Lab 9 - Ids and Ips Xstud 0

This document provides instructions for installing, configuring, and testing the Snort intrusion detection and prevention system on Kali Linux. It outlines downloading and installing Snort, editing the configuration file to include a custom rules file, creating a rule to detect ICMP ping attacks, launching a ping attack against the system, and reviewing the log file to confirm the attack was logged. The key steps are: 1) Installing Snort, 2) Configuring Snort by editing files to include custom rules and configure logging, 3) Creating a rule to detect ping attacks, 4) Launching a ping attack against the system, and 5) Checking the log file for an alert with the message for the ping attack rule.

Uploaded by

Mona Bakri

LAB 9 – INTRUSION DETECTION AND PREVENTION SYSTEMS

HANDS ON INSTALLING, CONFIGURING AND TESTING SNORT USING KALI LINUX

Scope
Download and install

Configuration:

Edit configuration file

Configuring logs

Create a custom rule with message

Launching the attack

Capture & review the log file with the alerts configured in the custom rule

1. Download and Install

[All commands are highlighted in Red text]

Access the terminal of the Kali Linux machine:

apt-get install snort

When the installer asks for the address range, retrieve the IP address using ifconfig in a separate terminal window. Check whether the subnet mask is 16-bit or 24-bit and, based on that, give the IP address range.
Example: if the IP address is 192.168.1.100 and the subnet mask is 255.255.255.0 [24 bit], then the range in snort should be 192.168.0.0/24.
Let the installation complete! On successful installation it will return to the default prompt.

2. Edit Snort Configuration File and Rules Creation

2.1. Create a blank rules file to place your custom rules in; this is separate from the default rules used by snort:

touch /etc/snort/rules/custom.rules

2.2. Edit the Snort configuration file to add the newly created custom.rules file to snort:

vi /etc/snort/snort.conf

2.3. Type /include $RULE_PATH (this searches for the rule inclusion section in the vi editor).

Scroll down using PgDn or the arrow keys until you reach the end of the include $RULE_PATH entries.
Press the 'i' key to edit the file in the vi editor.
After the last default include $RULE_PATH entry, type:

include $RULE_PATH/custom.rules

Press the 'esc' key and then ':wq' to save and quit the snort configuration file.

2.4. Create a location for log files and verify that the log files are getting populated:

mkdir log

snort -l ./log -b -c /etc/snort/snort.conf (this starts snort and checks the live traffic on the computer and network against the rules in snort.conf)

ctrl+z (suspends the snort job)

cd log

ls

If the ls output shows files such as 'alert' and 'snort.log.<randomnumbers>', then snort is running and generating logs successfully.

rm * (removes the log files created so far, so the next run starts clean)

2.5. Create a custom rule to detect an ICMP (ping) attack:

vi /etc/snort/rules/custom.rules

Press 'i' to enter insert mode and add the rule:

alert icmp any any -> any any (msg:"Possible ping attack"; sid:999995;)

Press the 'esc' key and then ':wq' to save the custom.rules file.

3. Launching the attack

Launch snort on the Kali Linux machine:

snort -l ./log -p -c /etc/snort/snort.conf

From any other machine in the network, ping the Kali Linux machine with an unlimited number of packets.
Let snort run for a minute so that the capture works and the log file gets populated.

4. Reviewing the log file with attacks captured

cd log

ls

leafpad alert

The alert file should be populated with the alert message "Possible ping attack" as configured in the custom rules file.
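The following POSIX sh helpers are an added example, not part of the lab handout or of the Snort project, and tie together the steps above: working out the address range the installer asks for in step 1, inserting the custom.rules include line of step 2.3 without duplicating it on a re-run, writing the step 2.5 rule with straight ASCII quotes, and counting the step 4 alerts by message text. The address range is derived by ANDing the address with the mask and counting the mask's set bits, so 192.168.1.100 with 255.255.255.0 gives 192.168.1.0/24, the /24 network that actually contains the host. All inputs in the demonstration (the snort.conf fragment and the alert lines) are constructed and run in a scratch directory; the function names are this example's own.

```shell
#!/bin/sh
# Added example (not the lab's or Snort's own code): helpers for the Snort
# lab steps, checked against temporary files so no Snort install is needed.

# octet N DOTTED: print the Nth (1-based) octet of a dotted-decimal string.
octet() {
    o_n=$1; o_s=$2
    while [ "$o_n" -gt 1 ]; do o_s=${o_s#*.}; o_n=$(( o_n - 1 )); done
    printf '%s\n' "${o_s%%.*}"
}

# home_net_from_ip_and_mask IP MASK: the CIDR range the installer asks for.
# Network = IP AND mask; prefix length = number of 1 bits in the mask.
home_net_from_ip_and_mask() {
    hn_ip=$1; hn_mask=$2; hn_net=""; hn_prefix=0; hn_i=1
    while [ "$hn_i" -le 4 ]; do
        hn_a=$(octet "$hn_i" "$hn_ip")
        hn_m=$(octet "$hn_i" "$hn_mask")
        hn_net="${hn_net}${hn_net:+.}$(( hn_a & hn_m ))"
        while [ "$hn_m" -gt 0 ]; do            # count set bits of this octet
            hn_prefix=$(( hn_prefix + (hn_m & 1) ))
            hn_m=$(( hn_m >> 1 ))
        done
        hn_i=$(( hn_i + 1 ))
    done
    printf '%s/%s\n' "$hn_net" "$hn_prefix"
}

# add_custom_include CONF: step 2.3 done idempotently. Appends the
# custom.rules include directly after the last 'include $RULE_PATH/...'
# line; does nothing if the line is already present.
add_custom_include() {
    ac_conf=$1
    if grep -q '^include \$RULE_PATH/custom\.rules$' "$ac_conf"; then
        return 0
    fi
    ac_last=$(grep -n '^include \$RULE_PATH/' "$ac_conf" | tail -n 1 | cut -d: -f1)
    if [ -z "$ac_last" ]; then
        printf 'include $RULE_PATH/custom.rules\n' >> "$ac_conf"
    else
        awk -v n="$ac_last" '{ print } NR == n { print "include $RULE_PATH/custom.rules" }' \
            "$ac_conf" > "$ac_conf.tmp" && mv "$ac_conf.tmp" "$ac_conf"
    fi
}

# write_ping_rule FILE: the step 2.5 rule. Straight quotes matter: Snort
# rejects the curly quotes a word processor substitutes.
write_ping_rule() {
    printf '%s\n' 'alert icmp any any -> any any (msg:"Possible ping attack"; sid:999995;)' > "$1"
}

# count_ping_alerts ALERTFILE: number of alert lines carrying the rule's
# message, i.e. what the step 4 leafpad review checks by eye.
count_ping_alerts() {
    grep -c 'Possible ping attack' "$1" || true
}

# Demonstration in a scratch directory with constructed inputs. On the lab
# machine the same functions apply to /etc/snort/snort.conf,
# /etc/snort/rules/custom.rules and ./log/alert.
demo() {
    d=$(mktemp -d)
    printf 'include $RULE_PATH/local.rules\ninclude $RULE_PATH/icmp.rules\n# end of includes\n' > "$d/snort.conf"
    add_custom_include "$d/snort.conf"
    add_custom_include "$d/snort.conf"      # second call must not duplicate
    write_ping_rule "$d/custom.rules"
    # Constructed alert lines in the shape of Snort's full alert header.
    printf '[**] [1:999995:0] Possible ping attack [**]\n[**] [1:999995:0] Possible ping attack [**]\n' > "$d/alert"
    echo "HOME_NET for 192.168.1.100/255.255.255.0: $(home_net_from_ip_and_mask 192.168.1.100 255.255.255.0)"
    echo "custom include lines in snort.conf: $(grep -c 'custom.rules' "$d/snort.conf")"
    echo "rule written: $(cat "$d/custom.rules")"
    echo "ping alerts logged: $(count_ping_alerts "$d/alert")"
    rm -rf "$d"
}

demo
```

Run it as `sh snort_lab_helpers.sh` (any file name) and the demo prints the computed range, confirms a single include line after two calls, and reports two logged alerts; on the real machine pass the real paths to the functions and root privileges are needed for the files under /etc/snort.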
