Search

Setting up Snort: Intrusion Detection System Configuration

Introduction

IDS – Intrusion Detection System is used to detect for intruders who try to access the network of system in an organisation for snort IDS setup. An IDS can be an Hardware or Software IDS also, Here we will be using SNORT software based IDS, it is a open source network IDS/IPS.

We will be installing and configuring IDS in Windows Machine.

We need to Download the required files before installing

WinPcap from this link

Notepad ++ from here

Snort Installer from this link

In SNORT web page click Get started and in the Step 1 you will find lot of OS choose Windows, then download the installer.exe

Then go back to the front Page then Click on Rules Button then it will show you the rules set of packages which you can’t download without registration, so you need to sign up with the site then You can download the Rules.tar Package. You can go with either Signup with Subscription or Signup alone.

STEP 1:- Double click to install WinPcap.exe file to install it in the directory where OS is installed.

STEP 2:- Double click the Snort_installer.exe, Install it in the directory where he OS is installed.

STEP 3:- We can use Normal Notepad also for editing the configuration Files, but notepad++ will be very useful in editing with the line counts

STEP 4:- Extract the files and folders from Snortrules-snapshot.tar file then open that folder

CONFIGURATION:

1)Open the snortrules extracted folder then Navigate to etc folder then copy snort.conf file then paste it in C:Snortetc folder

2)Next open the Extracted Folder then Copy so_rules & preproc_rules folders then paste it in C:Snort Directory path.

3)Then like the same copy the rules folder from the extracted one to the C:Snort path.

4) Now open the command prompt from Start by searching cmd or command prompt then navigate to Snort Folder by using cd command then navigate to bin folder inside the Snort folder cd bin you can use Dir to list the files in the directory.

6) Use snort -W it will Display the Network Card drivers Available in your System, Physical Address Note down the Indexing Number of you Network Card to use it further for Packet capturing.

7) Then Use snort -dev -i 4 then press Enter to start capturing the packets from the Network card where -i represents the Network card driver interface
8) A scroll text will be displayed in Command Prompt showing Commencing packet processing (pid=2868), i.e it is waiting for the intrusion, if some intrusion is made it will Alert or create an alarm here in this Scroll.
STEP 5:-Now navigate to C:Snortetc Directory then open the snort.conf file with Notepad++
STEP 6:- Scroll downwards to Step #1: Set the network variables section in snort.conf file in the HOME_NET line (line 45) replace any with IP address of the Machine in which IDS is needs to be installed here it is 192.168.0.106. the IP address may vary in your environment.

NOTE: Leave EXTERNAL_NET, DNS, SMTP, HTTP, SQL, SSH, TELNET servers info if you don’t have those servers running in your system, DO NOT make changes to those lines.

STEP 7:- Move to RULE_PATH (Line 104). In line 104 replace ../so_rules with C:Snortso_rules

STEP 8:- In line 109 and 110 replace ../rules with C:Snortrules
STEP 9:- Now we can move to Section Step 4#: Configure Dynamic loaded libraries section, at line 243 replace the location from /usr/local/lib/snort_dynamicpreprocessor/ to C:Snortlibsnort_dynamicpreprocessor.
At line 246 replace dynamic engine location to new one from /usr/local/lib/snort_dynamicengine/libsf_engine.so to C:Snortlibsnort_dynamicenginesf_engine.dll.
We have to comment out line 249 with # the dynamic rules library line as you already configured the libraries in dynamic preprocessor libraries.

STEP 10:- Scroll down to Step 5#: Configure preprocesssors at line 253 it may change in yours a bit, we have to comment out the preprocessor listed in this section using # from 262-266

STEP 11:– Scroll down to line 326 and delete lzma keyword alone from that line.
Scroll down to Step #6: Configure output plugins (line 513), and in line 532 and 533 we will be providing the location of files in configuring output plugins using this paths i.e C:Snortetcclassification.config and C:Snortetcreference.config.
STEP 12:- At line 534 add a new line as output alert_fast: alerts.ids, this line is used for dumping the logs in alerts.ids file.
In snort.conf file find and replace ipvar string with var, you can use CTRL + h to open the replace dialogue box then find ipvar in Find What box then var in Replace with box the click Replace All button, so we can see all the instance were replaced at once.
STEP 13:- Scroll to the lines 505-510 to remove backslash at each end of the line for Snort IDS setup.
Save the snort.conf file and close it

Step 14:- We need to enable the rules set before launching Snort, we have to enable ICMP rule so that snort can able to detect any ping probes to the system having snort running.

Type alert icmp $EXTERNAL_NET any -> $HOME_NET 192.168.0.106 (msg:”ICMP-INFO PING”; icode:0; itype:8; reference:arachnids,135; reference:cve.1999-0265; classtype:bad-unknown; sid:472;rev:7;) in line 21 and save it. NOTE: IP address in HOME_NET may differ in Your environment.

Then open Command Prompt Navigate to C:Snortbin then type snort -iX -A console -c C:Snortetcsnort.conf -l C:Snortlog -K ascii then press Enter. Here we are using X that represents index number of your Device replace it with yours.
Now Snort will be Actively look up for any intrusion to the system if any malicious activities or any intrusion is made then it will create a log and it will alarm or alert the user with the triggers.
We can access the log files from C:SnortlogIP folder so we can inspect the logs for further investigation or for any security measures.

Snort works on IP tables with set of rules to forward, drop like things. we need to configure Snort in each and every system we need, so we can go with Hardware IDS like Juniper

Knowledge of IDS and IPS is mandatory to become a Quality Penetration Tester and Security Administrator, so that we can get to know about Malicious network activity, and log information.

That’s it for today guys, see you guys in another blog another day.

Bye Bye!

Book A Free Demo Class

    Social Media
    Facebook
    Twitter
    WhatsApp
    LinkedIn