Comprehensive Guide to Installing, Configuring, and Using Snort for Network Intrusion Detection and Analysis

1. Experimental Purpose and Requirements:

1. Master the installation and configuration methods of Snort.
2. Master the method of defining Snort rules.
3. Master the use of Snort to analyze network status.
4. Specific Content:
1) Learn the working principle of Snort.
2) Configure Snort rule files.
3) Use Snort to detect network intrusion events.

2. Experimental Equipment and Environment:

3. Experimental Principle:

1. Overview, Function, and Principle of Intrusion Detection Systems (IDS)

Intrusion detection is the technology of analyzing and responding to malicious use of computer and network resources by detecting behavior that violates the security policy of a system; its main purpose is to protect computer systems by discovering unauthorized or abnormal activity. By origin, intrusions are classified as external or internal; by data source, intrusion detection systems are classified as network-based (examining packets on the wire) or host-based (examining changes to the file system and logs of a single machine). A network-based intrusion detection system consists of a data capturer, a data processor, a responder, and a database; the flow is shown in Figure 1. This experiment uses a network-based intrusion detection system.

2. Function of Snort Tool

Snort is an open-source network intrusion detection system driven by locally defined detection rules. It has three main modes of operation: packet sniffer (printing decoded packets to the console), packet logger (writing packets to disk), and network intrusion detection. Its working process is: 1) capture packets from the network interface; 2) decode each packet, filling in the link-layer, network-layer and transport-layer headers of Snort's internal packet structure; 3) run the preprocessors (fragment reassembly, stream reassembly, HTTP normalization, and so on) over the packet; 4) pass the packet to the detection engine, which matches it against the loaded rules and hands any match to the output plugins, as shown in Figure 2. The general command format is: snort [options] [BPF filter expression]; the options used in this experiment are -c (configuration file), -T (test the configuration and exit), -A (alert mode), -i (interface), and -q (quiet).

3. Snort Rules

Logically, a Snort rule = rule header + rule options. The rule header specifies the rule action (alert, log, pass, drop, ...), the protocol (tcp, udp, icmp, ip), the source and destination addresses, the source and destination ports, and the direction operator (-> or <>). The rule options follow in parentheses, each terminated by a semicolon, and include, for example, msg, flags, content, sid, rev, classtype, etc.
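As an added example (my own code, not part of this report or of Snort), the following parser splits a Snort 2 rule into the header fields and option list described above and applies two checks a practitioner wants before running snort -T: that local rules use sid values of 1000000 or higher (lower values are reserved for the official rule sets) and that no sid is used twice, since Snort refuses to load a configuration with duplicate gid:sid pairs. The SAMPLE_RULES text is constructed here from the two rules used in this experiment plus a deliberately faulty third rule.

```python
import re

# Rule actions and protocols accepted in Snort 2.x rule headers.
ACTIONS = {"alert", "log", "pass", "drop", "reject", "sdrop", "activate", "dynamic"}
PROTOCOLS = {"tcp", "udp", "icmp", "ip"}
LOCAL_SID_MIN = 1000000  # sids below this are reserved for official rule sets

# header: action proto src sport dir dst dport ( options )
HEADER_RE = re.compile(
    r"^(?P<action>\S+)\s+(?P<proto>\S+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$"
)


def split_options(body):
    """Split the option body at ';' separators that are not inside double quotes,
    so a msg such as "foo; bar" is not cut in half."""
    parts, cur, in_quote = [], [], False
    for ch in body:
        if ch == '"':
            in_quote = not in_quote
        if ch == ";" and not in_quote:
            parts.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    tail = "".join(cur).strip()
    if tail:
        parts.append(tail)
    return [p for p in parts if p]


def parse_rule(text):
    """Return {'header': {...}, 'options': [(name, value), ...], 'warnings': [...]}."""
    m = HEADER_RE.match(text.strip())
    if not m:
        raise ValueError("not a valid Snort rule header: %r" % text)
    header = {k: m.group(k) for k in ("action", "proto", "src", "sport", "dir", "dst", "dport")}
    options = []
    for opt in split_options(m.group("opts")):
        name, _, value = opt.partition(":")
        options.append((name.strip(), value.strip().strip('"')))
    named = dict(options)
    warnings = []
    if header["action"] not in ACTIONS:
        warnings.append("unknown action %r" % header["action"])
    if header["proto"] not in PROTOCOLS:
        warnings.append("unknown protocol %r" % header["proto"])
    if "msg" not in named:
        warnings.append("no msg option: alerts will be hard to read")
    sid = named.get("sid")
    if sid is None or not sid.isdigit():
        warnings.append("missing or non-numeric sid")
    elif int(sid) < LOCAL_SID_MIN:
        warnings.append("sid %s is in the range reserved for official rules" % sid)
    return {"header": header, "options": options, "warnings": warnings}


def check_rules_file(content):
    """Parse every rule in a local.rules text and flag duplicate sids."""
    rules, seen, duplicates = [], set(), []
    for line in content.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        rule = parse_rule(line)
        sid = dict(rule["options"]).get("sid")
        if sid in seen:
            duplicates.append(sid)
        seen.add(sid)
        rules.append(rule)
    return {"rules": rules, "duplicate_sids": duplicates}


# Constructed sample: the two rules from this experiment plus a faulty rule
# that reuses sid 1000002 and carries a ';' inside its msg.
SAMPLE_RULES = """\
# local.rules
alert icmp any any -> $HOME_NET any (msg:"ICMP Test NOW!!!"; classtype:not-suspicious; sid:1000001; rev:1;)
alert tcp any any -> $HOME_NET 80 (msg:"HTTP Test NOW!!!"; classtype:not-suspicious; sid:1000002; rev:1;)
alert tcp any any -> $HOME_NET 22 (msg:"SSH; dup sid"; sid:1000002; rev:1;)
"""

if __name__ == "__main__":
    result = check_rules_file(SAMPLE_RULES)
    for r in result["rules"]:
        h = r["header"]
        print(h["proto"], h["dst"], h["dport"], dict(r["options"]).get("msg"), r["warnings"])
    print("duplicate sids:", result["duplicate_sids"])
```

Running the block reports the third rule's sid 1000002 as a duplicate; fixing that before step 4 below saves one round of snort -T failures.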

4. Experimental Steps:

1. Environment Configuration
1. Environment Detection: Log in to host 1 and execute the command “sudo snort -V” to verify successful installation.
2. Configuration Modification:
1) Execute the command “sudo vi /etc/snort/snort.conf”. The snort.conf file is a sample configuration organized into numbered steps: set the network variables, configure dynamically loaded libraries, configure preprocessors, configure output plugins, add any runtime configuration directives, and customize the rule set.
2) Set ipvar HOME_NET to the subnet of the machine: ipvar HOME_NET 30.0.1.0/24. Rules written with $HOME_NET as their destination will match only traffic sent to this subnet.
3. Restart Snort: Execute “sudo service snort restart”
2. Configure Snort Detection Rules
1) Clear the previous log file by executing “sudo rm /var/log/snort/snort.log”, so that only events produced by the new rules are recorded.
2) Add rules to the local rule file so that any ICMP packet, and any TCP packet to port 80, sent to the local machine triggers a Snort alert. Rule files are stored under /etc/snort/rules; local.rules is the file reserved for user-defined rules, and Snort uses these rules to produce alerts for the user. Execute “sudo vi /etc/snort/rules/local.rules” and add:
– alert icmp any any -> $HOME_NET any (msg:"ICMP Test NOW!!!"; classtype:not-suspicious; sid:1000001; rev:1;)
– alert tcp any any -> $HOME_NET 80 (msg:"HTTP Test NOW!!!"; classtype:not-suspicious; sid:1000002; rev:1;)
Local rules use sid values of 1000000 and above, since lower values are reserved for the official rule sets; rev is incremented each time a rule is changed.
3) Restrict the loaded rule set: execute “sudo vi /etc/snort/snort.conf” and comment out every “include $RULE_PATH/...” line except the one for local.rules (these are the include statements that follow local.rules). Leave the includes for classification.config and reference.config in place; the classtype option in the rules above depends on them.
4) Check the configuration by executing “sudo snort -T -c /etc/snort/snort.conf”; -T loads the configuration and rules and exits without sniffing, so syntax errors are reported here rather than at run time, as shown in Figure 2.
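The configuration edits in steps 2) and 3) above are easy to get wrong by hand (commenting out classification.config along with the rule includes is a common mistake). As an added example, not part of this report or of Snort, the function below performs exactly those two edits on snort.conf text: it sets HOME_NET and comments out every $RULE_PATH include other than local.rules, leaving all other includes untouched. SAMPLE_CONF is a constructed, abbreviated stand-in for the real file; validate_with_snort runs the step 4) check and assumes snort is on PATH and the script runs as root.

```python
import re
import subprocess
import sys

HOME_NET_RE = re.compile(r"^(ipvar|var)\s+HOME_NET\s+\S+")
RULE_INCLUDE_RE = re.compile(r"^include\s+\$RULE_PATH/(\S+)")


def restrict_to_local_rules(conf_text, home_net, keep=("local.rules",)):
    """Return (new_text, summary): snort.conf text with HOME_NET set and every
    $RULE_PATH include not listed in `keep` commented out. Includes that are not
    rule files (classification.config, reference.config, preprocessor files) are
    left alone because rule options such as classtype depend on them."""
    out = []
    summary = {"home_net": False, "disabled": [], "kept": []}
    for line in conf_text.splitlines():
        stripped = line.strip()
        if HOME_NET_RE.match(stripped):
            line = "ipvar HOME_NET %s" % home_net
            summary["home_net"] = True
        else:
            m = RULE_INCLUDE_RE.match(stripped)
            if m:
                if m.group(1) in keep:
                    summary["kept"].append(m.group(1))
                else:
                    line = "# " + line      # already-commented lines never match
                    summary["disabled"].append(m.group(1))
        out.append(line)
    if not summary["home_net"]:
        raise ValueError("no HOME_NET definition found in snort.conf")
    if not summary["kept"]:
        raise ValueError("none of %r is included; no rules would load" % (keep,))
    return "\n".join(out) + "\n", summary


def validate_with_snort(conf_path):
    """Run the step 4) check, `snort -T -c <conf>`, and return its exit status
    (0 means the configuration and rules loaded)."""
    return subprocess.run(["snort", "-T", "-c", conf_path]).returncode


# Constructed, abbreviated stand-in for /etc/snort/snort.conf.
SAMPLE_CONF = """\
# Set the network variables.
ipvar HOME_NET any
ipvar EXTERNAL_NET any
var RULE_PATH /etc/snort/rules
# Configure output plugins
include classification.config
include reference.config
# Customize your rule set
include $RULE_PATH/local.rules
include $RULE_PATH/bad-traffic.rules
include $RULE_PATH/icmp.rules
# include $RULE_PATH/already-disabled.rules
"""

if __name__ == "__main__":
    if len(sys.argv) == 4:       # usage: script.py <in.conf> <out.conf> <home_net>
        src, dst, net = sys.argv[1:4]
        with open(src) as f:
            text, summary = restrict_to_local_rules(f.read(), net)
        with open(dst, "w") as f:
            f.write(text)
        print("disabled:", summary["disabled"])
        print("snort -T exit status:", validate_with_snort(dst))
    else:
        text, summary = restrict_to_local_rules(SAMPLE_CONF, "30.0.1.0/24")
        print(text)
        print(summary)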

2. Using Snort for Intrusion Analysis
1. Information Viewing: Execute “ifconfig” to view network card information of the host.
2. Intrusion Monitoring: Execute “sudo snort -A console -q -u snort -g snort -c /etc/snort/snort.conf -i eth0”. Here -A console prints alerts to the terminal, -q suppresses the banner and statistics output, -u snort -g snort drop privileges to the snort user and group once the interface has been opened, and -i selects the interface identified in the previous step.
3. Begin Execution: Log in to host 2 and ping host 1 with “ping 30.0.1.4”
4. View Packet Information: Enter the terminal to examine.
5. Browser Interaction: On host 2, open http://30.0.1.4 in a browser. Host 1 must be running a web server on port 80 for a page to load; even if it is not, the connection attempt itself reaches port 80 on host 1 and matches the HTTP rule.
6. Return to the terminal window to review detected data.
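What the terminal shows after the ping and the browser request is a series of alerts in Snort's fast alert format, which -A console prints. As an added example, not part of this report or of Snort, the parser below reads those lines and summarizes them per rule, per source address, and per TCP connection. The sample output is constructed from the alert format, not captured from the experiment; it assumes host 2 is 30.0.1.5 and that the browser used source port 51234. Two effects of the rules as written show up in the totals: because HOME_NET is the whole /24, the echo replies from host 1 match the ICMP rule too, and because the HTTP rule has no flow or content option, every client-to-server packet of the one browser connection raises its own alert.

```python
import re
from collections import Counter, defaultdict

# Fast alert format: "MM/DD-HH:MM:SS.uuuuuu  [**] [gid:sid:rev] msg [**]
#   [Classification: ...] [Priority: n] {PROTO} src[:port] -> dst[:port]"
ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<classification>[^\]]*)\]\s+)?"
    r"\[Priority:\s*(?P<priority>\d+)\]\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>\S+)\s+->\s+(?P<dst>\S+)$"
)


def parse_alert(line):
    """Return a dict for one console alert line, or None if it is not an alert."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    for side in ("src", "dst"):
        ip, port = d[side], None
        if d["proto"] in ("TCP", "UDP") and ":" in ip:   # IPv4 "addr:port" assumed
            ip, _, port = ip.rpartition(":")
            port = int(port)
        d[side], d[side + "_port"] = ip, port
    d["sid"], d["priority"] = int(d["sid"]), int(d["priority"])
    return d


def summarize(lines):
    """Count alerts per rule, per source address, and per TCP 4-tuple."""
    alerts = [a for a in map(parse_alert, lines) if a]
    per_rule = Counter((a["sid"], a["msg"]) for a in alerts)
    per_source = Counter(a["src"] for a in alerts)
    flows = defaultdict(int)
    for a in alerts:
        if a["proto"] == "TCP":
            flows[(a["src"], a["src_port"], a["dst"], a["dst_port"])] += 1
    return {"total": len(alerts), "per_rule": dict(per_rule),
            "per_source": dict(per_source), "tcp_flows": dict(flows)}


def _line(ts, sid, msg, proto, src, dst):
    """Build one constructed console alert line in the format above."""
    return ("%s  [**] [1:%d:1] %s [**] [Classification: Not Suspicious Traffic] "
            "[Priority: 3] {%s} %s -> %s" % (ts, sid, msg, proto, src, dst))


# Constructed sample output: four pings (request + reply each) and one browser
# connection whose five client->server packets all match the HTTP rule.
SAMPLE_CONSOLE = [
    _line("03/15-09:12:%02d.1%d0000" % (33 + i, i), 1000001, "ICMP Test NOW!!!", "ICMP", s, d)
    for i in range(4) for s, d in (("30.0.1.5", "30.0.1.4"), ("30.0.1.4", "30.0.1.5"))
] + [
    _line("03/15-09:13:02.50%d000" % i, 1000002, "HTTP Test NOW!!!", "TCP",
          "30.0.1.5:51234", "30.0.1.4:80")
    for i in range(5)
]

if __name__ == "__main__":
    s = summarize(SAMPLE_CONSOLE)
    print("total alerts:", s["total"])
    for (sid, msg), n in s["per_rule"].items():
        print("  sid %d (%s): %d" % (sid, msg, n))
    print("per source:", s["per_source"])
    print("TCP flows:", s["tcp_flows"])
```

To read real output, pipe the terminal into the script (for example “sudo snort -A console -q -c /etc/snort/snort.conf -i eth0 | python3 parse_alerts.py” with summarize applied to sys.stdin). If one alert per HTTP request is wanted rather than one per packet, the second rule can be narrowed with flow:to_server,established; content:"GET"; http_method; which relies on the stream and http_inspect preprocessors that the default snort.conf enables.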

5. Experimental Phenomena, Result Records, and Organization:

1. During environment detection, the Snort tool was confirmed to be installed (sudo snort -V printed its version).
2. During environment configuration, many settings in snort.conf can be adjusted to the user's needs, such as the rule path (var RULE_PATH), the network variables (HOME_NET, EXTERNAL_NET), and the dynamically loaded libraries.
3. Detection rules are written according to the user's needs and the actual situation; in this experiment they match ICMP packets and TCP packets to port 80 addressed to the local network.
4. During the test, Snort successfully detected and printed alerts for the packets sent from host 2 (ping and browser access).

6. Analysis, Discussion, and Solution to Thought Questions:

1. The detection engine is the core of Snort; it works by matching packets against the rule options. The main options can be divided into four categories:
1) Options that describe features of the packet itself, such as content (payload), flags, dsize, ttl, etc.
2) Options that describe the rule itself, such as msg, reference, sid, rev, classtype, priority, etc.
3) Post-detection options that take an action after the rule matches, such as resp, react, session, logto, tag, etc.
4) Modifier options that qualify a preceding content match, such as nocase (case-insensitivity), offset, depth, distance, within, and pcre (regular expressions).

2. How can the local network be set in the snort.conf configuration?
1) Specify the local network explicitly:
– ipvar HOME_NET 192.168.1.0/24; the older form var HOME_NET 192.168.1.0/24 is still accepted for compatibility, but IP variables should be declared with ipvar, which is the form that supports IPv6 addresses.
2) Use the address of an interface: ipvar HOME_NET $eth0_ADDRESS
3) Define a list of addresses, separated by commas and enclosed in square brackets: ipvar HOME_NET [10.1.1.0/24,192.168.1.0/24]; the list must not contain spaces, and an entry may be negated with ! (for example [192.168.1.0/24,!192.168.1.1]).
4) Match any IP address: ipvar HOME_NET any
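To make the list and negation forms above concrete, here is an added example (my own code, not Snort's parser) that reads a HOME_NET value in the ipvar syntax and answers whether a given address falls inside it. It models the documented behavior that an address is in the variable when it matches some non-negated entry and no negated entry, that any matches everything, and that a purely negated value such as !10.0.0.0/8 means "everything except"; it tolerates spaces around commas, which the real configuration should not rely on.

```python
import ipaddress


def _split_top_level(text):
    """Split on commas that are not nested inside [...] brackets."""
    parts, depth, cur = [], 0, []
    for ch in text:
        if ch == "[":
            depth += 1
        elif ch == "]":
            depth -= 1
        if ch == "," and depth == 0:
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    parts.append("".join(cur))
    return [p.strip() for p in parts if p.strip()]


def parse_ipvar(value, negated=False):
    """Return (include, exclude) lists of ip_network objects for an ipvar value.
    A leading '!' negates the entry (or the whole bracketed list) that follows."""
    value = value.strip()
    include, exclude = [], []
    if value.startswith("!"):
        negated = not negated
        value = value[1:].strip()
    if value.startswith("[") and value.endswith("]"):
        for item in _split_top_level(value[1:-1]):
            inc, exc = parse_ipvar(item, negated)
            include += inc
            exclude += exc
        return include, exclude
    if value == "any":
        nets = [ipaddress.ip_network("0.0.0.0/0"), ipaddress.ip_network("::/0")]
    else:
        nets = [ipaddress.ip_network(value, strict=False)]  # host or CIDR block
    (exclude if negated else include).extend(nets)
    return include, exclude


class HomeNet:
    """Membership test for a HOME_NET value written in ipvar syntax."""

    def __init__(self, value):
        self.include, self.exclude = parse_ipvar(value)

    def contains(self, ip):
        addr = ipaddress.ip_address(ip)

        def hit(nets):
            return any(addr.version == n.version and addr in n for n in nets)

        if hit(self.exclude):
            return False
        # A value made only of negations (e.g. !10.0.0.0/8) matches everything else.
        return hit(self.include) or not self.include


if __name__ == "__main__":
    # Constructed values: this experiment's subnet, a nested list with negation, and a pure negation.
    for value in ("30.0.1.0/24", "[10.1.1.0/24,192.168.1.0/24,![10.1.1.5,192.168.1.1]]", "!10.0.0.0/8"):
        hn = HomeNet(value)
        for ip in ("30.0.1.4", "10.1.1.5", "10.1.1.7", "192.168.1.200", "8.8.8.8"):
            print("%-55s %-15s %s" % (value, ip, hn.contains(ip)))
```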

3. What other free tools exist for enterprise network intrusion detection and alert analysis?
1) OSSEC HIDS: an open-source host-based intrusion detection system (log analysis, file integrity checking, rootkit detection).
2) Fragroute/Fragrouter: a toolkit that fragments and reorders traffic to test whether a network IDS can be evaded; it is used to evaluate an IDS rather than being one itself.
3) BASE (Basic Analysis and Security Engine): a PHP web front end for searching and browsing the alerts that Snort writes to a database.
4) Sguil: a network security monitoring console that presents Snort alerts alongside session data and packet captures for analysts.

7. Experimental Screenshots