Lab 14.1: Snort - squatchulator/Tech-Journal GitHub Wiki
Lab 14.1 - Snort Mini Lab (Project 3 Part 2)
, ,_
o'' )~
'' ''
Setup
- First we need to update our Jumpbox with the VSFTPD FTP server. It can be installed and started with:

```bash
sudo apt install vsftpd
sudo systemctl start vsftpd
```
- Now we need to update the Edge01 firewall to allow pings from DMZ to LAN and back, and FTP from the LAN to the DMZ:

```
set firewall name DMZ-to-LAN rule 30 action accept
set firewall name DMZ-to-LAN rule 30 description "Allow ICMP from DMZ to LAN"
set firewall name DMZ-to-LAN rule 30 icmp type-name echo-request
set firewall name LAN-to-DMZ rule 30 action accept
set firewall name LAN-to-DMZ rule 30 description "Allow ICMP from LAN to DMZ"
set firewall name LAN-to-DMZ rule 30 icmp type-name echo-request
set firewall name LAN-to-DMZ rule 40 action accept
set firewall name LAN-to-DMZ rule 40 description "Allow FTP from LAN to DMZ"
set firewall name LAN-to-DMZ rule 40 protocol tcp
set firewall name LAN-to-DMZ rule 40 destination port 21
commit
save
```
Installing SNORT on Zeek
- On the Zeek server, run `sudo apt install snort` to install it. If prompted, we are using the ens160 interface (DMZ), and HOME_NET needs to be set to 172.16.50.0/29. We can also run `snort -V` to make sure it installed OK.
- It didn't prompt me for the adapter, so edit `/etc/snort/snort.debian.conf` and make sure the right adapter is in there.
- Now, edit `/etc/snort/snort.conf` and make sure that `ipvar HOME_NET` is set correctly.
- Once that's done, edit the `/etc/snort/classification.config` file. Append this line to create a custom event type for our rules:

```
config classification: SEC350-event, SEC350 Test Event,1
```
- Now test the configs we edited with `sudo snort -T -i ens160 -c /etc/snort/snort.conf`. It should end with "Snort successfully validated the configuration".
Creating Custom Rule #1 - ICMP Ping Alerts
- Just to test if Snort works, we will make a new rule. To do so, edit the `/etc/snort/rules/local.rules` file and add the following line (note the quotes around the `msg` value must be plain ASCII double quotes; Snort rejects word-processor curly quotes):

```
alert icmp any any -> 172.16.50.4 any (msg:"Jump ICMP Test"; sid:1000001; rev:1; classtype:SEC350-event;)
```

- Now start Snort in IDS mode and tell it to output alerts to the console:

```bash
sudo snort -A console -q -c /etc/snort/snort.conf -i ens160
```

- Once you run this, perform a ping from Jump to Wks01 and some alerts should generate!
Creating Custom Rule #2 - HTTP From WKS01 to Nginx
- Edit the `/etc/snort/rules/local.rules` file again and add a line below our ICMP one that says:

```
alert tcp 172.16.150.100 any -> 172.16.50.3 any (msg:"WKS01 HTTP Connection"; sid:1000002; rev:1; classtype:SEC350-event;)
```

- Run `sudo snort -A console -q -c /etc/snort/snort.conf -i ens160` again and browse to Nginx from Wks01 to generate traffic.
Creating Custom Rule #3 - Failed FTP Logins
- Repeat the same process as above, but add the following line to `/etc/snort/rules/local.rules`:

```
alert tcp 172.16.50.4 21 -> any any (msg:"FTP Login Failed"; content:"530 Login incorrect"; sid:1000003; rev:1; classtype:SEC350-event;)
```
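The three rules above share one structure (header, then `;`-separated options), and the mistakes that stop `snort -T` from validating are small ones: curly quotes pasted from a document, a reused `sid`, or a `classtype` that was never added to classification.config. The following linter is an added example written for this page (not part of the wiki or of Snort) that parses a constructed copy of the lab's local.rules and flags those defects before you restart Snort; the set of known classtypes is an assumption standing in for the lab's classification.config.

```python
import re

# Constructed copy of the lab's three local.rules entries (not the wiki's own file).
LOCAL_RULES = """\
alert icmp any any -> 172.16.50.4 any (msg:"Jump ICMP Test"; sid:1000001; rev:1; classtype:SEC350-event;)
alert tcp 172.16.150.100 any -> 172.16.50.3 any (msg:"WKS01 HTTP Connection"; sid:1000002; rev:1; classtype:SEC350-event;)
alert tcp 172.16.50.4 21 -> any any (msg:"FTP Login Failed"; content:"530 Login incorrect"; sid:1000003; rev:1; classtype:SEC350-event;)
"""
# Assumed classtypes from classification.config: the lab's custom one plus two stock Snort ones.
KNOWN_CLASSTYPES = {"SEC350-event", "attempted-recon", "misc-activity"}
HEADER_RE = re.compile(
    r"^(?P<action>alert|log|pass|drop|reject|sdrop)\s+(?P<proto>tcp|udp|icmp|ip)\s+(?P<src>\S+)\s+"
    r"(?P<sport>\S+)\s+(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$")

def parse_rule(line):
    """Split a Snort 2 rule into header fields and an {option: value} dict (';' inside content must be |3B|)."""
    m = HEADER_RE.match(line.strip())
    if not m:
        raise ValueError("unparseable rule header")
    opts = {}
    for opt in m.group("opts").split(";"):
        if opt.strip():  # the trailing ';' leaves an empty field
            key, _, val = opt.strip().partition(":")
            opts[key.strip()] = val.strip().strip('"')
    return {**{k: m.group(k) for k in ("action", "proto", "src", "sport", "dir", "dst", "dport")}, "options": opts}

def lint_rules(text, known_classtypes=KNOWN_CLASSTYPES):
    """Return [(line_no, problem)] for defects that make `snort -T` fail or rules silently misbehave."""
    problems, seen_sids = [], {}
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "\u201c" in line or "\u201d" in line:  # word-processor quotes; Snort rejects them
            problems.append((n, "curly quotes: Snort only accepts ASCII double quotes"))
            line = line.replace("\u201c", '"').replace("\u201d", '"')
        try:
            opts = parse_rule(line)["options"]
        except ValueError as e:
            problems.append((n, str(e)))
            continue
        sid = opts.get("sid", "")
        if sid in seen_sids:
            problems.append((n, "duplicate sid %s (first used on line %d)" % (sid, seen_sids[sid])))
        elif not sid.isdigit() or int(sid) < 1000000:
            problems.append((n, "sid must be numeric and >= 1000000 for local rules"))
        seen_sids.setdefault(sid, n)
        if opts.get("classtype") not in known_classtypes:
            problems.append((n, "classtype missing or not defined in classification.config"))
    return problems
```

Run `lint_rules(open("/etc/snort/rules/local.rules").read())` on the real file; an empty list means the three checks passed and `snort -T` is the next step.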