Saturday, June 10, 2017

snort ips/ids

1- install snort

$ apt-get install snort

2- quick IDS: change the settings in /etc/snort/snort.debian.conf

DEBIAN_SNORT_STARTUP="boot"
DEBIAN_SNORT_HOME_NET="10.0.0.0/24"
DEBIAN_SNORT_OPTIONS=""
DEBIAN_SNORT_INTERFACE="eth0 eth1"
DEBIAN_SNORT_SEND_STATS="true"
DEBIAN_SNORT_STATS_RCPT="root"
DEBIAN_SNORT_STATS_THRESHOLD="1"

3- add the line below to /etc/snort/snort.conf
output alert_syslog: LOG_AUTH LOG_ALERT

-restart snort
$ sudo /etc/init.d/snort restart

4- read alert and log
$ tail -f /var/log/auth.log

$ u2spewfoo /var/log/snort/snort.log
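Once alert_syslog is on, the alerts land in auth.log mixed with sshd and sudo lines, so it helps to have a quick way to count which Snort signatures fired from where (for example after the ICMP drop rule or IDSwakeup run below). The script here is an added example, not part of the original post; the log lines are constructed in the alert_syslog format, not real captured data.

```shell
#!/bin/sh
# Constructed sample of /var/log/auth.log lines as written by
# "output alert_syslog: LOG_AUTH LOG_ALERT" (not real captured data).
SAMPLE_LOG='Jun 10 12:00:01 sensor snort[1234]: [1:10000001:1] ICMP test detected [Classification: Generic ICMP event] [Priority: 3] {ICMP} 10.0.0.5 -> 10.0.0.2
Jun 10 12:00:02 sensor snort[1234]: [1:10000001:1] ICMP test detected [Classification: Generic ICMP event] [Priority: 3] {ICMP} 10.0.0.5 -> 10.0.0.2
Jun 10 12:00:03 sensor sshd[999]: Accepted publickey for user1 from 10.0.0.9 port 52200 ssh2
Jun 10 12:00:04 sensor snort[1234]: [1:1000:2] Some other rule [Classification: Misc activity] [Priority: 3] {TCP} 10.0.0.7:40000 -> 10.0.0.2:22'

# snort_alert_counts: read syslog lines on stdin, keep only Snort alerts,
# and print "gid:sid src count", highest count first.
snort_alert_counts() {
    awk '
    / snort\[[0-9]+\]: \[/ {
        # The token after "snort[pid]:" is the [gid:sid:rev] triple.
        if (match($0, /\[[0-9]+:[0-9]+:[0-9]+\]/)) {
            sig = substr($0, RSTART + 1, RLENGTH - 2)
            sub(/:[0-9]+$/, "", sig)        # drop rev, keep gid:sid
        }
        # Source address is the token before "->"; strip any :port suffix.
        src = ""
        for (i = 1; i <= NF; i++) if ($i == "->") src = $(i - 1)
        sub(/:[0-9]+$/, "", src)
        count[sig " " src]++
    }
    END { for (k in count) print k, count[k] }' | sort -k3,3nr -k1,1
}

# snort_sid_fired SID MIN: succeed when alerts for SID on stdin reach MIN,
# e.g. to confirm the drop rule (sid 10000001) actually fired during a test.
snort_sid_fired() {
    n=$(snort_alert_counts | awk -v sid="$1" '
        { split($1, g, ":"); if (g[2] == sid) s += $3 }
        END { print s + 0 }')
    [ "$n" -ge "$2" ]
}

# Usage on the live log: sudo cat /var/log/auth.log | snort_alert_counts
printf '%s\n' "$SAMPLE_LOG" | snort_alert_counts
```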


---------------
1- ips mode, add drop rule to /etc/snort/rules/icmp.rules
drop icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP test detected"; GID:1; sid:10000001; rev:001; classtype:icmp-event;)

2- run snort in inline mode
$ sudo snort -c /etc/snort/snort.conf --daq afpacket --daq-mode inline -S HOME_NET=[10.0.0.0/24] -i eth0:eth1 -Q -N -A Console

snort will print a drop alert on the console and drop the packet as well

3- a test tool called IDSwakeup can be used to trigger Snort alerts

$ wget http://www.hsc.fr/ressources/outils/idswakeup/download/IDSwakeup-1.0.tgz

$ wget http://packetfactory.openwall.net/libnet/dist/deprecated/libnet-1.0.2a.tar.gz

a- then compile libnet
b- edit the Makefile of IDSwakeup to include the libnet header and lib paths
CPPFLAGS ='-I/home/user1/Libnet-1.0.2a/output/include'
LDFLAGS ='-L/home/user1/Libnet-1.0.2a/output/lib'

c- run
$ make

d- install hping3
$ sudo apt-get install hping3 2ping

e- update the IDSwakeup script file
change from
HPING='./hping2'
to
HPING='/usr/sbin/hping3'


f- to run it
$ ./IDSwakeup 0 10.0.0.2 20 100

0: random source address
10.0.0.2: target
20: number of packets to send
100: TTL