
SNORT AS IPS LAB

I. SCENARIO
1. Set up virtual switches in VMware
2. Set up Snort machines
3. Install Snort
4. Configure Snort machine to work as a router
5. Set up victim webserver machine
6. Set up attacker machine
7. Set up normal website user machine
8. Perform http-bruteforce attack without Snort running
9. Configure and run Snort
10. Configure Snort to work as an IPS
11. Perform http-bruteforce attack with Snort running

II. ENVIRONMENT
1. Creating 4 virtual machines
- Snort router Ubuntu machine configured as a router and with Snort installed
- Victim webserver Ubuntu machine with apache2 webserver
- Attacker Kali Linux machine which will perform http-bruteforce attack against victim webserver
- Normal web server Ubuntu machine to serve as a normal client
2. 2 VMware virtual switches
- Vmnet 6 - host only network with subnet 192.168.248.0/24
- Vmnet 7 - host only network with subnet 192.168.232.0/24
III. TOPOLOGY

IV. CONFIGURE VIRTUAL SWITCHES
1. Use virtual network editor to create the following custom host only virtual switches
- Vmnet 6
  - Subnet IP : 192.168.248.0/24
  - Subnet mask : 255.255.255.0
  - NO DHCP or host virtual adapter attached
- Vmnet 7
  - Subnet IP : 192.168.232.0/24
  - Subnet mask : 255.255.255.0
  - NO DHCP or host virtual adapter attached

V. SETUP SNORT-ROUTER VIRTUAL MACHINE
- Add 3 network adapters to the machine

VI. INSTALL SNORT
1. Create temporary install directory
o mkdir -p /tmp/snort-install
o cd /tmp/snort-install
2. Install packages needed to build Snort
o sudo apt-get -y install flex bison build-essential checkinstall libpcap-dev libnet1-dev libpcre3-dev libmysqlclient-dev libnetfilter-queue-dev iptables-dev libdnet-dev
3. Install libdnet-1.12
o wget https://libdnet.googlecode.com/files/libdnet-1.12.tgz
o tar xvzf libdnet-1.12.tgz
o cd libdnet-1.12
o ./configure CFLAGS=-fPIC
o make
o sudo checkinstall -y
o sudo dpkg -i libdnet_1.12-1_amd64.deb
o sudo ln -s /usr/local/lib/libdnet.1.0.1 /usr/lib/libdnet.1
o cd
4. Install latest daq packages
o wget http://www.snort.org/
o tar xvzf daq
o cd daq
o ./configure
o make
o sudo checkinstall -y
o sudo dpkg -i daq_
o cd
5. Install latest Snort package
o wget http://www.snort.org/
o tar xvzf snort
o cd snort
o ./configure --enable-sourcefire
o make
o sudo checkinstall -y
o sudo dpkg -i snort
o sudo ln -s /usr/local/bin/snort /usr/sbin/snort
o sudo ldconfig -v
o snort -V
o cd
6. Download and install latest registered rules
o Download rules snapshot
o cd /home/snort
o cd Downloads
o ls -ltr
o sudo mkdir -p /etc/snort
o sudo tar xvzf snortrules -C /etc/snort
o sudo touch /etc/snort/rules/white_list.rules
o sudo touch /etc/snort/rules/black_list.rules
o sudo mkdir /usr/local/lib/snort_dynamicrules
o sudo mv /etc/snort/etc/* /etc/snort

VII. CONFIGURE SNORT MACHINE TO WORK AS ROUTER


1. Disable network adapter 3 (eth2)
2. Assign static IPs to eth0 and eth1
3. Enable IPv4 forwarding
4. Reboot machine
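
After the reboot, the router steps above can be verified before any traffic is sent through the Snort machine. The script below is an added example, not part of the original lab: its function names are its own, the sample addresses are constructed, and it assumes eth0 is attached to Vmnet 6 and eth1 to Vmnet 7, which the lab does not specify.

```shell
#!/bin/sh
# Added example, not part of the lab: preflight check for the Snort router VM.
# Assumption: eth0 is on Vmnet 6 and eth1 on Vmnet 7 (the lab does not say which).

# iface_addr IFACE DUMP: print IFACE's IPv4 address from `ip -o -4 addr show` text.
iface_addr() {
    printf '%s\n' "$2" | awk -v ifc="$1" \
        '$2 == ifc && $3 == "inet" { split($4, a, "/"); print a[1]; exit }'
}

# in_subnet24 ADDR PREFIX: succeed if ADDR is a usable host address in PREFIX.0/24.
in_subnet24() {
    case $1 in "$2".*) last=${1#"$2".} ;; *) return 1 ;; esac
    case $last in ''|*[!0-9]*) return 1 ;; esac
    [ "$last" -ge 1 ] && [ "$last" -le 254 ]
}

# check_router FORWARD DUMP: print findings; exit status is the number of failures.
check_router() {
    fails=0
    if [ "$1" = 1 ]; then echo "OK   net.ipv4.ip_forward=1"
    else echo "FAIL net.ipv4.ip_forward=$1"; fails=$((fails + 1)); fi
    for pair in eth0:192.168.248 eth1:192.168.232; do
        ifc=${pair%%:*}; net=${pair#*:}
        addr=$(iface_addr "$ifc" "$2")
        if in_subnet24 "$addr" "$net"; then echo "OK   $ifc $addr in $net.0/24"
        else echo "FAIL $ifc '$addr' not in $net.0/24"; fails=$((fails + 1)); fi
    done
    addr=$(iface_addr eth2 "$2")
    if [ -z "$addr" ]; then echo "OK   eth2 has no IPv4 address"
    else echo "FAIL eth2 still configured ($addr)"; fails=$((fails + 1)); fi
    return "$fails"
}

# Constructed sample of `ip -o -4 addr show` output (host addresses are made up).
SAMPLE='1: lo    inet 127.0.0.1/8 scope host lo
2: eth0    inet 192.168.248.10/24 brd 192.168.248.255 scope global eth0
3: eth1    inet 192.168.232.10/24 brd 192.168.232.255 scope global eth1'
check_router 1 "$SAMPLE"
# On the router itself:
#   check_router "$(cat /proc/sys/net/ipv4/ip_forward)" "$(ip -o -4 addr show)"
```

A non-zero exit status means at least one of the four router steps did not take effect.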
