SNORT WORKSHOP Install and Configure rules: https://upcloud.com/community/tutorials/install-snort-ubuntu/ wget https://snort.org/downloads/snort/snort-2.9.16.1.tar.gz sudo -apt-get remove --auto-remove snort https://www.cloudsavvyit.com/6424/how-to-use-the-snort-intrusion-detection-system-on-linux/ snort instalaltion snow network setup ip addr backup snort.conf create test_snort.conf remove all the rules #Test SNORT config sudo snort -T -i enp0s3 -c /etc/snort/test_snort.conf #Run rule on console output sudo snort -A console -q -i enp0s3 -c /etc/snort/test_snort.conf ' #Rule 1 (ICMP Detection) alert icmp any any -> $HOME_NET any (msg:"ICMP test"; sid:1000001; rev:1; classtype:icmp-event;) #Rule 2 (FTP Connection attempt) alert tcp any any -> $HOME_NET 21 (msg:"FTP Connection attempt"; sid:1000002; rev:1;) #Log alert as Ascii sudo snort -A console -q -i enp0s3 -c /etc/snort/test_snort.conf -K ascii #Rule3 :(FTP Connection failed attempt) alert tcp $HOME_NET 21 -> any any (msg:"FTP Failed Login"; content:"Login or password incorrect!"; sid:1000003; rev:1;) #alert icmp any any -> $HOME_NET any (msg:"ICMP test"; sid:1000001; rev:1; classtype:icmp-event;) #alert tcp 192.168.56.1 any -> $HOME_NET 21 (msg:"FTP Connection attempt"; sid:1000002; rev:1;) SNORPY http://snorpy.com/ https://github.com/chrisjd20/Snorpy https://handlers.sans.org/gbruneau/snorpy_setup.htm

1. SNORT Test LAB – Virtual Box
Victim : Windows Box
IP Address : 192.168. 56.106
IP Address : 192.168. 56.1
Ubuntu – SNORT Box
Sniffing network traffic
Interface: enp0s3
promiscuous mode
All Hosts on : ”Host Only Adapter”
IP Address : 192.168. 56.112

2. SNORT: Workshop Plan
1.Setup SNORT
2.Configure 3 SNORT Rules
A. ICMP detection Rule
B. FTP Connection Detection Rule
C. FTP Connection Failed Attempt

3. SNORT Rule Syntax

4. Snorpy
A Web Based Snort Rule Creator / Maker for Building Simple Snort Rules
http://snorpy.com/
https://github.com/chrisjd20/Snorpy
https://handlers.sans.org/gbruneau/snorpy_setup.htm

5. SNORT :ICMP detection Rule
alert icmp any any -> $HOME_NET any (msg:"ICMP test"; sid:1000001; rev:1; classtype:icmp-event;)
Rule Header
alert Rule action. Snort will generate an alert when the set condition is met.
any Source IP. Snort will look at all sources.
any Source port. Snort will look at all ports.
-> Direction. From source to destination.
$HOME_NET Destination IP. We are using the HOME_NET value from the snort.conf file.
any Destination port. Snort will look at all ports on the protected network.
Rule Options
msg:”ICMP test” Snort will include this message with the alert.
sid:1000001 Snort rule ID. Remember all numbers < 1,000,000
rev:1 Revision number. This option allows for easier rule maintenance.
classtype: Categorizes the rule as an “icmp-event”, one of the predefined Snort categories

6. SNORT :FTP Connection Detection Rule
alert tcp any any -> $HOME_NET 21 (msg:"FTP Connection attempt"; sid:1000002; rev:1;)

7. SNORT :FTP Connection Failed Attempt
alert tcp $HOME_NET 21 -> any any (msg:"FTP Failed Login"; content:"Login or password incorrect!"; sid:1000003; rev:1;)