Snort Home Lab - Workshop
SNORT WORKSHOP Install and Configure rules: https://upcloud.com/community/tutorials/install-snort-ubuntu/ wget https://snort.org/downloads/snort/snort-2.9.16.1.tar.gz sudo -apt-get remove --auto-remove snort https://www.cloudsavvyit.com/6424/how-to-use-the-snort-intrusion-detection-system-on-linux/ snort instalaltion snow network setup ip addr backup snort.conf create test_snort.conf remove all the rules #Test SNORT config sudo snort -T -i enp0s3 -c /etc/snort/test_snort.conf #Run rule on console output sudo snort -A console -q -i enp0s3 -c /etc/snort/test_snort.conf ' #Rule 1 (ICMP Detection) alert icmp any any -> $HOME_NET any (msg:"ICMP test"; sid:1000001; rev:1; classtype:icmp-event;) #Rule 2 (FTP Connection attempt) alert tcp any any -> $HOME_NET 21 (msg:"FTP Connection attempt"; sid:1000002; rev:1;) #Log alert as Ascii sudo snort -A console -q -i enp0s3 -c /etc/snort/test_snort.conf -K ascii #Rule3 :(FTP Connection failed attempt) alert tcp $HOME_NET 21 -> any any (msg:"FTP Failed Login"; content:"Login or password incorrect!"; sid:1000003; rev:1;) #alert icmp any any -> $HOME_NET any (msg:"ICMP test"; sid:1000001; rev:1; classtype:icmp-event;) #alert tcp 192.168.56.1 any -> $HOME_NET 21 (msg:"FTP Connection attempt"; sid:1000002; rev:1;) SNORPY http://snorpy.com/ https://github.com/chrisjd20/Snorpy https://handlers.sans.org/gbruneau/snorpy_setup.htm
Recommended
More Related Content
What's hot
What's hot (20)
Similar to Snort Home Lab - Workshop
Similar to Snort Home Lab - Workshop (20)
Recently uploaded
Recently uploaded (20)
Snort Home Lab - Workshop
- 1. SNORT Test LAB – Virtual Box Victim : Windows Box IP Address : 192.168. 56.106 IP Address : 192.168. 56.1 Ubuntu – SNORT Box Sniffing network traffic Interface: enp0s3 promiscuous mode All Hosts on : ”Host Only Adapter” IP Address : 192.168. 56.112
- 2. SNORT: Workshop Plan 1.Setup SNORT 2.Configure 3 SNORT Rules A. ICMP detection Rule B. FTP Connection Detection Rule C. FTP Connection Failed Attempt
- 4. Snorpy A Web Based Snort Rule Creator / Maker for Building Simple Snort Rules http://snorpy.com/ https://github.com/chrisjd20/Snorpy https://handlers.sans.org/gbruneau/snorpy_setup.htm
- 5. SNORT :ICMP detection Rule alert icmp any any -> $HOME_NET any (msg:"ICMP test"; sid:1000001; rev:1; classtype:icmp-event;) Rule Header alert Rule action. Snort will generate an alert when the set condition is met. any Source IP. Snort will look at all sources. any Source port. Snort will look at all ports. -> Direction. From source to destination. $HOME_NET Destination IP. We are using the HOME_NET value from the snort.conf file. any Destination port. Snort will look at all ports on the protected network. Rule Options msg:”ICMP test” Snort will include this message with the alert. sid:1000001 Snort rule ID. Remember all numbers < 1,000,000 rev:1 Revision number. This option allows for easier rule maintenance. classtype: Categorizes the rule as an “icmp-event”, one of the predefined Snort categories
- 6. SNORT :FTP Connection Detection Rule alert tcp any any -> $HOME_NET 21 (msg:"FTP Connection attempt"; sid:1000002; rev:1;)
- 7. SNORT :FTP Connection Failed Attempt alert tcp $HOME_NET 21 -> any any (msg:"FTP Failed Login"; content:"Login or password incorrect!"; sid:1000003; rev:1;)