Objective
Learn how to use an Intrusion Detection System (IDS), specifically Snort, to detect network scanning activities and customize detection rules.
Scenario
You are a cybersecurity analyst responsible for monitoring network traffic and detecting suspicious activities. One common method attackers use for reconnaissance is port scanning to discover open ports and services. In this exercise, you’ll set up Snort to detect scanning behavior, perform a network scan using Nmap, and customize Snort rules to generate alerts for port scanning attempts.
⚠️ Important: This exercise should be performed in a legal and controlled lab environment. Unauthorized scanning or intrusion detection deployment on networks without permission is illegal.
Lab Instructions
Step 1: Install Snort
Linux (Ubuntu/Debian):
sudo apt update
sudo apt install snort -y
Verify Installation:
snort -V
This should display the Snort version and build details.
Step 2: Configure Snort
Edit the Snort configuration file:
sudo nano /etc/snort/snort.conf
Set the correct network interface in the configuration:
ipvar HOME_NET <your_network_IP_range>
Example: ipvar HOME_NET 192.168.1.0/24
Step 3: Start Snort in IDS Mode
Launch Snort to monitor network traffic:
sudo snort -A console -i <network_interface> -c /etc/snort/snort.conf
Replace <network_interface> with your active interface (e.g., eth0, wlan0).
Step 4: Perform a Network Scan with Nmap
On a separate machine, perform a port scan on the Snort-monitored machine:
nmap -sS <target-ip>
-sS: Stealth SYN scan.
Run a more aggressive scan:
nmap -A <target-ip>
Step 5: Analyze Snort Logs
Review Snort's console output for alerts related to port scanning. Snort will generate alerts like:
[**] [1:1234:1] TCP SYN scan detected [**]
[Classification: Attempted Information Leak] [Priority: 2]
You can also check the log file:
sudo cat /var/log/snort/alert
Step 6: Customize Snort Rules
Add a custom rule to detect SYN scans:
sudo nano /etc/snort/rules/local.rules
Add the following rule:
alert tcp any any -> $HOME_NET any (flags:S; msg:"TCP SYN Scan Detected"; sid:1000001; rev:1;)
Reload Snort to apply the new rule:
sudo snort -A console -i <network_interface> -c /etc/snort/snort.conf
Step 7: Test Custom Rule
- Re-run the Nmap scan to trigger the custom alert:
nmap -sS <target-ip>
- Verify that the custom alert appears in Snort’s console or log file.
Solution & Explanation
How Snort Detects Scanning
- Snort uses predefined and custom rules to analyze traffic patterns.
- SYN scans are detected by identifying packets with the SYN flag without a completed TCP handshake.
Custom Rule Breakdown
- alert tcp any any -> $HOME_NET any: Monitors all TCP traffic, from any source address and port, targeting any port in the home network.
- flags:S: Triggers on packets with only the SYN flag set.
- msg:"TCP SYN Scan Detected": Custom alert message.
- sid:1000001: Unique rule ID (local rules use sids of 1000000 and above).
- rev:1: Revision number of the rule.
Testing & Verification
- Confirm that Snort generates alerts when a scan is detected.
- Check that the custom rule triggers specifically for SYN scans.
- Analyze logs to verify the accuracy and relevance of the alerts.
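To make the log-analysis step concrete, here is an added Python script (not part of the original lab) that parses Snort's fast-format alert file and groups the custom rule's alerts by source address. Because the rule fires on every SYN, one alert is just a connection attempt; it is the number of distinct destination ports hit by a single source that separates a scan from normal traffic. The sample lines are constructed to follow the layout Snort writes to /var/log/snort/alert, and the sid, the three-port threshold and the addresses are assumptions for this example.

```python
import re
from collections import defaultdict

# Snort "fast" alert layout (/var/log/snort/alert): <ts>  [**] [gid:sid:rev] <msg> [**] ... {PROTO} src:sport -> dst:dport
ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\].*?\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)"
)

# Constructed sample alerts (made-up addresses/timestamps): four SYNs from .50 to four ports, one normal SYN from .20.
SAMPLE_ALERTS = """\
03/15-10:02:11.104233  [**] [1:1000001:1] TCP SYN Scan Detected [**] [Priority: 0] {TCP} 192.168.1.50:41002 -> 192.168.1.10:22
03/15-10:02:11.104811  [**] [1:1000001:1] TCP SYN Scan Detected [**] [Priority: 0] {TCP} 192.168.1.50:41002 -> 192.168.1.10:80
03/15-10:02:11.105390  [**] [1:1000001:1] TCP SYN Scan Detected [**] [Priority: 0] {TCP} 192.168.1.50:41002 -> 192.168.1.10:443
03/15-10:02:11.105977  [**] [1:1000001:1] TCP SYN Scan Detected [**] [Priority: 0] {TCP} 192.168.1.50:41002 -> 192.168.1.10:3306
03/15-10:02:12.000120  [**] [1:1000001:1] TCP SYN Scan Detected [**] [Priority: 0] {TCP} 192.168.1.20:52110 -> 192.168.1.10:443
"""

def parse_alert(line):
    """Return the fields of one fast-format alert line, or None if it does not match."""
    m = ALERT_RE.match(line)
    if m is None:
        return None
    fields = m.groupdict()
    fields["dport"] = int(fields["dport"])
    return fields

def summarize_scans(lines, sid="1000001", min_ports=3):
    """Group alerts for one sid by source IP; a source hitting >= min_ports distinct
    destination ports is flagged (one SYN per connection is normal, many ports is a scan)."""
    ports_by_src = defaultdict(set)
    alerts_by_src = defaultdict(int)
    for line in lines:
        alert = parse_alert(line)
        if alert is None or alert["sid"] != sid:
            continue
        ports_by_src[alert["src"]].add(alert["dport"])
        alerts_by_src[alert["src"]] += 1
    return {
        src: {"alerts": alerts_by_src[src], "ports": sorted(ports),
              "likely_scan": len(ports) >= min_ports}
        for src, ports in ports_by_src.items()
    }

if __name__ == "__main__":
    # On a real sensor, read open("/var/log/snort/alert") instead of the constructed sample.
    for src, info in summarize_scans(SAMPLE_ALERTS.splitlines()).items():
        print(f"{src}: {info['alerts']} alerts on ports {info['ports']} -> "
              f"{'LIKELY SCAN' if info['likely_scan'] else 'normal'}")
```

The same per-source counting can be done inside the sensor by adding Snort's detection_filter keyword (track by_src, count, seconds) to the rule, which keeps a single SYN from raising an alert at all.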
Additional Script (Optional)
Automate Snort setup and custom rule deployment:
#!/bin/bash
# setup_snort.sh: install Snort, set HOME_NET and deploy the custom SYN scan rule.
set -euo pipefail

# Install Snort
sudo apt update
sudo apt install snort -y
# Configure HOME_NET (adjust the range to your lab network)
sudo sed -i 's/ipvar HOME_NET any/ipvar HOME_NET 192.168.1.0\/24/' /etc/snort/snort.conf
# Add custom rule for SYN scan detection; skip it if the sid is already present
# so that re-running the script does not append a duplicate rule
RULE='alert tcp any any -> $HOME_NET any (flags:S; msg:"TCP SYN Scan Detected"; sid:1000001; rev:1;)'
if ! sudo grep -q 'sid:1000001;' /etc/snort/rules/local.rules; then
    echo "$RULE" | sudo tee -a /etc/snort/rules/local.rules
fi
# Validate the configuration before restarting so a syntax error does not leave Snort down
sudo snort -T -c /etc/snort/snort.conf
# Restart Snort
sudo systemctl restart snort
Run the script:
chmod +x setup_snort.sh
sudo ./setup_snort.sh
Conclusion
In this exercise, you installed and configured Snort to detect port scanning activities. You performed network scans using Nmap and analyzed the generated alerts. Additionally, you created a custom Snort rule to detect SYN scans, enhancing your ability to monitor and secure network traffic against reconnaissance activities.