
Lab9 SNORT

We will be using the SNORT NIDS in this assignment. It is easy to install and use on Linux-based systems. If
you have a Linux machine, you don't need to use Deterlab for this assignment. If you don't have one, reserve a
machine in Deterlab and use it for this assignment (reserve one or two machines).

You can use the NS file below (to reserve 2 nodes):

-------------------------------- SNORT.ns -----------------------------------
set ns [new Simulator]
source tb_compat.tcl

# Two Ubuntu 18.04 nodes; one runs Snort, the other generates the traffic to inspect
set node1 [$ns node]
set node2 [$ns node]
tb-set-node-os $node1 Ubuntu1804-64-STD
tb-set-node-os $node2 Ubuntu1804-64-STD

# Optional settings, left commented out
#tb-set-node-memory-size $node1 512
#tb-set-node-memory-size $node2 512
#tb-set-node-startcmd node0 startupcmd

# A single 100 Mbps, zero-delay link between the two nodes
set link0 [$ns duplex-link $node1 $node2 100000.0kb 0.0ms DropTail]

$ns rtproto Static
$ns run
-------------------------------------------------------------------------------------------------------------------

Step 1: Install and configure Snort

$ sudo apt-get install snort

Read the comments in /etc/snort/snort.conf carefully and pay attention to the definitions of the variables
HOME_NET and EXTERNAL_NET.
You can test the configuration with:

$ sudo snort -T -c /etc/snort/snort.conf

Then try running Snort as root. With no options (sudo snort) it runs in monitoring mode; the image below
shows the output after pinging the node.

$ sudo snort -c /etc/snort/snort.conf

Watch the output carefully and address any errors in your config file. (Hint: some of the default .rules files
use a deprecated format; comment those files out in the config file.) Keep re-running Snort until it works
correctly.

The command to run Snort in IDS mode:

$ sudo snort -q -A console -c /etc/snort/snort.conf


Step 2: Read about Snort's signature syntax in the Snort User's Manual, which is located on the class wiki. In
particular, be sure to review the meta-data options, reference and sid. Once you are somewhat familiar with the
rule language, read through some of the web attack rules files. These are the files named web-*.rules under
/etc/snort/rules/. Follow the references listed in a few of the rules and read about the type of attack
the specific signatures are designed to detect.

The file local.rules exists for users to add their own rules (it is empty by default). We will add our
experimental rules to this file.

The image below shows an example of two rules added to local.rules.


Optional: you can create a new rule file for our testing.

Try adding rules to your new rule file.

Make sure you add your rule file to the config (you can also do that on the command line).
Now, select two web attack signatures that seem straightforward to understand. It is simpler if you
select a signature that looks for "evil" data in an HTTP URL string. Log into your Windows server and open a
browser. Based on the documentation provided with the signature you have selected, attempt to trigger the
Snort signature by making an HTTP request which contains an attack string that should be detected.

Next, verify in your Snort logs that your attack triggered an alert. (Hint: /var/log/snort/)

Step 3: Snort also allows us to write custom rules. Open the file /etc/snort/rules/local.rules and add one rule
that detects each visit to www.google.com made by the virtual machine. The rule should look for any
outbound TCP traffic going to port 80 that contains the pattern "www.google.com" in the URL, and trigger
an alert when it gets a match. Give the rule a SID of 1000000 or higher. Then visit Google with a web browser
and check whether your rule triggered an alert.

Record screenshots of the steps you took to write and test your Google rule.
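As an added illustration (not part of the lab handout), the Python below walks through how the header fields and the content/nocase/sid options of a Step 3 style rule are applied to one request; SNORT_VARS, GOOGLE_RULE and VISIT are constructed sample values, and the matcher covers only the options that rule uses rather than how Snort itself evaluates rules.

```python
import ipaddress
import re

# Constructed ipvar bindings standing in for HOME_NET / EXTERNAL_NET in snort.conf.
SNORT_VARS = {"HOME_NET": "10.1.1.0/24", "EXTERNAL_NET": "!10.1.1.0/24"}
# Constructed local.rules entry for Step 3; the sid is in the local range (1000000 or higher).
GOOGLE_RULE = ('alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"Visit to www.google.com"; '
               'content:"www.google.com"; http_header; nocase; sid:1000001; rev:1;)')
# Constructed summary of one browser request from the lab VM to a web server.
VISIT = {"proto": "tcp", "src": "10.1.1.2", "sport": 51234, "dst": "203.0.113.10",
         "dport": 80, "payload": "GET / HTTP/1.1\r\nHost: www.google.com\r\n\r\n"}
HEADER_RE = re.compile(r"^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)$")

def parse_rule(text):
    """Split a Snort 2 rule into its header fields and an ordered (option, value) list."""
    m = HEADER_RE.match(text.strip())
    if not m: raise ValueError("not a Snort rule: " + text)
    action, proto, src, sport, _direction, dst, dport, body = m.groups()
    opts = [tuple(p.strip().strip('"') for p in item.strip().partition(":")[::2])
            for item in body.split(";") if item.strip()]
    return {"action": action, "proto": proto, "src": src, "sport": sport,
            "dst": dst, "dport": dport, "opts": opts}

def ip_matches(spec, ip):
    """Resolve $VAR, 'any' and a leading '!' (negation) the way snort.conf ipvars work."""
    if spec.startswith("$"):
        spec = SNORT_VARS[spec[1:]]
    if spec.startswith("!"):
        return not ip_matches(spec[1:], ip)
    return spec == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)

def rule_fires(rule, pkt):
    """True when the header matches and every content pattern appears in the payload."""
    if not (rule["proto"] == pkt["proto"] and ip_matches(rule["src"], pkt["src"])
            and ip_matches(rule["dst"], pkt["dst"]) and rule["sport"] in ("any", str(pkt["sport"]))
            and rule["dport"] in ("any", str(pkt["dport"]))):
        return False
    checks = []  # [pattern, nocase]; a nocase option modifies the content right before it
    for key, val in rule["opts"]:
        if key == "content":
            checks.append([val, False])
        elif key == "nocase" and checks:
            checks[-1][1] = True
    payload = pkt["payload"]
    return all(pat.lower() in payload.lower() if nocase else pat in payload for pat, nocase in checks)

def local_sid_ok(rule):
    """Custom rules must carry exactly one sid of 1000000 or higher, as the lab requires."""
    sids = [int(v) for k, v in rule["opts"] if k == "sid"]
    return len(sids) == 1 and sids[0] >= 1000000
```

Changing the destination port to 443 or the Host header to another name makes rule_fires return False, which is the same negative check you should run against your real rule before trusting a screenshot of an alert.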

Questions:
1. In step 1, how did you modify the config file to make it work?
2. In step 2, describe the two attack signatures you chose and explain the corresponding rules against them.
How did you attempt to trigger the alert? How did Snort process your requests?

3. In step 3, copy/paste your new rule here. How did you confirm that your rule was enforced by Snort?
