LAB3SNORTS

IT 643 Lab 3: Using Snort IDS

Lab 3 Procedure

The following requirements must be met in order to set up this lab:

·        Virtual Machine from Lab 1 (Ubuntu Linux 14.04 VM in either VMware or VirtualBox)

·        Internet access for adding packages to the install of Ubuntu

Logging In to VM

1.      When Ubuntu starts, LightDM will show the normal user already selected. Type in the password you used during the installation and press <Enter>.

2.      Type <ALT>+<F2>, which will bring up the “Run Command” menu. Type in “gnome-terminal” and press <Enter>. You can also select the terminal if it was attached to the Launcher panel.

3.      This will load a terminal to run commands in. With the terminal open, the operating system needs to be updated before continuing (even if you updated it while completing Lab 2). Type in the following to update Ubuntu and install its security patches:

4.      Once the update is complete, click the gear in the top right corner and select “Shut down” and then select “Restart” to reboot the system.

Installing the Snort Package

1.      For the purposes of this lab, we will use the Snort package that Ubuntu ships in its repositories. Open the terminal and run the following command to install Snort and Apache2; Apache2 will be used for the web-detection demonstration.

2.      Type “snort -V” to verify that Snort is installed correctly. The output in the terminal should look similar to the screenshot in Figure 1.

Figure 1: Screenshot of Snort Running a Version Check

3.      Run the following command to test the Snort configuration.

4.      Snort will start up and validate the configuration. The output will look similar to Figure 2.

Figure 2: Output From Snort Validate

Lab 3 Assignment

Using Hands-On Project 8-4 on pages 298–299 in our textbook as a guide, perform the following steps to explore Snort’s logging function:

1.      If necessary, open the terminal window in Linux, type sudo snort -vd, but do not press Enter yet.

2.      Open a Web browser (the Firefox icon is on the Launcher Panel on the left). In the address bar, type www.snhu.edu, but do not press Enter yet.

3.      Go back to the terminal window and press Enter. Then immediately go back to the Web browser window and press Enter.

4.      Go back to the terminal window and press Ctrl+C quickly and examine the results.

5.      Take a series of screenshots and paste them to a Word document to show your results. Submit these along with answers to the questions below.

Lab 3 Questions

  1. Lab Question 1: Take a look at the information captured in the above lab. What is some of the information contained in the results?
  2. Lab Question 2: Snort rules are written into a text file that can be easily viewed by a security engineer or analyst (with the exception being shared object rules). Is this a good thing? Think of a reason why this may be a bad thing (Hint: Think about the attacker).
  3. Lab Question 3: Open-source Snort provides complete control over how it is deployed. What are some of the limitations to how Snort was configured for this lab that might be different in an enterprise setting?
  4. Lab Question 4: Research and explain the difference between the “alert” Snort action and “drop” action. What is required to use the drop action in Snort?
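As an added illustration for Questions 2 and 4 (not part of the original lab or of Snort itself), the following Python script parses the plain-text Snort 2 rule format and runs over two constructed rules written for the lab's Apache2 server; the helper names, the sample rules and the $HOME_NET variable are assumptions for the example.

```python
import re

# Minimal parser for the Snort 2 text rule format (hypothetical helper, not Snort code):
#   <action> <proto> <src> <sport> <direction> <dst> <dport> (<options>)
HEADER_RE = re.compile(
    r"^(?P<action>alert|log|pass|drop|reject|sdrop)\s+(?P<proto>\w+)\s+"
    r"(?P<src>\S+)\s+(?P<sport>\S+)\s+(?P<direction>->|<>)\s+"
    r"(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$"
)
# These actions only block traffic when Snort runs inline (-Q with an inline-capable DAQ);
# in the passive sniffing mode used in this lab nothing is actually dropped.
INLINE_ONLY = {"drop", "reject", "sdrop"}

def parse_options(text):
    """Split 'key:value; flag;' option text into a dict (quoted ';' not handled)."""
    opts = {}
    for part in (p.strip() for p in text.split(";")):
        if not part:
            continue
        key, _, val = part.partition(":")
        opts[key.strip()] = val.strip().strip('"') if val else True
    return opts

def parse_rules(text):
    """Parse every non-comment line into a dict of header fields plus options."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = HEADER_RE.match(line)
        if not m:
            raise ValueError(f"unparsable rule: {line}")
        rule = m.groupdict()
        rule["options"] = parse_options(rule.pop("opts"))
        rules.append(rule)
    return rules

def inline_only_sids(rules):
    """SIDs whose action needs inline mode before it blocks anything."""
    return [r["options"].get("sid") for r in rules if r["action"] in INLINE_ONLY]

# Constructed sample rules for the lab's Apache2 install; not taken from the page.
SAMPLE_RULES = """
alert tcp any any -> $HOME_NET 80 (msg:"Web GET to lab Apache"; content:"GET"; sid:1000001; rev:1;)
drop tcp any any -> $HOME_NET 80 (msg:"Block request for /test/"; content:"/test/"; nocase; sid:1000002; rev:1;)
"""
```

Calling parse_rules(SAMPLE_RULES) yields both rules as dicts, and inline_only_sids on the result lists only sid 1000002, the drop rule that would be alert-only in this lab's passive setup.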