We covered configuring Snort as an open-source IDS/IPS solution. Snort operates as a sniffer, a packet logger and an IDS/IPS. This was part of the TryHackMe Snort room.

Intrusion Detection System (IDS)

IDS is a passive monitoring solution for detecting possible malicious activities/patterns, abnormal incidents, and policy violations. It is responsible for generating alerts for each suspicious event.

There are two main types of IDS systems:

  • Network Intrusion Detection System (NIDS) – NIDS monitors the traffic flow from various areas of the network. The aim is to investigate the traffic on the entire subnet. If a signature is identified, an alert is created.
  • Host-based Intrusion Detection System (HIDS) – HIDS monitors the traffic flow from a single endpoint device. The aim is to investigate the traffic on a particular device. If a signature is identified, an alert is created.

Intrusion Prevention System (IPS)

IPS is an active protecting solution for preventing possible malicious activities/patterns, abnormal incidents, and policy violations. It is responsible for stopping/preventing/terminating the suspicious event as soon as the detection is performed.

There are four main types of IPS systems:

  • Network Intrusion Prevention System (NIPS) – NIPS monitors the traffic flow from various areas of the network. The aim is to protect the traffic on the entire subnet. If a signature is identified, the connection is terminated.
  • Behaviour-based Intrusion Prevention System (Network Behaviour Analysis – NBA) – Behaviour-based systems monitor the traffic flow from various areas of the network. The aim is to protect the traffic on the entire subnet. If a signature is identified, the connection is terminated.

SNORT 

SNORT is an open-source, rule-based Network Intrusion Detection and Prevention System (NIDS/NIPS). It was developed and is still maintained by Martin Roesch, open-source contributors, and the Cisco Talos team.

Capabilities of Snort:

  • Live traffic analysis
  • Attack and probe detection
  • Packet logging
  • Protocol analysis
  • Real-time alerting
  • Modules & plugins
  • Pre-processors
  • Cross-platform support! (Linux & Windows)

Snort has three main use models:

  • Sniffer Mode – Read IP packets and print them to the console.
  • Packet Logger Mode – Log all IP packets (inbound and outbound) that visit the network.
  • NIDS (Network Intrusion Detection System) and NIPS (Network Intrusion Prevention System) Modes – Log/drop the packets that are deemed malicious according to the user-defined rules.

Room Answers

Which snort mode can help you stop the threats on a local machine?

Which snort mode can help you detect threats on a local network?

Which snort mode can help you detect the threats on a local machine?

Which snort mode can help you stop the threats on a local network?

Which snort mode works similar to NIPS mode?

According to the official description of the snort, what kind of NIPS is it?

NBA training period is also known as …

Run the Snort instance and check the build number.

Test the current instance with “/etc/snort/snort.conf” file and check how many rules are loaded with the current build.

Test the current instance with “/etc/snort/snortv2.conf” file and check how many rules are loaded with the current build.

Investigate the traffic with the default configuration file with ASCII mode.

sudo snort -dev -K ASCII -l .

Execute the traffic generator script and choose “TASK-6 Exercise”. Wait until the traffic ends, then stop the Snort instance. Now analyse the output summary and answer the question.

sudo ./traffic-generator.sh

Now, you should have the logs in the current directory. Navigate to folder “145.254.160.237”. What is the source port used to connect port 53?

Use snort.log.1640048004

Read the snort.log file with Snort; what is the IP ID of the 10th packet?

snort -r snort.log.1640048004 -n 10

Read the “snort.log.1640048004” file with Snort; what is the referer of the 4th packet?

Read the “snort.log.1640048004” file with Snort; what is the Ack number of the 8th packet?

Read the “snort.log.1640048004” file with Snort; what is the number of the “TCP port 80” packets?

Investigate the traffic with the default configuration file.

sudo snort -c /etc/snort/snort.conf -A full -l .

Execute the traffic generator script and choose “TASK-7 Exercise”. Wait until the traffic stops, then stop the Snort instance. Now analyse the output summary and answer the question.

sudo ./traffic-generator.sh

What is the number of the detected HTTP GET methods?

Investigate the mx-1.pcap file with the default configuration file.

sudo snort -c /etc/snort/snort.conf -A full -l . -r mx-1.pcap

What is the number of the generated alerts?

Keep reading the output. How many TCP Segments are Queued?

Keep reading the output. How many “HTTP response headers” were extracted?

Investigate the mx-1.pcap file with the second configuration file.

sudo snort -c /etc/snort/snortv2.conf -A full -l . -r mx-1.pcap

What is the number of the generated alerts?

Investigate the mx-2.pcap file with the default configuration file.

sudo snort -c /etc/snort/snort.conf -A full -l . -r mx-2.pcap

What is the number of the generated alerts?

Keep reading the output. What is the number of the detected TCP packets?

Investigate the mx-2.pcap and mx-3.pcap files with the default configuration file.

sudo snort -c /etc/snort/snort.conf -A full -l . --pcap-list="mx-2.pcap mx-3.pcap"

What is the number of the generated alerts?

Use “task9.pcap”.

Write a rule to filter IP ID “35369” and run it against the given pcap file. What is the request name of the detected packet?

snort -c local.rules -A full -l . -r task9.pcap

Create a rule to filter packets with Syn flag and run it against the given pcap file. What is the number of detected packets?

Clear the previous log and alarm files and deactivate/comment out the old rule.

Write a rule to filter packets with Push-Ack flags and run it against the given pcap file. What is the number of detected packets?

Clear the previous log and alarm files and deactivate/comment out the old rule.

Create a rule to filter packets with the same source and destination IP and run it against the given pcap file. What is the number of detected packets?
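The four Task 9 filters above as an added, constructed example (not the room's or the Snort project's own code): it writes them in Snort 2 rule syntax to local.rules, keeps one rule active at a time so each packet count belongs to a single question, and clears the old alert and log files before reading task9.pcap. It assumes the file names local.rules and task9.pcap used above, and that snort is on the machine.

```shell
#!/bin/sh
# Added example (not from the TryHackMe room or the Snort project): writes a
# local.rules file covering the Task 9 filters, switches one rule on at a time,
# and runs Snort over the pcap the same way the walkthrough does.

# Write all four Task 9 rules. Local rules use sid values >= 1000000 so they
# never collide with the community/registered rule sets; rev is the revision.
write_local_rules() {
    cat > "$1" <<'EOF'
# Task 9 rules (constructed example, Snort 2 syntax)
alert ip any any <> any any (msg:"IP ID 35369 observed"; id:35369; sid:1000001; rev:1;)
alert tcp any any <> any any (msg:"TCP SYN only"; flags:S; sid:1000002; rev:1;)
alert tcp any any <> any any (msg:"TCP PSH+ACK"; flags:PA; sid:1000003; rev:1;)
alert ip any any -> any any (msg:"Same source and destination IP"; sameip; sid:1000004; rev:1;)
EOF
}

# Leave exactly one rule active (all others commented out), so the packet count
# in Snort's summary belongs to a single question rather than the whole file.
enable_only() {
    sed -e 's/^alert /# alert /' -e "/sid:$2;/s/^# alert /alert /" "$1" > "$1.tmp" \
        && mv "$1.tmp" "$1"
}

# Number of rules currently active (uncommented) in the file.
active_rules() {
    grep -c '^alert ' "$1" || true
}

# Remove the alert file and packet logs left by a previous "-A full -l ." run,
# then read the pcap against the rules file (needs snort installed).
run_rules() {
    rm -f alert snort.log.*
    sudo snort -c "$1" -A full -l . -r "$2"
}

write_local_rules local.rules
enable_only local.rules 1000002   # start with the SYN-flag question
if command -v snort >/dev/null 2>&1; then
    run_rules local.rules task9.pcap
else
    echo "snort not installed; local.rules written with $(active_rules local.rules) active rule"
fi
```

Re-run enable_only with the next sid (1000003, then 1000004) and run_rules again for the following questions.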

Case Example – An analyst modified an existing rule successfully. Which rule option must the analyst change after the implementation?

Video Walkthrough

About the Author

I create cybersecurity notes, digital marketing notes and online courses. I also provide digital marketing consulting including but not limited to SEO, Google & Meta ads and CRM administration.
