Setting up honeypots and configuring IDS


Exercise 2 - Test Snort

Snort is an open source intrusion detection system that can monitor and log network traffic in real time. With the help of signatures, it can detect and respond to a number of threats.

Task 1 - Running Snort Tool

To start running the Snort tool, perform the following steps:

Step 1

On the PLABWIN10 device, right-click Start and click on Command Prompt (Admin).

Click Yes to the User Account Control.

Figure 2.1 Screenshot of PLABWIN10: Starting up Command Prompt Admin.

Step 2

On the command prompt window, change to the Snort binary directory by typing:

cd \snort\bin

Press Enter.

Figure 2.2 Screenshot of PLABWIN10: Command Prompt locating the Snort directory.

Step 3

While in the c:\snort\bin path, display the network interfaces available to Snort by typing:

snort -W

Press Enter.

The output lists two network interfaces, numbered in the Index column.

Figure 2.3 Screenshot of PLABWIN10: Command Prompt applying Snort commands.

Step 4

Let's use network interface #1 to listen to all traffic.

Type the following command:

snort -i 1 -v

Press Enter.

Step 5

Snort will listen to network traffic on network interface #1.

Notice that Snort runs continuously.

Figure 2.4 Screenshot of PLABWIN10: Command Prompt viewing Snort output.

Step 6

First, break the previous command by pressing CTRL + C.

Snort will exit.

Note that a breakdown by protocol is displayed along with packet details.

Figure 2.5 Screenshot of PLABWIN10: Command Prompt viewing Snort output.

Step 7

Enter the following command to capture and display the packet payload:

snort -i 1 -vd

Press Enter.

Figure 2.6 Screenshot of PLABWIN10: Command Prompt viewing Snort output.

Step 8

Note the following output.

Snort will continue running as it listens on the selected interface.

Figure 2.7 Screenshot of PLABWIN10: Command Prompt viewing Snort output.

Step 9

Press CTRL + C to break it.

After you break the command, the protocol and packet details are displayed.

Step 10

Let's run Snort in the IDS mode.

Type the following command:

snort -c c:\snort\etc\snort.conf -l c:\snort\log -K ascii

Press Enter.

Figure 2.8 Screenshot of PLABWIN10: Command Prompt with Snort code.

Step 11

Snort reports a fatal error.

You will need to resolve this error to ensure that you are able to run Snort in IDS mode.

Minimize command prompt window.

Figure 2.9 Screenshot of PLABWIN10: Command Prompt with Snort in IDS mode.

Keep all devices powered on in their current state and proceed to the next task.

Task 2 - Create folder and rules file in snort folder

To create the folder and rules file, follow these steps:

Step 1

On PLABWIN10, launch Windows Explorer from the taskbar.

Navigate to the C:\snort\lib path.

Create a folder called snort_dynamicrules.

Figure 2.10 Screenshot of PLABWIN10: Snort lib directory.

Step 2

Press the ALT key to display the top menus.

Click the View menu, select Options, then Change folder and search options.

Figure 2.11 Screenshot of PLABWIN10: Modifying the view options.

Step 3

On the Folder Options dialog box, click the View tab.

On the View tab, clear the Hide extensions for known file types check box.

Click OK.

Figure 2.12 Screenshot of PLABWIN10: Folder options changed to permit viewing extensions.

Step 4

Back in the Windows Explorer window, navigate to the c:\snort\rules folder.

Create two text files.

Right-click in the details pane and select New Text Document.

Figure 2.13 Screenshot of PLABWIN10: Making a new folder.

Step 5

Rename the text file to:

white_list.rules

Click Yes when you get a warning about renaming a file.

Step 6

Right-click on white_list.rules file and select Copy and then Paste.

Step 7

Rename it to:

black_list.rules

retaining the “.rules” extension.

Figure 2.14 Screenshot of PLABWIN10: Making rule files.

Step 8

The black_list.rules and white_list.rules files are now created.

Please note that these two rules files are empty.

If you want more information about writing your own rules, consult the Snort documentation.

Step 9

Navigate to c:\Snort\etc folder.

Create a folder called WHITE_LIST_PATH.

From the c:\Snort\rules folder, copy white_list.rules into c:\Snort\etc\WHITE_LIST_PATH folder.

Step 10

Navigate to c:\Snort\etc folder.

Create a folder called BLACK_LIST_PATH.

From the c:\Snort\rules folder, copy black_list.rules into c:\Snort\etc\BLACK_LIST_PATH folder.

Minimize Win

CompTIA Security+

Exercise 3 - Configure and Re-Test Snort

This exercise consists of modifying the configuration file and then re-testing Snort to confirm that it works.

Task 1 - Modify snort configuration file

In this task, you will modify a configuration file to resolve the error that you found in the earlier task.

Step 1

On the PLABWIN10 device, click Start and click on Notepad++.

Figure 3.1 Screenshot of PLABWIN10: Starting up Notepad++.

Step 2

In Notepad++, click the File menu and select Open.

Figure 3.2 Screenshot of PLABWIN10: Opening files with Notepad++.

Step 3

On the Open dialog box, expand Local Disk (C:), then expand the Snort folder.

Click on the etc folder.

Notice that a number of files are available.

In the details pane, click the snort.conf file and click Open.

Figure 3.4 Screenshot of PLABWIN10: Editing the snort.conf file.

Step 4

The snort.conf file opens.

Click on the Search menu and select Replace.

Figure 3.5 Screenshot of PLABWIN10: Editing the snort.conf file.

Step 5

You will find all instances of ipvar and replace them with var.

On the Replace dialog box, click in the Find what text box and type:

ipvar

Click in the Replace with text box, and type:

var

Click Replace All.

The Replace dialog box reports that it has searched the document and that 11 occurrences were replaced.

Click Close.

Figure 3.6 Screenshot of PLABWIN10: Editing the snort.conf file.

Step 6

Click the Search menu and select Find.

On the Find dialog box, click in the Find what text box and type:

dynamicpreprocessor directory

Click Find Next.

Figure 3.7 Screenshot of PLABWIN10: Editing the snort.conf file.

Step 7

Once the dynamicpreprocessor directory keyword is found, you will notice that the match is highlighted behind the Find dialog box.

Move the Find dialog box out of the way so you can see the highlighted section.

Locate the dynamicpreprocessor directory section.

Change the path located beside dynamicpreprocessor directory to:

c:\Snort\lib\snort_dynamicpreprocessor

Figure 3.8 Screenshot of PLABWIN10: Editing the snort.conf file.

Step 8

Click on the Find dialog box to activate it.

Then click the Close button.

Make the same kind of change to lines 250 and 253, which currently read:

dynamicengine /usr/local/lib/snort_dynamicengine/sf_engine.so
dynamicdetection directory /usr/local/lib/snort_dynamicrules

so that they read as follows:

dynamicengine c:\Snort\lib\snort_dynamicengine\sf_engine.dll
dynamicdetection directory c:\Snort\lib\snort_dynamicrules

Figure 3.8 Screenshot of PLABWIN10: Editing the snort.conf file.

Step 9

In this step, you will comment out the lines that start with preprocessor normalize.

Click Search and select Replace.

Figure 3.9 Screenshot of PLABWIN10: Editing the snort.conf file.

Step 10

On the Replace dialog box, click in the Find what text box and type:

preprocessor normalize

Click in the Replace with text box and type:

#preprocessor normalize

Click Replace All.

The Replace dialog box reports that “5 occurrences were replaced.”

Click the Close button.

Figure 3.10 Screenshot of PLABWIN10: Editing the snort.conf file.

Step 11

Notice that “#” is now prefixed to the preprocessor normalize keywords, so Snort treats those lines as comments.

Figure 3.11 Screenshot of PLABWIN10: Editing the snort.conf file.

Step 12

Click the Search menu and select Find.

Figure 3.12 Screenshot of PLABWIN10: Editing the snort.conf file.

Step 13

On the Find dialog box, click in the Find what text box and type:

var WHITE_LIST_PATH

Click Find Next.

Step 14

As before, move the Find dialog box out of the way.

Beside the var WHITE_LIST_PATH keyword, replace ../rules with:

c:\Snort\rules

Beside the var BLACK_LIST_PATH keyword, replace ../rules with:

c:\Snort\rules

Figure 3.13 Screenshot of PLABWIN10: Editing the snort.conf file.

Step 15

Click again on the Find dialog box to activate it.

Click in the Find what text box and type:

$WHITE_LIST

Click Find Next.

Step 16

Beside the whitelist keyword, change $WHITE_LIST_PATH/white_list.rules, \

to:

$WHITE_LIST_PATH\white_list.rules, \

Change $BLACK_LIST_PATH/black_list.rules

to:

$BLACK_LIST_PATH\black_list.rules

Figure 3.14 Screenshot of PLABWIN10: Editing the snort.conf file.

Step 17

Click again on the Find dialog box.

In the Find what text box, type:

$RULE_PATH/blacklist.rules

Click Find Next.

Step 18

The Find Next command finds the keyword and selects it.

Click and drag the Find dialog box out of the way to see the highlighted keyword.

Now change the entry $RULE_PATH/blacklist.rules

To:

$RULE_PATH\black_list.rules

Figure 3.15 Screenshot of PLABWIN10: Editing the snort.conf file.

Step 19

Since you do not have rule files for the other rules (see the #site specific rules section), you need to comment all of them out by adding the “#” symbol.

Otherwise, you will get an error on each line where Snort finds a rules file missing.

Click the Find dialog box and click the Close button.

Step 20

To add the “#” symbol to the other traffic rules, click the Search menu and select Replace.

On the Replace dialog box, click in the Find what text box and type:

include $RULE_PATH/

Click in the Replace with text box and type:

#include $RULE_PATH/

Click the Replace All button.

Step 21

The Replace dialog box reports “All 104 occurrences were replaced.”

Click the Close button.

Figure 3.16 Screenshot of PLABWIN10: Editing the snort.conf file.

Step 22

Finally, click the File menu and select Save.

Minimize the C:\snort\etc\snort.conf - Notepad++ (Administrator) window.

Figure 3.17 Screenshot of PLABWIN10: Editing the snort.conf file.
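The snort.conf edits from Steps 5 through 21 of this task, collected into a script so they can be applied repeatably and checked by the counts they report. This is an added example, not part of the lab; SAMPLE_CONF is a constructed excerpt, and the script assumes the stock snort.conf layout in which each rewritten directive starts its own line.

```python
# Line prefixes whose whole line is rewritten (Task 1, Steps 7, 8 and 14 above).
LINE_REWRITES = {
    "dynamicpreprocessor directory": "dynamicpreprocessor directory c:\\Snort\\lib\\snort_dynamicpreprocessor",
    "dynamicengine": "dynamicengine c:\\Snort\\lib\\snort_dynamicengine\\sf_engine.dll",
    "dynamicdetection directory": "dynamicdetection directory c:\\Snort\\lib\\snort_dynamicrules",
    "var WHITE_LIST_PATH": "var WHITE_LIST_PATH c:\\Snort\\rules",
    "var BLACK_LIST_PATH": "var BLACK_LIST_PATH c:\\Snort\\rules",
}
# Literal find/replace pairs in walkthrough order (Steps 5, 10, 16, 18, 20). Order matters:
# Step 18 puts a backslash into the blacklist include, so Step 20's replace leaves it active.
TEXT_REPLACES = [
    ("ipvar", "var"),
    ("preprocessor normalize", "#preprocessor normalize"),
    ("$WHITE_LIST_PATH/white_list.rules", "$WHITE_LIST_PATH\\white_list.rules"),
    ("$BLACK_LIST_PATH/black_list.rules", "$BLACK_LIST_PATH\\black_list.rules"),
    ("$RULE_PATH/blacklist.rules", "$RULE_PATH\\black_list.rules"),
    ("include $RULE_PATH/", "#include $RULE_PATH/"),
]
def fix_snort_conf(text: str) -> tuple[str, dict[str, int]]:
    """Apply the walkthrough's edits to snort.conf text; return new text and a count per edit."""
    counts, lines = {}, []
    for line in text.splitlines():
        for prefix, new_line in LINE_REWRITES.items():
            if line.startswith(prefix + " "):  # only the directive itself, not comments
                line = new_line
                counts[prefix] = counts.get(prefix, 0) + 1
                break
        lines.append(line)
    text = "\n".join(lines) + "\n"
    for find, repl in TEXT_REPLACES:  # mirrors Notepad++'s literal Replace All
        if hits := text.count(find):
            counts[find] = hits
            text = text.replace(find, repl)
    return text, counts
# Constructed excerpt of a stock snort.conf holding the lines the walkthrough touches.
SAMPLE_CONF = """\
ipvar HOME_NET any
var WHITE_LIST_PATH ../rules
var BLACK_LIST_PATH ../rules
dynamicpreprocessor directory /usr/local/lib/snort_dynamicpreprocessor/
dynamicengine /usr/local/lib/snort_dynamicengine/sf_engine.so
dynamicdetection directory /usr/local/lib/snort_dynamicrules
preprocessor normalize_ip4
preprocessor reputation: \\
   whitelist $WHITE_LIST_PATH/white_list.rules, \\
   blacklist $BLACK_LIST_PATH/black_list.rules
include $RULE_PATH/local.rules
include $RULE_PATH/blacklist.rules
"""
```

Running fix_snort_conf on the real file's contents and comparing the returned counts with the numbers Notepad++ reported (11 ipvar, 5 normalize, 104 includes) is a quick way to confirm the manual edits were complete.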

Keep all devices powered on in their current state and proceed to the next task.

Task 2 - Re-run Snort IDS tool

After configuring the snort.conf file in the earlier task, you will retry running the Snort IDS tool.

To re-run the Snort IDS tool, perform the following steps:

Step 1

On the PLABWIN10 device, open the Command Prompt (Admin).

Figure 3.18 Screenshot of PLABWIN10: Desktop.

Step 2

Change back to the c:\snort\bin directory.

Test the Snort configuration by typing the following command:

snort -i 1 -l c:\Snort\log -c c:\Snort\etc\snort.conf -T

Press Enter.

Figure 3.19 Screenshot of PLABWIN10: Command Prompt entering Snort commands.

Step 3

You should get a successful result.

Figure 3.20 Screenshot of PLABWIN10: Command Prompt entering Snort commands.

Step 4

Enter the following command:

snort -c c:\Snort\etc\snort.conf -l c:\Snort\log -K ascii

Press Enter.

Figure 3.21 Screenshot of PLABWIN10: Command Prompt entering Snort commands.

Step 5

Note that Snort IDS is now up and running.

Close the command prompt window.

Figure 3.22 Screenshot of PLABWIN10: Command Prompt entering Snort commands.
