Northeastern University

CS 4740/6740 - Network Security

Lab: Network Intrusion Detection

In this lab, you will use a Network Intrusion Detection System (NIDS) to detect attacks through the network. Our tool of choice is Snort, an open source signature-based NIDS. Make sure to read a bit about Snort and about the differences between anomaly-based and signature-based intrusion detection systems.

Late submissions will result in a 10% penalty per day (e.g., 2.5 days late results in a 25% penalty).

1. Set up Snort

  1. Download the Snort source code and the DAQ (data acquisition) library source code onto your team's Linux router. Make sure the code you downloaded is legitimate by checking it against the MD5 checksums published on the Snort website.

  2. Extract the daq library code into /usr/src:

    tar xjvf daq-<version> -C /usr/src

  3. Enter the directory, compile and install the library:

          cd /usr/src/daq-<version>
          ./configure
          make
          make install

  4. Repeat the two steps above for the snort source package.

  5. Copy the snort configuration directory from the source tree to /etc/snort

            mkdir /etc/snort
            cp -r /usr/src/snort-<version>/etc/* /etc/snort/

  6. Next, obtain a copy of the latest non-subscription ruleset from the strawman server. You can also check its MD5 hash against the one listed on the Snort download page to make sure the file is legitimate. Once downloaded, extract these rules into the /etc/snort directory. Make sure the rules you download match your version of Snort (see snort -V).

  7. Now edit snort.conf and customize it for your network. Read through the comments in the file to determine how you should set each variable. This will take a significant amount of time if done correctly. In the end, your configuration should satisfy the following:
    • Snort listens on eth0, eth1, and tap0.
    • Be sure to set your RULE_PATH correctly, to an absolute path.
    • Snort should not be configured as an inline IPS.
    • Set Snort to use the lowmem search method (otherwise you will run out of memory).
    • All rules you downloaded from snort.org should be enabled through include directives.
    • Snort should log to the local syslog daemon via the alert_syslog output plugin.
  8. Once you are happy with your configuration and ruleset, try running Snort as root:

    snort -c /etc/snort/snort.conf

    Watch the output carefully, and address any errors in your config file. Continue re-running snort until you get it working correctly.
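The following script is an added example for the setup procedure above; it is not code from the lab handout or from the Snort project. It gates extraction and the build on the MD5 check from step 1, and it greps a snort.conf for each item in the step 7 checklist before Snort is even started, which is quicker than the run-and-read-errors loop for the checklist items Snort itself does not complain about (lowmem, syslog output, passive mode). It assumes md5sum(1) is available, that the expected digest you pass in is the one published on the Snort download page (the digests used in the demo are constructed), and that the configuration uses the Snort 2.x snort.conf directive names (var, config detection, output alert_syslog, include, config daq_mode/policy_mode).

```shell
#!/bin/sh
# Added example, not part of the lab handout: helpers for the setup steps above.
# Assumptions: md5sum(1) is available; the expected digest passed to verify_md5
# is the value published on the Snort download page (the digests used in the
# demo below are constructed); the snort.conf directive names follow the
# Snort 2.x snort.conf syntax; and the checks encode the lab checklist in step 7.

# verify_md5 FILE EXPECTED_MD5
# Succeeds only when FILE's MD5 digest equals EXPECTED_MD5. Do this before
# extracting anything: a tarball from a mirror that does not match the digest
# on the project site should not be unpacked, let alone built as root.
verify_md5() {
    actual=$(md5sum "$1" | cut -d ' ' -f 1)
    [ "$actual" = "$2" ]
}

# unpack_and_build TARBALL EXPECTED_MD5 (e.g. daq-<version>.tar.gz)
# Steps 2 and 3 of the setup, gated on the checksum check. Run as root on the
# lab router; not exercised by the demo below.
unpack_and_build() {
    if ! verify_md5 "$1" "$2"; then
        echo "checksum mismatch for $1, refusing to extract" >&2
        return 1
    fi
    tar xvf "$1" -C /usr/src          # GNU tar detects gzip/bzip2 by itself
    dir=$(basename "$1" .tar.gz)      # assumes a .tar.gz archive name...
    dir=$(basename "$dir" .tar.bz2)   # ...or a .tar.bz2 one
    (cd "/usr/src/$dir" && ./configure && make && make install)
}

# check_snort_conf CONF
# Greps CONF for each requirement in the step 7 checklist and reports the
# ones that are missing; returns non-zero if any check fails. Follow it with
# "snort -T -c CONF", Snort's own configuration test mode.
check_snort_conf() {
    conf="$1"
    rc=0
    grep -Eq '^[[:space:]]*var[[:space:]]+RULE_PATH[[:space:]]+/' "$conf" \
        || { echo "RULE_PATH missing or not an absolute path" >&2; rc=1; }
    grep -Eq '^[[:space:]]*config[[:space:]]+detection:.*search-method[[:space:]]+lowmem' "$conf" \
        || { echo "search-method lowmem not set" >&2; rc=1; }
    grep -Eq '^[[:space:]]*output[[:space:]]+alert_syslog' "$conf" \
        || { echo "alert_syslog output plugin not enabled" >&2; rc=1; }
    grep -Eq '^[[:space:]]*include[[:space:]]+\$RULE_PATH/' "$conf" \
        || { echo "no rules files included via \$RULE_PATH" >&2; rc=1; }
    if grep -Eq '^[[:space:]]*config[[:space:]]+(daq_mode|policy_mode):[[:space:]]*inline' "$conf"; then
        echo "inline mode configured; the lab wants a passive IDS" >&2
        rc=1
    fi
    return $rc
}

# write_sample_conf FILE: a constructed fragment that satisfies the checklist
# (only the lines the checker looks at, not a complete snort.conf).
write_sample_conf() {
    cat > "$1" <<'EOF'
ipvar HOME_NET 10.0.0.0/24
ipvar EXTERNAL_NET !$HOME_NET
var RULE_PATH /etc/snort/rules
config detection: search-method lowmem
output alert_syslog: LOG_AUTH LOG_ALERT
include $RULE_PATH/web-attacks.rules
include $RULE_PATH/web-cgi.rules
EOF
}

# Demo on constructed input; on the router run: check_snort_conf /etc/snort/snort.conf
demo_conf=$(mktemp)
write_sample_conf "$demo_conf"
if check_snort_conf "$demo_conf"; then
    echo "sample fragment satisfies the step 7 checklist"
fi
rm -f "$demo_conf"
```

On the router, source the script and run check_snort_conf /etc/snort/snort.conf, then snort -T -c /etc/snort/snort.conf; the grep checks catch checklist items that Snort accepts silently, while -T catches the syntax and path errors the checklist does not cover. The checker deliberately matches only the start of each directive, so a commented-out line (leading #) does not count as satisfying a requirement.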

2. Testing Snort

  1. Read about Snort's signature syntax in the Snort User's Manual. In particular, be sure to review the reference for the meta-data options, including sid.

  2. Once you are somewhat familiar with the rule language, read through some of the web attack rules files. These are the files named in the form web-*.rules. Follow the references listed in a few of the rules and read about the type of attack each signature is designed to detect. Also review the Snort rules documentation; the signature documentation is organized into sections by signature ID.

  3. Now, select one web attack signature that seems straightforward to understand. It is simplest to select a signature that looks for "evil" data in an HTTP URL string. Log into your Windows server and open a browser. Based on the documentation provided with the signature you have selected, attempt to trigger the Snort signature by making a request to the host strawman.nslab that contains an attack string the signature should detect.

  4. Now verify in your Snort logs that your attack triggered an alert based on that signature. Hint: /var/log will probably have something.
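As an added example for steps 1 and 4 above (not code from the lab handout or from the Snort ruleset), the script below shows one local rule written in the Snort 2 rule syntax, with the meta-data options (msg, classtype, sid, rev) beside the match options, and a few helpers that pull a specific rule's alerts out of a syslog file by its [gid:sid:rev] token rather than by message text. It assumes the alert_syslog plugin's usual line format, "snort[PID]: [gid:sid:rev] msg [Classification: ...] [Priority: N] {PROTO} SRC -> DST"; the sids 1000001 and 1000002 are constructed local-rule ids (local sids start at 1000000), and the log lines in write_sample_syslog are constructed samples, not captured output.

```shell
#!/bin/sh
# Added example, not part of the lab handout: a local rule in Snort 2 syntax
# and helpers that pull a given rule's alerts out of the syslog file.
# Assumptions: the alert_syslog plugin writes its usual
#   snort[PID]: [gid:sid:rev] msg [Classification: ...] [Priority: N] {PROTO} SRC -> DST
# line; sids 1000001/1000002 are constructed local-rule ids (local sids start
# at 1000000); the log lines in write_sample_syslog are constructed, not captured.

# write_local_rule FILE: one detection rule showing the meta-data options the
# manual describes (msg, classtype, sid, rev) next to the match options. It
# alerts on a client request whose normalized URI contains /etc/passwd, the
# classic file-disclosure pattern the stock web rules also look for.
write_local_rule() {
    cat > "$1" <<'EOF'
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"LOCAL WEB-ATTACKS /etc/passwd in URI"; flow:to_server,established; content:"/etc/passwd"; nocase; http_uri; classtype:web-application-attack; sid:1000001; rev:1;)
EOF
}

# alerts_for_sid SID LOGFILE: the syslog lines for generator 1, rule SID.
# Matching on the [1:SID:rev] token avoids false hits from other daemons or
# from a different rule whose msg happens to contain the same words.
alerts_for_sid() {
    grep -E "snort\[[0-9]+\]: \[1:$1:[0-9]+\] " "$2"
}

# count_alerts SID LOGFILE: number of alerts for SID (0 when there are none).
count_alerts() {
    alerts_for_sid "$1" "$2" | wc -l | tr -d ' '
}

# alert_peers SID LOGFILE: "SRC -> DST" for each alert (the last three fields).
alert_peers() {
    alerts_for_sid "$1" "$2" | awk '{ print $(NF-2), $(NF-1), $NF }'
}

# write_sample_syslog FILE: constructed lines in the format above, mixed with
# an unrelated sshd entry, as a real syslog file would be.
write_sample_syslog() {
    cat > "$1" <<'EOF'
Mar  3 14:02:11 router snort[2241]: [1:1000001:1] LOCAL WEB-ATTACKS /etc/passwd in URI [Classification: Web Application Attack] [Priority: 1] {TCP} 10.0.0.5:49152 -> 10.0.0.10:80
Mar  3 14:02:12 router sshd[2250]: Accepted publickey for student from 10.0.0.5 port 49300 ssh2
Mar  3 14:02:15 router snort[2241]: [1:1000001:1] LOCAL WEB-ATTACKS /etc/passwd in URI [Classification: Web Application Attack] [Priority: 1] {TCP} 10.0.0.5:49153 -> 10.0.0.10:80
Mar  3 14:03:40 router snort[2241]: [1:1000002:2] LOCAL WEB-ATTACKS traversal in URI [Classification: Web Application Attack] [Priority: 1] {TCP} 10.0.0.5:49170 -> 10.0.0.10:80
EOF
}

# Demo on the constructed log. On the router, point these helpers at the file
# your syslog daemon writes the LOG_AUTH facility to (for example
# /var/log/auth.log or /var/log/messages, depending on the distribution).
demo_log=$(mktemp)
write_sample_syslog "$demo_log"
echo "alerts for sid 1000001: $(count_alerts 1000001 "$demo_log")"
alert_peers 1000001 "$demo_log"
rm -f "$demo_log"
```

To use the rule, write it to $RULE_PATH/local.rules and make sure that file is pulled in by an include directive in snort.conf, then restart Snort. Which file under /var/log receives the alerts depends on the facility you gave alert_syslog and on the syslog daemon's configuration, so check the daemon's config rather than guessing; once you have the file, the [1:sid:rev] token on each alert line is the exact identifier to quote in question 2 of the report, since two rules can share most of their message text but never a sid.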

Report

For this lab, your team must submit a report with the following information:

  1. Submit your Snort configuration file. You need only include your main snort.conf, not the downloaded signatures.

  2. Which signature did you select to test Snort? Include a snippet of the log showing when the alert was triggered.

  3. Suppose you are the administrator of a webserver that hosts a large eCommerce application. For security, your webserver is configured to communicate with all clients over SSL for every request. Your boss asks you to set up Snort to monitor attacks against the web server and application. He believes that the SSL implementation is secure and isn't concerned about monitoring the SSL tunnel itself. Propose a network design that would allow you to monitor this traffic without installing Snort on the webservers themselves. Draw a simple diagram that illustrates your design. NOTE: You do not need to worry about specific products and whether or not there exist products that do what you need for your design. If you need a router/server/etc that does something, assume you could build it.

Grading

Your grade for this lab will be composed of: