CIT16 Ethical Hacking
Mission College, Santa Clara, CA.
Sheila de Dios

Installing Snort IDS on Ubuntu 14.04 LTS (Desktop) Using VMWare Player 6.0

If you currently don't have it, VMWare Player can be downloaded from:
https://my.vmware.com/web/vmware/free#desktop_end_user_computing/vmware_player/6_0
After installation of VMWare Player 6, you may proceed with the installation of the Ubuntu operating system and SNORT.
I. How to Install: Ubuntu 14.04 LTS (Desktop)
A. Download the ISO for Ubuntu from:
http://www.ubuntu.com/download/desktop
Remember the folder where you downloaded it to.
B. Install Ubuntu
1. Open up VMWare Player 6 and choose Create A New Virtual Machine.
2. Navigate to the Ubuntu ISO file you downloaded.
3. Hit Next. Fill in the necessary information. The username and password you enter here will be the username/password you will use to log in to the Ubuntu OS you will be working on.
4. Give your virtual machine a name.
5. Hit Next. Specify disk capacity (you may choose whatever is appropriate for the capacity of your current hardware).
6. Hit Next. Select Customize Hardware.
7. Customize your settings (processor, Network Adapter, etc.). I chose NAT for my network setting. This means that the host machine (the machine the virtual machine is being installed on) acts as a sort of router for this VM: the VM picks up an IP address from VMWare Player's NAT network on the host, not from the actual router on the host machine's network. Note that a NAT adapter only carries the VM's own traffic, so Snort inside the VM will only see packets to and from that VM; to monitor other hosts you would need a bridged adapter attached to a mirror/SPAN port.
8. Hit Close, and then Finish when you get the next box.
9. The Ubuntu operating system is now being installed.
10. Once installed, it will ask you to log in with your username and password.
II. Preparing Ubuntu and Installing SNORT in the VM
A. Install the prerequisites for installing and compiling Snort.
1. Open up a terminal by hitting the uppermost icon on the left corner to search for the terminal application.
2. Once the terminal has been opened, type in the following command (all in one line):
sudo apt-get install flex bison build-essential checkinstall libpcap-dev libnet1-dev libpcre3-dev libmysqlclient15-dev libnetfilter-queue-dev iptables-dev
NOTE: We use sudo to give us superuser (root-like) permission to install applications on the OS. If apt-get reports that libmysqlclient15-dev has no installation candidate, use libmysqlclient-dev, which is the package name on 14.04.
3. It will ask you for the password. Enter your login password to the VM.
4. The selected applications are now being installed. You may occasionally get a prompt asking to continue. Type y and continue.
B. Build and install libdnet from its source code.
1. Type wget https://libdnet.googlecode.com/files/libdnet-1.12.tgz and hit Enter. (Google Code has since shut down; if the download fails, libdnet is now hosted on GitHub.)
2. If you type in ls, you will see that the file has been downloaded to your home directory. Issue the following command: tar xvzf libdnet-1.12.tgz. Hit Enter.
3. This unpacks all the files that were in the libdnet-1.12.tgz file and creates a libdnet-1.12 directory. Change into the libdnet-1.12 directory (cd libdnet-1.12).
4. Type: ./configure "CFLAGS=-fPIC". Hit Enter. The -fPIC C flag is necessary if you compile it on a 64-bit platform, so that the static library can be linked into position-independent (shared) code.
5. You should see something like the following figure. Type make. Hit Enter.
6. Results should look similar to the following figure. Type sudo checkinstall. The checkinstall command builds a .deb package and will ask you several questions. Accept the default values.
7. Install the .deb package, and create a symbolic link where Snort looks for libdnet. Type in the following commands: sudo dpkg -i libdnet_1.12-1_amd64.deb and sudo ln -s /usr/local/lib/libdnet.1.0.1 /usr/lib/libdnet.1
C. Download, build and install DAQ (Data Acquisition Library).
1. DAQ can be downloaded from http://www.snort.org/snort-downloads. The current version is daq-2.0.2. Usually, the downloads are placed in the Downloads directory of your Ubuntu OS.
2. We are going to repeat the steps we did for the libdnet install: unpack the files, configure, make, and then install.
NOTE: So far the following commands have been entered (from the Downloads directory):
tar xvzf daq-2.0.2.tar.gz
cd daq-2.0.2
./configure
make
3. The sudo checkinstall command will go through the following steps like it did in the libdnet procedure. The figures below show the initial sudo checkinstall command and then the end result.
4. Install the package by running: sudo dpkg -i daq_2.0.2-1_amd64.deb
D. Download, build and install Snort
1. Much like DAQ, Snort can be downloaded from http://www.snort.org/snort-downloads. The current version is Snort 2.9.6.1. Again, the downloaded file resides in the Downloads directory of your Ubuntu OS.
2. We are going to repeat the steps we did for the libdnet and DAQ installs: unpack the files, configure, make, and then install.
NOTE: So far the following commands have been entered:
tar xvzf snort-2.9.6.1.tar.gz
cd snort-2.9.6.1
./configure
make
3. The sudo checkinstall command will go through the following steps like it did in the libdnet and DAQ procedures. The figures below show the initial sudo checkinstall command and then the end result.
4. Install the package by running: sudo dpkg -i snort_2.9.6.1-1_amd64.deb
5. Create a symbolic link for snort by running: sudo ln -s /usr/local/bin/snort /usr/sbin/snort
6. Run the ldconfig command (sudo ldconfig), so that the dynamic linker's runtime bindings for the libdnet and DAQ libraries are properly set up.
7. You should get something like the following figure:
8. Verify that Snort is installed properly by running snort -V, which prints the version banner and exits.
III. Configuring SNORT
A. Good practice:
1. Create a separate Linux user for Snort to run as, so that a compromise of the sniffer does not hand out root.
Note: the commands are:
sudo groupadd snort and
sudo useradd snort -d /var/log/snort -s /sbin/nologin -c SNORT_IDS -g snort
(On Ubuntu the nologin shell lives at /usr/sbin/nologin; /sbin/nologin is the Red Hat-style path. Either way the point is that the account cannot log in interactively.)
2. Create a log directory for Snort and give the snort user ownership of it (sudo mkdir -p /var/log/snort and sudo chown snort:snort /var/log/snort).
B. Download Snort Rules
1. Snort rules are located at:
http://www.snort.org/snort-rules/
2. Before you can download the Snort rules, you must create an account with snort.org.
3. Once logged in, you can download Snort Rules.
4. Make note of which directory the Snort rules were downloaded to.
C. Install and Configure Snort Rules
1. Create a directory under /etc (sudo mkdir /etc/snort) to which you will unpack the rules tar file.
2. Create a white_list.rules file and a black_list.rules file by using touch; the stock snort.conf references both in its reputation preprocessor section, and the self-test fails if they are missing.
3. Create a directory for dynamic rules (the stock snort.conf expects /usr/local/lib/snort_dynamicrules).
4. Change ownership of /etc/snort (sudo chown -R snort:snort /etc/snort) and move the directories and files from the unpacked Snort rules into it.
D. Edit the default Snort configuration.
1. There are different Linux file editors (vi/vim, gedit, nano/pico, etc.). Use the one you are most comfortable with, and open /etc/snort/snort.conf with it (e.g. sudo nano /etc/snort/snort.conf).
2. You should get a screen that looks like this:
3. Scroll down until you get to ipvar HOME_NET and change it to the network you are protecting. In my case, it's 192.168.80.0/24.
4. Also change the rules path (the var RULE_PATH line) from the default shown in the first figure so that it reads as in the second figure, pointing at the rules directory you created under /etc/snort.
5. ipvar EXTERNAL_NET should also be changed to the value shown in the figure.
6. Save the file: in nano, Ctrl-X to exit, select Yes, hit Enter.
7. Test Snort by running it in self-test mode. You can use the following command: sudo snort -T -i eth0 -u snort -g snort -c /etc/snort/snort.conf
-T parses the configuration and every included rule file without sniffing, so a typo in a rule or a missing include fails here rather than at startup. If successful, you should get the following results:
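The HOME_NET, EXTERNAL_NET and RULE_PATH edits above are easy to get wrong by hand (a stray "any" left in place, or a typo that defines a new variable instead of changing the old one), so here is an added Python example, not part of the original tutorial and not Snort project code, that makes those three edits programmatically on a snort.conf excerpt and lints the result. The excerpt is constructed to mirror the stock 2.9.x defaults; the values !$HOME_NET for EXTERNAL_NET and /etc/snort/rules for RULE_PATH are assumptions, since the tutorial shows its own values only in screenshots.

```python
"""Apply the tutorial's snort.conf edits programmatically and lint the result.
Added example; not code from the original tutorial or from the Snort project.
"""
import ipaddress
import re
from typing import List

# Constructed excerpt mirroring the variable block of a stock snort-2.9.x snort.conf.
CONF = """\
# Setup the network addresses you are protecting
ipvar HOME_NET any

# Set up the external network addresses. Leave as "any" in most situations
ipvar EXTERNAL_NET any

# Path to your rules files (this can be a relative path)
var RULE_PATH ../rules
var SO_RULE_PATH ../so_rules
var PREPROC_RULE_PATH ../preproc_rules

include $RULE_PATH/local.rules
"""

_VAR_RE = re.compile(r"^(?P<kw>ipvar|portvar|var)\s+(?P<name>\w+)\s+(?P<value>\S.*)$")


def set_var(conf: str, name: str, value: str) -> str:
    """Return conf with the first definition of `name` replaced by `value`.
    Only the definition line changes; references like $RULE_PATH elsewhere
    are untouched. Raises if the variable is not defined, so a typo in the
    name cannot silently leave the default in place."""
    out, done = [], False
    for line in conf.splitlines():
        m = _VAR_RE.match(line)
        if m and not done and m.group("name") == name:
            line = f"{m.group('kw')} {name} {value}"
            done = True
        out.append(line)
    if not done:
        raise KeyError(f"{name} is not defined in snort.conf")
    return "\n".join(out) + "\n"


def get_var(conf: str, name: str) -> str:
    """Return the value of the first definition of `name`."""
    for line in conf.splitlines():
        m = _VAR_RE.match(line)
        if m and m.group("name") == name:
            return m.group("value")
    raise KeyError(name)


def check_home_net(value: str) -> List[str]:
    """HOME_NET must be concrete addresses/CIDRs; 'any' makes every
    $HOME_NET rule fire on traffic in both directions."""
    value = value.strip()
    if value == "any":
        return ["HOME_NET is 'any'; set it to the network you are protecting"]
    problems = []
    for item in value.strip("[]").split(","):
        item = item.strip().lstrip("!")
        try:
            ipaddress.ip_network(item, strict=False)
        except ValueError:
            problems.append(f"HOME_NET element is not an address/CIDR: {item!r}")
    return problems


def check_external_net(value: str) -> List[str]:
    """EXTERNAL_NET left at 'any' overlaps HOME_NET, so your own hosts count as external."""
    if value.strip() == "any":
        return ["EXTERNAL_NET is 'any'; !$HOME_NET excludes your own hosts"]
    return []


def includes_rule_file(conf: str, filename: str) -> bool:
    """True if snort.conf has an uncommented 'include $RULE_PATH/<filename>' line."""
    pattern = re.compile(r"^include\s+\$RULE_PATH/" + re.escape(filename) + r"\s*$", re.M)
    return pattern.search(conf) is not None


def harden(conf: str, home_net: str, rule_path: str) -> str:
    """The three edits the tutorial makes by hand. !$HOME_NET is an assumed value."""
    conf = set_var(conf, "HOME_NET", home_net)
    conf = set_var(conf, "EXTERNAL_NET", "!$HOME_NET")
    return set_var(conf, "RULE_PATH", rule_path)


def lint(conf: str) -> List[str]:
    """Collect the problems a hand edit most often leaves behind."""
    return (check_home_net(get_var(conf, "HOME_NET"))
            + check_external_net(get_var(conf, "EXTERNAL_NET")))


if __name__ == "__main__":
    fixed = harden(CONF, "192.168.80.0/24", "/etc/snort/rules")
    print("before:", lint(CONF))
    print("after: ", lint(fixed))
    print(fixed)
```

includes_rule_file is the same check you want after section IV, when a new rule file such as zzzalert.rules must be wired into snort.conf before the -T self-test will load it.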
IV. Creating Custom SNORT Rules
(NOTE: Not all organizations have the same policy, so their IDS configurations will certainly be different. Creating custom Snort rules allows for those differences.)
A. The Basics: most rules are written in a single line.
General form of the rule: action proto src_ip src_port direction dst_ip dst_port (options)
1. The header:
a. Action: alert, log, pass, activate, dynamic, (drop, reject, sdrop); the latter three only take effect when Snort runs inline.
b. Protocol: tcp, udp, icmp, ip
c. Source IP and Destination IP: IP addresses of the source of traffic and the destination of traffic (a literal address, a CIDR block, or a variable such as $HOME_NET)
d. Source Port and Destination Port: specific port addresses the traffic is intended for (i.e. 80 is generally http traffic, 25 is for smtp, etc.)
e. Direction: the direction the traffic is coming from (-> for one direction, <> for both)
f. Options: general, payload, non-payload, post-detection (an example of a general option is msg, which prints a comment along with the packet when a rule is triggered). Options are separated by semicolons, and each rule needs a unique sid; sids from 1000000 up are reserved for local rules.
2. Sample rule: alert tcp any any -> any any (content:"www.facebook.com"; msg:"Someone is accessing Facebook!!"; sid:1000001;)
Note that this content match only sees the hostname in cleartext HTTP; an HTTPS connection to Facebook hides it inside TLS.
B. Creating a Custom Alert Rule for Snort
1. Navigate to the directory where all the Snort rules are located:
2. Create a file (name it whatever you want) by using the editor of your choice.
3. Type in your rule. And then save. If anyone accesses www.facebook.com, then a message will show up that someone is trying to access it. This rule file also says that if a ping (ICMP echo request) comes in from IP address 192.168.80.135, a message will also pop up.
4. Verify the rule has been created (e.g. cat the file).
5. Edit the snort.conf file to make sure that the created rule file (zzzalert.rules) is included in it, with a line of the form include $RULE_PATH/zzzalert.rules. Save the file.
C. Creating a Custom Log Rule for Snort
1. Make sure you are in the directory where your Snort rules are located.
2. Create a file (name it whatever you want) by using the editor of your choice.
3. Type in your rule. And then save. If the machine with the IP address 192.168.80.139 tries to FTP (TCP port 21), the packet will be logged rather than alerted on.
4. Verify the rule has been created and edit the snort.conf file to reflect the changes (add an include line for the new file, then re-run the -T self-test).
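To see how Snort actually reads the header and options described in IV.A, and why the semicolons matter, here is an added Python example (not from the tutorial, not Snort project code) that parses a rule file in that form and rejects the mistakes a first custom rule usually has: missing or unterminated options, a missing sid, a sid in the reserved range, a duplicate sid, or a malformed direction. The three rules in RULES are constructed to match the behaviour described above (the Facebook alert, the ICMP alert for 192.168.80.135 and the FTP log rule for 192.168.80.139); the tutorial's own files are shown only in screenshots, so option details such as itype:8 are assumptions.

```python
"""Parse and sanity-check Snort rules written in the form
   action proto src_ip src_port direction dst_ip dst_port (options)
Added example; not code from the original tutorial or from the Snort project.
"""
import re
from collections import namedtuple

ACTIONS = {"alert", "log", "pass", "activate", "dynamic", "drop", "reject", "sdrop"}
INLINE_ONLY = {"drop", "reject", "sdrop"}      # only meaningful when Snort runs inline
PROTOCOLS = {"tcp", "udp", "icmp", "ip"}
LOCAL_SID_MIN = 1000000                          # sids below this belong to official rule sets

Rule = namedtuple("Rule", "action proto src sport direction dst dport options")

# Constructed rule file matching the rules the tutorial describes (option
# details such as itype:8 for an ICMP echo request are assumptions).
RULES = """\
# zzzalert.rules / zzzlog.rules, combined for the example
alert tcp any any -> any any (content:"www.facebook.com"; msg:"Someone is accessing Facebook!!"; sid:1000001;)
alert icmp 192.168.80.135 any -> $HOME_NET any (msg:"Ping from 192.168.80.135"; itype:8; sid:1000002;)
log tcp 192.168.80.139 any -> any 21 (msg:"FTP from 192.168.80.139"; sid:1000003;)
"""

_HEADER_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$"
)


def _split_options(text):
    """Split 'k:v; k2:"v;2";' into (key, value) pairs on the ';' that ends
    each option, ignoring ';' inside double quotes. Every option, including
    the last, must end with ';' or Snort rejects the rule."""
    pairs, cur, in_quotes = [], [], False
    for ch in text:
        if ch == '"':
            in_quotes = not in_quotes
        if ch == ";" and not in_quotes:
            pairs.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    if in_quotes:
        raise ValueError("unbalanced double quote in options")
    tail = "".join(cur).strip()
    if tail:
        raise ValueError(f"option not terminated by ';': {tail!r}")
    result = []
    for item in pairs:
        if item:
            key, _, value = item.partition(":")
            result.append((key.strip(), value.strip().strip('"')))
    return result


def parse_rule(line):
    """Parse one rule; raise ValueError for anything Snort would reject."""
    m = _HEADER_RE.match(line.strip())
    if not m:
        raise ValueError(f"malformed rule header: {line!r}")
    if m.group("action") not in ACTIONS:
        raise ValueError(f"unknown action {m.group('action')!r}")
    if m.group("proto") not in PROTOCOLS:
        raise ValueError(f"unknown protocol {m.group('proto')!r}")
    options = _split_options(m.group("opts"))
    sid = dict(options).get("sid")
    if sid is None:
        raise ValueError("rule has no sid")
    if not sid.isdigit() or int(sid) < LOCAL_SID_MIN:
        raise ValueError(f"sid {sid!r} must be an integer >= {LOCAL_SID_MIN} for local rules")
    return Rule(m.group("action"), m.group("proto"), m.group("src"), m.group("sport"),
                m.group("dir"), m.group("dst"), m.group("dport"), options)


def load_rules(text):
    """Parse a whole rule file, skipping blanks/comments and refusing duplicate sids."""
    rules, seen = [], set()
    for lineno, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        try:
            rule = parse_rule(stripped)
        except ValueError as exc:
            raise ValueError(f"line {lineno}: {exc}") from exc
        sid = int(dict(rule.options)["sid"])
        if sid in seen:
            raise ValueError(f"line {lineno}: duplicate sid {sid}")
        seen.add(sid)
        rules.append(rule)
    return rules


def is_valid_file(text):
    """True when every rule in the file parses and all sids are unique."""
    try:
        load_rules(text)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    for r in load_rules(RULES):
        print(r.action, r.proto, r.src, r.direction, r.dst, r.dport, dict(r.options).get("msg"))
```

Running is_valid_file over a new rule file before adding its include line to snort.conf catches the same class of errors that snort -T would report, with a clearer message pointing at the offending line.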
V. Running SNORT
A. To make it a little easier for demo purposes, I logged on as root to run Snort. Outside a demo, pass -u snort -g snort (as in the self-test) so Snort drops to the unprivileged account after opening the interface.
B. In Sniffer Mode (snort -v, or snort -vd to also dump packet payloads), the output is printed onto the screen itself.
C. In Packet Logger mode (snort -l /var/log/snort -K ascii), the output is logged into a log file that is located in /var/log/snort. The file is also written in ASCII.
D. Snort running with the configuration file: snort -A console -i eth0 -c /etc/snort/snort.conf -l /var/log/snort -K ascii
1. -A console means that alert messages will show up on screen
2. -i eth0 specifies the interface Snort is listening on
3. -c /etc/snort/snort.conf specifies the configuration file you are running. This includes the custom Snort rules that were added earlier.
4. -l /var/log/snort specifies the directory where the logs will be located
5. -K ascii specifies how the log files will be written. ASCII can easily be opened up by a text editor or by the command cat.
NOTE: Snort has many options. To list the options, type in snort -h and it should give you a list of those options. It would also benefit you to read the Snort Users Manual, which you can pick up from http://www.snort.org/docs
VI. Results
A. Packet Logger Mode: results logged in a specific directory
1. Change into the log directory and read the files.
2. Inspection of the file provides results. We were able to pick up the username and password used to gain access to the FTP server, because FTP sends credentials in cleartext; this is exactly what an attacker sniffing the same segment would see.
B. In Sniffer Mode, output is directly displayed on screen.
C. Result of Snort using the configuration file with custom rules
1. Messages output on screen
2. A log file is also created for the custom Log FTP rule.