Project 15 for CNIT 120 - Snort (15 pts.)

What You Need

Starting the Linux Machine

Start your machine as usual. Open a Terminal window.

In a Terminal window, enter this command, and then press Enter:

ping samsclass.info
Make sure you are getting replies, and then press Ctrl+C to stop the pings.

In a Terminal window, enter this command, and then press Enter:

ifconfig
Find the interface that goes to the Internet and make a note of it. In my case it is eth2, as shown below:

Installing Snort

In a Terminal window, execute these commands:
apt-get update

apt-get install snort -y

Troubleshooting

If you see a message saying "Unable to locate package snort", execute this command:
nano /etc/apt/sources.list
Add this line to the end of the file, as shown below:
deb http://ftp.us.debian.org/debian wheezy main

Press Ctrl+X, Y, Enter to save the file.

Then execute these commands:

apt-get update

apt-get install snort -y

After Snort installs, a blue screen appears asking for the "Address range for your local network". In S214, it's 192.168.1.0/24

Enter the range, press Tab to highlight Ok, and press Enter.

Configuring Snort to Detect Pings

Snort starts with a long set of default configurations, but we will start with a very simple ping detector.

In a Terminal window, enter these commands, pressing Enter after each one:

cd /etc/snort

nano snort-test.conf

Enter this line, as shown below:
include /etc/snort/icmp-test.rules

Save the file with Ctrl+X, Y, Enter.

In a Terminal window, execute this command:

nano icmp-test.rules
Enter this line, as shown below:
alert icmp any any -> any any (msg:"ICMP Packet"; sid:477; rev:3;)

Save the file with Ctrl+X, Y, Enter.

This is the structure of an alert:

<Rule Actions> <Protocol> <Source IP Address> <Source Port> <Direction Operator> <Destination IP Address> <Destination Port> (rule options)

Table: Rule structure and example

Structure                Example
Rule Actions             alert
Protocol                 icmp
Source IP Address        any
Source Port              any
Direction Operator       ->
Destination IP Address   any
Destination Port         any
(rule options)           (msg:"ICMP Packet"; sid:477; rev:3;)
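As an added example (not part of the handout), this small Python parser splits a rule into the header fields listed in the table above and turns the rule options into a dictionary; it also expands an ipvar name such as $HOME_NET from a dictionary you pass in, mirroring the "ipvar HOME_NET" line set in snort.conf. The Rule class, parse_rule and parse_options are names chosen for this example.

```python
import re
from dataclasses import dataclass, field

# Header layout from the handout:
# <action> <proto> <src ip> <src port> <direction> <dst ip> <dst port> (options)
HEADER_RE = re.compile(
    r"^(?P<action>alert|log|pass|drop|reject|sdrop)\s+"
    r"(?P<proto>\S+)\s+(?P<src_ip>\S+)\s+(?P<src_port>\S+)\s+"
    r"(?P<direction>->|<>)\s+(?P<dst_ip>\S+)\s+(?P<dst_port>[^\s(]+)\s*"
    r"\((?P<options>.*)\)\s*$"
)

@dataclass
class Rule:
    action: str
    proto: str
    src_ip: str
    src_port: str
    direction: str
    dst_ip: str
    dst_port: str
    options: dict = field(default_factory=dict)

def parse_options(text):
    """Turn 'msg:"ICMP Packet"; sid:477; rev:3;' into a dict.
    A semicolon inside the quoted msg must not be treated as a separator,
    and a bare keyword such as 'nocase;' is stored as True."""
    opts = {}
    for key, value in re.findall(r'(\w+)(?::((?:"[^"]*"|[^;])*))?;', text):
        value = value.strip()
        if value.startswith('"') and value.endswith('"'):
            value = value[1:-1]
        opts[key] = value if value else True
    return opts

def parse_rule(line, variables=None):
    """Parse one Snort rule line; 'variables' maps ipvar names to networks,
    e.g. {"HOME_NET": "192.168.0.0/16"}. Unknown $names are left as-is."""
    variables = variables or {}
    m = HEADER_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a valid rule header: {line!r}")
    fields = m.groupdict()
    for key in ("src_ip", "dst_ip"):
        if fields[key].startswith("$"):
            fields[key] = variables.get(fields[key][1:], fields[key])
    opts = parse_options(fields.pop("options"))
    return Rule(**fields, options=opts)
```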

Running Snort With Only One Rule

In a Terminal window, enter this command, followed by the Enter key:

snort -i eth0 -c /etc/snort/snort-test.conf -l /var/log/snort
Note that the last switch is a lowercase L, not the numeral 1.

Your interface name may be different from eth0.

Snort starts, showing an "Initialization Complete" message, as shown below:

Open another Terminal window or tab and enter this command, followed by the Enter key:

ping -c 1 8.8.8.8
In the Terminal window, enter this command, followed by the Enter key:
cat /var/log/snort/alert
You should see two alerts, as shown below. The first one shows an outgoing ICMP type 8 ECHO request, and the second shows an incoming ICMP type 0 ECHO response.

Saving the Screen Image

Make sure you can see the ICMP TYPE:8 and ICMP TYPE:0 packets in your alert file. Save a screen capture with a filename of "Proj 15a from YOUR NAME".

Stopping Snort

In the Terminal window or tab running Snort, press Ctrl+C.

Snort prints out a page of statistics about the packets it saw, as shown below:

Running Snort with Default Rules

In a Terminal window, enter this command, followed by the Enter key:

snort -i eth0 -l /var/log/snort -c /etc/snort/snort.conf
Note that the second switch is a lowercase L, not the numeral 1.

Snort starts, showing a "Commencing packet processing" message.

Open another Terminal window or tab and enter this command, followed by the Enter key:

tail -f /var/log/snort/alert
On your other computer, run a default Nmap scan of your Linux machine, as shown below:

You should see messages scroll by on the Linux machine as snort sends alerts about the scans.

Troubleshooting

If Snort doesn't detect the Nmap scan, you may have the wrong "address range for your local network" configured.

To fix that problem, execute this command:

nano /etc/snort/snort.conf
Scroll down to find the "Step #1: Set the network variables" section, as shown below:

Add a # to the existing "ipvar HOME_NET any" line and add this line below it, as shown below. If you are using S214, the correct network specifier is 192.168.0.0/16. If you are using some other network, you need to specify its CIDR network address here.

ipvar HOME_NET 192.168.0.0/16

Press Ctrl+X, Y, Enter to save the file.

When the scan is complete, the Kali64 machine shows alerts, as shown below.

Saving the Screen Image

Make sure you can see the alerts, as shown above.

Save a whole-desktop image with a filename of "Proj 15b from YOUR NAME".

Turning In Your Project

Email the images to cnit.120@gmail.com with a subject of "Project 15 from YOUR NAME".

Last modified 6-16-16