In the last post we saw a basic firewall using Ubuntu’s iptables/netfilter.
We have our router host ready. Let’s see how to set up snort in packet sniffer, packet logger, Intrusion Detection System (IDS) and Intrusion Prevention System (IPS) modes on the network.
Packet sniffer mode: snort -v
Packet logger mode: snort -l <logging dir>
By default the logging directory is /var/log/snort
Intrusion detection (IDS) mode: Also known as alert mode. Snort requires a configuration file, a rule set and the paths to these files. The default location for the configuration file is /etc/snort/snort.conf. We don’t have to change many variables in this file other than RULE_PATH, the path to your rules, and the line “include $RULE_PATH/mynew.rules”, where mynew.rules is the file in which I have defined my rules. Coming to the rule set, the default location for rules is /etc/snort/rules.
Rules include:
1. Alert when icmp pings are detected in both directions.
2. Alert when a connection to facebook.com is made from a web browser on host 10.0.0.4 (Ubuntu-VM Clone)

Let me recall the network that was set up earlier. See Fig 2. Note that snort is running on the router host (Ubuntu-VM).

Let’s see if snort alerts us when the router host or the modem is pinged from 10.0.0.4. See Fig 3.
The syntax for IDS mode is snort -c <path to conf file> -l <logging dir> -i <interface snort should listen on>. -A console displays alerts on screen while snort is running. -q enables quiet mode (suppresses the banner and status report).

Let’s check what happens when 10.0.0.4 tries to access facebook.com. See Fig 4. Going back to Fig 1, the rule option used is “content”. Therefore snort inspects the contents of the packet for a match.
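To make the two rules and the “content” match concrete, here is an added example (my own code, not from the original post, and not Snort itself): a minimal parser for Snort rule syntax plus a simplified matcher that replays constructed packets against it. The two rule lines are my reconstruction of the rules the post describes, not the author’s Fig 1 rules; the sids, the router address 10.0.0.1 and the 203.0.113.x / 198.51.100.x server addresses are assumptions. It shows why the ICMP rule needs the bidirectional operator `<>` to fire on the reply as well as the request, and how `content` with `nocase` is a payload search, not an address match.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed mynew.rules: models the two rules the post describes.
# sids are placeholders in the local range (>= 1000000); not the author's rules.
MYNEW_RULES = """
# Rule 1: ping to or from 10.0.0.4 ('<>' matches either direction)
alert icmp 10.0.0.4 any <> any any (msg:"ICMP ping detected"; sid:1000001; rev:1;)
# Rule 2: HTTP request from 10.0.0.4 whose payload contains facebook.com
alert tcp 10.0.0.4 any -> any 80 (msg:"facebook.com access from 10.0.0.4"; content:"facebook.com"; nocase; sid:1000002; rev:1;)
"""

# Snort rule header: action proto src sport direction dst dport (options)
RULE_RE = re.compile(
    r'^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+'
    r'(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$')


@dataclass
class Rule:
    action: str
    proto: str
    src: str
    sport: str
    bidir: bool
    dst: str
    dport: str
    options: dict


@dataclass
class Packet:
    """Constructed, decoded packet summary (what a sniffer would hand the matcher)."""
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes = b""


def parse_options(text):
    """Options are 'key:value;' pairs or bare flags such as 'nocase;'."""
    opts = {}
    for part in text.split(';'):
        part = part.strip()
        if not part:
            continue
        if ':' in part:
            key, value = part.split(':', 1)
            opts[key.strip()] = value.strip().strip('"')
        else:
            opts[part] = True
    return opts


def parse_rules(text):
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable rule: {line}")
        g = m.groupdict()
        rules.append(Rule(g['action'], g['proto'], g['src'], g['sport'],
                          g['dir'] == '<>', g['dst'], g['dport'],
                          parse_options(g['opts'])))
    return rules


def _addr_match(pattern, addr):
    if pattern == 'any':
        return True
    if '/' in pattern:  # CIDR such as 10.0.0.0/24
        return ipaddress.ip_address(addr) in ipaddress.ip_network(pattern, strict=False)
    return pattern == addr


def _port_match(pattern, port):
    return pattern == 'any' or int(pattern) == port


def _endpoints_match(rule, pkt):
    forward = (_addr_match(rule.src, pkt.src) and _port_match(rule.sport, pkt.sport)
               and _addr_match(rule.dst, pkt.dst) and _port_match(rule.dport, pkt.dport))
    if forward or not rule.bidir:
        return forward
    # '<>' rules also match with source and destination swapped (e.g. the echo reply)
    return (_addr_match(rule.src, pkt.dst) and _port_match(rule.sport, pkt.dport)
            and _addr_match(rule.dst, pkt.src) and _port_match(rule.dport, pkt.sport))


def rule_matches(rule, pkt):
    if rule.proto != pkt.proto or not _endpoints_match(rule, pkt):
        return False
    content = rule.options.get('content')
    if content is not None:  # 'content' is a search over the payload bytes
        needle, haystack = content.encode(), pkt.payload
        if rule.options.get('nocase'):
            needle, haystack = needle.lower(), haystack.lower()
        if needle not in haystack:
            return False
    return True


def run_ids(rules, packets):
    """Return (sid, msg) for every alert rule that fires, in packet order."""
    return [(r.options['sid'], r.options['msg'])
            for pkt in packets for r in rules
            if r.action == 'alert' and rule_matches(r, pkt)]


# Constructed traffic: ICMP uses port 0; 10.0.0.1 is the assumed router host.
SAMPLE_PACKETS = [
    Packet('icmp', '10.0.0.4', 0, '10.0.0.1', 0),                       # echo request
    Packet('icmp', '10.0.0.1', 0, '10.0.0.4', 0),                       # echo reply
    Packet('tcp', '10.0.0.4', 51000, '203.0.113.10', 80,
           b"GET / HTTP/1.1\r\nHost: www.Facebook.com\r\n\r\n"),       # rule 2 fires
    Packet('tcp', '10.0.0.4', 51001, '198.51.100.20', 80,
           b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"),            # no match
    Packet('icmp', '10.0.0.9', 0, '10.0.0.1', 0),                       # other host: no match
]

if __name__ == '__main__':
    for sid, msg in run_ids(parse_rules(MYNEW_RULES), SAMPLE_PACKETS):
        print(f"[**] [1:{sid}] {msg}")
```

Replaying the five constructed packets yields three alerts: both halves of the ping (only because of `<>`; a `->` rule would miss the reply) and the request whose payload carries facebook.com, while the example.com request and the ping from 10.0.0.9 stay silent. Real Snort does far more (preprocessors, fast-pattern matching, `$HOME_NET`-style variables), but the rule grammar and the payload-search semantics of `content` are the same.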

The last mode is the IPS mode. I will write about it next week.