We covered configuring snort as an IDS/IPS open-source solution. Snort operates as sniffer, packet logger and IPS/IDS. This was part of TryHackMe Snort.
Introduction to Snort and IDS/IPS Concepts:
- Snort can operate both as an IDS and IPS, depending on its configuration. IDS (Intrusion Detection System) and IPS (Intrusion Prevention System) work by analyzing network traffic against a set of rules.
- IDS: Monitors and alerts when traffic matches rules but does not block the traffic.
- IPS: Monitors, alerts, and can actively block or reject malicious traffic.
Explanation of IDS and IPS:
- IDS: Logs and alerts when traffic matches pre-configured rules but does not interfere with the network traffic.
- IPS: In addition to logging and alerting, it can drop or reject packets or entire connections based on the detected threat.
- Difference between drop and reject: Dropping only removes the identified packet, while rejecting cuts off the entire connection.
- Both IDS and IPS work based on a set of rules that define acceptable and unacceptable network traffic patterns.
NIDS and HIDS (Network and Host Intrusion Detection Systems):
- NIDS (Network Intrusion Detection System): Operates on a network level and monitors traffic across an entire subnet or range of IPs.
- HIDS (Host Intrusion Detection System): Works on a single host or endpoint, monitoring traffic only for that specific machine.
Detection and Prevention Techniques:
- Signature-based detection: Matches known patterns (like malware or attack signatures) with network traffic.
- Behavior-based detection: Learns normal traffic behavior over time and flags abnormal behavior, even if it doesn’t match a known signature.
- Policy-based detection: Uses system configurations or security policies to define what traffic or actions are allowed or blocked.
Snort Overview:
- Snort is a flexible IDS/IPS tool capable of real-time traffic analysis and packet logging.
- It operates in three main modes:
- Sniffer mode: Captures and displays network traffic in real-time.
- Packet Logger mode: Logs packets for future analysis.
- NIDS/NIPS mode: Acts as either a network IDS or IPS, analyzing and acting on traffic in real-time.
Snort Configuration:
- Configuration file: Defines key settings such as the path to rules, variables for home and external networks, and plugins. By default, the configuration file is located in
/etc/snort/snort.conf. - Rules file: Located in
/etc/snort/local.rules, where specific traffic patterns are defined for Snort to detect and respond to.
Practical Demonstration:
- The instructor mentions a TryHackMe room designed to help practice using Snort in different modes: sniffer, logger, and NIDS/IPS.
- The video transitions into demonstrating how to configure and use Snort practically, walking through tasks in the lab environment.
Room Answers
Which snort mode can help you detect threats on a local network?
Which snort mode can help you detect the threats on a local machine?
Which snort mode can help you stop the threats on a local network?
Which snort mode works similar to NIPS mode?
According to the official description of the snort, what kind of NIPS is it?
NBA training period is also known as …
Run the Snort instance and check the build number.
Test the current instance with “/etc/snort/snort.conf” file and check how many rules are loaded with the current build.
Test the current instance with “/etc/snort/snortv2.conf” file and check how many rules are loaded with the current build.
Investigate the traffic with the default configuration file with ASCII mode.
sudo snort -dev -K ASCII -l .
sudo ./traffic-generator.sh
Use snort.log.1640048004
Read the snort.log file with Snort; what is the IP ID of the 10th packet?
snort -r snort.log.1640048004 -n 10
Read the “snort.log.1640048004″ file with Snort; what is the referer of the 4th packet?
Read the “snort.log.1640048004″ file with Snort; what is the Ack number of the 8th packet?
Read the “snort.log.1640048004″ file with Snort; what is the number of the “TCP port 80” packets?
Investigate the traffic with the default configuration file.
sudo snort -c /etc/snort/snort.conf -A full -l .
sudo ./traffic-generator.sh
Investigate the mx-1.pcap file with the default configuration file.
sudo snort -c /etc/snort/snort.conf -A full -l . -r mx-1.pcap
Keep reading the output. How many TCP Segments are Queued?
Keep reading the output.How many “HTTP response headers” were extracted?
Investigate the mx-1.pcap file with the second configuration file.
sudo snort -c /etc/snort/snortv2.conf -A full -l . -r mx-1.pcap
Investigate the mx-2.pcap file with the default configuration file.
sudo snort -c /etc/snort/snort.conf -A full -l . -r mx-2.pcap
Keep reading the output. What is the number of the detected TCP packets?
Investigate the mx-2.pcap and mx-3.pcap files with the default configuration file.
sudo snort -c /etc/snort/snort.conf -A full -l . --pcap-list="mx-2.pcap mx-3.pcap"
Use “task9.pcap”.
Write a rule to filter IP ID “35369” and run it against the given pcap file. What is the request name of the detected packet? snort -c local.rules -A full -l . -r task9.pcap
Create a rule to filter packets with Syn flag and run it against the given pcap file. What is the number of detected packets?
Clear the previous log and alarm files and deactivate/comment out the old rule.
Write a rule to filter packets with Push-Ack flags and run it against the given pcap file. What is the number of detected packets?
Clear the previous log and alarm files and deactivate/comment out the old rule.
Create a rule to filter packets with the same source and destination IP and run it against the given pcap file. What is the number of detected packets?
Case Example – An analyst modified an existing rule successfully. Which rule option must the analyst change after the implementation?
Video Walkthrough
