Network Analysis

Install Snort
Open a terminal in Kali and enter # snort. Snort will start to run in packet dump mode.
If Snort is not installed on your machine, enter the following command and Snort will be installed.
If you are using an old Kali, you need to install from the Wheezy database.
After Snort installs, a blue screen appears asking for the “Address range for your local
network”. In MBV249, it’s If you are doing from home, check your subnet
mask, if then it is /24. Enter the range of your network set it to the IP address of
the victim, your Kali machine), press Tab to highlight OK, and press Enter. (Later we will
Check if snort is under /etc. If you find snort, change directory to snort ( cd snort ).
Now do an ls so that you can see all the files under the snort directory.
A few important locations:

  1. SNORT configuration: /etc/snort/snort.conf
  2. SNORT debian configuration: /etc/snort/snort.debian.conf
  3. SNORT rules: /etc/snort/rules
  4. SNORT executable: /usr/sbin/snort

Configure SNORT
The main configuration file for SNORT is /etc/snort/snort.conf. This is a big configuration
file. (If required, you can edit it by opening it with an editor such as nano, vi, leafpad etc.) For this
lab, we don’t need to touch snort.conf now. To check what’s in it, use cat.
Now cat it and go over the config file.
Check the HOME_NET and interface-related configuration in /etc/snort/snort.debian.conf .
If you defined your HOME_NET properly during the installation process, you can leave it
as it is and don’t need to edit it anymore. However, it is recommended that you set
HOME_NET to the IP address of the victim machine, in your case the current IP address of your
Kali VM.

nano snort.debian.conf and change the DEBIAN_SNORT_HOME_NET

The default config file ( /etc/snort/snort.conf ) is quite self-explanatory, with helpful comments
leading the user through the steps of customizing the configuration to its own needs.
(In this lab we only set the network variables and customize the rule set. Also, because we are
using Kali, we edited snort.debian.conf.)
If you are using other Linux, you might need to open the snort.conf in order to edit. The
network variables we modify are the HOME_NET and the EXTERNAL_NET, which can be
configured by changing the following lines:
ipvar HOME_NET ( the internal network range, the subnet we are trying
to protect. You can set it to the IP address of the victim machine)
ipvar EXTERNAL_NET !$HOME_NET ( the external network range, in our case everything
which is not in the internal network range)
Again, if you use a Debian distro like Kali, you need to open snort.debian.conf instead.
Also, in order to alert only on the packets you want, you may want to disable all predefined
rules. To disable them, comment out (put # in front of) every line that has include $RULE_PATH.
Include a new rules file
Instead of changing snort.conf, in this lab we will create our own .conf file. Use an editor to
create a file named snort-ITN266.conf under /etc/snort.
Then create a rule with your last name.
In the terminal type # nano snort-ITN266.conf
include /etc/snort/myName-icmp.rules ( for me it is include /etc/snort/sdas-icmp.rules)
Save the file with Ctrl+X, Y, Enter.
Now create the rule
We will start with a very simple rule into our myName-icmp.rules file:
alert icmp any any -> any any (msg:"Ping detected"; sid:1000477; rev:1;)
(Please read how to create a Snort rule.)
Note that each rule you write should have a unique SID. The sid:1000477; rev:1; options in the rule are
required to keep Snort happy.
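A pre-flight check for a local rules file such as myName-icmp.rules, as an added example that is not part of the original lab. The function name, the sample rules and the check that local SIDs start at 1000000 (the usual Snort convention) are assumptions of this example.

```python
import re

# Header: action proto src sport direction dst dport, then the options in ( ).
RULE_RE = re.compile(
    r'^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+'
    r'(?P<dir>\S+)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$')

# Constructed sample rules: line 2 has a broken arrow, line 3 reuses a SID.
SAMPLE = '''\
alert icmp any any -> any any (msg:"Ping detected"; itype:8; sid:1000477; rev:1;)
alert icmp any any > any any (msg:"Ping reply"; itype:0; sid:1000478; rev:1;)
alert tcp any any -> any 80 (msg:"Web"; sid:1000477; rev:1)
'''

def lint_rules(text):
    """Return a list of (line_number, problem) for a Snort 2.x rules file."""
    problems, seen_sids = [], {}
    for n, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        if '\u201c' in line or '\u201d' in line:
            problems.append((n, 'curly quotes (use plain ")'))
        m = RULE_RE.match(line)
        if not m:
            problems.append((n, 'not in "action proto src port dir dst port (options)" form'))
            continue
        if m['dir'] not in ('->', '<>'):
            problems.append((n, f"bad direction operator {m['dir']!r}"))
        opts = m['opts'].strip()
        if not opts.endswith(';'):
            problems.append((n, 'last option is not terminated with ;'))
        sid = re.search(r'\bsid\s*:\s*(\d+)', opts)
        if not sid:
            problems.append((n, 'missing sid'))
        else:
            value = int(sid.group(1))
            if value < 1000000:
                problems.append((n, f'sid {value} is below the local range (>= 1000000)'))
            if value in seen_sids:
                problems.append((n, f'sid {value} already used on line {seen_sids[value]}'))
            seen_sids.setdefault(value, n)
        if not re.search(r'\brev\s*:\s*\d+', opts):
            problems.append((n, 'missing rev'))
    return problems
```

Calling lint_rules(open('/etc/snort/myName-icmp.rules').read()) before starting Snort lists each problem with its line number.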
Run Snort (check the alert/packets)
snort -c /etc/snort/snort-ITN266.conf -l /var/log/snort -i eth0
Your interface name may be different from eth0. Also, the -l switch is a lowercase L, not the
number 1. Soon Snort will start to throw alerts.
But we only want to alert for ping! So we can include a new option in the rule. Open
myName-icmp.rules in an editor and modify it.

nano myName-icmp.rules

alert icmp any any -> any any (msg:"Ping detected"; itype:8; sid:1000477; rev:1;)
The option itype stands for ICMP packet type.
If we run Snort as below (in packet sniffer mode), you can see it in the packets.
snort -dev -c /etc/snort/snort.conf -l /var/log/snort/ -i eth0
Now check if your rule is actually working, ping from another terminal. Snort will catch
the outgoing (ICMP Echo request) and incoming (ICMP Echo reply) packets.
You can see that the ECHO packets have type 8 and the ECHO REPLY packets have type 0, so we
chose type 8 correctly.
You can stop Snort anytime by pressing Ctrl+C.
Stop snort, and check the alert output file at /var/log/snort
The snort.conf file has several rules, very well defined. Let’s use some of them. In a Terminal
window, run snort (use the -v switch) snort -v -i eth0 -l /var/log/snort -c
Snort starts, showing a “Commencing packet processing” message.
Meanwhile, open another Terminal on your other VM or on the host machine and run a default Nmap
scan of your Kali Linux machine. You will see Snort start throwing alerts.
After we stop running Snort, it outputs some useful statistics. Many of these are self-explanatory; the main and most interesting sections are the following:
Processing rates, Packet I/O Totals, Protocol statistics, Actions, Limits, and Verdicts.
Go ahead and check the snort log file ( tail -f /var/log/snort/alert ); we will see an alert that
an nmap scan was being run.
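To go from reading /var/log/snort/alert by eye to a per-rule, per-source count, here is an added example that is not part of the original lab. It assumes Snort 2.x full alert mode and IPv4 addresses; the log text, addresses and SID 1000480 are constructed sample data.

```python
import re
from collections import Counter

# Constructed sample of /var/log/snort/alert (Snort 2.x full alert mode).
SAMPLE_ALERTS = """\
[**] [1:1000477:1] Ping detected [**]
[Priority: 0]
03/14-10:15:01.120001 192.168.56.20 -> 192.168.56.10
ICMP TTL:64 TOS:0x0 ID:4711 IpLen:20 DgmLen:84 DF
Type:8  Code:0  ID:2301   Seq:1  ECHO

[**] [1:1000477:1] Ping detected [**]
[Priority: 0]
03/14-10:15:02.121544 192.168.56.20 -> 192.168.56.10
ICMP TTL:64 TOS:0x0 ID:4712 IpLen:20 DgmLen:84 DF
Type:8  Code:0  ID:2301   Seq:2  ECHO

[**] [1:1000480:1] Constructed TCP alert [**]
[Priority: 0]
03/14-10:16:40.000312 192.168.56.30:40122 -> 192.168.56.10:22
TCP TTL:64 TOS:0x0 ID:991 IpLen:20 DgmLen:60 DF
"""

HEADER = re.compile(r'^\[\*\*\] \[(\d+):(\d+):(\d+)\] (.*?) \[\*\*\]$')
FLOW = re.compile(r'^(\d\d/\d\d-[\d:.]+) (\S+) -> (\S+)$')

def parse_alerts(text):
    """Return one dict per alert: gid, sid, rev, msg, plus time/src/dst if present."""
    alerts = []
    for line in text.splitlines():
        line = line.strip()
        head, flow = HEADER.match(line), FLOW.match(line)
        if head:
            gid, sid, rev, msg = head.groups()
            alerts.append({'gid': int(gid), 'sid': int(sid), 'rev': int(rev), 'msg': msg})
        elif flow and alerts and 'src' not in alerts[-1]:
            when, src, dst = flow.groups()
            # Drop the :port suffix that TCP/UDP alerts carry (IPv4 only).
            alerts[-1].update(time=when, src=src.split(':')[0], dst=dst.split(':')[0])
    return alerts

def summarize(alerts):
    """Count alerts per (sid, msg, source address)."""
    return Counter((a['sid'], a['msg'], a.get('src')) for a in alerts)
```

With the itype:8 rule loaded, only echo requests appear in the summary, so the count for SID 1000477 equals the number of pings sent by each source.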
In part II (not now, maybe extra credit) we will use Snort to throw an alert for browsing any
particular website.
Useful Sites:

Sample Solution