HW4

This document discusses configuring and running the Snort intrusion detection system on an Ubuntu 12.04 system. It installs Snort version 2.9.2, edits the configuration file at /etc/snort/snort.conf to enable the default ruleset, and starts Snort. It checks that Snort is running correctly using ps auxw and grep. The first question is answered by referring to the book "Snort for Dummies" which states that by default Snort saves log files to /var/log/snort.

Uploaded by ahmad5335


Ubuntu 12.04 (precise).

Snort 2.9.2.


#apt-get install snort

#apt-get upgrade

/etc/snort/snort.conf
HOME_NET and EXTERNAL_NET: any.
comment (#).
Ruleset: Snort (Sourcefire).

#/etc/init.d/snort start


#ps auxw | grep snort

[1] Snort for Dummies, Charlie Scott, Paul Wolfe, Bert Hayes

By default Snort saves its log files to /var/log/snort; another directory can be given with -l:
# snort -l alternative_path

Snort log and alert output formats: tcpdump binary and ASCII.

Tcpdump binary (log_tcpdump): packets are logged in tcpdump binary format to a .dump file.
ASCII logging: packets are logged in ASCII (text) form.
Alerts (Step #6):
- alert_fast: the fast alert format; selected with -A fast.
- alert_full: the full ASCII alert format; selected with -A full.
- alert_syslog: alerts are sent to the syslog daemon (alert_syslog) in the fast format.
- alert_csv: comma separated values (alert_csv).

[1] Snort for Dummies, Charlie Scott, Paul Wolfe, Bert Hayes
[2] Snort manuals

#snort -vd -A full -r source_file -c config_file -l destination_folder

-v: verbose mode; prints the IP, TCP, UDP and ICMP packet headers.
-d: dumps the packet (application layer) data; packet logging together with -v.
Logging modes: pcap, ascii, none.
-A: alert mode: fast, full or none; full is used here.
-r: reads the packets from a tcpdump file instead of the network interface.
-c: the configuration file.
-l: the log directory.
root@ubuntu:/# snort -d -A full -r ./root/Desktop/HW4/icmp.tcpdump -c ./etc/snort/snort.conf -l ./root/Desktop/HW4/LOGS

root@ubuntu:/# snort -d -A full -r ./root/Desktop/HW4/udp.tcpdump -c ./etc/snort/snort.conf -l ./root/Desktop/HW4/LOGS

root@ubuntu:/# snort -d -A full -r ./root/Desktop/HW4/tcp.tcpdump -c ./etc/snort/snort.conf -l ./root/Desktop/HW4/LOGS

-v:
1.
2. -d, .tcpdump, -v.
3.
Alert files alert-(icmp|tcp|udp) (No. of alerts): alert-icmp 134, alert-tcp 37, alert-udp 165.
ASCII logging.

icmp.tcpdump: 134, tcp.tcpdump: 37, udp.tcpdump: 165.

1: icmp
2: tcp
3: udp


#!/bin/bash
# Prints the header line of every alert ("[**] [gid:sid:rev] message [**]")
# found in the alert file; it could be the alert-tcp, alert-udp or alert-icmp file.
while read line
do
    ATTACK=$( echo "$line" | grep -P "\[[*]{2}\]$" )
    if [ "$ATTACK" != "" ]; then
        echo "$ATTACK"
    fi
done < alert_file

alert_file is replaced with alert-tcp (or alert-udp, alert-icmp), and the script is saved as alert_count.
4: 336 = 165 + 37 + 134
tcp.tcpdump (number of distinct alerts):
#./alert_count | awk '{$1=$2=""; print}' | sort | uniq -c | wc -l
5: 30 for tcp.tcpdump.

#./alert_count | awk '{$1=$2=""; print}' | sort | uniq -c | sort -rn

6: alert-tcp (the most frequent alert):

#./alert_count | awk '{$1=$2=""; print}' | sort | uniq -c | sort -rn | head -n 1

7: alert-tcp

SHELLCODE x86 setuid 0; ICMP Destination Unreachable Port Unreachable.

SHELLCODE x86 setuid 0: format string.
ICMP Destination Unreachable Port Unreachable: udp scan, services.

The DOS alerts are listed with:
#./alert_count | awk '{$1=$2=""; print}' | sort | uniq -c | sort -rn | grep -P ".*DOS.*"

The alert_count script is run on the icmp, tcp and udp alert files.

alert-icmp:

8: icmp.tcpdump
DOS ath: IP.
DDOS tfn2k: tfn2k (Tribe Flood Network 2000) communicates over ICMP; ICMP id 0, "A", 64.

alert-tcp:

9: tcp.tcpdump
DDOS mstream handler to client: mstream handler; udp 10498, ping.

alert-udp:

10: udp.tcpdump (11, 10)
DoS Ascend Route: udp; 11 + 2 + 2.
TCP, UDP and IP.

HOME_NET is changed from any to 129.105.100.0/24.
EXTERNAL_NET is changed from any to !$HOME_NET.

|3a|: the hex value 3a (the ':' character) written between pipes inside the content string [4] EZ Snort Rules, Find the Truffles, Leave the Dirt, David J. Bianco. The string "PASS |3a| RECV" must be found within 20 bytes (within:20).

alert tcp $EXTERNAL_NET any -> $HOME_NET 8008 (msg: "Worm Ditty!"; content: "|03 0E FE CC A0|"; content: "PASS |3a| RECV"; distance:0; within:20; sid:1000053;)

alert udp $EXTERNAL_NET any -> $HOME_NET 4004 (msg: "Worm Ditty!"; content: "|03 0E FE CC A0|"; content: "PASS |3a| RECV"; distance:0; within:20; sid:1000054;)

The rules are saved as ditty.rules in /etc/snort/rules and included from snort.conf (include).

The configuration is tested with:
#snort -T -c /etc/snort/snort.conf

iptables rules (tcp, udp, IP; tcp 4004):

iptables -t filter -A INPUT -p tcp ! --source 129.105.100.0/24 -d 129.105.100.0/24 --dport 8008 -j DROP -m comment --comment "Worm Ditty"

iptables -t filter -A INPUT -p udp ! --source 129.105.100.0/24 --sport 1:65535 -d 129.105.100.0/24 --dport 4004 -j DROP -m comment --comment "Worm Ditty"
IPTABLES

11: --sport 1:65535 is the same as omitting --sport, which matches any source port.

[1] Snort for Dummies, Charlie Scott, Paul Wolfe, Bert Hayes
[2] Snort manuals
[3] http://Snort.org
[4] EZ Snort Rules: Find the Truffles, Leave the Dirt, David J. Bianco
[5] Network Security Hacks, Andrew Lockhart; O'Reilly
[6] http://ipset.netfilter.org/iptables.man.html