Project 8: Snort (15 Points)

What You Need for This Project

Purpose

Snort is an old standard tool for detecting network attacks. In this project you'll install and configure Snort, and send suspicious traffic to provoke alerts.

Starting the Linux Machine

Start your Linux machine and log in as usual. I recommend controlling your machine via SSH.

In a Terminal window, execute this command to find its IP address:

sudo ifconfig
Make a note of your IP address, as shown below.

Installing Snort

On your Linux machine, in a Terminal window, execute these commands:
sudo apt update
sudo apt install snort -y
A blue screen appears asking for the address range of the local network.

Enter your network's subnet, as shown below, press Tab to highlight OK and press Enter.

Starting Snort

On your Linux machine, in a Terminal window, execute this command:
sudo snort -c /etc/snort/snort.conf -i eth0 -A full
Several screens of messages scroll by, ending with "Commencing packet processing", as shown below.

Monitoring Snort Alerts

Open a second Terminal window on your Linux machine. If you are using SSH, make a second SSH connection.

In the new window, execute this command:

tail -f /var/log/snort/alert
Leave this window running, as shown below.

Starting your Windows Server

Start your Windows machine and log in as usual.

Open a Command Prompt and execute this command, replacing the IP address with the IP address of your Linux machine.

ping 192.168.225.130
You should see replies, as shown below. If you do not, you need to troubleshoot your networking before proceeding with this project.

Installing the TFTP Client

On your Windows desktop, click Start. Open "Server Manager".

In Server Manager, click "2 Add roles and features", as shown below.

In the "Before you Begin" box, click Next.

In the "Installation Type" box, click Next.

In the "Server Selection" box, click Next.

In the "Server Roles" box, click Next.

In the "Select features" box, check "TFTP Client", as shown below, and click Next.

In the "Confirm installation selections" box, click Install.

Wait a few seconds for the installation to finish.

Sending Suspicious Traffic

On your Windows machine, in a Command Prompt window, execute this command, replacing the IP address with the IP address of your Linux machine.
tftp 192.168.225.130 GET /etc/shadow 
Windows says the request failed, as shown below, but it still sends the traffic to the Linux server.

The Linux terminal should show a Snort alert detecting this traffic, as shown below.

Viewing the Snort Rule

On your Linux machine, open a third Terminal window and execute this command:
less /etc/snort/snort.conf 
The Snort configuration file is shown, as shown below.

Press the SPACEBAR to move down a screen at a time, and/or the up-arrow and down-arrow keys to move one line at a time, until you find the tftp.rules entry as shown below.

The TFTP alerts come from this file. To see it, press Q to exit "less" and execute this command:

less /etc/snort/rules/tftp.rules 
Scroll down and find the TFTP rule for "GET shadow", as shown below.

Notice the format of the rule--this is the famous "Snort Rule" format, used by many IDS products.

The pattern used by this rule is

content:"shadow"

which is a simple pattern match.

Sending Less Suspicious Traffic

From your Windows machine, in a Command Prompt, execute this command, replacing the IP address with the IP address of your Linux machine.
tftp 192.168.225.130 GET /theshadowknows 
Windows returns the same error message, as shown below.

Snort sends an alert again, as shown below.

As you can see, this Snort rule is really stupid--it will trigger on any request containing the word "shadow". This is a simple, primitive form of defense.

Sending a Long Filename

From your Windows machine, in a Command Prompt, execute this command, replacing the IP address with the IP address of your Linux machine. The command has 110 "A" characters in it.
tftp 192.168.225.130 GET AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 
Snort sends an alert again, as shown below. Find the alert numbered "1:1941", and note the text that is covered by a green box in the image below.
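To make the two points above concrete (the "shadow" rule is a bare substring match, and the long-filename request trips a different, length-based check), here is an added teaching model of how a Snort signature's content options are evaluated against a TFTP read request. This is example code written for this page, not Snort's own engine and not the text of any rule in /etc/snort/rules: it parses only a handful of real Snort options (msg, sid, content with |hex| sections, offset, depth, nocase, isdataat), builds the three TFTP requests sent in this project as constructed packets, and runs three rules over them. The first rule is the simple content:"shadow" match discussed above; the second is a tightened variant (constructed for illustration) that pins the match to the start of the filename; the third is a constructed long-filename rule that only shows the idea of checking for an over-long filename and is not rule 1:1941. SIDs in the 1000000+ range and the msg strings are placeholders chosen here.

```python
"""Teaching model of Snort content matching on TFTP read requests (added example)."""
import struct


def tftp_rrq(filename, mode="netascii"):
    """Build a TFTP Read Request (RFC 1350): opcode 1, filename, NUL, mode, NUL."""
    return struct.pack("!H", 1) + filename.encode() + b"\x00" + mode.encode() + b"\x00"


# Constructed packets mirroring the three 'tftp ... GET ...' commands in this project.
REQUESTS = {
    "GET /etc/shadow": tftp_rrq("/etc/shadow"),
    "GET /theshadowknows": tftp_rrq("/theshadowknows"),
    "GET 110 x A": tftp_rrq("A" * 110),
}

# Rule text in real Snort syntax; msg strings and sids are placeholders for this example.
RULES = [
    'alert udp any any -> any 69 (msg:"TFTP GET shadow (simple content match)"; '
    'content:"shadow"; sid:1000001;)',
    'alert udp any any -> any 69 (msg:"TFTP GET /etc/shadow (tightened example)"; '
    'content:"|00 01|"; depth:2; content:"/etc/shadow|00|"; offset:2; depth:12; sid:1000002;)',
    'alert udp any any -> any 69 (msg:"TFTP long filename (constructed example)"; '
    'content:"|00 01|"; depth:2; isdataat:100,relative; sid:1000003;)',
]


def _decode_content(text):
    """Turn a Snort content string such as '/etc/shadow|00|' into raw bytes."""
    out = bytearray()
    for i, part in enumerate(text.split("|")):
        out += bytes.fromhex(part) if i % 2 else part.encode()  # odd parts are hex
    return bytes(out)


def parse_rule(rule):
    """Parse the subset of rule options this model understands."""
    header, _, body = rule.partition("(")
    parsed = {"header": header.strip(), "msg": None, "sid": None, "checks": []}
    for opt in (o.strip() for o in body.rstrip(") ").split(";")):
        if not opt:
            continue
        name, _, val = opt.partition(":")
        val = val.strip()
        if name == "msg":
            parsed["msg"] = val.strip('"')
        elif name == "sid":
            parsed["sid"] = int(val)
        elif name == "content":
            parsed["checks"].append({"type": "content", "bytes": _decode_content(val.strip('"')),
                                     "offset": 0, "depth": None, "nocase": False})
        elif name in ("offset", "depth"):      # modifiers apply to the preceding content
            parsed["checks"][-1][name] = int(val)
        elif name == "nocase":
            parsed["checks"][-1]["nocase"] = True
        elif name == "isdataat":              # isdataat:N[,relative]
            n, _, rel = val.partition(",")
            parsed["checks"].append({"type": "isdataat", "n": int(n),
                                     "relative": rel.strip() == "relative"})
    return parsed


def rule_matches(rule, payload):
    """Evaluate the parsed checks in order; 'relative' positions follow the last match."""
    last_end = 0
    for chk in rule["checks"]:
        if chk["type"] == "content":
            hay, needle = payload, chk["bytes"]
            if chk["nocase"]:
                hay, needle = hay.lower(), needle.lower()
            start = chk["offset"]
            end = len(hay) if chk["depth"] is None else start + chk["depth"]
            pos = hay.find(needle, start, end)   # needle must fit inside the window
            if pos < 0:
                return False
            last_end = pos + len(needle)
        elif chk["type"] == "isdataat":
            base = last_end if chk["relative"] else 0
            if len(payload) - base < chk["n"]:   # not enough data after that point
                return False
    return True


def evaluate(rules_text, requests):
    """Map each rule's msg to the list of request labels that trigger it."""
    results = {}
    for text in rules_text:
        rule = parse_rule(text)
        results[rule["msg"]] = [label for label, pkt in requests.items() if rule_matches(rule, pkt)]
    return results


if __name__ == "__main__":
    for msg, hits in evaluate(RULES, REQUESTS).items():
        print(f"{msg}: {hits}")
```

Running it shows the behaviour observed in the lab: the simple rule fires on both "/etc/shadow" and "/theshadowknows" because it only looks for the substring, the tightened rule fires only on the exact "/etc/shadow" filename, and the length check fires only on the 110-character request, which is why that packet produces a different alert than the first two.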

Use the form below to record your score in Canvas.

If you don't have a Canvas account, see the instructions here.

Name or Email:
Alert text:

https://www.colasoft.com/packet_player/

Source: I saw this demonstrated by Marco Palacios at @hackvalley27.

Posted 9-16-18
tail command corrected 9-29-18