Northeastern University

CSG 254 - Network Security

Lab: Network Intrusion Detection

In this lab, you will use a Network Intrusion Detection System (NIDS) to detect attacks through the network. Our tool of choice is Snort, an open source signature-based NIDS. Make sure to read a bit about Snort and the differences between anomaly-based and signature-based intrusion detection systems.

1. Setup Snort

  1. Snort is already installed on your system, but it isn't configured and there aren't any signatures installed. First, create the directory /usr/local/etc/snort and make a copy of the sample snort configuration:

    mkdir /usr/local/etc/snort
    cp /usr/local/src/snort-2.4.3/etc/snort.conf /usr/local/etc/snort
  2. Next, obtain the latest, non-subscription ruleset from snort.org. You may register if you wish, but this isn't required. The rules for the latest release version will be sufficient. Once downloaded, extract these rules in the /usr/local/etc/snort directory. Make sure the rules you download match the version of Snort you have installed (see snort -V).

  3. Now edit your copy of snort.conf and customize it for your network. Read through the comments in the file to determine how you should set each variable. This will take a significant amount of time if done correctly. In the end your configuration should have the following:
    • Snort listens on both eth0 and eth1.
    • Be sure to set your RULE_PATH correctly, to an absolute path.
    • Snort should not be configured as an inline IPS.
    • All rules you downloaded from snort.org should be enabled through include directives.
    • Snort will log to the local syslog daemon via the alert_syslog output plugin.
  4. Once you are happy with your configuration and ruleset, try running Snort as root:

    snort -c /usr/local/etc/snort/snort.conf

    Watch the output carefully, and address any errors in your config file. Continue re-running snort until you get it working correctly.

2. Testing Snort

  1. Read about Snort's signature syntax in the Snort User's Manual. In particular, be sure to review the meta-data options reference and sid.

  2. Once you are somewhat familiar with the rule language, read through some of the web attacks rules files. These are files named in the form web-*.rules. Follow the references listed in a few of the rules and read about the type of attack the specific signatures are designed to detect. Also, review the documentation provided with your signatures. It should be in the /usr/local/etc/snort/doc/signatures directory. The signature documentation is broken up into files which are named based on their signature IDs.

  3. Now, select one web attack signature that seems straightforward to understand. It is simplest to select a signature that looks for "evil" data in an HTTP URL string. Log into your Windows server and open a browser. Based on the documentation provided with the signature you have selected, attempt to trigger the Snort signature by making a request to the system strawman-fedora.nslab.ccs.neu.edu which contains an attack string that should be detected.

  4. Now verify in your Snort logs that your attack triggered an alert based on that signature. Hint: /var/log/messages will probably have something.
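A small check for steps 1 and 4 above, added here as example code that is not part of the lab handout or of Snort itself: it parses a constructed rule written in Snort 2.x syntax (a local sid, not one from the snort.org ruleset), parses constructed syslog lines in the shape the alert_syslog plugin writes to /var/log/messages, and lists the alerts that carry the rule's sid, which is the evidence the report asks for. The rule, the log lines and the hostname "sensor" are all constructed for this example.

```python
import re

# Constructed sample rule in Snort 2.x syntax. Its sid is in the local range
# (>= 1000000); it is not a rule from the snort.org ruleset.
RULE = ('alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS '
        '(msg:"WEB-MISC /etc/passwd"; flow:to_server,established; '
        'uricontent:"/etc/passwd"; nocase; classtype:attempted-recon; '
        'sid:1000001; rev:1;)')

# Constructed sample of /var/log/messages with alert_syslog lines mixed in.
MESSAGES = """\
Mar  1 12:00:01 sensor snort[2231]: [1:1000001:1] WEB-MISC /etc/passwd [Classification: Attempted Information Leak] [Priority: 2]: {TCP} 10.0.0.5:33412 -> 10.0.0.10:80
Mar  1 12:00:02 sensor sshd[2250]: Accepted publickey for admin from 10.0.0.7 port 5022 ssh2
Mar  1 12:00:03 sensor snort[2231]: [1:1000001:1] WEB-MISC /etc/passwd [Classification: Attempted Information Leak] [Priority: 2]: {TCP} 10.0.0.5:33413 -> 10.0.0.10:80
Mar  1 12:00:04 sensor snort[2231]: [1:1000002:1] ICMP probe [Classification: Attempted Information Leak] [Priority: 2]: {ICMP} 10.0.0.6 -> 10.0.0.10
"""

# Rule options are "name:value;" or a bare "name;"; values may be quoted.
OPTION_RE = re.compile(r'(\w+)(?::\s*("[^"]*"|[^;]*))?;')
# Shape of an alert_syslog line; ports are absent for ICMP, so they are optional.
ALERT_RE = re.compile(
    r'snort\[\d+\]: \[(\d+):(\d+):(\d+)\] (.*?) '
    r'\[Classification: ([^\]]*)\] \[Priority: (\d+)\]: '
    r'\{(\w+)\} ([\d.]+)(?::(\d+))? -> ([\d.]+)(?::(\d+))?')
FIELDS = ("gid", "sid", "rev", "msg", "classification", "priority",
          "proto", "src", "sport", "dst", "dport")

def parse_rule(rule):
    """Split a Snort rule into its header words and an option-name -> value map."""
    head, body = rule.split("(", 1)
    action, proto, src, sport, _, dst, dport = head.split()
    opts = {m.group(1): (m.group(2) or "").strip('"')
            for m in OPTION_RE.finditer(body.rsplit(")", 1)[0])}
    return {"action": action, "proto": proto, "src": src, "sport": sport,
            "dst": dst, "dport": dport, "options": opts}

def parse_alerts(text):
    """Extract every Snort alert (gid:sid:rev, msg, endpoints) from syslog text."""
    return [dict(zip(FIELDS, m.groups())) for m in ALERT_RE.finditer(text)]

def alerts_for_rule(rule, text):
    """Alerts in `text` whose sid matches the rule: evidence the signature fired."""
    sid = parse_rule(rule)["options"]["sid"]
    return [a for a in parse_alerts(text) if a["sid"] == sid]

if __name__ == "__main__":
    for a in alerts_for_rule(RULE, MESSAGES):
        print(f'[{a["gid"]}:{a["sid"]}:{a["rev"]}] {a["msg"]}: '
              f'{a["src"]}:{a["sport"]} -> {a["dst"]}:{a["dport"]}')
```

To run it against a real sensor, replace MESSAGES with the contents of /var/log/messages and RULE with the line you chose from the web-*.rules files.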

Report

For this lab, your team must submit a report with the following information:

  1. Submit your Snort configuration file. You need only include your main snort.conf, not the downloaded signatures.

  2. Which signature did you select to test Snort? Include a snippet of the log showing when the alert was triggered.

  3. Suppose you are the administrator of a web server that hosts a large e-commerce application. For security, your web server is configured to communicate with all clients over SSL for every request. Your boss asks you to set up Snort to monitor attacks against the web server and application. He believes that the SSL implementation is secure and isn't concerned about monitoring the SSL tunnel itself. Propose a network design that would allow you to monitor this traffic without installing Snort on the web servers themselves. Draw a simple diagram that illustrates your design. NOTE: You do not need to worry about specific products or whether products exist that do what your design needs. If you need a router, server, etc. that does something, assume you could build it.

Grading

Your grade for this lab will be composed of: