Lab 8 - Snort Intrusion Detection

Due: Wednesday at 5:00pm

The purpose of this lab is to install and test an intrusion detection system called Snort.

Snort is an open-source (and free) intrusion detection system that allows the users of the system to write custom rules. This makes it a good system to learn about how to write signatures. Snort looks for patterns in the network packets passing by the system and issues alerts when matches are found.

Snort can be run on a variety of platforms. View the download documents on the Snort homepage if you wish to see how to install Snort. Otherwise, download the Snort VMware image tarball to the workstation in 315. Move the tarball to the ~/vmware directory and unpack it using the command:

tar -xvzf lab8_snort.tgz

This will create a directory called cs476_snort which contains a virtual machine for this lab. The virtual machine is Ubuntu 9.10 with Snort installed.

Start VMware Workstation. Then select File->Open, navigate to the cs476_snort directory, select Ubuntu.vmx, and click Open. Log in as the user cs476 (nicknamed Snort Tester in the graphical user selection box) with the password cs476.

Snort is a rule-based intrusion detection system where each rule specifies a pattern or condition that may indicate an intrusion has occurred. Snort lets users edit the existing rules and add their own. Read Chapter 3 in the Snort User Manual to see how to write rules; that chapter covers the complete rule syntax.

Lab Assignment

Open the file /etc/snort/rules/local.rules and add one rule that detects each visit to www.google.com that is made by the virtual machine. The rule should look for any outbound TCP traffic that is going to port 80 and contains the pattern "www.google.com" in the URL and trigger an alert when it gets a match. Give the rule an SID of 1000000 or higher.

Once you have added the rule to local.rules, restart Snort with the command:

sudo /etc/init.d/snort restart

Then visit Google with a web browser. Look in the file /var/log/snort/alert and see if your rule triggered an alert.
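As an added illustration of the kind of rule the assignment asks for (this is example text written for this page, not a rule shipped with the Snort VM), the following entry in /etc/snort/rules/local.rules matches outbound TCP traffic to port 80 whose payload contains "www.google.com". It assumes the $HOME_NET and $EXTERNAL_NET variables are defined in /etc/snort/snort.conf (the Ubuntu package defines both) and that the stream preprocessor is enabled, which the flow keyword relies on. The msg text and the SID 1000001 are chosen here; any SID of 1000000 or higher is in the range reserved for locally written rules.

```snort
# Added example rule for Lab 8: alert on each HTTP request to www.google.com.
# Header: action, protocol, source address/port, direction, destination address/port.
# Options: flow restricts matching to client-to-server packets on established
# sessions (so only the request, not the reply, triggers); content is the byte
# pattern to search for in the packet payload; nocase makes the match
# case-insensitive, since the browser may send the Host header in any case.
alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"LOCAL visit to www.google.com"; flow:to_server,established; content:"www.google.com"; nocase; classtype:policy-violation; sid:1000001; rev:1;)
```

A browser request to Google carries the host name in the HTTP Host header (and often in the request line), so the content match fires on the first packet of the request. Each hit in /var/log/snort/alert begins with a header of the form [**] [1:1000001:1] LOCAL visit to www.google.com [**], where the three numbers are the generator ID, the rule's SID and its revision; grepping the alert file for the SID is a quick way to count how many visits were detected. If the rule never fires, check that sudo /etc/init.d/snort restart completed without a syntax error (Snort refuses to start on a malformed rule) and that the rule's content string exactly matches the host name the browser sends.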

When you have a working local.rules file, scp that file from the virtual machine to Sleipnir using the command:

scp /etc/snort/rules/local.rules <username>@sleipnir.cs.csubak.edu:<filename>

replacing <username> with your Sleipnir username and <filename> with the directory and/or filename you want local.rules to be uploaded to. Email the uploaded file to me.