IDS

SETTING UP SNORT : IDS BASIC CONFIGURATION

An IDS (Intrusion Detection System) is used to detect intruders who try to access the network or systems of an organisation. An IDS can be hardware or software based. Here we will be using SNORT, a software-based, open source network IDS/IPS.

We will be installing and configuring the IDS on a Windows machine.

We need to download the required files before installing:

WinPcap from this link

Notepad ++ from here

Snort Installer from this link

On the SNORT web page, click Get Started. In Step 1 you will find a list of operating systems; choose Windows, then download the installer.exe.

Then go back to the front page and click the Rules button. It will show the rule set packages, which you can't download without registration, so you need to sign up with the site before you can download the Rules.tar package. You can sign up either with a subscription or without one.

STEP 1:- Double click the WinPcap.exe file to install it in the directory where the OS is installed.

STEP 2:- Double click Snort_installer.exe and install it in the directory where the OS is installed.

STEP 3:- We can use normal Notepad for editing the configuration files, but Notepad++ is very useful because it shows line numbers.

STEP 4:- Extract the files and folders from the Snortrules-snapshot.tar file, then open that folder.

CONFIGURATION:

1) Open the extracted snortrules folder, navigate to the etc folder, copy the snort.conf file and paste it into the C:\Snort\etc\ folder.

2) Next, open the extracted folder, copy the so_rules and preproc_rules folders and paste them into the C:\Snort directory.

3) In the same way, copy the rules folder from the extracted folder to the C:\Snort path.

4) Now open the command prompt from Start by searching for cmd or command prompt, navigate to the Snort folder using the cd command, then move into the bin folder inside the Snort folder with cd bin. You can use dir to list the files in the directory.

5) Simply type snort and press Enter. You will see an Initialization complete message in the display; then press CTRL + C to exit Snort.

6) Use snort -W to display the network card drivers available in your system and their physical addresses. Note down the index number of your network card to use it later for packet capturing.

7) Then type snort -dev -i 4 and press Enter to start capturing packets from the network card, where -i specifies the network card interface by the index number noted in the previous step.

8) Scrolling text will be displayed in the Command Prompt showing Commencing packet processing (pid=2868), i.e. it is waiting for an intrusion. If an intrusion is made, it will raise an alert here in this scrolling output.

STEP 5:- Now navigate to the C:\Snort\etc directory and open the snort.conf file with Notepad++.

STEP 6:- Scroll down to the Step #1: Set the network variables section of the snort.conf file. In the HOME_NET line (line 45), replace any with the IP address of the machine on which the IDS is to be installed; here it is 192.168.0.106. The IP address may vary in your environment.

NOTE: Leave the EXTERNAL_NET, DNS, SMTP, HTTP, SQL, SSH and TELNET server entries as they are if you don’t have those servers running on your system. DO NOT make changes to those lines.

STEP 7:- Move to RULE_PATH (line 104). In line 104, replace ../so_rules with C:\Snort\so_rules

STEP 8:- In lines 109 and 110, replace ../rules with C:\Snort\rules

STEP 9:- Now move to the Step #4: Configure dynamic loaded libraries section. At line 243, replace the location /usr/local/lib/snort_dynamicpreprocessor/ with C:\Snort\lib\snort_dynamicpreprocessor.

At line 246, replace the dynamic engine location /usr/local/lib/snort_dynamicengine/libsf_engine.so with the new one, C:\Snort\lib\snort_dynamicengine\sf_engine.dll.

We have to comment out line 249, the dynamic rules library line, with #, as you have already configured the libraries in the dynamic preprocessor libraries line.

STEP 10:- Scroll down to Step #5: Configure preprocessors at line 253 (it may differ a bit in yours). We have to comment out the preprocessors listed in this section, lines 262-266, using #.

STEP 11:- Scroll down to line 326 and delete only the lzma keyword from that line.

Scroll down to Step #6: Configure output plugins (line 513). In lines 532 and 533, provide the locations of the files using these paths: C:\Snort\etc\classification.config and C:\Snort\etc\reference.config.

STEP 12:- At line 534, add a new line reading output alert_fast: alerts.ids. This line is used for dumping the logs to the alerts.ids file.

In the snort.conf file, find and replace the string ipvar with var. Press CTRL + H to open the Replace dialogue box, enter ipvar in the Find what box and var in the Replace with box, then click the Replace All button so that all instances are replaced at once.

STEP 13:- Scroll to lines 505-510 and remove the backslash at the end of each line.

Save the snort.conf file and close it
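Because the line numbers quoted in the steps above shift between Snort releases, a check by content is more reliable than a check by line number. The following is an added example, not part of the original post or of Snort: a small Python audit that flags active snort.conf lines the steps above should have changed. The sample excerpt and the function name audit_conf are constructed for illustration.

```python
import re

# Constructed excerpt of a partly edited snort.conf (illustrative, not from the post).
SAMPLE_CONF = r"""
var HOME_NET 192.168.0.106
ipvar EXTERNAL_NET any
var RULE_PATH ../rules
var SO_RULE_PATH C:\Snort\so_rules
dynamicpreprocessor directory C:\Snort\lib\snort_dynamicpreprocessor
dynamicengine /usr/local/lib/snort_dynamicengine/libsf_engine.so
# dynamicdetection directory /usr/local/lib/snort_dynamicrules
decompress_swf { deflate lzma } \
include C:\Snort\etc\classification.config
"""

# (finding, pattern that should no longer match any active line after the edits)
LEFTOVERS = [
    ("ipvar not replaced with var", re.compile(r"^\s*ipvar\b")),
    ("relative ../ path", re.compile(r"\.\./")),
    ("Linux library path", re.compile(r"/usr/local/lib/")),
    ("lzma keyword still present", re.compile(r"\blzma\b")),
    ("HOME_NET still set to any", re.compile(r"^\s*(ip)?var\s+HOME_NET\s+any\b")),
]

def audit_conf(text):
    """Return (line_number, finding) pairs for active lines that still need editing."""
    findings, active = [], []
    for number, line in enumerate(text.splitlines(), 1):
        # Commented-out and blank lines are ignored, as Snort ignores them.
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        active.append(line)
        for name, pattern in LEFTOVERS:
            if pattern.search(line):
                findings.append((number, name))
    # Step 12 adds this output line; line number 0 marks a file-level finding.
    if not any(re.match(r"\s*output\s+alert_fast:", line) for line in active):
        findings.append((0, "no 'output alert_fast:' line"))
    return findings

if __name__ == "__main__":
    for number, name in audit_conf(SAMPLE_CONF):
        print(f"line {number}: {name}")
```

Running snort -T -c C:\Snort\etc\snort.conf afterwards makes Snort itself test the configuration and exit.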

STEP 14:- We need to enable the rule set before launching Snort. We have to enable the ICMP rule so that Snort is able to detect any ping probes to the system on which Snort is running.

Type the following rule in line 21 and save it:

alert icmp $EXTERNAL_NET any -> $HOME_NET 192.168.0.106 (msg:"ICMP-INFO PING"; icode:0; itype:8; reference:arachnids,135; reference:cve,1999-0265; classtype:bad-unknown; sid:472; rev:7;)

NOTE: The IP address in HOME_NET may differ in your environment.

Then open Command Prompt, navigate to C:\Snort\bin, type snort -iX -A console -c C:\Snort\etc\snort.conf -l C:\Snort\log -K ascii and press Enter. Here X represents the index number of your device; replace it with yours.

Now Snort will actively look for any intrusion into the system. If any malicious activity or intrusion occurs, it will create a log and alert the user.

We can access the log files in the C:\Snort\log\IP folder, so we can inspect the logs for further investigation or for any security measures.
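For the log inspection mentioned above, the alerts written by the output alert_fast: alerts.ids line from Step 12 are one line each and easy to summarise. The following is an added example, not part of the original post: a Python parser for that one-line layout that counts ICMP-INFO PING alerts (sid 472) per source address. The sample lines, addresses and function names are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample in the alert_fast one-line layout (not real traffic);
# the last line imitates a partially written entry and must be skipped.
SAMPLE_ALERTS = """\
05/12-10:15:01.123456  [**] [1:472:7] ICMP-INFO PING [**] [Classification: Potentially Bad Traffic] [Priority: 2] {ICMP} 192.168.0.105 -> 192.168.0.106
05/12-10:15:02.130011  [**] [1:472:7] ICMP-INFO PING [**] [Classification: Potentially Bad Traffic] [Priority: 2] {ICMP} 192.168.0.105 -> 192.168.0.106
05/12-10:16:40.000321  [**] [1:472:7] ICMP-INFO PING [**] [Classification: Potentially Bad Traffic] [Priority: 2] {ICMP} 192.168.0.77 -> 192.168.0.106
05/12-10:16:41.0003
"""

ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification: (?P<cls>[^\]]*)\]\s+)?"   # absent when the rule has no classtype
    r"\[Priority: (?P<prio>\d+)\]\s+\{(?P<proto>[^}]+)\}\s+"
    r"(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s*$"          # TCP/UDP alerts carry ip:port here
)

def parse_alerts(text):
    """Return one dict per well-formed alert line; malformed lines are ignored."""
    alerts = []
    for line in text.splitlines():
        match = ALERT_RE.match(line)
        if match:
            alerts.append(match.groupdict())
    return alerts

def pings_per_source(alerts, sid="472"):
    """Count alerts for the given rule sid, grouped by source address."""
    return Counter(a["src"] for a in alerts if a["sid"] == sid)

if __name__ == "__main__":
    for src, count in pings_per_source(parse_alerts(SAMPLE_ALERTS)).most_common():
        print(f"{src}: {count} ping alert(s)")
```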

Snort works on IP tables with a set of rules to forward, drop and so on. We need to configure Snort on each and every system where we need it, so we can go with a hardware IDS like Juniper.

Knowledge of IDS and IPS is mandatory to become a quality penetration tester and security administrator, so that we can get to know about malicious network activity and log information.

That’s it for today guys, see you guys in another blog another day.

Bye Bye!
