Lab 1 Network Scan Using Snort

This document provides instructions for using Snort to analyze network traffic in an Ubuntu virtual machine. It describes how to install Snort and Wireshark, configure Snort's HOME_NET variable, add rules to detect ICMP and FTP traffic, and view alerts and logs. Learners are guided to test the rules by pinging and connecting to FTP from a Kali Linux virtual machine, then view the resulting alerts and packet captures in Snort's logs and Wireshark.

Uploaded by Humera Gull

Incident Response Management

Lab 1: Network Analysis using Snort

In this lab we are going to detect attacks on the network using Snort.


Snort is an open-source network intrusion prevention and
detection system (IDS/IPS) developed by Sourcefire.
You need the following software:
• VMware or Virtual Box
• 1 Ubuntu virtual machine:

Instructions on how to install Ubuntu on VMware:


https://linuxhint.com/install_ubuntu_vmware_workstation/
• Kali Linux [username: kali, password: kali]: here choose “Open
a virtual machine” from VMware and choose the downloaded
Kali file.
https://www.kali.org/get-kali/#kali-virtual-machines

Dr. Sarah Abu Ghazalah


• Install Snort in Ubuntu virtual machine:

Type on Terminal: $ sudo apt install snort

Once the installation is completed, run the command below to
verify:

snort -V

• Install Wireshark on Ubuntu:


Type on Terminal:
$ sudo apt install wireshark



Task1: Use Snort to analyze traffic:
1- We need to configure our HOME_NET value, so in the Ubuntu
Terminal type:

ifconfig

then observe the network interface name and IP address.

2- Then open Snort config file to change HOME_NET value.


sudo gedit /etc/snort/snort.conf

3- When the snort.conf file opens, scroll down until you find
the ipvar HOME_NET setting, change the IP address part
to match your Ubuntu Server VM IP, making sure to leave
the ".0/24" on the end. Save it.

4- Now we need to check whether any Snort rules exist. To
do so, type in Terminal:

sudo snort -T -i ens33 -c /etc/snort/snort.conf

-T: test the configuration and exit

-i: interface to listen on

-c: location of the configuration file



5- Scroll up until you see “0 Snort rules read”.

6- Now let’s add our first rule. First open the rule file:

sudo gedit /etc/snort/rules/local.rules

7- Add the rule:

alert icmp any any -> $HOME_NET any (msg:"ICMP Test"; sid:1000001; rev:1;)



• alert – Rule action. Snort will generate an alert
when the set condition is met.
• any – Source IP. Snort will look at all sources.
• any – Source port. Snort will look at all ports.
• -> – Direction. From source to destination.
• $HOME_NET – Destination IP. We are using the
HOME_NET value from the snort.conf file.
• any – Destination port. Snort will look at all ports
on the protected network.
Rule options:

• msg:"ICMP Test" – Snort will include this message
with the alert.
• sid:1000001 – Snort rule ID. Remember all
numbers smaller than 1,000,000 are reserved; this
is why we are starting with 1,000,001.
• rev:1 – Revision number. This option allows for
easier rule maintenance.

8- Save the file.
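Before restarting Snort it is worth checking local.rules for the two mistakes this section warns about: a sid in the reserved range below 1,000,000, and curly quotes around msg that a word processor or web page can introduce and that Snort will not accept. The following checker is an added example, not part of the lab; the rules file and the 192.168.56.x address inside it are constructed.

```python
import re

# Constructed local.rules in the state this lab leaves it (first rule commented out),
# plus a deliberately broken third rule: curly quotes and a sid in the reserved range.
LOCAL_RULES = '''\
# alert icmp any any -> $HOME_NET any (msg:"ICMP Test"; sid:1000001; rev:1;)
alert tcp 192.168.56.102 any -> $HOME_NET 21 (msg:"FTP connection attempt"; sid:1000002; rev:1;)
alert icmp any any -> $HOME_NET any (msg:“Broken rule”; sid:999; rev:1;)
'''

# Rule header: action proto src sport direction dst dport, then options in parentheses.
HEADER_RE = re.compile(
    r'^(?P<action>alert|log|pass|drop|reject)\s+(?P<proto>tcp|udp|icmp|ip)\s+'
    r'(?P<src>\S+)\s+(?P<sport>\S+)\s+(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*'
    r'\((?P<opts>.*)\)\s*$')

def parse_rule(line):
    """Return header fields plus an 'options' dict for one rule; None for blank/comment lines."""
    line = line.strip()
    if not line or line.startswith('#'):
        return None
    m = HEADER_RE.match(line)
    if not m:
        raise ValueError(f'unparseable rule: {line}')
    rule = m.groupdict()
    opts = {}
    for opt in filter(None, (o.strip() for o in rule.pop('opts').split(';'))):
        key, _, val = opt.partition(':')          # 'sid:1000002' -> ('sid', ':', '1000002')
        opts[key.strip()] = val.strip().strip('"')
    rule['options'] = opts
    return rule

def lint_rules(text):
    """List (line_no, problem) pairs for mistakes Snort rejects or that break the sid convention."""
    problems = []
    for n, line in enumerate(text.splitlines(), 1):
        if '\u201c' in line or '\u201d' in line:
            problems.append((n, 'curly quotes around msg; Snort expects plain "'))
            line = line.replace('\u201c', '"').replace('\u201d', '"')
        try:
            rule = parse_rule(line)
        except ValueError as e:
            problems.append((n, str(e)))
            continue
        if rule is None:
            continue
        sid = int(rule['options'].get('sid', -1))
        if sid < 1000000:
            problems.append((n, f'sid {sid} is in the reserved range (below 1,000,000)'))
    return problems
```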


9- Now, let’s start Snort in IDS mode and tell it to display
alerts to the console:
sudo snort -A console -q -c /etc/snort/snort.conf -i ens33

[make sure you type your interface name correctly]



10- Now to test the previous rule, we need to do some
action, such as ping the Ubuntu VM from Kali VM. Open
the Terminal in Kali machine and type:

ping 192.168.x.x
[make sure you type the IP address of the Ubuntu VM]

Let it run for a couple of seconds and hit Ctrl+c to stop and return
to prompt.

11- Now return to your Ubuntu VM running Snort IDS. You
should see alerts generated for every ICMP Echo request
and Echo reply message.



12- Now let’s write another rule. Open our local.rules file in
a text editor:

sudo gedit /etc/snort/rules/local.rules

13- First, let’s comment out our first rule. Put a pound sign
(#) in front of it. On a new line, write the following rule
(using your Kali Linux IP for x.x):

alert tcp 192.168.x.x any -> $HOME_NET 21 (msg:"FTP connection attempt"; sid:1000002; rev:1;)

Here we changed the protocol to TCP, used a specific source
IP, set the destination port number to 21 (default port for
FTP connections) and changed the alert message text. Save
and close the file.

14- Now let's run Snort in IDS mode again, but this time we
are going to add one more option, as follows:

sudo snort -A console -q -c /etc/snort/snort.conf -i ens33 -K ascii

15- Go to your Kali Linux VM and enter the following
command in a terminal shell (using your Ubuntu IP
address):

ftp 192.168.x.x

16- Go back to the Ubuntu Server. You should see that an alert
has been generated.
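Step 11 says the ICMP rule alerts on both the echo request and the echo reply, even though the rule only matches traffic going to $HOME_NET. The following added example (not from the lab) parses constructed `snort -A console` alert lines and re-applies the rules' `-> $HOME_NET` destination check under two HOME_NET settings, showing that the reply matches only because HOME_NET was set to the whole /24 rather than to the Ubuntu host alone. The 192.168.56.x addresses and the alert lines are assumptions modelled on Snort's console alert format.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample of what `snort -A console` prints for this lab's two rules.
# Assumed addresses: Ubuntu VM (Snort sensor) 192.168.56.101, Kali VM 192.168.56.102.
CONSOLE_ALERTS = """\
02/10-14:23:01.104521  [**] [1:1000001:1] ICMP Test [**] [Priority: 0] {ICMP} 192.168.56.102 -> 192.168.56.101
02/10-14:23:01.104640  [**] [1:1000001:1] ICMP Test [**] [Priority: 0] {ICMP} 192.168.56.101 -> 192.168.56.102
02/10-14:23:02.105877  [**] [1:1000001:1] ICMP Test [**] [Priority: 0] {ICMP} 192.168.56.102 -> 192.168.56.101
02/10-14:23:02.105990  [**] [1:1000001:1] ICMP Test [**] [Priority: 0] {ICMP} 192.168.56.101 -> 192.168.56.102
02/10-14:25:17.551203  [**] [1:1000002:1] FTP connection attempt [**] [Priority: 0] {TCP} 192.168.56.102:46210 -> 192.168.56.101:21
"""

# timestamp [**] [gid:sid:rev] msg [**] ... {PROTO} src[:port] -> dst[:port]
ALERT_RE = re.compile(
    r'^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+'
    r'(?P<msg>.*?)\s+\[\*\*\].*?\{(?P<proto>\w+)\}\s+'
    r'(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s*$')

def parse_alerts(text):
    """Parse console alert lines into dicts; lines that do not match the format are skipped."""
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.match(line)
        if m:
            alerts.append(m.groupdict())
    return alerts

def would_match(alert, home_net):
    """Mimic the rules' `-> $HOME_NET` check: does the alert's destination fall inside HOME_NET?"""
    return ip_address(alert['dst']) in ip_network(home_net)

def summarize(alerts, home_net):
    """Alert count per sid, counting only alerts whose destination lies inside home_net."""
    return dict(Counter(a['sid'] for a in alerts if would_match(a, home_net)))
```

With HOME_NET as the /24 every line counts, so each ping produces two ICMP alerts; with HOME_NET narrowed to the Ubuntu host only the requests and the FTP attempt remain.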

17- Now run the following command to list the contents of the
Snort log directory:

ls /var/log/snort

The snort.log.* file (you may have more than one if you generated
more than one alert-generating activity earlier) is the .pcap log file.
It cannot be read with a text editor.

18- Now we can use Wireshark to read the Snort log file (pcap
file).

19- Open Wireshark. File -> Open. Then browse to the
/var/log/snort directory, select the snort.log.* file (* means
the number displayed to you; each run of a rule is captured in
a separate log file) and click Open.



In case you get a permission error on any file, do the
following to change its permissions:

sudo chmod 770 snort.log.xxxxxxxxx

20- You can see the whole traffic in Wireshark clearly.

Analyze the traffic using Wireshark.
