Ece 4112 Internetwork Security Lab 7: Honeypots and Network Monitoring and Forensics
Just running snort with rules, as done above, will log only the packets that have signatures that match one of the rules, they will be logged in /var/log/snort. You can also output the alerts to the s
Download 113.51 Kb.
|
- Navigate this page:
- Configuring Snort
- Writing Snort Rules
Just running snort with rules, as done above, will log only the packets that have signatures that match one of the rules, they will be logged in /var/log/snort. You can also output the alerts to the screen with#snort –A console –c / Below is some information on the snort.conf file and how to make rules. Use this info and what you observed about the buffer overflow packets in exercise 3B to answer the questions in this part of the lab. Configuring Snort:Snort can be configured to watch incoming network traffic directed to the host that it is running on or to scan all network traffic that the host “sees.” This option is configured using the configuration variable HOME_NET in the snort.conf file. There are several different ways one can set this up. Here are four different choices.
There are a number of administrator configurable variables that snort rules use. By default these rules use HOME_NET as the target address(es). Each of these addresses can be set using the same type of strings as HOME_NET. Take care not to use any space characters when constructing these address lists. Content inspection of packets for each rule that snort uses can be very costly. You are advised to reduce the number of rules to improve overall performance. Attackers could use Snort’s rules to mask their attacks in a sea of alerts. Snort also comes with some interesting support modules. Among them portscan, portscan2, fragmented packet and the stream4 preprocessor stand out. The fragmented packet preprocessor allows snort to reassemble (intentionally) fragmented packets. The portscan and portscan2 preprocessors handle port-scanning techniques. Portscan2 is preferred as it is more general than portscan. The stream4 preprocessor allows for stateful inspection of TCP traffic. This is important to counter several IDS defeating techniques. Attackers often will send packets out of sequence or retransmit different byte ranges of data in order to evade detection by an IDS. Tools like snot will easily overload Snort with bogus alerts cloaking and attacker’s true attack. Snot is not used in the lab because it needs to be modified to use the newest version of libnet.
ACTION PROTOCOL IP[/mask] PORT -> IP[/mask] PORT (OPTIONS) ACTIONS
PROTOCOL
TCP, UDP, BGP, ARP, IP, ICMP, etc. IP
PORT
OPTIONS
The option field is enclosed by parenthesis using a semi-colon as an option delimiter. Snort will ignore white space in the options allowing users to create easy to read option rules. ( option ) ( option : option ) Option rules are applied to perform some action or select packet with finer granularity than the generic snort rule. There are a number of protocol specific options, but those will not be covered. Those require more knowledge about the different protocols. You can read about them in the referenced material.
(msg:"TEXT")
(logto:"FileName")
Q6.1: Write a rule to detect the imapd-ex attack. Add the rule to the SNORT rule base on the RH 7.2 server box
/usr/local/etc/snort/rules
to recognize your new rules file Run SNORT in IDS mode on the Red Hat 7.2 server box
Q6.2: Did SNORT give an alert? Attachment 3: Submit a screenshot or output of alert Directory: owen -> Academic -> ECE4112 -> Spring2005 owen -> Class struggles as pre-history of black oriented radio owen -> Changes in light fraction soil organic matter and in organic carbon and nitrogen in compost amended soils owen -> Season-long supply of plant-available nutrients from compost and fertiliser in a long term organic vs conventional snap bean rotations experiment owen -> Henry owens 76 lhp full Name Download 113.51 Kb. Share with your friends:
|