This document provides instructions for exploring the Snort intrusion detection system in a lab setting using Ubuntu virtual machines. It outlines how to install Snort and configure it to monitor a virtual network by [1] defining the home network in the Snort configuration file and [2] writing custom rules to detect specific network traffic patterns and generate alerts. Students are directed to add rules for ICMP ping traffic and outbound connections to snort.org, then test that the rules trigger alerts as expected.

Practical Workbook

Topic
Snort

Air University Islamabad


Lab Intrusion Detection Systems

Introduction
In this lab you will explore the Snort Intrusion Detection System. Students will study Snort
IDS, a signature-based intrusion detection system used to detect network attacks. Snort can also
be used as a simple packet logger. For the purpose of this lab, students will use Snort as a packet
sniffer and write their own IDS rules.

Software Requirements

- The VMWare Software http://apps.eng.wayne.edu/MPStudents/Dreamspark.aspx

- The Ubuntu 14.04 Long Term Support (LTS) Version http://www.ubuntu.com/download/desktop

- Snort: A signature-based Intrusion Detection System https://www.snort.org/#get-started

Starting the Lab Virtual Machine

In this lab, we use Ubuntu as our VM image.

Installing Snort into the Operating System

To install the latest version of Snort, you can follow the installation instructions on the Snort
website. Note that the installation instructions vary between operating systems. The instructions
below show how to install Snort from its source code on Linux.

You can find more information here: https://www.snort.org/#get-started

While installing Snort, your system may be missing some libraries. You need to install the required
libraries too.

Alternatively, install the packaged version with this command:

$ sudo apt-get install snort

To check the network interfaces and note the name of the one you will monitor:

$ ip addr

Configuring and Starting the Snort IDS

After installing Snort, we need to configure it. The configuration file of Snort is stored at
/etc/snort/snort.conf. The screenshot below shows the commands to configure Snort. You need
to switch to root (or use sudo) to gain permission to read the Snort configuration file.

First list the files by using the command

$ ls -l

Use this command to edit the Snort configuration file

$ sudo gedit <config file name>

Inside snort.conf you need to do the following:

Step 1: Locate the HOME_NET variable and change the network address to the IP addresses you are
protecting. It can be a single IP address or a block of IP addresses specified as a CIDR block.
For this lab, please set the address to the block of IP addresses specific to your eth0 interface.

Below "ipvar HOME_NET any" add this line:

ipvar HOME_NET 192.168.74.0/24

Lastly, run sudo snort -T -i ens33 -c /etc/snort/snort.conf to validate the configuration file
(-T tests the configuration and exits; -i names the interface to listen on, so substitute the
interface name shown by ip addr, for example eth0, if yours differs).

If you are doing everything correctly, you should see the last two lines as:

Snort successfully validated the configuration

Snort exiting
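As an added example that is not part of the lab handout, the following Python script carries out the HOME_NET step above on constructed input: it reads the interface's IPv4 address from sample ip addr output, derives the CIDR block of the network (the host address 192.168.74.131/24 becomes 192.168.74.0/24), and rewrites the ipvar HOME_NET line in a snort.conf fragment in place, so the file is left with a single definition. The ip addr output, the MAC address and the snort.conf fragment are all constructed samples.

```python
import ipaddress
import re

# Constructed 'ip addr' output for the lab VM's interface (not a real capture).
IP_ADDR_OUTPUT = """\
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP
    link/ether 00:0c:29:aa:bb:cc brd ff:ff:ff:ff:ff:ff
    inet 192.168.74.131/24 brd 192.168.74.255 scope global ens33
"""

# Constructed fragment of snort.conf around the HOME_NET variable.
SNORT_CONF = """\
# Setup the network addresses you are protecting
ipvar HOME_NET any
ipvar EXTERNAL_NET any
"""

def interface_network(ip_addr_text, iface):
    """Return the CIDR block (e.g. 192.168.74.0/24) of iface's IPv4 address."""
    pattern = re.compile(r"^\s*inet\s+(\S+)\s+.*\b" + re.escape(iface) + r"\s*$", re.M)
    m = pattern.search(ip_addr_text)
    if not m:
        raise ValueError(f"no IPv4 address found for {iface}")
    # ip_interface().network turns a host address such as 192.168.74.131/24
    # into its network address, 192.168.74.0/24, which is what HOME_NET needs.
    return str(ipaddress.ip_interface(m.group(1)).network)

def set_home_net(conf_text, cidr):
    """Replace the 'ipvar HOME_NET ...' line so exactly one definition remains."""
    new, count = re.subn(r"(?m)^ipvar HOME_NET .*$", f"ipvar HOME_NET {cidr}", conf_text)
    if count != 1:
        raise ValueError(f"expected exactly one HOME_NET definition, found {count}")
    return new

if __name__ == "__main__":
    cidr = interface_network(IP_ADDR_OUTPUT, "ens33")
    print(set_home_net(SNORT_CONF, cidr))
```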

Snort Rules

Snort is a signature-based IDS, and it uses rules to detect intrusions. All Snort rules are
stored under the /etc/snort/rules directory. The screenshot below shows the files that contain
Snort's rules.

To configure rules, you need to edit the local rules file, /etc/snort/rules/local.rules.

In the rule file, write a rule so that Snort will generate an alert on ICMP traffic to your home network:

alert icmp any any -> $HOME_NET any (msg:"Testing ICMP alert"; sid:1000001; rev:1;)

Again, run the validation command to validate the configuration.
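As an added example that is not part of the lab handout, here is a small Python lint for a local.rules file. It parses each rule into its header (action, protocol, source, source port, direction, destination, destination port) and its key:value options, and then checks the two things that most often make a freshly written local rule fail validation or silently collide with another: a missing sid, and a sid that is either duplicated or below 1,000,000, the range reserved for official rule sets. The sample rules file is constructed: it contains the lab's ICMP rule plus two deliberately faulty lines for the lint to catch.

```python
import re
# Constructed sample local.rules: this lab's ICMP rule plus two faulty lines
# (a duplicated sid and a sid in the reserved range) for the lint to catch.
SAMPLE_LOCAL_RULES = """\
# constructed sample, not the lab's real local.rules
alert icmp any any -> $HOME_NET any (msg:"Testing ICMP alert"; sid:1000001; rev:1;)
alert tcp $HOME_NET any -> any 80 (msg:"Duplicate sid"; sid:1000001; rev:1;)
alert udp any any -> $HOME_NET 53 (msg:"Reserved sid"; sid:42; rev:1;)
"""

# Rule header: action proto src_ip src_port direction dst_ip dst_port (options)
RULE_RE = re.compile(
    r"^(?P<action>alert|log|pass|drop|reject|sdrop)\s+(?P<proto>tcp|udp|icmp|ip)\s+"
    r"(?P<src>\S+)\s+(?P<sport>\S+)\s+(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)"
    r"\s*\((?P<opts>.*)\)\s*$")
LOCAL_SID_MIN = 1_000_000  # sids below this are reserved for official rule sets

def parse_rule(line):
    """Split one rule into (header dict, options dict); None if it is not a rule."""
    m = RULE_RE.match(line.strip())
    if not m:
        return None
    opts = {}
    for opt in m.group("opts").split(";"):  # assumes no ';' inside the msg text
        key, _, value = opt.strip().partition(":")
        if key:
            opts[key] = value.strip().strip('"')
    header = {k: m.group(k) for k in ("action", "proto", "src", "sport", "dir", "dst", "dport")}
    return header, opts

def lint_rules(text):
    """Return [(line_no, problem)] for a local.rules-style text; [] means clean."""
    problems, seen = [], {}
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue  # blank lines and comments are fine
        parsed = parse_rule(line)
        if parsed is None:
            problems.append((n, "does not parse as a Snort rule"))
            continue
        sid = parsed[1].get("sid", "")
        if not sid.isdigit():
            problems.append((n, "missing or non-numeric sid"))
        elif int(sid) < LOCAL_SID_MIN:
            problems.append((n, f"sid {sid} is in the range reserved for official rules"))
        elif sid in seen:
            problems.append((n, f"sid {sid} already used on line {seen[sid]}"))
        else:
            seen[sid] = n
    return problems
```

Running lint_rules(SAMPLE_LOCAL_RULES) reports the duplicate on line 3 and the reserved sid on line 4; the lab's own ICMP rule on line 2 passes.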

Lastly, run Snort in IPS mode and tell it to output any alerts to the console by running the following
command:

Now Snort will capture packets according to your rules and generate alerts on the console.

Run the ping command on another system to generate ICMP traffic. The target should be the system on
which Snort is running.

You will get this output:

Assignments for Lab

1. Read the lab instructions above and finish all the tasks.

2. Write and add another Snort rule and show that you triggered it, including:

a. The rule you added (from the rules file)

b. A description of how you triggered the alert

Question No. 2: Write a rule that will fire when you browse to snort.org from the machine Snort
is running on; it should look for any outbound TCP request to snort.org and alert on it.
