Lab: Network Intrusion Detection
In this lab, you will use a Network Intrusion Detection System (NIDS) to detect attacks through the network.
Our tool of choice is Snort, an open source
NIDS. Make sure to read a bit about
and the differences between anomaly-based and signature-based
intrusion detection systems.
Late submissions will result in a 10% penalty per day (e.g., 2.5 days late results in a 25% penalty).
1. Setup Snort
Extract the daq library code into
tar xjvf daq-<version> -C /usr/src
Enter the directory, compile and install the library:
cd /usr/src/daq-<version>
./configure
make
make install
Repeat the two steps above for the snort source package.
Copy the snort configuration directory from the source tree to
mkdir /etc/snort
cp -r /usr/src/snort-<version>/etc/* /etc/snort/
Next, obtain a copy of the latest, non-subscription ruleset from the strawman server. You can also check the MD5 hash at the snort download page to make sure the file is legitimate. Once downloaded, extract these rules in the /etc/snort directory. Make sure the rules you download match the version of snort (see
Now edit snort.conf and customize it for your
network. Read through the comments in the file to determine how
you should set each variable.
This will take a significant amount of time if done correctly.
In the end your configuration should have the following:
- Snort listens on eth0, eth1, and tap0.
- Be sure to set your RULE_PATH correctly, to an absolute path.
- Snort should not be configured as an inline IPS.
- Set snort to use the lowmem search method (otherwise you will run out of memory).
- All rules you downloaded from snort.org should be enabled through
- Snort should log to the local syslog daemon via the
Once you are happy with your configuration and ruleset, try running Snort as root:
snort -c /etc/snort/snort.conf
Watch the output carefully, and address any errors in your config file. Continue re-running snort until you get it working correctly.
2. Testing Snort
Read about Snort's signature syntax in the Snort User's Manual. In particular, be sure to review the meta-data options
Once you are somewhat familiar with the rule language, read through some of the web attack rules files. These are files named in the form web-*.rules. Follow the references listed in a few of the rules and read about the type of attack the specific signatures are designed to detect. Also, review the Snort rules documentation. The signature documentation is broken up into sections based on signature IDs.
Now, select one web attack signature that seems straightforward to understand. It will be simpler if you select a signature that looks for "evil" data in an HTTP URL string. Log into your Windows server and open a browser. Based on the documentation provided with the signature you have selected, attempt to trigger the Snort signature by making a request to the system strawman.nslab which contains an attack string that should be detected.
Now verify in your Snort logs that your attack triggered an alert based on that signature. Hint: /var/log will probably have something.
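As an added illustration of what this signature test exercises (example code, not part of the lab or of the Snort distribution), the Python below parses a rule written in Snort's syntax, applies its uricontent match to sample HTTP requests, and checks an alert_syslog-style log line for the rule's sid and rev. The rule (sid 1000001), the log line and the requests are all constructed for this example, and the percent-decoding stands in for the URI normalisation that Snort's http_inspect preprocessor performs before uricontent is tested.

```python
import re
from urllib.parse import unquote
# Constructed rule in Snort syntax (not from the snort.org ruleset): alert when a
# client's request URI contains "/etc/passwd" in any letter case.
RULE = ('alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS '
        '(msg:"WEB-MISC /etc/passwd access"; flow:to_server,established; '
        'uricontent:"/etc/passwd"; nocase; classtype:attempted-recon; sid:1000001; rev:1;)')
# One rule option: a name, an optional ":value" (quoted, or up to the next ';'), then ';'.
OPT_RE = re.compile(r'(\w+)(?::\s*("[^"]*"|[^;]*))?\s*;')

def parse_rule(rule):
    # Keep the metadata options plus an ordered list of content/uricontent matches.
    sig = {'matches': []}
    body = rule.split('(', 1)[1].rsplit(')', 1)[0]
    for name, value in OPT_RE.findall(body):
        value = value.strip('"')
        if name in ('content', 'uricontent'):
            sig['matches'].append({'kind': name, 'pattern': value, 'nocase': False})
        elif name == 'nocase' and sig['matches']:
            sig['matches'][-1]['nocase'] = True  # modifier applies to the preceding match
        elif name in ('msg', 'classtype', 'sid', 'rev'):
            sig[name] = value
    return sig

def request_matches(sig, request):
    # uricontent is tested against the percent-decoded URI (a stand-in for the
    # normalisation Snort's http_inspect preprocessor does); content against the whole request.
    request_line = request.split('\r\n', 1)[0]
    uri = unquote(request_line.split(' ')[1]) if request_line.count(' ') >= 2 else ''
    for m in sig['matches']:
        hay, pat = (uri if m['kind'] == 'uricontent' else request), m['pattern']
        found = pat.lower() in hay.lower() if m['nocase'] else pat in hay
        if not found:
            return False
    return True

# Constructed syslog line in the shape Snort's alert_syslog output plugin writes.
SYSLOG_LINE = ('Mar  3 14:02:11 nids snort[2314]: [1:1000001:1] WEB-MISC /etc/passwd access '
               '[Classification: Attempted Information Leak] [Priority: 2]: '
               '{TCP} 10.10.1.23:51872 -> 10.10.1.10:80')
ALERT_RE = re.compile(r'\[(\d+):(\d+):(\d+)\] (.*?) \[Classification: [^\]]*\] \[Priority: \d+\]: \{\w+\} (\S+) -> (\S+)')

def parse_syslog_alert(line):
    # Return (sid, rev, msg, src, dst) for one alert line, or None if it is not an alert.
    m = ALERT_RE.search(line)
    return None if not m else (int(m[2]), int(m[3]), m[4], m[5], m[6])

def alert_confirms(sig, line):
    # True when the logged alert carries the sid:rev of the signature under test.
    alert = parse_syslog_alert(line)
    return alert is not None and alert[:2] == (int(sig['sid']), int(sig['rev']))
```

Note that a percent-encoded URI such as /cgi-bin/view.cgi?f=%2Fetc%2FPASSWD still matches after decoding, which is why the signature is written against the normalised URI rather than the raw bytes on the wire.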
For this lab, your team must submit a report with the following information:
Submit your Snort configuration file. You need only include your main snort.conf, not the downloaded signatures.
Which signature did you select to test Snort? Include a snippet of the log showing when the alert was triggered.
Suppose you are the administrator of a webserver that hosts a large eCommerce application. For security, your webserver is configured to communicate with all clients over SSL for every request. Your boss asks you to set up Snort to monitor attacks against the web server and application. He believes that the SSL implementation is secure and isn't concerned about monitoring the SSL tunnel itself. Propose a network design that would allow you to monitor this traffic without installing Snort on the webservers themselves. Draw a simple diagram that illustrates your design. NOTE: You do not need to worry about specific products and whether or not there exist products that do what you need for your design. If you need a router/server/etc that does something, assume you could build it.
Your grade for this lab will be composed of:
50% - Copy of your Snort configuration file.
40% - The test signature and log file.
10% - Answer to the last question.