputs some useful statistics. Many of these are selfexplanatory, the main parts and the interesting section, where we can check the following: Processing rates, Packet I/O Totals, Protocol statistics, Actions, Limits, and Verdicts etc. Go ahead and check the snort log file ( tail -f /var/log/snort/alert ) we will see an alter that a nmap scan was being run. In part II (Not now, May be extra credit) we will use Snort to throw Alert for browsing any particular website Useful Sites: https://www.securityarchitecture.com/learning/intrusion-detection-systems-learning-withsnort/configuring-snort-on-linux/ https://blog.rapid7.com/2016/12/09/understanding-and-configuring-snort-rules/