Untitled

Snort Lab
Background
The Snort program (www.snort.org) is an open source IDS and intrusion prevention system (IPS) that provides extensive rule sets that are frequently updated with new attack vectors. Any questionable activity can be sent to a logging host, and several open source log-processing tools are available to help make sense of the information gathered (for example, the Basic Analysis and Security Engine, or BASE). Running Snort on a Linux system that is located at a key entry/exit point in your network is a great way to track the activity without your having to set up a proxy for each protocol that you want to support.

1.	Get and install Snort:
From Source:
wget https://snort.org/downloads/snort/daq-2.0.6.tar.gz
wget https://snort.org/downloads/snort/snort-2.9.12.tar.gz
tar xvzf daq-2.0.6.tar.gz
sudo apt install bison
sudo apt install flex
cd daq-2.0.6
./configure && make && sudo make install
cd ..
tar xvzf snort-2.9.12.tar.gz
cd snort-2.9.12
./configure --enable-sourcefire && make && sudo make install

Easy way:
sudo apt install snort
tab OK -> replace eth0 with enp0s3
tab OK

2.	Sniffer Mode
a.	Run Snort and just show the IP and TCP/UDP/ICMP header:

./snort -v

b.	Display the packet data as well as the headers.

./snort -vde or ./snort -d -v -e

3.	Packet Logger Mode
a.	Create a directory named log in the current directory.
b.	Print out the data link and TCP/IP headers as well as application data into the directory ./log, and you want to log the packets relative to the 192.168.1.0 class C network. All incoming packets will be recorded into subdirectories of the log directory, with the directory names being based on the address of the remote (non-192.168.1) host.

./snort -dev -l ./log

c.	In order to log relative to the home network, you need to tell Snort which network is the home network:

./snort -dev -l ./log -h 192.168.1.0/24

d.	Binary mode logs the packets in tcpdump format to a single binary file in the logging directory:

./snort -l ./log -b

Note the command line changes here. We don’t need to specify a home network any longer because binary mode logs everything into a single file, which eliminates the need to tell it how to format the output directory structure.
e.	Snort can read the packets back out of the file with the -r switch (playback mode).

	./snort -dv -r packet.log

f.	You can manipulate the data in the file in a number of ways through Snort’s packet logging and intrusion detection modes, as well as with the BPF interface that’s available from the command line. Show the ICMP packets from the log file. Specify a BPF filter at the command line:

./snort -dvr packet.log icmp

4.	Network Intrusion Detection System (NIDS) mode, which performs detection and analysis on network traffic. This is the most complex and configurable mode.
a.	Enable NIDS mode in its most basic NIDS form, logging packets that trigger rules specified in the snort.conf in plain ASCII to disk using a hierarchical directory structure:

./snort -dev -l ./log -h 192.168.1.0/24 -c snort.conf

Six modes accessed with the -A command line switch are:

b.	Use the following command line to log to default (decoded ASCII) facility and send alerts to syslog:

./snort -c snort.conf -l ./log -h 192.168.1.0/24 -s

c.	As another example, use the following command line to log to the default facility in /var/log/snort and send alerts to a fast alert file:

./snort -c snort.conf -A fast -h 192.168.1.0/24

5.	Running Snort as a Daemon Running Snort as a Daemon. Add the -D switch to any combination. If you want to be able to restart Snort by sending a SIGHUP signal to the daemon, you must specify the full path to the Snort binary when you start it  Relative paths are not supported due to security concerns. Try this:

/usr/local/bin/snort -d -h 192.168.1.0/24 \
-l /var/log/snortlogs -c /usr/local/etc/snort.conf -s –D


sudo apt update
sudo apt install libpcap-dev