1. Experiment Objectives and Requirements:
1. Master the installation and configuration methods of Snort.
2. Master the methods of defining Snort rules.
3. Master the method of using Snort to analyze network status.
4. Specific contents:
1) Learn the working principles of Snort.
2) Configure Snort rule files.
3) Use Snort to detect network intrusion events.
2. Experiment Equipment and Environment:
3. Experiment Principle:
1. Overview, Role, and Principle of Intrusion Detection System (IDS)
An intrusion detection system (IDS) analyzes and responds to malicious behavior directed at computer and network resources. It is a technology for detecting actions that violate the security policy of a computer system, and its primary purpose is to protect that system by identifying unauthorized and abnormal activity.
Intrusions can be classified as external or internal; intrusion detection can be classified by what it monitors, either network traffic (network-based) or file system changes on the host.
The components of a network-based IDS include: data capturer, data processor, responder, and database.
The process is shown in Figure 1:
This experiment is based on a network intrusion detection system.
2. Role of Snort Tool
Snort is an open-source, local rule-based network intrusion detection software. Its primary functionalities include packet sniffing (detection), packet logging (storage), and intrusion detection.
Working process: 1) capture raw packets from the network card; 2) decode the packets into the protocol packet structures, starting from the link layer; 3) the preprocessors examine the packets; 4) the detection engine matches the packets against the rules. As shown in Figure 2.
Snort command format: Snort [-a|-e|s|e|t] [options];
3. Snort Rules
From a logical perspective, Snort rules = rule header + rule options;
Rule header: rule action, protocol type, source and destination addresses, port numbers, and the direction operator;
Rule options: for instance, msg, flags, sid, rev, classtype, etc.
4. Experiment Steps:
(1) Environment Configuration
1. Environment detection: Log in to host 1, execute the command “sudo snort -V” to check if it was installed successfully;
2. Configuration modifications:
① Execute the command “sudo vi /etc/snort/snort.conf”. The snort.conf file contains a sample Snort configuration divided into five steps: set the network variables, configure the dynamically loaded libraries, configure the preprocessors, configure the output plugins, add any runtime configuration directives, and set the path variables for the custom rule sets:
var RULE_PATH /etc/snort/rules (configure rules file path)
var SO_RULE_PATH /etc/snort/so_rules (configure so_rules path)
var PREPROC_RULE_PATH /etc/snort/preproc_rules (experimental rules)
② Modify the ipvar HOME_NET value, which is the network segment where the local machine resides:
ipvar HOME_NET 30.0.1.0/24
③ Modify the output unified2 line so that alerts are written in the unified2 format: a single output file named snort.log, rotated when it reaches the 128 (megabyte) limit, with MPLS and VLAN event types included:
“output unified2: filename snort.log, limit 128, mpls_event_types, vlan_event_types”
④ Restart Snort: Execute the command “sudo service snort restart”;
3. Configure Snort detection rules:
① Delete previous log files: Execute the command “sudo rm /var/log/snort/snort.log” to prepare the environment for new rules.
② Add rules to the local rules file so that any ICMP packet and any HTTP (TCP port 80) packet sent to the local machine triggers a Snort alert. “/etc/snort/rules” is the directory that stores the rule files; Snort loads many such files to generate alerts and warnings for the user. Execute the command “sudo vi /etc/snort/rules/local.rules” and add:
alert icmp any any -> $HOME_NET any (msg:"ICMP Test NOW!!!"; classtype:not-suspicious; sid:1000001;rev:1;)
alert tcp any any -> $HOME_NET 80 (msg:"HTTP Test NOW!!!"; classtype:not-suspicious; sid:1000002;rev:1;)
③ Disable the other rules: execute the command “sudo vi /etc/snort/snort.conf” and comment out every rule include statement except the one for local.rules (the include statements that follow local.rules);
④ Verify successful configuration: Execute the command “sudo snort -T -c /etc/snort/snort.conf”; as shown in Figure 2;
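As an added example (not part of this lab report or of Snort's own code), the following Python reads the two local.rules entries above, splits each into the rule header and rule options described in section 3, resolves $HOME_NET (handling the CIDR, comma-separated list and any forms as well), and reports which alerts a constructed (protocol, source IP, source port, destination IP, destination port) tuple would trigger. It models header matching only; real Snort also evaluates the payload options, and the sample packets are constructed for the example.

```python
import ipaddress
import re

# Constructed sample for this example: the lab's HOME_NET value and its two local.rules entries.
VARS = {"HOME_NET": "30.0.1.0/24"}
RULES = """
alert icmp any any -> $HOME_NET any (msg:"ICMP Test NOW!!!"; classtype:not-suspicious; sid:1000001;rev:1;)
alert tcp any any -> $HOME_NET 80 (msg:"HTTP Test NOW!!!"; classtype:not-suspicious; sid:1000002;rev:1;)
"""
HEADER_RE = re.compile(r"^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$")
OPTION_RE = re.compile(r'(\w+)(?::\s*("[^"]*"|[^;]*))?\s*;')  # key:"quoted"; key:value; or bare key;

def parse_rule(line):
    """Split a rule into header fields (action, proto, src, sport, direction, dst, dport) and an options dict."""
    m = HEADER_RE.match(line.strip())
    if not m:
        raise ValueError("not a Snort rule: " + line)
    action, proto, src, sport, direction, dst, dport, opts = m.groups()
    options = {k: v.strip().strip('"') for k, v in OPTION_RE.findall(opts)}
    return {"action": action, "proto": proto, "src": src, "sport": sport,
            "direction": direction, "dst": dst, "dport": dport, "options": options}

def expand_net(spec, variables):
    """Resolve $VAR, 'any', a single CIDR, or a comma-separated [list] into ip_network objects."""
    if spec.startswith("$"):
        spec = variables[spec[1:]]
    if spec == "any":
        return [ipaddress.ip_network("0.0.0.0/0")]
    return [ipaddress.ip_network(n, strict=False) for n in spec.strip("[]").split(",")]

def _one_way(rule, sip, sp, dip, dp, variables):
    src_ok = any(ipaddress.ip_address(sip) in n for n in expand_net(rule["src"], variables))
    dst_ok = any(ipaddress.ip_address(dip) in n for n in expand_net(rule["dst"], variables))
    sport_ok = rule["sport"] == "any" or int(rule["sport"]) == sp
    dport_ok = rule["dport"] == "any" or int(rule["dport"]) == dp
    return src_ok and dst_ok and sport_ok and dport_ok

def matches(rule, pkt, variables=VARS):
    """True when (proto, src_ip, sport, dst_ip, dport) satisfies the header; '<>' checks both directions. ICMP has no ports, so pass 0."""
    proto, sip, sp, dip, dp = pkt
    if rule["proto"] != proto:
        return False
    if _one_way(rule, sip, sp, dip, dp, variables):
        return True
    return rule["direction"] == "<>" and _one_way(rule, dip, dp, sip, sp, variables)

def alerts_for(pkt, rules_text=RULES, variables=VARS):
    """Return the msg of every alert rule the packet triggers, like the -A console output."""
    rules = [parse_rule(l) for l in rules_text.strip().splitlines()]
    return [r["options"]["msg"] for r in rules if r["action"] == "alert" and matches(r, pkt, variables)]
```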
(2) Use Snort for Intrusion Analysis
1. View information: Execute the command “ifconfig” to view the network card information on the host:
eth0 is the local machine’s network card. If there are multiple network cards, it will display eth1, eth2… and so on.
2. Monitor intrusion: Execute the command “sudo snort -A console -q -u snort -g snort -c /etc/snort/snort.conf -i eth0”
3. Start execution: Log in to host 2 and ping host 1: “ping 30.0.1.4”
4. View packet information: Return to the Snort terminal on host 1 to check the alerts;
5. Browser interaction: Use host 2 to visit host 1 through a browser. Enter http://30.0.1.4 in the browser.
6. Return to the terminal window to examine the detected data
5. Experiment Phenomena, Result Recording, and Analysis:
1. During the environment detection, the Snort tool was successfully installed;
2. In configuration modifications, many configuration items can be altered as needed, such as rule path settings, network variables, loaded libraries, etc.;
3. In configuring detection rules, users can set rules according to their needs and the actual situation. In this experiment, ICMP and HTTP packets were set;
4. During the experiment, it was found that through the Snort tool, packet information was successfully detected.
6. Analysis, Discussion, and Response to Reflection Questions:
1. The analysis of rule options forms the core of the Snort detection engine. What are the main categories of options?
① The first category describes the various features of packets, such as: content, flags, dsize, ttl, etc.;
② The second category includes explanatory options related to the rule itself, such as: reference, sid, classtype, priority, etc.;
③ The third category refers to action options after rule matching, such as: msg, resp, react, session, logto, tag, etc.;
④ The fourth category consists of modifiers for certain options, such as nocase, offset, depth, regex, which belong to content.
2. In configuring snort.conf, in what ways can the local network (HOME_NET) be defined?
① Explicitly specify your local network:
var HOME_NET 192.168.1.0/24; if you want Snort to support IPv6, change the variable definition type to ipvar;
② Use global variables: var HOME_NET $eth0_ADDRESS
③ Define a list of addresses, separated by commas: var HOME_NET [10.1.1.0/24,192.168.1.0/24], there should be no spaces in the list;
④ Define any IP address: var HOME_NET any;
3. What other free enterprise-class network intrusion detection tools are there?
① OSSEC HIDS: A host-based open-source intrusion detection system;
② Fragroute/Fragrouter: A toolkit capable of evading network intrusion detection;
③ BASE: Basic Analysis and Security Engine, a PHP-based analysis engine;
④ Sguil: A console tool for network security experts to monitor network activity.