
Homework 1: Snort

EDEI

Name

Adrián Falcón 144130


Gabriel Villaseñor 143344
Alejandro Galván 143258

Assignment

Redes de computadora II

PROFESSOR

Dr. Vicente Alarcón

PERIOD

Autumn 2015

Abstract
In this essay we will explain how Snort works, setting rules that help protect our
network from suspicious behavior in the net, and seeing its response when these
rules are triggered.
Keywords: Snort, network security, intrusion detection

Introduction
An IDS or Intrusion Detection System is a security tool that tries to detect or monitor
the events in a computer network.
Snort is an open source network intrusion detection system (IDS) capable of
performing real-time traffic analysis and packet-logging on IP networks. It can
perform protocol analysis, content searching & matching, and can be used to detect
a variety of attacks and probes, such as buffer overflows, stealth port scans, CGI
attacks, SMB probes, OS fingerprinting attempts and more. Snort was created by
Martin Roesch in 1998.
Rules are based on detecting the actual vulnerability, not an exploit or a unique piece
of data. Developing a rule requires an acute understanding of how the vulnerability
actually works.
Snort has three primary uses. It can be used as a:
- straight packet sniffer like tcpdump or libpcap
- packet logger (useful for network traffic debugging and so on)
- full-blown network intrusion prevention system

fragroute intercepts, modifies, and rewrites egress traffic destined for a specified
host, implementing most of the attacks described in the Secure Networks "Insertion,
Evasion, and Denial of Service: Eluding Network Intrusion Detection" paper of
January 1998.
It features a simple rule set language to delay, duplicate, drop, fragment, overlap,
print, reorder, segment, source-route, or otherwise monkey with all outbound
packets destined for a target host, with minimal support for randomized or
probabilistic behavior.
This tool was written in good faith to aid in the testing of network intrusion detection
systems, firewalls, and basic TCP/IP stack behavior.
PuTTY is an SSH and telnet client, developed originally by Simon Tatham for the
Windows platform. PuTTY is open source software that is available with source
code and is developed and supported by a group of volunteers.

Description
How is our network designed?

Picture 1. Network architecture

In reality, the SSH and Telnet servers run inside the gateway computer, which
also is the host where we run Snort.
Firstly, because of the limitations of IDSCenter, namely incompatibility with current
OS versions, we decided to deploy Snort in our Linux system.
The snort.conf rule file was created using vim in the terminal. Snort requires an SID
to be included in every rule.
Then Snort was launched directly, using the -v switch for verbose output. The -i
switch was also necessary to select the appropriate network interface:
> sudo snort -i eth0 -v

Picture 2. Snort Rules


In Picture 2 we show the Snort rules used throughout this first assignment.
The first rule was (the msg string must be quoted, and a sid is required for the rule to load):
alert tcp 192.168.1.35 any -> any any (msg:"Traffic from 192.168.1.35"; sid:1;)

Picture 3. Snort Alert

In Picture 3 the terminal shows the Snort alert log, where Snort saves each alert as
the event occurs (/var/log/snort/alert.log). In real-world applications, a
program will monitor this file for changes to trigger an event when an alert is raised.
The second and third rules were:

Picture 4. Second Rule

Picture 5.Third Rule


For the second and third rules, as shown in Picture 5 and Picture 6, we changed
the IP address of the intruder computer so as to originate the connection from
outside the authorized address (the application gateway).

Picture 6. Intruder computer configuration.

Since these rules are set to detect SSH and Telnet, we used PuTTY to initiate the
connections.

Rule No. 4:
alert tcp any any -> $HOMENET :2600 (msg:"TCP traffic in range"; sid:4;)

Picture 7. Fourth Rule


In this rule, the TCP connection was configured in order to have a threshold for ports
greater than or equal to 2600.

Rule No. 5:
In this rule, the traffic from any port less than or equal to 6000 is logged.
alert udp any any -> $HOMENET 5000: (msg:"UDP traffic in range"; sid:5;)

Picture 8. Fifth Rule

Picture 9. Configuration

Rule No. 6:
alert tcp any any -> $HOMENET any (flags:A; ack:0; msg:"NMAP TCP Ping"; sid:6;)
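To make the header and option syntax of rules 1, 4, 5 and 6 concrete, here is an added example (not part of the assignment or of Snort itself): a minimal matcher that parses those rules and reports which sids a packet would trigger. It assumes $HOMENET is 192.168.1.0/24, which the page never states, and the packets it is fed are constructed for the example.

```python
import ipaddress
import re
# Added example (not from the assignment): a minimal matcher for the header and
# option syntax of the rules above, repeated here with the quoting and sid Snort
# requires. $HOMENET is assumed to be 192.168.1.0/24 (the page never says).
HOMENET = ipaddress.ip_network("192.168.1.0/24")
RULE_TEXT = """
alert tcp 192.168.1.35 any -> any any (msg:"Traffic from 192.168.1.35"; sid:1;)
alert tcp any any -> $HOMENET :2600 (msg:"TCP traffic in range"; sid:4;)
alert udp any any -> $HOMENET 5000: (msg:"UDP traffic in range"; sid:5;)
alert tcp any any -> $HOMENET any (flags:A; ack:0; msg:"NMAP TCP Ping"; sid:6;)
"""
HEADER = re.compile(r"^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+->\s+(\S+)\s+(\S+)\s+\((.*)\)$")

def parse_rule(line):
    # 'action proto src sport -> dst dport (opt:val; opt:val; ...)'
    _, proto, src, sport, dst, dport, opts = HEADER.match(line).groups()
    options = {}
    for opt in filter(None, (o.strip() for o in opts.split(";"))):
        key, _, val = opt.partition(":")
        options[key.strip()] = val.strip().strip('"')
    if "sid" not in options:  # Snort rejects a rule without a sid
        raise ValueError("rule without sid: " + line)
    return {"proto": proto.lower(), "src": src, "sport": sport, "dst": dst, "dport": dport, "opts": options}

def addr_matches(spec, addr):
    # 'any', the $HOMENET variable, a single host or a CIDR block
    net = HOMENET if spec == "$HOMENET" else ipaddress.ip_network("0.0.0.0/0" if spec == "any" else spec, strict=False)
    return ipaddress.ip_address(addr) in net

def port_matches(spec, port):
    # 'any', one port, or a Snort range: ':2600' means <= 2600, '5000:' means >= 5000
    if spec == "any":
        return True
    lo, sep, hi = spec.partition(":")
    if not sep:
        return port == int(lo)
    return (not lo or int(lo) <= port) and (not hi or port <= int(hi))

def rule_matches(rule, pkt):
    header_ok = (rule["proto"] == pkt["proto"]
                 and addr_matches(rule["src"], pkt["src"]) and port_matches(rule["sport"], pkt["sport"])
                 and addr_matches(rule["dst"], pkt["dst"]) and port_matches(rule["dport"], pkt["dport"]))
    o = rule["opts"]  # flags:A means exactly the ACK bit set; ack:0 means ack number zero
    flags_ok = "flags" not in o or set(o["flags"]) == set(pkt.get("flags", ""))
    ack_ok = "ack" not in o or int(o["ack"]) == pkt.get("ack")
    return header_ok and flags_ok and ack_ok

RULES = [parse_rule(l) for l in RULE_TEXT.strip().splitlines()]

def alerts(pkt):
    # sids of every rule this packet would trigger, in rule-file order
    return [int(r["opts"]["sid"]) for r in RULES if rule_matches(r, pkt)]
```

A constructed TCP packet from 192.168.1.35 to port 22 inside $HOMENET fires sids 1 and 4, while a bare ACK with acknowledgement number 0 to port 80 fires sids 4 and 6, which is the NMAP TCP ping signature rule 6 describes.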

Conclusions.
In conclusion, we learned how to perform an attack and how to detect when an
intruder is attempting one in the network. Furthermore, we could set some rules that
we learned in class which is fundamental in network administration and very
important in network security. The ability to perform an attack with the purpose of
knowing the different methods that a hacker could use against us can give us
experience in real scenarios in which we need to think like an intruder and keep our
network safe.

