SnortCP - 20 - Lab Answers

The document provides lab answers and instructions for configuring and using the Snort intrusion detection system. It covers installing and configuring Snort, Barnyard2, and PulledPork. The labs guide students through tasks like database configuration, enabling unified output, and updating Snort rules.


http://it4training.com

Lab Answers for Snort

Module 3: Snort Installation


The lab for this module is to perform the installation and configuration of the following:

o Snort

o Snort startup scripts

Successful completion of this exercise would yield a fully functional Snort installation with a GUI application
(BASE) to view alert data and a database with which to store alert data.
Module 4: Managing Unified Output with Barnyard2

Lab #1: Barnyard2 Installation

Lab #2: Database Configuration


In order to prepare your installation for Barnyard2, prepare the MySQL database as outlined in the chapter.

Lab #3: BASE Installation

Follow the directions in the chapter to install and configure BASE.

Lab #4: Barnyard2 Configuration


In order to prepare your installation for Barnyard2, make the following change to your Snort configuration
file:

o Add the unified2 output plug-in

Next, make the following edits to the Barnyard2 configuration file:

o Set the hostname and interface directives in the Barnyard2 configuration file as follows:

config hostname: snortbox
config interface: eth1

o Uncomment the following entries and modify as needed:

config waldo_file: /tmp/waldo
config archivedir: /tmp
config process_new_records_only

o Set the Barnyard2 database output plug-in as follows:

output database: log, mysql, user=snort password=password dbname=snort host=localhost
With these changes in place, you must restart the Snort process so Snort can read in its new configuration.
Once you complete the Barnyard2 configuration, you can start Barnyard2 with the following command:

barnyard2 \
-c /etc/snort/barnyard2.conf \
-d /var/log/snort \
-f merged.log

At this point, Barnyard2 should start in the console window. You can generate some traffic using the
scanning tools on student desktop and attila to generate some alerts. To stop the Barnyard process, press
[Ctrl]+[C] in the console window where you started the Barnyard process.

Lab #5: Implementing the Barnyard2 Startup Script

The student guide provides details on how to use chkconfig to have barnyard2 start as a daemon.

Module 5: Operating Snort

Lab #1: Operating Snort

In this lab you use the examples in the Snort Operation section of the module to produce various forms of
output with Snort at the command line. The following tasks are specified in the lab:

o Using BPF - Issue the command shown below and initiate an FTP session between student desktop
and bleda.

[root@snortbox local]# snort -i eth1 -dev host 192.168.10.90 and tcp port 21

You should see the captured packets displayed in your console window. Verify that they are part of
the FTP session you initiated and not general network traffic.

o Log binary packet data - Use the command shown below to capture traffic:

[root@snortbox local]# snort -i eth1 -b -l /var/log/snort -L classroom.log

Use the tools you have available to generate some network traffic. Also, initiate another FTP session
to bleda from student desktop.

o Read in the captured data - Read the pcap file you created in the previous step and apply a BPF to
display just the FTP session data with the following command:

[root@snortbox local]# snort -dev -r /var/log/snort/classroom.log.[time stamp] port 21

o Locate the Snort startup script and review - Issue the commands shown below and observe the
configuration options.

[root@snortbox local]# less /etc/init.d/snortd

[root@snortbox local]# less /etc/sysconfig/snort

The /etc/sysconfig/snort file is a resource file used by the init script.

o Test the Snort configuration file - Use the command shown below to test the Snort
configuration.

[root@snortbox local]# snort -c /etc/snort/snort.conf -T

Review the output to become familiar with the feedback provided during startup.

Module 5: Snort Configuration

Lab #1: Configure Your IDS/IPS Installation

In this lab, you configure various aspects of the primary Snort configuration file: snort.conf

o Set the $HOME_NET variable

ipvar HOME_NET [192.168.133.0/24,192.168.10.0/24]

o Create variables for the host attila and the DMZ

ipvar ATTILA 192.168.133.50
ipvar DMZ 192.168.10.0/24

o Restart Snort with the following command:

service snortd restart

Module 6: Preprocessor Configuration

Lab #1: Configuring Preprocessors

The completed sfPortscan preprocessor configuration should look as follows:

preprocessor sfportscan: proto { all } memcap { 10000000 } sense_level { low } watch_ip { 192.168.133.0/24 } scan_type { all }

Restart Snort with the following command:

service snortd restart

From a PuTTY session on attila, perform an nmap scan:

[root@attila ~]# nmap -sS -O 192.168.133.1,60,253 192.168.10.90,99,253

Examine the Portscan alerts in the BASE console.

Lab #2: Stream Reassembly

This lab uses a pre-configured Snort configuration file to read and process a PCAP file that contains an FTP
session capture. The configuration file contains two rules:

o One that triggers a rule with client-side reassembly enabled and a client-side content match

o One that triggers a rule with server-side reassembly enabled and a server-side content match

To perform this lab, you issue a command that displays the alert data in the console window with a
command line switch that shows the reassembled session data along with the alert. The client-side alert
shows the reassembled client-side session data, and the server-side alert shows the reassembled server-side
session data.
Lab #3: Reassembly Policy

This lab uses a pre-configured Snort configuration file that sets up a reassembly policy of BSD. To execute
the lab, you issue a command that has Snort read in two PCAP files:

o One file contains a session from a BSD-based host

o The other file contains a session from a host that uses the first packet it sees for TCP reassembly and
ignores subsequent packets if there is an overlap (several operating systems exhibit this behavior)

Since the Snort reassembly policy is set to perform BSD-style reassembly, the alert data displayed in the
console after running the command shows a correctly reassembled session, as indicated by the complete
alphabet in the session payload. The alert that triggers for the PCAP from the first-packet-style host shows
that some of the letters of the alphabet are missing from the session payload. This indicates that when the
Snort reassembly policy matches the host's behavior, the session is rebuilt properly, whereas the session
data from the other host is not.

Module 8: Keeping Rules Up To Date


Lab #1: PulledPork Installation

Install the PulledPork application per the instructions outlined in the student guide.

Lab #2: PulledPork Configuration Lab


In this lab, you perform the following tasks:

o Configure the PulledPork configuration file to grab an updated rule set from the host Snortbox in
your virtual network infrastructure. Make the entries outlined in the lab section of the student
guide.

Lab #3: Modify the Optional Settings

Configure the snort.conf as directed in the lab.

Lab #4: Modify the snort.conf

Configure the snort.conf as directed in the lab.

Lab #5: Modify the disablesid.conf

Configure the disablesid.conf as directed in the lab.

Lab #6: Run the Rule Update

o Run the update with the following command:

[root@snortbox local]# pulledpork.pl -c /etc/pulledpork/pulledpork.conf -vv

The -vv allows us to see the actions that are occurring. Restart Barnyard2 and Snort:

service snortd restart && service barnyard2 restart

Lab #7: Verify the update

o Verify the rule count by examining /var/log/messages for the string "Snort rules read":

cat /var/log/messages | grep "Snort rules read"

There will be multiple entries; however, there should be a difference between the last entry and the others.
Do not be alarmed if the total number of rules is slightly lower after an update. The VRT may occasionally
streamline rulesets to take advantage of new features in Snort, resulting in the same detection with fewer
rules.

Module 9: Rules

Lab #1: Writing Custom Rules

Edit your local.rules file on snortbox so it contains the following rules:

o A simple content match rule using your first name.

o A second rule that matches on your first name and is several bytes deeper into the payload.
Augment the rule with offset and depth constraints.

o A third rule with multiple content statements using your first and last name. Place the second
content statement a distance of 2 bytes from the first content statement. Constrain the first content
with offset/depth and the second with distance/within,

o Move the content in the payload to see what it takes to break the rule.

You will use the UDPflood tool on student desktop to enter content into the payload and deliver the
packets.

1. Assuming your name is Joe Smith, the first rule would look as follows:

alert udp any any -> any any (msg:"Lab rule 1"; content:"joe"; \
nocase; sid:1000000; )

2. Assuming you have moved the content to start at the 3rd byte in the payload, your next rule would
look as follows:

Payload: _ _ J o e

alert udp any any -> any any (msg:"Lab rule 2"; content:"joe"; \
offset:2; depth:3; nocase; sid:1000001; )

3. Assuming you keep your content in the same position and you put the next content statement a
distance of 2 from the previous content statement, your rule would look as follows:

Payload: _ _ J o e _ _ s m i t h

alert udp any any -> any any (msg:"Lab rule 2"; content:"joe"; \
offset:2; depth:3; nocase; content:"smith"; distance:2; within:5; \
nocase; sid:1000002; )

4. For the last portion of the lab, experiment with moving the content to different parts of the payload
and adjusting your rule accordingly.
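
To predict what it takes to break each rule before you send packets with UDPflood, here is an added Python helper (not part of the lab materials) that re-implements Snort's content, offset/depth, distance/within and nocase semantics and applies them to constructed UDP payloads. It parses the content clauses out of the three rules above (msg strings shortened) and reports whether each rule would fire for a given placement.

```python
# Added example: a small model of Snort's content-modifier semantics, used to
# reason about the lab rules. Rule text follows the answer key; payloads are
# constructed for illustration and are not captured traffic.
RULE1 = 'alert udp any any -> any any (msg:"Lab rule 1"; content:"joe"; nocase; sid:1000000;)'
RULE2 = ('alert udp any any -> any any (msg:"Lab rule 2"; content:"joe"; '
         'offset:2; depth:3; nocase; sid:1000001;)')
RULE3 = ('alert udp any any -> any any (msg:"Lab rule 3"; content:"joe"; '
         'offset:2; depth:3; nocase; content:"smith"; distance:2; within:5; '
         'nocase; sid:1000002;)')


def options_of(rule):
    """Return the option text between the outermost parentheses of a rule."""
    return rule[rule.index("(") + 1 : rule.rindex(")")]


def parse_contents(options):
    """Group each content pattern with the modifiers that follow it.
    Only the keywords used in this lab are handled; patterns must not contain ';'."""
    contents = []
    for item in options.split(";"):
        key, _, value = item.strip().partition(":")
        key, value = key.strip(), value.strip()
        if key == "content":
            contents.append({"pattern": value.strip('"').encode(), "nocase": False})
        elif key == "nocase":
            contents[-1]["nocase"] = True
        elif key in ("offset", "depth", "distance", "within"):
            contents[-1][key] = int(value)
    return contents


def rule_matches(payload, contents):
    """True if every content clause is found inside its own search window.
    offset/depth count from the start of the payload; distance/within count
    from the end of the previous match, which is how Snort evaluates them."""
    prev_end = 0
    for c in contents:
        if "distance" in c or "within" in c:
            start = prev_end + c.get("distance", 0)   # relative clause
        else:
            start = c.get("offset", 0)                # absolute clause
        length = c.get("within", c.get("depth", len(payload)))
        window, needle = payload[start:start + length], c["pattern"]
        if c["nocase"]:
            window, needle = window.lower(), needle.lower()
        hit = window.find(needle)
        if hit < 0:
            return False                               # pattern not in window
        prev_end = start + hit + len(needle)
    return True


def fires(rule, payload):
    return rule_matches(payload, parse_contents(options_of(rule)))


def demo():
    """Constructed payloads showing which placements keep each rule firing."""
    return {
        "rule1: name anywhere, any case": fires(RULE1, b"hello JOE here"),
        "rule2: joe at byte 2": fires(RULE2, b"xxjoe"),
        "rule2: joe at byte 3 (outside offset/depth)": fires(RULE2, b"xxxjoe"),
        "rule3: smith exactly 2 bytes after joe": fires(RULE3, b"xxjoe--smith"),
        "rule3: smith 1 byte after joe": fires(RULE3, b"xxjoe-smith"),
        "rule3: smith 3 bytes after joe": fires(RULE3, b"xxjoe---smith"),
    }


if __name__ == "__main__":
    for case, fired in demo().items():
        print(f"{'FIRES ' if fired else 'silent'}  {case}")
```

Note that within:5 with a five-byte pattern leaves no slack, so "smith" must sit exactly two bytes after "joe"; widening within is what lets the third rule tolerate extra padding.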

Module 10: Using PCRE in Rules

Lab #1: Using PCRETEST to Test Regex Options

Use the PCRETEST tool to test the regular expression examples illustrated in the module. You can
experiment with variations of the examples to get a feel for what you can and cannot do with RegEx.

Lab #2: Use PCRETEST to Test a Custom Regular Expression

You want to identify when someone tries to obfuscate a directory change within FTP. The command in question would
normally be transmitted as CWD test. Someone is trying to bypass detection by doing the following:

CWD /./test

CWD /././test

CWD /./././test

The following regular expression is one solution:

/CWD\s(\/\.)+\/test/



Lab #3: Writing Rules That Contain PCRE

Write a rule that triggers when someone attempts to access the "test" directory on bleda's FTP server
with the techniques above. Keep in mind that when you issue the command from the FTP client it is cd
/./test; what gets transmitted is CWD /./test.

o A sample rule is shown below:

alert tcp any any -> any 21 (msg:"PCRE Rule Lab"; \
pcre:"/CWD\s(\/\.)+\/test/"; sid:1000004; )

o To test the rule, you can use the directions in the lab to verify if the rule triggers.

Lab #4: Use PCRETEST To Test a Custom Regular Expression

This lab instructs you to create a regular expression that matches on a Social Security Number with the
following caveats:

o It must match with dashes used as delimiters

o It must match with spaces used as delimiters

o It must match with no delimiters

o The delimiters, if used, must be the same

The following regular expression is one solution:

/\d{3}([ -]?)\d{2}\1\d{4}/

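The following added Python snippet (not from the lab materials) exercises the Lab #2 and Lab #4 regular expressions with Python's re module, whose syntax accepts these two PCRE patterns, over constructed sample strings, so the behaviour of each answer is visible without PCRETEST. It also shows, as a constructed case, that neither pattern is anchored: the SSN expression matches inside a longer digit run and the CWD expression matches "/./testing", which matters when tuning false positives.

```python
import re

# Added example: the two PCRE answers from Labs #2 and #4, unchanged, compiled
# with Python's re module. All sample inputs below are constructed.
CWD_OBFUSCATION = re.compile(r"CWD\s(\/\.)+\/test")   # Lab #2 answer
SSN = re.compile(r"\d{3}([ -]?)\d{2}\1\d{4}")          # Lab #4 answer


def cwd_obfuscated(ftp_command):
    """True when a CWD to /test is padded with one or more '/.' segments."""
    return CWD_OBFUSCATION.search(ftp_command) is not None


def looks_like_ssn(text):
    """True when text contains ddd?dd?dddd; the backreference to group 1
    enforces the caveat that both delimiters, if present, must be the same."""
    return SSN.search(text) is not None


def cwd_samples():
    # FTP commands as they would appear on the wire (constructed).
    return {cmd: cwd_obfuscated(cmd) for cmd in (
        "CWD /./test",        # one padding segment: match
        "CWD /././test",      # two segments: match
        "CWD /./././test",    # three segments: match
        "CWD test",           # plain form the lab describes: no match
        "CWD /test",          # no '/.' padding: no match
        "CWD /./testing",     # caveat: not anchored, so this matches too
    )}


def ssn_samples():
    return {s: looks_like_ssn(s) for s in (
        "123-45-6789",        # dashes: match
        "123 45 6789",        # spaces: match
        "123456789",          # no delimiters: match
        "123-45 6789",        # mixed delimiters: rejected by the backreference
        "acct 9876543210",    # caveat: a longer digit run still contains a match
    )}


if __name__ == "__main__":
    for table in (cwd_samples(), ssn_samples()):
        for sample, matched in table.items():
            print(f"{'match   ' if matched else 'no match'}  {sample!r}")
```
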
Module 12: Basic Snort Tuning

Lab #7: Using Event Filtering


The student guide provides a step-by-step walkthrough of how to set up event filter rules. Follow the
instructions as presented in the student guide to configure event filtering.

Lab #2: Using Suppression

The student guide provides a step-by-step walkthrough of how to set up suppression rules. Follow the
instructions as presented in the student guide to configure suppression rules.

Lab #1: Install Swatch

Using the instructions outlined in the student guide, install Swatch. Use the commands given to install
Swatch from source.

Lab #2: Actively Responding to Snort Alerts with Swatch

Using the instructions outlined in the student guide, configure and test Swatch.

Lab #3: Execute a Script with Swatch

Assuming you have Swatch and Snort working together properly, this lab gives you an opportunity to
execute a preconfigured script in response to an alert. Follow the instructions in the manual to create an
IPTables entry automatically. Be sure to execute swatch from the /etc/snort directory.

Module 14: Building a Snort IPS

This module provides explicit step-by-step instructions for building an inline Snort IPS installation. Carefully
review each of the steps to make sure everything you need is in place and configured correctly.

Lab #1: Using the Drop Action

This lab demonstrates one of the key capabilities of an inline installation, which is the ability to block or drop
offending connections.

In your /etc/snort/rules/local.rules file, add the following rule:

drop icmp $EXTERNAL_NET any -> 192.168.10.90 any (msg:"Drop ping to Bleda"; sid:1000010;)

With this rule, you should be able to ping lamp, but not bleda.

Lab #2: Replacing Content

Another interesting capability of an inline sensor is the ability to replace content as it passes through the
sensor if a rule is triggered. This lab demonstrates that capability. In this lab, you will write a rule that
triggers when it detects an FTP connection in which the client attempts to enter the 'test' directory on
bleda's FTP server. When this condition is detected, it will replace the string 'test' with the string 'best'.

In your local.rules file, add the following rule:

alert tcp any any -> 192.168.10.90 21 \
(msg:"Replace content lab"; content:"cwd test"; nocase; replace:"CWD best"; sid:1000011;)

Test the rule as indicated by the student guide.

Module 15: Building a Distributed Snort Installation

This module provides detailed instructions on how to build a distributed installation in which multiple Snort
sensors report back to a common database. This installation includes secure, encrypted communications
between all of the hosts in this framework.

Lab #1: Perform the Distributed Installation

Using the procedures outlined in the student guide, perform the distributed installation. Once the
installation is complete, you can test it as described in the module by sending scans from attila and student
desktop, and using the class_test.pl script on attila to generate alerts.

If the installation is working properly, you should see alerts from both of the sensors displayed in the BASE
interface on the LAMP server.

Module 16: Miscellaneous Alerting and Detection Features

Lab #1: Implementing a Host Attribute Table

The goal of this lab is to use the host attribute table to define a host that is running multiple HTTP services
on different ports and implement a rule that triggers on any of the HTTP services running on that host even
if the destination port of the rule only specifies port 80.

The Host Attribute Table file is already configured. It has defined a host at IP address 192.168.133.253 as
having HTTP services on ports 80 and 10000.

The rule you would write to trigger events on either of the ports is as follows:

alert tcp any any -> 192.168.133.0/24 80 \
(msg:"Host Attribute Table Lab"; metadata: service http; sid:1000100;)

Next, you must configure the snort.conf file with a pointer to the host attribute table file. The entry should
look as follows:

attribute_table filename /etc/snort/attrib-table.xml

After you restart the Snort process, follow the instructions in the lab for triggering the alert and reviewing
the event feedback to test whether or not your rule triggered properly.

Module 17: Alert Database Management

Lab #1: Exploring the Database

Use the examples given in the student guide under the Basic MySQL Commands section to explore the
database schema for the Snort database on lamp.

Lab #2: Backing up Your Database

The student guide provides detailed step-by-step instructions on how to perform a backup. Reference the
guide to perform this lab.

Lab #3: Creating an Archive Database

Use the procedure outlined in the student guide under the Archive Database section to create an archive
database. When the archive database is ready, use the BASE interface to move alert data into and out of the
archive database.

Lab #4: Creating Alert Groups

Use the procedures outlined in the student guide under the General Alert Management section to create
and use an alert group.

Lab #5: Database Maintenance

Remove alert records using the interface provided.

Module 18: Sensor Performance & Performance Monitoring

Lab #1: Profiling Lab

Use the information provided in the Performance Profiling section to configure both rule and preprocessor
profiling.

Lab #2: Testing Rules with Perfprofiling

Use the instructions outlined in the student guide for testing the perfprofiling features.

Linux Commands

System Commands

date [MMDDhhmm] - Set system date and time to the current month, day, hour, minute.

ifconfig -a - List information for all Ethernet interfaces.

ifconfig eth0 - List information for just eth0.

kill -9 <pid> - Kill a process by process id (found by using grep or pgrep).

ln -s /folder1/file1 /folder2/file2 - Create a symbolic link between a target file (1) and
another location/directory (2).

man <cmd> - Open the help file for the specified command.

netstat -ltn - Show which processes are running, their names and ports.

ps -ef | grep <string> - Used to search to see if a process is running; i.e., snort.

pgrep <string> - A shortened version of the above command; shows only the PID.

service <service name> start|stop|restart - Used to start, stop or restart a service.
(Linux and Fedora O/S's only.)

tail <filename> - Read the last 10 lines of a file.

tail -f <filename> - Read the last 10 lines of a file and keep the file 'open'.

cp <path/file> <path/file> - Copy a file.

less <filename> - Open a file (read only) with the ability to scroll 'up' and 'down'.

more <filename> - Open a file (read only) and format (size) to window.

rm [filename] [directory] - Delete the listed file or directory.

rm -rf [filename] [directory] - Same as above, but recursive and without prompting.

mv </path/file> </path/file> - To rename a file.

tar -zxvf <path>/<file> - To untar a file from anywhere to the current directory.

Tar options: -z: gzip; -x: extract; -v: verbose; -f: file.

Basic VI/VIM Commands

Command     Operation

File Actions:

:q          Exit file, do not save changes
<shift>ZZ   Close file and save changes
:wq         Close file and save changes

Text Editing Actions:

a           Insert character(s) following current cursor position
A           Insert character(s) at end of current line
i           Insert character(s) before current cursor position
I           Insert character(s) at the beginning of the current line
o           Insert line after current line
O           Insert line before current line
r           Replace only the current cursor position
R           Replace 'n' characters from the current position until <Esc>
$           Go to end of current line
dd          Delete the current line
#dd         Delete (#) number of lines from the current line
x           Delete single character at current cursor position
#x          Delete '#' of characters from cursor position forward
/<text>     Search the file for the selected text
#G          Move to line number #
<shift>G    Go to bottom of file
gg          Go to top of file

Linux Path and File Information for a Snort Installation

/ (root)
|--- /etc ------------|--- rc1.d (single user mode)
|                     |--- rc2.d
|                     |--- rc3.d (startup in CLI environment)
|                     |--- rc4.d                          } Actually a symbolic
|                     |--- rc5.d (startup in GUI)         } link: /etc/rc.d/...
|                     |--- rc6.d (shutdown)
|                     |--- /etc/init.d (startup scripts)
|                     |--- /etc/snort
|                     |--- /etc/snort/rules
|                     |--- /etc/sysconfig/snort (snort startup config file)
|--- /bin
|--- /sbin
|--- /usr ------------|--- /usr/local -----|--- /usr/local/src (class software)
|                     |--- /usr/bin        |--- /usr/local/bin (Snort binary)
|                     |--- /usr/sbin
|--- /var ------------|--- /var/log -------|--- /var/log/snort
                      |--- /var/www/html --|--- adodb
                                           |--- base-1.4.5

Folder            File(s)
/etc/snort        Contains the Snort configuration file 'snort.conf' as well as several
                  '*.config' and '*.map' files. The Barnyard 'conf' file will also be placed here.
/etc/sysconfig    Contains the 'snort' file used at Snort startup. Read by the snortd script.
/etc/rc1.d        Startup folder with the S99snortd entry that is linked to /etc/init.d/snortd to
                  start Snort at system startup.
/var/log          The "messages" file can be read to see latest process activity.
/var/log/snort    Location of Snort 'Alert', 'Log' and 'Unified' files.
/etc/init.d       Linux startup scripts, e.g. mysql, snortd
/etc/snort/rules  Default Snort rule files as well as the "local.rules" file
/usr/local        Location of untar'd applications (Snort, PCRE, libpcap, libnet, etc.)
/usr/local/src    Location of all the S/W we use in class
/usr/local/bin    Location of the Snort binary. Linked to /usr/sbin.
/bin & /sbin      System O/S binaries

Thank you for selecting Sourcefire as your security education partner. We hope you found this class
informative and enjoyable. In order to keep Sourcefire training at the security forefront, please complete
this evaluation form. For additional questions or comments email [email protected] or call
734-743-6550.

1. Name:

2. Write the name of the class you are in:

3. I understood the prerequisites for this class.

[ ] Strongly Agree [ ] Agree [ ] Disagree [ ] Strongly Disagree [ ] N/A

4. The training team was helpful and courteous during the registration process.

[ ] Strongly Agree [ ] Agree [ ] Disagree [ ] Strongly Disagree [ ] N/A

5. The written courseware materials were informative and easy to follow.

[ ] Strongly Agree [ ] Agree [ ] Disagree [ ] Strongly Disagree [ ] N/A

6. The course provided "real world" examples that I can use in my day-to-day
environment.

[ ] Strongly Agree [ ] Agree [ ] Disagree [ ] Strongly Disagree [ ] N/A

7. The classroom labs were challenging and helped me better understand the
product features and functionality.

[ ] Strongly Agree [ ] Agree [ ] Disagree [ ] Strongly Disagree [ ] N/A

8. The instructor was knowledgeable and informative on the subject matter.

[ ] Strongly Agree [ ] Agree [ ] Disagree [ ] Strongly Disagree [ ] N/A

9. Overall, I was satisfied with the instructor.

[ ] Strongly Agree [ ] Agree [ ] Disagree [ ] Strongly Disagree [ ] N/A

10. The training room was technically well equipped and functioned well.

[ ] Strongly Agree [ ] Agree [ ] Disagree [ ] Strongly Disagree [ ] N/A

11. Breaks and catering were appropriate and met

[ ] Strongly Agree [ ] Agree [ ] Disagree [ ] Strongly Disagree [ ] N/A

12. The overall atmosphere of the training room was very comfortable and promoted
a good learning environment.

[ ] Strongly Agree [ ] Agree [ ] Disagree [ ] Strongly Disagree [ ] N/A

13. I clearly understood the objectives of this course and my expectations were met.

[ ] Strongly Agree [ ] Agree [ ] Disagree [ ] Strongly Disagree [ ] N/A

14. Overall, I would recommend this course to others.

[ ] Strongly Agree [ ] Agree [ ] Disagree [ ] Strongly Disagree [ ] N/A

15. What did you like about this course?

16. Do you have any suggestions on what should be added or removed from this
course?

17. Would you be willing to act as a reference for this training program? If yes,
please provide your contact information below.

18. Would you be interested in seeing a Sourcefire Demo or speaking to a sales
representative? If yes, please provide your contact information below.