
Page 1: IE434_144130_143344_143258-1

Abstract

In this report we explain how Snort works, write rules that help protect our network from suspicious behavior on the net, and observe Snort's response when those rules are triggered.

Keywords: Snort, network security, intrusion detection

Introduction

An IDS (Intrusion Detection System) is a security tool that monitors the events in a computer network and reports those that look like attacks or policy violations. Snort is an open source network intrusion detection system capable of performing real-time traffic analysis and packet logging on IP networks. It can perform protocol analysis and content searching and matching, and it can be used to detect a variety of attacks and probes, such as buffer overflows, stealth port scans, CGI attacks, SMB probes, OS fingerprinting attempts and more. Snort was created by Martin Roesch in 1998. Good Snort rules are written to detect the actual vulnerability, not one particular exploit or a unique piece of data, so developing a rule requires an acute understanding of how the vulnerability works. Snort has three primary uses. It can be used as:

• a straight packet sniffer, like tcpdump or libpcap;
• a packet logger (useful for network traffic debugging and so on);
• a full-blown network intrusion prevention system.

EDEI

Homework 1: Snort

Name: Adrián Falcón 144130, Gabriel Villaseñor 143344, Alejandro Galván 143258

Course: Redes de computadora II (Computer Networks II)

Professor: Dr. Vicente Alarcón

Period: Autumn 2015


fragroute intercepts, modifies, and rewrites egress traffic destined for a specified host, implementing most of the attacks described in the Secure Networks paper "Insertion, Evasion, and Denial of Service: Eluding Network Intrusion Detection" of January 1998. It features a simple rule set language to delay, duplicate, drop, fragment, overlap, print, reorder, segment, source-route, or otherwise monkey with all outbound packets destined for a target host, with minimal support for randomized or probabilistic behavior. The tool was written in good faith to aid in the testing of network intrusion detection systems, firewalls, and basic TCP/IP stack behavior.

PuTTY is an SSH and Telnet client, developed originally by Simon Tatham for the Windows platform. PuTTY is open source software that is available with source code and is developed and supported by a group of volunteers.

Description

How is our network designed?

Picture 1. Network architecture


In reality, the SSH and Telnet servers run inside the "gateway" computer, which is also the host where we run Snort. Because of the limitations of IDSCenter, namely its incompatibility with current OS versions, we decided to deploy Snort on our Linux system. The snort.conf rule file was created with vim in the terminal; Snort requires a sid option in every rule. Snort was then launched directly, with the -v switch for verbose output. The -i switch was also necessary to select the appropriate network interface:

> sudo snort -i eth0 -v

Note that -v on its own runs Snort in sniffer mode and only prints packet headers to the console. For the rules in snort.conf to be applied, Snort must also be pointed at that file with -c (for example sudo snort -i eth0 -c /etc/snort/snort.conf, the path being whatever the configuration was saved as), and -A console can be added to print alerts on the terminal as well as writing them to the log directory.

Picture 2. Snort Rules

Picture 2 shows the Snort rules used throughout this first assignment. The first rule was:

alert tcp 192.168.1.35 any -> any any (msg:"Traffic from 192.168.1.35"; sid:1;)

It raises an alert on every TCP packet whose source address is 192.168.1.35, whatever the ports or the destination.


Picture 3 shows the terminal with the Snort alert log, where Snort appends each alert as the event occurs (/var/log/snort/alert.log). In real-world deployments a program monitors this file for changes and triggers an action when an alert is raised. The second and third rules were:

Picture 3. Snort Alert

Picture 4. Second Rule


Picture 5. Third Rule

For the second and third rules, as shown in Pictures 5 and 6, we changed the IP address of the intruder computer so that the connection originates from outside the authorized address (the application gateway). Since these rules are set to detect SSH and Telnet, we used PuTTY to initiate the connections.

Picture 6. Intruder computer configuration.
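The alert file shown in Picture 3 is what a monitoring program would watch. The following Python script is an added example written for this report, not code from the original lab or from the Snort project: it parses lines in Snort's alert_fast format (one line per event), can follow the file the way tail -f does, and flags any source address that has tripped more than one distinct rule, which in this lab is the pattern a scanning intruder produces. The sample lines are constructed, not captured output, and the alert path, the rule numbers and the alert_fast format are assumptions about the lab setup.

```python
"""Watch a Snort alert_fast log and react to the alerts it records.

Added example for this report; not code from the lab or from the Snort
project.  Assumptions: alerts are written in Snort's alert_fast format and
addresses are IPv4.
"""
import re
import time
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, Iterator, Optional

# One alert_fast line looks like:
#   10/05-21:14:09.554210  [**] [1:4:0] TCP traffic in range [**] [Priority: 0] {TCP} 192.168.1.77:50311 -> 192.168.1.35:23
# The Classification field only appears when the rule has a classtype, and
# ICMP events carry no port numbers, so both are optional in the pattern.
FAST_ALERT_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}-\d{2}:\d{2}:\d{2}\.\d+)\s+"
    r"\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?"
    r"\[Priority:\s*(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>[A-Z0-9]+)\}\s+"
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s*$"
)


@dataclass(frozen=True)
class Alert:
    timestamp: str
    gid: int
    sid: int
    rev: int
    msg: str
    classification: Optional[str]
    priority: int
    proto: str
    src: str
    sport: Optional[int]
    dst: str
    dport: Optional[int]


def parse_alert(line: str) -> Optional[Alert]:
    """Return an Alert for a well-formed alert_fast line, else None."""
    m = FAST_ALERT_RE.match(line.strip())
    if not m:
        return None
    g = m.groupdict()
    return Alert(
        timestamp=g["ts"], gid=int(g["gid"]), sid=int(g["sid"]), rev=int(g["rev"]),
        msg=g["msg"], classification=g["cls"], priority=int(g["prio"]),
        proto=g["proto"], src=g["src"],
        sport=int(g["sport"]) if g["sport"] else None,
        dst=g["dst"], dport=int(g["dport"]) if g["dport"] else None,
    )


def triage(lines: Iterable[str], min_distinct_rules: int = 2) -> Dict[str, object]:
    """Count hits per sid and flag sources that tripped several different rules.

    A host that hits the port-range rules and the NMAP TCP Ping rule in the
    same batch is scanning, not making one stray connection.  Unparseable
    lines are counted rather than allowed to crash the watcher.
    """
    by_sid: Counter = Counter()
    rules_per_src: Dict[str, set] = defaultdict(set)
    skipped = 0
    for line in lines:
        if not line.strip():
            continue
        alert = parse_alert(line)
        if alert is None:
            skipped += 1
            continue
        by_sid[alert.sid] += 1
        rules_per_src[alert.src].add(alert.sid)
    suspects = sorted(src for src, sids in rules_per_src.items()
                      if len(sids) >= min_distinct_rules)
    return {"by_sid": dict(by_sid), "suspects": suspects, "skipped": skipped}


def follow(path: str, poll_seconds: float = 1.0) -> Iterator[str]:
    """Yield lines as Snort appends them to `path` (the tail -f part)."""
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        fh.seek(0, 2)                     # start at the end: only new alerts
        while True:
            line = fh.readline()
            if line:
                yield line
            else:
                time.sleep(poll_seconds)


# Constructed sample of what the lab's alert file could hold after rules 1, 4,
# 5 and 6 fire (made up for this example, not real captured output).
SAMPLE_ALERTS = [
    "10/05-21:14:02.118329  [**] [1:1:0] Traffic from 192.168.1.35 [**] [Priority: 0] {TCP} 192.168.1.35:41002 -> 192.168.1.50:22",
    "10/05-21:14:09.554210  [**] [1:4:0] TCP traffic in range [**] [Priority: 0] {TCP} 192.168.1.77:50311 -> 192.168.1.35:23",
    "10/05-21:14:09.554987  [**] [1:6:0] NMAP TCP Ping [**] [Priority: 0] {TCP} 192.168.1.77:50312 -> 192.168.1.35:80",
    "10/05-21:14:10.003311  [**] [1:5:0] UDP traffic in range [**] [Priority: 0] {UDP} 192.168.1.77:5353 -> 192.168.1.35:5353",
    "10/05-21:14:12.771004  [**] [1:6:0] NMAP TCP Ping [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.0.0.9:60000 -> 192.168.1.35:443",
    "this line is not an alert",
]

if __name__ == "__main__":
    print(triage(SAMPLE_ALERTS))
    # Live use:  for raw in follow("/var/log/snort/alert.log"): print(parse_alert(raw))
```

Only 192.168.1.77 is reported as a suspect: it hit three different rules, whereas 10.0.0.9 hit only the NMAP rule and 192.168.1.35 only its own rule. Tools such as Barnyard2 or a SIEM agent do the same job in production; the script shows what they need to parse.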


Rule No. 4:

alert tcp any any -> $HOMENET :2600 (msg:"TCP traffic in range"; sid:4;)

Picture 7. Fourth Rule

In this rule the destination port field is written as :2600, which in Snort's port-range syntax means every port up to and including 2600. The rule therefore alerts on TCP traffic from anywhere to any $HOMENET host with a destination port of 2600 or below. ($HOMENET must be defined in snort.conf, for example with ipvar or var, or Snort will refuse to load the rule.)

Rule No. 5: this rule alerts on UDP traffic from anywhere to $HOMENET with a destination port of 5000 or above, since 5000: means port 5000 and every port above it.

alert udp any any -> $HOMENET 5000: (msg:"UDP traffic in range"; sid:5;)


Picture 8. Fifth Rule


Rule No. 6:

alert tcp any any -> $HOMENET any (flags: A; ack: 0; msg:"NMAP TCP Ping"; sid:6;)

This rule alerts on any TCP packet to $HOMENET that has only the ACK flag set (flags: A) and an acknowledgment number of zero (ack: 0). An ACK-only segment acknowledging sequence number zero essentially never occurs in a legitimate established connection, but it is exactly what the classic Nmap TCP ping host-discovery probe sent, which is why the rule carries that name. Treat it as one indicator rather than a definitive detection: a probe tool can trivially choose a non-zero acknowledgment number and slip past it.

Picture 9. Configuration
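Rules 4, 5 and 6 hinge on two pieces of Snort syntax that are easy to misread: the port ranges :2600 and 5000:, and the flags/ack options. The following Python script is an added example written for this report (not code from the lab or from Snort itself) that re-implements just enough of Snort's rule matching to evaluate the report's rules 1, 4, 5 and 6 against constructed packets, so the semantics can be checked without a live sensor. The HOMENET value 192.168.1.0/24, the Packet and Rule helpers and all packets are assumptions that do not appear in the original report.

```python
"""Evaluate the report's Snort rules against constructed packets.

Added example for this report, not code from the original lab or from Snort.
It implements only what these rules use: protocol; address as a literal,
`any` or `$VARIABLE`; port ranges such as `:2600` and `5000:`; and the
plain `flags` and `ack` options.  The value of HOMENET is assumed.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Assumed snort.conf line (the report does not show it):  ipvar HOMENET 192.168.1.0/24
VARIABLES = {"HOMENET": ipaddress.ip_network("192.168.1.0/24")}

RULE_RE = re.compile(
    r"^(?P<action>alert|log|pass)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)"
    r"\s+->\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s+\((?P<opts>.*)\)\s*$"
)


@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    flags: str = ""     # TCP flag letters as Snort writes them: "S", "A", "SA", ...
    ack: int = 0        # TCP acknowledgment number


@dataclass(frozen=True)
class Rule:
    proto: str
    src: str
    sport: Tuple[int, int]
    dst: str
    dport: Tuple[int, int]
    options: Dict[str, str]


def parse_port(spec: str) -> Tuple[int, int]:
    """Snort port field -> inclusive (low, high).

    `any` -> 0..65535, `:2600` -> 0..2600, `5000:` -> 5000..65535,
    `20:25` -> 20..25, `22` -> 22..22.  So `:2600` is "2600 and below".
    """
    if spec == "any":
        return (0, 65535)
    if ":" in spec:
        lo, hi = spec.split(":", 1)
        return (int(lo) if lo else 0, int(hi) if hi else 65535)
    return (int(spec), int(spec))


def parse_options(text: str) -> Dict[str, str]:
    """`msg:"x"; sid:4;` -> {"msg": "x", "sid": "4"} (assumes no ';' inside values)."""
    opts: Dict[str, str] = {}
    for item in text.split(";"):
        if item.strip():
            key, _, val = item.partition(":")
            opts[key.strip()] = val.strip().strip('"')
    return opts


def parse_rule(text: str) -> Rule:
    m = RULE_RE.match(text.strip())
    if not m:
        raise ValueError("unsupported rule syntax: " + text)
    return Rule(m["proto"].lower(), m["src"], parse_port(m["sport"]),
                m["dst"], parse_port(m["dport"]), parse_options(m["opts"]))


def addr_matches(spec: str, addr: str) -> bool:
    if spec == "any":
        return True
    net = VARIABLES[spec[1:]] if spec.startswith("$") else ipaddress.ip_network(spec, strict=False)
    return ipaddress.ip_address(addr) in net


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    if rule.proto != pkt.proto:
        return False
    if not (addr_matches(rule.src, pkt.src) and addr_matches(rule.dst, pkt.dst)):
        return False
    if not (rule.sport[0] <= pkt.sport <= rule.sport[1]
            and rule.dport[0] <= pkt.dport <= rule.dport[1]):
        return False
    # Plain `flags:A` means exactly the ACK bit and nothing else (the + and *
    # modifiers are not implemented here); `ack:0` compares the ack number.
    if "flags" in rule.options and set(rule.options["flags"]) != set(pkt.flags):
        return False
    if "ack" in rule.options and int(rule.options["ack"]) != pkt.ack:
        return False
    return True


# Rules 1, 4, 5 and 6 from the report (rule 1 given the sid every rule needs).
LAB_RULES: List[Rule] = [parse_rule(r) for r in (
    'alert tcp 192.168.1.35 any -> any any (msg:"Traffic from 192.168.1.35"; sid:1;)',
    'alert tcp any any -> $HOMENET :2600 (msg:"TCP traffic in range"; sid:4;)',
    'alert udp any any -> $HOMENET 5000: (msg:"UDP traffic in range"; sid:5;)',
    'alert tcp any any -> $HOMENET any (flags: A; ack: 0; msg:"NMAP TCP Ping"; sid:6;)',
)]


def alert_msgs(pkt: Packet, rules: List[Rule] = LAB_RULES) -> List[str]:
    """The msg of every rule the packet would trigger, in rule-file order."""
    return [r.options.get("msg", "") for r in rules if rule_matches(r, pkt)]


if __name__ == "__main__":
    # Constructed packets: a SYN to SSH, an ACK-only probe with ack 0 to a high
    # port, and a normal ACK inside an established session to SSH.
    for p in (Packet("tcp", "10.0.0.9", 40000, "192.168.1.35", 22, flags="S"),
              Packet("tcp", "10.0.0.9", 40000, "192.168.1.35", 8080, flags="A", ack=0),
              Packet("tcp", "10.0.0.9", 40000, "192.168.1.35", 22, flags="A", ack=987654)):
        print(p.dport, p.flags, p.ack, "->", alert_msgs(p))
```

The SYN to port 22 triggers only rule 4, the ACK probe to port 8080 only rule 6 (8080 is above 2600), and the established-session ACK to port 22 only rule 4 because its acknowledgment number is not zero. An ACK-only probe with ack 0 to port 22 would trigger both.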


Conclusions

In conclusion, we learned how to perform an attack and how to detect when an intruder is attempting one on the network. Furthermore, we were able to write some of the rules we learned in class, which is fundamental in network administration and very important in network security. Performing an attack ourselves, in order to know the methods a hacker could use against us, gives us experience with real scenarios in which we need to think like an intruder to keep our network safe.
