Snort (NETLAB)

Use your Kali64 Machine

Open the Kali64 virtual machine. Log in as root with the password toor.

Configuring Snort to Detect Pings

Snort starts with a long set of default configurations, but we will start with a very simple ping detector.

In your Kali64 machine, in a Terminal window, execute these commands:

cd /etc/snort

nano snort-test.conf

Enter this line, as shown below:
include /etc/snort/icmp-test.rules

Save the file with Ctrl+X, Y, Enter.

In your Kali64 machine, in a Terminal window, execute this command:

nano icmp-test.rules

Enter this line, as shown below:

alert icmp any any -> any any (msg:"ICMP Packet"; sid:477; rev:3;)

Save the file with Ctrl+X, Y, Enter.

This is the structure of an alert:

<Rule Actions> <Protocol> <Source IP Address> <Source Port> <Direction Operator> <Destination IP Address> <Destination Port> (rule options)

Table: Rule structure and example

Structure                 Example
Rule Actions              alert
Protocol                  icmp
Source IP Address         any
Source Port               any
Direction Operator        ->
Destination IP Address    any
Destination Port          any
(rule options)            (msg:"ICMP Packet"; sid:477; rev:3;)
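To see how Snort takes a rule line apart into the seven header fields and the option list in the table above, here is a small parser written for this handout (added example; it is not part of Snort or of the original lab). It feeds the lab's own ICMP rule through the same Structure / Example layout, and rejects the mistakes that make Snort refuse to start (a missing header field, a direction other than -> or <>, or a rule with no numeric sid). The lists of accepted actions and protocols are assumptions covering the common keywords, not Snort's full grammar.

```python
import re
from dataclasses import dataclass, field

# Constructed input: the single rule this lab writes into icmp-test.rules.
EXAMPLE_RULE = 'alert icmp any any -> any any (msg:"ICMP Packet"; sid:477; rev:3;)'

# Accepted header keywords (assumed subset; the lab only uses alert, icmp and ->).
VALID_ACTIONS = {"alert", "log", "pass", "drop", "reject", "sdrop"}
VALID_PROTOCOLS = {"tcp", "udp", "icmp", "ip"}
VALID_DIRECTIONS = {"->", "<>"}

# One option inside the parentheses: "key:value;" or a bare "key;" (value optional).
OPTION_RE = re.compile(r'(\w+)(?:\s*:\s*("(?:[^"\\]|\\.)*"|[^;]*))?\s*;')


@dataclass
class SnortRule:
    """The seven header fields from the structure line, plus the parsed options."""
    action: str
    protocol: str
    src_ip: str
    src_port: str
    direction: str
    dst_ip: str
    dst_port: str
    options: dict = field(default_factory=dict)


def parse_options(body: str) -> dict:
    """Turn 'msg:"ICMP Packet"; sid:477; rev:3;' into a dict; bare keywords map to True."""
    opts = {}
    for m in OPTION_RE.finditer(body):
        key, value = m.group(1), m.group(2)
        if value is None:
            opts[key] = True
        else:
            value = value.strip()
            if len(value) >= 2 and value[0] == value[-1] == '"':
                value = value[1:-1]          # strip the quotes around msg text
            opts[key] = value
    return opts


def parse_rule(line: str) -> SnortRule:
    """Parse one rule line and reject the errors that stop Snort from loading it."""
    line = line.strip()
    if "(" not in line or not line.endswith(")"):
        raise ValueError("rule options must be wrapped in parentheses")
    header, _, body = line.partition("(")
    fields = header.split()
    if len(fields) != 7:
        raise ValueError(f"header needs 7 fields, found {len(fields)}: {fields}")
    rule = SnortRule(*fields, options=parse_options(body[:-1]))  # body[:-1] drops ')'
    if rule.action not in VALID_ACTIONS:
        raise ValueError(f"unknown rule action {rule.action!r}")
    if rule.protocol not in VALID_PROTOCOLS:
        raise ValueError(f"unknown protocol {rule.protocol!r}")
    if rule.direction not in VALID_DIRECTIONS:
        raise ValueError(f"direction must be -> or <>, found {rule.direction!r}")
    if not str(rule.options.get("sid", "")).isdigit():
        raise ValueError("every rule needs a numeric sid")
    return rule


def rule_table(rule: SnortRule) -> list:
    """Lay the rule out as the Structure / Example table from the handout."""
    return [
        ("Rule Actions", rule.action),
        ("Protocol", rule.protocol),
        ("Source IP Address", rule.src_ip),
        ("Source Port", rule.src_port),
        ("Direction Operator", rule.direction),
        ("Destination IP Address", rule.dst_ip),
        ("Destination Port", rule.dst_port),
        ("(rule options)", "; ".join(f"{k}:{v}" for k, v in rule.options.items())),
    ]


if __name__ == "__main__":
    for name, value in rule_table(parse_rule(EXAMPLE_RULE)):
        print(f"{name:<24} {value}")
```

Run it as a script to print the table for the lab's rule; passing a malformed line (for instance one with only six header fields) raises ValueError with the reason, which is the same class of error Snort reports when a rules file will not load.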

Running Snort With Only One Rule

In your Kali64 machine, in a Terminal window, execute this command:

snort -i eth0 -c /etc/snort/snort-test.conf -l /var/log/snort
Note that the last switch is a lowercase L, not the numeral 1.

Your interface name may be different from eth0.

Snort starts, showing an "Initialization Complete" message, as shown below:

Click File, "Open Terminal" to open another Terminal window and execute this command:

ping -c 1 samsclass.info

In the second Terminal window, execute this command:

cat /var/log/snort/alert

You should see two alerts, as shown below. The first one shows an outgoing ICMP type 8 ECHO request, and the second shows an incoming ICMP type 0 ECHO reply.
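Reading the alert file by eye is fine for two entries, but once the default rule set is loaded (later in this lab) the file fills quickly. The following script, added for this handout and not part of Snort or the original lab, parses alert records into sid, message, endpoints and ICMP type, labels each one as outgoing or incoming relative to the Kali64 address, and counts how often each rule fired. The sample text is constructed and modelled on the layout of Snort's full alert format; that layout, the remote address and the timestamps are assumptions, not captured output.

```python
import re
from collections import Counter

# Constructed sample, modelled on Snort's "full" alert format (the exact layout
# of /var/log/snort/alert is assumed; the remote address and timestamps are made up).
SAMPLE_ALERT_FILE = """\
[**] [1:477:3] ICMP Packet [**]
[Priority: 0]
04/26-10:15:22.123456 172.16.1.202 -> 203.0.113.10
ICMP TTL:64 TOS:0x0 ID:12345 IpLen:20 DgmLen:84 DF
Type:8  Code:0  ID:1234   Seq:1  ECHO

[**] [1:477:3] ICMP Packet [**]
[Priority: 0]
04/26-10:15:22.200000 203.0.113.10 -> 172.16.1.202
ICMP TTL:52 TOS:0x0 ID:54321 IpLen:20 DgmLen:84
Type:0  Code:0  ID:1234   Seq:1  ECHO REPLY
"""

HEADER_RE = re.compile(r"\[\*\*\] \[(\d+):(\d+):(\d+)\] (.*?) \[\*\*\]")  # [gid:sid:rev] msg
FLOW_RE = re.compile(r"^(\S+) (\S+) -> (\S+)$")                        # timestamp src -> dst
ICMP_TYPE_RE = re.compile(r"^Type:(\d+)\s+Code:(\d+)")

ICMP_TYPE_NAMES = {8: "ECHO request", 0: "ECHO reply"}


def parse_alert_file(text: str) -> list:
    """Split the alert file into records and pull out sid, message, endpoints and ICMP type."""
    alerts = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.splitlines()
        head = HEADER_RE.match(lines[0])
        if not head:
            continue                       # not an alert record; skip it
        gid, sid, rev, msg = head.groups()
        alert = {"gid": int(gid), "sid": int(sid), "rev": int(rev), "msg": msg,
                 "timestamp": None, "src": None, "dst": None,
                 "icmp_type": None, "icmp_code": None}
        for line in lines[1:]:
            flow = FLOW_RE.match(line)
            if flow:
                alert["timestamp"], alert["src"], alert["dst"] = flow.groups()
            t = ICMP_TYPE_RE.match(line)
            if t:
                alert["icmp_type"], alert["icmp_code"] = int(t.group(1)), int(t.group(2))
        alerts.append(alert)
    return alerts


def describe(alert: dict, local_ip: str) -> str:
    """Summarise one alert as 'outgoing ICMP type 8 ECHO request (...)' relative to this host."""
    direction = "outgoing" if alert["src"] == local_ip else "incoming"
    name = ICMP_TYPE_NAMES.get(alert["icmp_type"], "type unknown")
    return f"{direction} ICMP type {alert['icmp_type']} {name} ({alert['src']} -> {alert['dst']})"


def count_by_sid(alerts: list) -> Counter:
    """How many times each rule fired; useful once snort.conf's full rule set is loaded."""
    return Counter(a["sid"] for a in alerts)


if __name__ == "__main__":
    parsed = parse_alert_file(SAMPLE_ALERT_FILE)
    for a in parsed:
        print(describe(a, "172.16.1.202"))
    print(count_by_sid(parsed))
```

To run it against a real capture, replace SAMPLE_ALERT_FILE with the contents of /var/log/snort/alert; records that do not start with the [**] header line are skipped rather than crashing the parser.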

Stopping Snort

Click in the Terminal window running Snort, and press Ctrl+C.

Snort prints out a page of statistics about the packets it saw, as shown below:

Running Snort with Default Rules

In your Kali64 machine, in a Terminal window, execute this command:

snort -i eth0 -l /var/log/snort -c /etc/snort/snort.conf

Note that the second switch is a lowercase L, not the numeral 1.

Snort starts, showing a "Commencing packet processing" message.

In the other Terminal window, execute this command:

tail -f /var/log/snort/alert

Start your Kali32 Machine

Open the Kali32 virtual machine. Log in as root with the password toor.

Open a Terminal window and execute this command, to run an Nmap scan of your Kali64 machine, as shown below.

nmap 172.16.1.202

You should see messages scroll by on the Kali64 machine as Snort generates alerts about the scan.

When the scan is complete, the Kali64 machine shows alerts, as shown below.

Sources

http://www.thegeekstuff.com/2010/08/snort-tutorial/

http://people.umass.edu/cs415/labs/lab2/415-lab2-Snort.pdf

http://www.snort.org/docs/faq

How to write Snort rules
Last modified 4-26-16
Modified 6-16-16 for NETLAB