Experiment - 9

Name: Ansari Mohammed Shanouf Valijan

Class: B.E. Computer Engineering, Semester - VII
UID: 2021300004
Batch: VII

Aim:
To configure and test the SNORT Intrusion Detection System.

Theory:
Snort is a widely used open-source network intrusion detection and prevention system
(IDS/IPS) that helps monitor network traffic for signs of malicious activity. Developed
originally by Sourcefire and now owned by Cisco, Snort analyses packet data in real time to
detect various types of network threats, including Denial of Service (DoS) attacks, port scans,
buffer overflows, and attempts to exploit vulnerabilities. It uses a combination of techniques
such as protocol analysis, content matching, and signature-based detection to identify
suspicious patterns in network traffic, making it an effective tool for both identifying and
preventing potential security breaches.

At the core of Snort's functionality is its rule-based configuration system. Snort’s detection
capabilities are driven by rules that define specific patterns or signatures of malicious activity
within network traffic. These rules are highly customizable, allowing administrators to tailor
the system to their specific environment and security requirements. Snort is also continuously
updated with new rules from both the open-source community and commercial vendors,
ensuring that it can detect the latest threats and vulnerabilities. This flexibility is one of the
reasons Snort remains popular in both small networks and large enterprise environments.

Snort can operate in different modes, including as an Intrusion Detection System (IDS) or as
an Intrusion Prevention System (IPS). In IDS mode, it monitors traffic and generates alerts
when it detects suspicious activities, allowing security teams to investigate and respond to
potential threats. In IPS mode, Snort can actively block malicious traffic, preventing attacks
before they reach critical systems. This makes Snort a versatile tool that can be used both for
passive monitoring and active threat mitigation, depending on the specific security
requirements of the organization.

Overall, Snort is a powerful and flexible tool for network security. It offers a combination of
signature-based, protocol, and anomaly detection to monitor traffic in real time and identify
a wide range of attacks. Its open-source nature allows for extensive customization and
integration with other security tools, making it a key component of many organizations'
security infrastructures. Whether used for threat detection, prevention, or traffic analysis,
Snort remains one of the most reliable and widely adopted solutions in the world of network
security.

Implementation:
Following is a step-by-step walkthrough of the process that was undertaken to download,
install and test the SNORT intrusion detection system-

Downloading the SNORT installer

Selecting all the components for installation

Confirming the proper installation of SNORT

Downloading the required rules and placing them in the respective bin directory
Once the installation and setup of the Intrusion Detection System was completed,
configuration file was edited based on the local system under utilization, resulting in the
following config file-
# ===========================
# GLOBAL CONFIGURATION OPTIONS
# ===========================

# Set the HOME_NET variable to the local network

# Modify as per your local network's IP range
ipvar HOME_NET 192.168.1.0/24

# Define external networks, typically the internet

# Modify according to your environment
ipvar EXTERNAL_NET any

# Set up path for Snort log and alert files

# Modify to an appropriate directory
output log_tcpdump: /var/log/snort/shanouf_log/tcpdump.log
output alert_fast: /var/log/snort/shanouf_log/alert.fast

# ============================
# RULE SET DIRECTORIES
# ============================

# Location for Snort rules

# Modify to your actual rules directory
var RULE_PATH /etc/snort/rules

# Location for custom rules

var CUSTOM_RULE_PATH /etc/snort/rules/shanouf

# ============================
# NETWORK VARIABLES
# ============================

# Define network for internal servers

# Customize as needed
ipvar INTERNAL_NET 10.0.0.0/24

# ============================
# OUTPUT PLUGINS
# ============================

# Example of an output plugin for unified2 (for output to a database or other systems)
# Comment out if not used
# output unified2: filename snort.unified2, limit 128

# ============================
# ENABLE THE PREPROCESSORS
# ============================

# Enable HTTP Inspect preprocessor

preprocessor http_inspect: global \
max_request_len 8192 \
oversize_dir length 400

# Enable DNS preprocessor

preprocessor dns: global

# ============================
# RULES INCLUDE STATEMENTS
# ============================

# Include the default Snort community rules

# Make sure you've downloaded or enabled these rules
include $RULE_PATH/community.rules

# Include custom rules written by shanouf (if any)

include $CUSTOM_RULE_PATH/shanouf.rules

# ============================
# DEFINE CUSTOM RULES (Optional)
# ============================

# Custom rule for monitoring a specific IP address

alert ip 192.168.1.100 any -> $HOME_NET any (msg:"Alert: Access from specific IP";
sid:1000001;)

# ============================
# SIDS AND RULE SETTINGS
# ============================

# Custom SID definitions (e.g., SID for shanouf's network)

# Sid for shanouf's network-specific rule
sid: 1000001;

Viewing the available SNORT interfaces

Executing the SNORT tool using the edited snort.conf file

The tool being able to identify simulated intrusion (inbuilt)

Conclusion:
By performing this experiment, I was able to learn a bit about the SNORT intrusion detection
system. By following the steps mentioned in the lab manual for this experiment, I was able to
successfully install and configure the tool on my system, verifying that it was able to detect
and notify about the simulated intrusion attack through command line.