Author Topic: IDS - Snort  (Read 3669 times)

desudesu~

IDS - Snort
« on: December 16, 2012, 10:10:38 pm »

So yeah, this is a quick and dirty tutorial on IDS (more particularly Snort). Take it as a real fast introduction; if you spend time reading this, you should spend more time studying that kind of stuff deeper somewhere else (I will try to share some resources).



I) First off

What's an IDS?
> Short for "Intrusion Detection System"

What does an IDS basically do?
> It analyses packets, finds suspect ones and alerts the network administrator to potential intrusions. It is NOT a firewall, though.

Example please?
> Sure thing. Well, with an IDS on your network, you can detect scans (port scans/sweeps, OS fingerprinting), Denial of Service attacks, bots and any kind of activity against the policies of your workplace. I'll provide some examples of alerts later.



II) Snort

"Snort performs real time traffic analysis and packet logging on IP networks" - https://www.snort.org/

Snort is a Network-based Intrusion Detection System (it detects intrusion attempts on a network by comparing the traffic to a database of known attack patterns). Basically, it is used to monitor the network for possible intrusions, manage logs and sniff the network.
You give Snort a list of predefined rules (some lines that you write to log the packets you want to log), and it will alert you each time a packet that matches one of these rules arrives.

I greatly recommend running Snort on a Linux distribution for various reasons, the most important one being that Linux updates for Snort are released well before the Windows ones - so it's mostly for security reasons - plus both are free...

I personally will use Debian for the demonstrations of this tutorial. You can get your version on the official website: http://www.debian.org/

I won't go through each step of installing the software on your machine; the Snort website has excellent documentation about that, e.g. for Debian users, look for "Snort 2.9.3.1 on Debian 6.0.5" by Jason Weir.

-

It is important that once installed, you make sure that Snort is up and running properly. For this, you can create a simple rule that will detect incoming PINGs. If you have correctly followed an installation documentation such as the one I've provided just above, you should edit your 'local.rules' file and add this line:

Code:
alert icmp any any -> $HOME_NET any (msg:"ICMP testing"; sid:10000001;)

And then start Snort from your terminal:

Code:
/usr/local/bin/snort -A console -q -u snort -g snort -c /etc/snort/snort.conf -i eth0

If you use Linux in a VM, simply ping it from your host and you should see the alerts appearing in the terminal where Snort is running.
If nothing appears, it's most likely that something went wrong in the installation, that you didn't edit the 'snort.conf' file properly or that you are missing the IDS prerequisites, which are: libpcap, libdnet and daq.

Let's analyze this rule now, what does it mean?
> 'alert icmp': 'alert' is there at the beginning of each rule, this is mandatory so you really just have to put it there. 'icmp' is the type of packet you want to alert on. PING packets use the ICMP protocol (this is the kind of thing you have to learn, I can't go through that...).

> 'any any ->': the first 'any' represents the IP address FROM WHERE the packet is coming - you could set it to $EXTERNAL_NET by the way, which is all IP addresses outside of $HOME_NET (you set this in the 'snort.conf' file). The second 'any' is the port - here you don't really need to set any port, it's simply for testing purposes.

> 'any any': the second part is actually not so much different - the only real difference being that these two 'any' refer to WHERE the packet GOES TO.

> '(msg:"ICMP testing"; sid:10000001;)': the 'msg' is the message you want to display each time the alert is logged. Concerning the 'sid', it defines the ID of the alert's rule - it is extremely important that each rule has a different SID, otherwise it will simply give you an error.

To sum things up, this is the format of a rule:
> alert icmp(or tcp or udp...) source_address source_port -> destination_address destination_port (msg:"test"; sid:10000002;)

For more options to add, see http://manual.snort.org/node291.html

-

Now, something important to know: YOU CANNOT have one rule to detect, for example, ALL NETWORK SCANS on your network. Take NMAP as an example - if you decide to launch a simple TCP SYN scan against a remote address, you would run:

Code:
nmap -v -sS address

To write a rule in order to detect that particular scan, you will have to analyze the packets that NMAP uses. Luckily, NMAP is a widely used piece of software, so finding information on how it works isn't really difficult. A little research will show that this TCP scan uses a particular TCP flag: S, along with an acknowledgement number of 0. You can then add this to some rule: "flags: S; ack: 0;"

However, NMAP is a tool that allows very customized scans, and the user can easily modify things such as the flags... This shows the importance of keeping rules up to date, especially if you are using Snort or any other IDS in your organization.

Another simple but interesting rule would be one that could detect simple UDP flooding (such as the one used by e.g. LOIC during a DoS attack):

Code:
alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"LOIC UDP flooding"; threshold: type threshold, track by_src, count 100, seconds 5; sid: 10000002; rev: 1;)

This rule will trigger on every 100th event for this SID within a 5-second interval - this can be enough to detect a LOIC UDP flood at minimum speed. You can check out this website for more info: some LOIC rules.

-

I'm not quite sure what more to tell you guys, but if you are willing to learn more about Snort and IDS in general, there are tons of resources out there, beginning with the Snort official website.
You could practice by setting up Snort on a VM, and create rules to detect network scans/OS fingerprinting (using nmap or any other tool), detect DoS attacks (you can use LOIC, Slowloris, etc...).
You can also try to detect bot activities - for that one I recommend running the bot and at the same time running Snort in sniffer mode (with the -dev flag) - and you could also try to detect any kind of, let's say, Dropbox activity, or any website access through any web browser.

Snort, in my opinion, is good for your workplace, but also at home - you can just monitor anything you wish - but as you guys all know, nothing is 100% secure, and this is not an exception: if somebody wants to get through your IDS, he will, especially since you cannot have all the rules in the world for all types of activities.

PLEASE tell me if I can add more things to this tutorial, I can edit it when I have time. Also don't hesitate if you have some questions, I will do what I can to answer them, and maybe add a FAQ...

Thanks for reading if you did, this is taken from a coursework I recently wrote. I hope I haven't missed any references, also the formatting isn't great but I hope it's pleasant enough... and let me know if you spot some errors... I tried to write it fast.

Cheers~
desudesudesu~
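An added example, not from the post above and not the Snort project's own code: a small Python script that parses the two rules quoted in the tutorial (the ICMP test rule and the LOIC threshold rule), checks that no SID is reused (the post warns that a duplicate SID makes Snort error out), and replays the threshold logic (every 100th datagram from one source inside 5 seconds) over a constructed packet stream to show when the alert would actually fire. The Nmap SYN rule, the duplicate rule, the IP addresses and the traffic are assumptions made for the demo; the threshold behaviour is modelled on Snort's documented semantics for "type threshold, track by_src", not lifted from its source.

```python
"""Added example (not from the original post): parse the Snort rules quoted in
the tutorial and simulate the 'threshold' option on a constructed UDP stream.
Only rules 1 and 2 come from the post; the Nmap rule, the duplicate rule and
the traffic are constructed for this demo."""
import re
from collections import defaultdict

# Rules 1 and 2 are quoted from the post; rule 3 is an assumed rule built from
# the post's hint "flags: S; ack: 0;" and is not the post's own text.
RULES = """
alert icmp any any -> $HOME_NET any (msg:"ICMP testing"; sid:10000001;)
alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"LOIC UDP flooding"; threshold: type threshold, track by_src, count 100, seconds 5; sid: 10000002; rev: 1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"Nmap SYN scan, assumed rule"; flags:S; ack:0; sid:10000003;)
"""
# Constructed rule that reuses sid 10000001, to show the clash the post warns about.
DUPLICATE_RULE = 'alert icmp any any -> any any (msg:"dup"; sid:10000001;)'

HEADER_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$"
)


def parse_rule(line):
    """Split one rule into its header fields plus a dict of its options."""
    m = HEADER_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a rule: {line!r}")
    rule = m.groupdict()
    opts = {}
    for opt in rule.pop("opts").split(";"):
        if opt.strip():
            key, _, value = opt.partition(":")
            opts[key.strip()] = value.strip().strip('"')
    rule["options"] = opts
    rule["sid"] = int(opts["sid"])  # every rule needs its own sid
    return rule


def load_rules(text):
    """Parse every non-blank, non-comment line of a local.rules-style file."""
    return [parse_rule(l) for l in text.splitlines()
            if l.strip() and not l.lstrip().startswith("#")]


def duplicate_sids(rules):
    """SIDs used by more than one rule; Snort refuses to start on these."""
    seen, dups = set(), set()
    for r in rules:
        (dups if r["sid"] in seen else seen).add(r["sid"])
    return sorted(dups)


def parse_threshold(spec):
    """'type threshold, track by_src, count 100, seconds 5' -> dict."""
    parts = dict(p.split() for p in spec.split(","))
    return {"type": parts["type"], "track": parts["track"],
            "count": int(parts["count"]), "seconds": float(parts["seconds"])}


def threshold_alerts(events, count, seconds):
    """Model of 'type threshold, track by_src' as Snort documents it: alert on
    every count-th event from the same source inside a window of `seconds`,
    then restart the counter. events = [(timestamp, src_ip), ...]."""
    state = defaultdict(lambda: (None, 0))  # src -> (window_start, count)
    alerts = []
    for ts, src in events:
        start, n = state[src]
        if start is None or ts - start >= seconds:
            start, n = ts, 0  # window expired: start a new one
        n += 1
        if n >= count:
            alerts.append((ts, src))
            start, n = ts, 0  # threshold met: log it and reset
        state[src] = (start, n)
    return alerts


def demo_events():
    """Constructed traffic: 10.0.0.5 sends 250 datagrams in about 4 s (a flood),
    10.0.0.9 sends 20 datagrams spread over 30 s (ordinary use)."""
    flood = [(i * 0.016, "10.0.0.5") for i in range(250)]
    quiet = [(i * 1.5, "10.0.0.9") for i in range(20)]
    return sorted(flood + quiet)


def run_demo():
    """Apply the LOIC rule's threshold to the constructed traffic."""
    rules = load_rules(RULES)
    flood_rule = next(r for r in rules if "threshold" in r["options"])
    th = parse_threshold(flood_rule["options"]["threshold"])
    return threshold_alerts(demo_events(), th["count"], th["seconds"])


if __name__ == "__main__":
    for ts, src in run_demo():
        print(f"[**] [1:10000002:1] LOIC UDP flooding  from {src} at t={ts:.3f}s")
    print("duplicate sids:", duplicate_sids(load_rules(RULES + DUPLICATE_RULE)))
```

Run it with python3: the flooding host produces exactly two alerts (at its 100th and 200th datagram, both inside the 5-second window) while the quiet host never reaches the count, and appending the duplicate rule reports sid 10000001 as reused. The same parser will accept any single-line rule that follows the header format the post gives above.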

Daemon

Re: IDS - Snort
« Reply #1 on: December 16, 2012, 10:54:57 pm »
Nice, and to the point. Thanks for uploading this, and I appreciate the links for further reading :)