Lab7 Instruction

This document provides instructions for a lab assignment on the Snort intrusion detection system. It describes installing and configuring Snort on an Ubuntu virtual machine, writing custom Snort rules, and triggering alerts by sending network traffic. Students are asked to complete tasks with Snort like adding a rule to detect ICMP packets, then triggering an alert by pinging the VM. The document also lists assignment questions about zero-day attacks, Snort's detection capabilities, and calculating false alarm rates from detection rates and probabilities.

Department of Computer Science and Engineering


CS 315 Computer Security Course

Lab 7: Firewall & Intrusion Detection Systems

Introduction

In this lab students will explore the Snort Intrusion Detection System. Snort is a
signature-based intrusion detection system used to detect network attacks; it can also be
used as a simple packet logger or sniffer. For the purpose of this lab the students will run
Snort as an IDS, write their own detection rules, trigger them with real traffic, and read
the alerts Snort logs.

Software Requirements
All required files are packed and configured in the provided virtual machine image.

- The VMWare Software


http://apps.eng.wayne.edu/MPStudents/Dreamspark.aspx

- The Ubuntu 14.04 Long Term Support (LTS) Version


http://www.ubuntu.com/download/desktop

- Snort: A signature-based Intrusion Detection System


https://www.snort.org/#get-started

Fengwei Zhang – CS 315 Computer Security Course 1


Starting the Lab 7 Virtual Machine

In this lab, we use Ubuntu as our VM image. Select the VM named “Lab8”.

Log in to the Ubuntu image with username student and password [TBA in the class].
Below is the screen snapshot after login.

Installing Snort into the Operating System



In our Lab 7 Ubuntu VM image, Snort has already been installed and set up for you. If you
want to use your own version of the image, you need to install Snort into the operating
system yourself. To install the latest version of Snort, follow the installation
instructions on the Snort website. Note that the installation instructions vary between OSes.
The instructions below show how to install Snort from its source code on Linux.

You can find more information here:


https://www.snort.org/#get-started
While you install Snort, your system may be missing some libraries that Snort depends on
(for Snort 2.x these are typically libpcap, PCRE, libdnet and the DAQ library). You need to
install the required libraries, too, and rerun the build after adding them.

Configuring and Starting the Snort IDS



After installing Snort, we need to configure it. The configuration file of Snort is stored
at /etc/snort/snort.conf. The screenshot below shows the commands to configure Snort.
You need to switch to root to gain permission to read the Snort configuration file. The
parts of the file that matter for this lab are the variables near the top (HOME_NET,
EXTERNAL_NET and RULE_PATH) and the include lines further down that pull in the rule
files, in particular include $RULE_PATH/local.rules.

Before starting the service, it is worth checking the configuration for syntax errors:
$ snort -T -c /etc/snort/snort.conf
This loads the configuration and every included rule file, reports any problems, and exits
without sniffing.

After configuring Snort, you need to start it. You can simply type one of the following
commands to start the service.
$ service snort start
or
$ /etc/init.d/snort start



Snort Rules

Snort is a signature-based IDS: it uses rules to describe the traffic it should report as an
intrusion. All rules of Snort are stored under the /etc/snort/rules directory. The screenshot
below shows the files that contain Snort's rules.

The screenshot below shows real rules from /etc/snort/rules/web-misc.rules. The slides
of Lab 7 have more information about Snort rules, including their syntax and format.



Writing and Adding a Snort Rule

Next, we are going to add a simple Snort rule. You should add your own rules to
/etc/snort/rules/local.rules; this file is loaded through the include $RULE_PATH/local.rules
line in snort.conf, so if that line is commented out, rules added here will never load.
Add the following line to the local.rules file
alert icmp any any -> any any (msg:"ICMP Packet found"; sid:1000001; rev:1;)
Basically, this rule says that an alert will be logged whenever an ICMP packet is seen.
The rule header reads: action (alert), protocol (icmp), source address and port (any any),
direction (->), destination address and port (any any). ICMP has no ports, so both port
fields must be any. The options in parentheses give the message written with the alert, the
rule ID (sid) 1000001, and the rule revision (rev). Make sure to pick a SID greater than
1,000,000 for your own rules; lower values are reserved for the official rule sets, and every
SID must be unique across all loaded rules. The screenshot below shows the contents of the
local.rules file after adding the rule.
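The checks described above (SID in the local range, no duplicate SIDs, msg and rev present, option list terminated by ';') are easy to get wrong by hand and only show up as the service failing to start. The following script is an added example for this handout, not code from the Snort project or from the lab VM: it parses Snort 2 rules of the kind written to local.rules and reports those problems. The sample local.rules content it runs on is constructed here, starting from the lab's ICMP rule.

```python
"""Parse Snort 2 rules and sanity-check a local.rules file (added example)."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

LOCAL_SID_MIN = 1_000_000  # SIDs below this are reserved for official rule sets

# rule header: action proto src sport direction dst dport (options)
HEADER_RE = re.compile(
    r"^(?P<action>alert|log|pass|drop|reject|sdrop)\s+"
    r"(?P<proto>tcp|udp|icmp|ip)\s+"
    r"(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<direction>->|<>)\s+"
    r"(?P<dst>\S+)\s+(?P<dport>\S+)\s*"
    r"\((?P<opts>.*)\)\s*$"
)

# Constructed sample local.rules (not the VM's file). Line 2 is the lab's rule;
# the others exercise the checks below.
SAMPLE_LOCAL_RULES = """\
# local.rules -- site-specific rules
alert icmp any any -> any any (msg:"ICMP Packet found"; sid:1000001; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"GET with semicolon"; content:"GET /;"; nocase; sid:1000002; rev:1;)
alert tcp any any -> any 22 (msg:"SID below local range"; sid:42; rev:1;)
alert udp any any -> any 53 (msg:"duplicate of first SID"; sid:1000001; rev:2;)
alert tcp any any -> any 443 (msg:"rule without sid";)
"""


@dataclass
class Rule:
    action: str
    proto: str
    src: str
    sport: str
    direction: str
    dst: str
    dport: str
    options: List[Tuple[str, Optional[str]]]  # ordered; 'content' may repeat

    def get(self, key: str) -> Optional[str]:
        """First value of an option such as sid/msg/rev (None if absent or a bare flag)."""
        for k, v in self.options:
            if k == key:
                return v
        return None

    def has(self, key: str) -> bool:
        return any(k == key for k, _ in self.options)


def split_options(body: str) -> List[Tuple[str, Optional[str]]]:
    r"""Split 'key:value; flag; ...' into pairs. A ';' inside double quotes
    (content:"GET /;") does not end an option, and \" does not end the quote."""
    opts: List[Tuple[str, Optional[str]]] = []
    buf: List[str] = []
    in_quotes = False
    for i, ch in enumerate(body):
        if ch == '"' and (i == 0 or body[i - 1] != "\\"):
            in_quotes = not in_quotes
            buf.append(ch)
        elif ch == ";" and not in_quotes:
            item = "".join(buf).strip()
            buf = []
            if item:
                key, sep, val = item.partition(":")
                val = val.strip()
                if sep and len(val) >= 2 and val[0] == val[-1] == '"':
                    val = val[1:-1]  # strip the quotes around msg/content values
                opts.append((key.strip(), val if sep else None))
        else:
            buf.append(ch)
    tail = "".join(buf).strip()
    if in_quotes or tail:
        raise ValueError("option list not terminated by ';': %r" % tail)
    return opts


def parse_rule(line: str) -> Optional[Rule]:
    """Return a Rule, or None for blank/comment lines. Raises ValueError on bad syntax."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    m = HEADER_RE.match(line)
    if not m:
        raise ValueError("unparseable rule header: %r" % line)
    return Rule(m["action"], m["proto"], m["src"], m["sport"], m["direction"],
                m["dst"], m["dport"], split_options(m["opts"]))


def check_local_rules(text: str) -> List[str]:
    """Report problems in a local.rules file; an empty list means it looks sane."""
    problems: List[str] = []
    seen = {}  # sid -> line number of first use
    for lineno, raw in enumerate(text.splitlines(), 1):
        try:
            rule = parse_rule(raw)
        except ValueError as exc:
            problems.append("line %d: %s" % (lineno, exc))
            continue
        if rule is None:
            continue
        sid = rule.get("sid")
        if sid is None or not sid.isdigit():
            problems.append("line %d: missing or non-numeric sid" % lineno)
            continue
        sid_n = int(sid)
        if sid_n < LOCAL_SID_MIN:
            problems.append("line %d: sid %d is below %d, the range reserved for official rules"
                            % (lineno, sid_n, LOCAL_SID_MIN))
        if sid_n in seen:
            problems.append("line %d: sid %d already used on line %d" % (lineno, sid_n, seen[sid_n]))
        else:
            seen[sid_n] = lineno
        if rule.get("msg") is None:
            problems.append("line %d: no msg option" % lineno)
        if rule.get("rev") is None:
            problems.append("line %d: no rev option" % lineno)
    return problems


if __name__ == "__main__":
    for problem in check_local_rules(SAMPLE_LOCAL_RULES):
        print(problem)
```

Run it on your real file with check_local_rules(open("/etc/snort/rules/local.rules").read()) before restarting the service; it is a pre-check only, and snort -T remains the authoritative test of whether Snort itself accepts the rules.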



To make the rule take effect, you need to restart the Snort service. First check that
the new rule parses (a typo in local.rules otherwise only shows up as the service failing
to come back up):
$ snort -T -c /etc/snort/snort.conf
Then restart the service by typing one of the following commands.
$ service snort restart
or
$ /etc/init.d/snort restart

Triggering an Alert for the New Rule

To trigger an alert for the new rule, you only need to send an ICMP message to the VM
on which Snort is running. First, find the IP address of the VM by typing the following
command.
$ ifconfig
(On newer systems that no longer ship ifconfig, ip addr shows the same information.) For
instance, the screenshot shows the execution result on my VM image, where the IP address
is 172.16.108.242.



Next, open a terminal on your host. If your host is a Windows OS, you can use one of the
following two ways to open a terminal:
1. Press "Win-R", type "cmd" and press "Enter" to open a Command Prompt session using
just your keyboard.
2. Click "Start | Program Files | Accessories | Command Prompt" to open a Command
Prompt session using just your mouse.

Once you have a terminal, type the following command to send ping messages to the VM.
$ ping 172.16.108.242
After you send the ping messages, the alerts should be triggered and you can find the log
records in /var/log/snort/snort.log. Because the rule matches any ICMP packet, both your
echo requests and the VM's echo replies generate alerts, so expect two alerts per ping.
Snort only sees packets on the interface it was started on, so if no alerts appear, check
that it is listening on the interface that carries that IP address. The snort.log file is in
Snort's binary unified2 format, so you need a tool called u2spewfoo to read it:
$ u2spewfoo /var/log/snort/snort.log
On many installs the log file name carries a Unix-timestamp suffix (snort.log.<timestamp>);
if so, run u2spewfoo on the newest one. The screenshot below shows the result of reading
the Snort alerts.



You can see that the SID is 1000001, and the alerts are generated by the ICMP
messages.
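To see what u2spewfoo is decoding, the script below walks a unified2 record stream and pulls out the fields the lab cares about (generator, SID, revision, addresses, ICMP type/code). It is an added example for this handout, not code from the Snort project. It assumes the unified2 layout written by Snort 2.x: a (type, length) record header in network byte order, followed by the legacy IPv4 event record (type 7) or a packet record (type 2); newer record types (for example 104 with VLAN fields, and the IPv6 variants) are reported but not decoded. The sample log is constructed in code, not captured from the VM, and the host address 172.16.108.1 is an assumption.

```python
"""Decode Snort unified2 records, the binary format behind /var/log/snort/snort.log
(added example; layout assumed from Snort 2.x, record types 2 and 7 only)."""
import socket
import struct
from collections import Counter
from typing import Any, Dict, List

UNIFIED2_PACKET = 2
UNIFIED2_IDS_EVENT = 7

RECORD_HDR = struct.Struct("!II")  # type, length
# type 7: sensor_id, event_id, event_second, event_microsecond, signature_id,
# generator_id, signature_revision, classification_id, priority_id, ip_source,
# ip_destination, sport_itype, dport_icode, protocol, impact_flag, impact, blocked
IDS_EVENT = struct.Struct("!11I2H4B")  # 52 bytes
# type 2: sensor_id, event_id, event_second, packet_second, packet_microsecond,
# linktype, packet_length, followed by packet_length bytes of the packet
PACKET_HDR = struct.Struct("!7I")


def ip_to_int(ip: str) -> int:
    return int.from_bytes(socket.inet_aton(ip), "big")


def build_event(event_id, second, sid, gid, rev, src, dst, proto, itype, icode) -> bytes:
    """Serialise one type-7 event record (used only to construct the sample log)."""
    body = IDS_EVENT.pack(0, event_id, second, 0, sid, gid, rev, 0, 3,
                          ip_to_int(src), ip_to_int(dst), itype, icode, proto, 0, 0, 0)
    return RECORD_HDR.pack(UNIFIED2_IDS_EVENT, len(body)) + body


def build_packet(event_id, second, payload: bytes) -> bytes:
    """Serialise the type-2 packet record that Snort writes after an event."""
    body = PACKET_HDR.pack(0, event_id, second, second, 0, 1, len(payload)) + payload
    return RECORD_HDR.pack(UNIFIED2_PACKET, len(body)) + body


def parse_unified2(data: bytes) -> List[Dict[str, Any]]:
    """Walk the record stream and decode event and packet records."""
    records: List[Dict[str, Any]] = []
    off = 0
    while off + RECORD_HDR.size <= len(data):
        rtype, length = RECORD_HDR.unpack_from(data, off)
        off += RECORD_HDR.size
        body = data[off:off + length]
        if len(body) < length:
            # Partial record: Snort is still writing, or the file was cut off.
            raise ValueError("truncated record at offset %d" % (off - RECORD_HDR.size))
        off += length
        if rtype == UNIFIED2_IDS_EVENT and length >= IDS_EVENT.size:
            f = IDS_EVENT.unpack_from(body)
            records.append({
                "type": "event", "event_id": f[1], "event_second": f[2],
                "sid": f[4], "gid": f[5], "rev": f[6], "priority": f[8],
                "src": socket.inet_ntoa(f[9].to_bytes(4, "big")),
                "dst": socket.inet_ntoa(f[10].to_bytes(4, "big")),
                "sport_itype": f[11], "dport_icode": f[12], "protocol": f[13],
            })
        elif rtype == UNIFIED2_PACKET and length >= PACKET_HDR.size:
            h = PACKET_HDR.unpack_from(body)
            records.append({"type": "packet", "event_id": h[1], "linktype": h[5],
                            "packet": body[PACKET_HDR.size:PACKET_HDR.size + h[6]]})
        else:
            records.append({"type": "unknown", "record_type": rtype, "length": length})
    return records


def alerts_by_sid(records: List[Dict[str, Any]]) -> Dict[int, int]:
    """Count events per signature id: the first thing to check after the ping test."""
    return dict(Counter(r["sid"] for r in records if r["type"] == "event"))


def describe(rec: Dict[str, Any]) -> str:
    """One-line summary in the [gid:sid:rev] style used by Snort's alert output."""
    proto = {1: "ICMP", 6: "TCP", 17: "UDP"}.get(rec["protocol"], str(rec["protocol"]))
    return "[%d:%d:%d] %s %s -> %s type/port %d code/port %d" % (
        rec["gid"], rec["sid"], rec["rev"], proto, rec["src"], rec["dst"],
        rec["sport_itype"], rec["dport_icode"])


# Constructed sample: one ping round trip matched by the lab's rule (sid 1000001):
# the echo request from the host (assumed 172.16.108.1) and the echo reply from the
# VM, each followed by its packet record. The packet bytes are a placeholder.
SAMPLE_LOG = (
    build_event(1, 1_700_000_000, 1000001, 1, 1, "172.16.108.1", "172.16.108.242", 1, 8, 0)
    + build_packet(1, 1_700_000_000, bytes(42))
    + build_event(2, 1_700_000_000, 1000001, 1, 1, "172.16.108.242", "172.16.108.1", 1, 0, 0)
    + build_packet(2, 1_700_000_000, bytes(42))
)

if __name__ == "__main__":
    parsed = parse_unified2(SAMPLE_LOG)
    for rec in parsed:
        if rec["type"] == "event":
            print(describe(rec))
    print(alerts_by_sid(parsed))
```

To read the real log, pass open("/var/log/snort/snort.log", "rb").read() to parse_unified2; a ValueError for a truncated trailing record is expected while Snort is still writing, so stop the service or wait for the file to rotate before treating the end of the file as complete.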



Assignments for Lab 7

1. Read the lab instructions above and finish all the tasks.
2. Answer the questions and justify your answers. A simple yes or no answer will not
get any credit.
a. What is a zero-day attack?
b. Can Snort catch zero-day network attacks? If not, why not? If yes, how?
c. Given a network that has 1 million connections daily, where 0.1% (not 10%)
are attacks. If the IDS has a true positive rate of 95%, and the probability that
an alarm is an attack is 95%, what is the false alarm rate? (You may use the
math approach from the slides.)

3. Write a rule that will fire when you browse to craigslist.org or another particular
website from the machine Snort is running on; it should look for any outbound
TCP request to craigslist.org and alert on it.
a. The rule you added (from the rules file)
b. A description of how you triggered the alert
c. The alert itself from the log file (after converting it to readable text)

Extra Credit (3pt): Write and add a snort rule for detecting VPNs; it should trigger an alert
when a VPN service is running on your machine.

Happy Hacking!
