Wazuh & Snort

The document provides a step-by-step guide on installing and configuring Snort, an open-source Intrusion Detection and Prevention System (IDS/IPS), on Ubuntu. It includes instructions for setting up the network interface, configuring rules for alerts, and integrating Snort with a Wazuh server for log management. Additionally, it outlines the process for testing configurations and running attacks using Metasploit to verify Snort's alert functionality.

Uploaded by Khaled Guessoum

MOD:14

IDS AND IPS WAZUH WITH SNORT


Snort is an open-source Intrusion Detection and Prevention System (IDS/IPS) that
monitors network traffic for signs of potential security threats or breaches. By analyzing
packets in real time, Snort can detect various types of attacks and provide alerts,
helping to secure your network.

1. How to install Snort (Ubuntu)

   • sudo apt-get update && sudo apt-get upgrade -y
   • sudo apt install snort -y
   The Ubuntu package installs Snort 2.9; its configuration lives in /etc/snort/snort.conf and its rules under /etc/snort/rules, which is what the paths below assume.

2. Find the network interface Snort should listen on (the one that sees the traffic you want to inspect):

   • ip a (e.g. ens33, eth0, enp0s3)

3. During installation the package sometimes picks the interface itself and sometimes prompts for it; give it the interface name from step 2. That becomes Snort's listening interface.

4. Once the interface is set, the installation is complete. Verify it:
   • snort -V
5. Now set the protected network range in snort.conf:
   • sudo nano /etc/snort/snort.conf (or vim)

6. Scroll to the "Set the network variables" section near the top and set HOME_NET to your LAN, for example:
   • ipvar HOME_NET 192.168.1.0/24
   Leave EXTERNAL_NET as any (or !$HOME_NET). The rules below match on $HOME_NET, so it must contain the address you will ping and the Windows target you will attack.

7. Before running Snort, always test the configuration so that a syntax error does not leave the sensor down:

   • sudo snort -T -i ens33 -c /etc/snort/snort.conf
   • If successful, the output ends with:
     Snort successfully validated the configuration!
     Snort exiting

8. Next, add a rule that alerts whenever someone pings an address in HOME_NET:
   • sudo nano /etc/snort/rules/local.rules
9. Inside the file create this rule (one line):
   alert icmp any any -> $HOME_NET any (msg:"ICMP DETECTED"; sid:1000001; rev:1;)
   Three details matter here. A ping is ICMP, not TCP, so the protocol field must be icmp or the rule never fires. Every option, including msg, ends with a semicolon. The rule ID is the sid option (local rules use sid 1000000 and above so they do not collide with vendor rule IDs); rev is only the revision number, and Snort requires a sid on every rule. Make sure snort.conf still contains the line include $RULE_PATH/local.rules (it does by default on Ubuntu).

10. Save and exit, then restart Snort:

11. sudo systemctl restart snort
12. After every rule change, run the configuration test again (sudo snort -T -i ens33 -c /etc/snort/snort.conf). Once you get the success message you are good to go.

13. Now run Snort in the foreground with alerts printed to the console:

   • sudo snort -q -l /var/log/snort -A console -i ens33 -c /etc/snort/snort.conf
   Press Enter, then ping the sensor's address (or any HOME_NET address) from another machine and watch the alerts appear.
   (The screenshot in the original shows the console alerts Snort raised when the sensor was pinged.)
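An added example, not code from the original document or from the Snort project: a small Python linter for the rule syntax used in local.rules. It parses the rule header, checks that msg, sid and rev are present, that each option is terminated by a semicolon, that local sids are 1000000 or above, and flags a rule whose message says ICMP but whose protocol is not icmp. The two rule strings are constructed to mirror the step 9 rule as it is commonly mistyped (tcp, rev instead of sid, missing semicolon) and in its corrected form; snort -T remains the authoritative check.

```python
"""Lint Snort 2.x rule lines before they go into local.rules.

Added example (not the original document's code and not part of Snort).
It reports the mistakes that snort -T only describes cryptically:
missing sid, options not ended with ';', wrong protocol for the intent.
"""
import re

# Rule header: action proto src sport direction dst dport (options)
HEADER_RE = re.compile(
    r"^(?P<action>alert|log|pass|drop|reject|sdrop)\s+"
    r"(?P<proto>tcp|udp|icmp|ip)\s+"
    r"(?P<src>\S+)\s+(?P<sport>\S+)\s+(?P<direction>->|<>)\s+"
    r"(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<options>.*)\)\s*$"
)

LOCAL_SID_MIN = 1_000_000   # sids below this are reserved for vendor rules


def split_options(options):
    """Split the option body on ';' characters that are not inside quotes."""
    parts, buf, in_quote = [], [], False
    for ch in options:
        if ch == '"':
            in_quote = not in_quote
        if ch == ";" and not in_quote:
            parts.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    tail = "".join(buf).strip()
    if tail:                      # text after the last ';' (a missing terminator)
        parts.append(tail)
    return [p for p in parts if p]


def parse_rule(line):
    """Return the header fields plus a list of (option, value) pairs, or None."""
    m = HEADER_RE.match(line.strip())
    if m is None:
        return None
    rule = m.groupdict()
    pairs = []
    for part in split_options(rule.pop("options")):
        name, _, value = part.partition(":")
        pairs.append((name.strip(), value.strip()))
    rule["options"] = pairs
    return rule


def lint_rule(line):
    """Return a list of problems; an empty list means the rule looks sound."""
    rule = parse_rule(line)
    if rule is None:
        return ["header does not parse: expected 'action proto src sport -> dst dport (options)'"]
    problems = []
    names = [name for name, _ in rule["options"]]
    values = dict(rule["options"])
    for required in ("msg", "sid", "rev"):
        if required not in names:
            problems.append(f"missing required option '{required}'")
    for name in sorted(set(names)):
        if names.count(name) > 1:
            problems.append(f"option '{name}' appears {names.count(name)} times")
    msg = values.get("msg", "")
    if "msg" in names and not re.fullmatch(r'"[^"]*"', msg):
        problems.append("msg must be a single double-quoted string ended by ';' "
                        "(text after the closing quote means a ';' is missing)")
    if "sid" in names:
        if not values["sid"].isdigit():
            problems.append("sid must be a positive integer")
        elif int(values["sid"]) < LOCAL_SID_MIN:
            problems.append(f"local rules should use sid >= {LOCAL_SID_MIN}")
    if "rev" in names and not values["rev"].isdigit():
        problems.append("rev must be a positive integer")
    # Intent check: a rule that claims to catch pings must match the ICMP protocol.
    if "icmp" in msg.lower() and rule["proto"] != "icmp":
        problems.append(f"msg mentions ICMP but protocol is {rule['proto']}; a ping is ICMP")
    return problems


# Constructed samples: the step-9 rule as commonly mistyped, and the corrected form.
BROKEN_RULE = 'alert tcp any any -> $HOME_NET any (msg: "ICMP DETECTED" rev:1000001; rev:1;)'
FIXED_RULE = 'alert icmp any any -> $HOME_NET any (msg:"ICMP DETECTED"; sid:1000001; rev:1;)'

if __name__ == "__main__":
    for rule in (BROKEN_RULE, FIXED_RULE):
        print(rule)
        for problem in lint_rule(rule) or ["OK"]:
            print("  -", problem)
```

Run it over local.rules line by line before the -T test; the broken form reports a missing sid, a malformed msg and the ICMP/tcp mismatch, the fixed form reports nothing.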

Configuring the Wazuh agent so Snort alerts reach the Wazuh server:

14. First install the Wazuh agent on the Snort machine itself; only an agent on that host can read Snort's log file and ship it to the server:
   • Download the agent package (4.11.1 is used here; match the version of your Wazuh server):
     wget https://packages.wazuh.com/4.x/apt/pool/main/w/wazuh-agent/wazuh-agent_4.11.1-1_amd64.deb
   • sudo dpkg -i wazuh-agent_4.11.1-1_amd64.deb
   • Now point the agent on the Snort machine at the Wazuh server:
   • sudo nano /var/ossec/etc/ossec.conf (or vim)
   • In the <client><server> block, replace the MANAGER_IP placeholder in <address>MANAGER_IP</address> with the Wazuh server's IP address.
   • Next, tell the agent which file holds the Snort alerts.
   • Further down, in the log analysis section next to the existing <localfile> entries, add:

   <localfile>
     <log_format>syslog</log_format>
     <location>/var/log/snort/alert</location>
   </localfile>

15. Save and exit. Two checks before trusting this hand-off: Snort writes /var/log/snort/alert when it runs with -A fast (one line per alert) or -A full (multi-line records), while -A console prints the fast lines to the terminal. Ping the sensor and confirm with tail -f /var/log/snort/alert that lines are appearing; if the file is not being written, run Snort with -A fast instead. The syslog format above suits the one-line fast alerts; if you run with -A full, use <log_format>snort-full</log_format> so the agent reads the multi-line records correctly.

16. Restart the agent: sudo systemctl restart wazuh-agent. On the server, /var/ossec/bin/agent_control -l should now list the Snort machine as Active.
17. Download a Windows 7 ISO, build the target VM, and boot the Kali machine that will run the EternalBlue attack against it.

18. On the Kali machine, as root, start msfconsole.
19. Search for EternalBlue and select the exploit module:
   • search eternalblue
   • use 0 (check that the module selected is exploit/windows/smb/ms17_010_eternalblue; the index depends on the search results)
   • Inside the exploit, set RHOSTS to the Windows 7 machine's IP, then run exploit.

20. Before attacking, give the Snort machine rules that detect the SMB attack, so that it raises "attack detected" alerts and warnings.
21. In a browser go to snort.org, then Downloads, then Rules; download the ruleset and extract it (the community ruleset is free; the registered ruleset needs a free account).
22. Open the extracted rules file, press Ctrl+F and search for eternalblue.
23. Copy the matching rule(s) into /etc/snort/rules/local.rules on the Snort machine, keeping each rule on a single line.
24. Save and exit, then run the configuration test once more (sudo snort -T -i ens33 -c /etc/snort/snort.conf). When it validates, the rule is loaded and ready.
25. Now switch to the Kali machine and run the EternalBlue exploit against Windows 7.
26. Warning: before exploiting, Snort must already be running on the sensor (sudo snort -q -l /var/log/snort -A console -i ens33 -c /etc/snort/snort.conf, or -A fast if you rely on the alert file). Only a running Snort produces the alert and the log entry the agent forwards.

(The screenshots in the original show the Metasploit session succeeding and, on the Snort machine, the resulting alerts and notifications.)
Now check the logs on the sensor: the entries appear in the file the Wazuh agent reads, /var/log/snort/alert.

27. Now on the Wazuh server: open the dashboard, go to Threat Hunting and filter on the Snort agent to see the forwarded alerts.

(The screenshots in the original show the Snort alerts as they arrive on the Wazuh server.)
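An added example that is not code from the original document, Snort or Wazuh: a parser for the one-line "fast" alert format that Snort writes to /var/log/snort/alert with -A fast (and prints with -A console), i.e. the lines the Wazuh agent reads with the localfile entry from step 14. The sample lines are constructed, not captured from the lab: two hits of the step 9 ICMP rule and one hit of an assumed local SMB rule with sid 1000002 and a made-up message. The parser pulls out the fields a SIEM decoder needs (timestamp, gid:sid:rev, message, classification, priority, protocol, endpoints) and counts hits per rule, which is the quickest way to confirm on the sensor what you expect to see in Threat Hunting.

```python
"""Parse Snort 'fast'-format alert lines into structured records.

Added example: not code from the original document, Snort or Wazuh.
The format is what Snort writes to /var/log/snort/alert with -A fast
(and prints to stdout with -A console), one alert per line.
"""
import re
from collections import Counter

FAST_ALERT_RE = re.compile(
    r"^(?P<timestamp>\d{2}/\d{2}-\d{2}:\d{2}:\d{2}\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s+(?P<classification>[^\]]+)\]\s+)?"  # absent without classtype
    r"\[Priority:\s+(?P<priority>\d+)\]\s+\{(?P<proto>[A-Z0-9]+)\}\s+"
    r"(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s*$"
)


def _split_endpoint(endpoint):
    """'192.168.1.50:49152' -> ('192.168.1.50', 49152); ICMP endpoints carry no port.

    IPv4 only: an IPv6 endpoint would need bracket-aware splitting.
    """
    host, sep, port = endpoint.rpartition(":")
    if sep and port.isdigit():
        return host, int(port)
    return endpoint, None


def parse_fast_alert(line):
    """Return a dict of alert fields, or None if the line is not a fast alert."""
    m = FAST_ALERT_RE.match(line)
    if m is None:
        return None
    f = m.groupdict()
    src_ip, src_port = _split_endpoint(f["src"])
    dst_ip, dst_port = _split_endpoint(f["dst"])
    return {
        "timestamp": f["timestamp"],
        "gid": int(f["gid"]), "sid": int(f["sid"]), "rev": int(f["rev"]),
        "msg": f["msg"],
        "classification": f["classification"],   # None when the rule has no classtype
        "priority": int(f["priority"]),
        "proto": f["proto"],
        "src_ip": src_ip, "src_port": src_port,
        "dst_ip": dst_ip, "dst_port": dst_port,
    }


def parse_alert_file(text):
    """Parse every alert line in the file contents; non-alert lines are skipped."""
    alerts = []
    for line in text.splitlines():
        parsed = parse_fast_alert(line.strip())
        if parsed is not None:
            alerts.append(parsed)
    return alerts


def hits_per_rule(alerts):
    """Count alerts per (sid, msg), i.e. what the dashboard shows per rule."""
    return Counter((a["sid"], a["msg"]) for a in alerts)


# Constructed sample file contents (not captured from the lab): two hits of the
# step-9 ICMP rule and one hit of an assumed local SMB rule with sid 1000002.
SAMPLE_ALERTS = """\
03/15-10:22:31.123456  [**] [1:1000001:1] ICMP DETECTED [**] [Priority: 0] {ICMP} 192.168.1.50 -> 192.168.1.10
03/15-10:22:32.123789  [**] [1:1000001:1] ICMP DETECTED [**] [Priority: 0] {ICMP} 192.168.1.50 -> 192.168.1.10
03/15-10:25:04.000112  [**] [1:1000002:1] SMB ATTACK DETECTED [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 192.168.1.50:41234 -> 192.168.1.20:445
not an alert line; the agent would still forward it, the parser skips it
"""

if __name__ == "__main__":
    alerts = parse_alert_file(SAMPLE_ALERTS)
    for (sid, msg), n in hits_per_rule(alerts).items():
        print(f"sid {sid} {msg!r}: {n} alert(s)")
```

Feed it the real file with parse_alert_file(open("/var/log/snort/alert").read()) on the sensor; if the per-rule counts there do not match what Threat Hunting shows, the gap is in the agent or decoder, not in Snort.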

Ruleset and references:

https://snort.org/


To learn more about the Snort installation:

https://youtu.be/Gh0sweT-G30?si=DVdc5VU9PiF1fP6f

https://youtu.be/U6xMp-MIEfA?si=SIjdETaHw-iPhuGT

https://youtu.be/RzF5-fVz7Oc?si=qJzLghFzqk9GezL2
